if (vers == TLS1_2_VERSION
&& ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
*dgrd = DOWNGRADE_TO_1_2;
- } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
- && (ssl_version_supported(s, TLS1_2_VERSION, NULL)
- || ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
+ } else if (!SSL_IS_DTLS(s)
+ && vers < TLS1_2_VERSION
+ /*
+ * We need to ensure that a server that disables TLSv1.2
+ * (creating a hole between TLSv1.3 and TLSv1.1) can still
+ * complete handshakes with clients that support TLSv1.2 and
+ * below. Therefore we do not enable the sentinel if TLSv1.3 is
+ * enabled and TLSv1.2 is not.
+ */
+ && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
*dgrd = DOWNGRADE_TO_1_1;
} else {
*dgrd = DOWNGRADE_NONE;
$proxy->filter(\&downgrade_filter);
my $testtype = DOWNGRADE_TO_TLS_1_2;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 5;
+plan tests => 6;
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");
#Test 2: Downgrade from TLSv1.3 to TLSv1.1
"Fallback from TLSv1.3");
SKIP: {
- skip "TLSv1.1 disabled", 1 if disabled("tls1_1");
- #Test 5: A protocol "hole" should not be detected as a downgrade
+ skip "TLSv1.1 disabled", 2 if disabled("tls1_1");
+ #Test 5: A client side protocol "hole" should not be detected as a downgrade
$proxy->clear();
$proxy->filter(undef);
$proxy->clientflags("-no_tls1_2");
$proxy->start();
- ok(TLSProxy::Message->success(), "TLSv1.2 protocol hole");
+ ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");
+
+ #Test 6: A server side protocol "hole" should not be detected as a downgrade
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->serverflags("-no_tls1_2");
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
}
sub downgrade_filter
projects / oweals / openssl.git / commitdiff