diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5243ceb138..ceb31af399 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2047,64 +2047,6 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" -# GnuTLS can be setup to send a ClientHello containing a supported versions -# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case, -# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and -# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS -# client then detects the downgrade indication and aborts the handshake even -# if TLS 1.2 was its preferred version. Keeping the test even if the -# handshake fails eventually as it exercices parts of the Mbed TLS -# implementation that are otherwise not exercised. -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2 over TLS 1.3" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ - 1 \ - -c "Detected downgrade to TLS 1.2 from TLS 1.3" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ - 0 \ - -s "Protocol is TLSv1.2" \ - -c "HTTP/1.0 200 OK" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \ - 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \ - 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" - requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "TLS client auth: required" \ "$P_SRV auth_mode=required" \ @@ -6929,36 +6871,456 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ 0 \ -c "Read from server: .* bytes read" -# Tests for version negotiation +# Tests for version negotiation, MbedTLS client and server -run_test "Version check: all -> 1.2" \ +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \ "$P_SRV" \ - "$P_CLI force_version=tls12" \ + "$P_CLI" \ 0 \ -S "mbedtls_ssl_handshake returned" \ -C "mbedtls_ssl_handshake returned" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: cli TLS 1.0" \ +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$P_CLI max_version=tls12" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$P_CLI min_version=tls13" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ + "$P_SRV" \ + "$P_CLI max_version=tls12" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI min_version=tls13" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$P_CLI max_version=tls12" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" \ + -C "Protocol is TLSv1.2" \ + -S "Protocol is TLSv1.3" \ + -C "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$P_CLI min_version=tls13" \ + 1 \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.2" \ + -C "Protocol is TLSv1.2" \ + -S "Protocol is TLSv1.3" \ + -C "Protocol is TLSv1.3" + +# Tests of version negotiation on server side against GnuTLS client + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \ + "$P_SRV" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_gnutls_next_disable_tls13_compat +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +# GnuTLS can be setup to send a ClientHello containing a supported versions +# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case, +# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and +# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS +# client then detects the downgrade indication and aborts the handshake even +# if TLS 1.2 was its preferred version. Keeping the test even if the +# handshake fails eventually as it exercices parts of the Mbed TLS +# implementation that are otherwise not exercised. +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ + 1 \ + -c "Detected downgrade to TLS 1.2 from TLS 1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \ 1 \ -s "Handshake protocol not within min/max boundaries" \ - -c "Error in protocol version" \ - -S "Protocol is TLSv1.0" \ - -C "Handshake was completed" + -S "Protocol is TLSv1.0" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: cli TLS 1.1" \ +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \ 1 \ -s "Handshake protocol not within min/max boundaries" \ - -c "Error in protocol version" \ - -S "Protocol is TLSv1.1" \ - -C "Handshake was completed" + -S "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Not supported version check G->m: 1.2 / 1.3" \ + "$P_SRV" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.3 / 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +# Tests of version negotiation on server side against OpenSSL client + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI -tls1_2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI -tls1_3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Server version nego check O->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -no_middlebox" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \ + "$P_SRV" \ + "$O_CLI -tls1" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \ + "$P_SRV" \ + "$O_CLI -tls1_1" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Not supported version check O->m: 1.2 / 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.3 / 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI -tls1_2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI -tls1_3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +# Tests of version negotiation on client side against GnuTLS and OpenSSL server requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Not supported version check: srv max TLS 1.0" \ @@ -6980,6 +7342,88 @@ run_test "Not supported version check: srv max TLS 1.1" \ -S "Version: TLS1.1" \ -C "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.0" \ + -C "Protocol is TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.1" \ + -C "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ + "$P_CLI force_version=tls13 debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -c "is a fatal alert message (msg 40)" \ + -S "Version: TLS1.2" \ + -C "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ + "$O_NEXT_SRV -msg -tls1" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.0" \ + -C "Protocol : TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ + "$O_NEXT_SRV -msg -tls1_1" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.1" \ + -C "Protocol : TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ + "$O_NEXT_SRV -msg -tls1_2" \ + "$P_CLI force_version=tls13 debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.2" \ + -C "Protocol : TLSv1.2" + # Tests for ALPN extension requires_key_exchange_with_cert_in_tls12_or_tls13_enabled @@ -11866,103 +12310,6 @@ run_test "TLS 1.3: server alpn - gnutls" \ -s "HTTP/1.0 200 OK" \ -s "Application Layer Protocol is h2" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -S "Version: TLS1.0" \ - -C "Protocol is TLSv1.0" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -S "Version: TLS1.1" \ - -C "Protocol is TLSv1.1" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ - "$P_CLI force_version=tls13 debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -c "is a fatal alert message (msg 40)" \ - -S "Version: TLS1.2" \ - -C "Protocol is TLSv1.2" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ - "$O_NEXT_SRV -msg -tls1" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.0" \ - -C "Protocol : TLSv1.0" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ - "$O_NEXT_SRV -msg -tls1_1" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.1" \ - -C "Protocol : TLSv1.1" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ - "$O_NEXT_SRV -msg -tls1_2" \ - "$P_CLI force_version=tls13 debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.2" \ - -C "Protocol : TLSv1.2" - -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \ - "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \ - "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \ - 1 \ - -c "The SSL configuration is tls12 only" \ - -c "supported_versions(43) extension does not exist." \ - -c "A fatal alert message was received from our peer" \ - -s "The SSL configuration is tls13 only" \ - -s "TLS 1.2 not supported." - requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C