From 63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 9 Mar 2020 09:05:27 +0000
Subject: Revert "Stop accepting certificates signed using SHA1 at security
 level 1"

This reverts commit 68436f0a8964e911eb4f864bc8b31d7ca4d29585.

The OMC did not vote in favour of backporting this to 1.1.1, so this
change should be reverted.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11282)
---
 test/recipes/25-test_verify.t | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'test')

diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 5e5bc9ef1e..b80a1cde3e 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -336,14 +336,14 @@ ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cer
 ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
    "Name constraints nested DNS name excluded");
 
-ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
-    "Accept PSS signature using SHA1 at auth level 0");
+ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
+    "Certificate PSS signature using SHA1");
 
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
-    "Reject PSS signature using SHA1 and auth level 1");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+    "Reject PSS signature using SHA1 and auth level 2");
 
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
-- 
cgit v1.2.3