diff options
| author | Richard Levitte <levitte@openssl.org> | 2016-12-25 17:56:52 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2016-12-29 15:42:22 +0100 |
| commit | 7638e378465433ecfc4333ef3033e59c77cb0006 (patch) | |
| tree | bb434e5f0656848c7d010c4b03b5b7dab94b48c6 /test | |
| parent | f6e752c0ac2e1ba8bcecc27bc54e30b895e0a1d3 (diff) | |
70-test_sslvertol.t: Make sure to check a max TLS version that matches configuration
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2144)
Diffstat (limited to 'test')
| -rwxr-xr-x | test/recipes/70-test_sslvertol.t | 66 |
1 files changed, 55 insertions, 11 deletions
diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t index 108166f33e..272b825930 100755 --- a/test/recipes/70-test_sslvertol.t +++ b/test/recipes/70-test_sslvertol.t @@ -34,33 +34,64 @@ my $proxy = TLSProxy::Proxy->new( (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); +my @available_tls_versions = (); +foreach (available_protocols("tls")) { + unless (disabled($_)) { + note("Checking enabled protocol $_"); + m|^([a-z]+)(\d)(_\d)?|; + my $versionname; + if (defined $3) { + $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.$3; + note("'$1', '$2', '$3' => $versionname"); + } else { + $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.'_0'; + note("'$1', '$2' => $versionname"); + } + push @available_tls_versions, eval $versionname; + } +} +note("TLS versions we can expect: ", join(", ", @available_tls_versions)); + #This file does tests without the supported_versions extension. #See 70-test_sslversions.t for tests with supported versions. -#Test 1: Asking for TLS1.4 should pass and negotiate TLS1.2 +#Test 1: Asking for TLS1.4 should pass and negotiate the maximum +#available TLS version according to configuration below TLS1.3 my $client_version = TLSProxy::Record::VERS_TLS_1_4; $proxy->clientflags("-no_tls1_3"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 3; my $record = pop @{$proxy->record_list}; -ok(TLSProxy::Message->success() - && $record->version() == TLSProxy::Record::VERS_TLS_1_2, - "Version tolerance test, TLS 1.4"); +ok((note("Record version received: ". + (defined $record ? $record->version() : "none")), + TLSProxy::Message->success()) + && $record->version() == tls_version_below(TLSProxy::Record::VERS_TLS_1_3), + "Version tolerance test, below TLS 1.4 and not TLS 1.3"); -#Test 2: Asking for TLS1.3 should succeed and negotiate TLS1.2 +#Test 2: Asking for TLS1.3 with that disabled should succeed and negotiate +#the highest configured TLS version below that. +$client_version = TLSProxy::Record::VERS_TLS_1_3; $proxy->clear(); $proxy->clientflags("-no_tls1_3"); $proxy->start(); $record = pop @{$proxy->record_list}; -ok(TLSProxy::Message->success() - && $record->version() == TLSProxy::Record::VERS_TLS_1_2, - "Version tolerance test, TLS 1.3"); +ok((note("Record version received: ". + (defined $record ? $record->version() : "none")), + TLSProxy::Message->success()) + && $record->version() == tls_version_below(TLSProxy::Record::VERS_TLS_1_3), + "Version tolerance test, max version but not TLS 1.3"); -#Test 3: Testing something below SSLv3 should fail +#Test 3: Testing something below SSLv3 should fail. We must disable TLS 1.3 +#to avoid having the 'supported_versions' extension kick in and override our +#desires. $client_version = TLSProxy::Record::VERS_SSL_3_0 - 1; $proxy->clear(); $proxy->clientflags("-no_tls1_3"); $proxy->start(); -ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0"); +$record = pop @{$proxy->record_list}; +ok((note("Record version received: ". + (defined $record ? $record->version() : "none")), + TLSProxy::Message->fail()), + "Version tolerance test, SSL < 3.0"); sub vers_tolerance_filter { @@ -74,10 +105,23 @@ sub vers_tolerance_filter foreach my $message (@{$proxy->message_list}) { if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { #Set the client version - #Anything above the max supported version (TLS1.2) should succeed + #Anything above the max supported version should succeed #Anything below SSLv3 should fail $message->client_version($client_version); $message->repack(); } } } + +sub tls_version_below { + if (@_) { + my $term = shift; + my $res = undef; + + foreach (@available_tls_versions) { + $res = $_ if $_ < $term; + } + return $res; + } + return $available_tls_versions[-1]; +} |