freenode/#lisp - IRC Chatlog
20:11:12
jasom
Anybody know the most recent version of ASDF for which the package ASDF/PACKAGE exists as a nickname for UIOP/PACKAGE?
20:22:32
shrdlu68
Got some time to work on cl-tls. I edited a version of dexador to test with, and ran into an issue where some servers are sending records that are bigger in length than the spec allows for. Very weird.
20:41:36
fe[nl]ix
shrdlu68: have you tried extracting the conformance test suites from other ssl libraries and running them against cl-tls?
20:44:04
shrdlu68
fe[nl]ix: Nope, apart from the openssl and gnutls command-line tools. Might you know of any?
20:49:12
shrdlu68
If I comment out the code that checks that the fragment length does not exceed the maximum fragment length it all works fine. I can see in wireshark that the records are indeed past the allowed size limit (2^14).
20:52:36
fe[nl]ix
there are two types of test suites: the ones that send ostensibly correct packets and check the server configuration for features that are vulnerable to attacks
20:53:15
fe[nl]ix
and the ones that send incorrect packets and try to detect bugs in the protocol state machine
20:56:14
shrdlu68
I'm aware of ssllabs, I think it tests for poor configuration rather than implementation bugs.
20:58:07
shrdlu68
There are hardly more sophisticated tls test suites than fuzzers, which are, in my experience, not very effective in the case of tls/ssl.
21:01:07
fe[nl]ix
I know there are proprietary suites that were built by going through the standard and implementing a contrary test every time there's a MUST or a SHOULD
21:03:02
shrdlu68
For example, cl-tls reports that the certificate that signs microsoft.com's ocsp responses does not have the ocsp-sign bit set.
21:03:12
fe[nl]ix
setting up a business and finding the first customers might not be easy, but doable
21:04:51
shrdlu68
Another example: A bunch of ocsp responders have much longer update intervals than I had initially set as the maximum in cl-tls, forcing me to lower the standards. The spec only says the interval should be "sufficiently recent". This gives people the freedom to set update intervals that I thought no sane person would set for an ocsp responder.
21:09:45
shrdlu68
One concept I learned in writing cl-tls was "bug-compliance" and "bug-compatibility", from Peter Gutmann's blogs. When a major company misreads the specs and creates a buggy x509/tls implementation, everyone else is forced to introduce this bug as well in order to be bug-compatible with the big guys.
21:55:59
shrdlu68
How should write-byte and write-sequence behave when attempting to write to a closed stream?
21:58:12
specbot
Open and Closed Streams: http://www.lispworks.com/reference/HyperSpec/Body/21_aaab.htm
21:58:23
Shinmera
"Except as explicitly specified otherwise, the consequences are undefined when a closed stream is used where a stream is called for."
22:02:24
shrdlu68
I'm trying to determine what's the correct way to handle such a situation in cl-tls. I'm currently raising an error but cl:stream-error might be a better idea.
2:03:50
jasom
emaczen: oh, I guess it's not part of the spec, see trivial-garbage for a portable library