author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-11-20 11:30:22 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-11-27 12:52:23 +0100 |
commit | 8979d4072d2017c2a58d95d8d4ccb9a1790baa8b (patch) | |
tree | 364fa646f8530c83ec8a9d82b8b772c4e6de759a /tests/version-checks.c | |
parent | f7143c4eb99ddbd5bf1b972244f24a0ff7ce22e3 (diff) | |
download | gnutls-tmp-tls10-tls13-fix.tar.gz |
Prevent applications from combining legacy versions of TLS with TLS1.3
It can happen that an application, due to a misconfiguration, enables TLS1.3
in combination with TLS1.0 or TLS1.1 only. In that case a server which is
unaware of the TLS1.3 protocol will reply by selecting the TLS1.2 protocol
instead and that answer will be rejected by the client. With this change
we ensure that TLS1.3 is not enabled in these problematic scenarios.
Resolves: #621
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/version-checks.c')
-rw-r--r-- | tests/version-checks.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/version-checks.c b/tests/version-checks.c index c02bdbe79e..4f9bac2261 100644 --- a/tests/version-checks.c +++ b/tests/version-checks.c @@ -164,6 +164,13 @@ void doit(void) reset_buffers(); try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", GNUTLS_TLS1_3); reset_buffers(); + try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.0", GNUTLS_TLS1_0); + reset_buffers(); + /* similar to above test, but checks a different syntax */ + try("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.1", GNUTLS_TLS1_1); + reset_buffers(); + try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", GNUTLS_TLS1_3); + reset_buffers(); #ifdef ENABLE_SSL3 try("NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", -1); reset_buffers(); |
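Review bot: The first added case, `try("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.0", GNUTLS_TLS1_0)`, carries no comment saying why the expected version is the legacy one rather than GNUTLS_TLS1_3, and the only comment in the hunk ("similar to above test, but checks a different syntax") does not state the expectation either. A one-line comment above the first call, saying that TLS1.3 must be dropped when it is combined with only TLS1.0 or TLS1.1, would make the intent readable without the commit message. Coverage is also narrow: every added string lists +VERS-TLS1.3 before the legacy version and pairs it with exactly one other version. Consider adding a case with the order reversed (legacy version first, then +VERS-TLS1.3) and one enabling TLS1.0 and TLS1.1 together with TLS1.3 but without TLS1.2, so the check is shown not to depend on the order or number of priority-string entries. The third case (TLS1.3 with TLS1.2 expecting GNUTLS_TLS1_3) is a useful control and deserves a short comment marking it as the combination that must keep TLS1.3 enabled.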