
feat: TLS1.2 support for RSA-PSS certificates #4927

Merged: 3 commits, Dec 6, 2024

Conversation

lrstewart (Contributor) commented Nov 22, 2024

Release Summary:

Added TLS1.2 support for RSA-PSS certificates. Previously, RSA-PSS certificates could only be used with TLS1.3.

Resolved issues:

resolves #4804

Description of changes:

Supporting RSA-PSS certificates with TLS1.2 turned out to be as simple as just removing the TLS1.3-only restrictions. Previously, we specifically restricted RSA-PSS-PSS to TLS1.3.

Call-outs:

  • Is this a feature or a fix? 🤔

Testing:

I added a new end-to-end test to clearly assert that we support all certificates where we expect to.

Initially, I also updated the integration tests to start testing TLS1.2 + RSA-PSS-PSS. However, the cross_compatibility test fails because the mainline version of s2n-tls can't handle the new cases because it still forbids TLS1.2 + RSA-PSS-PSS. Skipping just TLS1.2 + RSA-PSS-PSS for the cross_compatibility test would be pretty verbose (I'd have to add a hacky "ignore this" check to every test in the cross_compatibility file) so I'm thinking it'd be simpler just to split the change into two steps. If folks disagree, I can recombine the changes. Here is a working run of the integ tests, with cross_compatibility removed.

Here are the integ test changes: b2efd5c

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@lrstewart lrstewart force-pushed the rsapss branch 5 times, most recently from 7a70f20 to 7906e1c (November 26, 2024 07:04)
@lrstewart lrstewart force-pushed the rsapss branch 2 times, most recently from cad840e to 4419928 (December 4, 2024 07:12)
Review comment on tls/s2n_signature_algorithms.c (resolved)
Review comment on tests/unit/s2n_security_policies_test.c (outdated, resolved)
@lrstewart lrstewart requested review from jouho and goatgoose December 5, 2024 00:22
@lrstewart lrstewart enabled auto-merge (squash) December 5, 2024 23:43
@lrstewart lrstewart merged commit c426395 into aws:main Dec 6, 2024
39 checks passed
@lrstewart lrstewart deleted the rsapss branch December 6, 2024 01:23
Development: successfully merging this pull request may close the issue "TLS1.2 should support RSA-PSS certificates".
3 participants