SSLlabs.com test fails #8995
Comments
Hi! Thanks for reporting this issue. Could you help us debug this by providing some more information about exactly which SSLLabs tests are failing? As far as I can tell, SSLLabs is just reporting an "Unexpected Failure", which they claim is usually caused by having "Multiple TLS servers behind the same IP address". Also, it looks like the download link for the unreleased Hiawatha 11.6 is broken.
The test fails after saying 'Testing renegotiation'. Does that help? I can share a tcpdump of the scan. I'm willing to help, let me know what you need. The download link was an http:// link by mistake. Changed it to https://. Should work.
Yeah, a tcpdump would be great! Ideally both of the failing TLS 1.2+1.3 and the working TLS 1.2 only and TLS 1.3 only test sessions. Also, could you try running the test with
I use mbedtls_ssl_conf_renegotiation(&client_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED) to disable it. Would that be the same? To what e-mail address can I send the tcpdump?
In principle it should be equivalent. Please send the tcpdump to [email protected]
Could you also enable TLS debugging in MbedTLS and send me the logs?
TCPdumps for TLS1.2 only, TLS1.3 only and both TLS1.2 and TLS1.3 have been sent. I've added the corresponding ssllabs.com output. I've also sent an Mbed TLS debug logfile of the failing both-TLS1.2-and-TLS1.3 test.
Mail received? What's next?
Hi! Sorry for the late reply. I've received the emails - I was sidetracked a bit by unrelated tasks, but I'm looking into the issue.
Anything yet?
Any status update?
Can I assume this bug has no priority? Then I'll ignore it from now on.
Fixed in #9244
Summary
I use mbed TLS in my Hiawatha webserver. I updated to version 3.6.0 and enabled TLS v1.3 support. (btw, congrats on this new milestone!) It seems to work fine, but SSLlabs.com shows a failure while testing my server. When I only support TLS v1.3 (disabling TLS v1.2) the test runs fine. Same with only supporting TLS v1.2 (not enabling TLS v1.3).
System information
Mbed TLS version (number or commit id): 3.6.0
Operating system and version: Ubuntu Linux (Jammy)
Configuration (if not default, please attach mbedtls_config.h): I enabled the following settings:
MBEDTLS_THREADING_PTHREAD
MBEDTLS_THREADING_C
MBEDTLS_SSL_PROTO_TLS1_3
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
I disabled the following settings:
MBEDTLS_ECP_DP_SECP192R1_ENABLED
MBEDTLS_ECP_DP_SECP192K1_ENABLED
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:
Expected behavior
I hoped SSLlabs.com would show the result of a server test.
Actual behavior
SSLlabs.com shows a failure while testing renegotiation.
Steps to reproduce
Visit ssllabs.com, select Test your server and test www.hiawatha-webserver.org
Additional information
You can test Hiawatha v11.6 (not yet released) which has mbed TLS v3.6.0 by downloading it via https://www.leisink.net/hiawatha-11.6.tar.gz