Brian,

Can you try again with the "-G" option added to selfserv?

Thanks,
Kevin

On Thu, Mar 19, 2020 at 6:57 AM Brian Reichert <reich...@numachi.com> wrote:
> I'm trying to develop some tests for confirming a TLS server honors
> the Extended Master Secret extension (RFC 7627).
>
> I've stood up a simple selfserv server:
>
>   /usr/lib/nss/selfserv -v -d /path/to/my/certdb/ -n MyCert -p 8000 -V tls1.0:tls1.2
>
> But, when I run a test of that with OpenSSL's s_client:
>
>   openssl s_client -connect 10.200.192.68:8000
>
> I get the diagnostic 'Extended master secret: no'.
>
> Via Wireshark, I can confirm that s_client does include the extension
> in the Client Hello, but I don't see it in the Server Hello.
>
> I'm using mozilla-nss-tools-3.45-58.31.1.x86_64 under SLES 12 SP3.
>
> I acknowledge that I may be misinterpreting Wireshark, as I can find no
> example captures on the net of a Server Hello providing the extension.
>
> Is this an appropriate mechanism for testing for this feature?
>
> --
> Brian Reichert <reich...@numachi.com>
> BSD admin/developer at large
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto