From 975922fd0c6a3089a49b9bcdcd77c672d97e36b2 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 26 Apr 2017 11:43:05 +0100 Subject: [PATCH] Add tests for version/ciphersuite sanity checks The previous commits added sanity checks for where the max enabled protocol version does not have any configured ciphersuites. We should check that we fail in those circumstances. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/3316) --- test/ssl-tests/protocol_version.pm | 31 ++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index f0b3030342..edc0dd2962 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -129,6 +129,37 @@ sub generate_version_tests { } } } + return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls; + + #Add some version/ciphersuite sanity check tests + push @tests, { + "name" => "ciphersuite-sanity-check-client", + "client" => { + #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail + "CipherString" => "AES128-SHA", + }, + "server" => { + "MaxProtocol" => "TLSv1.2" + }, + "test" => { + "ExpectedResult" => "ClientFail", + } + }; + push @tests, { + "name" => "ciphersuite-sanity-check-server", + "client" => { + "CipherString" => "AES128-SHA", + "MaxProtocol" => "TLSv1.2" + }, + "server" => { + #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail + "CipherString" => "AES128-SHA", + }, + "test" => { + "ExpectedResult" => "ServerFail", + } + }; + return @tests; } -- 2.25.1