mirror of
https://github.com/openssl/openssl.git
synced 2024-11-21 01:15:20 +08:00
Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This commit is contained in:
Kurt Roeckx
Viktor Dukhovni
parent
1e0784ff95
commit
7946ab33ce
8
CHANGES
8
CHANGES
@ -4,6 +4,14 @@
|
||||
|
||||
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) Add support for setting the minimum and maximum supported protocol.
|
||||
It can bet set via the SSL_set_min_proto_version() and
|
||||
SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
|
||||
MaxProtcol. It's recommended to use the new APIs to disable
|
||||
protocols instead of disabling individual protocols using
|
||||
SSL_set_options() or SSL_CONF's Protocol.
|
||||
[Kurt Roeckx]
|
||||
|
||||
*) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
|
||||
[Andy Polyakov]
|
||||
|
||||
|
||||
@ -109,6 +109,11 @@ Attempts to use the file B<value> as the set of temporary DH parameters for
|
||||
the appropriate context. This option is only supported if certificate
|
||||
operations are permitted.
|
||||
|
||||
=item B<-min_protocol>, B<-max_protocol>
|
||||
|
||||
Sets the minimum and maximum supported protocol.
|
||||
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>.
|
||||
|
||||
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||
|
||||
Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
|
||||
@ -258,16 +263,37 @@ picks an appropriate curve based on client and server preferences. The curve
|
||||
can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
|
||||
(e.g B<prime256v1>). Curve names are case sensitive.
|
||||
|
||||
=item B<MinProtocol>
|
||||
|
||||
This sets the minimum supported SSL, TLS or DTLS version.
|
||||
|
||||
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>.
|
||||
|
||||
=item B<MaxProtocol>
|
||||
|
||||
This sets the maximum supported SSL, TLS or DTLS version.
|
||||
|
||||
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>.
|
||||
|
||||
=item B<Protocol>
|
||||
|
||||
The supported versions of the SSL or TLS protocol.
|
||||
This can be used to enable or disable certain versions of the SSL, TLS or DTLS protocol.
|
||||
|
||||
The B<value> argument is a comma separated list of supported protocols to
|
||||
enable or disable. If an protocol is preceded by B<-> that version is disabled.
|
||||
All versions are enabled by default, though applications may choose to
|
||||
explicitly disable some. Currently supported protocol values are
|
||||
B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers
|
||||
to all supported versions.
|
||||
The B<value> argument is a comma separated list of supported protocols to enable or disable.
|
||||
If a protocol is preceded by B<-> that version is disabled.
|
||||
|
||||
All protocol versions are enabled by default.
|
||||
You need to disable at least 1 protocol version for this setting have any effect.
|
||||
Only enabling some protocol versions does not disable the other protocol versions.
|
||||
|
||||
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>.
|
||||
The special value B<ALL> refers to all supported versions.
|
||||
|
||||
This can't enable protocols that are disabled using B<MinProtocol> or B<MaxProtocol>, but can disable protocols that are still allowed by them.
|
||||
|
||||
The B<Protocol> command is fragile and deprecated; do not use it.
|
||||
Use B<MinProtocol> and B<MaxProtocol> instead.
|
||||
If you do use B<Protocol>, make sure that the resulting range of enabled protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also leave TLS 1.1 enabled.
|
||||
|
||||
=item B<Options>
|
||||
|
||||
@ -416,12 +442,29 @@ Set supported signature algorithms:
|
||||
|
||||
SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
|
||||
|
||||
Enable all protocols except SSLv3:
|
||||
There are various ways to select the supported procotols.
|
||||
|
||||
This set the minimum protocol version to TLSv1, and so disables SSLv3.
|
||||
This is the recommended way to disable protocols.
|
||||
|
||||
SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
|
||||
|
||||
The following also disables SSLv3:
|
||||
|
||||
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
|
||||
|
||||
The following will first enable all protocols, and then disable SSLv3.
|
||||
If nothing was disabled before it has the same effect as "-SSLv3", but if things were disables it will first enable them again before disabling SSLv3.
|
||||
|
||||
SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
|
||||
|
||||
Only enable TLSv1.2:
|
||||
|
||||
SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
|
||||
SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");
|
||||
|
||||
This also only enables TLSv1.2:
|
||||
|
||||
SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
|
||||
|
||||
Disable TLS session tickets:
|
||||
@ -474,4 +517,6 @@ B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of
|
||||
OpenSSL passing a command which didn't take an argument would return
|
||||
B<SSL_CONF_TYPE_UNKNOWN>.
|
||||
|
||||
B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0.
|
||||
|
||||
=cut
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
=head1 NAME
|
||||
|
||||
SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions
|
||||
SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method - create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
@ -10,51 +10,77 @@ SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_metho
|
||||
|
||||
SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
|
||||
|
||||
const SSL_METHOD *TLS_method(void);
|
||||
const SSL_METHOD *TLS_server_method(void);
|
||||
const SSL_METHOD *TLS_client_method(void);
|
||||
|
||||
#define SSLv23_method TLS_method
|
||||
#define SSLv23_server_method TLS_server_method
|
||||
#define SSLv23_client_method TLS_client_method
|
||||
|
||||
#ifndef OPENSSL_NO_SSL3_METHOD
|
||||
const SSL_METHOD *SSLv3_method(void);
|
||||
const SSL_METHOD *SSLv3_server_method(void);
|
||||
const SSL_METHOD *SSLv3_client_method(void);
|
||||
#endif
|
||||
|
||||
const SSL_METHOD *TLSv1_method(void);
|
||||
const SSL_METHOD *TLSv1_server_method(void);
|
||||
const SSL_METHOD *TLSv1_client_method(void);
|
||||
|
||||
const SSL_METHOD *TLSv1_1_method(void);
|
||||
const SSL_METHOD *TLSv1_1_server_method(void);
|
||||
const SSL_METHOD *TLSv1_1_client_method(void);
|
||||
|
||||
const SSL_METHOD *TLSv1_2_method(void);
|
||||
const SSL_METHOD *TLSv1_2_server_method(void);
|
||||
const SSL_METHOD *TLSv1_2_client_method(void);
|
||||
|
||||
const SSL_METHOD *DTLS_method(void);
|
||||
const SSL_METHOD *DTLS_server_method(void);
|
||||
const SSL_METHOD *DTLS_client_method(void);
|
||||
|
||||
const SSL_METHOD *DTLSv1_method(void);
|
||||
const SSL_METHOD *DTLSv1_server_method(void);
|
||||
const SSL_METHOD *DTLSv1_client_method(void);
|
||||
|
||||
const SSL_METHOD *DTLSv1_2_method(void);
|
||||
const SSL_METHOD *DTLSv1_2_server_method(void);
|
||||
const SSL_METHOD *DTLSv1_2_client_method(void);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish
|
||||
TLS/SSL enabled connections.
|
||||
SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish TLS/SSL or DTLS enabled connections.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
The SSL_CTX object uses B<method> as connection method. The methods exist
|
||||
in a generic type (for client and server use), a server only type, and a
|
||||
client only type. B<method> can be of the following types:
|
||||
The SSL_CTX object uses B<method> as connection method.
|
||||
The methods exist in a generic type (for client and server use), a server only type, and a client only type.
|
||||
B<method> can be of the following types:
|
||||
|
||||
=over 4
|
||||
|
||||
=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
|
||||
=item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()
|
||||
|
||||
A TLS/SSL connection established with these methods will only understand the
|
||||
SSLv3 protocol. A client will send out SSLv3 client hello messages
|
||||
and will indicate that it only understands SSLv3. A server will only understand
|
||||
SSLv3 client hello messages.
|
||||
An SSL connection established with these methods will only understand the SSLv3 protocol.
|
||||
A client will send out a SSLv3 client hello messages and will indicate that it supports SSLv3.
|
||||
A server will only understand SSLv3 client hello message and only support the SSLv3 protocol.
|
||||
|
||||
=item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
|
||||
=item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()
|
||||
|
||||
A TLS/SSL connection established with these methods will only understand the
|
||||
TLSv1 protocol. A client will send out TLSv1 client hello messages
|
||||
and will indicate that it only understands TLSv1. A server will only understand
|
||||
TLSv1 client hello messages.
|
||||
A TLS connection established with these methods will only understand the TLS 1.0 protocol.
|
||||
|
||||
=item TLSv1_1_method(void), TLSv1_1_server_method(void), TLSv1_1_client_method(void)
|
||||
=item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()
|
||||
|
||||
A TLS/SSL connection established with these methods will only understand the
|
||||
TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages
|
||||
and will indicate that it only understands TLSv1.1. A server will only
|
||||
understand TLSv1.1 client hello messages.
|
||||
A TLS connection established with these methods will only understand the TLS 1.1 protocol.
|
||||
|
||||
=item TLSv1_2_method(void), TLSv1_2_server_method(void), TLSv1_2_client_method(void)
|
||||
=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
|
||||
|
||||
A TLS/SSL connection established with these methods will only understand the
|
||||
TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages
|
||||
and will indicate that it only understands TLSv1.2. A server will only
|
||||
understand TLSv1.2 client hello messages.
|
||||
A TLS connection established with these methods will only understand the TLS 1.2 protocol.
|
||||
|
||||
=item TLS_method(void), TLS_server_method(void), TLS_client_method(void)
|
||||
=item TLS_method(), TLS_server_method(), TLS_client_method()
|
||||
|
||||
A TLS/SSL connection established with these methods may understand the
|
||||
SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
|
||||
A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
|
||||
|
||||
If extensions are required (for example server name)
|
||||
a client will send out TLSv1 client hello messages including extensions and
|
||||
@ -62,26 +88,36 @@ will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
|
||||
fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
|
||||
protocols. This is the best choice when compatibility is a concern.
|
||||
|
||||
=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
|
||||
=item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()
|
||||
|
||||
Use of these functions is deprecated. They have been replaced with TLS_Method(),
|
||||
Use of these functions is deprecated. They have been replaced with TLS_method(),
|
||||
TLS_server_method() and TLS_client_method() respectively. New code should use
|
||||
those functions instead.
|
||||
|
||||
=item DTLS_method(), DTLS_server_method(), DTLS_client_method()
|
||||
|
||||
A DTLS connection established with those methods understands all supported DTLS protocols.
|
||||
Currently supported protocols are DTLS 1.0 and DTLS 1.2.
|
||||
|
||||
=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
|
||||
|
||||
A DTLS connection established with these methods will only understand the DTLS 1.0 protocol.
|
||||
|
||||
=item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()
|
||||
|
||||
A DTLS connection established with these methods will only understand the DTLS 1.2 protocol.
|
||||
|
||||
=back
|
||||
|
||||
The list of protocols available can later be limited using the
|
||||
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
|
||||
options of the SSL_CTX_set_options() or SSL_set_options() functions.
|
||||
Using these options it is possible to choose e.g. TLS_server_method() and
|
||||
be able to negotiate with all possible clients, but to only allow newer
|
||||
protocols like TLSv1, TLSv1.1 or TLS v1.2.
|
||||
TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(), DTLS_server_method() and DTLS_client_method() are the version flexible methods.
|
||||
All other methods only support 1 specific protocol version.
|
||||
It's recommended to use those methods instead of the version specific methods.
|
||||
|
||||
Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
|
||||
If you want to limit the supported protocols for the version flexible methods you can use SSL_CTX_set_min_proto_version(), SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and SSL_set_max_proto_version() functions.
|
||||
They can also be limited using by using an option like SSL_OP_NO_SSLv3 of the SSL_CTX_set_options() or SSL_set_options() functions, but that's not recommended.
|
||||
Using these functions it is possible to choose e.g. TLS_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLS v1, TLS v1.1 or TLS v1.2.
|
||||
|
||||
SSL_CTX_new() initializes the list of ciphers, the session cache setting,
|
||||
the callbacks, the keys and certificates and the options to its default
|
||||
values.
|
||||
SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to its default values.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
@ -102,14 +138,14 @@ The return value points to an allocated SSL_CTX object.
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in
|
||||
OpenSSL 1.1.0. SSLv23_method, SSLv23_server_method and SSLv23_client_method were
|
||||
deprecated and TLS_method, TLS_server_method and TLS_client_method
|
||||
were introduced in OpenSSL 1.1.0.
|
||||
SSLv3
|
||||
SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in OpenSSL 1.1.0.
|
||||
SSLv23_method, SSLv23_server_method and SSLv23_client_method were deprecated and TLS_method, TLS_server_method and TLS_client_method were introduced in OpenSSL 1.1.0.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<SSL_CTX_free(3)>, L<SSL_accept(3)>,
|
||||
L<SSL_CTX_set_min_proto_version(3)>,
|
||||
L<ssl(3)>, L<SSL_set_connect_state(3)>
|
||||
|
||||
=cut
|
||||
|
||||
42
doc/ssl/SSL_CTX_set_min_proto_version.pod
Normal file
42
doc/ssl/SSL_CTX_set_min_proto_version.pod
Normal file
@ -0,0 +1,42 @@
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version, SSL_set_min_proto_version, SSL_set_max_proto_version - Set minimum and maximum supported protocol version
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
|
||||
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
|
||||
int SSL_set_min_proto_version(SSL *ssl, int version);
|
||||
int SSL_set_max_proto_version(SSL *ssl, int version);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The functions set the minimum and maximum supported portocol versions for the B<ctx> or B<ssl>.
|
||||
This works in combination with the options set via SSL_CTX_set_options() that allows to disable specific protocol versions.
|
||||
You should use these functions instead of disabling a specific protocol version.
|
||||
|
||||
When setting the minimum or maximum version to 0 it will use the lowest or highest supported version, respectively, by the library.
|
||||
|
||||
Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>, B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<DTLS1_VERSION> and B<DTLS1_2_VERSION>.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The function returns 1 on success and 0 on failure.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
All these functions are implemented using macros.
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
The functions were added in OpenSSL 1.1.0
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<SSL_CTX_set_options(3)>, L<SSL_CONF_cmd(3)>
|
||||
|
||||
=cut
|
||||
@ -153,13 +153,10 @@ own preferences.
|
||||
...
|
||||
|
||||
|
||||
=item SSL_OP_NO_SSLv3
|
||||
=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1
|
||||
|
||||
Do not use the SSLv3 protocol.
|
||||
|
||||
=item SSL_OP_NO_TLSv1
|
||||
|
||||
Do not use the TLSv1 protocol.
|
||||
Do not use the SSLv3 or TLSv1 protocol, respectively.
|
||||
You should avoid using those settings and instead use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version().
|
||||
|
||||
=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
||||
|
||||
@ -269,6 +266,7 @@ secure renegotiation and 0 if it does not.
|
||||
|
||||
L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>,
|
||||
L<SSL_CTX_set_tmp_dh_callback(3)>,
|
||||
L<SSL_CTX_set_min_proto_version(3)>,
|
||||
L<dhparam(1)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
@ -66,6 +66,7 @@ extern "C" {
|
||||
|
||||
# define DTLS1_VERSION 0xFEFF
|
||||
# define DTLS1_2_VERSION 0xFEFD
|
||||
# define DTLS_MIN_VERSION DTLS1_VERSION
|
||||
# define DTLS_MAX_VERSION DTLS1_2_VERSION
|
||||
# define DTLS1_VERSION_MAJOR 0xFE
|
||||
|
||||
|
||||
@ -438,6 +438,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
|
||||
|
||||
# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
|
||||
SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
|
||||
# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
|
||||
|
||||
|
||||
/* Removed from previous versions */
|
||||
# define SSL_OP_PKCS1_CHECK_1 0x0
|
||||
@ -1219,6 +1221,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
# define DTLS_CTRL_SET_LINK_MTU 120
|
||||
# define DTLS_CTRL_GET_LINK_MIN_MTU 121
|
||||
# define SSL_CTRL_GET_EXTMS_SUPPORT 122
|
||||
# define SSL_CTRL_SET_MIN_PROTO_VERSION 123
|
||||
# define SSL_CTRL_SET_MAX_PROTO_VERSION 124
|
||||
# define SSL_CERT_SET_FIRST 1
|
||||
# define SSL_CERT_SET_NEXT 2
|
||||
# define SSL_CERT_SET_SERVER 3
|
||||
@ -1350,6 +1354,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
|
||||
# define SSL_get0_ec_point_formats(s, plst) \
|
||||
SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst)
|
||||
#define SSL_CTX_set_min_proto_version(ctx, version) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
|
||||
#define SSL_CTX_set_max_proto_version(ctx, version) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
|
||||
#define SSL_set_min_proto_version(s, version) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
|
||||
#define SSL_set_max_proto_version(s, version) \
|
||||
SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
|
||||
|
||||
|
||||
__owur BIO_METHOD *BIO_f_ssl(void);
|
||||
__owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
|
||||
|
||||
16
ssl/d1_lib.c
16
ssl/d1_lib.c
@ -259,14 +259,24 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
case SSL_CTRL_CHECK_PROTO_VERSION:
|
||||
/*
|
||||
* For library-internal use; checks that the current protocol is the
|
||||
* highest enabled version (according to s->ctx->method, as version
|
||||
* negotiation may have changed s->method).
|
||||
* is the highest enabled version.
|
||||
*/
|
||||
if (s->max_proto_version == 0 && s->version == DTLS_MAX_VERSION)
|
||||
return 1;
|
||||
if (s->max_proto_version != 0 && s->version == s->max_proto_version)
|
||||
return 1;
|
||||
/* We're not limited by the max_proto_version but might still have
|
||||
* other reasons why we use an older version like not using a
|
||||
* version-flexible SSL_METHOD. Check s->ctx->method as version
|
||||
* negotiation may have changed s->method.
|
||||
* This check can be removed when we only have version-flexible
|
||||
* SSL_METHODs
|
||||
*/
|
||||
if (s->version == s->ctx->method->version)
|
||||
return 1;
|
||||
/*
|
||||
* Apparently we're using a version-flexible SSL_METHOD (not at its
|
||||
* highest protocol version).
|
||||
* highest protocol version, not limited by max_proto_version).
|
||||
*/
|
||||
if (s->ctx->method->version == DTLS_method()->version) {
|
||||
#if DTLS_MAX_VERSION != DTLS1_2_VERSION
|
||||
|
||||
@ -142,6 +142,10 @@ struct ssl_conf_ctx_st {
|
||||
uint32_t *pcert_flags;
|
||||
/* Pointer to SSL or SSL_CTX verify_mode or NULL if none */
|
||||
uint32_t *pvfy_flags;
|
||||
/* Pointer to SSL or SSL_CTX min_version field or NULL if none */
|
||||
int *min_version;
|
||||
/* Pointer to SSL or SSL_CTX max_version field or NULL if none */
|
||||
int *max_version;
|
||||
/* Current flag table being worked on */
|
||||
const ssl_flag_tbl *tbl;
|
||||
/* Size of table */
|
||||
@ -307,13 +311,78 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
|
||||
SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
|
||||
SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
|
||||
SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
|
||||
SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
|
||||
SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
|
||||
SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
|
||||
SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
|
||||
};
|
||||
cctx->tbl = ssl_protocol_list;
|
||||
cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
|
||||
return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
|
||||
}
|
||||
|
||||
/*
|
||||
* protocol_from_string - converts a protocol version string to a number
|
||||
*
|
||||
* Returns -1 on failure or the version on success
|
||||
*/
|
||||
static int protocol_from_string(const char *value)
|
||||
{
|
||||
struct protocol_versions {
|
||||
const char *name;
|
||||
int version;
|
||||
};
|
||||
static const struct protocol_versions versions[] = {
|
||||
{"SSLv3", SSL3_VERSION},
|
||||
{"TLSv1", TLS1_VERSION},
|
||||
{"TLSv1.1", TLS1_1_VERSION},
|
||||
{"TLSv1.2", TLS1_2_VERSION},
|
||||
{"DTLSv1", DTLS1_VERSION},
|
||||
{"DTLSv1.2", DTLS1_2_VERSION}};
|
||||
size_t i;
|
||||
size_t n = OSSL_NELEM(versions);
|
||||
|
||||
for (i = 0; i < n; i++)
|
||||
if (strcmp(versions[i].name, value) == 0)
|
||||
return versions[i].version;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* cmd_MinProtocol - Set min protocol version
|
||||
* @cctx: config structure to save settings in
|
||||
* @value: The min protocol version in string form
|
||||
*
|
||||
* Returns 1 on success and 0 on failure.
|
||||
*/
|
||||
static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
|
||||
{
|
||||
int version = protocol_from_string(value);
|
||||
|
||||
if (version < 0)
|
||||
return 0;
|
||||
|
||||
*(cctx->min_version) = version;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* cmd_MaxProtocol - Set max protocol version
|
||||
* @cctx: config structure to save settings in
|
||||
* @value: The max protocol version in string form
|
||||
*
|
||||
* Returns 1 on success and 0 on failure.
|
||||
*/
|
||||
static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
|
||||
{
|
||||
int version = protocol_from_string(value);
|
||||
|
||||
if (version < 0)
|
||||
return 0;
|
||||
|
||||
*(cctx->max_version) = version;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
||||
{
|
||||
static const ssl_flag_tbl ssl_option_list[] = {
|
||||
@ -527,6 +596,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
|
||||
#endif
|
||||
SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
|
||||
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
|
||||
SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT),
|
||||
SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT),
|
||||
SSL_CONF_CMD_STRING(Options, NULL, 0),
|
||||
SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
|
||||
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
|
||||
@ -831,10 +902,14 @@ void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
|
||||
cctx->ctx = NULL;
|
||||
if (ssl) {
|
||||
cctx->poptions = &ssl->options;
|
||||
cctx->min_version = &ssl->min_proto_version;
|
||||
cctx->max_version = &ssl->max_proto_version;
|
||||
cctx->pcert_flags = &ssl->cert->cert_flags;
|
||||
cctx->pvfy_flags = &ssl->verify_mode;
|
||||
} else {
|
||||
cctx->poptions = NULL;
|
||||
cctx->min_version = NULL;
|
||||
cctx->max_version = NULL;
|
||||
cctx->pcert_flags = NULL;
|
||||
cctx->pvfy_flags = NULL;
|
||||
}
|
||||
@ -846,10 +921,14 @@ void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
|
||||
cctx->ssl = NULL;
|
||||
if (ctx) {
|
||||
cctx->poptions = &ctx->options;
|
||||
cctx->min_version = &ctx->min_proto_version;
|
||||
cctx->max_version = &ctx->max_proto_version;
|
||||
cctx->pcert_flags = &ctx->cert->cert_flags;
|
||||
cctx->pvfy_flags = &ctx->verify_mode;
|
||||
} else {
|
||||
cctx->poptions = NULL;
|
||||
cctx->min_version = NULL;
|
||||
cctx->max_version = NULL;
|
||||
cctx->pcert_flags = NULL;
|
||||
cctx->pvfy_flags = NULL;
|
||||
}
|
||||
|
||||
@ -293,6 +293,8 @@ SSL *SSL_new(SSL_CTX *ctx)
|
||||
RECORD_LAYER_init(&s->rlayer, s);
|
||||
|
||||
s->options = ctx->options;
|
||||
s->min_proto_version = ctx->min_proto_version;
|
||||
s->max_proto_version = ctx->max_proto_version;
|
||||
s->mode = ctx->mode;
|
||||
s->max_cert_list = ctx->max_cert_list;
|
||||
s->references = 1;
|
||||
@ -1198,6 +1200,12 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
return 1;
|
||||
else
|
||||
return 0;
|
||||
case SSL_CTRL_SET_MIN_PROTO_VERSION:
|
||||
s->min_proto_version = larg;
|
||||
return 1;
|
||||
case SSL_CTRL_SET_MAX_PROTO_VERSION:
|
||||
s->max_proto_version = larg;
|
||||
return 1;
|
||||
default:
|
||||
return (s->method->ssl_ctrl(s, cmd, larg, parg));
|
||||
}
|
||||
@ -1314,6 +1322,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||
return (ctx->cert->cert_flags |= larg);
|
||||
case SSL_CTRL_CLEAR_CERT_FLAGS:
|
||||
return (ctx->cert->cert_flags &= ~larg);
|
||||
case SSL_CTRL_SET_MIN_PROTO_VERSION:
|
||||
ctx->min_proto_version = larg;
|
||||
return 1;
|
||||
case SSL_CTRL_SET_MAX_PROTO_VERSION:
|
||||
ctx->max_proto_version = larg;
|
||||
return 1;
|
||||
default:
|
||||
return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
|
||||
}
|
||||
@ -1794,6 +1808,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
goto err;
|
||||
|
||||
ret->method = meth;
|
||||
ret->min_proto_version = 0;
|
||||
ret->max_proto_version = 0;
|
||||
ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
|
||||
ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
|
||||
/* We take the system default. */
|
||||
|
||||
@ -264,6 +264,11 @@
|
||||
c[1]=(unsigned char)(((l)>> 8)&0xff), \
|
||||
c[2]=(unsigned char)(((l) )&0xff)),c+=3)
|
||||
|
||||
#define DTLS_VERSION_GT(v1, v2) ((v1) < (v2))
|
||||
#define DTLS_VERSION_GE(v1, v2) ((v1) <= (v2))
|
||||
#define DTLS_VERSION_LT(v1, v2) ((v1) > (v2))
|
||||
#define DTLS_VERSION_LE(v1, v2) ((v1) >= (v2))
|
||||
|
||||
/* LOCAL STUFF */
|
||||
|
||||
# define SSL_DECRYPT 0
|
||||
@ -796,6 +801,8 @@ struct ssl_ctx_st {
|
||||
|
||||
uint32_t options;
|
||||
uint32_t mode;
|
||||
int min_proto_version;
|
||||
int max_proto_version;
|
||||
long max_cert_list;
|
||||
|
||||
struct cert_st /* CERT */ *cert;
|
||||
@ -1066,6 +1073,8 @@ struct ssl_st {
|
||||
uint32_t options;
|
||||
/* API behaviour */
|
||||
uint32_t mode;
|
||||
int min_proto_version;
|
||||
int max_proto_version;
|
||||
long max_cert_list;
|
||||
int first_packet;
|
||||
/* what was passed, used for SSLv3/TLS rollback check */
|
||||
|
||||
@ -852,6 +852,14 @@ static int ssl_set_version(SSL *s)
|
||||
s->version = SSL3_VERSION;
|
||||
#endif
|
||||
|
||||
if (s->max_proto_version != 0 && (s->version > s->max_proto_version))
|
||||
s->version = s->max_proto_version;
|
||||
if (s->version < s->min_proto_version)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (s->version != TLS1_2_VERSION && tls1_suiteb(s)) {
|
||||
SSLerr(SSL_F_SSL_SET_VERSION,
|
||||
SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
|
||||
@ -864,9 +872,17 @@ static int ssl_set_version(SSL *s)
|
||||
}
|
||||
|
||||
} else if (s->method->version == DTLS_ANY_VERSION) {
|
||||
/* Determine which DTLS version to use */
|
||||
int max_version = DTLS_MAX_VERSION;
|
||||
int min_version = DTLS_MIN_VERSION;
|
||||
|
||||
if (s->max_proto_version != 0)
|
||||
max_version = s->max_proto_version;
|
||||
if (s->min_proto_version != 0)
|
||||
min_version = s->min_proto_version;
|
||||
|
||||
/* If DTLS 1.2 disabled correct the version number */
|
||||
if (options & SSL_OP_NO_DTLSv1_2) {
|
||||
if (options & SSL_OP_NO_DTLSv1_2
|
||||
|| DTLS_VERSION_GT(DTLS1_2_VERSION, max_version)) {
|
||||
if (tls1_suiteb(s)) {
|
||||
SSLerr(SSL_F_SSL_SET_VERSION,
|
||||
SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
|
||||
@ -875,7 +891,8 @@ static int ssl_set_version(SSL *s)
|
||||
/*
|
||||
* Disabling all versions is silly: return an error.
|
||||
*/
|
||||
if (options & SSL_OP_NO_DTLSv1) {
|
||||
if (options & SSL_OP_NO_DTLSv1
|
||||
|| DTLS_VERSION_GT(min_version, DTLS1_VERSION)) {
|
||||
SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_WRONG_SSL_VERSION);
|
||||
return 0;
|
||||
}
|
||||
@ -888,7 +905,8 @@ static int ssl_set_version(SSL *s)
|
||||
/*
|
||||
* We only support one version: update method
|
||||
*/
|
||||
if (options & SSL_OP_NO_DTLSv1)
|
||||
if (options & SSL_OP_NO_DTLSv1
|
||||
|| DTLS_VERSION_GE(min_version, DTLS1_2_VERSION))
|
||||
s->method = DTLSv1_2_client_method();
|
||||
s->version = DTLS1_2_VERSION;
|
||||
}
|
||||
@ -1129,6 +1147,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
|
||||
if (s->method->version == TLS_ANY_VERSION) {
|
||||
unsigned int sversion;
|
||||
int max_version = TLS_MAX_VERSION;
|
||||
|
||||
if (s->max_proto_version != 0)
|
||||
max_version = s->max_proto_version;
|
||||
|
||||
if (!PACKET_get_net_2(pkt, &sversion)) {
|
||||
al = SSL_AD_DECODE_ERROR;
|
||||
@ -1140,7 +1162,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
#error Code needs updating for new TLS version
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
if ((sversion == SSL3_VERSION) && !(s->options & SSL_OP_NO_SSLv3)) {
|
||||
if ((sversion == SSL3_VERSION) && !(s->options & SSL_OP_NO_SSLv3) &&
|
||||
(s->min_proto_version <= SSL3_VERSION) &&
|
||||
(max_version >= SSL3_VERSION)) {
|
||||
if (FIPS_mode()) {
|
||||
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
|
||||
SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
|
||||
@ -1150,13 +1174,19 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
s->method = SSLv3_client_method();
|
||||
} else
|
||||
#endif
|
||||
if ((sversion == TLS1_VERSION) && !(s->options & SSL_OP_NO_TLSv1)) {
|
||||
if ((sversion == TLS1_VERSION) && !(s->options & SSL_OP_NO_TLSv1) &&
|
||||
(s->min_proto_version <= TLS1_VERSION) &&
|
||||
(max_version >= TLS1_VERSION)) {
|
||||
s->method = TLSv1_client_method();
|
||||
} else if ((sversion == TLS1_1_VERSION) &&
|
||||
!(s->options & SSL_OP_NO_TLSv1_1)) {
|
||||
!(s->options & SSL_OP_NO_TLSv1_1) &&
|
||||
(s->min_proto_version <= TLS1_1_VERSION) &&
|
||||
(max_version >= TLS1_1_VERSION)) {
|
||||
s->method = TLSv1_1_client_method();
|
||||
} else if ((sversion == TLS1_2_VERSION) &&
|
||||
!(s->options & SSL_OP_NO_TLSv1_2)) {
|
||||
!(s->options & SSL_OP_NO_TLSv1_2) &&
|
||||
(s->min_proto_version <= TLS1_2_VERSION) &&
|
||||
(max_version >= TLS1_2_VERSION)) {
|
||||
s->method = TLSv1_2_client_method();
|
||||
} else {
|
||||
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
|
||||
@ -1165,7 +1195,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
}
|
||||
s->session->ssl_version = s->version = s->method->version;
|
||||
|
||||
if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
|
||||
if ((s->version < s->min_proto_version)
|
||||
|| !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
|
||||
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
|
||||
al = SSL_AD_PROTOCOL_VERSION;
|
||||
goto f_err;
|
||||
@ -1174,6 +1205,13 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
/* Work out correct protocol version to use */
|
||||
unsigned int hversion;
|
||||
int options;
|
||||
int max_version = DTLS_MAX_VERSION;
|
||||
int min_version = DTLS_MIN_VERSION;
|
||||
|
||||
if (s->max_proto_version != 0)
|
||||
max_version = s->max_proto_version;
|
||||
if (s->min_proto_version != 0)
|
||||
min_version = s->min_proto_version;
|
||||
|
||||
if (!PACKET_get_net_2(pkt, &hversion)) {
|
||||
al = SSL_AD_DECODE_ERROR;
|
||||
@ -1182,7 +1220,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
}
|
||||
|
||||
options = s->options;
|
||||
if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2))
|
||||
if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2) &&
|
||||
DTLS_VERSION_LE(min_version, DTLS1_2_VERSION) &&
|
||||
DTLS_VERSION_GE(max_version, DTLS1_2_VERSION))
|
||||
s->method = DTLSv1_2_client_method();
|
||||
else if (tls1_suiteb(s)) {
|
||||
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
|
||||
@ -1190,7 +1230,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
||||
s->version = hversion;
|
||||
al = SSL_AD_PROTOCOL_VERSION;
|
||||
goto f_err;
|
||||
} else if (hversion == DTLS1_VERSION && !(options & SSL_OP_NO_DTLSv1))
|
||||
} else if (hversion == DTLS1_VERSION && !(options & SSL_OP_NO_DTLSv1) &&
|
||||
DTLS_VERSION_LE(min_version, DTLS1_VERSION) &&
|
||||
DTLS_VERSION_GE(max_version, DTLS1_VERSION))
|
||||
s->method = DTLSv1_client_method();
|
||||
else {
|
||||
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
|
||||
|
||||
@ -1044,10 +1044,17 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
protverr = 0;
|
||||
}
|
||||
} else if (s->client_version >= SSL3_VERSION) {
|
||||
int max_version = TLS_MAX_VERSION;
|
||||
|
||||
if (s->max_proto_version != 0)
|
||||
max_version = s->max_proto_version;
|
||||
|
||||
switch(s->client_version) {
|
||||
default:
|
||||
case TLS1_2_VERSION:
|
||||
if(!(s->options & SSL_OP_NO_TLSv1_2)) {
|
||||
if(!(s->options & SSL_OP_NO_TLSv1_2) &&
|
||||
(max_version >= TLS1_2_VERSION) &&
|
||||
(s->min_proto_version <= TLS1_2_VERSION)) {
|
||||
s->version = TLS1_2_VERSION;
|
||||
s->method = TLSv1_2_server_method();
|
||||
protverr = 0;
|
||||
@ -1055,7 +1062,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
}
|
||||
/* Deliberately fall through */
|
||||
case TLS1_1_VERSION:
|
||||
if(!(s->options & SSL_OP_NO_TLSv1_1)) {
|
||||
if(!(s->options & SSL_OP_NO_TLSv1_1) &&
|
||||
(max_version >= TLS1_1_VERSION) &&
|
||||
(s->min_proto_version <= TLS1_1_VERSION)) {
|
||||
s->version = TLS1_1_VERSION;
|
||||
s->method = TLSv1_1_server_method();
|
||||
protverr = 0;
|
||||
@ -1063,7 +1072,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
}
|
||||
/* Deliberately fall through */
|
||||
case TLS1_VERSION:
|
||||
if(!(s->options & SSL_OP_NO_TLSv1)) {
|
||||
if(!(s->options & SSL_OP_NO_TLSv1) &&
|
||||
(max_version >= TLS1_VERSION) &&
|
||||
(s->min_proto_version <= TLS1_VERSION)) {
|
||||
s->version = TLS1_VERSION;
|
||||
s->method = TLSv1_server_method();
|
||||
protverr = 0;
|
||||
@ -1072,7 +1083,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
/* Deliberately fall through */
|
||||
case SSL3_VERSION:
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
if(!(s->options & SSL_OP_NO_SSLv3)) {
|
||||
if(!(s->options & SSL_OP_NO_SSLv3) &&
|
||||
(max_version >= SSL3_VERSION) &&
|
||||
(s->min_proto_version <= SSL3_VERSION)) {
|
||||
s->version = SSL3_VERSION;
|
||||
s->method = SSLv3_server_method();
|
||||
protverr = 0;
|
||||
@ -1254,8 +1267,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
}
|
||||
if (s->method->version == DTLS_ANY_VERSION) {
|
||||
/* Select version to use */
|
||||
if (s->client_version <= DTLS1_2_VERSION &&
|
||||
!(s->options & SSL_OP_NO_DTLSv1_2)) {
|
||||
int max_version = DTLS_MAX_VERSION;
|
||||
int min_version = DTLS_MIN_VERSION;
|
||||
|
||||
if (s->max_proto_version != 0)
|
||||
max_version = s->max_proto_version;
|
||||
if (s->min_proto_version != 0)
|
||||
min_version = s->min_proto_version;
|
||||
|
||||
if (DTLS_VERSION_GE(s->client_version, DTLS1_2_VERSION) &&
|
||||
!(s->options & SSL_OP_NO_DTLSv1_2) &&
|
||||
DTLS_VERSION_GE(max_version, DTLS1_2_VERSION) &&
|
||||
DTLS_VERSION_LE(min_version, DTLS1_2_VERSION)) {
|
||||
s->version = DTLS1_2_VERSION;
|
||||
s->method = DTLSv1_2_server_method();
|
||||
} else if (tls1_suiteb(s)) {
|
||||
@ -1264,8 +1287,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|
||||
s->version = s->client_version;
|
||||
al = SSL_AD_PROTOCOL_VERSION;
|
||||
goto f_err;
|
||||
} else if (s->client_version <= DTLS1_VERSION &&
|
||||
!(s->options & SSL_OP_NO_DTLSv1)) {
|
||||
} else if (DTLS_VERSION_GE(s->client_version, DTLS1_VERSION) &&
|
||||
!(s->options & SSL_OP_NO_DTLSv1) &&
|
||||
DTLS_VERSION_GE(max_version, DTLS1_VERSION) &&
|
||||
DTLS_VERSION_LE(min_version, DTLS1_VERSION)) {
|
||||
s->version = DTLS1_VERSION;
|
||||
s->method = DTLSv1_server_method();
|
||||
} else {
|
||||
|
||||
@ -11,8 +11,8 @@ use OpenSSL::Test::Utils;
|
||||
|
||||
setup("test_ssl");
|
||||
|
||||
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk) =
|
||||
disabled qw/rsa dsa dh ec srp psk/;
|
||||
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, $no_ssl3, $no_dtls) =
|
||||
disabled qw/rsa dsa dh ec srp psk ssl3 dtls/;
|
||||
|
||||
my $digest = "-sha1";
|
||||
my @reqcmd = ("openssl", "req");
|
||||
@ -55,7 +55,7 @@ my $P2intermediate="tmp_intP2.ss";
|
||||
plan tests =>
|
||||
1 # For testss
|
||||
+ 1 # For ssltest -test_cipherlist
|
||||
+ 8 # For the first testssl
|
||||
+ 9 # For the first testssl
|
||||
+ 16 # For the first testsslproxy
|
||||
+ 16 # For the second testsslproxy
|
||||
;
|
||||
@ -316,7 +316,7 @@ sub testssl {
|
||||
}
|
||||
|
||||
|
