Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL

Jingjing Guan; Hui Li; Xiang Dong Li; Xiao Lei Wang; Binghan Wang; Qiuye Wang; Shengchao Qin; Mengda He; Md Armanuzzaman; Ziming Zhao

doi:10.1109/INFOCOM55648.2025.11044576

Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL

Jingjing Guan
, Hui Li
, Xiang Dong Li
, Xiao Lei Wang
, Binghan Wang
, Qiuye Wang
, Shengchao Qin
, Mengda He
, Md Armanuzzaman
, Ziming Zhao

Department of Computer Science and Engineering

Beijing University of Posts and Telecommunications
Zhejiang University
Xidian University
Teesside University
Northeastern University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

The TLS handshake state machine manages the handshake messages exchanged in a session based on the parameters negotiated between the client and the server. Although the TLS 1.3 standard has undergone multiple rounds of analysis and revisions before official release to ensure its security, the process from natural language descriptions to implementations still relies on human expertise and is error-prone. In this paper, we propose a systematic method to conduct equivalence verification between the implementation of the TLS state machine and the standard. We also conduct formal verification of OpenSSL, the extensively utilized open-source TLS implementation for secure communications. Using Cryptol, we model the handshake state machine both from the standards and OpenSSL's implementation to perform its formal verification. Our automatic tool E-Verify performs equivalence verification by comparing the state transition sequences produced by the RFC model and OpenSSL model with all combinations of negotiation parameters. Guided by the verification results, we identify 640 mismatches out of a total of 1,536 scenarios and pinpoint the corresponding negotiation parameter combinations.

Original language	English
Title of host publication	INFOCOM 2025 - IEEE Conference on Computer Communications
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331543051
DOIs	https://doi.org/10.1109/INFOCOM55648.2025.11044576
State	Published - 2025
Event	2025 IEEE Conference on Computer Communications, INFOCOM 2025 - London, United Kingdom Duration: May 19 2025 → May 22 2025

Publication series

Name	Proceedings - IEEE INFOCOM
ISSN (Print)	0743-166X

Conference

Conference	2025 IEEE Conference on Computer Communications, INFOCOM 2025
Country/Territory	United Kingdom
City	London
Period	05/19/25 → 05/22/25

Keywords

Cryptol
formal methods
handshake state machine
SAW
Transport Layer Security

Access to Document

10.1109/INFOCOM55648.2025.11044576

Cite this

Guan, J., Li, H., Li, X. D., Wang, X. L., Wang, B., Wang, Q., Qin, S., He, M., Armanuzzaman, M., & Zhao, Z. (2025). Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL. In INFOCOM 2025 - IEEE Conference on Computer Communications (Proceedings - IEEE INFOCOM). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/INFOCOM55648.2025.11044576

@inproceedings{210ed6c800d9401f862dc41304465dc8,

title = "Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL",

abstract = "The TLS handshake state machine manages the handshake messages exchanged in a session based on the parameters negotiated between the client and the server. Although the TLS 1.3 standard has undergone multiple rounds of analysis and revisions before official release to ensure its security, the process from natural language descriptions to implementations still relies on human expertise and is error-prone. In this paper, we propose a systematic method to conduct equivalence verification between the implementation of the TLS state machine and the standard. We also conduct formal verification of OpenSSL, the extensively utilized open-source TLS implementation for secure communications. Using Cryptol, we model the handshake state machine both from the standards and OpenSSL's implementation to perform its formal verification. Our automatic tool E-Verify performs equivalence verification by comparing the state transition sequences produced by the RFC model and OpenSSL model with all combinations of negotiation parameters. Guided by the verification results, we identify 640 mismatches out of a total of 1,536 scenarios and pinpoint the corresponding negotiation parameter combinations.",

keywords = "Cryptol, formal methods, handshake state machine, SAW, Transport Layer Security",

author = "Jingjing Guan and Hui Li and Li, \{Xiang Dong\} and Wang, \{Xiao Lei\} and Binghan Wang and Qiuye Wang and Shengchao Qin and Mengda He and Md Armanuzzaman and Ziming Zhao",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 2025 IEEE Conference on Computer Communications, INFOCOM 2025 ; Conference date: 19-05-2025 Through 22-05-2025",

