mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-15 06:01:37 +08:00
Code Issues Packages Projects Releases Wiki Activity
ef1e0242a9
openssl/test/ssl-tests/05-sni.cnf.in

174 lines
4.3 KiB
Plaintext
Raw Normal View History

Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
# -*- mode: perl; -*-
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 20:55:52 +08:00
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
#
Following the license change, modify the boilerplates in test/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767)
2018-12-06 20:05:25 +08:00
# Licensed under the Apache License 2.0 (the "License"). You may not use
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## SSL test configurations
use strict;
use warnings;
package ssltests;
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
use OpenSSL::Test::Utils;
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
Teach ssl_test_new how to test the FIPS module We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
2020-04-08 00:03:19 +08:00
our $fips_mode;
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
our @tests = (
{
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
name => "SNI-switch-context",
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "server2",
},
},
test => {
"ExpectedServerName" => "server2",
"ExpectedResult" => "Success"
},
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
},
{
name => "SNI-keep-context",
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "server1",
},
},
test => {
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
},
{
name => "SNI-no-server-support",
server => { },
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
client => {
extra => {
"ServerName" => "server1",
},
},
test => { "ExpectedResult" => "Success" },
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
},
{
name => "SNI-no-client-support",
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
client => { },
test => {
# We expect that the callback is still called
# to let the application decide whether they tolerate
# missing SNI (as our test callback does).
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
},
{
name => "SNI-bad-sni-ignore-mismatch",
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
SSL test framework: port SNI tests Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 23:20:25 +08:00
},
{
name => "SNI-bad-sni-reject-mismatch",
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-21 22:29:48 +08:00
server => {
extra => {
"ServerNameCallback" => "RejectMismatch",
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" => "UnrecognizedName"
},
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
},
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
{
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
name => "SNI-bad-clienthello-sni-ignore-mismatch",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
server => {
extra => {
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
"ServerNameCallback" => "ClientHelloIgnoreMismatch",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
},
{
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
name => "SNI-bad-clienthello-sni-reject-mismatch",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
server => {
extra => {
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
"ServerNameCallback" => "ClientHelloRejectMismatch",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" => "UnrecognizedName"
},
},
Fix session ticket and SNI When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
);
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
our @tests_tls_1_1 = (
{
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
name => "SNI-clienthello-disable-v12",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
server => {
Reduce the security bits for MD5 and SHA1 based signatures in TLS This has as effect that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer supported at the default security level of 1, and that you need to set the security level to 0 to use TLS < 1.2. Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
2020-01-03 06:25:27 +08:00
"CipherString" => "DEFAULT:\@SECLEVEL=0",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
extra => {
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4349)
2017-09-08 06:39:40 +08:00
"ServerNameCallback" => "ClientHelloNoV12",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
},
},
client => {
Reduce the security bits for MD5 and SHA1 based signatures in TLS This has as effect that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer supported at the default security level of 1, and that you need to set the security level to 0 to use TLS < 1.2. Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
2020-01-03 06:25:27 +08:00
"CipherString" => "DEFAULT:\@SECLEVEL=0",
Tests for SSL early callback Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-01 06:06:30 +08:00
extra => {
"ServerName" => "server2",
},
},
test => {
"ExpectedProtocol" => "TLSv1.1",
"ExpectedServerName" => "server2",
},
},
);
Teach ssl_test_new how to test the FIPS module We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
2020-04-08 00:03:19 +08:00
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode;
Reference in New Issue Copy Permalink