Skip to content

Fix eporter secret computations#495

Merged
hannesm merged 2 commits intomirleft:mainfrom
hannesm:fix
May 10, 2024
Merged

Fix eporter secret computations#495
hannesm merged 2 commits intomirleft:mainfrom
hannesm:fix

Conversation

@hannesm
Copy link
Copy Markdown
Member

@hannesm hannesm commented May 10, 2024

//cc @reynir

hannesm added 2 commits May 10, 2024 11:04
@hannesm
lwt examples: minor nits, correct the binary name for cmdliner
22291c4
@hannesm
TLS 1.3: fix exporter secret computation
29d6ad5 
on the client, if a client certificate was used, this was included in the
transcript -- we now call it earlier

on the server, an empty master secret was used, so the exporter secret
never matched

this has been validated with the OCaml-TLS implementation itself (now, a
client and server talking to each other compute the same exporter secret).

also a "openssl s_server" with a "test_client.exe" using TLS 1.3 compute the
very same exporter key material now.
@hannesm hannesm mentioned this pull request May 10, 2024
Closed
@hannesm
Copy link
Copy Markdown
Member Author

hannesm commented May 10, 2024

I tested this with miragevpn -- before this PR, our server couldn't use tls-ekm with our client - with this PR, it can! :)

@hannesm hannesm merged commit dcaef23 into mirleft:main May 10, 2024
@hannesm hannesm deleted the fix branch May 10, 2024 11:08
@hannesm hannesm mentioned this pull request May 14, 2024
Merged
raphael-proust pushed a commit to ocaml/opam-repository that referenced this pull request May 15, 2024
@hannesm
[new release] tls (5 packages) (0.17.5)
b711179 
CHANGES:

* tls: documentation: clarify send_application_data (mirleft/ocaml-tls#492 @reynir)
* BUGFIX: tls: export_key_material was wrong for the server side on TLS 1.3,
  reported in robur-coop/miragevpn#181 by @reynir, fix in mirleft/ocaml-tls#495 @hannesm
* FEATURE: tls: add channel_binding (RFC 5929, RFC 9266) support (tls_unique,
  tls_exporter, tls_server_endpoint), requested by @Neustradamus in mirleft/ocaml-tls#484, added
  in mirleft/ocaml-tls#496 by @hannesm
dinosaure added a commit to dinosaure/ocaml-tls that referenced this pull request Jun 27, 2024
@dinosaure
Rebase no-cstruct to include mirleft#495 and mirleft#496
8564a46
@dinosaure dinosaure mentioned this pull request Jun 27, 2024
Merged
dinosaure added a commit to dinosaure/ocaml-tls that referenced this pull request Jul 22, 2024
@dinosaure
Rebase no-cstruct to include mirleft#495 and mirleft#496
858db7d
hannesm pushed a commit to dinosaure/ocaml-tls that referenced this pull request Aug 19, 2024
@dinosaure @hannesm
Rebase no-cstruct to include mirleft#495 and mirleft#496
f19233e
hannesm pushed a commit to dinosaure/ocaml-tls that referenced this pull request Aug 20, 2024
@dinosaure @hannesm
Rebase no-cstruct to include mirleft#495 and mirleft#496
02b774d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hannesm