9 files changed, 106 insertions, 161 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 37ca7bd113..7561060120 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
        s->s3->in_read_app_data = 0;
        s->packet_length = 0;
-        s->version = TLS1_VERSION;
+        s->version = TLS1_2_VERSION;
        s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index fbc0004f4b..8273546062 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
        }
-        if ((options & SSL_OP_NO_TLSv1) == 0)
+        if ((options & SSL_OP_NO_TLSv1_2) == 0)
-                min_version = TLS1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-                min_version = TLS1_1_VERSION;
-        else if ((options & SSL_OP_NO_TLSv1_2) == 0)
                min_version = TLS1_2_VERSION;
        else if ((options & SSL_OP_NO_TLSv1_3) == 0)
                min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
        if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
                max_version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-                max_version = TLS1_1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-                max_version = TLS1_VERSION;
-        if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
                max_version = 0;
        /* Everything has been disabled... */
diff --git a/src/regress/lib/libssl/Makefile b/src/regress/lib/libssl/Makefile
index bae1248ab1..f9919404f2 100644
--- a/src/regress/lib/libssl/Makefile
+++ b/src/regress/lib/libssl/Makefile
@@ -1,11 +1,11 @@
-#       $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+#       $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
 SUBDIR += api
 SUBDIR += asn1
 SUBDIR += buffer
 SUBDIR += bytestring
 SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
 SUBDIR += dtls
 SUBDIR += exporter
 SUBDIR += handshake
@@ -13,7 +13,7 @@ SUBDIR += pqueue
 SUBDIR += quic
 SUBDIR += record
 SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
 SUBDIR += ssl
 SUBDIR += tls
 SUBDIR += tlsext
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 9d0ae418ba..c4f7705d63 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -14,7 +14,7 @@ LIBRARIES +=		openssl11
 LIBRARIES +=            openssl30
 .endif
-VERSIONS =      any TLS1 TLS1_1 TLS1_2 TLS1_3
+VERSIONS =      any TLS1_2 TLS1_3
 .for cver in ${VERSIONS}
 .for sver in ${VERSIONS}
diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c
index b4b10446e6..6b8e243073 100644
--- a/src/regress/lib/libssl/ssl/ssltest.c
+++ b/src/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
+/*      $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -336,7 +336,7 @@ sv_usage(void)
        fprintf(stderr, " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
        fprintf(stderr, " -no_dhe       - disable DHE\n");
        fprintf(stderr, " -no_ecdhe     - disable ECDHE\n");
-        fprintf(stderr, " -dtls1        - use DTLSv1\n");
+        fprintf(stderr, " -dtls1_2      - use DTLSv1.2\n");
        fprintf(stderr, " -tls1         - use TLSv1\n");
        fprintf(stderr, " -tls1_2       - use TLSv1.2\n");
        fprintf(stderr, " -CApath arg   - PEM format directory of CA's\n");
@@ -409,7 +409,7 @@ main(int argc, char *argv[])
        int badop = 0;
        int bio_pair = 0;
        int force = 0;
-        int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
+        int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
        int client_auth = 0;
        int server_auth = 0, i;
        char *app_verify_arg = "Test Callback Argument";
@@ -464,8 +464,8 @@ main(int argc, char *argv[])
                        no_dhe = 1;
                else if (strcmp(*argv, "-no_ecdhe") == 0)
                        no_ecdhe = 1;
-                else if (strcmp(*argv, "-dtls1") == 0)
+                else if (strcmp(*argv, "-dtls1_2") == 0)
-                        dtls1 = 1;
+                        dtls1_2 = 1;
                else if (strcmp(*argv, "-tls1") == 0)
                        tls1 = 1;
                else if (strcmp(*argv, "-tls1_2") == 0)
@@ -565,7 +565,7 @@ bad:
                goto end;
        }
-        if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
+        if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
                fprintf(stderr,
                    "This case cannot work.  Use -f to perform "
                    "the test anyway (and\n-d to see what happens), "
@@ -588,8 +588,8 @@ bad:
        SSL_library_init();
        SSL_load_error_strings();
-        if (dtls1)
+        if (dtls1_2)
-                meth = DTLSv1_method();
+                meth = DTLSv1_2_method();
        else if (tls1)
                meth = TLSv1_method();
        else if (tls1_2)
diff --git a/src/regress/lib/libssl/ssl/testssl b/src/regress/lib/libssl/ssl/testssl
index 43efaa6460..70db1752b7 100644
--- a/src/regress/lib/libssl/ssl/testssl
+++ b/src/regress/lib/libssl/ssl/testssl
@@ -95,8 +95,7 @@ done
 if $openssl no-dh; then
  echo skipping anonymous DH tests
 else
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  echo skipping tls1 tests.
