From ddcb4efd6551a982bf29b2e8e83c9c808a1670dc Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 2 Jul 2023 17:21:33 +0000
Subject: Disable TLS 1.0 and TLS 1.1 in libssl

Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
---
 src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 43 +++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 6 deletions(-)

(limited to 'src/regress/lib/libssl/tlsfuzzer')

diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 2953320c1d..aa7e384e1f 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler
 #
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
 tls12_exclude_legacy_protocols = [
 # all these have BIO_read timeouts against TLSv1.3
 "-e", "Protocol (3, 0)",
+ "-e", "Protocol (3, 1)",
+ "-e", "Protocol (3, 2)",
 "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
 # the following only fail with TLSv1.3
 "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
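Review bot: The two added entries `"-e", "Protocol (3, 1)"` and `"-e", "Protocol (3, 2)"` in the -323 hunk sit directly under the existing comment `# all these have BIO_read timeouts against TLSv1.3`, which attributes them to a different cause than the one the commit message gives (TLS 1.0 and 1.1 are no longer spoken). Someone auditing why a legacy-protocol case is skipped would read the wrong reason. A separate comment above the two lines, for example `# TLSv1.0 and TLSv1.1 are disabled in libssl`, would keep the rationale accurate, as the next hunk does with `# These don't work without TLSv1.0 and TLSv1.1`. The list `tls12_exclude_legacy_protocols` continues outside this hunk.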
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
 "-e", "Protocol (3, 1) with x448 group",
 "-e", "Protocol (3, 2) with x448 group",
 "-e", "Protocol (3, 3) with x448 group",
+ # These don't work without TLSv1.0 and TLSv1.1
+ "-e", "Protocol (3, 1) with secp256r1 group",
+ "-e", "Protocol (3, 1) with secp384r1 group",
+ "-e", "Protocol (3, 1) with secp521r1 group",
+ "-e", "Protocol (3, 1) with x25519 group",
+ "-e", "Protocol (3, 2) with secp256r1 group",
+ "-e", "Protocol (3, 2) with secp384r1 group",
+ "-e", "Protocol (3, 2) with secp521r1 group",
+ "-e", "Protocol (3, 2) with x25519 group",
 ]
 
 tls12_tests = TestGroup("TLSv1.2 tests", [
 # Tests that pass as they are.
- Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 Test("test-aes-gcm-nonces.py"),
- Test("test-chacha20.py"),
 Test("test-connection-abort.py"),
 Test("test-conversation.py"),
 Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ ] ), Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), - Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]), + Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]), Test( "test-downgrade-protection.py", tls12_args = ["--server-max-protocol", "TLSv1.2"], - tls13_args = ["--server-max-protocol", "TLSv1.3"], + tls13_args = [ + "--server-max-protocol", "TLSv1.3", + "-e", "TLS 1.3 downgrade check for Protocol (3, 1)", + "-e", "TLS 1.3 downgrade check for Protocol (3, 2)", + ] + ), + Test( + "test-fallback-scsv.py", + tls13_args = [ + "--tls-1.3", + "-e", "FALLBACK - hello TLSv1.1 - pos 0", + "-e", "FALLBACK - hello TLSv1.1 - pos 1", + "-e", "FALLBACK - hello TLSv1.1 - pos 2", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2", + "-e", "record TLSv1.1 hello TLSv1.1", + "-e", "sanity - TLSv1.1", + ] ), - Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ), Test("test-invalid-compression-methods.py", [ "-x", "invalid compression methods", @@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), + + Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]), ]) tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ @@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [ # x448 tests need disabling plus x25519 corner cases need sorting out Test("test-x25519.py"), + + # Needs TLS 1.0 or 1.1 + Test("test-TLSv1_2-rejected-without-TLSv1_2.py"), ]) tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [ -- cgit v1.2.3-55-g6feb
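Review bot: In the -386 hunk the new `-e` exclusions for `test-downgrade-protection.py` and `test-fallback-scsv.py` are added to `tls13_args` only, with no comment saying why; `tls12_args` for the downgrade test is unchanged and the fallback test has no `tls12_args` at all. If the TLSv1.2-capped run enumerates the same `Protocol (3, 1)`/`(3, 2)` and `TLSv1.1` conversations (not visible from this hunk), it would need matching exclusions. Because these two scripts guard downgrade behaviour, a comment above each list such as `# TLSv1.0/1.1 are disabled, so these conversations can no longer complete` would record that the skipped cases are expected to be refused rather than forgotten. The enclosing `tls12_tests` group starts and ends outside the hunk.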
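Review bot: In the -412 hunk `test-chacha20.py` is re-added at the very end of `tls12_tests`, after a blank line, instead of in the slot it was removed from between `test-aes-gcm-nonces.py` and `test-connection-abort.py` in the -331 hunk. That makes the entry harder to find in a list that, in the parts visible here, is roughly alphabetical, and the exclusion carries no reason. Keeping it in its old position with a short comment, e.g. `# TLSv1.1 is disabled` above `Test("test-chacha20.py", ["-e", "Chacha20 in TLS1.1"]),`, would be clearer.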
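Review bot: Parking `test-TLSv1_2-rejected-without-TLSv1_2.py` in `tls12_failing_tests` in the -549 hunk, with only `# Needs TLS 1.0 or 1.1`, means nothing visible in this diff asserts that a ClientHello limited to TLS 1.0 or 1.1 is actually refused. The -323, -331, -386 and -412 hunks only drop the legacy conversations with `-e`. Refusing those versions is the security property this commit introduces, so a later change that silently re-enabled them would, as far as this file shows, not be caught by the suite. Consider extending the comment to say what is expected now, e.g. `# Needs TLS 1.0 or 1.1; revisit once a case asserts these versions are rejected`, or adding such a case to a passing group. The `tls12_failing_tests` list starts outside the hunk.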