openbsd/src/regress/lib/libssl/interop, branch libressl-v3.2.5

openbsd/src/regress/lib/libssl/interop, branch libressl-v3.2.5 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.2.5 2020-09-21T15:13:24+00:00 1) Move the interop tests to the end so we see tlsfuzzer first 2020-09-21T15:13:24+00:00 beck 2020-09-21T15:13:24+00:00 urn:sha1:9d558960cf920187dcf488f05a3decde546bbddc 2) Reorder the interop tests so the really slow "cert" test is at the end 3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination of client and server that does not involve libressl. This way we can skip testing openssl to openssl11 when running these manually by setting REGRESS_SKIP_SLOW to "yet" in mk.conf ok jsing@ Test botan TLS client with libressl, openssl, openssl11 server. 2020-09-15T01:45:16+00:00 bluhm 2020-09-15T01:45:16+00:00 urn:sha1:99c305e9a1574d8ffff5ba4752c88b964c0fafbd Connect a client to a server. Both can be current libressl, or 2020-09-14T00:51:04+00:00 bluhm 2020-09-14T00:51:04+00:00 urn:sha1:407ed00262824449401bb81ab8981bc63ea02280 openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS version number. Incompatible versions must fail. Check that client and server have used correct version by grepping in their session print out. If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefers 2020-09-12T15:48:30+00:00 bluhm 2020-09-12T15:48:30+00:00 urn:sha1:e0ab7f11dbb9b75ca3e654c6a2b285049e1c7afc chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers. Enable cert and cipher interop tests. cert just works. cipher has 2020-09-11T22:48:00+00:00 bluhm 2020-09-11T22:48:00+00:00 urn:sha1:66b3b0fa0e26b882333bdd906d8811b1f4094144 been fixed to work with libressl TLS 1.3. Both libressl and openssl11 replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects that now. Currently GOST does not work with libressl and TLS 1.3 and is disabled. Revise regress for TLSv1.3 server being enabled. 2020-05-11T18:20:24+00:00 jsing 2020-05-11T18:20:24+00:00 urn:sha1:9cb614ecfae85e33f73e37c50b4b124384f3403e Disable cert interop tests for now. 2020-01-25T16:10:32+00:00 jsing 2020-01-25T16:10:32+00:00 urn:sha1:7d21cbd7f1e56eb8ddf1d70461ed852a17e87e91 The libressl TLSv1.3 client and server currently lack client certificate authentication support and this test expects all clients can auth with all servers. We can likely turn this back on in the near future. Actually disable cipher interop tests. 2020-01-25T16:09:05+00:00 jsing 2020-01-25T16:09:05+00:00 urn:sha1:2de79ce59f152afc2bd7f8ebf2d6e99265f6df6f Disable the cipher interop tests. 2020-01-25T16:08:25+00:00 jsing 2020-01-25T16:08:25+00:00 urn:sha1:56946132136f68c15473210cddc908c241274b83 These make far too many assumptions about cipher suites - TLSv1.3 cipher suites can only be used with TLSv1.3 and there is tests using TLSv1.3 cipher suites with TLSv1.2 will not work. Likewise, expecting TLSv1.2 cipher suites to work with TLSv1.3 is futile. Additionally, eopenssl11 lists TLSv1.3 cipher suites with different names to libressl. Futher work will be necessary before this can be re-enabled. Accept both TLSv1.2 and TLSv1.3 protocols for netcat. 2020-01-25T16:03:31+00:00 jsing 2020-01-25T16:03:31+00:00 urn:sha1:c8f22637e2e0244253a8ef175e56c99345346a71 This can potentially be improved by adding knowledge about which libraries support which versions and handle differences between clients and servers.