int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
{
int i;
- size_t totlen = 0, len, maxlen;
+ size_t totlen = 0, len, maxlen, maxverok = 0;
int empty_reneg_info_scsv = !s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
return 0;
}
+ /* Sanity check that the maximum version we offer has ciphers enabled */
+ if (!maxverok) {
+ if (SSL_IS_DTLS(s)) {
+ if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
+ && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
+ maxverok = 1;
+ } else {
+ if (c->max_tls >= s->s3->tmp.max_ver
+ && c->min_tls <= s->s3->tmp.max_ver)
+ maxverok = 1;
+ }
+ }
+
totlen += len;
}
- if (totlen == 0) {
+ if (totlen == 0 || !maxverok) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
+
+ if (!maxverok)
+ ERR_add_error_data(1, "No ciphers enabled for max supported "
+ "SSL/TLS version");
+
return 0;
}
[0-curve-sect163k1-client]
CipherString = ECDHE
Curves = sect163k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[1-curve-sect163r1-client]
CipherString = ECDHE
Curves = sect163r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[2-curve-sect163r2-client]
CipherString = ECDHE
Curves = sect163r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[3-curve-sect193r1-client]
CipherString = ECDHE
Curves = sect193r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[4-curve-sect193r2-client]
CipherString = ECDHE
Curves = sect193r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[5-curve-sect233k1-client]
CipherString = ECDHE
Curves = sect233k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[6-curve-sect233r1-client]
CipherString = ECDHE
Curves = sect233r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[7-curve-sect239k1-client]
CipherString = ECDHE
Curves = sect239k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[8-curve-sect283k1-client]
CipherString = ECDHE
Curves = sect283k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[9-curve-sect283r1-client]
CipherString = ECDHE
Curves = sect283r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[10-curve-sect409k1-client]
CipherString = ECDHE
Curves = sect409k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[11-curve-sect409r1-client]
CipherString = ECDHE
Curves = sect409r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[12-curve-sect571k1-client]
CipherString = ECDHE
Curves = sect571k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[13-curve-sect571r1-client]
CipherString = ECDHE
Curves = sect571r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[14-curve-secp160k1-client]
CipherString = ECDHE
Curves = secp160k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[15-curve-secp160r1-client]
CipherString = ECDHE
Curves = secp160r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[16-curve-secp160r2-client]
CipherString = ECDHE
Curves = secp160r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[17-curve-secp192k1-client]
CipherString = ECDHE
Curves = secp192k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[18-curve-prime192v1-client]
CipherString = ECDHE
Curves = prime192v1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[19-curve-secp224k1-client]
CipherString = ECDHE
Curves = secp224k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[20-curve-secp224r1-client]
CipherString = ECDHE
Curves = secp224r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[21-curve-secp256k1-client]
CipherString = ECDHE
Curves = secp256k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[22-curve-prime256v1-client]
CipherString = ECDHE
Curves = prime256v1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[23-curve-secp384r1-client]
CipherString = ECDHE
Curves = secp384r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[24-curve-secp521r1-client]
CipherString = ECDHE
Curves = secp521r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[25-curve-brainpoolP256r1-client]
CipherString = ECDHE
Curves = brainpoolP256r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[26-curve-brainpoolP384r1-client]
CipherString = ECDHE
Curves = brainpoolP384r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[27-curve-brainpoolP512r1-client]
CipherString = ECDHE
Curves = brainpoolP512r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[28-curve-X25519-client]
CipherString = ECDHE
Curves = X25519
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
foreach (0..$#curves) {
my $curve = $curves[$_];
push @tests, {
- name => "curve-${curve}",
+ name => "curve-${curve}",
server => {
"Curves" => $curve,
# TODO(TLS1.3): Can we get this to work for TLSv1.3?
"MaxProtocol" => "TLSv1.2"
},
client => {
- "CipherString" => "ECDHE",
+ "CipherString" => "ECDHE",
+ "MaxProtocol" => "TLSv1.2",
"Curves" => $curve
},
test => {
[6-renegotiate-aead-to-non-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-renegotiate-aead-to-non-aead-client]
CipherString = AES128-GCM-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[7-renegotiate-non-aead-to-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-renegotiate-non-aead-to-aead-client]
CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[8-renegotiate-non-aead-to-non-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-renegotiate-non-aead-to-non-aead-client]
CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[9-renegotiate-aead-to-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-renegotiate-aead-to-aead-client]
CipherString = AES128-GCM-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
name => "renegotiate-aead-to-non-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-GCM-SHA256",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES128-SHA"
}
name => "renegotiate-non-aead-to-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES128-GCM-SHA256"
}
name => "renegotiate-non-aead-to-non-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES256-SHA"
}
name => "renegotiate-aead-to-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-GCM-SHA256",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES256-GCM-SHA384"
}
[3-disable-encrypt-then-mac-server-sha2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = -EncryptThenMac
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-disable-encrypt-then-mac-server-sha2-client]
CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
name => "disable-encrypt-then-mac-server-sha2",
server => {
"Options" => "-EncryptThenMac",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA256",
+ "MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "Success",
[0-ECDSA CipherString Selection-client]
CipherString = aECDSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[1-RSA CipherString Selection-client]
CipherString = aRSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[2-ECDSA CipherString Selection, no ECDSA certificate-client]
CipherString = aECDSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
server => $server,
client => {
"CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "P-256",
server => $server,
client => {
"CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "RSA",
"MaxProtocol" => "TLSv1.2"
},
client => {
- "CipherString" => "aECDSA"
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "ServerFail"