Tests depending on security level

[dcillera]

Title: Tests depending on security level

Description:
We’re testing OpenSSL 3.2 in Envoy.
Some tests are failing.
Some of the failures seem related to the security level, which has been raised from 1 (in OpenSSL 3.0.x) to 2 (in OpenSSL 3.2.x).

TLS < 1.2 is not supported in security level 2.

Then in tls_inspector_test the following sub-tests:

• SniRegistered,
• AlpnRegistered,
• MultipleReads,
• NoExtensions,

will fail with input parameters TLS1_VERSION and TLS1_1_VERSION.

And the following will fail too, as they are using TLS1.0 and 1.1:

• ConnectionJA3HashTls10NoExtensions,
• ConnectionJA3HashTls11,

Then I’d ask if there are any plans for BoringSSL work in light of the security level 2.

[optional Relevant Links:]
See at the following link for more info on security levels:
https://www.ibm.com/docs/en/flashsystem-5x00/8.6.0?topic=r-security-levels-supported-security-ciphers

[adisuissa]

cc @ggreenway @alyssawilk @yanavlasov

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[dcillera]

@adisuissa could you please mark this issue as no stalebot?

[ggreenway]

The tls_inspector tests aren't doing any TLS termination and don't represent a security vulnerability, but it is valid to test these cases with older TLS versions.

If you have a question about boringssl plans, you should inquire with boringssl. If you do, please link to any issue/conversation here for reference.

[dcillera]

I'm trying to find a way to test also older TLS versions in the tests above.
Your suggestion to reach out to BoringSSL community makes sense.