-rw-r--r-- | CHANGES.md | 8 | ||||
-rw-r--r-- | NEWS.md | 1 | ||||
-rw-r--r-- | ssl/t1_lib.c | 18 | ||||
-rw-r--r-- | test/recipes/70-test_renegotiation.t | 3 | ||||
-rw-r--r-- | test/recipes/70-test_sslextension.t | 1 | ||||
-rw-r--r-- | test/recipes/70-test_sslrecords.t | 13 | ||||
-rw-r--r-- | test/recipes/70-test_sslsigalgs.t | 40 | ||||
-rw-r--r-- | test/recipes/70-test_sslversions.t | 2 | ||||
-rw-r--r-- | test/recipes/70-test_tls13downgrade.t | 1 | ||||
-rw-r--r-- | test/ssl-tests/02-protocol-version.cnf | 2704 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.cnf | 144 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.cnf.in | 12 | ||||
-rw-r--r-- | test/ssl-tests/05-sni.cnf | 4 | ||||
-rw-r--r-- | test/ssl-tests/05-sni.cnf.in | 2 | ||||
-rw-r--r-- | test/ssl-tests/07-dtls-protocol-version.cnf | 256 | ||||
-rw-r--r-- | test/ssl-tests/10-resumption.cnf | 384 | ||||
-rw-r--r-- | test/ssl-tests/11-dtls_resumption.cnf | 96 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf | 8 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf.in | 25 | ||||
-rw-r--r-- | test/ssl-tests/protocol_version.pm | 11 | ||||
-rw-r--r-- | test/sslapitest.c | 4 |
21 files changed, 1915 insertions, 1822 deletions
diff --git a/CHANGES.md b/CHANGES.md index 982e677fcc..8f8ee33415 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -119,6 +119,14 @@ OpenSSL 3.0 *Paul Dale* + * The security strength of SHA1 and MD5 based signatures in TLS has been + reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer + working at the default security level of 1 and instead requires security + level 0. The security level can be changed either using the cipher string + with @SECLEVEL, or calling SSL_CTX_set_security_level(). + + *Kurt Roeckx* + * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side internal keys, if they correspond to one of those built in types. @@ -63,6 +63,7 @@ OpenSSL 3.0 RC4, RC5 and SEED cipher functions have been deprecated. * All of the low level DH, DSA, ECDH, ECDSA and RSA public key functions have been deprecated. + * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0. OpenSSL 1.1.1 ------------- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b2752cd03d..c9097fcc44 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
@@ -1413,8 +1413,26 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) return 0; if (md != NULL) { + int md_type = EVP_MD_type(md); + /* Security bits: half digest bits */ secbits = EVP_MD_size(md) * 4; + /* + * SHA1 and MD5 are known to be broken. Reduce security bits so that + * they're no longer accepted at security level 1. The real values don't + * really matter as long as they're lower than 80, which is our + * security level 1. + * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for + * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 + * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf + * puts a chosen-prefix attack for MD5 at 2^39. + */ + if (md_type == NID_sha1) + secbits = 64; + else if (md_type == NID_md5_sha1) + secbits = 67; + else if (md_type == NID_md5) + secbits = 39; } else { /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ if (lu->sigalg == TLSEXT_SIGALG_ed25519) diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t index 6b11d36932..8cf3e4f54b 100644 --- a/test/recipes/70-test_renegotiation.t +++ b/test/recipes/70-test_renegotiation.t @@ -56,7 +56,8 @@ SKIP: { # handshake $proxy->clear(); $proxy->filter(undef); - $proxy->clientflags("-no_tls1_3"); + $proxy->ciphers("DEFAULT:\@SECLEVEL=0"); + $proxy->clientflags("-no_tls1_3 -cipher AES128-SHA:\@SECLEVEL=0"); $proxy->serverflags("-no_tls1_3 -no_tls1_2"); $proxy->reneg(1); $proxy->start(); diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index f60e352a3c..468025ba0a 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -206,6 +206,7 @@ SKIP: { #Test 3: Sending a zero length extension block should pass $proxy->clear(); $proxy->filter(\&extension_filter); + $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success, "Zero extension length test"); 
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index b0ad026110..395b7e0619 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -82,11 +82,17 @@ use constant { FRAGMENTED_IN_SSLV2 => 3, ALERT_BEFORE_SSLV2 => 4 }; + +# The TLSv1.2 in SSLv2 ClientHello need to run at security level 0 +# because in a SSLv2 ClientHello we can't send extentions to indicate +# which signature algorithm we want to use, and the default is SHA1. + #Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello my $sslv2testtype = TLSV1_2_IN_SSLV2; $proxy->clear(); $proxy->filter(\&add_sslv2_filter); $proxy->serverflags("-tls1_2"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); @@ -96,6 +102,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); $sslv2testtype = SSLV2_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); @@ -105,6 +112,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); $sslv2testtype = FRAGMENTED_IN_TLSV1_2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); @@ -113,6 +121,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); $sslv2testtype = FRAGMENTED_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); 
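Review bot: The comment added above Test 5 in test/recipes/70-test_sslrecords.t explains the security-level-0 override only for the TLSv1.2-in-SSLv2 ClientHello case, yet the same `$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");` line is added to the tests that follow it (the hunks at -96, -105 and -113 here, and -121 and -140 further down). A reader cannot tell from the comment whether those overrides are needed for the same reason, which matters for the tests that expect a failure: they should fail because of the record format, not because of a security-level rejection. I would state which tests the comment covers and fix the wording, e.g. `# The TLSv1.2 in SSLv2 ClientHello test needs to run at security level 0` and `extensions` in place of `extentions`.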
@@ -121,6 +130,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); $sslv2testtype = ALERT_BEFORE_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); @@ -140,7 +150,8 @@ SKIP: { #Test 11: Sending an unrecognised record type in TLS1.1 should fail $fatal_alert = 0; $proxy->clear(); - $proxy->clientflags("-tls1_1"); + $proxy->clientflags("-tls1_1 -cipher DEFAULT:\@SECLEVEL=0"); + $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok($fatal_alert, "Unrecognised record type in TLS1.1"); } diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index c9dbc9cc68..3548704138 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t 
@@ -138,32 +138,32 @@ SKIP: { $proxy->filter(\&sigalgs_filter); - #Test 10: Sending no sig algs extension in TLSv1.2 should succeed at - # security level 1 + #Test 10: Sending no sig algs extension in TLSv1.2 will make it use + # SHA1, which is only supported at security level 0. $proxy->clear(); $testtype = NO_SIG_ALGS_EXT; - $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=1"); - $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1"); + $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); + $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0"); $proxy->start(); - ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1"); + ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0"); #Test 11: Sending no sig algs extension in TLSv1.2 should fail at security - # level 2 since it will try to use SHA1. Testing client at level 1, - # server level 2. + # level 1 since it will try to use SHA1. Testing client at level 0, + # server level 1. $proxy->clear(); $testtype = NO_SIG_ALGS_EXT; - $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1"); - $proxy->ciphers("DEFAULT:\@SECLEVEL=2"); + $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0"); + $proxy->ciphers("DEFAULT:\@SECLEVEL=1"); $proxy->start(); - ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2"); + ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1"); #Test 12: Sending no sig algs extension in TLSv1.2 should fail at security - # level 2 since it will try to use SHA1. Testing client at level 2, - # server level 1. + # level 1 since it will try to use SHA1. Testing client at level 1, + # server level 0. $proxy->clear(); $testtype = NO_SIG_ALGS_EXT; - $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=2"); - $proxy->ciphers("DEFAULT:\@SECLEVEL=1"); + $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1"); + $proxy->ciphers("DEFAULT:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2"); 
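Review bot: The description of Test 12 in test/recipes/70-test_sslsigalgs.t is left stale: the comment and flags now put the client at `@SECLEVEL=1` and the server at `@SECLEVEL=0`, but the assertion still reports "No TLSv1.2 sigalgs client seclevel 2". Tests 10 and 11 had their descriptions updated in this same hunk, so this one looks like an oversight, and it will mislead anyone reading a failing TAP log. Suggested line: `ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 1");`. The enclosing SKIP block starts and ends outside the hunk.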
@@ -221,15 +221,16 @@ SKIP: { ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs"); $proxy->filter(\&sigalgs_filter); - #Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed + #Test 19: No sig algs extension, ECDSA cert, will use SHA1, + # TLSv1.2 should succeed at security level 0 $proxy->clear(); $testtype = NO_SIG_ALGS_EXT; - $proxy->clientflags("-no_tls1_3"); + $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); $proxy->serverflags("-cert " . srctop_file("test", "certs", "server-ecdsa-cert.pem") . " -key " . srctop_file("test", "certs", "server-ecdsa-key.pem")), - $proxy->ciphers("ECDHE-ECDSA-AES128-SHA"); + $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA"); } @@ -245,7 +246,7 @@ SKIP: { $proxy->filter(\&modify_sigalgs_filter); $proxy->start(); ok($dsa_status && $sha1_status && $sha224_status, - "DSA/SHA2 sigalg sent for 1.3-only ClientHello"); + "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello"); #Test 21: signature_algorithms with backwards compatible ClientHello SKIP: { @@ -253,10 +254,11 @@ SKIP: { $testtype = COMPAT_SIGALGS; $dsa_status = $sha1_status = $sha224_status = 0; $proxy->clear(); + $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0"); $proxy->filter(\&modify_sigalgs_filter); $proxy->start(); ok($dsa_status && $sha1_status && $sha224_status, - "DSA sigalg not sent for compat ClientHello"); + "backwards compatible sigalg sent for compat ClientHello"); } } diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t index f3cc71215d..864f4f5283 100644 --- a/test/recipes/70-test_sslversions.t +++ b/test/recipes/70-test_sslversions.t 
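Review bot: In the Test 21 hunk (-253,10) the added `$proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");` has no `:` between the cipher name and `@SECLEVEL=0`, unlike every other cipher string this commit adds (`AES128-SHA:\@SECLEVEL=0`). Without the separator the string is probably not read as a cipher followed by a security-level directive, so the client may run this test with a different cipher list or level than intended, and the test could pass or fail for the wrong reason. Suggested line: `$proxy->clientflags("-cipher AES128-SHA:\@SECLEVEL=0");`. Separately, the new Test 20 description in the -245,7 hunk names DSA and SHA1 but the assertion also checks `$sha224_status`.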
@@ -95,6 +95,8 @@ ok(TLSProxy::Message->success() #Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but #TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed $proxy->clear(); +$proxy->clientflags("-cipher DEFAULT:\@SECLEVEL=0"); +$proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $testtype = TLS1_1_AND_1_0_ONLY; $proxy->start(); $record = pop @{$proxy->record_list}; diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index 5de90657f9..e3b7ce8361 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -79,6 +79,7 @@ SKIP: { $proxy->clear(); $proxy->filter(undef); $proxy->clientflags("-no_tls1_2"); + $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole"); diff --git a/test/ssl-tests/02-protocol-version.cnf b/test/ssl-tests/02-protocol-version.cnf index 4b7d7df218..ef5e994277 100644 --- a/test/ssl-tests/02-protocol-version.cnf +++ b/test/ssl-tests/02-protocol-version.cnf @@ -691,12 +691,12 @@ client = 0-version-negotiation-client [0-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -716,12 +716,12 @@ client = 1-version-negotiation-client [1-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -741,12 +741,12 @@ client = 2-version-negotiation-client [2-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -766,12 +766,12 @@ client = 3-version-negotiation-client [3-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -791,12 +791,12 @@ client = 4-version-negotiation-client [4-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -816,11 +816,11 @@ client = 5-version-negotiation-client [5-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -840,13 +840,13 @@ client = 6-version-negotiation-client [6-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [6-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -866,13 +866,13 @@ client = 7-version-negotiation-client [7-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [7-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -892,13 +892,13 @@ client = 8-version-negotiation-client [8-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [8-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -918,13 +918,13 @@ client = 9-version-negotiation-client [9-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [9-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -944,13 +944,13 @@ client = 10-version-negotiation-client [10-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [10-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -970,12 +970,12 @@ client = 11-version-negotiation-client [11-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [11-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -995,13 +995,13 @@ client = 12-version-negotiation-client [12-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [12-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1021,13 +1021,13 @@ client = 13-version-negotiation-client [13-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [13-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1047,13 +1047,13 @@ client = 14-version-negotiation-client [14-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1073,13 +1073,13 @@ client = 15-version-negotiation-client [15-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1099,12 +1099,12 @@ client = 16-version-negotiation-client [16-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1124,13 +1124,13 @@ client = 17-version-negotiation-client [17-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1150,13 +1150,13 @@ client = 18-version-negotiation-client [18-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1176,13 +1176,13 @@ client = 19-version-negotiation-client [19-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1202,12 +1202,12 @@ client = 20-version-negotiation-client [20-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [20-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1227,13 +1227,13 @@ client = 21-version-negotiation-client [21-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [21-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1253,13 +1253,13 @@ client = 22-version-negotiation-client [22-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [22-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1279,12 +1279,12 @@ client = 23-version-negotiation-client [23-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [23-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1304,13 +1304,13 @@ client = 24-version-negotiation-client [24-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [24-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1330,12 +1330,12 @@ client = 25-version-negotiation-client [25-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [25-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1355,12 +1355,12 @@ client = 26-version-negotiation-client [26-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [26-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1380,12 +1380,12 @@ client = 27-version-negotiation-client [27-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [27-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1406,12 +1406,12 @@ client = 28-version-negotiation-client [28-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [28-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1432,12 +1432,12 @@ client = 29-version-negotiation-client [29-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [29-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1458,12 +1458,12 @@ client = 30-version-negotiation-client [30-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [30-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1484,11 +1484,11 @@ client = 31-version-negotiation-client [31-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [31-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1509,13 +1509,13 @@ client = 32-version-negotiation-client [32-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = SSLv3 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [32-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1535,13 +1535,13 @@ client = 33-version-negotiation-client [33-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [33-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -1562,13 +1562,13 @@ client = 34-version-negotiation-client [34-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [34-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1589,13 +1589,13 @@ client = 35-version-negotiation-client [35-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [35-version-negotiation-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1616,13 +1616,13 @@ client = 36-version-negotiation-client [36-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.3 MinProtocol = SSLv3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem |