s2n-tls

create rfc9151 security policy

Open toidiu opened this issue 3 years ago • 0 comments

Description of changes:

Adds a new security policy with AES256, SHA384 and support for TLS1.3

Testing:

Verified that we can connect via tls1.3/tls1.2 and rsa/ecdsa

```
# ./build/bin/s2nd --cert tests/pems/ecdsa_p384_pkcs1_cert.pem --key tests/pems/ecdsa_p384_pkcs1_key.pem -c "rfc9151" 127.1.0.1 8888

# ./build/bin/s2nc -i -c "20210816" 127.1.0.1 8888
# CONNECTED:
# Handshake: NEGOTIATED|FULL_HANDSHAKE|TLS12_PERFECT_FORWARD_SECRECY|WITH_SESSION_TICKET
# Client hello version: 33
# Client protocol version: 33
# Server protocol version: 34
# Actual protocol version: 33
# Server name: 127.1.0.1
# Curve: secp384r1
# KEM: NONE
# KEM Group: NONE
# Cipher negotiated: ECDHE-ECDSA-AES256-GCM-SHA384
# Server signature negotiated: ECDSA+SHA384
# Early Data status: NOT REQUESTED
# s2n is ready

# ./build/bin/s2nc -i -c "rfc9151" 127.1.0.1 8888
# CONNECTED:
# Handshake: NEGOTIATED|FULL_HANDSHAKE|MIDDLEBOX_COMPAT
# Client hello version: 33
# Client protocol version: 34
# Server protocol version: 34
# Actual protocol version: 34
# Server name: 127.1.0.1
# Curve: secp384r1
# KEM: NONE
# KEM Group: NONE
# Cipher negotiated: TLS_AES_256_GCM_SHA384
# Server signature negotiated: ECDSA+SHA384
# Early Data status: NOT REQUESTED
# s2n is ready

#############
./build/bin/s2nd --cert tests/pems/rsa_2048_pkcs1_cert.pem --key tests/pems/rsa_2048_pkcs1_key.pem -c "rfc9151" 127.1.0.1 8888

# ./build/bin/s2nc -i -c "rfc9151" 127.1.0.1 8888
# CONNECTED:
# Handshake: NEGOTIATED|FULL_HANDSHAKE|MIDDLEBOX_COMPAT
# Client hello version: 33
# Client protocol version: 34
# Server protocol version: 34
# Actual protocol version: 34
# Server name: 127.1.0.1
# Curve: secp384r1
# KEM: NONE
# KEM Group: NONE
# Cipher negotiated: TLS_AES_256_GCM_SHA384
# Server signature negotiated: RSA-PSS-RSAE+SHA384
# Early Data status: NOT REQUESTED
# s2n is ready


# ./build/bin/s2nc -i -c "default" 127.1.0.1 8888
# CONNECTED:
# Handshake: NEGOTIATED|FULL_HANDSHAKE|TLS12_PERFECT_FORWARD_SECRECY|WITH_SESSION_TICKET
# Client hello version: 33
# Client protocol version: 33
# Server protocol version: 34
# Actual protocol version: 33
# Server name: 127.1.0.1
# Curve: secp384r1
# KEM: NONE
# KEM Group: NONE
# Cipher negotiated: ECDHE-RSA-AES256-GCM-SHA384
# Server signature negotiated: RSA+SHA384
# Early Data status: NOT REQUESTED
# s2n is ready
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

toidiu, Aug 06 '22 06:08
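Added example, not part of the pull request or of s2n-tls: a small Python check that parses `s2nc` connection summaries like the ones in the testing notes and flags any connection whose cipher or server signature falls outside the AES256/SHA384 set the description names. The function names and the third sample block are assumptions constructed for illustration.

```python
import re

# s2nc prints protocol versions as numbers: 33 is TLS 1.2, 34 is TLS 1.3.
VERSIONS = {33: "TLS1.2", 34: "TLS1.3"}
# Matches both TLS 1.2 names (…-AES256-GCM-SHA384) and TLS 1.3 names (TLS_AES_256_GCM_SHA384).
SUITE = re.compile(r"AES[-_]?256[-_]GCM[-_]SHA384$")

def parse_s2nc_blocks(text):
    """Split s2nc output into one dict of 'Key: value' fields per connection."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("# ").strip()
        if line.startswith("CONNECTED"):
            current = {}
            blocks.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return blocks

def check_connection(fields):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    version = int(fields.get("Actual protocol version", "0"))
    if version not in VERSIONS:
        findings.append(f"protocol version {version} is not TLS 1.2/1.3")
    cipher = fields.get("Cipher negotiated", "")
    if not SUITE.search(cipher):
        findings.append(f"cipher {cipher!r} is not AES-256-GCM with SHA-384")
    sig = fields.get("Server signature negotiated", "")
    if not sig.endswith("+SHA384"):
        findings.append(f"signature {sig!r} does not use SHA-384")
    return findings

def audit(text):
    """Return (version name, findings) for every connection in the output."""
    return [(VERSIONS.get(int(b.get("Actual protocol version", "0")), "?"),
             check_connection(b)) for b in parse_s2nc_blocks(text)]

# Constructed sample: blocks 1 and 2 are abridged from the pull request's output,
# block 3 is made up to show a connection that gets flagged.
SAMPLE = """# CONNECTED:\n# Actual protocol version: 33
# Cipher negotiated: ECDHE-ECDSA-AES256-GCM-SHA384\n# Server signature negotiated: ECDSA+SHA384
# CONNECTED:\n# Actual protocol version: 34
# Cipher negotiated: TLS_AES_256_GCM_SHA384\n# Server signature negotiated: RSA-PSS-RSAE+SHA384
# CONNECTED:\n# Actual protocol version: 33
# Cipher negotiated: ECDHE-RSA-AES128-GCM-SHA256\n# Server signature negotiated: RSA+SHA256
"""

if __name__ == "__main__":
    for version, findings in audit(SAMPLE):
        print(version, "OK" if not findings else findings)
```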