Open
Problem:
There have been recent cases where s2n TLS features were added that were tested and known to work individually, but were not tested in combination with every other s2n feature, so some features did not work together.
Examples of features that did not work together and needed to be fixed:
- Async Client Hello + Pre-Shared Keys
- TLS 1.0 + ECDSA Client Certificates
- Openssl 1.0.2 + TLS 1.3 + RSA Server Certificate
- ClientHello Retry + TLS 1.3 Early Data
- Session Resumption + Pre-Shared Keys
- Client Authentication + FIPS
Solution:
Create a test framework that iterates through all combinations of TLS features, determines whether each combination is valid, and tests every valid combination to confirm that an s2n client and server can actually use those features together.
Various Features that could be tested in combination with one another:
- TLS Version: 1.0, 1.2, 1.3
- Pre-Shared Key
- Async ClientHello
- Server Certificates: RSA, ECDSA
- Client Certificates: RSA, ECDSA
- FIPS
- Session Tickets
- Session ID
- TLS 1.3 Early Data
- ClientHello Retry
- Hybrid Post-Quantum Key Exchange
- OCSP (Online Certificate Status Protocol) Stapling
- LibCrypto: 1.0.2, 1.1.1, 3.0, AWS-LC
- TLS Client: libs2n, libssl
- TLS Server: libs2n, libssl