From ddcb4efd6551a982bf29b2e8e83c9c808a1670dc Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 2 Jul 2023 17:21:33 +0000
Subject: Disable TLS 1.0 and TLS 1.1 in libssl

Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
---
 src/lib/libssl/s3_lib.c | 4 +-
 src/lib/libssl/ssl_versions.c | 12 +---
 src/regress/lib/libssl/Makefile | 6 +-
 src/regress/lib/libssl/interop/version/Makefile | 4 +-
 src/regress/lib/libssl/ssl/ssltest.c | 16 ++---
 src/regress/lib/libssl/ssl/testssl | 36 ++++++------
 src/regress/lib/libssl/tls/tlstest.c | 78 +------------------------
 src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 43 ++++++++++++--
 src/regress/lib/libssl/unit/ssl_versions.c | 68 ++++++++++-----------
 9 files changed, 106 insertions(+), 161 deletions(-)
(limited to 'src')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 37ca7bd113..7561060120 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
  s->s3->in_read_app_data = 0;
  s->packet_length = 0;
 
- s->version = TLS1_VERSION;
+ s->version = TLS1_2_VERSION;
 
  s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index fbc0004f4b..8273546062 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
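Review bot: The reset value `s->version = TLS1_2_VERSION;` in ssl3_clear now encodes the lowest supported protocol a second time, independently of the min_version selection in ssl_enabled_tls_version_range, and nothing links the two; the next time the floor moves, one of them is easy to miss. A one-line comment would tie them together, e.g. `/* Pre-handshake default; keep in step with the minimum in ssl_enabled_tls_version_range(). */`. Whether anything between this reset and the first ClientHello depends on the exact value (rather than just on it being a supported version) cannot be seen here and is worth confirming for the DTLS path, which also goes through ssl3_clear. The rest of ssl3_clear lies outside the hunk.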
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  *
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
  options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
  }
 
- if ((options & SSL_OP_NO_TLSv1) == 0)
-  min_version = TLS1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-  min_version = TLS1_1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+ if ((options & SSL_OP_NO_TLSv1_2) == 0)
   min_version = TLS1_2_VERSION;
  else if ((options & SSL_OP_NO_TLSv1_3) == 0)
   min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
  if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
   max_version = TLS1_2_VERSION;
  if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-  max_version = TLS1_1_VERSION;
- if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-  max_version = TLS1_VERSION;
- if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
   max_version = 0;
 
  /* Everything has been disabled... */
diff --git a/src/regress/lib/libssl/Makefile b/src/regress/lib/libssl/Makefile
index bae1248ab1..f9919404f2 100644
--- a/src/regress/lib/libssl/Makefile
+++ b/src/regress/lib/libssl/Makefile
@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+# $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
 
 SUBDIR += api
 SUBDIR += asn1
 SUBDIR += buffer
 SUBDIR += bytestring
 SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
 SUBDIR += dtls
 SUBDIR += exporter
 SUBDIR += handshake
@@ -13,7 +13,7 @@ SUBDIR += pqueue
 SUBDIR += quic
 SUBDIR += record
 SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
 SUBDIR += ssl
 SUBDIR += tls
 SUBDIR += tlsext
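Review bot: After this hunk SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are still accepted by callers but never consulted, and nothing in the function says that this is deliberate; a reader of the remaining `if ((options & SSL_OP_NO_TLSv1_2) == 0)` chain cannot tell whether the two flags were dropped on purpose. Suggest a comment above the new `if`, e.g. `/* TLSv1.0 and TLSv1.1 are no longer supported; SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are accepted but have no effect. */`, and the same note applies to the max_version hunk at @@ -162, where the two removed clauses leave `max_version = 0` as the only outcome once TLSv1.2 is disabled below TLSv1.3. The unit-test changes in this commit also show a DTLS_method peer offering DTLS1_VERSION now getting a zero shared range, so DTLSv1 is being disabled alongside TLSv1.1; the commit description mentions only TLS 1.0 and 1.1 and should say so. ssl_enabled_tls_version_range starts and ends outside both hunks.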
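Review bot: `#SUBDIR += client` and, in the @@ -13 hunk, `#SUBDIR += server` switch off two regression suites with no explanation in the file; the reason (the golden byte-for-byte handshake comparisons still expect TLSv1.0/1.1 handshakes) lives only in the commit message, which nobody reading the Makefile later will see. A short comment above each line, e.g. `# disabled until the golden handshake data is regenerated for TLSv1.2-only handshakes`, would make it clear these are parked rather than abandoned.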
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile index 9d0ae418ba..c4f7705d63 100644 --- a/src/regress/lib/libssl/interop/version/Makefile +++ b/src/regress/lib/libssl/interop/version/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $ +# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS @@ -14,7 +14,7 @@ LIBRARIES += openssl11 LIBRARIES += openssl30 .endif -VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3 +VERSIONS = any TLS1_2 TLS1_3 .for cver in ${VERSIONS} .for sver in ${VERSIONS} diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c index b4b10446e6..6b8e243073 100644 --- a/src/regress/lib/libssl/ssl/ssltest.c +++ b/src/regress/lib/libssl/ssl/ssltest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */ +/* $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -336,7 +336,7 @@ sv_usage(void) fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n"); fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); - fprintf(stderr, " -dtls1 - use DTLSv1\n"); + fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n"); fprintf(stderr, " -tls1 - use TLSv1\n"); fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); @@ -409,7 +409,7 @@ main(int argc, char *argv[]) int badop = 0; int bio_pair = 0; int force = 0; - int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1; + int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; char *app_verify_arg = "Test Callback Argument"; 
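Review bot: The usage text still advertises `fprintf(stderr, " -tls1 - use TLSv1\n");` next to the renamed `-dtls1_2` line, but with this commit a TLSv1.0-only range can no longer be negotiated (the unit/ssl_versions.c table now expects `TLS1_VERSION`..`TLS1_VERSION` to collapse to 0), so `-tls1` is an option that always fails. The `tls1` variable kept in the @@ -409 declaration, the parse in @@ -464 and the `TLSv1_method()` selection in @@ -588 are all left intact; either remove the option, its variable and the `!tls1` term in the @@ -565 check together, or at least change the usage line to say the protocol is unsupported. testssl in this commit already drops every `-tls1` use, which suggests the option is dead. main() starts and ends outside these hunks.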
@@ -464,8 +464,8 @@ main(int argc, char *argv[]) no_dhe = 1; else if (strcmp(*argv, "-no_ecdhe") == 0) no_ecdhe = 1; - else if (strcmp(*argv, "-dtls1") == 0) - dtls1 = 1; + else if (strcmp(*argv, "-dtls1_2") == 0) + dtls1_2 = 1; else if (strcmp(*argv, "-tls1") == 0) tls1 = 1; else if (strcmp(*argv, "-tls1_2") == 0) @@ -565,7 +565,7 @@ bad: goto end; } - if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { + if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " @@ -588,8 +588,8 @@ bad: SSL_library_init(); SSL_load_error_strings(); - if (dtls1) - meth = DTLSv1_method(); + if (dtls1_2) + meth = DTLSv1_2_method(); else if (tls1) meth = TLSv1_method(); else if (tls1_2) diff --git a/src/regress/lib/libssl/ssl/testssl b/src/regress/lib/libssl/ssl/testssl index 43efaa6460..70db1752b7 100644 --- a/src/regress/lib/libssl/ssl/testssl +++ b/src/regress/lib/libssl/ssl/testssl @@ -95,8 +95,7 @@ done if $openssl no-dh; then echo skipping anonymous DH tests else - echo test tls1 with 1024bit anonymous DH, multiple handshakes - $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 + echo skipping tls1 tests. fi #if $openssl no-rsa; then 
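Review bot: The `else` branch of `if $openssl no-dh` now contains only `echo skipping tls1 tests.`, so when DH is available the script prints a "skipping" message and the anonymous-DH multi-handshake case is gone entirely rather than re-run at the default version; the ADH/`-dhe1024dsa`/`-num 10` coverage is lost and the message is misleading. Unless ADH is itself being retired, keep the case by dropping only the protocol pin, as the ALPN tests do in @@ -148: `echo test ADH with 1024bit anonymous DH, multiple handshakes` followed by `$ssltest -v -bio_pair -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1`.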
@@ -117,17 +116,16 @@ fi # DTLS tests # -echo test dtlsv1 -$ssltest -dtls1 $extra || exit 1 +$ssltest -dtls1_2 $extra || exit 1 -echo test dtlsv1 with server authentication -$ssltest -dtls1 -server_auth $CA $extra || exit 1 +echo test dtlsv1_2 with server authentication +$ssltest -dtls1_2 -server_auth $CA $extra || exit 1 -echo test dtlsv1 with client authentication -$ssltest -dtls1 -client_auth $CA $extra || exit 1 +echo test dtlsv1_2 with client authentication +$ssltest -dtls1_2 -client_auth $CA $extra || exit 1 -echo test dtlsv1 with both client and server authentication -$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1 +echo test dtlsv1_2 with both client and server authentication +$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1 echo "Testing DTLS ciphersuites" for protocol in SSLv3; do @@ -136,7 +134,7 @@ for protocol in SSLv3; do awk "/ $protocol / { print \\$1 }" | grep -v RC4`; do echo "Testing $cipher" - $ssltest -cipher $cipher -dtls1 + $ssltest -cipher $cipher -dtls1_2 if [ $? -ne 0 ] ; then echo "Failed $cipher" exit 1 
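Review bot: The first DTLS case lost its label: `-echo test dtlsv1` is removed but the replacement `$ssltest -dtls1_2 $extra || exit 1` gets no echo, while the three following cases were renamed consistently to `echo test dtlsv1_2 with ...`; the one-line drop in the hunk counts (17 to 16) confirms the label was not moved. Add `echo test dtlsv1_2` before that command so a failure in the plain DTLS run can be located in the output like the others.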
@@ -148,17 +146,17 @@ done # ALPN tests # echo "Testing ALPN..." -$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \ +$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1 +$ssltest -bio_pair -alpn_client foo -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \ +$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \ -alpn_expected bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \ +$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \ -alpn_expected bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1 +$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1 diff --git a/src/regress/lib/libssl/tls/tlstest.c b/src/regress/lib/libssl/tls/tlstest.c index 5c72717e6e..8154e7576c 100644 --- a/src/regress/lib/libssl/tls/tlstest.c +++ b/src/regress/lib/libssl/tls/tlstest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */ +/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */ /* * Copyright (c) 2020, 2021 Joel Sing * 
@@ -244,14 +244,6 @@ static const struct tls_test tls_tests[] = { .desc = "Default client and TLSv1.2 server", .server_max_version = TLS1_2_VERSION, }, - { - .desc = "Default client and TLSv1.1 server", - .server_max_version = TLS1_1_VERSION, - }, - { - .desc = "Default client and TLSv1.0 server", - .server_max_version = TLS1_VERSION, - }, { .desc = "Default client and default server with ECDHE KEX", .server_ciphers = "ECDHE-RSA-AES128-SHA", @@ -261,16 +253,6 @@ static const struct tls_test tls_tests[] = { .server_max_version = TLS1_2_VERSION, .server_ciphers = "ECDHE-RSA-AES128-SHA", }, - { - .desc = "Default client and TLSv1.1 server with ECDHE KEX", - .server_max_version = TLS1_1_VERSION, - .server_ciphers = "ECDHE-RSA-AES128-SHA", - }, - { - .desc = "Default client and TLSv1.0 server with ECDHE KEX", - .server_max_version = TLS1_VERSION, - .server_ciphers = "ECDHE-RSA-AES128-SHA", - }, { .desc = "Default client and default server with DHE KEX", .server_ciphers = "DHE-RSA-AES128-SHA", @@ -280,16 +262,6 @@ static const struct tls_test tls_tests[] = { .server_max_version = TLS1_2_VERSION, .server_ciphers = "DHE-RSA-AES128-SHA", }, - { - .desc = "Default client and TLSv1.1 server with DHE KEX", - .server_max_version = TLS1_1_VERSION, - .server_ciphers = "DHE-RSA-AES128-SHA", - }, - { - .desc = "Default client and TLSv1.0 server with DHE KEX", - .server_max_version = TLS1_VERSION, - .server_ciphers = "DHE-RSA-AES128-SHA", - }, { .desc = "Default client and default server with RSA KEX", .server_ciphers = "AES128-SHA", 
@@ -299,73 +271,25 @@ static const struct tls_test tls_tests[] = { .server_max_version = TLS1_2_VERSION, .server_ciphers = "AES128-SHA", }, - { - .desc = "Default client and TLSv1.1 server with RSA KEX", - .server_max_version = TLS1_1_VERSION, - .server_ciphers = "AES128-SHA", - }, - { - .desc = "Default client and TLSv1.0 server with RSA KEX", - .server_max_version = TLS1_VERSION, - .server_ciphers = "AES128-SHA", - }, { .desc = "TLSv1.2 client and default server", .client_max_version = TLS1_2_VERSION, }, - { - .desc = "TLSv1.1 client and default server", - .client_max_version = TLS1_1_VERSION, - }, - { - .desc = "TLSv1.0 client and default server", - .client_max_version = TLS1_VERSION, - }, { .desc = "TLSv1.2 client and default server with ECDHE KEX", .client_max_version = TLS1_2_VERSION, .client_ciphers = "ECDHE-RSA-AES128-SHA", }, - { - .desc = "TLSv1.1 client and default server with ECDHE KEX", - .client_max_version = TLS1_1_VERSION, - .client_ciphers = "ECDHE-RSA-AES128-SHA", - }, - { - .desc = "TLSv1.0 client and default server with ECDHE KEX", - .client_max_version = TLS1_VERSION, - .client_ciphers = "ECDHE-RSA-AES128-SHA", - }, { .desc = "TLSv1.2 client and default server with DHE KEX", .server_max_version = TLS1_2_VERSION, .client_ciphers = "DHE-RSA-AES128-SHA", }, - { - .desc = "TLSv1.1 client and default server with DHE KEX", - .client_max_version = TLS1_1_VERSION, - .client_ciphers = "DHE-RSA-AES128-SHA", - }, - { - .desc = "TLSv1.0 client and default server with DHE KEX", - .client_max_version = TLS1_VERSION, - .client_ciphers = "DHE-RSA-AES128-SHA", - }, { .desc = "TLSv1.2 client and default server with RSA KEX", .client_max_version = TLS1_2_VERSION, .client_ciphers = "AES128-SHA", }, - { - .desc = "TLSv1.1 client and default server with RSA KEX", - .client_max_version = TLS1_1_VERSION, - .client_ciphers = "AES128-SHA", - }, - { - .desc = "TLSv1.0 client and default server with RSA KEX", - .client_max_version = TLS1_VERSION, - .client_ciphers = 
"AES128-SHA", - }, }; #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests)) diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py index 2953320c1d..aa7e384e1f 100644 --- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py +++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py @@ -1,4 +1,4 @@ -# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $ +# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $ # # Copyright (c) 2020 Theo Buehler # @@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [ tls12_exclude_legacy_protocols = [ # all these have BIO_read timeouts against TLSv1.3 "-e", "Protocol (3, 0)", + "-e", "Protocol (3, 1)", + "-e", "Protocol (3, 2)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", # the following only fail with TLSv1.3 "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", @@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [ "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", "-e", "Protocol (3, 3) with x448 group", + # These don't work without TLSv1.0 and TLSv1.1 + "-e", "Protocol (3, 1) with secp256r1 group", + "-e", "Protocol (3, 1) with secp384r1 group", + "-e", "Protocol (3, 1) with secp521r1 group", + "-e", "Protocol (3, 1) with x25519 group", + "-e", "Protocol (3, 2) with secp256r1 group", + "-e", "Protocol (3, 2) with secp384r1 group", + "-e", "Protocol (3, 2) with secp521r1 group", + "-e", "Protocol (3, 2) with x25519 group", ] tls12_tests = TestGroup("TLSv1.2 tests", [ # Tests that pass as they are. - Test("test-TLSv1_2-rejected-without-TLSv1_2.py"), Test("test-aes-gcm-nonces.py"), - Test("test-chacha20.py"), Test("test-connection-abort.py"), Test("test-conversation.py"), Test("test-cve-2016-2107.py"), 
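Review bot: The surviving entry described as `"TLSv1.2 client and default server with DHE KEX"` sets `.server_max_version = TLS1_2_VERSION,` while every other "TLSv1.2 client" entry in the table sets `.client_max_version`; the description and the field disagree, and with the TLSv1.0/1.1 entries gone this is now the only DHE case that caps the client, so it is worth fixing to `.client_max_version = TLS1_2_VERSION,` in the same commit. Separately, after these deletions nothing in tls_tests exercises a peer capped at TLSv1.1 or below, so there is no test that such a handshake now fails; if `struct tls_test` (declared outside the hunk) can express an expected failure, one negative case would document the new behaviour.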
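Review bot: The two new exclusions `"-e", "Protocol (3, 1)",` and `"-e", "Protocol (3, 2)",` are placed directly under the comment `# all these have BIO_read timeouts against TLSv1.3`, which no longer describes them: they are excluded because TLSv1.0 and TLSv1.1 are disabled, not because of TLSv1.3 timeouts. Either move them into the `# These don't work without TLSv1.0 and TLSv1.1` group that @@ -331 adds, or give them their own comment, so the next person pruning this list does not reason about them from the wrong premise. In @@ -331, removing `Test("test-chacha20.py")` here and re-adding it at the end of the list in @@ -438 with an exclusion also breaks the list's existing ordering; keeping it in place with the new argument would make the diff smaller and the list easier to scan.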
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ ] ), Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols), - Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]), + Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]), Test( "test-downgrade-protection.py", tls12_args = ["--server-max-protocol", "TLSv1.2"], - tls13_args = ["--server-max-protocol", "TLSv1.3"], + tls13_args = [ + "--server-max-protocol", "TLSv1.3", + "-e", "TLS 1.3 downgrade check for Protocol (3, 1)", + "-e", "TLS 1.3 downgrade check for Protocol (3, 2)", + ] + ), + Test( + "test-fallback-scsv.py", + tls13_args = [ + "--tls-1.3", + "-e", "FALLBACK - hello TLSv1.1 - pos 0", + "-e", "FALLBACK - hello TLSv1.1 - pos 1", + "-e", "FALLBACK - hello TLSv1.1 - pos 2", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1", + "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2", + "-e", "record TLSv1.1 hello TLSv1.1", + "-e", "sanity - TLSv1.1", + ] ), - Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ), Test("test-invalid-compression-methods.py", [ "-x", "invalid compression methods", @@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [ Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]), Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols), + + Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]), ]) tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [ @@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [ # x448 tests need disabling plus x25519 corner cases need sorting out Test("test-x25519.py"), + + # Needs TLS 1.0 or 1.1 + Test("test-TLSv1_2-rejected-without-TLSv1_2.py"), ]) tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [ diff --git a/src/regress/lib/libssl/unit/ssl_versions.c b/src/regress/lib/libssl/unit/ssl_versions.c index 261bed3a7a..ebfe8d2c28 100644 
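Review bot: In the @@ -549 hunk `Test("test-TLSv1_2-rejected-without-TLSv1_2.py")` is filed under tls12_failing_tests with the comment `# Needs TLS 1.0 or 1.1`, but a test that requires a protocol the library no longer speaks will never pass, which is what the adjacent `tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", ...)` group exists for; moving it there keeps "failing" meaning "should pass, currently does not". In the fallback-scsv entry of this hunk the TLSv1.1 exclusions are listed only in `tls13_args`, and the old form passed only `tls13_args` too, so whether the TLSv1.2 run of that test shares them or skips the test cannot be seen here; if it does run without them the `sanity - TLSv1.1` cases would presumably fail there as well, so that is worth confirming. The `Test("test-chacha20.py", ...)` line in @@ -412 is also preceded by two blank lines inside the list, unlike its neighbours.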
--- a/src/regress/lib/libssl/unit/ssl_versions.c +++ b/src/regress/lib/libssl/unit/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_3_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_3_VERSION, }, { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_2_VERSION, }, { .options = SSL_OP_NO_TLSv1, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_2_VERSION, }, { .options = SSL_OP_NO_TLSv1_3, .minver = TLS1_VERSION, .maxver = TLS1_3_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_2_VERSION, }, { .options = SSL_OP_NO_TLSv1_2, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .options = SSL_OP_NO_TLSv1_1, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, + .want_maxver = TLS1_2_VERSION, }, { .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 
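Review bot: Several entries of version_range_tests now assert `.want_minver = 0, .want_maxver = 0` or `TLS1_2_VERSION` for both bounds while their inputs still name `TLS1_VERSION`, `TLS1_1_VERSION`, `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_1`, and nothing in the table says that these legacy inputs are kept on purpose to prove they are ignored or rejected; a later cleanup could drop them as dead. A comment above the table, e.g. `/* TLSv1.0 and TLSv1.1 are unsupported: ranges confined to them must yield 0, and SSL_OP_NO_TLSv1/SSL_OP_NO_TLSv1_1 must have no effect. */`, would state that intent. The same applies to the @@ -81, @@ -119, @@ -140 and @@ -168 hunks of this table; the table's declaration starts outside the hunk.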
@@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = { .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | @@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_2_VERSION, }, { .options = 0, .minver = TLS1_1_VERSION, .maxver = TLS1_2_VERSION, - .want_minver = TLS1_1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_2_VERSION, }, { @@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_3_VERSION, - .want_minver = TLS1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_3_VERSION, }, { .options = 0, .minver = TLS1_1_VERSION, .maxver = TLS1_3_VERSION, - .want_minver = TLS1_1_VERSION, + .want_minver = TLS1_2_VERSION, .want_maxver = TLS1_3_VERSION, }, { @@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_1_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, { .options = 0, .minver = TLS1_VERSION, .maxver = TLS1_VERSION, - .want_minver = TLS1_VERSION, - .want_maxver = TLS1_VERSION, + .want_minver = 0, + .want_maxver = 0, }, }; 
@@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_VERSION, - .want_maxver = TLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_2_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_2_VERSION, - .want_maxver = TLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_1_VERSION, - .want_maxver = TLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_1_VERSION, .peerver = TLS1_2_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLS_method, @@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_VERSION, .peerver = TLS1_2_VERSION, - .want_maxver = TLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLSv1_method, 
@@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_VERSION, - .want_maxver = TLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = TLSv1_method, @@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION, .peerver = TLS1_1_VERSION, - .want_maxver = TLS1_1_VERSION, + .want_maxver = 0, }, { .ssl_method = DTLS_method, @@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_1_VERSION, .maxver = TLS1_2_VERSION, .peerver = DTLS1_VERSION, - .want_maxver = DTLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = DTLS_method, @@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_1_VERSION, .maxver = TLS1_1_VERSION, .peerver = DTLS1_2_VERSION, - .want_maxver = DTLS1_VERSION, + .want_maxver = 0, }, { .ssl_method = DTLSv1_2_method, @@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = { .minver = TLS1_1_VERSION, .maxver = TLS1_2_VERSION, .peerver = DTLS1_2_VERSION, - .want_maxver = DTLS1_VERSION, + .want_maxver = 0, }, }; -- cgit v1.2.3-55-g6feb