[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon Jul 18 13:32:45 UTC 2016
The branch master has been updated
via 23dd09b5e96039300ba0196c122046d1d0b31af1 (commit)
via eb5561cd775ca533a919f93fc0e1d13aa70f3760 (commit)
via 0f512756e2bd8a6b855c925373670b698540fd9f (commit)
via 7d2c13a705acfad1827634e89356a72999a641a2 (commit)
via 1b5c44b810f8d807ba9a98d766bfef8f53b08960 (commit)
via 149c2ef5ec64f246de978c5c917405dafc6983dc (commit)
via 672f3337c36d932bf214edf0a1a65fd069142282 (commit)
via 10e6d235494f69365914f959f83b448b0b21dca2 (commit)
via 78cbe94f89417150d5d334f6c02ed697f62029fe (commit)
via 05c4f1d563bf7978543e3b5bdb292cbf11688886 (commit)
from 3c49b2e0cdb1c82f424ba172ca819360fa6ccfe2 (commit)
- Log -----------------------------------------------------------------
commit 23dd09b5e96039300ba0196c122046d1d0b31af1
Author: Matt Caswell <matt at openssl.org>
Date: Mon Jul 18 14:17:42 2016 +0100
Fix formatting in statem_srvr.c based on review feedback
Also elaborated a comment based on feedback.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit eb5561cd775ca533a919f93fc0e1d13aa70f3760
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jul 15 10:46:01 2016 +0100
Ensure Travis tests SSLv3
Switch on Travis testing of SSLv3.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 0f512756e2bd8a6b855c925373670b698540fd9f
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jul 15 10:36:42 2016 +0100
Try and make the transition tests for CKE message clearer
The logic testing whether a CKE message is allowed or not was a little
difficult to follow. This tries to clean it up.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 7d2c13a705acfad1827634e89356a72999a641a2
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jul 15 10:04:11 2016 +0100
Simplify key_exchange_expected() logic
The static function key_exchange_expected() used to return -1 on error.
Commit 361a119127 changed that so that it can never fail. This means that
some tidy up can be done to simplify error handling in callers of that
function.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 1b5c44b810f8d807ba9a98d766bfef8f53b08960
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 23:22:00 2016 +0100
Fix client auth test_ssl_new failures when enabling/disabling protocols
If configuring for anything other than the default TLS protocols then
test failures were occuring.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 149c2ef5ec64f246de978c5c917405dafc6983dc
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 14:37:57 2016 +0100
Make sure we call ssl3_digest_cached_records() when necessary
Having received a ClientKeyExchange message instead of a Certificate we
know that we are not going to receive a CertificateVerify message. This
means we can free up the handshake_buffer. However we better call
ssl3_digest_cached_records() instead of just freeing it up, otherwise we
later try and use it anyway and a core dump results. This could happen,
for example, in SSLv3 where we send a CertificateRequest but the client
sends no Certificate message at all. This is valid in SSLv3 (in TLS
clients are required to send an empty Certificate message).
