diff options
| author | beck <> | 2023-07-02 17:21:33 +0000 |
|---|---|---|
| committer | beck <> | 2023-07-02 17:21:33 +0000 |
| commit | ddcb4efd6551a982bf29b2e8e83c9c808a1670dc (patch) | |
| tree | 33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src/regress/lib/libssl/tlsfuzzer | |
| parent | 025f3b8ef1e0ff3017dd0079925fbf85f15a6d22 (diff) | |
| download | openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.gz openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.bz2 openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.zip | |
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since past, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled util jsing fixes them.
ok jsing@ tb@
Diffstat (limited to 'src/regress/lib/libssl/tlsfuzzer')
| -rw-r--r-- | src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 43 |
1 files changed, 37 insertions, 6 deletions
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py index 2953320c1d..aa7e384e1f 100644 --- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py +++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $ | 1 | # $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $ |
| 2 | # | 2 | # |
| 3 | # Copyright (c) 2020 Theo Buehler <tb@openbsd.org> | 3 | # Copyright (c) 2020 Theo Buehler <tb@openbsd.org> |
| 4 | # | 4 | # |
| @@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [ | |||
| 323 | tls12_exclude_legacy_protocols = [ | 323 | tls12_exclude_legacy_protocols = [ |
| 324 | # all these have BIO_read timeouts against TLSv1.3 | 324 | # all these have BIO_read timeouts against TLSv1.3 |
| 325 | "-e", "Protocol (3, 0)", | 325 | "-e", "Protocol (3, 0)", |
| 326 | "-e", "Protocol (3, 1)", | ||
| 327 | "-e", "Protocol (3, 2)", | ||
| 326 | "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", | 328 | "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", |
| 327 | # the following only fail with TLSv1.3 | 329 | # the following only fail with TLSv1.3 |
| 328 | "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", | 330 | "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", |
| @@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [ | |||
| 331 | "-e", "Protocol (3, 1) with x448 group", | 333 | "-e", "Protocol (3, 1) with x448 group", |
| 332 | "-e", "Protocol (3, 2) with x448 group", | 334 | "-e", "Protocol (3, 2) with x448 group", |
| 333 | "-e", "Protocol (3, 3) with x448 group", | 335 | "-e", "Protocol (3, 3) with x448 group", |
| 336 | # These don't work without TLSv1.0 and TLSv1.1 | ||
| 337 | "-e", "Protocol (3, 1) with secp256r1 group", | ||
| 338 | "-e", "Protocol (3, 1) with secp384r1 group", | ||
| 339 | "-e", "Protocol (3, 1) with secp521r1 group", | ||
| 340 | "-e", "Protocol (3, 1) with x25519 group", | ||
| 341 | "-e", "Protocol (3, 2) with secp256r1 group", | ||
| 342 | "-e", "Protocol (3, 2) with secp384r1 group", | ||
| 343 | "-e", "Protocol (3, 2) with secp521r1 group", | ||
| 344 | "-e", "Protocol (3, 2) with x25519 group", | ||
| 334 | ] | 345 | ] |
| 335 | 346 | ||
| 336 | tls12_tests = TestGroup("TLSv1.2 tests", [ | 347 | tls12_tests = TestGroup("TLSv1.2 tests", [ |
| 337 | # Tests that pass as they are. | 348 | # Tests that pass as they are. |
| 338 | Test("test-TLSv1_2-rejected-without-TLSv1_2.py"), | ||
| 339 | Test("test-aes-gcm-nonces.py"), | 349 | Test("test-aes-gcm-nonces.py"), |
| 340 | Test("test-chacha20.py"), | ||
| 341 | Test("test-connection-abort.py"), | 350 | Test("test-connection-abort.py"), |
| 342 | Test("test-conversation.py"), | 351 | Test("test-conversation.py"), |
| 343 | Test("test-cve-2016-2107.py"), | 352 | Test("test-cve-2016-2107.py"), |
| @@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ | |||
| 386 | ] | 395 | ] |
| 387 | ), | 396 | ), |
| 388 | Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), | 397 | Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), |
| 389 | Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]), | 398 | Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]), |
| 390 | Test( | 399 | Test( |
| 391 | "test-downgrade-protection.py", | 400 | "test-downgrade-protection.py", |
| 392 | tls12_args = ["--server-max-protocol", "TLSv1.2"], | 401 | tls12_args = ["--server-max-protocol", "TLSv1.2"], |
| 393 | tls13_args = ["--server-max-protocol", "TLSv1.3"], | 402 | tls13_args = [ |
| 403 | "--server-max-protocol", "TLSv1.3", | ||
| 404 | "-e", "TLS 1.3 downgrade check for Protocol (3, 1)", | ||
| 405 | "-e", "TLS 1.3 downgrade check for Protocol (3, 2)", | ||
| 406 | ] | ||
| 407 | ), | ||
| 408 | Test( | ||
| 409 | "test-fallback-scsv.py", | ||
| 410 | tls13_args = [ | ||
| 411 | "--tls-1.3", | ||
| 412 | "-e", "FALLBACK - hello TLSv1.1 - pos 0", | ||
| 413 | "-e", "FALLBACK - hello TLSv1.1 - pos 1", | ||
| 414 | "-e", "FALLBACK - hello TLSv1.1 - pos 2", | ||
| 415 | "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0", | ||
| 416 | "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1", | ||
| 417 | "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2", | ||
| 418 | "-e", "record TLSv1.1 hello TLSv1.1", | ||
| 419 | "-e", "sanity - TLSv1.1", | ||
| 420 | ] | ||
| 394 | ), | 421 | ), |
| 395 | Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ), | ||
| 396 | 422 | ||
| 397 | Test("test-invalid-compression-methods.py", [ | 423 | Test("test-invalid-compression-methods.py", [ |
| 398 | "-x", "invalid compression methods", | 424 | "-x", "invalid compression methods", |
| @@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ | |||
| 412 | Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), | 438 | Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), |
| 413 | 439 | ||
| 414 | Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), | 440 | Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), |
| 441 | |||
| 442 | Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]), | ||
| 415 | ]) | 443 | ]) |
| 416 | 444 | ||
| 417 | tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ | 445 | tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ |
| @@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [ | |||
| 549 | 577 | ||
| 550 | # x448 tests need disabling plus x25519 corner cases need sorting out | 578 | # x448 tests need disabling plus x25519 corner cases need sorting out |
| 551 | Test("test-x25519.py"), | 579 | Test("test-x25519.py"), |
| 580 | |||
| 581 | # Needs TLS 1.0 or 1.1 | ||
| 582 | Test("test-TLSv1_2-rejected-without-TLSv1_2.py"), | ||
| 552 | ]) | 583 | ]) |
| 553 | 584 | ||
| 554 | tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [ | 585 | tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [ |