Description
The TLS tests assume that all TLS connections are established on top of TCP. This results in false negatives for devices that use TLS over UDP even if they use the appropriate ciphers.
To Reproduce
- Set up the device under test so that it establishes TLS connections over UDP (e.g., the default configuration of openvpn)
- Run the test
- The security.tls.v_X.client test fails
Expected behavior
TLS connections over UDP should either be ignored in the assessment or TLS connections over UDP that offer appropriate ciphers such as ecdh, ecdsa should not cause the test to fail.
Error logs
Logs report that appropriate cipher support is not detected
Nov 13 17:14:02 test_tls INFO Checking client ciphers: {'dst_ip': '192.158.31.31', 'src_ip': '10.10.10.15', 'dst_port': '', 'cipher_support': {'ecdh': False, 'ecdsa': False}}
Nov 13 17:14:02 test_tls INFO Required ciphers not detected
But my packet analysis shows that the appropriate ciphers are offered in the TLS Client Hello message.

Environment:
- OS: Ubuntu
- Version: 22.04
- Device under test has a Raspberry Pi SoC
Additional context
testrun fails to parse the packets because the parsing script relies on a TCP destination port, which in the case of our openvpn setup is empty because it is set up to work on top of UDP. I confirmed this by removing the tcp.dstport filter in the script (see testrun/modules/test/tls/bin/get_ciphers.sh at a2264828aa9086086c289831038ed99a913d07f6 · google/testrun) and I get the full set of ciphers, including ECDHE_ECDSA-based ciphers, which should be sufficient to pass the test case.
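The false negative described in this report comes from selecting packets by transport (a TCP destination-port filter) rather than by what the payload actually is. The following is an added example, not testrun's own get_ciphers.sh logic: it parses the cipher suite list out of a ClientHello whether it arrives as a TLS record over TCP (RFC 5246 framing) or as a DTLS record over UDP (RFC 6347 framing, which adds epoch and sequence number to the record header and message_seq, fragment_offset and fragment_length to the handshake header), and then shows how a TCP-only check reports no ECDH/ECDSA support for the UDP flow while the transport-agnostic check finds it. The ClientHello bytes, the flow records, the small cipher-suite lookup table and the `{'ecdh': ..., 'ecdsa': ...}` classification rule (any ECDHE suite sets `ecdh`, any ECDSA suite sets `ecdsa`) are constructed here to mirror the shape of the log line above; how testrun actually derives those two flags is an assumption.

```python
import struct

# Constructed subset of IANA TLS cipher suite code points (not testrun's table).
CIPHER_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01   # handshake message type


def _client_hello_body(version: int, suites: list[int]) -> bytes:
    """Handshake body shared by TLS and DTLS: version, random, session id, suites, compression."""
    body = struct.pack("!H", version)
    body += bytes(32)                                   # client random (zeros in this constructed sample)
    body += b"\x00"                                     # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    body += b"\x00\x00"                                 # no extensions
    return body


def build_tls_client_hello(suites: list[int]) -> bytes:
    """TLS 1.2 record (5-byte header) carrying a ClientHello (4-byte handshake header)."""
    body = _client_hello_body(0x0303, suites)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def build_dtls_client_hello(suites: list[int]) -> bytes:
    """DTLS 1.2 record (13-byte header) carrying a ClientHello (12-byte handshake header)."""
    body = _client_hello_body(0xFEFD, suites)
    handshake = (bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big")
                 + struct.pack("!H", 0)                 # message_seq
                 + (0).to_bytes(3, "big")               # fragment_offset
                 + len(body).to_bytes(3, "big")         # fragment_length (unfragmented)
                 + body)
    return (bytes([HANDSHAKE]) + struct.pack("!H", 0xFEFD)
            + struct.pack("!H", 0) + bytes(6)           # epoch + 48-bit sequence number
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello_suites(record: bytes) -> list[int]:
    """Return the offered cipher suites from a TLS or DTLS ClientHello record, or [] if it is not one."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return []
    is_dtls = record[1] == 0xFE        # DTLS record versions are 0xFEFF / 0xFEFD / 0xFEFC
    rec_hdr = 13 if is_dtls else 5
    hs_hdr = 12 if is_dtls else 4
    if len(record) < rec_hdr + hs_hdr or record[rec_hdr] != CLIENT_HELLO:
        return []
    try:
        pos = rec_hdr + hs_hdr + 2 + 32                 # skip protocol version and client random
        sid_len = record[pos]
        pos += 1 + sid_len
        suites_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        raw = record[pos:pos + suites_len]
        return [struct.unpack_from("!H", raw, i)[0] for i in range(0, len(raw) - 1, 2)]
    except (IndexError, struct.error):
        return []                                       # truncated or malformed record


def cipher_support(suites: list[int]) -> dict:
    """Constructed classification matching the log's dict shape; testrun's actual rule is an assumption."""
    names = [CIPHER_SUITES.get(s, f"UNKNOWN_0x{s:04X}") for s in suites]
    return {"ecdh": any("ECDHE" in n for n in names),
            "ecdsa": any("ECDSA" in n for n in names)}


def check_flow(flow: dict, tcp_only: bool) -> dict:
    """tcp_only=True reproduces the reported false negative: UDP payloads are never inspected."""
    if tcp_only and flow["transport"] != "tcp":
        return {"ecdh": False, "ecdsa": False}
    return cipher_support(parse_client_hello_suites(flow["payload"]))


# Constructed flows: an RSA-only TCP client and an ECDHE_ECDSA-capable client over UDP (DTLS).
TCP_FLOW = {"src_ip": "10.10.10.15", "dst_ip": "192.158.31.31", "transport": "tcp",
            "payload": build_tls_client_hello([0x009C])}
UDP_FLOW = {"src_ip": "10.10.10.15", "dst_ip": "192.158.31.31", "transport": "udp",
            "payload": build_dtls_client_hello([0xC02B, 0xC02C, 0xC02F])}

if __name__ == "__main__":
    for flow in (TCP_FLOW, UDP_FLOW):
        print(flow["transport"], "tcp_only:", check_flow(flow, tcp_only=True),
              "any transport:", check_flow(flow, tcp_only=False))
```

Run stand-alone, the UDP flow reports `{'ecdh': False, 'ecdsa': False}` under the TCP-only check and `{'ecdh': True, 'ecdsa': True}` once the record itself is parsed, which is the behaviour the report describes. The defensive takeaway is to classify by record content (content type 0x16, version 0x03xx or 0xFExx, handshake type 0x01) and to treat "no ciphers found" for a flow whose transport was skipped as "not assessed", not as a failed check.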