Found using the BoringSSL test suite.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 672f3337c36d932bf214edf0a1a65fd069142282
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 19:43:46 2016 +0100
Fix SSLv3 alert if no Client Ceritifcate sent after a request for one
In TLS if the server sends a CertificateRequest and the client does not
provide one, if the server cannot continue it should send a
HandshakeFailure alert. In SSLv3 the same should happen, but instead we
were sending an UnexpectedMessage alert. This is incorrect - the message
isn't unexpected - it is valid for the client not to send one - its just
that we cannot continue without one.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 10e6d235494f69365914f959f83b448b0b21dca2
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 19:41:03 2016 +0100
Fix SSLv3 ClientAuth alert checking
In TLS during ClientAuth if the CA is not recognised you should get an
UnknownCA alert. In SSLv3 this does not exist and you should get a
BadCertificate alert.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 78cbe94f89417150d5d334f6c02ed697f62029fe
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 16:34:26 2016 +0100
Fix Client Auth tests
The Client Auth tests were not correctly setting the Protocol, so that this
aspect had no effect. It was testing the same thing lots of times for
TLSv1.2 every time.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit 05c4f1d563bf7978543e3b5bdb292cbf11688886
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 22 14:31:32 2016 +0100
Prepare the client certificate earlier
Move the preparation of the client certificate to be post processing work
after reading the CertificateRequest message rather than pre processing
work prior to writing the Certificate message. As part of preparing the
client certificate we may discover that we do not have one available. If
we are also talking SSLv3 then we won't send the Certificate message at
all. However, if we don't discover this until we are about to send the
Certificate message it is too late and we send an empty one anyway. This
is wrong for SSLv3.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
.travis.yml | 2 +-
ssl/statem/statem.c | 3 +-
ssl/statem/statem_clnt.c | 20 ++++----
ssl/statem/statem_srvr.c | 49 ++++++++++++-------
test/recipes/80-test_ssl_new.t | 1 +
test/ssl-tests/04-client_auth.conf | 90 +++++++++++++++++++++++------------
test/ssl-tests/04-client_auth.conf.in | 40 +++++++++++-----
test/ssl_test_ctx.c | 1 +
8 files changed, 134 insertions(+), 72 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 2232649..6df5163 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -36,7 +36,7 @@ matrix:
env: CONFIG_OPTS="no-shared enable-asan"
- os: linux
compiler: clang-3.6
- env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -fno-sanitize=alignment"
+ env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method -fno-sanitize=alignment"
- os: linux
compiler: clang-3.6
env: CONFIG_OPTS="no-shared no-asm enable-asan enable-rc5 enable-md2"
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 28483e7..c34110b 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -531,8 +531,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) {
* to that state if so
*/
if(!transition(s, mt)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
- SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
+ ossl_statem_set_error(s);
return SUB_STATE_ERROR;
}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5eefa2a..bcbb0fd 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -90,7 +90,6 @@ static ossl_inline int cert_req_allowed(SSL *s)
* Return values are:
* 1: Yes
* 0: No
- * -1: Error
*/
static int key_exchange_expected(SSL *s)
{
@@ -174,8 +173,6 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
}
} else {
ske_expected = key_exchange_expected(s);
- if (ske_expected < 0)
- return 0;
/* SKE is optional for some PSK ciphersuites */
if (ske_expected
|| ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
@@ -209,8 +206,6 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
case TLS_ST_CR_CERT_STATUS:
ske_expected = key_exchange_expected(s);
- if (ske_expected < 0)
- return 0;
/* SKE is optional for some PSK ciphersuites */
if (ske_expected
|| ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
@@ -219,7 +214,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
st->hand_state = TLS_ST_CR_KEY_EXCH;
return 1;
}
- return 0;
+ goto err;
}
/* Fall through */
@@ -229,7 +224,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
st->hand_state = TLS_ST_CR_CERT_REQ;
return 1;
}
- return 0;
+ goto err;
}
/* Fall through */
@@ -270,7 +265,10 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
break;
}
+ err:
/* No valid transition found */
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
return 0;
}
@@ -398,9 +396,6 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
}
break;
- case TLS_ST_CW_CERT:
- return tls_prepare_client_certificate(s, wst);
-
case TLS_ST_CW_CHANGE:
if (SSL_IS_DTLS(s)) {
if (s->hit) {
@@ -665,6 +660,9 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
OSSL_STATEM *st = &s->statem;
switch(st->hand_state) {
+ case TLS_ST_CR_CERT_REQ:
+ return tls_prepare_client_certificate(s, wst);
+
#ifndef OPENSSL_NO_SCTP
case TLS_ST_CR_SRVR_DONE:
/* We only get here if we are using SCTP and we are renegotiating */
@@ -1799,7 +1797,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
s->s3->tmp.ca_names = ca_sk;
ca_sk = NULL;
- ret = MSG_PROCESS_CONTINUE_READING;
+ ret = MSG_PROCESS_CONTINUE_PROCESSING;
goto done;
err:
ossl_statem_set_error(s);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 773591c..b9d25ee 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -101,13 +101,29 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
* b) We are running SSL3 (in TLS1.0+ the client must return a 0
* list if we requested a certificate)
*/
- if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
- && (!s->s3->tmp.cert_request
- || (!((s->verify_mode & SSL_VERIFY_PEER) &&
- (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (s->version == SSL3_VERSION)))) {
- st->hand_state = TLS_ST_SR_KEY_EXCH;
- return 1;
+ if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+ if (s->s3->tmp.cert_request) {
+ if (s->version == SSL3_VERSION) {
+ if ((s->verify_mode & SSL_VERIFY_PEER)
+ && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
+ /*
+ * This isn't an unexpected message as such - we're just
+ * not going to accept it because we require a client
+ * cert.