-  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
 #if $openssl no-rsa; then
@@ -117,17 +116,16 @@ fi
 # DTLS tests
 #
-echo test dtlsv1
+$ssltest -dtls1_2 $extra || exit 1
-$ssltest -dtls1 $extra || exit 1
-echo test dtlsv1 with server authentication
+echo test dtlsv1_2 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
-echo test dtlsv1 with client authentication
+echo test dtlsv1_2 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
-echo test dtlsv1 with both client and server authentication
+echo test dtlsv1_2 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
 echo "Testing DTLS ciphersuites"
 for protocol in SSLv3; do
@@ -136,7 +134,7 @@ for protocol in SSLv3; do
    awk "/ $protocol / { print \\$1 }" |
    grep -v RC4`; do
    echo "Testing $cipher"
-    $ssltest -cipher $cipher -dtls1
+    $ssltest -cipher $cipher -dtls1_2
    if [ $? -ne 0 ] ; then
      echo "Failed $cipher"
      exit 1
@@ -148,17 +146,17 @@ done
 # ALPN tests
 #
 echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
  -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
  -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
  -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1
diff --git a/src/regress/lib/libssl/tls/tlstest.c b/src/regress/lib/libssl/tls/tlstest.c
index 5c72717e6e..8154e7576c 100644
--- a/src/regress/lib/libssl/tls/tlstest.c
+++ b/src/regress/lib/libssl/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -245,14 +245,6 @@ static const struct tls_test tls_tests[] = {
                .server_max_version = TLS1_2_VERSION,
        },
        {
-                .desc = "Default client and TLSv1.1 server",
-                .server_max_version = TLS1_1_VERSION,
-        },
-        {
-                .desc = "Default client and TLSv1.0 server",
-                .server_max_version = TLS1_VERSION,
-        },
-        {
                .desc = "Default client and default server with ECDHE KEX",
                .server_ciphers = "ECDHE-RSA-AES128-SHA",
        },
@@ -262,16 +254,6 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "ECDHE-RSA-AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with ECDHE KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with ECDHE KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "Default client and default server with DHE KEX",
                .server_ciphers = "DHE-RSA-AES128-SHA",
        },
@@ -281,16 +263,6 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "DHE-RSA-AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with DHE KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with DHE KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "Default client and default server with RSA KEX",
                .server_ciphers = "AES128-SHA",
        },
@@ -300,72 +272,24 @@ static const struct tls_test tls_tests[] = {
                .server_ciphers = "AES128-SHA",
        },
        {
-                .desc = "Default client and TLSv1.1 server with RSA KEX",
-                .server_max_version = TLS1_1_VERSION,
-                .server_ciphers = "AES128-SHA",
-        },
-        {
-                .desc = "Default client and TLSv1.0 server with RSA KEX",
-                .server_max_version = TLS1_VERSION,
-                .server_ciphers = "AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server",
                .client_max_version = TLS1_2_VERSION,
        },
        {
-                .desc = "TLSv1.1 client and default server",
-                .client_max_version = TLS1_1_VERSION,
-        },
-        {
-                .desc = "TLSv1.0 client and default server",
-                .client_max_version = TLS1_VERSION,
-        },
-        {
                .desc = "TLSv1.2 client and default server with ECDHE KEX",
                .client_max_version = TLS1_2_VERSION,
                .client_ciphers = "ECDHE-RSA-AES128-SHA",
        },
        {
-                .desc = "TLSv1.1 client and default server with ECDHE KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with ECDHE KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "ECDHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server with DHE KEX",
                .server_max_version = TLS1_2_VERSION,
                .client_ciphers = "DHE-RSA-AES128-SHA",
        },
        {
-                .desc = "TLSv1.1 client and default server with DHE KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with DHE KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "DHE-RSA-AES128-SHA",
-        },
-        {
                .desc = "TLSv1.2 client and default server with RSA KEX",
                .client_max_version = TLS1_2_VERSION,
                .client_ciphers = "AES128-SHA",
        },
-        {
-                .desc = "TLSv1.1 client and default server with RSA KEX",
-                .client_max_version = TLS1_1_VERSION,
-                .client_ciphers = "AES128-SHA",
-        },
-        {
-                .desc = "TLSv1.0 client and default server with RSA KEX",
-                .client_max_version = TLS1_VERSION,
-                .client_ciphers = "AES128-SHA",
-        },
 };
 #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 2953320c1d..aa7e384e1f 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
