
The howsmyssl site does not fully support TLS 1.3 (IDFGH-13611) #14496

Open
gojimmypi opened this issue Sep 3, 2024 · 2 comments
Labels
Status: Opened Issue is new

Comments

@gojimmypi
Contributor

Answers checklist.

  • I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
  • I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
  • I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

While working on adding wolfSSL Certificate Bundle support in wolfSSL/wolfssl#7936 to the Espressif esp-tls, I encountered a problem with the howsmyssl.com web site used in many of the Espressif examples.

When using wolfSSL in a client and forcing only TLS 1.3, the connection fails, even though the web site indicates that TLS 1.3 is supported:

[image: screenshot of the howsmyssl.com page reporting TLS 1.3 as supported]

As it turns out, TLS 1.3 is not fully supported. See jmhodges/howsmyssl#716:

Howsmyssl doesn't yet fully support TLS 1.3. It's working off an old fork of the crypto/tls library from long ago. There's been a tradeoff between upgrading it to a version that supports 1.3 and continuing to have support for the older versions of TLS and ciphersuites that it detects problems in.

I might have said "Hey, let's use wolfSSL there", but the site is implemented in the Go Programming Language, and I have little experience with that.

I've initiated some internal conversations at wolfSSL to see how to best proceed.

Many users choose wolfSSL specifically for the robust TLS1.3 support. This issue is to bring light to a known problem with the sample code in the Espressif ESP-IDF.

See also #13966

@espressif-bot espressif-bot added the Status: Opened Issue is new label Sep 3, 2024
@github-actions github-actions bot changed the title from "The howsmyssl site does not fully support TLS 1.3" to "The howsmyssl site does not fully support TLS 1.3 (IDFGH-13611)" Sep 3, 2024
@mahavirj
Member

@gojimmypi

The endpoint that we have in examples is for testing purposes only. It can be overridden as per the end user's requirements. If you suggest a more suitable endpoint supporting both TLS 1.2 and TLS 1.3, then we can consider that one as well.

@gojimmypi
Contributor Author

Hi @mahavirj

Yes, I understand the howsmyssl site is for testing only, but that's also my point: false & misleading test results for TLS 1.3.

There are alternatives such as https://clienttest.ssllabs.com - a little tricky though, as there's both a port and page redirect.

Other options: www.cloudflare.com or their www.example.com. Also www.letsencrypt.org/docs/staging-environment/

The howsmyssl site is currently hard-coded in the ESP-IDF example. It is unlikely that end users would consider changing the test site. I also spent some time myself trying to figure out what was wrong. Visiting the web site interactively, it does appear that TLS 1.3 is supported, as noted above.

I don't have a good solution here, particularly for all the already-installed ESP-IDF instances, other than this informative issue.