+ */
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL3_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_READ_STATE_MACHINE,
+ SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+ return 0;
+ }
+ st->hand_state = TLS_ST_SR_KEY_EXCH;
+ return 1;
+ }
+ } else {
+ st->hand_state = TLS_ST_SR_KEY_EXCH;
+ return 1;
+ }
} else if (s->s3->tmp.cert_request) {
if (mt == SSL3_MT_CERTIFICATE) {
st->hand_state = TLS_ST_SR_CERT;
@@ -197,6 +213,8 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
}
/* No valid transition found */
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
return 0;
}
@@ -2574,17 +2592,16 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
}
#endif
- if (s->statem.no_cert_verify) {
- /* No certificate verify so we no longer need the handshake_buffer */
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ if (s->statem.no_cert_verify || !s->session->peer) {
+ /* No certificate verify or no peer certificate so we no longer need the
+ * handshake_buffer
+ */
+ if (!ssl3_digest_cached_records(s, 0)) {
+ ossl_statem_set_error(s);
+ return WORK_ERROR;
+ }
return WORK_FINISHED_CONTINUE;
} else {
- if (!s->session->peer) {
- /* No peer certificate so we no longer need the handshake_buffer */
- BIO_free(s->s3->handshake_buffer);
- return WORK_FINISHED_CONTINUE;
- }
if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index a024753..258164f 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -39,6 +39,7 @@ my $no_dtls = alldisabled(available_protocols("dtls"));
my %conf_dependent_tests = (
"02-protocol-version.conf" => !$is_default_tls,
+ "04-client_auth.conf" => !$is_default_tls,
"05-dtls-protocol-version.conf" => !$is_default_dtls,
);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 02cba53..04bb234 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -161,12 +161,14 @@ client = 5-server-auth-TLSv1-client
[5-server-auth-TLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1
[5-server-auth-TLSv1-client]
CipherString = DEFAULT
-Protocol = TLSv1
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -186,13 +188,15 @@ client = 6-client-auth-TLSv1-request-client
[6-client-auth-TLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1
VerifyMode = Request
[6-client-auth-TLSv1-request-client]
CipherString = DEFAULT
-Protocol = TLSv1
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -212,14 +216,16 @@ client = 7-client-auth-TLSv1-require-fail-client
[7-client-auth-TLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[7-client-auth-TLSv1-require-fail-client]
CipherString = DEFAULT
-Protocol = TLSv1
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -240,16 +246,18 @@ client = 8-client-auth-TLSv1-require-client
[8-client-auth-TLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[8-client-auth-TLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -269,15 +277,17 @@ client = 9-client-auth-TLSv1-noroot-client
[9-client-auth-TLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1
VerifyMode = Require
[9-client-auth-TLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -298,12 +308,14 @@ client = 10-server-auth-TLSv1.1-client
[10-server-auth-TLSv1.1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.1
[10-server-auth-TLSv1.1-client]
CipherString = DEFAULT
-Protocol = TLSv1.1
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -323,13 +335,15 @@ client = 11-client-auth-TLSv1.1-request-client
[11-client-auth-TLSv1.1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.1
VerifyMode = Request
[11-client-auth-TLSv1.1-request-client]
CipherString = DEFAULT
-Protocol = TLSv1.1
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -349,14 +363,16 @@ client = 12-client-auth-TLSv1.1-require-fail-client
[12-client-auth-TLSv1.1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[12-client-auth-TLSv1.1-require-fail-client]
CipherString = DEFAULT
-Protocol = TLSv1.1
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -377,16 +393,18 @@ client = 13-client-auth-TLSv1.1-require-client
