summaryrefslogtreecommitdiff
path: root/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
diff options
context:
space:
mode:
authorbeck <>2023-07-02 17:21:33 +0000
committerbeck <>2023-07-02 17:21:33 +0000
commit4edd92a57f3a74829fe519f35b5c7c79e03ce0b0 (patch)
tree33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
parent4536f2834a091e2b67ca99b59dc364c7ccc30a4b (diff)
downloadopenbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.tar.gz
openbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.tar.bz2
openbsd-4edd92a57f3a74829fe519f35b5c7c79e03ce0b0.zip
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
Diffstat (limited to '')
-rw-r--r--src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py43
1 files changed, 37 insertions, 6 deletions
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 2953320c1d..aa7e384e1f 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
1# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $ 1# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
2# 2#
3# Copyright (c) 2020 Theo Buehler <tb@openbsd.org> 3# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4# 4#
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
323tls12_exclude_legacy_protocols = [ 323tls12_exclude_legacy_protocols = [
324 # all these have BIO_read timeouts against TLSv1.3 324 # all these have BIO_read timeouts against TLSv1.3
325 "-e", "Protocol (3, 0)", 325 "-e", "Protocol (3, 0)",
326 "-e", "Protocol (3, 1)",
327 "-e", "Protocol (3, 2)",
326 "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", 328 "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
327 # the following only fail with TLSv1.3 329 # the following only fail with TLSv1.3
328 "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", 330 "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
331 "-e", "Protocol (3, 1) with x448 group", 333 "-e", "Protocol (3, 1) with x448 group",
332 "-e", "Protocol (3, 2) with x448 group", 334 "-e", "Protocol (3, 2) with x448 group",
333 "-e", "Protocol (3, 3) with x448 group", 335 "-e", "Protocol (3, 3) with x448 group",
336 # These don't work without TLSv1.0 and TLSv1.1
337 "-e", "Protocol (3, 1) with secp256r1 group",
338 "-e", "Protocol (3, 1) with secp384r1 group",
339 "-e", "Protocol (3, 1) with secp521r1 group",
340 "-e", "Protocol (3, 1) with x25519 group",
341 "-e", "Protocol (3, 2) with secp256r1 group",
342 "-e", "Protocol (3, 2) with secp384r1 group",
343 "-e", "Protocol (3, 2) with secp521r1 group",
344 "-e", "Protocol (3, 2) with x25519 group",
334] 345]
335 346
336tls12_tests = TestGroup("TLSv1.2 tests", [ 347tls12_tests = TestGroup("TLSv1.2 tests", [
337 # Tests that pass as they are. 348 # Tests that pass as they are.
338 Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
339 Test("test-aes-gcm-nonces.py"), 349 Test("test-aes-gcm-nonces.py"),
340 Test("test-chacha20.py"),
341 Test("test-connection-abort.py"), 350 Test("test-connection-abort.py"),
342 Test("test-conversation.py"), 351 Test("test-conversation.py"),
343 Test("test-cve-2016-2107.py"), 352 Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
386 ] 395 ]
387 ), 396 ),
388 Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), 397 Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
389 Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]), 398 Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
390 Test( 399 Test(
391 "test-downgrade-protection.py", 400 "test-downgrade-protection.py",
392 tls12_args = ["--server-max-protocol", "TLSv1.2"], 401 tls12_args = ["--server-max-protocol", "TLSv1.2"],
393 tls13_args = ["--server-max-protocol", "TLSv1.3"], 402 tls13_args = [
403 "--server-max-protocol", "TLSv1.3",
404 "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
405 "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
406 ]
407 ),
408 Test(
409 "test-fallback-scsv.py",
410 tls13_args = [
411 "--tls-1.3",
412 "-e", "FALLBACK - hello TLSv1.1 - pos 0",
413 "-e", "FALLBACK - hello TLSv1.1 - pos 1",
414 "-e", "FALLBACK - hello TLSv1.1 - pos 2",
415 "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
416 "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
417 "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
418 "-e", "record TLSv1.1 hello TLSv1.1",
419 "-e", "sanity - TLSv1.1",
420 ]
394 ), 421 ),
395 Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
396 422
397 Test("test-invalid-compression-methods.py", [ 423 Test("test-invalid-compression-methods.py", [
398 "-x", "invalid compression methods", 424 "-x", "invalid compression methods",
@@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
412 Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), 438 Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
413 439
414 Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), 440 Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
441
442 Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
415]) 443])
416 444
417tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ 445tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
@@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
549 577
550 # x448 tests need disabling plus x25519 corner cases need sorting out 578 # x448 tests need disabling plus x25519 corner cases need sorting out
551 Test("test-x25519.py"), 579 Test("test-x25519.py"),
580
581 # Needs TLS 1.0 or 1.1
582 Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
552]) 583])
553 584
554tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [ 585tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [