diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2023-07-02 17:21:34 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2023-07-02 17:21:34 +0000 |
| commit | 4fd9808494c2101f7ad6f8d4e93f9187c9ce65da (patch) | |
| tree | 1e2b6d43586085986ffe3b8f8b36d896cfa449b9 /regress/lib/libssl/ssl | |
| parent | 8ebb60ea0474963d819d9e9d025bf29f3b258fde (diff) | |
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since past, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled util jsing fixes them.
ok jsing@ tb@
Diffstat (limited to 'regress/lib/libssl/ssl')
| -rw-r--r-- | regress/lib/libssl/ssl/ssltest.c | 16 | ||||
| -rw-r--r-- | regress/lib/libssl/ssl/testssl | 36 |
2 files changed, 25 insertions, 27 deletions
diff --git a/regress/lib/libssl/ssl/ssltest.c b/regress/lib/libssl/ssl/ssltest.c index b4b10446e6c..6b8e2430735 100644 --- a/regress/lib/libssl/ssl/ssltest.c +++ b/regress/lib/libssl/ssl/ssltest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */ +/* $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -336,7 +336,7 @@ sv_usage(void) fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n"); fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); - fprintf(stderr, " -dtls1 - use DTLSv1\n"); + fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n"); fprintf(stderr, " -tls1 - use TLSv1\n"); fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); @@ -409,7 +409,7 @@ main(int argc, char *argv[]) int badop = 0; int bio_pair = 0; int force = 0; - int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1; + int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; char *app_verify_arg = "Test Callback Argument"; @@ -464,8 +464,8 @@ main(int argc, char *argv[]) no_dhe = 1; else if (strcmp(*argv, "-no_ecdhe") == 0) no_ecdhe = 1; - else if (strcmp(*argv, "-dtls1") == 0) - dtls1 = 1; + else if (strcmp(*argv, "-dtls1_2") == 0) + dtls1_2 = 1; else if (strcmp(*argv, "-tls1") == 0) tls1 = 1; else if (strcmp(*argv, "-tls1_2") == 0) @@ -565,7 +565,7 @@ bad: goto end; } - if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { + if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " @@ -588,8 +588,8 @@ bad: SSL_library_init(); SSL_load_error_strings(); - if (dtls1) - meth = DTLSv1_method(); + if (dtls1_2) + meth = DTLSv1_2_method(); else if (tls1) meth = TLSv1_method(); else if (tls1_2) diff --git a/regress/lib/libssl/ssl/testssl b/regress/lib/libssl/ssl/testssl index 43efaa6460a..70db1752b76 100644 --- a/regress/lib/libssl/ssl/testssl +++ b/regress/lib/libssl/ssl/testssl @@ -95,8 +95,7 @@ done if $openssl no-dh; then echo skipping anonymous DH tests else - echo test tls1 with 1024bit anonymous DH, multiple handshakes - $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 + echo skipping tls1 tests. fi #if $openssl no-rsa; then @@ -117,17 +116,16 @@ fi # DTLS tests # -echo test dtlsv1 -$ssltest -dtls1 $extra || exit 1 +$ssltest -dtls1_2 $extra || exit 1 -echo test dtlsv1 with server authentication -$ssltest -dtls1 -server_auth $CA $extra || exit 1 +echo test dtlsv1_2 with server authentication +$ssltest -dtls1_2 -server_auth $CA $extra || exit 1 -echo test dtlsv1 with client authentication -$ssltest -dtls1 -client_auth $CA $extra || exit 1 +echo test dtlsv1_2 with client authentication +$ssltest -dtls1_2 -client_auth $CA $extra || exit 1 -echo test dtlsv1 with both client and server authentication -$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1 +echo test dtlsv1_2 with both client and server authentication +$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1 echo "Testing DTLS ciphersuites" for protocol in SSLv3; do @@ -136,7 +134,7 @@ for protocol in SSLv3; do awk "/ $protocol / { print \\$1 }" | grep -v RC4`; do echo "Testing $cipher" - $ssltest -cipher $cipher -dtls1 + $ssltest -cipher $cipher -dtls1_2 if [ $? -ne 0 ] ; then echo "Failed $cipher" exit 1 @@ -148,17 +146,17 @@ done # ALPN tests # echo "Testing ALPN..." -$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \ +$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1 +$ssltest -bio_pair -alpn_client foo -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \ +$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \ -alpn_expected foo || exit 1 -$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \ +$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \ -alpn_expected bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \ +$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \ -alpn_expected bar || exit 1 -$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1 +$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1 |