diff options
-rw-r--r-- | cfg.mk | 1 | ||||
m--------- | gnulib | 0 | ||||
-rw-r--r-- | lib/nettle/cipher.c | 10 | ||||
-rw-r--r-- | lib/nettle/gost/gost28147.c | 19 | ||||
-rw-r--r-- | lib/nettle/mac.c | 2 | ||||
-rwxr-xr-x | tests/suite/testcompat-main-openssl | 73 |
6 files changed, 45 insertions, 60 deletions
@@ -35,6 +35,7 @@ local-checks-to-skip = sc_GPL_version sc_bindtextdomain \ sc_immutable_NEWS sc_program_name sc_prohibit_atoi_atof \ sc_prohibit_always_true_header_tests \ sc_prohibit_empty_lines_at_EOF sc_prohibit_hash_without_use \ + sc_prohibit_gnu_make_extensions \ sc_prohibit_have_config_h sc_prohibit_magic_number_exit \ sc_prohibit_strcmp sc_require_config_h \ sc_require_config_h_first sc_texinfo_acronym sc_trailing_blank \ diff --git a/gnulib b/gnulib -Subproject 07fb4954db5032be9c61af7e014521efb6f7d20 +Subproject 02c8a3da2c4462ecf78944af9f6fd2c986fa536 diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c index 28f676a480..5e9f25b2ec 100644 --- a/lib/nettle/cipher.c +++ b/lib/nettle/cipher.c @@ -166,36 +166,36 @@ _cfb_decrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst, static void _gost28147_set_key_tc26z(void *ctx, const uint8_t *key) { - gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_TC26_Z); + gost28147_set_key(ctx, key); } static void _gost28147_set_key_cpa(void *ctx, const uint8_t *key) { - gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_CryptoPro_A); + gost28147_set_key(ctx, key); } static void _gost28147_set_key_cpb(void *ctx, const uint8_t *key) { - gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_CryptoPro_B); + gost28147_set_key(ctx, key); } static void _gost28147_set_key_cpc(void *ctx, const uint8_t *key) { - gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_CryptoPro_C); + gost28147_set_key(ctx, key); } static void _gost28147_set_key_cpd(void *ctx, const uint8_t *key) { - gost28147_set_key(ctx, key); gost28147_set_param(ctx, &gost28147_param_CryptoPro_D); + gost28147_set_key(ctx, key); } static void diff --git a/lib/nettle/gost/gost28147.c b/lib/nettle/gost/gost28147.c index d6a278ab09..8d648c1045 100644 --- a/lib/nettle/gost/gost28147.c +++ b/lib/nettle/gost/gost28147.c @@ -2292,25 +2292,18 @@ static void gost28147_key_mesh_cryptopro(struct gost28147_ctx *ctx) ctx->key_count = 0; } -static void -_gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) +void +gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) { unsigned i; + assert(key); for (i = 0; i < 8; i++, key += 4) ctx->key[i] = LE_READ_UINT32(key); ctx->key_count = 0; } void -gost28147_set_key(struct gost28147_ctx *ctx, const uint8_t *key) -{ - assert(key); - _gost28147_set_key(ctx, key); - gost28147_set_param(ctx, &gost28147_param_TC26_Z); -} - -void gost28147_set_param(struct gost28147_ctx *ctx, const struct gost28147_param *param) { assert(param); @@ -2419,8 +2412,8 @@ gost28147_cnt_init(struct gost28147_cnt_ctx *ctx, const uint8_t *key, const struct gost28147_param *param) { - gost28147_set_key(&ctx->ctx, key); gost28147_set_param(&ctx->ctx, param); + gost28147_set_key(&ctx->ctx, key); ctx->bytes = 0; } @@ -2487,10 +2480,8 @@ gost28147_imit_set_key(struct gost28147_imit_ctx *ctx, assert(length == GOST28147_IMIT_KEY_SIZE); assert(key); - _gost28147_set_key(&ctx->cctx, key); _gost28147_imit_reinit(ctx); - if (!ctx->cctx.sbox) - gost28147_set_param(&ctx->cctx, &gost28147_param_TC26_Z); + gost28147_set_key(&ctx->cctx, key); } void diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c index f997cf3d46..4e14a9475b 100644 --- a/lib/nettle/mac.c +++ b/lib/nettle/mac.c @@ -140,8 +140,8 @@ struct nettle_mac_ctx { static void _wrap_gost28147_imit_set_key_tc26z(void *ctx, size_t len, const uint8_t * key) { - gost28147_imit_set_key(ctx, len, key); gost28147_imit_set_param(ctx, &gost28147_param_TC26_Z); + gost28147_imit_set_key(ctx, len, key); } #endif diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index 197243086a..9c50a652b5 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -74,7 +74,6 @@ NO_TLS1_2=$? test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2" - ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1 if test $? = 0;then NO_DH_PARAMS=0 @@ -82,18 +81,8 @@ else NO_DH_PARAMS=1 fi -# Do not use DSS or curves <=256 bits in 1.1.1+ because these -# are not accepted by openssl on debian. -${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1 -if test $? = 0;then - NO_DSS=1 - FIPS_CURVES=1 -else - ${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 - NO_DSS=$? -fi - -test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled" +${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 +NO_DSS=$? if test $NO_DSS != 0;then echo "Disabling interop tests for DSS ciphersuites" @@ -121,6 +110,10 @@ NO_NULL=$? test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites" +${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1 +NO_PRIME192v1=$? + +test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam" if test "${NO_DH_PARAMS}" = 0;then OPENSSL_DH_PARAMS_OPT="" @@ -218,7 +211,7 @@ run_client_suite() { #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -267,9 +260,9 @@ run_client_suite() { kill ${PID} wait - if test "${FIPS_CURVES}" != 1; then + if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -283,7 +276,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -298,7 +291,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -312,7 +305,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -326,7 +319,7 @@ run_client_suite() { #-cipher PSK eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null PID=$! wait_server ${PID} @@ -341,7 +334,7 @@ run_client_suite() { # Tests requiring openssl 1.0.1 - TLS 1.2 #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -442,7 +435,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -455,7 +448,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -469,7 +462,7 @@ run_client_suite() { if test "${NO_DSS}" = 0; then eval "${GETPORT}" - launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -483,7 +476,7 @@ run_client_suite() { fi eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -495,7 +488,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -508,7 +501,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -628,7 +621,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -641,7 +634,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -655,7 +648,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-RSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -669,7 +662,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -683,7 +676,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -696,7 +689,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -710,7 +703,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -724,7 +717,7 @@ run_server_suite() { wait_server ${PID} #-cipher PSK-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ fail ${PID} "Failed" kill ${PID} @@ -763,7 +756,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -805,7 +798,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -875,7 +868,7 @@ run_server_suite() { PID=$! wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -889,7 +882,7 @@ run_server_suite() { wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -903,7 +896,7 @@ run_server_suite() { wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} |