author | beck <> | 2023-07-02 17:21:33 +0000 |
---|---|---|
committer | beck <> | 2023-07-02 17:21:33 +0000 |
commit | 4edd92a57f3a74829fe519f35b5c7c79e03ce0b0 (patch) | |
tree | 33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src/regress/lib/libssl/ssl/testssl | |
parent | 4536f2834a091e2b67ca99b59dc364c7ccc30a4b (diff) | |
download | openbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.tar.gz openbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.tar.bz2 openbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.zip |
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since passed, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled until jsing fixes them.
ok jsing@ tb@
Diffstat (limited to 'src/regress/lib/libssl/ssl/testssl')
-rw-r--r-- | src/regress/lib/libssl/ssl/testssl | 36 |
1 files changed, 17 insertions, 19 deletions
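--- a/src/regress/lib/libssl/ssl/testssl
+++ b/src/regress/lib/libssl/ssl/testssl
@@ -95,8 +95,7 @@ done
 if $openssl no-dh; then
 echo skipping anonymous DH tests
 else
-echo test tls1 with 1024bit anonymous DH, multiple handshakes
-$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+echo skipping tls1 tests.
 fi
 
 #if $openssl no-rsa; then
@@ -117,17 +116,16 @@ fi
 # DTLS tests
 #
 
-echo test dtlsv1
-$ssltest -dtls1 $extra || exit 1
+$ssltest -dtls1_2 $extra || exit 1
 
-echo test dtlsv1 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+echo test dtlsv1_2 with server authentication
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
 
-echo test dtlsv1 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with client authentication
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
 
-echo test dtlsv1 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with both client and server authentication
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
 
 echo "Testing DTLS ciphersuites"
 for protocol in SSLv3; do
@@ -136,7 +134,7 @@ for protocol in SSLv3; do
 awk "/ $protocol / { print \\$1 }" |
 grep -v RC4`; do
 echo "Testing $cipher"
-$ssltest -cipher $cipher -dtls1
+$ssltest -cipher $cipher -dtls1_2
 if [ $? -ne 0 ] ; then
 echo "Failed $cipher"
 exit 1
@@ -148,17 +146,17 @@ done
 # ALPN tests
 #
 echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
 -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
 -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1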
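Review bot: The first DTLS test at new line 119 replaced the `echo test dtlsv1` announcement with the command itself, so `$ssltest -dtls1_2 $extra || exit 1` now runs silently while the sibling tests at new lines 121–128 still announce themselves; when it fails, the bare `exit 1` gives no indication which case tripped. Restore the header with `echo test dtlsv1_2` on the line before it. In the first hunk, the `else` branch of `if $openssl no-dh` now holds only `echo skipping tls1 tests.`, which is printed only when DH is available and does not say what coverage was dropped (the anonymous DH multi-handshake case); consider removing the now-empty conditional or wording the message as `echo skipping anonymous DH tests, TLS 1.0 is no longer supported`. The DTLS ciphersuite loop in the third hunk still selects ciphers tagged SSLv3 while driving `-dtls1_2`, which presumably leaves the TLS 1.2-only suites unexercised under DTLS; that predates this commit but is worth revisiting now that the legacy protocols are gone.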