year = "2025",

doi = "10.1109/INFOCOM55648.2025.11044576",

language = "English",

series = "Proceedings - IEEE INFOCOM",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "INFOCOM 2025 - IEEE Conference on Computer Communications",

address = "United States",

}

Guan, J, Li, H, Li, XD, Wang, XL, Wang, B, Wang, Q, Qin, S, He, M, Armanuzzaman, M & Zhao, Z 2025, Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL. in INFOCOM 2025 - IEEE Conference on Computer Communications. Proceedings - IEEE INFOCOM, Institute of Electrical and Electronics Engineers Inc., 2025 IEEE Conference on Computer Communications, INFOCOM 2025, London, United Kingdom, 05/19/25. https://doi.org/10.1109/INFOCOM55648.2025.11044576

Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL. / Guan, Jingjing; Li, Hui; Li, Xiang Dong et al.
INFOCOM 2025 - IEEE Conference on Computer Communications. Institute of Electrical and Electronics Engineers Inc., 2025. (Proceedings - IEEE INFOCOM).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL

AU - Guan, Jingjing

AU - Li, Hui

AU - Li, Xiang Dong

AU - Wang, Xiao Lei

AU - Wang, Binghan

AU - Wang, Qiuye

AU - Qin, Shengchao

AU - He, Mengda

AU - Armanuzzaman, Md

AU - Zhao, Ziming

PY - 2025

Y1 - 2025

N2 - The TLS handshake state machine manages the handshake messages exchanged in a session based on the parameters negotiated between the client and the server. Although the TLS 1.3 standard has undergone multiple rounds of analysis and revisions before official release to ensure its security, the process from natural language descriptions to implementations still relies on human expertise and is error-prone. In this paper, we propose a systematic method to conduct equivalence verification between the implementation of the TLS state machine and the standard. We also conduct formal verification of OpenSSL, the extensively utilized open-source TLS implementation for secure communications. Using Cryptol, we model the handshake state machine both from the standards and OpenSSL's implementation to perform its formal verification. Our automatic tool E-Verify performs equivalence verification by comparing the state transition sequences produced by the RFC model and OpenSSL model with all combinations of negotiation parameters. Guided by the verification results, we identify 640 mismatches out of a total of 1,536 scenarios and pinpoint the corresponding negotiation parameter combinations.

AB - The TLS handshake state machine manages the handshake messages exchanged in a session based on the parameters negotiated between the client and the server. Although the TLS 1.3 standard has undergone multiple rounds of analysis and revisions before official release to ensure its security, the process from natural language descriptions to implementations still relies on human expertise and is error-prone. In this paper, we propose a systematic method to conduct equivalence verification between the implementation of the TLS state machine and the standard. We also conduct formal verification of OpenSSL, the extensively utilized open-source TLS implementation for secure communications. Using Cryptol, we model the handshake state machine both from the standards and OpenSSL's implementation to perform its formal verification. Our automatic tool E-Verify performs equivalence verification by comparing the state transition sequences produced by the RFC model and OpenSSL model with all combinations of negotiation parameters. Guided by the verification results, we identify 640 mismatches out of a total of 1,536 scenarios and pinpoint the corresponding negotiation parameter combinations.

KW - Cryptol

KW - formal methods

KW - handshake state machine

KW - SAW

KW - Transport Layer Security

UR - https://www.scopus.com/pages/publications/105011072510

U2 - 10.1109/INFOCOM55648.2025.11044576

DO - 10.1109/INFOCOM55648.2025.11044576

M3 - Conference contribution

AN - SCOPUS:105011072510

T3 - Proceedings - IEEE INFOCOM

BT - INFOCOM 2025 - IEEE Conference on Computer Communications

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2025 IEEE Conference on Computer Communications, INFOCOM 2025

Y2 - 19 May 2025 through 22 May 2025

ER -

Formally Verifying the State Machine of TLS 1.3 Handshake in OpenSSL

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this