diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-02 09:13:40 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-06 12:52:41 +0100 |
commit | aaf286293050a4a2dbcd98d9eb2d69eca99c502a (patch) | |
tree | b8e74a52a784152ebc2d733f999e66add9e30bb7 /tests/tls13-cert-key-exchange.c | |
parent | daf6650142f63c0f602b99c92ba941ff1d9f851c (diff) | |
download | gnutls-aaf286293050a4a2dbcd98d9eb2d69eca99c502a.tar.gz |
Fallback to TLS 1.2 when incompatible with signature certs are provided
This only takes into account certificates in the credentials structure.
If certificates are provided in a callback, these must be checked by
the provider. For that we assume that the credentials structure is
filled when associated with a session; if not then the fallback mechanism
will not work and the handshake will fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/tls13-cert-key-exchange.c')
-rw-r--r-- | tests/tls13-cert-key-exchange.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c index 066c7d2fb0..3a214f9ad1 100644 --- a/tests/tls13-cert-key-exchange.c +++ b/tests/tls13-cert-key-exchange.c @@ -143,6 +143,11 @@ void doit(void) GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL); + try_with_key_fail("TLS 1.3 and TLS 1.2 with rsa encryption cert", + "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", + GNUTLS_E_SUCCESS, GNUTLS_E_SUCCESS, + &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL); + try_with_key_fail("TLS 1.3 with (forced) rsa encryption cert - client should detect", "NORMAL:-VERS-ALL:+VERS-TLS1.3:%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS", GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION, @@ -150,7 +155,7 @@ void doit(void) try_with_key_fail("TLS 1.3 with client rsa encryption cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3", - GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION, + GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_CREDENTIALS, &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key); try_with_key_fail("TLS 1.3 with (forced) client rsa encryption cert - server should detect", |