Diffstat (limited to 'test/recipes/70-test_sslsigalgs.t')
-rw-r--r--test/recipes/70-test_sslsigalgs.t40
1 files changed, 21 insertions, 19 deletions
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index c9dbc9cc68..3548704138 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -138,32 +138,32 @@ SKIP: {
$proxy->filter(\&sigalgs_filter);
- #Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
- # security level 1
+ #Test 10: Sending no sig algs extension in TLSv1.2 will make it use
+ # SHA1, which is only supported at security level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=1");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
+ $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
- ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");
+ ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0");
#Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
- # level 2 since it will try to use SHA1. Testing client at level 1,
- # server level 2.
+ # level 1 since it will try to use SHA1. Testing client at level 0,
+ # server level 1.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
- $proxy->ciphers("DEFAULT:\@SECLEVEL=2");
+ $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0");
+ $proxy->ciphers("DEFAULT:\@SECLEVEL=1");
$proxy->start();
- ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");
+ ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1");
#Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
- # level 2 since it will try to use SHA1. Testing client at level 2,
- # server level 1.
+ # level 1 since it will try to use SHA1. Testing client at level 1,
+ # server level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=2");
- $proxy->ciphers("DEFAULT:\@SECLEVEL=1");
+ $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
+ $proxy->ciphers("DEFAULT:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");
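Review bot: The description on the last `ok(...)` of this hunk still reads "No TLSv1.2 sigalgs client seclevel 2", but the client in Test 12 now runs with `-cipher DEFAULT:\@SECLEVEL=1`, so the label no longer matches the configuration it reports on. Tests 10 and 11 had their labels updated in this same hunk; Test 12 should follow with `ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 1");`. A stale level in the label makes a failure report point at the wrong security-level boundary for SHA1. The enclosing SKIP block starts and ends outside the hunk.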
@@ -221,15 +221,16 @@ SKIP: {
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
$proxy->filter(\&sigalgs_filter);
- #Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
+ #Test 19: No sig algs extension, ECDSA cert, will use SHA1,
+ # TLSv1.2 should succeed at security level 0
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-no_tls1_3");
+ $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->serverflags("-cert " . srctop_file("test", "certs",
"server-ecdsa-cert.pem") .
" -key " . srctop_file("test", "certs",
"server-ecdsa-key.pem")),
- $proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
}
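Review bot: Test 19 now pins only the permissive case (ECDSA certificate, no sig algs extension, both sides at security level 0), and nothing visible here asserts that the same handshake is refused at level 1, as Tests 11 and 12 do for the RSA suite. A companion case with the server at level 1 would guard against the SHA1 fallback being accepted again for ECDSA. It is sketched below, not run, and the test plan count outside this hunk would need to grow by one. Separately, the `serverflags(...)` statement ends in `,` rather than `;`, so the modified `ciphers` call is chained to it by the comma operator. That is harmless but worth tidying while the line is being touched.

```perl
# … unchanged: Test 19 (ECDSA cert, no sig algs extension, security level 0) …

# Companion case: same handshake with the server at security level 1,
# where the SHA1 default is expected to be rejected.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
$proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->serverflags("-cert " . srctop_file("test", "certs",
                                           "server-ecdsa-cert.pem") .
                    " -key " . srctop_file("test", "certs",
                                           "server-ecdsa-key.pem"));
$proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs, ECDSA, server seclevel 1");
```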
@@ -245,7 +246,7 @@ SKIP: {
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
- "DSA/SHA2 sigalg sent for 1.3-only ClientHello");
+ "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
#Test 21: signature_algorithms with backwards compatible ClientHello
SKIP: {
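Review bot: The new description names only DSA and SHA1, but the assertion it labels also requires `$sha224_status` to be true. If that flag tracks SHA224 the way its name suggests (it is set in `modify_sigalgs_filter`, outside this hunk), the label should cover it too, for example `"DSA, SHA1 and SHA224 sigalgs not sent for 1.3-only ClientHello"`. Otherwise a failure caused by the SHA224 condition is reported under a message that does not mention it.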
@@ -253,10 +254,11 @@ SKIP: {
$testtype = COMPAT_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
+ $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
- "DSA sigalg not sent for compat ClientHello");
+ "backwards compatible sigalg sent for compat ClientHello");
}
}
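Review bot: The added `clientflags` line writes the cipher string as `AES128-SHA\@SECLEVEL=0`, with no `:` before `@SECLEVEL`, while every other cipher string in this commit separates the two (`DEFAULT:\@SECLEVEL=0`, `ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0`). The cipher-list parser may accept the fused form, but the explicit separator keeps the test from depending on that and matches the rest of the file: `$proxy->clientflags("-cipher AES128-SHA:\@SECLEVEL=0");`. A one-line comment above it saying why Test 21 needs level 0 would also help, presumably because the compat ClientHello must be allowed to offer the legacy sigalgs. The next reader should be able to tell that the lowered level is deliberate and scoped to this case.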