From cd1370e8d857e6d170c69d59b7872624ac646a87 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 12 Mar 2024 16:07:48 +0100 Subject: [PATCH 1/8] ssl-opt.sh: Group G->m server version selection checks Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 118 ++++++++++++++++++++++++----------------------- 1 file changed, 60 insertions(+), 58 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fd2fc0a1b1..8ca2312593 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2047,64 +2047,6 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" -# GnuTLS can be setup to send a ClientHello containing a supported versions -# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case, -# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and -# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS -# client then detects the downgrade indication and aborts the handshake even -# if TLS 1.2 was its preferred version. Keeping the test even if the -# handshake fails eventually as it exercices parts of the Mbed TLS -# implementation that are otherwise not exercised. -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2 over TLS 1.3" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ - 1 \ - -c "Detected downgrade to TLS 1.2 from TLS 1.3" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ - 0 \ - -s "Protocol is TLSv1.2" \ - -c "HTTP/1.0 200 OK" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \ - 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \ - 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" - requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "TLS client auth: required" \ "$P_SRV auth_mode=required" \ @@ -6940,6 +6882,66 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" +# Tests of version negotiation on server side against GnuTLS client + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Server selecting TLS 1.2" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ + 0 \ + -s "Protocol is TLSv1.2" \ + -c "HTTP/1.0 200 OK" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \ + 0 \ + -s "Protocol is TLSv1.3" \ + -c "HTTP/1.0 200 OK" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \ + 0 \ + -s "Protocol is TLSv1.3" \ + -c "HTTP/1.0 200 OK" + +# GnuTLS can be setup to send a ClientHello containing a supported versions +# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case, +# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and +# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS +# client then detects the downgrade indication and aborts the handshake even +# if TLS 1.2 was its preferred version. Keeping the test even if the +# handshake fails eventually as it exercices parts of the Mbed TLS +# implementation that are otherwise not exercised. +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Server selecting TLS 1.2 over TLS 1.3" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ + 1 \ + -c "Detected downgrade to TLS 1.2 from TLS 1.3" + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Not supported version check: cli TLS 1.0" \ "$P_SRV" \ From 98bdcc4f29e776e2d898a11bb9761bf9a977ab51 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:00:42 +0100 Subject: [PATCH 2/8] ssl-opt.sh: Change G->m server version selection tests Change description and dependencies before to expand G->m server version selection tests. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 81 ++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 48 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8ca2312593..24ff82d474 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6884,43 +6884,35 @@ run_test "Version check: all -> 1.2" \ # Tests of version negotiation on server side against GnuTLS client -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ - -s "Protocol is TLSv1.2" \ - -c "HTTP/1.0 200 OK" + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \ +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \ +requires_gnutls_next_disable_tls13_compat +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \ 0 \ - -s "Protocol is TLSv1.3" \ - -c "HTTP/1.0 200 OK" + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" # GnuTLS can be setup to send a ClientHello containing a supported versions # extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case, @@ -6930,37 +6922,30 @@ run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \ # if TLS 1.2 was its preferred version. Keeping the test even if the # handshake fails eventually as it exercices parts of the Mbed TLS # implementation that are otherwise not exercised. -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Server selecting TLS 1.2 over TLS 1.3" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \ +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \ + "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ 1 \ -c "Detected downgrade to TLS 1.2 from TLS 1.3" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: cli TLS 1.0" \ +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \ 1 \ -s "Handshake protocol not within min/max boundaries" \ - -c "Error in protocol version" \ - -S "Protocol is TLSv1.0" \ - -C "Handshake was completed" + -S "Protocol is TLSv1.0" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: cli TLS 1.1" \ +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \ 1 \ -s "Handshake protocol not within min/max boundaries" \ - -c "Error in protocol version" \ - -S "Protocol is TLSv1.1" \ - -C "Handshake was completed" + -S "Protocol is TLSv1.1" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Not supported version check: srv max TLS 1.0" \ From dfad493e8b699389589f1db045f2c96aadccbe0e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:05:14 +0100 Subject: [PATCH 3/8] ssl-opt.sh: Expand G->m server version selection tests Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 109 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 105 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 24ff82d474..99066aae3f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6884,16 +6884,46 @@ run_test "Version check: all -> 1.2" \ # Tests of version negotiation on server side against GnuTLS client -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ +run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \ "$P_SRV" \ - "$G_NEXT_CLI localhost --priority=NORMAL" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ 0 \ -S "mbedtls_ssl_handshake returned" \ -s "Protocol is TLSv1.2" +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE @@ -6931,6 +6961,37 @@ run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \ 1 \ -c "Detected downgrade to TLS 1.2 from TLS 1.3" +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$G_NEXT_CLI localhost --priority=NORMAL" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + requires_config_enabled MBEDTLS_SSL_SRV_C run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \ "$P_SRV" \ @@ -6947,6 +7008,46 @@ run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \ -s "Handshake protocol not within min/max boundaries" \ -S "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Not supported version check G->m: 1.2 / 1.3" \ + "$P_SRV" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.3 / 1.2" \ + "$P_SRV" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +# Tests of version negotiation on client side against GnuTLS server + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Not supported version check: srv max TLS 1.0" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \ From a1e7b6a66aaed9e426304352c0a0417008155778 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:13:49 +0100 Subject: [PATCH 4/8] ssl-opt.sh: Group cli ver nego tests against GnuTLS and OpenSSL Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 166 +++++++++++++++++++++++------------------------ 1 file changed, 83 insertions(+), 83 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 99066aae3f..43cbeaf3d6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -7046,7 +7046,7 @@ run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ -s "The handshake negotiation failed" \ -S "Protocol is TLSv1.3" -# Tests of version negotiation on client side against GnuTLS server +# Tests of version negotiation on client side against GnuTLS and OpenSSL server requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Not supported version check: srv max TLS 1.0" \ @@ -7068,6 +7068,88 @@ run_test "Not supported version check: srv max TLS 1.1" \ -S "Version: TLS1.1" \ -C "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.0" \ + -C "Protocol is TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.1" \ + -C "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ + "$P_CLI force_version=tls13 debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -c "is a fatal alert message (msg 40)" \ + -S "Version: TLS1.2" \ + -C "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ + "$O_NEXT_SRV -msg -tls1" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.0" \ + -C "Protocol : TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ + "$O_NEXT_SRV -msg -tls1_1" \ + "$P_CLI debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.1" \ + -C "Protocol : TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ + "$O_NEXT_SRV -msg -tls1_2" \ + "$P_CLI force_version=tls13 debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -c "is a fatal alert message (msg 70)" \ + -S "Version: TLS1.2" \ + -C "Protocol : TLSv1.2" + # Tests for ALPN extension requires_key_exchange_with_cert_in_tls12_or_tls13_enabled @@ -11954,88 +12036,6 @@ run_test "TLS 1.3: server alpn - gnutls" \ -s "HTTP/1.0 200 OK" \ -s "Application Layer Protocol is h2" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -S "Version: TLS1.0" \ - -C "Protocol is TLSv1.0" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -S "Version: TLS1.1" \ - -C "Protocol is TLSv1.1" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ - "$P_CLI force_version=tls13 debug_level=4" \ - 1 \ - -s "Client's version: 3.3" \ - -c "is a fatal alert message (msg 40)" \ - -S "Version: TLS1.2" \ - -C "Protocol is TLSv1.2" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ - "$O_NEXT_SRV -msg -tls1" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.0" \ - -C "Protocol : TLSv1.0" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ - "$O_NEXT_SRV -msg -tls1_1" \ - "$P_CLI debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.1" \ - -C "Protocol : TLSv1.1" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -skip_handshake_stage_check -requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ - "$O_NEXT_SRV -msg -tls1_2" \ - "$P_CLI force_version=tls13 debug_level=4" \ - 1 \ - -s "fatal protocol_version" \ - -c "is a fatal alert message (msg 70)" \ - -S "Version: TLS1.2" \ - -C "Protocol : TLSv1.2" - requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CLI_C From fe18d8db76468813a15cd1f421718997868ad785 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:19:55 +0100 Subject: [PATCH 5/8] ssl-opt.sh: Group MbedTLS only version negotiation tests Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 43cbeaf3d6..bcaa9d2292 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6871,7 +6871,7 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ 0 \ -c "Read from server: .