||||
# plan tests => 7;
|
||||
# plan tests => 9;
|
||||
|
||||
subtest 'standard SSL tests' => sub {
|
||||
######################################################################
|
||||
@ -567,6 +567,516 @@ sub testssl {
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
subtest 'Version min/max tests' => sub {
|
||||
|
||||
plan tests => 425;
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 76 if $no_ssl3;
|
||||
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
}
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 19 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "ssl3 disabled", 6 if $no_ssl3;
|
||||
ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"])));
|
||||
}
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-client_max_proto", "tls1", "-should_negotiate", "tls1"])));
|
||||
ok(run(test([@ssltest, "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"])));
|
||||
ok(run(test([@ssltest, "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"])));
|
||||
ok(run(test([@ssltest, "-should_negotiate", "tls1.2"])));
|
||||
|
||||
SKIP : {
|
||||
skip "dtls disabled", 64 if $no_dtls;
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "fail-client"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
|
||||
ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"])));
|
||||
ok(run(test([@ssltest, "-dtls", "-should_negotiate", "dtls1.2"])));
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
sub testsslproxy {
|
||||
|
||||
142
test/ssltest.c
142
test/ssltest.c
@ -367,6 +367,11 @@ static const char *alpn_client;
|
||||
static const char *alpn_server;
|
||||
static const char *alpn_expected;
|
||||
static unsigned char *alpn_selected;
|
||||
static const char *server_min_proto;
|
||||
static const char *server_max_proto;
|
||||
static const char *client_min_proto;
|
||||
static const char *client_max_proto;
|
||||
static const char *should_negotiate;
|
||||
|
||||
/*-
|
||||
* next_protos_parse parses a comma separated list of strings into a string
|
||||
@ -776,6 +781,7 @@ static void sv_usage(void)
|
||||
#endif
|
||||
fprintf(stderr, " -tls1 - use TLSv1\n");
|
||||
#ifndef OPENSSL_NO_DTLS
|
||||
fprintf(stderr, " -dtls - use DTLS\n");
|
||||
fprintf(stderr, " -dtls1 - use DTLSv1\n");
|
||||
fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
|
||||
#endif
|
||||
@ -818,6 +824,11 @@ static void sv_usage(void)
|
||||
fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
|
||||
fprintf(stderr,
|
||||
" -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
|
||||
fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
|
||||
fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
|
||||
fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
|
||||
fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
|
||||
fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
|
||||
}
|
||||
|
||||
static void print_key_details(BIO *out, EVP_PKEY *key)
|
||||
@ -942,13 +953,58 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* protocol_from_string - converts a protocol version string to a number
|
||||
*
|
||||
* Returns -1 on failure or the version on success
|
||||
*/
|
||||
static int protocol_from_string(const char *value)
|
||||
{
|
||||
struct protocol_versions {
|
||||
const char *name;
|
||||
int version;
|
||||
};
|
||||
static const struct protocol_versions versions[] = {
|
||||
{"ssl3", SSL3_VERSION},
|
||||
{"tls1", TLS1_VERSION},
|
||||
{"tls1.1", TLS1_1_VERSION},
|
||||
{"tls1.2", TLS1_2_VERSION},
|
||||
{"dtls1", DTLS1_VERSION},
|
||||
{"dtls1.2", DTLS1_2_VERSION}};
|
||||
size_t i;
|
||||
size_t n = OSSL_NELEM(versions);
|
||||
|
||||
for (i = 0; i < n; i++)
|
||||
if (strcmp(versions[i].name, value) == 0)
|
||||
return versions[i].version;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* set_protocol_version - Sets protocol version minimum or maximum
|
||||
*
|
||||
* Returns 0 on failure and 1 on success
|
||||
*/
|
||||
static int set_protocol_version(const char *version, SSL *ssl, int setting)
|
||||
{
|
||||
if (version != NULL) {
|
||||
int ver = protocol_from_string(version);
|
||||
if (ver < 0) {
|
||||
BIO_printf(bio_err, "Error parsing: %s\n", version);
|
||||
return 0;
|
||||
}
|
||||
return SSL_ctrl(ssl, setting, ver, NULL);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
char *CApath = NULL, *CAfile = NULL;
|
||||
int badop = 0;
|
||||
int bio_pair = 0;
|
||||
int force = 0;
|
||||
int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl3 = 0, ret = 1;
|
||||
int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
|
||||
int client_auth = 0;
|
||||
int server_auth = 0, i;
|
||||
struct app_verify_arg app_verify_arg =
|
||||
@ -1136,6 +1192,11 @@ int main(int argc, char *argv[])
|
||||
no_protocol = 1;
|
||||
#endif
|
||||
dtls12 = 1;
|
||||
} else if (strcmp(*argv, "-dtls") == 0) {
|
||||
#ifdef OPENSSL_NO_DTLS
|
||||
no_protocol = 1;
|
||||
#endif
|
||||
dtls = 1;
|
||||
} else if (strncmp(*argv, "-num", 4) == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
@ -1225,6 +1286,26 @@ int main(int argc, char *argv[])
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
alpn_expected = *(++argv);
|
||||
} else if (strcmp(*argv, "-server_min_proto") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
server_min_proto = *(++argv);
|
||||
} else if (strcmp(*argv, "-server_max_proto") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
server_max_proto = *(++argv);
|
||||
} else if (strcmp(*argv, "-client_min_proto") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
client_min_proto = *(++argv);
|
||||
} else if (strcmp(*argv, "-client_max_proto") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
client_max_proto = *(++argv);
|
||||
} else if (strcmp(*argv, "-should_negotiate") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
should_negotiate = *(++argv);
|
||||
} else {
|
||||
int rv;
