diff options
author | Pauli <pauli@openssl.org> | 2022-05-04 13:01:35 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-11-21 10:49:51 +0100 |
commit | a8b6c9f83ce49b6192137c7600532441db885e19 (patch) | |
tree | 56b9f7d26c6c930dc16063c33e72ef2a424c5bda /test | |
parent | 4a929c7c5cb06dcf1952691ee8732007cc1a41d4 (diff) |
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
This is in line with the NEWS entry (erroneously) announcing such for 3.0.
Fixes #18194
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)
(cherry picked from commit 7bf2e4d7f0c7ae19b7a8c416910886a7171e9820)
Diffstat (limited to 'test')
-rw-r--r-- | test/bad_dtls_test.c | 1 | ||||
-rw-r--r-- | test/recipes/80-test_ssl_old.t | 54 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf | 4 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf.in | 7 |
4 files changed, 55 insertions, 11 deletions
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c index e6ee1ea09f..7b50ee0545 100644 --- a/test/bad_dtls_test.c +++ b/test/bad_dtls_test.c @@ -499,6 +499,7 @@ static int test_bad_dtls(void) || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))) goto end; + SSL_CTX_set_security_level(ctx, 0); con = SSL_new(ctx); if (!TEST_ptr(con) || !TEST_true(SSL_set_session(con, sess))) diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 8c52b637fc..50b74a1e29 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -78,9 +78,10 @@ my $client_sess="client.ss"; # If you're adding tests here, you probably want to convert them to the # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => - ($no_fips ? 0 : 5) # testssl with fips provider + ($no_fips ? 0 : 6) # testssl with fips provider + 1 # For testss + 5 # For the testssl with default provider + + 1 # For security level 0 failure tests ; subtest 'test_ss' => sub { @@ -345,7 +346,6 @@ sub testssl { $dsa_cert = 1; } - subtest 'standard SSL tests' => sub { ###################################################################### plan tests => 19; @@ -527,6 +527,44 @@ sub testssl { } }; + subtest 'SSL security level failure tests' => sub { + ###################################################################### + plan tests => 3; + + SKIP: { + skip "SSLv3 is not supported by this OpenSSL build", 1 + if disabled("ssl3"); + + skip "SSLv3 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])), + 0, "test sslv3 fails at security level 1, expecting failure"); + } + + SKIP: { + skip "TLSv1.0 is not supported by this OpenSSL build", 1 + if $no_tls1; + + skip "TLSv1.0 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])), + 0, 'test tls1 fails at security level 1, expecting failure'); + } + + SKIP: { + skip "TLSv1.1 is not supported by this OpenSSL build", 1 + if $no_tls1_1; + + skip "TLSv1.1 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])), + 0, 'test tls1.1 fails at security level 1, expecting failure'); + } + }; + subtest 'RSA/(EC)DHE/PSK tests' => sub { ###################################################################### @@ -579,14 +617,14 @@ sub testssl { } SKIP: { - skip "TLSv1.1 is not supported by this OpenSSL build", 4 - if $no_tls1_1; + skip "TLSv1.2 is not supported by this OpenSSL build", 4 + if $no_tls1_2; SKIP: { skip "skipping auto DHE PSK test at SECLEVEL 3", 1 if ($no_dh || $no_psk); - ok(run(test(['ssl_old_test', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), + ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), 'test auto DHE PSK meets security strength'); } @@ -594,7 +632,7 @@ sub testssl { skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 if ($no_ec || $no_psk); - ok(run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), + ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), 'test auto ECDHE PSK meets security strength'); } @@ -602,7 +640,7 @@ sub testssl { skip "skipping no RSA PSK at SECLEVEL 3 test", 1 if ($no_rsa || $no_psk); - ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), + ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); } @@ -610,7 +648,7 @@ sub testssl { skip "skipping no PSK at SECLEVEL 3 test", 1 if ($no_psk); - ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), + ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), 'test auto PSK does not meet security level 3 requirements (PFS)'); } } diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index 79dcd4c8f4..819c72b5a8 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf @@ -1119,11 +1119,11 @@ client = 34-Only RSA-PSS Certificate, TLS v1.1-client [34-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem [34-Only RSA-PSS Certificate, TLS v1.1-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index 30cde592c6..f0bc80886d 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -585,9 +585,14 @@ my @tests_pss = ( my @tests_tls_1_1 = ( { name => "Only RSA-PSS Certificate, TLS v1.1", - server => $server_pss_only, + server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "Certificate" => test_pem("server-pss-cert.pem"), + "PrivateKey" => test_pem("server-pss-key.pem"), + }, client => { "MaxProtocol" => "TLSv1.1", + "CipherString" => "DEFAULT:\@SECLEVEL=0", }, test => { "ExpectedResult" => "ServerFail" |