 tls12_exclude_legacy_protocols = [
    # all these have BIO_read timeouts against TLSv1.3
    "-e", "Protocol (3, 0)",
+    "-e", "Protocol (3, 1)",
+    "-e", "Protocol (3, 2)",
    "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
    # the following only fail with TLSv1.3
    "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
    "-e", "Protocol (3, 1) with x448 group",
    "-e", "Protocol (3, 2) with x448 group",
    "-e", "Protocol (3, 3) with x448 group",
+    # These don't work without TLSv1.0 and TLSv1.1
+    "-e", "Protocol (3, 1) with secp256r1 group",
+    "-e", "Protocol (3, 1) with secp384r1 group",
+    "-e", "Protocol (3, 1) with secp521r1 group",
+    "-e", "Protocol (3, 1) with x25519 group",
+    "-e", "Protocol (3, 2) with secp256r1 group",
+    "-e", "Protocol (3, 2) with secp384r1 group",
+    "-e", "Protocol (3, 2) with secp521r1 group",
+    "-e", "Protocol (3, 2) with x25519 group",
 ]
 tls12_tests = TestGroup("TLSv1.2 tests", [
    # Tests that pass as they are.
-    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
    Test("test-aes-gcm-nonces.py"),
-    Test("test-chacha20.py"),
    Test("test-connection-abort.py"),
    Test("test-conversation.py"),
    Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
        ]
    ),
    Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
-    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
+    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
    Test(
        "test-downgrade-protection.py",
        tls12_args = ["--server-max-protocol", "TLSv1.2"],
-        tls13_args = ["--server-max-protocol", "TLSv1.3"],
+        tls13_args = [
+            "--server-max-protocol", "TLSv1.3",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
+        ]
+    ),
+    Test(
+        "test-fallback-scsv.py",
+        tls13_args = [
+            "--tls-1.3",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 2",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
+            "-e", "record TLSv1.1 hello TLSv1.1",
+            "-e", "sanity - TLSv1.1",
+        ]
    ),
-    Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
    Test("test-invalid-compression-methods.py", [
        "-x", "invalid compression methods",
@@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
    Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
    Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+    Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
@@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
    # x448 tests need disabling plus x25519 corner cases need sorting out
    Test("test-x25519.py"),
+    # Needs TLS 1.0 or 1.1
+    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 ])
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c
index 261bed3a7a..ebfe8d2c28 100644
--- a/src/regress/lib/libssl/unit/ssl_versions.c
+++ b/src/regress/lib/libssl/unit/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1_3,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1_1,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
@@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = {
                .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
@@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_2_VERSION,
        },
        {
@@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
                .options = 0,
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_3_VERSION,
-                .want_minver = TLS1_1_VERSION,
+                .want_minver = TLS1_2_VERSION,
                .want_maxver = TLS1_3_VERSION,
        },
        {
@@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_1_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .options = 0,
                .minver = TLS1_VERSION,
                .maxver = TLS1_VERSION,
-                .want_minver = TLS1_VERSION,
+                .want_minver = 0,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
 };
@@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_1_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLS_method,
@@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_VERSION,
                .peerver = TLS1_2_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLSv1_method,
@@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_VERSION,
-                .want_maxver = TLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = TLSv1_method,
@@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = TLS1_1_VERSION,
-                .want_maxver = TLS1_1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLS_method,
@@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = DTLS1_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLS_method,
@@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_1_VERSION,
                .peerver = DTLS1_2_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
        {
                .ssl_method = DTLSv1_2_method,
@@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = {
                .minver = TLS1_1_VERSION,
                .maxver = TLS1_2_VERSION,
                .peerver = DTLS1_2_VERSION,
-                .want_maxver = DTLS1_VERSION,
+                .want_maxver = 0,
        },
 };