From a159ecdd10b23b8889c9496924086383656873b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Eng=C3=A9libert?=
Date: Fri, 27 Feb 2026 13:48:14 +0100
Subject: [PATCH] Client uses userland certs
---
README.md | 2 +-
crawler.py | 33 +++++++++++++++++++++++++++------
exp.py | 16 +++++++++-------
3 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 5efbf40..884f9f4 100644
--- a/README.md
+++ b/README.md
@@ -375,7 +375,7 @@ oarsub -q default -l host=2,walltime=2 -I # Let's call them p1 and p2 ping p2 # Note p2 addr to exp.py -pip3 install fabric +pip3 install fabric --break-system-packages python exp.py make g5k -c python exp.py send g5k
diff --git a/crawler.py b/crawler.py
index 89f932c..60f42cc 100644
--- a/crawler.py
+++ b/crawler.py
@@ -8,7 +8,8 @@ CAPTURES = { "written_bytes": "SSL handshake has read \\d+ bytes and written (\\d+) bytes\n", "cert_sig": "Peer signature type: ([a-zA-Z0-9_.-]+)\n", "cert_pk_size": "Server public key is (\\d+) bit\n", - "kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_.-]+)(?:\n|,)", + #"kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_.-]+)(?:\n|,)", + "kx": "(?:Negotiated TLS1\\.3 group|Peer Temp Key): ([a-zA-Z0-9_., -]+)\n", "cipher": "Cipher is ([a-zA-Z0-9_.-]+)\n", "protocol": "Protocol: ([a-zA-Z0-9_.-]+)\n", }
@@ -106,7 +107,12 @@ if __name__ == "__main__": "none": 0, "x25519mlkem768": 0, "x25519": 0, - "rsa": 0, + "rsa2048": 0, + "rsa3072": 0, + "rsa4096": 0, + "secp256r1": 0, + "secp384r1": 0, + "secp521r1": 0, }, "version": { "none": 0,
@@ -134,6 +140,7 @@ if __name__ == "__main__": except StopIteration: pass #print("Not found:", line, r) + if "cert_sig" not in domain_stats: summary["cert"]["none"] += 1 elif domain_stats["cert_sig"] == "ecdsa_secp256r1_sha256": 
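Review bot: The old `kx` pattern is kept as a commented-out line directly above its replacement in CAPTURES; commented-out code belongs to the git history, so delete it or turn it into a one-line comment saying what changed. The widened class `[a-zA-Z0-9_., -]+` now captures the whole s_client description (`X25519, 253 bits`, `ECDH, prime256v1, 256 bits`), and the classifier later in crawler.py compares that value against exact string literals, so the two places are tightly coupled without saying so. A comment on the new line such as `# captures the full "<group>, <n> bits" text; the summary code compares it verbatim` would make that visible to whoever next touches either side. The CAPTURES dict starts and ends outside the hunk.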
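Review bot: The new `rsa2048`/`rsa3072`/`rsa4096` keys in `summary["kx"]` are incremented from `Peer Temp Key: DH, N bits` values (see the later crawler.py hunk in this commit), i.e. ephemeral finite-field Diffie-Hellman, not RSA key exchange, so the label misattributes the key-exchange algorithm in the published statistics. Renaming them `dh2048`/`dh3072`/`dh4096` here and at the three increments in the later hunk, or if the output format must stay, adding `# "rsaNNNN" = DHE with an N-bit group (s_client "Peer Temp Key: DH, N bits"), not RSA key exchange` next to the first of them, would prevent a wrong conclusion about forward secrecy. If I recall s_client's output correctly, a TLS 1.2 handshake using static RSA key transport prints no temp-key line at all, so it is counted under `none` together with failed handshakes; a comment on `"none"` is worthwhile if that distinction matters to the survey. The enclosing summary dict starts and ends outside the hunk.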
@@ -144,6 +151,7 @@ if __name__ == "__main__": summary["cert"]["secp521r1"] += 1 elif "rsa" in domain_stats["cert_sig"]: summary["cert"]["rsa{}".format(domain_stats["cert_pk_size"])] += 1 + if "cipher" not in domain_stats: summary["cipher"]["none"] += 1 elif "AES_128" in domain_stats["cipher"] or "AES128" in domain_stats["cipher"]:
@@ -152,21 +160,34 @@ if __name__ == "__main__": summary["cipher"]["aes256"] += 1 elif "CHACHA20" in domain_stats["cipher"]: summary["cipher"]["chacha20"] += 1 + if "kx" not in domain_stats: summary["kx"]["none"] += 1 elif domain_stats["kx"] == "X25519MLKEM768": summary["kx"]["x25519mlkem768"] += 1 - elif domain_stats["kx"] == "X25519" or domain_stats["kx"] == "ECDH": + elif domain_stats["kx"] == "X25519, 253 bits": summary["kx"]["x25519"] += 1 - elif domain_stats["kx"] == "DH": - summary["kx"]["rsa"] += 1 + elif domain_stats["kx"] == "DH, 2048 bits": + summary["kx"]["rsa2048"] += 1 + elif domain_stats["kx"] == "DH, 3072 bits": + summary["kx"]["rsa3072"] += 1 + elif domain_stats["kx"] == "DH, 4096 bits": + summary["kx"]["rsa4096"] += 1 + elif domain_stats["kx"] == "ECDH, prime256v1, 256 bits": + summary["kx"]["secp256r1"] += 1 + elif domain_stats["kx"] == "ECDH, secp384r1, 384 bits": + summary["kx"]["secp384r1"] += 1 + elif domain_stats["kx"] == "ECDH, secp521r1, 521 bits": + summary["kx"]["secp521r1"] += 1 + if "protocol" not in domain_stats: summary["version"]["none"] += 1 elif domain_stats["protocol"] == "TLSv1.3": summary["version"]["1.3"] += 1 elif domain_stats["protocol"] == "TLSv1.2": summary["version"]["1.2"] += 1 - #if "kx" in domain_stats and domain_stats["kx"] == "DH": + + #if "kx" in domain_stats and domain_stats["kx"] == "ECDH": # print(c[domain]) # exit(0) if "-t" in sys.argv: # text output
diff --git a/exp.py b/exp.py
index e8064d2..c7c8caf 100644
--- a/exp.py
+++ b/exp.py
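Review bot: A `kx` value that matches none of the new exact-string branches (a `DH, 1024 bits` or `ECDH, secp256k1, 256 bits` response, for instance) is silently dropped from every bucket, so the `summary["kx"]` counts no longer add up to the number of domains, and the weak or unusual groups that matter most for a survey are exactly the ones that disappear; the replaced `"ECDH"`/`"DH"` comparisons at least caught every curve and group size. Add a terminal `else:` that does `summary["kx"]["other"] += 1` (with `"other": 0` added to the dict initialised in the earlier crawler.py hunk) and ideally logs `domain_stats["kx"]` so new labels can be added to the table. The exact strings also pin the crawler to one OpenSSL output format, which the edited debug comment at the end of the hunk suggests the author has already run into; a `startswith("DH, ")` / `startswith("ECDH, ")` split with the bit size parsed from the string would be more robust. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.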
@@ -390,9 +390,9 @@ EXPERIMENTS = { "AES_128_GCM_SHA256", "AES_256_GCM_SHA384", "CHACHA20_POLY1305_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384", + #"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", ], "kexes": ["X25519"], "cert": ["prime256v1"],
@@ -403,7 +403,7 @@ EXPERIMENTS = { "impls": IMPLS, "ciphers": [ "AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", ], "kexes": ["X25519"], "cert": [
@@ -420,7 +420,7 @@ EXPERIMENTS = { "impls": IMPLS, "ciphers": [ "AES_128_GCM_SHA256", - "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", + #"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", ], "kexes": [ "X25519",
@@ -640,7 +640,7 @@ def run_netreplay_server(ssh, exp_dir, repo_dir, record, listen_addr, listen_por print(cmdline) return ssh_run_bg(ssh, cmdline, env) -def run_netreplay_client(ssh, exp_dir, repo_dir, record, remote_addr, remote_port, tls, impl, only_record=None, ciphers=None, kexes=None, earlydata="0", debug=False, notify_addr=None): +def run_netreplay_client(ssh, exp_dir, repo_dir, record, remote_addr, remote_port, tls, impl, certs_dir, only_record=None, ciphers=None, kexes=None, earlydata="0", debug=False, notify_addr=None): if exp_dir[-1] != "/": exp_dir += "/" repo_dir = repo_dir.removesuffix("/") 
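Review bot: The three TLS 1.2 cipher-suite entries are commented out in place rather than removed, and nothing in the list, the commit message or the two later hunks at 403 and 420 that do the same says why, so a reader of EXPERIMENTS cannot tell whether TLS 1.2 coverage was dropped deliberately or only for the moment. Either delete the lines (the history keeps them) or replace the three comments with one line such as `# TLS 1.2 suites disabled: <reason, e.g. not exercised with the new certificate setup>`, and apply the same to the two later hunks. The EXPERIMENTS dict starts and ends outside the hunk.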
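Review bot: `certs_dir` is inserted as a required positional parameter between `impl` and the keyword defaults of run_netreplay_client, so any caller that passes `only_record` or later arguments positionally now has its arguments shifted by one without a type error; the two call sites in run_exp are updated in this commit, but any caller outside this patch would break silently. Passing it by keyword at the call sites, or making it keyword-only (`impl, *, certs_dir, only_record=None, ...`), would make the contract explicit. The function also has no docstring; a one-line one naming `certs_dir` as the directory handed to netreplay via `--certs` would help. The function body continues past the hunk.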
@@ -649,7 +649,7 @@ def run_netreplay_client(ssh, exp_dir, repo_dir, record, remote_addr, remote_por env["CIPHERS"] = ciphers if kexes: env["KEXES"] = kexes - cmd = [repo_dir+"/netreplay"+("" if impl == None else ("-"+impl)), repo_dir+"/records/"+record["filename"], "client", remote_addr, str(remote_port), "-r", str(record["repeat"])] + cmd = [repo_dir+"/netreplay"+("" if impl == None else ("-"+impl)), repo_dir+"/records/"+record["filename"], "client", remote_addr, str(remote_port), "-r", str(record["repeat"]), "--certs", certs_dir] if debug: cmd.append("-d") if tls:
@@ -864,6 +864,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): config["listen_port"], tls, impl, + certs_dir, only_record=only_record, ciphers=cipher, kexes=kex,
@@ -896,6 +897,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False): config["listen_port"], tls, None, + certs_dir, only_record=only_record, ciphers=cipher, kexes=kex,
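Review bot: `certs_dir` goes into `cmd` unchecked, while the neighbouring path arguments are normalised (`repo_dir.removesuffix("/")` just above the hunk) and every other element of the list is already a string, so a `None` or non-string `certs_dir` only fails later, when the list is turned into `cmdline`. A guard before the list is built, `if not certs_dir: raise ValueError("certs_dir is required for the netreplay client")`, would fail at the call with a clear message. If `cmdline` is produced by joining `cmd` with spaces for the remote shell (the server counterpart prints a `cmdline` string), a path containing spaces or shell metacharacters would also be split by the remote shell; quoting it with `shlex.quote` at the join, or here, keeps the argument intact. The function body starts and ends outside the hunk.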
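Review bot: `certs_dir` is passed positionally as the ninth argument of a run_netreplay_client call, so nothing in the call distinguishes it from `impl` (or from `None` in the next hunk at 896) except its position. Passing it as `certs_dir=certs_dir`, as the following `only_record=`, `ciphers=` and `kexes=` arguments already are, would make both call sites self-describing and immune to further signature reordering. I cannot see where `certs_dir` is bound inside run_exp; if it comes from `config`, a missing key surfaces only when the client is launched, so a check at the point of assignment may be worthwhile. The run_exp body starts and ends outside both hunks.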