[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Sat Oct 9 17:59:34 UTC 2021
The branch master has been updated
via 518ce65d93692ecd4c004b96b47d58da8e5922ea (commit)
via a4c4090c21058a75e8bf1ffcc469b6d9755c55ce (commit)
via 61cab65029e787d59d3f3138e0160adb8df85f99 (commit)
via b3a33dac8880b88038083b64d234506659921436 (commit)
from 78de5a94d8e2b0a27ae026de29c195e944a49c6d (commit)
- Log -----------------------------------------------------------------
commit 518ce65d93692ecd4c004b96b47d58da8e5922ea
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 8 13:45:51 2021 +0100
Update gost-engine to the latest version
Update the gost-engine submodule to pick up the latest version
including fixes for the default security level of 2.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
commit a4c4090c21058a75e8bf1ffcc469b6d9755c55ce
Author: Matt Caswell <matt at openssl.org>
Date: Wed Oct 6 15:08:43 2021 +0100
Update document for default security level change
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
commit 61cab65029e787d59d3f3138e0160adb8df85f99
Author: Matt Caswell <matt at openssl.org>
Date: Tue Oct 5 17:30:09 2021 +0100
Fix tests for new default security level
Fix tests that were expecting a default security level of 1 to work with
the new default of 2.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
commit b3a33dac8880b88038083b64d234506659921436
Author: Matt Caswell <matt at openssl.org>
Date: Tue Oct 5 17:29:35 2021 +0100
Increase the default security level to 2
OTC voted to increase the security level from 1 to 2
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 9 ++
doc/man3/SSL_CTX_set_security_level.pod | 8 +-
gost-engine | 2 +-
include/openssl/tls1.h | 2 +-
test/ssl-tests/12-ct.cnf | 24 ++--
test/ssl-tests/12-ct.cnf.in | 18 ++-
test/ssl-tests/14-curves.cnf | 220 ++++++++++++++++----------------
test/ssl-tests/14-curves.cnf.in | 9 +-
test/ssl-tests/22-compression.cnf | 32 ++---
test/ssl-tests/22-compression.cnf.in | 16 +++
test/sslapitest.c | 24 +++-
11 files changed, 207 insertions(+), 157 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 963289ca09..4902332206 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,15 @@ OpenSSL 3.1
### Changes between 3.0 and 3.1 [xx XXX xxxx]
+ * The default SSL/TLS security level has been changed from 1 to 2. RSA,
+ DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
+ of 160 bits and above and less than 224 bits were previously accepted by
+ default but are now no longer allowed. By default TLS compression was
+ already disabled in previous OpenSSL versions. At security level 2 it cannot
+ be enabled.
+
+ *Matt Caswell*
+
* The SSL_CTX_set_cipher_list family functions now accept ciphers using their
IANA standard names.
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index d9965572c8..85dae713f0 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -75,10 +75,8 @@ OpenSSL.
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
-are prohibited. All export cipher suites are prohibited since they all offer
-less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
-using MD5 for the MAC is also prohibited. Any cipher suites using CCM with
-a 64 bit authentication tag are prohibited.
+are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any
+cipher suites using CCM with a 64 bit authentication tag are prohibited.
=item B<Level 2>
@@ -116,7 +114,7 @@ I<Documentation to be provided.>
=head1 NOTES
The default security level can be configured when OpenSSL is compiled by
-setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
+setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 2 is used.
The security framework disables or reject parameters inconsistent with the
set security level. In the past this was difficult as applications had to set
diff --git a/gost-engine b/gost-engine
index 9869058423..a6014f3569 160000
--- a/gost-engine
+++ b/gost-engine
@@ -1 +1 @@
-Subproject commit 986905842330e4a54e61334eb508fe3147c43e38
+Subproject commit a6014f3569ca1819b6d3060124f8cdc5125f074e
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index d6e9331fa1..7be6d473f8 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -28,7 +28,7 @@ extern "C" {
/* Default security level if not overridden at config time */
# ifndef OPENSSL_TLS_SECURITY_LEVEL
-# define OPENSSL_TLS_SECURITY_LEVEL 1
+# define OPENSSL_TLS_SECURITY_LEVEL 2
# endif
/* TLS*_VERSION constants are defined in prov_ssl.h */
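Review bot: The comment above the `#ifndef` still says only that the value is a default, so nothing at the definition tells a packager what the move to 2 starts rejecting. Consider `/* Default security level if not overridden at config time. Level 2 rejects RSA/DSA/DH keys below 2048 bits and ECC keys below 224 bits. */`, which matches the CHANGES.md entry in this push. Because of the `#ifndef`, a build that already passes `-DOPENSSL_TLS_SECURITY_LEVEL=1` silently keeps the old default, which is worth stating in the release note too. The header continues outside the hunk.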
diff --git a/test/ssl-tests/12-ct.cnf b/test/ssl-tests/12-ct.cnf
index 2e6e9dea67..369c5d4e8e 100644
--- a/test/ssl-tests/12-ct.cnf
+++ b/test/ssl-tests/12-ct.cnf
@@ -19,11 +19,11 @@ client = 0-ct-permissive-without-scts-client
[0-ct-permissive-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-ct-permissive-without-scts-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -46,11 +46,11 @@ client = 1-ct-permissive-with-scts-client
[1-ct-permissive-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[1-ct-permissive-with-scts-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@@ -73,11 +73,11 @@ client = 2-ct-strict-without-scts-client
[2-ct-strict-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-ct-strict-without-scts-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -101,11 +101,11 @@ client = 3-ct-strict-with-scts-client
[3-ct-strict-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[3-ct-strict-with-scts-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@@ -130,11 +130,11 @@ resume-client = 4-ct-permissive-resumption-client
[4-ct-permissive-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[4-ct-permissive-resumption-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@@ -162,11 +162,11 @@ resume-client = 5-ct-strict-resumption-resume-client
[5-ct-strict-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[5-ct-strict-resumption-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/12-ct.cnf.in b/test/ssl-tests/12-ct.cnf.in
index bf34e4b5e7..93890b9fce 100644
--- a/test/ssl-tests/12-ct.cnf.in
+++ b/test/ssl-tests/12-ct.cnf.in
@@ -18,8 +18,11 @@ package ssltests;
our @tests = (
{
name => "ct-permissive-without-scts",
- server => { },
+ server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
+ },
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
extra => {
"CTValidation" => "Permissive",
},
@@ -31,10 +34,12 @@ our @tests = (
{
name => "ct-permissive-with-scts",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Permissive",
@@ -46,8 +51,11 @@ our @tests = (
},
{
name => "ct-strict-without-scts",
- server => { },
+ server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
+ },
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
extra => {
"CTValidation" => "Strict",
},
@@ -60,10 +68,12 @@ our @tests = (
{
name => "ct-strict-with-scts",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Strict",
@@ -76,10 +86,12 @@ our @tests = (
{
name => "ct-permissive-resumption",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Permissive",
@@ -94,10 +106,12 @@ our @tests = (
{
name => "ct-strict-resumption",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Strict",
diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf
index 824a9f9a0e..7f4534c29d 100644
--- a/test/ssl-tests/14-curves.cnf
+++ b/test/ssl-tests/14-curves.cnf
@@ -68,13 +68,13 @@ client = 0-curve-prime256v1-client
[0-curve-prime256v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = prime256v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-curve-prime256v1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = prime256v1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -97,13 +97,13 @@ client = 1-curve-secp384r1-client
[1-curve-secp384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-curve-secp384r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp384r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -126,13 +126,13 @@ client = 2-curve-secp521r1-client
[2-curve-secp521r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp521r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-curve-secp521r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp521r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -155,13 +155,13 @@ client = 3-curve-X25519-client
[3-curve-X25519-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = X25519
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-curve-X25519-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = X25519
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -184,13 +184,13 @@ client = 4-curve-X448-client
[4-curve-X448-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = X448
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-curve-X448-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = X448
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -213,13 +213,13 @@ client = 5-curve-sect233k1-client
[5-curve-sect233k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-curve-sect233k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -242,13 +242,13 @@ client = 6-curve-sect233r1-client
[6-curve-sect233r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-curve-sect233r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -271,13 +271,13 @@ client = 7-curve-sect283k1-client
[7-curve-sect283k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-curve-sect283k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -300,13 +300,13 @@ client = 8-curve-sect283r1-client
[8-curve-sect283r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-curve-sect283r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -329,13 +329,13 @@ client = 9-curve-sect409k1-client
[9-curve-sect409k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-curve-sect409k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -358,13 +358,13 @@ client = 10-curve-sect409r1-client
[10-curve-sect409r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-curve-sect409r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -387,13 +387,13 @@ client = 11-curve-sect571k1-client
[11-curve-sect571k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-curve-sect571k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -416,13 +416,13 @@ client = 12-curve-sect571r1-client
[12-curve-sect571r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-curve-sect571r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -445,13 +445,13 @@ client = 13-curve-secp224r1-client
[13-curve-secp224r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-curve-secp224r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -474,13 +474,13 @@ client = 14-curve-sect163k1-client
[14-curve-sect163k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-curve-sect163k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -503,13 +503,13 @@ client = 15-curve-sect163r2-client
[15-curve-sect163r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-curve-sect163r2-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -532,13 +532,13 @@ client = 16-curve-prime192v1-client
[16-curve-prime192v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[16-curve-prime192v1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -561,13 +561,13 @@ client = 17-curve-sect163r1-client
[17-curve-sect163r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[17-curve-sect163r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -590,13 +590,13 @@ client = 18-curve-sect193r1-client
[18-curve-sect193r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-curve-sect193r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -619,13 +619,13 @@ client = 19-curve-sect193r2-client
[19-curve-sect193r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[19-curve-sect193r2-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -648,13 +648,13 @@ client = 20-curve-sect239k1-client
[20-curve-sect239k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[20-curve-sect239k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -677,13 +677,13 @@ client = 21-curve-secp160k1-client
[21-curve-secp160k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[21-curve-secp160k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -706,13 +706,13 @@ client = 22-curve-secp160r1-client
[22-curve-secp160r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[22-curve-secp160r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -735,13 +735,13 @@ client = 23-curve-secp160r2-client
[23-curve-secp160r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[23-curve-secp160r2-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -764,13 +764,13 @@ client = 24-curve-secp192k1-client
[24-curve-secp192k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-curve-secp192k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -793,13 +793,13 @@ client = 25-curve-secp224k1-client
[25-curve-secp224k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[25-curve-secp224k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -822,13 +822,13 @@ client = 26-curve-secp256k1-client
[26-curve-secp256k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[26-curve-secp256k1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -851,13 +851,13 @@ client = 27-curve-brainpoolP256r1-client
[27-curve-brainpoolP256r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[27-curve-brainpoolP256r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -880,13 +880,13 @@ client = 28-curve-brainpoolP384r1-client
[28-curve-brainpoolP384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[28-curve-brainpoolP384r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -909,13 +909,13 @@ client = 29-curve-brainpoolP512r1-client
[29-curve-brainpoolP512r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[29-curve-brainpoolP512r1-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -938,13 +938,13 @@ client = 30-curve-sect233k1-tls13-client
[30-curve-sect233k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[30-curve-sect233k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect233k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -965,13 +965,13 @@ client = 31-curve-sect233r1-tls13-client
[31-curve-sect233r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[31-curve-sect233r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect233r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -992,13 +992,13 @@ client = 32-curve-sect283k1-tls13-client
[32-curve-sect283k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[32-curve-sect283k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect283k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1019,13 +1019,13 @@ client = 33-curve-sect283r1-tls13-client
[33-curve-sect283r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[33-curve-sect283r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect283r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1046,13 +1046,13 @@ client = 34-curve-sect409k1-tls13-client
[34-curve-sect409k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[34-curve-sect409k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect409k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1073,13 +1073,13 @@ client = 35-curve-sect409r1-tls13-client
[35-curve-sect409r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[35-curve-sect409r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect409r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1100,13 +1100,13 @@ client = 36-curve-sect571k1-tls13-client
[36-curve-sect571k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[36-curve-sect571k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect571k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1127,13 +1127,13 @@ client = 37-curve-sect571r1-tls13-client
[37-curve-sect571r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[37-curve-sect571r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect571r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1154,13 +1154,13 @@ client = 38-curve-secp224r1-tls13-client
[38-curve-secp224r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[38-curve-secp224r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp224r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1181,13 +1181,13 @@ client = 39-curve-sect163k1-tls13-client
[39-curve-sect163k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[39-curve-sect163k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1208,13 +1208,13 @@ client = 40-curve-sect163r2-tls13-client
[40-curve-sect163r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[40-curve-sect163r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1235,13 +1235,13 @@ client = 41-curve-prime192v1-tls13-client
[41-curve-prime192v1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[41-curve-prime192v1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = prime192v1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1262,13 +1262,13 @@ client = 42-curve-sect163r1-tls13-client
[42-curve-sect163r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[42-curve-sect163r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect163r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1289,13 +1289,13 @@ client = 43-curve-sect193r1-tls13-client
[43-curve-sect193r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[43-curve-sect193r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect193r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1316,13 +1316,13 @@ client = 44-curve-sect193r2-tls13-client
[44-curve-sect193r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[44-curve-sect193r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect193r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1343,13 +1343,13 @@ client = 45-curve-sect239k1-tls13-client
[45-curve-sect239k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[45-curve-sect239k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = sect239k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1370,13 +1370,13 @@ client = 46-curve-secp160k1-tls13-client
[46-curve-secp160k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[46-curve-secp160k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1397,13 +1397,13 @@ client = 47-curve-secp160r1-tls13-client
[47-curve-secp160r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[47-curve-secp160r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1424,13 +1424,13 @@ client = 48-curve-secp160r2-tls13-client
[48-curve-secp160r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[48-curve-secp160r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp160r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1451,13 +1451,13 @@ client = 49-curve-secp192k1-tls13-client
[49-curve-secp192k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[49-curve-secp192k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp192k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1478,13 +1478,13 @@ client = 50-curve-secp224k1-tls13-client
[50-curve-secp224k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[50-curve-secp224k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp224k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1505,13 +1505,13 @@ client = 51-curve-secp256k1-tls13-client
[51-curve-secp256k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[51-curve-secp256k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = secp256k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1532,13 +1532,13 @@ client = 52-curve-brainpoolP256r1-tls13-client
[52-curve-brainpoolP256r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[52-curve-brainpoolP256r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP256r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1559,13 +1559,13 @@ client = 53-curve-brainpoolP384r1-tls13-client
[53-curve-brainpoolP384r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[53-curve-brainpoolP384r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP384r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -1586,13 +1586,13 @@ client = 54-curve-brainpoolP512r1-tls13-client
[54-curve-brainpoolP512r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[54-curve-brainpoolP512r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE at SECLEVEL=1
Curves = brainpoolP512r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in
index 4c905a8ea8..6426b175b5 100644
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
@@ -36,10 +36,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
- "CipherString" => "ECDHE",
+ "CipherString" => 'ECDHE at SECLEVEL=1',
"MaxProtocol" => "TLSv1.3",
"Curves" => $curve
},
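Review bot: The `CipherString` override is added to the server and client of every generated curve test in this hunk, and again in the hunks at -56 and -76, so curves that meet the new default level 2 are now exercised only at level 1. If the curve list can be split by strength (the list and the loop are outside these hunks, so this is an assumption), the stronger curves could keep the default and only those below the level 2 minimum would be lowered, which also leaves room for a case that expects a weak curve to be refused at the default. At minimum a comment above the first override, `# Curves below security level 2 need the level lowered; the default is now 2`, would record why the string is there. The list archive prints the `@` of `@SECLEVEL=1` as ` at `.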
@@ -56,10 +57,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
- "CipherString" => "ECDHE",
+ "CipherString" => 'ECDHE at SECLEVEL=1',
"MaxProtocol" => "TLSv1.2",
"Curves" => $curve
},
@@ -76,10 +78,11 @@ sub generate_tests() {
name => "curve-${curve}-tls13",
server => {
"Curves" => $curve,
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
- "CipherString" => "ECDHE",
+ "CipherString" => 'ECDHE at SECLEVEL=1',
"MinProtocol" => "TLSv1.3",
"Curves" => $curve
},
diff --git a/test/ssl-tests/22-compression.cnf b/test/ssl-tests/22-compression.cnf
index c85d3129ab..a70f01b7af 100644
--- a/test/ssl-tests/22-compression.cnf
+++ b/test/ssl-tests/22-compression.cnf
@@ -21,12 +21,12 @@ client = 0-tlsv1_3-both-compress-client
[0-tlsv1_3-both-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-tlsv1_3-both-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -47,11 +47,11 @@ client = 1-tlsv1_3-client-compress-client
[1-tlsv1_3-client-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-tlsv1_3-client-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -72,12 +72,12 @@ client = 2-tlsv1_3-server-compress-client
[2-tlsv1_3-server-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-tlsv1_3-server-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -97,11 +97,11 @@ client = 3-tlsv1_3-neither-compress-client
[3-tlsv1_3-neither-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-tlsv1_3-neither-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -121,12 +121,12 @@ client = 4-tlsv1_2-both-compress-client
[4-tlsv1_2-both-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-tlsv1_2-both-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
MaxProtocol = TLSv1.2
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -148,11 +148,11 @@ client = 5-tlsv1_2-client-compress-client
[5-tlsv1_2-client-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-tlsv1_2-client-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
MaxProtocol = TLSv1.2
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -174,12 +174,12 @@ client = 6-tlsv1_2-server-compress-client
[6-tlsv1_2-server-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-tlsv1_2-server-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -200,11 +200,11 @@ client = 7-tlsv1_2-neither-compress-client
[7-tlsv1_2-neither-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-tlsv1_2-neither-compress-client]
-CipherString = DEFAULT
+CipherString = DEFAULT at SECLEVEL=1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/22-compression.cnf.in b/test/ssl-tests/22-compression.cnf.in
index 69a2e7f801..0b8f010b76 100644
--- a/test/ssl-tests/22-compression.cnf.in
+++ b/test/ssl-tests/22-compression.cnf.in
@@ -21,9 +21,11 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-both-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
test => {
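Review bot: Nothing in this file says why the compression tests pin `@SECLEVEL=1` on both peers, here and in the seven hunks that follow. According to the SSL_CTX_set_security_level documentation, level 2 disables TLS compression, so the cases that expect compression to be negotiated cannot pass at the new default; a comment such as `# Compression is disabled at security level 2 and above` above `@tests_tls1_3` would record that. With every case lowered, no test confirms that two peers which both set `"Options" => "Compression"` end up uncompressed at the default level. One extra TLS 1.2 case without the override and with `"CompressionExpected" => "No"` would cover that behaviour.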
@@ -34,8 +36,10 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-client-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
test => {
@@ -46,9 +50,11 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-server-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
test => {
"CompressionExpected" => "No",
@@ -58,8 +64,10 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-neither-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
test => {
"CompressionExpected" => "No",
@@ -71,9 +79,11 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-both-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression",
"MaxProtocol" => "TLSv1.2"
},
@@ -85,8 +95,10 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-client-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression",
"MaxProtocol" => "TLSv1.2"
},
@@ -98,9 +110,11 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-server-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"Options" => "Compression"
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"MaxProtocol" => "TLSv1.2"
},
test => {
@@ -111,8 +125,10 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-neither-compress",
server => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
},
client => {
+ "CipherString" => 'DEFAULT at SECLEVEL=1',
"MaxProtocol" => "TLSv1.2"
},
test => {
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 25dc61b876..e7a00a43e2 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -9196,7 +9196,8 @@ static int test_set_tmp_dh(int idx)
*/
static int test_dh_auto(int idx)
{
- SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
+ SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
EVP_PKEY *tmpkey = NULL;
@@ -9204,14 +9205,21 @@ static int test_dh_auto(int idx)
size_t expdhsize = 0;
const char *ciphersuite = "DHE-RSA-AES128-SHA";
+ if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
+ goto end;
+
switch (idx) {
case 0:
/* The FIPS provider doesn't support this DH size - so we ignore it */
- if (is_fips)
- return 1;
+ if (is_fips) {
+ testresult = 1;
+ goto end;
+ }
thiscert = cert1024;
thiskey = privkey1024;
expdhsize = 1024;
+ SSL_CTX_set_security_level(sctx, 1);
+ SSL_CTX_set_security_level(cctx, 1);
break;
case 1:
/* 2048 bit prime */
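Review bot: The two `SSL_CTX_set_security_level(..., 1)` calls added to `case 0` carry no explanation, and the existing comment above them only covers the FIPS skip. A line such as `/* 1024 bit keys are below the 112 bit minimum of security level 2 */` would tell the next reader why this one case is lowered while the later cases run at the default. Since the commit exists to raise the default, it is also worth asserting somewhere that the 1024-bit certificate and DH size are refused when the level is left alone. Nothing in the visible hunks does that, though `test_dh_auto` starts and ends outside them.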
@@ -9237,8 +9245,10 @@ static int test_dh_auto(int idx)
/* No certificate cases */
case 5:
/* The FIPS provider doesn't support this DH size - so we ignore it */
- if (is_fips)
- return 1;
+ if (is_fips) {
+ testresult = 1;
+ goto end;
+ }
ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
expdhsize = 1024;
break;
@@ -9251,8 +9261,8 @@ static int test_dh_auto(int idx)
goto end;
}
- if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
- TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
+ NULL,
0,
0,
&sctx, &cctx, thiscert, thiskey)))
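Review bot: Passing `NULL` for both methods only works if `create_ssl_ctx_pair` reuses the contexts already stored in `*sctx` and `*cctx`; the helper is not shown here, so this is inferred from the allocation now done at the top of `test_dh_auto`. A short comment before the call, `/* sctx and cctx were created above; the helper must reuse them */`, would make that dependency explicit. If the helper allocated fresh contexts instead, the level set in `case 0` would be dropped and the original contexts leaked, so the contract deserves a line in the helper's own documentation as well.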