Update openssl 3.0.3

2024-12-29 04:49:44 +01:00 · 2022-05-04 14:32:04 +02:00 · 2022-05-04 14:32:04 +02:00 · d84492a75e
commit d84492a75e
parent cc7a88386d
3 changed files with 46 additions and 2 deletions
--- a/etc/client-simulation.txt
+++ b/etc/client-simulation.txt
@ -2820,6 +2820,28 @@ names+=("Opera 66 (Win 10)")
     requiresSha2+=(true)
     current+=(true)

+     names+=("OpenSSL 3.0.3 (git)")
+     short+=("openssl_303")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030101370100013303031bd0fe6e109e027d3c6368ac3629f9ecdb499a4a284df7fea7084bcbc8975900206db4bfae530aef2092a0faa3668bc23924b4a333f31eb48c0a55e4e420e9a417003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000ac0000000f000d00000a7465737473736c2e7368000b000403000102000a00160014001d0017001e0019001801000101010201030104002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b0009080304030303020301002d00020101003300260024001d00207112b9de757a3a6a8afac74621c945419bbadd8e74f35a5958b2969328b73d4e")
+     protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
     names+=("Thunderbird (60.6)")
     short+=("thunderbird_60_6_1")
     ch_ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
--- a/etc/client-simulation.wiresharked.md
+++ b/etc/client-simulation.wiresharked.md
@ -13,9 +13,9 @@ The whole process is manual but not too difficult.
 * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client from it.
 * Edit the *names* accordingly and "short". The latter must not contain blanks.
 * Retrieve *handshakebytes* by marking the "TLS 1.x Record Layer" --> Copy --> As a hex stream.
-* Figure out *protos* and *tlsvers* by looking at the "supported_versions" TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3).
+* Figure out *protos* and *tlsvers* by looking at the "supported_versions" TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3).
 * Adjust *lowest_protocol* and *highest_protocol* accordingly.
-* For *curves* mark the "supported groups" TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`
+* For *curves* mark the "supported groups" TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Ignore any ffdhe\* values here.
 * Retrieve *alpn* by looking at the "alpn" TLS extension 16 (=0x0010).
 * Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
 * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle.
--- a/etc/client-simulation.wiresharked.txt
+++ b/etc/client-simulation.wiresharked.txt
@ -443,6 +443,28 @@
     requiresSha2+=(true)
     current+=(true)

+     names+=("OpenSSL 3.0.3 (git)")
+     short+=("openssl_303")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030101370100013303031bd0fe6e109e027d3c6368ac3629f9ecdb499a4a284df7fea7084bcbc8975900206db4bfae530aef2092a0faa3668bc23924b4a333f31eb48c0a55e4e420e9a417003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000ac0000000f000d00000a7465737473736c2e7368000b000403000102000a00160014001d0017001e0019001801000101010201030104002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b0009080304030303020301002d00020101003300260024001d00207112b9de757a3a6a8afac74621c945419bbadd8e74f35a5958b2969328b73d4e")
+     protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
+     requiresSha2+=(true)
+     current+=(true)
+
     names+=("Thunderbird (60.6)")
     short+=("thunderbird_60_6_1")
     ch_ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")