To infer the state machines of implementations of the TLS protocol we used LearnLib, which uses a modified version of Angluin’s L* algorithm. An implementation that is analysed is referred to as the System Under Test (SUT) and is considered to be a black box. LearnLib has to be provided with a list of messages it can send to the SUT (also known as the input alphabet), and a command to reset the SUT to its initial state. A test harness is needed to translate abstract messages from the input alphabet to concrete messages that can be sent to the SUT.
To use LearnLib, we need to fix an input alphabet of messages that can be sent to the SUT. This alphabet is an abstraction of the actual messages sent. In our analyses we use different input alphabets depending on whether we test a client or server, and whether we perform a more limited or more extensive analysis. To test servers we support the following messages: ClientHello (RSA and DHE), Certificate (RSA and empty), ClientKeyExchange, ClientCertificateVerify, ChangeCipherSpec, Finished, ApplicationData (regular and empty), HeartbeatRequest and HeartbeatResponse. To test clients we support the following messages: ServerHello (RSA and DHE), Certificate (RSA and empty), CertificateRequest, ServerKeyExchange, ServerHelloDone, ChangeCipherSpec, Finished, ApplicationData (regular and empty), HeartbeatRequest and HeartbeatResponse.
Below models were learned from real TLS implementations with the learning setup described below.
| Benchmark Name | Model | Inputs/Outputs | States | Transitions | Publications |
|---|---|---|---|---|---|
| GnuTLS 3.3.12 client (full) | dot-file | 12 / 7 | 9 | 108 | [RP15] |
| GnuTLS 3.3.12 client (regular) | dot-file | 8 / 10 | 7 | 56 | [RP15] |
| GnuTLS 3.3.12 server (full) | dot-file | 12 / 12 | 9 | 108 | [RP15] |
| GnuTLS 3.3.12 server (regular) | dot-file | 8 / 10 | 7 | 56 | [RP15] |
| GnuTLS 3.3.8 client (full) | dot-file | 12 / 8 | 15 | 180 | [RP15] |
| GnuTLS 3.3.8 client (regular) | dot-file | 8 / 6 | 11 | 88 | [RP15] |
| GnuTLS 3.3.8 server (full) | dot-file | 11 / 12 | 16 | 176 | [RP15] |
| GnuTLS 3.3.8 server (regular) | dot-file | 8 / 10 | 12 | 96 | [RP15] |
| miTLS 0.1.3 server (regular) | dot-file | 8 / 8 | 6 | 48 | [RP15] |
| NSS 3.17.4 client (full) | dot-file | 12 / 9 | 11 | 132 | [RP15] |
| NSS 3.17.4 client (regular) | dot-file | 8 / 7 | 7 | 56 | [RP15] |
| NSS 3.17.4 server (regular) | dot-file | 8 / 9 | 8 | 64 | [RP15] |
| OpenSSL 1.0.1g client (regular) | dot-file | 7 / 7 | 10 | 70 | [RP15] |
| OpenSSL 1.0.1g server (regular) | dot-file | 7 / 11 | 16 | 112 | [RP15] |
| OpenSSL 1.0.1j client (regular) | dot-file | 7 / 5 | 6 | 42 | [RP15] |
| OpenSSL 1.0.1j server (regular) | dot-file | 7 / 9 | 11 | 77 | [RP15] |
| OpenSSL 1.0.1l client (regular) | dot-file | 7 / 5 | 6 | 42 | [RP15] |
| OpenSSL 1.0.1l server (regular) | dot-file | 7 / 8 | 10 | 70 | [RP15] |
| OpenSSL 1.0.2 client (full) | dot-file | 10 / 6 | 9 | 90 | [RP15] |
| OpenSSL 1.0.2 client (regular) | dot-file | 7 / 5 | 6 | 42 | [RP15] |
| OpenSSL 1.0.2 server (regular) | dot-file | 7 / 7 | 7 | 49 | [RP15] |
| RSA BSAFE C 4.0.4 server (regular) | dot-file | 8 / 11 | 9 | 72 | [RP15] |
| RSA BSAFE Java 6.1.1 server (regular) | dot-file | 8 / 7 | 6 | 48 | [RP15] |
Some of the learned models listed in the table Models of TLS protocols above are shown below :
