[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Mon Mar 19 17:24:58 UTC 2018
The branch master has been updated
via 7d7f6834e542e53f604b46a72d57fad773d4b2bc (commit)
via 2e2faa8c4802f2fcecea699ddda246929b2ca329 (commit)
via 43110de041b77aef08bf744cba9330969895a321 (commit)
from dad8c264c78d1bc57b6fcf6c0204a00523c13940 (commit)
- Log -----------------------------------------------------------------
commit 7d7f6834e542e53f604b46a72d57fad773d4b2bc
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 09:08:06 2018 +0100
Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto version
Have all test programs using that function specify those versions.
Additionally, have the remaining test programs that use SSL_CTX_new
directly specify at least the maximum protocol version.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5663)
commit 2e2faa8c4802f2fcecea699ddda246929b2ca329
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 08:44:04 2018 +0100
In TLSProxy::Proxy, specify TLSv1.3 as maximum allowable protocol
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5663)
commit 43110de041b77aef08bf744cba9330969895a321
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 07:46:10 2018 +0100
Support "-min_protocol" and "-max_protocol" in s_server and s_client
If for nothing else, they are needed when doing a regression test
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5663)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.h | 5 +++
test/asynciotest.c | 3 +-
test/clienthellotest.c | 2 +
test/dtlstest.c | 5 ++-
test/fatalerrtest.c | 5 ++-
test/recordlentest.c | 1 +
test/ssl_test.c | 27 +++++++++++++
test/sslapitest.c | 95 +++++++++++++++++++++++++--------------------
test/sslbuffertest.c | 1 +
test/sslcorrupttest.c | 6 +--
test/ssltest_old.c | 21 ++++++----
test/ssltestlib.c | 17 ++++++++
test/ssltestlib.h | 1 +
test/tls13ccstest.c | 1 +
util/perl/TLSProxy/Proxy.pm | 4 +-
15 files changed, 134 insertions(+), 60 deletions(-)
diff --git a/apps/apps.h b/apps/apps.h
index 8f2590e..4d4aae7 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -231,6 +231,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
# define OPT_S_OPTIONS \
@@ -274,6 +275,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
"Elliptic curve used for ECDHE (server-side only)" }, \
{"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
+ {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
+ {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
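Review bot: The two new help strings say what `-min_protocol`/`-max_protocol` do but not what form the argument takes, unlike neighbouring entries such as `-cipher`/`-ciphersuites` that at least name the TLS version they apply to. The Proxy.pm change in this same commit passes `TLSv1.3`, so the text could give that shape, e.g. `{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used (e.g. TLSv1.2)"}, \` and the same for `max_protocol`. The accepted version names are presumably those of the SSL_CONF MinProtocol/MaxProtocol commands, which is not visible here, so the example should be checked against that list.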
@@ -309,6 +312,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
case OPT_S_CIPHERSUITES: \
case OPT_S_RECORD_PADDING: \
case OPT_S_NO_RENEGOTIATION: \
+ case OPT_S_MINPROTO: \
+ case OPT_S_MAXPROTO: \
case OPT_S_DEBUGBROKE: \
case OPT_S_NO_MIDDLEBOX
diff --git a/test/asynciotest.c b/test/asynciotest.c
index 179fe26..8d15fcb 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -299,7 +299,8 @@ static int test_asyncio(int test)
char buf[sizeof(testdata)];
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- &serverctx, &clientctx, cert, privkey)))
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &serverctx, &clientctx, cert, privkey)))
goto end;
/*
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index 5eded83..10e3b1b 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -78,6 +78,8 @@ static int test_client_hello(int currtest)
ctx = SSL_CTX_new(TLS_method());
if (!TEST_ptr(ctx))
goto end;
+ if (!TEST_true(SSL_CTX_set_max_proto_version(ctx, TLS_MAX_VERSION)))
+ goto end;
switch(currtest) {
case TEST_SET_SESSION_TICK_DATA_VER_NEG:
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 7e511f7..f4f9924 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -61,8 +61,9 @@ static int test_dtls_unprocessed(int testidx)
timer_cb_count = 0;
if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
- DTLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c
index 85b11c8..d3a23e5 100644
--- a/test/fatalerrtest.c
+++ b/test/fatalerrtest.c
@@ -28,8 +28,9 @@ static int test_fatalerr(void)
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
- if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(), &sctx, &cctx,
- cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto err;
/*
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 824c09f..17e5499 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -103,6 +103,7 @@ static int test_record_overflow(int idx)
ERR_clear_error();
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
goto end;
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 778c330..ddb338b 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -406,15 +406,27 @@ static int test_handshake(int idx)
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
if (!TEST_ptr(server2_ctx = SSL_CTX_new(DTLS_server_method())))
goto err;
}
client_ctx = SSL_CTX_new(DTLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(DTLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
resume_client_ctx = SSL_CTX_new(DTLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ DTLS_MAX_VERSION)))
+ goto err;
if (!TEST_ptr(resume_server_ctx)
|| !TEST_ptr(resume_client_ctx))
goto err;
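Review bot: The added SSL_CTX_set_max_proto_version calls on resume_server_ctx and resume_client_ctx are made before the TEST_ptr checks on those two pointers at the end of the hunk, so a failed SSL_CTX_new now hands a NULL SSL_CTX to SSL_CTX_ctrl instead of being reported as a test failure. Either move the two TEST_ptr checks ahead of the new calls, or fold them in: `if (!TEST_ptr(resume_server_ctx) || !TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, DTLS_MAX_VERSION))) goto err;`. server_ctx and client_ctx have the same problem, since their pointer checks are not in this hunk and presumably follow later in test_handshake. Also, server2_ctx gets no max version in this DTLS branch while the TLS branch further down sets it; test_handshake begins and ends outside the hunk.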
@@ -423,17 +435,32 @@ static int test_handshake(int idx)
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
goto err;
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
}
client_ctx = SSL_CTX_new(TLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(TLS_server_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
resume_client_ctx = SSL_CTX_new(TLS_client_method());
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
if (!TEST_ptr(resume_server_ctx)
|| !TEST_ptr(resume_client_ctx))
goto err;
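Review bot: In the TLS branch the new SSL_CTX_set_max_proto_version calls on resume_server_ctx and resume_client_ctx again precede the `TEST_ptr(resume_server_ctx) || TEST_ptr(resume_client_ctx)` check at the bottom of the hunk, so the NULL case is dereferenced rather than caught. Putting the pointer check first keeps the failure a clean test error: `if (!TEST_ptr(resume_server_ctx) || !TEST_ptr(resume_client_ctx)) goto err;` followed by the two `SSL_CTX_set_max_proto_version(..., TLS_MAX_VERSION)` calls. The same ordering concern applies to server_ctx and client_ctx, whose checks are not visible in this hunk; test_handshake continues outside it.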
diff --git a/test/sslapitest.c b/test/sslapitest.c
index a0da25f..3dcf735 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -272,6 +272,7 @@ static int test_keylog(void)
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -349,9 +350,9 @@ static int test_keylog_no_master_key(void)
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
@@ -452,9 +453,9 @@ static int test_client_hello_cb(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testctr = 0, testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
@@ -490,7 +491,9 @@ end:
#endif
static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth, int read_ahead)
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -508,8 +511,8 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
if (!TEST_ptr(chaincert))
goto end;
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
+ &sctx, &cctx, cert, privkey)))
goto end;
if (read_ahead) {
@@ -566,12 +569,14 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
0);
}
static int test_large_message_tls_read_ahead(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
1);
}
@@ -583,7 +588,9 @@ static int test_large_message_dtls(void)
* read_ahead is set.
*/
return execute_test_large_message(DTLS_server_method(),
- DTLS_client_method(), 0);
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ 0);
}
#endif
@@ -642,8 +649,9 @@ static int test_tlsext_status_type(void)
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
return 0;
if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
@@ -806,9 +814,9 @@ static int execute_test_session(int maxprot, int use_int_cache,
new_called = remove_called = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
/*
@@ -1341,9 +1349,9 @@ static int test_set_sigalgs(int idx)
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
/*
@@ -1558,9 +1566,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
SSL **serverssl, SSL_SESSION **sess, int idx)
{
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), sctx,
- cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ sctx, cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(*sctx,
SSL3_RT_MAX_PLAIN_LENGTH))
|| !TEST_true(SSL_CTX_set_max_early_data(*cctx,
@@ -2440,9 +2448,9 @@ static int test_ciphersuite_change(void)
const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
@@ -2573,9 +2581,9 @@ static int test_tls13_psk(int idx)
};
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
/*
@@ -2808,9 +2816,9 @@ static int test_stateless(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
/* The arrival of CCS messages can confuse the test */
@@ -3032,14 +3040,15 @@ static int test_custom_exts(int tst)
clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
snicb = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
if (tst == 2
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
- NULL, cert, privkey)))
+ && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx2, NULL, cert, privkey)))
goto end;
@@ -3308,9 +3317,9 @@ static int test_export_key_mat(int tst)
if (tst == 3)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
@@ -3488,9 +3497,9 @@ static int test_ssl_clear(int idx)
#endif
/* Create an initial connection */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
|| (idx == 1
&& !TEST_true(SSL_CTX_set_max_proto_version(cctx,
TLS1_2_VERSION)))
@@ -3644,8 +3653,8 @@ static int test_pha_key_update(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c
index a1c3c6a..7616eea 100644
--- a/test/sslbuffertest.c
+++ b/test/sslbuffertest.c
@@ -166,6 +166,7 @@ int setup_tests(void)
return 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&serverctx, &clientctx, cert, pkey)) {
TEST_error("Failed to create SSL_CTX pair\n");
return 0;
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 1923100..b06ce81 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -193,9 +193,9 @@ static int test_ssl_corrupt(int testidx)
TEST_info("Starting #%d, %s", testidx, cipher_list[testidx]);
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher_list[testidx])))
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 7d31d36..0661a42 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1330,17 +1330,24 @@ int main(int argc, char *argv[])
} else if (tls1_2) {
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
+ } else {
+ min_version = SSL3_VERSION;
+ max_version = TLS_MAX_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
- if (dtls || dtls1 || dtls12)
+ if (dtls || dtls1 || dtls12) {
meth = DTLS_method();
- if (dtls1) {
- min_version = DTLS1_VERSION;
- max_version = DTLS1_VERSION;
- } else if (dtls12) {
- min_version = DTLS1_2_VERSION;
- max_version = DTLS1_2_VERSION;
+ if (dtls1) {
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
+ } else if (dtls12) {
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
+ } else {
+ min_version = DTLS_MIN_VERSION;
+ max_version = DTLS_MAX_VERSION;
+ }
}
#endif
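Review bot: The new `else` branch for the TLS default sets `min_version = SSL3_VERSION`, while every other test touched by this commit uses `TLS1_VERSION` as the floor and the DTLS branch below uses the symbolic `DTLS_MIN_VERSION`. Explicitly pinning the floor at SSLv3 only has an effect in builds that still include SSLv3, and it makes the harness's default deliberately admit a protocol the rest of the tests exclude; `min_version = TLS1_VERSION;` would match the other tests unless SSLv3 coverage is intended here, in which case a one-line comment saying so would help. The `if (tls1) ... else if (tls1_2)` chain this `else` closes starts before the hunk.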
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 4473c67..f7dc65f 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -511,6 +511,7 @@ static int mempacket_test_puts(BIO *bio, const char *str)
}
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
{
@@ -521,6 +522,22 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
|| (cctx != NULL && !TEST_ptr(clientctx = SSL_CTX_new(cm))))
goto err;
+ if ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version))))
+ goto err;
+ if (clientctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
+ goto err;
+
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx, privkeyfile,
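Review bot: The second new block is guarded by `clientctx != NULL` but then calls `SSL_CTX_set_min_proto_version(serverctx, ...)` and `SSL_CTX_set_max_proto_version(serverctx, ...)`, so the client context never receives the bounds and the server is configured twice. Every caller converted in this commit therefore runs its client with the library default version range, and a test that passes a tighter client bound will not actually exercise it. The two calls should be `SSL_CTX_set_min_proto_version(clientctx, min_proto_version)` and `SSL_CTX_set_max_proto_version(clientctx, max_proto_version)`. create_ssl_ctx_pair continues past the end of the hunk.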
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index 385833b..9d1ceb0 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -13,6 +13,7 @@
# include <openssl/ssl.h>
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile);
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
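Review bot: The new min_proto_version/max_proto_version parameters are undocumented, and the implementation only applies a bound when the value is greater than zero, so 0 has a specific meaning that callers cannot see from this prototype. A short comment above the declaration would capture that: `/* min/max_proto_version: applied to both contexts via SSL_CTX_set_{min,max}_proto_version; 0 leaves the library default in place. */`. It would also be worth stating that either context may be NULL-requested (cctx == NULL) since the implementation special-cases that.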
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index afea0ea..41e4896 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -255,6 +255,7 @@ static int test_tls13ccs(int tst)
chsessidlen = 0;
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH))
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index db7b19c..7b4ad05 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -192,7 +192,7 @@ sub start
$pid = fork();
if ($pid == 0) {
my $execcmd = $self->execute
- ." s_server -no_comp -rev -engine ossltest -accept "
+ ." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest -accept "
.($self->server_port)
." -cert ".$self->cert." -cert2 ".$self->cert
." -naccept ".$self->serverconnects;
@@ -233,7 +233,7 @@ sub clientstart
$echostr = "test";
}
my $execcmd = "echo ".$echostr." | ".$self->execute
- ." s_client -engine ossltest -connect "
+ ." s_client -max_protocol TLSv1.3 -engine ossltest -connect "
.($self->proxy_addr).":".($self->proxy_port);
unless ($self->supports_IPv6) {
$execcmd .= " -4";