Disable TLS 1.0 and TLS 1.1 in libssl

Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
author: beck <> 2023-07-02 17:21:33 +0000
committer: beck <> 2023-07-02 17:21:33 +0000
commit: ddcb4efd6551a982bf29b2e8e83c9c808a1670dc (patch)
tree: 33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src
parent: 025f3b8ef1e0ff3017dd0079925fbf85f15a6d22 (diff)
download: openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.gz
openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.bz2
openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.zip
9 files changed, 106 insertions, 161 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 37ca7bd113..7561060120 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
        s->s3->in_read_app_data = 0;
        s->packet_length = 0;
-        s->version = TLS1_VERSION;
+        s->version = TLS1_2_VERSION;
        s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index fbc0004f4b..8273546062 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
        }
-        if ((options & SSL_OP_NO_TLSv1) == 0)
+        if ((options & SSL_OP_NO_TLSv1_2) == 0)
-                min_version = TLS1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-                min_version = TLS1_1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_2) == 0)
                min_version = TLS1_2_VERSION;
        else if ((options & SSL_OP_NO_TLSv1_3) == 0)
                min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
        if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
                max_version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-                max_version = TLS1_1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-                max_version = TLS1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
                max_version = 0;
        /* Everything has been disabled... */
diff --git a/src/regress/lib/libssl/Makefile b/src/regress/lib/libssl/Makefile
index bae1248ab1..f9919404f2 100644
--- a/src/regress/lib/libssl/Makefile
+++ b/src/regress/lib/libssl/Makefile
@@ -1,11 +1,11 @@
-#       $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+#       $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
 SUBDIR += api
 SUBDIR += asn1
 SUBDIR += buffer
 SUBDIR += bytestring
 SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
 SUBDIR += dtls
 SUBDIR += exporter
 SUBDIR += handshake
@@ -13,7 +13,7 @@ SUBDIR += pqueue
 SUBDIR += quic
 SUBDIR += record
 SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
 SUBDIR += ssl
 SUBDIR += tls
 SUBDIR += tlsext
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 9d0ae418ba..c4f7705d63 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -14,7 +14,7 @@ LIBRARIES +=		openssl11
 LIBRARIES +=            openssl30
 .endif
-VERSIONS =      any TLS1 TLS1_1 TLS1_2 TLS1_3
+VERSIONS =      any TLS1_2 TLS1_3
 .for cver in ${VERSIONS}
 .for sver in ${VERSIONS}
diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c
index b4b10446e6..6b8e243073 100644
--- a/src/regress/lib/libssl/ssl/ssltest.c
+++ b/src/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
+/*      $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -336,7 +336,7 @@ sv_usage(void)
        fprintf(stderr, " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
        fprintf(stderr, " -no_dhe       - disable DHE\n");
        fprintf(stderr, " -no_ecdhe     - disable ECDHE\n");
-        fprintf(stderr, " -dtls1        - use DTLSv1\n");
+        fprintf(stderr, " -dtls1_2      - use DTLSv1.2\n");
        fprintf(stderr, " -tls1         - use TLSv1\n");
        fprintf(stderr, " -tls1_2       - use TLSv1.2\n");
        fprintf(stderr, " -CApath arg   - PEM format directory of CA's\n");
@@ -409,7 +409,7 @@ main(int argc, char *argv[])
        int badop = 0;
        int bio_pair = 0;
        int force = 0;
-        int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
+        int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
        int client_auth = 0;
        int server_auth = 0, i;
        char *app_verify_arg = "Test Callback Argument";
@@ -464,8 +464,8 @@ main(int argc, char *argv[])
                        no_dhe = 1;
                else if (strcmp(*argv, "-no_ecdhe") == 0)
                        no_ecdhe = 1;
-                else if (strcmp(*argv, "-dtls1") == 0)
+                else if (strcmp(*argv, "-dtls1_2") == 0)
-                        dtls1 = 1;
+                        dtls1_2 = 1;
                else if (strcmp(*argv, "-tls1") == 0)
                        tls1 = 1;
                else if (strcmp(*argv, "-tls1_2") == 0)
@@ -565,7 +565,7 @@ bad:
                goto end;
        }
-        if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
+        if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
                fprintf(stderr,
                    "This case cannot work.  Use -f to perform "
                    "the test anyway (and\n-d to see what happens), "
@@ -588,8 +588,8 @@ bad:
        SSL_library_init();
        SSL_load_error_strings();
-        if (dtls1)
+        if (dtls1_2)
-                meth = DTLSv1_method();
+                meth = DTLSv1_2_method();
        else if (tls1)
                meth = TLSv1_method();
        else if (tls1_2)
diff --git a/src/regress/lib/libssl/ssl/testssl b/src/regress/lib/libssl/ssl/testssl
index 43efaa6460..70db1752b7 100644
--- a/src/regress/lib/libssl/ssl/testssl
+++ b/src/regress/lib/libssl/ssl/testssl
@@ -95,8 +95,7 @@ done
 if $openssl no-dh; then
  echo skipping anonymous DH tests
 else
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  echo skipping tls1 tests.
