|  | Commit message | Author | Age | Files | Lines | 
|---|
| | for some reason. | 
| | Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the
interop tests anymore. anton's and bluhm's regress tests will switch
to testing interoperability with OpenSSL 3.0. | 
| | The plan is to retire the 1.0.2 interop tests soon so as to be able to
drop the dead and dangerous OpenSSL 1.0.2 port.
The cert part is extremely slow on arm64: the whole interop test on an m1
is about 10x slower (~45 min!) than on a modern amd64 laptop, so people
running regress may want to wait a bit with adding OpenSSL 3 to their test
boxes until this is sorted out. | 
| | SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers.
This wasn't a problem until now since the AEAD- ciphers were counted as
distinct from TLS_ ciphers by the regress test, so they were never used
in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests.
With the renaming, the TLSv1.3 ciphers are now considered as common
ciphers, so they're tested. With openssl11 this results in
0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573:
The design of these tests doesn't allow easily adding a call to
SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2)
so skip the TLS_* ciphers for the time being. | 
| | Other regress tests do it differently; just fix/touch those that did not
mention any package name at all.
This helps grepping logs for SKIPPED to find instructions for the next run. | 
| | suggested by millert@ | 
| | This makes CFLAGS pick up -O2, which shaves a few seconds runtime
off these very slow tests. | 
| | This makes this interop test pass on sparc64. | 
| | Fix some tests that fail with obscure error messages on 'make' if the
required package (either version of OpenSSL or Botan 2) isn't installed.
This can be avoided by doing 'make regress' instead.  I'll try to adjust
my finger memory for the many tests outside the LibreSSL tree that have
the same "problem". The fix here is unintrusive and I've been wasting
enough time with this to want to change it.
ok bluhm | 
| | 2) Reorder the interop tests so the really slow "cert" test is at the end
3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination
   of client and server that does not involve libressl. This way we can
   skip testing openssl to openssl11 when running these manually by
   setting REGRESS_SKIP_SLOW to "yet" in mk.conf
ok jsing@ | 
| | openssl 1.0.2, or openssl 1.1.  Pin client or server to a fixed TLS
version number.  Incompatible versions must fail.  Check that client
and server have used correct version by grepping in their session
print out. | 
| | chacha-poly over aes-gcm.  Expect both fallbacks for non 1.3 ciphers. | 
| | been fixed to work with libressl TLS 1.3.  Both libressl and openssl11
replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or
TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively.  The test expects
that now.  Currently GOST does not work with libressl and TLS 1.3
and is disabled. | 
| | The libressl TLSv1.3 client and server currently lack client certificate
authentication support and this test expects all clients can auth with
all servers.
We can likely turn this back on in the near future. | 
| | These make far too many assumptions about cipher suites - TLSv1.3 cipher
suites can only be used with TLSv1.3 and tests using TLSv1.3
cipher suites with TLSv1.2 will not work. Likewise, expecting TLSv1.2
cipher suites to work with TLSv1.3 is futile. Additionally, eopenssl11
lists TLSv1.3 cipher suites with different names to libressl.
Further work will be necessary before this can be re-enabled. | 
| | This can potentially be improved by adding knowledge about which libraries
support which versions and handle differences between clients and servers. | 
| | This is now talking over TLSv1.3 and needs session support. | 
| | connections between client and server implemented with LibreSSL or
OpenSSL with a fixed cipher on each side.  Check the used cipher
in the session print out. | 
| | sign error during arm regress. | 
| | the server child could be delayed.  In this case wait a second and
check again. | 
| | directory.  Keep all log files for easier debugging.  Name regress
target names consistently. | 
| | all combinations of LibreSSL, OpenSSL 1.0.2, and OpenSSL 1.1.  It
is currently disabled for TLS 1.3 as this needs more setup. | 
| | Having the three libraries, client and server certificates, missing
or invalid CA or certificates, and enforcing peer certificate results
in 1944 new test cases. | 
| | server.  Check that the highest available TLS version is selected.
LibreSSL TLS 1.3 check is disabled until the feature becomes
available. | 
| | when it becomes available in LibreSSL.
thanks to sthen@ for the new OpenSSL port | 
| | and server compile with OpenSSL 1.1.  Check runtime version string
of SSL library. | 
|  | Implement simple SSL client and server in C.  Create four binaries
by linking them with LibreSSL or OpenSSL.  This way API compatibility
is tested.  Connect and accept with netcat to test protocol
compatibility with libtls.
Currently OpenSSL 1.0.2p from ports is used.  Plan is to move to
OpenSSL 1.1 and test TLS 1.3.
idea from beck@; help from jsing@ |