Artifacts Associated With Ticket d0518a5645

1. Ticket change [b5a633ec89] (rid 1409) by anonymous on 2019-04-15 21:26:20:

   1. foundin initialized to: "1.7.17"
   2. icomment:

      The "-cipher" switch in the tls::socket command should allow an explicit cipher 
      to use for a session.  It does not do this when the tls1.3 switch is set to true.
      
      Openssl version is 1.1.1b
      tcltls version 1.7.17
      
      When the socket is set up in the following fashion it functions correctly 
      allowing the passed cipher to be used explicitly.  
      
      Examples of individually passed ciphers include:
       
      DHE-RSA-AES256-GCM-SHA384 
      DHE-RSA-AES256-SHA256 
      AES256-GCM-SHA384 
      AES256-SHA256 
      DHE-RSA-AES128-GCM-SHA256 
      DHE-RSA-AES128-SHA256 
      AES128-GCM-SHA256 
      AES128-SHA256     ...... and so on 
      
      set server_channel [tls::socket \
         -tls1.3 0 \
         -tls1.2 1 
         -tls1 0 \
         -tls1.1 0 \
         -ssl2 0 \
         -ssl3 0 \
         -server EchoAccept \
         -request 1 \
         -require 1 \
         -cafile $CA_CERTIFICATE \
         -certfile $CERTFILE \
         -keyfile $PRIVATE_KEY \
         -password get_master_password \
         -cipher $ENCRYPTION_CIPHER \
         $LISTEN_SOCKET ]
      
      A similar setup is in place for the client.
      
      When the tls1.3 switch is set to true, the ability to individually select the explicit cipher goes away.  
      In my setup, it always defaults to TLS_AES_256_GCM_SHA384.
      
      When tls1.2 is true and tls1.3 is false is works as expected.
      When tls1.3 is true, it does not function as expected (regarless of how tls1.2 is set).
      
      Correct and corresponding setup was done on the client side when investigated.
      

   3. login: "anonymous"
   4. mimetype: "text/x-fossil-plain"
   5. private_contact initialized to: "07dea8439aa410135bf1d5b46943118fd70e6703"
   6. severity initialized to: "Critical"
   7. status initialized to: "Open"
   8. title initialized to:

      tls::socket -cipher arg not working as expected when -tls1.3 is true
      

   9. type initialized to: "Code Defect"

2. Ticket change [b8f3de1ae5] (rid 1410) by anonymous on 2019-04-18 01:13:29:

   1. icomment:

      After reading further, it seems that tls1.3 configuration will require hooks into 
      the SSL_CTX_set_ciphersuites() or SSL_set_ciphersuites() functions to configure 
      TLSv1.3 ciphersuites.  The functions SSL_CTX_get_ciphers() and SSL_get_ciphers() 
      will return the full list of ciphersuites that have been configured for both 
      TLSv1.2 and below and TLSv1.3. 
      
      The code in tls.c uses SSL_CTX_get_ciphers() and there is no function for the 
      ciphersuites functions.  As a consequence, it is not possible to configure tls1.3 
      for use with this version of tcltls.
      

   2. login: "anonymous"
   3. mimetype: "text/x-fossil-plain"
   4. priority changed to: "Immediate"
   5. resolution changed to: "Open"