diff options
| author | beck <> | 2023-07-02 17:21:33 +0000 |
|---|---|---|
| committer | beck <> | 2023-07-02 17:21:33 +0000 |
| commit | ddcb4efd6551a982bf29b2e8e83c9c808a1670dc (patch) | |
| tree | 33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src/regress/lib/libssl/tls/tlstest.c | |
| parent | 025f3b8ef1e0ff3017dd0079925fbf85f15a6d22 (diff) | |
| download | openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.gz openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.bz2 openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.zip | |
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since past, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled util jsing fixes them.
ok jsing@ tb@
Diffstat (limited to '')
| -rw-r--r-- | src/regress/lib/libssl/tls/tlstest.c | 78 |
1 files changed, 1 insertions, 77 deletions
diff --git a/src/regress/lib/libssl/tls/tlstest.c b/src/regress/lib/libssl/tls/tlstest.c index 5c72717e6e..8154e7576c 100644 --- a/src/regress/lib/libssl/tls/tlstest.c +++ b/src/regress/lib/libssl/tls/tlstest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */ | 1 | /* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -245,14 +245,6 @@ static const struct tls_test tls_tests[] = { | |||
| 245 | .server_max_version = TLS1_2_VERSION, | 245 | .server_max_version = TLS1_2_VERSION, |
| 246 | }, | 246 | }, |
| 247 | { | 247 | { |
| 248 | .desc = "Default client and TLSv1.1 server", | ||
| 249 | .server_max_version = TLS1_1_VERSION, | ||
| 250 | }, | ||
| 251 | { | ||
| 252 | .desc = "Default client and TLSv1.0 server", | ||
| 253 | .server_max_version = TLS1_VERSION, | ||
| 254 | }, | ||
| 255 | { | ||
| 256 | .desc = "Default client and default server with ECDHE KEX", | 248 | .desc = "Default client and default server with ECDHE KEX", |
| 257 | .server_ciphers = "ECDHE-RSA-AES128-SHA", | 249 | .server_ciphers = "ECDHE-RSA-AES128-SHA", |
| 258 | }, | 250 | }, |
| @@ -262,16 +254,6 @@ static const struct tls_test tls_tests[] = { | |||
| 262 | .server_ciphers = "ECDHE-RSA-AES128-SHA", | 254 | .server_ciphers = "ECDHE-RSA-AES128-SHA", |
| 263 | }, | 255 | }, |
| 264 | { | 256 | { |
| 265 | .desc = "Default client and TLSv1.1 server with ECDHE KEX", | ||
| 266 | .server_max_version = TLS1_1_VERSION, | ||
| 267 | .server_ciphers = "ECDHE-RSA-AES128-SHA", | ||
| 268 | }, | ||
| 269 | { | ||
| 270 | .desc = "Default client and TLSv1.0 server with ECDHE KEX", | ||
| 271 | .server_max_version = TLS1_VERSION, | ||
| 272 | .server_ciphers = "ECDHE-RSA-AES128-SHA", | ||
| 273 | }, | ||
| 274 | { | ||
| 275 | .desc = "Default client and default server with DHE KEX", | 257 | .desc = "Default client and default server with DHE KEX", |
| 276 | .server_ciphers = "DHE-RSA-AES128-SHA", | 258 | .server_ciphers = "DHE-RSA-AES128-SHA", |
| 277 | }, | 259 | }, |
| @@ -281,16 +263,6 @@ static const struct tls_test tls_tests[] = { | |||
| 281 | .server_ciphers = "DHE-RSA-AES128-SHA", | 263 | .server_ciphers = "DHE-RSA-AES128-SHA", |
| 282 | }, | 264 | }, |
| 283 | { | 265 | { |
| 284 | .desc = "Default client and TLSv1.1 server with DHE KEX", | ||
| 285 | .server_max_version = TLS1_1_VERSION, | ||
| 286 | .server_ciphers = "DHE-RSA-AES128-SHA", | ||
| 287 | }, | ||
| 288 | { | ||
| 289 | .desc = "Default client and TLSv1.0 server with DHE KEX", | ||
| 290 | .server_max_version = TLS1_VERSION, | ||
| 291 | .server_ciphers = "DHE-RSA-AES128-SHA", | ||
| 292 | }, | ||
| 293 | { | ||
| 294 | .desc = "Default client and default server with RSA KEX", | 266 | .desc = "Default client and default server with RSA KEX", |
| 295 | .server_ciphers = "AES128-SHA", | 267 | .server_ciphers = "AES128-SHA", |
