Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handshake Failures with Post-Quantum Certificates on SCTP & DTLS 1.2 #481

Open
lakshya-chopra opened this issue Aug 14, 2024 · 6 comments
Open
Labels
question No code change required

Comments

@lakshya-chopra
Copy link

lakshya-chopra commented Aug 14, 2024

I was testing a client & server application making use of Post Quantum certificates and Kyber768 group, it ran perfectly well on a standard TLS 1.3 connection. However, I am facing problems when using an SCTP socket with DTLS 1.2. Specifically, the handshake fails due to no shared cipher between the client and the server.

  • With DTLS: SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2307:

  • With TLS:
    image

Question: Is DTLS 1.2/1.3 support available for Post-Quantum certificates?

Edited: From the documentation, it does seem like PQ certificates can still not be used with DTLS. Are there any plans to add support for DTLS in the future?

@lakshya-chopra lakshya-chopra added the question No code change required label Aug 14, 2024
@fwh-dc
Copy link
Contributor

fwh-dc commented Aug 15, 2024

I'm currently developing DTLS 1.3 for OpenSSL in order to use PQC for DTLS. Key exchange providers can only be used with (D)TLS1.3 in OpenSSL. Let me know if you want to contribute to the development.

@baentsch
Copy link
Member

Sounds very interesting, @fwh-dc . Where in GH are you doing that work? Any concrete issues one could take a look at to gauge whether one could contribute?

@fwh-dc
Copy link
Contributor

fwh-dc commented Aug 16, 2024

I am doing the implementation in openssl's github. There are still some remaining features waiting to be implemented. Feel free to reach out if you're interested. I can give some additional info to help get started.

Issue: openssl/openssl#13900
Feature branch: https://github.com/openssl/openssl/tree/feature/dtls-1.3

@lakshya-chopra
Copy link
Author

That's great to hear, @fwh-dc . I'd like to contribute to this feature addition to openssl. It would be helpful if you could share some information about the current progress and the features that still need to be implemented. In the meantime, I'll review this branch and understand the existing code.

@fwh-dc
Copy link
Contributor

fwh-dc commented Aug 20, 2024

Ok, I'm preparing some text and I'll let you know when I have posted it. I think I will do it in the OpenSSL DTLS 1.3 issue.

@fwh-dc
Copy link
Contributor

fwh-dc commented Aug 20, 2024

I've added some notes to openssl/openssl#13900

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question No code change required
Projects
None yet
Development

No branches or pull requests

3 participants