* bytes read" -# Tests for version negotiation +# Tests for version negotiation, MbedTLS client and server run_test "Version check: all -> 1.2" \ "$P_SRV" \ @@ -6882,6 +6882,21 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \ + "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \ + "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \ + 1 \ + -c "The SSL configuration is tls12 only" \ + -c "supported_versions(43) extension does not exist." \ + -c "A fatal alert message was received from our peer" \ + -s "The SSL configuration is tls13 only" \ + -s "TLS 1.2 not supported." + # Tests of version negotiation on server side against GnuTLS client requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 @@ -12036,21 +12051,6 @@ run_test "TLS 1.3: server alpn - gnutls" \ -s "HTTP/1.0 200 OK" \ -s "Application Layer Protocol is h2" -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \ - "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \ - "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \ - 1 \ - -c "The SSL configuration is tls12 only" \ - -c "supported_versions(43) extension does not exist." \ - -c "A fatal alert message was received from our peer" \ - -s "The SSL configuration is tls13 only" \ - -s "TLS 1.2 not supported." - requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C From dcfd00c128b3f9aa4647d2bbd70b27fa3654ea81 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:58:50 +0100 Subject: [PATCH 6/8] ssl-opt.sh: Change MbedTLS only version negotiation tests Change description and dependencies before to expand MbedTLS only version negotiation tests. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bcaa9d2292..451b5beff4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6873,29 +6873,30 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ # Tests for version negotiation, MbedTLS client and server -run_test "Version check: all -> 1.2" \ +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ "$P_SRV" \ - "$P_CLI force_version=tls12" \ + "$P_CLI max_version=tls12" \ 0 \ -S "mbedtls_ssl_handshake returned" \ -C "mbedtls_ssl_handshake returned" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \ - "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \ - "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \ - 1 \ - -c "The SSL configuration is tls12 only" \ - -c "supported_versions(43) extension does not exist." \ - -c "A fatal alert message was received from our peer" \ - -s "The SSL configuration is tls13 only" \ - -s "TLS 1.2 not supported." +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$P_CLI max_version=tls12" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" \ + -C "Protocol is TLSv1.2" \ + -S "Protocol is TLSv1.3" \ + -C "Protocol is TLSv1.3" # Tests of version negotiation on server side against GnuTLS client From 114c5f0321828661260e83bec656fbfddfd7852c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 6 Mar 2024 15:24:41 +0100 Subject: [PATCH 7/8] ssl-opt.sh: Expand MbedTLS only version negotiation tests Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 107 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 451b5beff4..aea029546e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6873,9 +6873,93 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ # Tests for version negotiation, MbedTLS client and server +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$P_CLI max_version=tls12" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$P_CLI min_version=tls13" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$P_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" \ + -c "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ "$P_SRV" \ "$P_CLI max_version=tls12" \ @@ -6888,6 +6972,17 @@ run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \ + "$P_SRV" \ + "$P_CLI min_version=tls13" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -C "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" \ + -c "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ "$P_SRV min_version=tls13" \ "$P_CLI max_version=tls12" \ @@ -6898,6 +6993,18 @@ run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ -S "Protocol is TLSv1.3" \ -C "Protocol is TLSv1.3" +requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$P_CLI min_version=tls13" \ + 1 \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.2" \ + -C "Protocol is TLSv1.2" \ + -S "Protocol is TLSv1.3" \ + -C "Protocol is TLSv1.3" + # Tests of version negotiation on server side against GnuTLS client requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 From 10797e3da15efe3ab6b498554e28663c04bca926 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 08:27:24 +0100 Subject: [PATCH 8/8] ssl-opt.sh: Add O->m server version selection tests Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 151 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index aea029546e..178aa5087e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -7169,6 +7169,157 @@ run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ -s "The handshake negotiation failed" \ -S "Protocol is TLSv1.3" +# Tests of version negotiation on server side against OpenSSL client + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI -tls1_2" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI -tls1_3" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "Server version nego check O->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -no_middlebox" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.3" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI" \ + 0 \ + -S "mbedtls_ssl_handshake returned" \ + -s "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \ + "$P_SRV" \ + "$O_CLI -tls1" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \ + "$P_SRV" \ + "$O_CLI -tls1_1" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Not supported version check O->m: 1.2 / 1.3" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.3 / 1.2" \ + "$P_SRV" \ + "$O_NEXT_CLI -tls1_3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \ + "$P_SRV min_version=tls13" \ + "$O_NEXT_CLI -tls1_2" \ + 1 \ + -s "Handshake protocol not within min/max boundaries" \ + -S "Protocol is TLSv1.2" + +requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 +run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \ + "$P_SRV max_version=tls12" \ + "$O_NEXT_CLI -tls1_3" \ + 1 \ + -S "Handshake protocol not within min/max boundaries" \ + -s "The handshake negotiation failed" \ + -S "Protocol is TLSv1.3" + # Tests of version negotiation on client side against GnuTLS and OpenSSL server requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2