From 54d028aa0f5dc50ec64a8d99ed43b81519b0443b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 29 Nov 2016 09:49:04 +0000 Subject: [PATCH] Fix mac-then-encrypt test with enable-tls1_3 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Commit b3618f44 added a test for mac-then-encrypt. However the test fails when running with "enable-tls1_3". The problem is that the test creates a connection, which ends up being TLSv1.3. However it also restricts the ciphers to a single mac-then-encrypt ciphersuite that is not TLSv1.3 compatible so the connection aborts and the test fails. Mac-then-encrypt is not relevant to TLSv1.3, so the test should disable that protocol version. Reviewed-by: Emilia Käsper --- test/recipes/80-test_ssl_new.t | 3 +++ test/ssl-tests/19-mac-then-encrypt.conf | 6 ++++++ test/ssl-tests/19-mac-then-encrypt.conf.in | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index de94495e0d..7b624acd22 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -39,7 +39,9 @@ my $is_default_tls = (disabled("ssl3") && !disabled("tls1") && my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2")); +my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2"); my $no_tls = alldisabled(available_protocols("tls")); +my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3); my $no_dtls = alldisabled(available_protocols("dtls")); my $no_npn = disabled("nextprotoneg"); my $no_ct = disabled("ct"); @@ -76,6 +78,7 @@ my %skip = ( "15-certstatus.conf" => $no_tls || $no_ocsp, "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp, "18-dtls-renegotiate.conf" => $no_dtls, + "19-mac-then-encrypt.conf" => $no_pre_tls1_3 ); foreach my $conf (@conf_files) { diff --git a/test/ssl-tests/19-mac-then-encrypt.conf b/test/ssl-tests/19-mac-then-encrypt.conf index 40480edbf8..bba44d1703 100644 --- a/test/ssl-tests/19-mac-then-encrypt.conf +++ b/test/ssl-tests/19-mac-then-encrypt.conf @@ -25,6 +25,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-disable-encrypt-then-mac-server-sha-client] CipherString = AES128-SHA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -48,6 +49,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-disable-encrypt-then-mac-client-sha-client] CipherString = AES128-SHA +MaxProtocol = TLSv1.2 Options = -EncryptThenMac VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -73,6 +75,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-disable-encrypt-then-mac-both-sha-client] CipherString = AES128-SHA +MaxProtocol = TLSv1.2 Options = -EncryptThenMac VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -93,6 +96,7 @@ client = 3-disable-encrypt-then-mac-server-sha2-client [3-disable-encrypt-then-mac-server-sha2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +MaxProtocol = TLSv1.2 Options = -EncryptThenMac PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -121,6 +125,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-disable-encrypt-then-mac-client-sha2-client] CipherString = AES128-SHA256 +MaxProtocol = TLSv1.2 Options = -EncryptThenMac VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -146,6 +151,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-disable-encrypt-then-mac-both-sha2-client] CipherString = AES128-SHA256 +MaxProtocol = TLSv1.2 Options = -EncryptThenMac VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in index 01afe251a7..096423bde2 100644 --- a/test/ssl-tests/19-mac-then-encrypt.conf.in +++ b/test/ssl-tests/19-mac-then-encrypt.conf.in @@ -19,6 +19,7 @@ our @tests = ( }, client => { "CipherString" => "AES128-SHA", + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedResult" => "Success", @@ -31,6 +32,7 @@ our @tests = ( client => { "CipherString" => "AES128-SHA", "Options" => "-EncryptThenMac", + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedResult" => "Success", @@ -44,6 +46,7 @@ our @tests = ( client => { "CipherString" => "AES128-SHA", "Options" => "-EncryptThenMac", + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedResult" => "Success", @@ -53,6 +56,7 @@ our @tests = ( name => "disable-encrypt-then-mac-server-sha2", server => { "Options" => "-EncryptThenMac", + "MaxProtocol" => "TLSv1.2" }, client => { "CipherString" => "AES128-SHA256", @@ -68,6 +72,7 @@ our @tests = ( client => { "CipherString" => "AES128-SHA256", "Options" => "-EncryptThenMac", + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedResult" => "Success", @@ -81,6 +86,7 @@ our @tests = ( client => { "CipherString" => "AES128-SHA256", "Options" => "-EncryptThenMac", + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedResult" => "Success", -- 2.25.1