|
||||
arg = argv[0];
|
||||
@ -1283,8 +1364,8 @@ int main(int argc, char *argv[])
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (ssl3 + tls1 + dtls1 + dtls12 > 1) {
|
||||
fprintf(stderr, "At most one of -ssl3, -tls1, -dtls1 or -dtls12 should "
|
||||
if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
|
||||
fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
|
||||
"be requested.\n");
|
||||
EXIT(1);
|
||||
}
|
||||
@ -1301,10 +1382,10 @@ int main(int argc, char *argv[])
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
|
||||
if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
|
||||
fprintf(stderr, "This case cannot work. Use -f to perform "
|
||||
"the test anyway (and\n-d to see what happens), "
|
||||
"or add one of -ssl3, -tls1, -dtls1, -dtls12, -reuse\n"
|
||||
"or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
|
||||
"to avoid protocol mismatch.\n");
|
||||
EXIT(1);
|
||||
}
|
||||
@ -1378,6 +1459,8 @@ int main(int argc, char *argv[])
|
||||
meth = DTLSv1_method();
|
||||
else if (dtls12)
|
||||
meth = DTLSv1_2_method();
|
||||
else if (dtls)
|
||||
meth = DTLS_method();
|
||||
else
|
||||
#endif
|
||||
if (tls1)
|
||||
@ -1659,6 +1742,15 @@ int main(int argc, char *argv[])
|
||||
c_ssl = SSL_new(c_ctx);
|
||||
s_ssl = SSL_new(s_ctx);
|
||||
|
||||
if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
|
||||
goto end;
|
||||
if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
|
||||
goto end;
|
||||
if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
|
||||
goto end;
|
||||
if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
|
||||
goto end;
|
||||
|
||||
BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
|
||||
for (i = 0; i < number; i++) {
|
||||
if (!reuse) {
|
||||
@ -1674,6 +1766,23 @@ int main(int argc, char *argv[])
|
||||
if (ret) break;
|
||||
}
|
||||
|
||||
if (should_negotiate && ret == 0 &&
|
||||
strcmp(should_negotiate, "fail-server") != 0 &&
|
||||
strcmp(should_negotiate, "fail-client") != 0) {
|
||||
int version = protocol_from_string(should_negotiate);
|
||||
if (version < 0) {
|
||||
BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
if (SSL_version(c_ssl) != version) {
|
||||
BIO_printf(bio_err, "Unxpected version negotiated. "
|
||||
"Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if (!verbose) {
|
||||
print_details(c_ssl, "");
|
||||
}
|
||||
@ -1696,6 +1805,7 @@ int main(int argc, char *argv[])
|
||||
#endif
|
||||
}
|
||||
|
||||
err:
|
||||
SSL_free(s_ssl);
|
||||
SSL_free(c_ssl);
|
||||
|
||||
@ -1728,6 +1838,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
|
||||
BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
|
||||
int ret = 1;
|
||||
int err_in_client = 0;
|
||||
int err_in_server = 0;
|
||||
|
||||
size_t bufsiz = 256; /* small buffer for testing */
|
||||
|
||||
@ -1820,6 +1932,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
if (r < 0) {
|
||||
if (!BIO_should_retry(c_ssl_bio)) {
|
||||
fprintf(stderr, "ERROR in CLIENT\n");
|
||||
err_in_client = 1;
|
||||
goto err;
|
||||
}
|
||||
/*
|
||||
@ -1845,6 +1958,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
if (r < 0) {
|
||||
if (!BIO_should_retry(c_ssl_bio)) {
|
||||
fprintf(stderr, "ERROR in CLIENT\n");
|
||||
err_in_client = 1;
|
||||
goto err;
|
||||
}
|
||||
/*
|
||||
@ -1897,6 +2011,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
if (r < 0) {
|
||||
if (!BIO_should_retry(s_ssl_bio)) {
|
||||
fprintf(stderr, "ERROR in SERVER\n");
|
||||
err_in_server = 1;
|
||||
goto err;
|
||||
}
|
||||
/* Ignore "BIO_should_retry". */
|
||||
@ -1917,6 +2032,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
if (r < 0) {
|
||||
if (!BIO_should_retry(s_ssl_bio)) {
|
||||
fprintf(stderr, "ERROR in SERVER\n");
|
||||
err_in_server = 1;
|
||||
goto err;
|
||||
}
|
||||
/* blah, blah */
|
||||
@ -2084,6 +2200,11 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
BIO_free(s_ssl_bio);
|
||||
BIO_free(c_ssl_bio);
|
||||
|
||||
if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
|
||||
ret = (err_in_client != 0) ? 0 : 1;
|
||||
else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
|
||||
ret = (err_in_server != 0) ? 0 : 1;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -2109,6 +2230,8 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
int c_write, s_write;
|
||||
int do_server = 0, do_client = 0;
|
||||
int max_frag = 5 * 1024;
|
||||
int err_in_client = 0;
|
||||
int err_in_server = 0;
|
||||
|
||||
bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
|
||||
|
||||
@ -2201,6 +2324,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
c_w = 1;
|
||||
} else {
|
||||
fprintf(stderr, "ERROR in CLIENT\n");
|
||||
err_in_client = 1;
|
||||
ERR_print_errors(bio_err);
|
||||
goto err;
|
||||
}
|
||||
@ -2229,6 +2353,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
c_w = 1;
|
||||
} else {
|
||||
fprintf(stderr, "ERROR in CLIENT\n");
|
||||
err_in_client = 1;
|
||||
ERR_print_errors(bio_err);
|
||||
goto err;
|
||||
}
|
||||
@ -2265,6 +2390,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
s_w = 1;
|
||||
} else {
|
||||
fprintf(stderr, "ERROR in SERVER\n");
|
||||
err_in_server = 1;
|
||||
ERR_print_errors(bio_err);
|
||||
goto err;
|
||||
}
|
||||
@ -2300,6 +2426,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
s_w = 1;
|
||||
} else {
|
||||
fprintf(stderr, "ERROR in SERVER\n");
|
||||
err_in_server = 1;
|
||||
ERR_print_errors(bio_err);
|
||||
goto err;
|
||||
}
|
||||
@ -2370,6 +2497,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
OPENSSL_free(cbuf);
|
||||
OPENSSL_free(sbuf);
|
||||
|
||||
if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
|
||||
ret = (err_in_client != 0) ? 0 : 1;
|
||||
else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
|
||||
ret = (err_in_server != 0) ? 0 : 1;
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user