-  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
 #if $openssl no-rsa; then
@@ -117,17 +116,16 @@ fi
 # DTLS tests
 #
-echo test dtlsv1
+$ssltest -dtls1_2 $extra || exit 1
-$ssltest -dtls1 $extra || exit 1
-echo test dtlsv1 with server authentication
+echo test dtlsv1_2 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
-echo test dtlsv1 with client authentication
+echo test dtlsv1_2 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
-echo test dtlsv1 with both client and server authentication
+echo test dtlsv1_2 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
 echo "Testing DTLS ciphersuites"
 for protocol in SSLv3; do
@@ -136,7 +134,7 @@ for protocol in SSLv3; do
    awk "/ $protocol / { print \\$1 }" |
    grep -v RC4`; do
    echo "Testing $cipher"
-    $ssltest -cipher $cipher -dtls1
+    $ssltest -cipher $cipher -dtls1_2
    if [ $? -ne 0 ] ; then
      echo "Failed $cipher"
      exit 1
@@ -148,17 +146,17 @@ done
 # ALPN tests
 #
 echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
  -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
  -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1
diff --git a/src/regress/lib/libssl/tls/tlstest.c b/src/regress/lib/libssl/tls/tlstest.c
index 5c72717e6e..8154e7576c 100644
--- a/src/regress/lib/libssl/tls/tlstest.c
+++ b/src/regress/lib/libssl/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -245,14 +245,6 @@ static const struct tls_test tls_tests[] = {
                .server_max_version = TLS1_2_VERSION,
        },
        {
-                .desc = "Default client and TLSv1.1 server",
-                .server_max_version = TLS1_1_VERSION,
-        },
-        {
-                .desc = "Default client and TLSv1.0 server",
-                .server_max_version = TLS1_VERSION,
-        },
-        {
                .desc = "Default client and default server with ECDHE KEX",
                .server_ciphers = "ECDHE-RSA-AES128-SHA",
        },
@@ -262,16 +254,6 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "ECDHE-RSA-AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with ECDHE KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with ECDHE KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "Default client and default server with DHE KEX",
                .server_ciphers = "DHE-RSA-AES128-SHA",
        },
@@ -281,16 +263,6 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "DHE-RSA-AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with DHE KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with DHE KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "Default client and default server with RSA KEX",
                .server_ciphers = "AES128-SHA",
        },
@@ -300,72 +272,24 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with RSA KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with RSA KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server",
                .client_max_version = TLS1_2_VERSION,
        },
        {
-                .desc = "TLSv1.1 client and default server",
-                .client_max_version = TLS1_1_VERSION,
-        },
-        {
-                .desc = "TLSv1.0 client and default server",
-                .client_max_version = TLS1_VERSION,
-        },
-        {
                .desc = "TLSv1.2 client and default server with ECDHE KEX",
                .client_max_version = TLS1_2_VERSION,
                .client_ciphers = "ECDHE-RSA-AES128-SHA",
        },
        {
-                .desc = "TLSv1.1 client and default server with ECDHE KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with ECDHE KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server with DHE KEX",
                .server_max_version = TLS1_2_VERSION,
                .client_ciphers = "DHE-RSA-AES128-SHA",
        },
        {
-                .desc = "TLSv1.1 client and default server with DHE KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with DHE KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server with RSA KEX",
                .client_max_version = TLS1_2_VERSION,
                .client_ciphers = "AES128-SHA",
        },
-        {
-                .desc = "TLSv1.1 client and default server with RSA KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with RSA KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "AES128-SHA",
-        },
 };
 #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 2953320c1d..aa7e384e1f 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
 tls12_exclude_legacy_protocols = [
