__owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello);
__owur int ssl_choose_client_version(SSL *s, int version);
-int ssl_get_client_min_max_version(const SSL *s, int *min_version,
- int *max_version);
+int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
}
if ((context & EXT_CLIENT_HELLO) != 0) {
- reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
goto err;
return 0;
}
- reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
return 0;
return 0;
if (s->server) {
+ STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
+ int i, ver_min, ver_max, ok = 0;
+
+ /*
+ * Sanity check that the maximum version we accept has ciphers
+ * enabled. For clients we do this check during construction of the
+ * ClientHello.
+ */
+ if (ssl_get_min_max_version(s, &ver_min, &ver_max) != 0) {
+ SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+ const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
+
+ if (SSL_IS_DTLS(s)) {
+ if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
+ DTLS_VERSION_LE(ver_max, c->max_dtls))
+ ok = 1;
+ } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
+ ok = 1;
+ }
+ if (ok)
+ break;
+ }
+ if (!ok) {
+ SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, SSL_R_NO_CIPHERS_AVAILABLE);
+ ERR_add_error_data(1, "No ciphers enabled for max supported "
+ "SSL/TLS version");
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return 0;
+ }
if (SSL_IS_FIRST_HANDSHAKE(s)) {
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
}
/*
- * ssl_get_client_min_max_version - get minimum and maximum client version
+ * ssl_get_min_max_version - get minimum and maximum protocol version
* @s: The SSL connection
* @min_version: The minimum supported version
* @max_version: The maximum supported version
* Returns 0 on success or an SSL error reason number on failure. On failure
* min_version and max_version will also be set to 0.
*/
-int ssl_get_client_min_max_version(const SSL *s, int *min_version,
- int *max_version)
+int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version)
{
int version;
int hole;
{
int ver_min, ver_max, ret;
- ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
+ ret = ssl_get_min_max_version(s, &ver_min, &ver_max);
if (ret != 0)
return ret;
s->s3->tmp.mask_a = 0;
s->s3->tmp.mask_k = 0;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
- ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
+ ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
#ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
skip "No EC support in this OpenSSL build", 1 if disabled("ec");
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-no_tls1_3");
$proxy->ciphers("ECDHE-RSA-AES128-SHA");
$proxy->start();
checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
VerifyMode = Peer
[test-0]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-6]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-24]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-25]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-156]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-162]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-180]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-181]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-624]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-630]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-648]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-649]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-650]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-656]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-674]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
VerifyMode = Peer
[test-675]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
[0-srp-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-srp-client]
[1-srp-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-srp-bad-password-client]
[2-srp-auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-srp-auth-client]
[3-srp-auth-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-srp-auth-bad-password-client]
our @tests = (
{
- name => "srp",
- server => {
- "CipherString" => "SRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp",
+ server => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
},
- client => {
- "CipherString" => "SRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
- },
- test => {
- "ExpectedResult" => "Success"
- },
},
{
- name => "srp-bad-password",
- server => {
- "CipherString" => "SRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-bad-password",
+ server => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
},
- client => {
- "CipherString" => "SRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "passw0rd",
- },
- },
- test => {
- # Server fails first with bad client Finished.
- "ExpectedResult" => "ServerFail"
- },
},
{
- name => "srp-auth",
- server => {
- "CipherString" => "aSRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-auth",
+ server => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
},
- client => {
- "CipherString" => "aSRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
- },
- test => {
- "ExpectedResult" => "Success"
- },
},
{
- name => "srp-auth-bad-password",
- server => {
- "CipherString" => "aSRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-auth-bad-password",
+ server => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
},
- client => {
- "CipherString" => "aSRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "passw0rd",
- },
- },
- test => {
- # Server fails first with bad client Finished.
- "ExpectedResult" => "ServerFail"
- },
},
-);
\ No newline at end of file
+);
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
- if ($c_min > $c_max) {
+ if ($c_min > $c_max && $s_min > $s_max) {
+ # Client will fail to send a hello and server will fail to start. The
+ # client failed first so this is reported as ClientFail.
+ return ("ClientFail", undef);
+ } elsif ($c_min > $c_max) {
# Client should fail to even send a hello.
# This results in an internal error since the server will be
# waiting for input that never arrives.