https://github.com/newam/tls-tester
TLS 1.3 client tester
https://github.com/newam/tls-tester
Last synced: 4 months ago
JSON representation
TLS 1.3 client tester
- Host: GitHub
- URL: https://github.com/newam/tls-tester
- Owner: newAM
- License: apache-2.0
- Created: 2025-06-01T15:23:51.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-12-20T04:08:26.000Z (7 months ago)
- Last Synced: 2025-12-22T12:45:43.416Z (6 months ago)
- Language: Rust
- Homepage:
- Size: 188 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE-APACHE
Awesome Lists containing this project
README
# TLS tester
A tool for testing [TLS 1.3] implementation compliance.
> [!WARNING]
> This is in a pre-alpha state, the crate is missing:
>
> - Documentation
> - Unit tests
## Goals
- Hackability
- Debugability
- Testing TLS implementation compliance
## Non-goals
- Performance
- Security
- Versions of TLS older than [TLS 1.3]
- `#![no_std]` support
- Strict TLS compliance
- TLS tester needs to create non-compliant behaviour to test compliance, for all other purposes TLS tester should be compliant unless otherwise noted
## Limitations
- [Compliance](https://datatracker.ietf.org/doc/html/rfc8446#section-9) limitations
- Does not implement all required digital signature algorithms, missing:
- `rsa_pkcs1_sha256`
- `rsa_pss_rsae_sha256`
- Does not implement all recommended cipher suites, missing:
- `TLS_AES_256_GCM_SHA384`
- `TLS_CHACHA20_POLY1305_SHA256`
- Client ignores server `EncryptedExtensions`
- Client ignores TLS certificate extensions
- Certificate parsing is messy and contains many outstanding TODOs
- PSK does not support `psk_ke`, only `psk_dhe_ke` is supported
## Available tests
- Server record fragmentation
### Planned tests
- Forced HelloRetry
- Invalid GCM tag
- Missing handshake messages, such as CertificateVerify
- Packing server Encrypted Extensions, Certificate, CertificateVerify, and Finished into a single record
- Non-zero padding extension
- Record fragmentation across key changes
- Record overflow
- Sending application data before handshake is done
- Sending duplicate handshake message types
- Sending handshake messages out of order
- Zero length alert/handshake/applicationdata
- Zero padding appended to records
- Certificates with GeneralizedTime and UTCTime types for notBefore and notAfter
- UTCTime before 2050
- GeneralizedTime after 2050
- Sending unrecognized values for:
- cipher suites
- hello extensions
- named groups
- key shared
- supported versions
- signature algorithms
## License
Licensed under either of
- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE) or
)
- MIT license ([LICENSE-MIT](LICENSE-MIT) or )
at your option.
[TLS 1.3]: https://datatracker.ietf.org/doc/html/rfc8446