author | tb <> | 2022-02-05 18:34:06 +0000 |
---|---|---|
committer | tb <> | 2022-02-05 18:34:06 +0000 |
commit | 28b1970bee19f8f767c738fb89dbe3ae1e5fe05f (patch) | |
tree | eee24b1a2e2c9478aa888ab55fde7f93fcb68880 /src/regress/lib/libssl | |
parent | dd2cc4aae10ad27fe8a36547c4658bf841bef6bb (diff) | |

Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list

SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers.
This wasn't a problem until now since the AEAD- ciphers were counted as
distinct from TLS_ ciphers by the regress test, so they were never used
in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests.

With the renaming, the TLSv1.3 ciphers are now considered as common
ciphers, so they're tested. With openssl11 this results in

0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573:

The design of these tests doesn't allow easily adding a call to
SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2)
so skip the TLS_* ciphers for the time being.

Diffstat (limited to 'src/regress/lib/libssl')
-rw-r--r-- | src/regress/lib/libssl/interop/cipher/Makefile | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile index 77ed0f7ebe..bfe8cfea7a 100644 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ b/src/regress/lib/libssl/interop/cipher/Makefile | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: Makefile,v 1.8 2022/02/05 18:21:09 tb Exp $ | 1 | # $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $ |
2 | 2 | ||
3 | # Connect a client to a server. Both can be current libressl, or | 3 | # Connect a client to a server. Both can be current libressl, or |
4 | # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers | 4 | # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers |
@@ -52,6 +52,10 @@ client-${clib}-server-${slib}.ciphers: \ | |||
52 | uniq -d <$@.tmp >$@ | 52 | uniq -d <$@.tmp >$@ |
53 | # we are only interested in ciphers supported by libressl | 53 | # we are only interested in ciphers supported by libressl |
54 | sort $@ client-libressl.ciphers >$@.tmp | 54 | sort $@ client-libressl.ciphers >$@.tmp |
55 | . if "${clib}" == "openssl11" || "${slib}" == "openssl11" | ||
56 | # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers | ||
57 | sed -i '/^TLS_/d' $@.tmp | ||
58 | . endif | ||
55 | uniq -d <$@.tmp >$@ | 59 | uniq -d <$@.tmp >$@ |
56 | rm $@.tmp | 60 | rm $@.tmp |
57 | .endfor | 61 | .endfor |
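
Review bot: The `sed -i '/^TLS_/d' $@.tmp` on new line 57 drops every TLS_* name whenever either peer is openssl11, so the TLSv1.3 suites are no longer exercised by the cipher tests for any pairing with OpenSSL 1.1, and the comment on new line 56 does not say that this is meant to be temporary. Consider marking it as such, for example `# XXX: skip TLSv1.3 ciphers until the tests can call SSL_CTX_set_ciphersuites`, so the skip gets revisited once the test design allows it. As a smaller style point, the filter could be applied in the pipeline that writes $@.tmp on new line 54 rather than editing the file in place afterwards.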