
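name: OpenSSL ECH Interop Test
# START OF COMMON SECTION
# `on` looks like a YAML 1.1 boolean key; GitHub's loader treats it as the
# trigger key (suppress yamllint `truthy` here if the file is linted).
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
# One live run per workflow+ref; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
# Least-privilege GITHUB_TOKEN for every job: no step below writes to the
# repository (checkout of a public repo and same-run artifact upload/download
# only). NOTE(review): same-run artifact transfer is expected to use the
# runner's own token rather than GITHUB_TOKEN — confirm on the first run.
permissions:
  contents: read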
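jobs:
  build_wolfssl:
    name: Build wolfSSL
    # Run only in the upstream repository, never in forks.
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    timeout-minutes: 4
    steps:
      # NOTE(review): action refs in this file are mutable tags (@v1/@v4);
      # pinning each to a full commit SHA (e.g. `@<commit-sha> # v4`) makes the
      # build inputs immutable. The SHAs are not on this page, so left as-is.
      - name: Build wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          path: wolfssl
          configure: >-
            --enable-ech
          install: true
      # Pack the install tree so the interop job can fetch it as one artifact.
      - name: tar build-dir
        run: tar -zcf build-dir.tgz build-dir
      - name: Upload built wolfSSL
        uses: actions/upload-artifact@v4
        with:
          name: wolf-install-openssl-ech
          path: build-dir.tgz
          retention-days: 5

  build_openssl_ech:
    name: Build OpenSSL (feature/ech)
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Checkout OpenSSL feature/ech branch
        uses: actions/checkout@v4
        with:
          repository: openssl/openssl
          # NOTE(review): a branch name is a moving target, so each run builds
          # whatever `feature/ech` currently points at. Pin `ref` to a commit
          # SHA when a reproducible interop baseline is wanted.
          ref: feature/ech
          path: openssl
      # GitHub runs `run:` scripts with `bash -e`, so a failing Configure or
      # make aborts the step without an explicit `set -e`.
      - name: Build OpenSSL
        working-directory: openssl
        run: |
          ./Configure --prefix=$GITHUB_WORKSPACE/openssl-install \
            --openssldir=$GITHUB_WORKSPACE/openssl-install/ssl \
            enable-ech no-docs
          make -j$(nproc)
          make install_sw
      - name: tar openssl-install
        run: tar -zcf openssl-install.tgz openssl-install
      - name: Upload built OpenSSL
        uses: actions/upload-artifact@v4
        with:
          name: openssl-ech-install
          path: openssl-install.tgz
          retention-days: 5

  ech_interop_test:
    name: ECH Interop Test
    if: github.repository_owner == 'wolfssl'
    needs: [build_wolfssl, build_openssl_ech]
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Download wolfSSL build
        uses: actions/download-artifact@v4
        with:
          name: wolf-install-openssl-ech
      - name: Download OpenSSL build
        uses: actions/download-artifact@v4
        with:
          name: openssl-ech-install
      - name: Extract builds
        run: |
          tar -xzf build-dir.tgz
          tar -xzf openssl-install.tgz
      # wolfSSL `server` with ECH enabled, OpenSSL `s_client` offering ECH;
      # the step passes only when the client log reports "ECH: success: 1".
      - name: ECH interop - wolfSSL server, OpenSSL client
        run: |
          set -e
          # Do not add `pipefail` here: the ECH_CONFIG poll below relies on the
          # grep|sed pipeline reporting sed's (zero) status while the config
          # line has not been logged yet; with pipefail + errexit the first
          # unmatched grep would abort the step.
          export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
          OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl
          WOLFSSL_SERVER=$GITHUB_WORKSPACE/build-dir/bin/server
          CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
          READY_FILE="$GITHUB_WORKSPACE/wolfssl_tls13_ready$$"
          LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
          PRIV_NAME="ech-private-name.com"
          PUB_NAME="ech-public-name.com"
          ECH_CONFIG=""
          PORT=0
          SERVER_PID=""
          # Stop the background server and drop the ready file on every exit
          # path. A trailing cleanup after the assertion was skipped whenever
          # an earlier command failed under `set -e`, and an unguarded `kill`
          # of an already-exited server turned a passing step into a failure.
          # The log file is intentionally kept for the failure-debug step.
          cleanup() {
            rm -f "$READY_FILE"
            if [ -n "$SERVER_PID" ]; then
              kill "$SERVER_PID" 2>/dev/null || true
            fi
          }
          trap cleanup EXIT
          rm -f "$READY_FILE"
          rm -f "$LOG_FILE"
          $OPENSSL version
          # start server with ephemeral port + ready file
          # also set server to be line buffered so the log can be grepped
          stdbuf -oL $WOLFSSL_SERVER -v 4 -R "$READY_FILE" -p "$PORT" \
            -S "$PRIV_NAME" --ech "$PUB_NAME" &> "$LOG_FILE" &
          SERVER_PID=$!
          # wait for server to be ready, then get port (50 x 0.1s = 5s budget)
          counter=0
          while [ ! -s "$READY_FILE" ]; do
            sleep 0.1
            counter=$((counter + 1))
            if [ "$counter" -gt 50 ]; then
              echo "ERROR: no ready file" &>> "$LOG_FILE"
              exit 1
            fi
          done
          PORT="$(cat "$READY_FILE")"
          # get ECH config from server (same 5s budget as above)
          counter=0
          while [ -z "$ECH_CONFIG" ]; do
            ECH_CONFIG=$(grep -m1 "ECH config (base64): " "$LOG_FILE" \
              2>/dev/null | sed 's/ECH config (base64): //g')
            sleep 0.1
            counter=$((counter + 1))
            if [ "$counter" -gt 50 ]; then
              echo "ERROR: no ECH configs" &>> "$LOG_FILE"
              exit 1
            fi
          done
          # Test with OpenSSL s_client using ECH: SNI carries the private name,
          # the ECH config list from the server log carries the public name.
          echo "wolfssl" | $OPENSSL s_client \
            -tls1_3 \
            -connect "localhost:$PORT" \
            -cert "$CERT_DIR/client-cert.pem" \
            -key "$CERT_DIR/client-key.pem" \
            -CAfile "$CERT_DIR/ca-cert.pem" \
            -servername "$PRIV_NAME" \
            -ech_config_list "$ECH_CONFIG" \
            &>> "$LOG_FILE"
          # The pass/fail assertion: s_client must report ECH acceptance.
          grep "ECH: success: 1" "$LOG_FILE"
          # cleanup runs from the EXIT trap
      - name: Print debug info on failure
        if: ${{ failure() }}
        run: |
          if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
            cat "$GITHUB_WORKSPACE/log_file.log"
          else
            echo "No log file"
          fi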