authorNikos Mavrogiannopoulos <nmav@gnutls.org>2020-03-27 08:54:24 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2020-03-27 08:54:24 +0000
commit8492a5cea6960116705e3acd8c3f655a6577f021 (patch)
treede69ba88fb668fae86449df82fa26badfcdc6836
parent0b06c99dd730e6239db38553386a26a25c27e6cb (diff)
parent0d11fdfadba2c2b52438cd2192223999adc9dcc3 (diff)
downloadgnutls-8492a5cea6960116705e3acd8c3f655a6577f021.tar.gz
Merge branch 'better_SSL3.0_tests' into 'master'
Improve gnutls-cli-debug testing of old SSL 3.0 servers. See merge request gnutls/gnutls!1221
-rw-r--r--NEWS3
-rw-r--r--src/cli-debug.c7
-rw-r--r--src/tests.c39
-rw-r--r--src/tests.h2
4 files changed, 49 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index f9f8f5acad..48a2c0c5da 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,9 @@ gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added
+** gnutls-cli-debug: Improved support for old servers that only support
+ SSL 3.0.
+
* Version 3.6.12 (released 2020-02-01)
** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
diff --git a/src/cli-debug.c b/src/cli-debug.c
index 06e47fd55e..ece03a2729 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -85,15 +85,20 @@ static const TLS_TEST tls_tests[] = {
test_send_record_with_allow_small_records, "yes", "no", "dunno"},
#ifdef ENABLE_SSL3
{"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"},
+ {"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"},
+ {"for SSL 3.0 with cipher suites not in SSL 3.0 spec",
+ test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"},
+#endif
/* The following tests will disable TLS 1.x if the server is
* buggy */
-#endif
{"whether we need to disable TLS 1.2", test_tls_disable2, "no",
"yes", "dunno"},
{"whether we need to disable TLS 1.1", test_tls_disable1, "no",
"yes", "dunno"},
{"whether we need to disable TLS 1.0", test_tls_disable0, "no",
"yes", "dunno"},
+ /* The following test will disable extensions if the server
+ * is buggy */
{"whether %NO_EXTENSIONS is required", test_no_extensions, "no", "yes",
"dunno"},
{"whether %COMPAT is required", test_record_padding, "no", "yes",
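Review bot: The new `test_ssl3_with_extensions` table entry is written on one long line while the entry directly beneath it, and every neighbouring entry, is wrapped after the description string; splitting it the same way, `{"for SSL 3.0 with extensions", test_ssl3_with_extensions,` followed by `"yes", "no", "dunno"},` keeps the table uniform. The added comment above the `%NO_EXTENSIONS` entry reads well, though "if the server is buggy" could name the symptom the same way the TLS 1.x comment does, e.g. `/* The following test will disable extensions if the server rejects a ClientHello that carries them */`; that wording is an inference from the probe's purpose and should be confirmed against test_no_extensions.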
diff --git a/src/tests.c b/src/tests.c
index 82474b0995..8cc06347c1 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -128,9 +128,12 @@ char prio_str[768] = "";
#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS
#define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC"
+#define SSL3_CIPHERS "+ARCFOUR-128:+3DES-CBC"
#define ALL_COMP "+COMP-NULL"
#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS
+#define SSL3_MACS "+MD5:+SHA1"
#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX
+#define SSL3_KX "+RSA:+DHE-RSA:+DHE-DSS"
#define INIT_STR "NONE:"
char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST;
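Review bot: The new `SSL3_CIPHERS`, `SSL3_MACS` and `SSL3_KX` macros sit between the `ALL_*` lists with nothing saying why they are a strict subset, so a reader has to work out from the cli-debug.c table labels that they are meant to be the suites SSL 3.0 itself defines. A one-line comment above them, `/* Cipher suite components defined by SSL 3.0 (RFC 6101) itself; the plain SSL 3.0 probe uses only these so it cannot fail on a suite the server has never heard of */`, would carry that intent; the RFC 6101 correspondence is my reading of the values and should be confirmed by the author.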
@@ -608,7 +611,41 @@ test_code_t test_ssl3(gnutls_session_t session)
{
int ret;
sprintf(prio_str, INIT_STR
- ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
+ SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ SSL3_MACS ":" SSL3_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ ssl3_ok = 1;
+
+ return ret;
+}
+
+test_code_t test_ssl3_with_extensions(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
+ SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
+ SSL3_MACS ":" SSL3_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ ssl3_ok = 1;
+
+ return ret;
+}
+
+test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
+ ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
ALL_MACS ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
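Review bot: All three probes format into the fixed `prio_str[768]` with an unbounded `sprintf`, and the new `test_ssl3_unknown_ciphersuites` keeps the full `ALL_CIPHERS`/`ALL_MACS`/`ALL_KX` including their GOST suffixes, so the margin against `rest` (384 bytes) depends on macro lengths not visible in this hunk; `snprintf(prio_str, sizeof(prio_str), …)` costs nothing and makes the bound explicit. The bodies of `test_ssl3` and `test_ssl3_with_extensions` are byte-identical after the format call, so the set_direct/credentials/handshake/`ssl3_ok` tail can move into one static helper instead of being copied per probe. `test_ssl3_unknown_ciphersuites` runs past the end of the hunk, so whether it also sets `ssl3_ok` is not visible here; the sketch below assumes it shares the same tail and should be adjusted if it does not.
```c
/* Shared tail of the SSL 3.0 probes: apply the priority string already
 * built into prio_str, attach the certificate credentials and run the
 * handshake, recording ssl3_ok on success. */
static test_code_t ssl3_handshake(gnutls_session_t session)
{
	int ret;

	_gnutls_priority_set_direct(session, prio_str);
	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

	ret = test_do_handshake(session);
	if (ret == TEST_SUCCEED)
		ssl3_ok = 1;

	return ret;
}

test_code_t test_ssl3(gnutls_session_t session)
{
	/* Minimal probe: only RFC 6101 suites, no extensions. */
	snprintf(prio_str, sizeof(prio_str), INIT_STR
		 SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
		 SSL3_MACS ":" SSL3_KX ":%s", rest);
	return ssl3_handshake(session);
}

test_code_t test_ssl3_with_extensions(gnutls_session_t session)
{
	snprintf(prio_str, sizeof(prio_str), INIT_STR
		 SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
		 SSL3_MACS ":" SSL3_KX ":%s", rest);
	return ssl3_handshake(session);
}

/* … unchanged: test_ssl3_unknown_ciphersuites, same shape with ALL_CIPHERS/ALL_MACS/ALL_KX … */
```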
diff --git a/src/tests.h b/src/tests.h
index a8326019ca..d9721a70e2 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -36,6 +36,8 @@ test_code_t test_dhe(gnutls_session_t state);
test_code_t test_rfc7919(gnutls_session_t state);
test_code_t test_dhe_group(gnutls_session_t state);
test_code_t test_ssl3(gnutls_session_t state);
+test_code_t test_ssl3_with_extensions(gnutls_session_t state);
+test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t state);
test_code_t test_aes(gnutls_session_t state);
test_code_t test_camellia_cbc(gnutls_session_t state);
test_code_t test_camellia_gcm(gnutls_session_t state);