    # all these have BIO_read timeouts against TLSv1.3
    "-e", "Protocol (3, 0)",
+    "-e", "Protocol (3, 1)",
+    "-e", "Protocol (3, 2)",
    "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
    # the following only fail with TLSv1.3
    "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
    "-e", "Protocol (3, 1) with x448 group",
    "-e", "Protocol (3, 2) with x448 group",
    "-e", "Protocol (3, 3) with x448 group",
+    # These don't work without TLSv1.0 and TLSv1.1
+    "-e", "Protocol (3, 1) with secp256r1 group",
+    "-e", "Protocol (3, 1) with secp384r1 group",
+    "-e", "Protocol (3, 1) with secp521r1 group",
+    "-e", "Protocol (3, 1) with x25519 group",
+    "-e", "Protocol (3, 2) with secp256r1 group",
+    "-e", "Protocol (3, 2) with secp384r1 group",
+    "-e", "Protocol (3, 2) with secp521r1 group",
+    "-e", "Protocol (3, 2) with x25519 group",
 ]
 tls12_tests = TestGroup("TLSv1.2 tests", [
    # Tests that pass as they are.
-    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
    Test("test-aes-gcm-nonces.py"),
-    Test("test-chacha20.py"),
    Test("test-connection-abort.py"),
    Test("test-conversation.py"),
    Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
        ]
    ),
    Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
-    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
+    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
    Test(
        "test-downgrade-protection.py",
        tls12_args = ["--server-max-protocol", "TLSv1.2"],
-        tls13_args = ["--server-max-protocol", "TLSv1.3"],
+        tls13_args = [
+            "--server-max-protocol", "TLSv1.3",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
+        ]
+    ),
+    Test(
+        "test-fallback-scsv.py",
+        tls13_args = [
+            "--tls-1.3",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 2",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
+            "-e", "record TLSv1.1 hello TLSv1.1",
+            "-e", "sanity - TLSv1.1",
+        ]
    ),
-    Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
    Test("test-invalid-compression-methods.py", [
        "-x", "invalid compression methods",
@@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
    Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
    Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+    Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
@@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
    # x448 tests need disabling plus x25519 corner cases need sorting out
    Test("test-x25519.py"),
+    # Needs TLS 1.0 or 1.1
+    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 ])
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
index 261bed3a7a..ebfe8d2c28 100644
--- a/src/regress/lib/libssl/unit/ssl_versions.c
+++ b/src/regress/lib/libssl/unit/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1_3,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1_1,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
@@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = {
                .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
@@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
@@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
@@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_1_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
 };
@@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_1_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLSv1_method,
@@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLSv1_method,
@@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLS_method,
@@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = DTLS1_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLS_method,
@@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_1_VERSION,
                .peerver = DTLS1_2_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLSv1_2_method,
@@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = DTLS1_2_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
 };
author	beck <>	2023-07-02 17:21:33 +0000
committer	beck <>	2023-07-02 17:21:33 +0000
commit	ddcb4efd6551a982bf29b2e8e83c9c808a1670dc (patch)
tree	33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src
parent	025f3b8ef1e0ff3017dd0079925fbf85f15a6d22 (diff)
download	openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.gz openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.tar.bz2 openbsd-ddcb4efd6551a982bf29b2e8e83c9c808a1670dc.zip