[13-client-auth-TLSv1.1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[13-client-auth-TLSv1.1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -406,15 +424,17 @@ client = 14-client-auth-TLSv1.1-noroot-client
[14-client-auth-TLSv1.1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.1
VerifyMode = Require
[14-client-auth-TLSv1.1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -435,12 +455,14 @@ client = 15-server-auth-TLSv1.2-client
[15-server-auth-TLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.2
[15-server-auth-TLSv1.2-client]
CipherString = DEFAULT
-Protocol = TLSv1.2
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -460,13 +482,15 @@ client = 16-client-auth-TLSv1.2-request-client
[16-client-auth-TLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.2
VerifyMode = Request
[16-client-auth-TLSv1.2-request-client]
CipherString = DEFAULT
-Protocol = TLSv1.2
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -486,14 +510,16 @@ client = 17-client-auth-TLSv1.2-require-fail-client
[17-client-auth-TLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[17-client-auth-TLSv1.2-require-fail-client]
CipherString = DEFAULT
-Protocol = TLSv1.2
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -514,16 +540,18 @@ client = 18-client-auth-TLSv1.2-require-client
[18-client-auth-TLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[18-client-auth-TLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -543,15 +571,17 @@ client = 19-client-auth-TLSv1.2-noroot-client
[19-client-auth-TLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-Protocol = TLSv1.2
VerifyMode = Require
[19-client-auth-TLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index 36d13df..495db02 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -26,15 +26,23 @@ sub generate_tests() {
foreach (0..$#protocols) {
my $protocol = $protocols[$_];
my $protocol_name = $protocol || "flex";
+ my $caalert;
if (!$is_disabled[$_]) {
+ if ($protocol_name eq "SSLv3") {
+ $caalert = "BadCertificate";
+ } else {
+ $caalert = "UnknownCA";
+ }
# Sanity-check simple handshake.
push @tests, {
name => "server-auth-${protocol_name}",
server => {
- "Protocol" => $protocol
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
},
client => {
- "Protocol" => $protocol
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
@@ -43,11 +51,13 @@ sub generate_tests() {
push @tests, {
name => "client-auth-${protocol_name}-request",
server => {
- "Protocol" => $protocol,
- "VerifyMode" => "Request",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "VerifyMode" => "Request"
},
client => {
- "Protocol" => $protocol
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
@@ -56,12 +66,14 @@ sub generate_tests() {
push @tests, {
name => "client-auth-${protocol_name}-require-fail",
server => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Require",
},
client => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
},
test => {
"ExpectedResult" => "ServerFail",
@@ -73,12 +85,14 @@ sub generate_tests() {
push @tests, {
name => "client-auth-${protocol_name}-require",
server => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Request",
},
client => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
@@ -89,17 +103,19 @@ sub generate_tests() {
push @tests, {
name => "client-auth-${protocol_name}-noroot",
server => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
"VerifyMode" => "Require",
},
client => {
- "Protocol" => $protocol,
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
test => {
"ExpectedResult" => "ServerFail",
- "ServerAlert" => "UnknownCA",
+ "ServerAlert" => $caalert,
},
};
}
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index b06ab48..4d038d2 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
{"UnknownCA", SSL_AD_UNKNOWN_CA},
{"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
{"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
};
__owur static int parse_alert(int *alert, const char *value)
More information about the openssl-commits
mailing list