| 296 | }, | 268 | }, |
| @@ -300,72 +272,24 @@ static const struct tls_test tls_tests[] = { | |||
| 300 | .server_ciphers = "AES128-SHA", | 272 | .server_ciphers = "AES128-SHA", |
| 301 | }, | 273 | }, |
| 302 | { | 274 | { |
| 303 | .desc = "Default client and TLSv1.1 server with RSA KEX", | ||
| 304 | .server_max_version = TLS1_1_VERSION, | ||
| 305 | .server_ciphers = "AES128-SHA", | ||
| 306 | }, | ||
| 307 | { | ||
| 308 | .desc = "Default client and TLSv1.0 server with RSA KEX", | ||
| 309 | .server_max_version = TLS1_VERSION, | ||
| 310 | .server_ciphers = "AES128-SHA", | ||
| 311 | }, | ||
| 312 | { | ||
| 313 | .desc = "TLSv1.2 client and default server", | 275 | .desc = "TLSv1.2 client and default server", |
| 314 | .client_max_version = TLS1_2_VERSION, | 276 | .client_max_version = TLS1_2_VERSION, |
| 315 | }, | 277 | }, |
| 316 | { | 278 | { |
| 317 | .desc = "TLSv1.1 client and default server", | ||
| 318 | .client_max_version = TLS1_1_VERSION, | ||
| 319 | }, | ||
| 320 | { | ||
| 321 | .desc = "TLSv1.0 client and default server", | ||
| 322 | .client_max_version = TLS1_VERSION, | ||
| 323 | }, | ||
| 324 | { | ||
| 325 | .desc = "TLSv1.2 client and default server with ECDHE KEX", | 279 | .desc = "TLSv1.2 client and default server with ECDHE KEX", |
| 326 | .client_max_version = TLS1_2_VERSION, | 280 | .client_max_version = TLS1_2_VERSION, |
| 327 | .client_ciphers = "ECDHE-RSA-AES128-SHA", | 281 | .client_ciphers = "ECDHE-RSA-AES128-SHA", |
| 328 | }, | 282 | }, |
| 329 | { | 283 | { |
| 330 | .desc = "TLSv1.1 client and default server with ECDHE KEX", | ||
| 331 | .client_max_version = TLS1_1_VERSION, | ||
| 332 | .client_ciphers = "ECDHE-RSA-AES128-SHA", | ||
| 333 | }, | ||
| 334 | { | ||
| 335 | .desc = "TLSv1.0 client and default server with ECDHE KEX", | ||
| 336 | .client_max_version = TLS1_VERSION, | ||
| 337 | .client_ciphers = "ECDHE-RSA-AES128-SHA", | ||
| 338 | }, | ||
| 339 | { | ||
| 340 | .desc = "TLSv1.2 client and default server with DHE KEX", | 284 | .desc = "TLSv1.2 client and default server with DHE KEX", |
| 341 | .server_max_version = TLS1_2_VERSION, | 285 | .server_max_version = TLS1_2_VERSION, |
| 342 | .client_ciphers = "DHE-RSA-AES128-SHA", | 286 | .client_ciphers = "DHE-RSA-AES128-SHA", |
| 343 | }, | 287 | }, |
| 344 | { | 288 | { |
| 345 | .desc = "TLSv1.1 client and default server with DHE KEX", | ||
| 346 | .client_max_version = TLS1_1_VERSION, | ||
| 347 | .client_ciphers = "DHE-RSA-AES128-SHA", | ||
| 348 | }, | ||
| 349 | { | ||
| 350 | .desc = "TLSv1.0 client and default server with DHE KEX", | ||
| 351 | .client_max_version = TLS1_VERSION, | ||
| 352 | .client_ciphers = "DHE-RSA-AES128-SHA", | ||
| 353 | }, | ||
| 354 | { | ||
| 355 | .desc = "TLSv1.2 client and default server with RSA KEX", | 289 | .desc = "TLSv1.2 client and default server with RSA KEX", |
| 356 | .client_max_version = TLS1_2_VERSION, | 290 | .client_max_version = TLS1_2_VERSION, |
| 357 | .client_ciphers = "AES128-SHA", | 291 | .client_ciphers = "AES128-SHA", |
| 358 | }, | 292 | }, |
| 359 | { | ||
| 360 | .desc = "TLSv1.1 client and default server with RSA KEX", | ||
| 361 | .client_max_version = TLS1_1_VERSION, | ||
| 362 | .client_ciphers = "AES128-SHA", | ||
| 363 | }, | ||
| 364 | { | ||
| 365 | .desc = "TLSv1.0 client and default server with RSA KEX", | ||
| 366 | .client_max_version = TLS1_VERSION, | ||
| 367 | .client_ciphers = "AES128-SHA", | ||
| 368 | }, | ||
| 369 | }; | 293 | }; |
| 370 | 294 | ||
| 371 | #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests)) | 295 | #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests)) |