author | Péter Dimitrov <peterdmv@erlang.org> | 2020-04-01 12:31:04 +0200 |
---|---|---|
committer | Péter Dimitrov <peterdmv@erlang.org> | 2020-04-01 12:31:04 +0200 |
commit | 54aad59898321ae57b282519268ebff895beb37d (patch) | |
tree | 2e7ef44086ad6acf467293f03ece9eff0bb14369 | |
parent | dbe913ff43218cb4e3ab27b285d69392f09651e7 (diff) | |
parent | 8efcbfa9e1f99304edae66c0ff9cf446024b0f19 (diff) | |
Merge branch 'peterdmv/ssl/cuddle-ft'
* peterdmv/ssl/cuddle-ft:
ssl: Fix the ssl_cipher_suite_SUITE
ssl: Fix the ssl_api_SUITE
ssl: Fix the openssl_cipher_suite_SUITE
ssl: Add cleanup to testcases in ssl_app_env_SUITE
ssl: Improve tests for TLS 1.3 support
ssl: Fix the ssl_app_env_SUITE
ssl: Fix the openssl_sni_SUITE
ssl: Fix the openssl_server_cert_SUITE
ssl: Fix the openssl_renegotiate_SUITE
ssl: Fix the openssl_alpn_SUITE
ssl: Fix the openssl_client_cert_SUITE
ssl: Fix the openssl_session_ticket_SUITE
-rw-r--r-- | lib/ssl/src/tls_record.erl | 43 | ||||
-rw-r--r-- | lib/ssl/test/openssl_alpn_SUITE.erl | 37 | ||||
-rw-r--r-- | lib/ssl/test/openssl_cipher_suite_SUITE.erl | 33 | ||||
-rw-r--r-- | lib/ssl/test/openssl_client_cert_SUITE.erl | 22 | ||||
-rw-r--r-- | lib/ssl/test/openssl_npn_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/openssl_renegotiate_SUITE.erl | 10 | ||||
-rw-r--r-- | lib/ssl/test/openssl_server_cert_SUITE.erl | 21 | ||||
-rw-r--r-- | lib/ssl/test/openssl_sni_SUITE.erl | 24 | ||||
-rw-r--r-- | lib/ssl/test/ssl_api_SUITE.erl | 37 | ||||
-rw-r--r-- | lib/ssl/test/ssl_app_env_SUITE.erl | 31 | ||||
-rw-r--r-- | lib/ssl/test/ssl_cipher_suite_SUITE.erl | 17 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 40 |
12 files changed, 128 insertions, 189 deletions
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index f246a69c9f..dfdc0bd50b 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -387,17 +387,40 @@ sufficient_crypto_support(CryptoSupport, 'tlsv1.2') -> andalso (proplists:get_bool(ecdsa, PKeys) orelse proplists:get_bool(rsa, PKeys) orelse proplists:get_bool(dss, PKeys)) andalso - (proplists:get_bool(ecdh, PKeys) orelse proplists:get_bool(dh, PKeys)); + (proplists:get_bool(ecdh, PKeys) orelse proplists:get_bool(dh, PKeys)); + +%% A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 +%% [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 +%% [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see +%% Appendix B.4). +%% +%% A TLS-compliant application MUST support digital signatures with +%% rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for +%% CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A +%% TLS-compliant application MUST support key exchange with secp256r1 +%% (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748]. sufficient_crypto_support(CryptoSupport, 'tlsv1.3') -> - Hashes = proplists:get_value(hashs, CryptoSupport), - PKeys = proplists:get_value(public_keys, CryptoSupport), - proplists:get_bool(sha256, Hashes) - andalso - proplists:get_bool(aes_gcm, proplists:get_value(ciphers, CryptoSupport)) - andalso - (proplists:get_bool(ecdsa, PKeys) orelse proplists:get_bool(rsa, PKeys)) %% TODO: orelse proplists:get_bool(eddsa, PKeys)) - andalso - (proplists:get_bool(ecdh, PKeys) orelse proplists:get_bool(dh, PKeys)). 
+ Fun = fun({Group, Algorithm}) -> + is_algorithm_supported(CryptoSupport, Group, Algorithm) + end, + L = [{ciphers, aes_gcm}, %% TLS_AES_*_GCM_* + {ciphers, chacha20_poly1305}, %% TLS_CHACHA20_POLY1305_SHA256 + {hashs, sha256}, %% TLS_AES_128_GCM_SHA256 + {hashs, sha384}, %% TLS_AES_256_GCM_SHA384 + {rsa_opts, rsa_pkcs1_padding}, %% rsa_pkcs1_sha256 + {rsa_opts, rsa_pkcs1_pss_padding}, %% rsa_pss_rsae_* + {rsa_opts, rsa_pss_saltlen}, %% rsa_pss_rsae_* + {public_keys, ecdh}, + {public_keys, dh}, + {public_keys, rsa}, + {public_keys, ecdsa}, + %% {public_keys, eddsa}, %% TODO + {curves, secp256r1}, %% key exchange with secp256r1 + {curves, x25519}], %% key exchange with X25519 + lists:all(Fun, L). + +is_algorithm_supported(CryptoSupport, Group, Algorithm) -> + proplists:get_bool(Algorithm, proplists:get_value(Group, CryptoSupport)). -spec is_acceptable_version(tls_version()) -> boolean(). is_acceptable_version({N,_}) diff --git a/lib/ssl/test/openssl_alpn_SUITE.erl b/lib/ssl/test/openssl_alpn_SUITE.erl index 48659b5305..fc18d053aa 100644 --- a/lib/ssl/test/openssl_alpn_SUITE.erl +++ b/lib/ssl/test/openssl_alpn_SUITE.erl @@ -118,30 +118,10 @@ end_per_suite(_Config) -> ssl_test_lib:kill_openssl(). init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:supports_ssl_tls_version(GroupName) of - true -> - case ssl_test_lib:check_sane_openssl_version(GroupName) of - true -> - ssl_test_lib:init_tls_version(GroupName, Config); - false -> - {skip, openssl_does_not_support_version} - end; - false -> - {skip, openssl_does_not_support_version} - end; - _ -> - Config - end. + ssl_test_lib:init_per_group_openssl(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(TestCase, Config) -> ct:timetrap({seconds, 30}), 
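Review bot: `is_algorithm_supported/3` passes the result of `proplists:get_value(Group, CryptoSupport)` straight to `proplists:get_bool/2`, so if the support list lacks one of the groups named in the new list (`rsa_opts` and `curves` are new here), the value is `undefined` and the check raises instead of returning false. `proplists:get_value(Group, CryptoSupport, [])` keeps the answer a boolean. The list in the 'tlsv1.3' clause also makes `chacha20_poly1305`, `sha384` and `x25519` mandatory, although the comment above it quotes those as SHOULD, so TLS 1.3 would be reported as unsupported on a crypto build that lacks only those. If that is intended, a comment next to the list should say so; otherwise restrict `lists:all/2` to the MUST entries.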
@@ -149,14 +129,19 @@ init_per_testcase(TestCase, Config) -> special_init(erlang_client_alpn_openssl_server_alpn_renegotiate, Config) -> {ok, Version} = application:get_env(ssl, protocol_version), - ssl_test_lib:check_sane_openssl_renegotaite(Config, Version); + case ssl_test_lib:check_sane_openssl_renegotaite(Config, Version) of + {skip, _} = Skip -> + Skip; + Config -> + ssl_test_lib:openssl_allows_server_renegotiate(Config) + end; special_init(erlang_server_alpn_openssl_client_alpn_renegotiate, Config) -> {ok, Version} = application:get_env(ssl, protocol_version), case ssl_test_lib:check_sane_openssl_renegotaite(Config, Version) of + {skip, _} = Skip -> + Skip; Config -> - ssl_test_lib:openssl_allows_client_renegotaite(Config); - Skip -> - Skip + ssl_test_lib:openssl_allows_client_renegotiate(Config) end; special_init(_, Config) -> Config. diff --git a/lib/ssl/test/openssl_cipher_suite_SUITE.erl b/lib/ssl/test/openssl_cipher_suite_SUITE.erl index 88ac205b4c..f143444402 100644 --- a/lib/ssl/test/openssl_cipher_suite_SUITE.erl +++ b/lib/ssl/test/openssl_cipher_suite_SUITE.erl 
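Review bot: The `case` added to the first `special_init` clause still calls `ssl_test_lib:check_sane_openssl_renegotaite/2`, the misspelled name that the ssl_test_lib.erl section of this diff renames to `check_sane_openssl_renegotiate`. The second clause here and the context line in the openssl_npn_SUITE.erl hunk do the same. Unless the old name is still defined outside the visible hunks, these calls fail with `undef` when the test case is initialised. They should read `ssl_test_lib:check_sane_openssl_renegotiate(Config, Version)`.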
@@ -217,24 +217,14 @@ end_per_suite(_Config) -> ssl_test_lib:kill_openssl(). %%-------------------------------------------------------------------- -init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:supports_ssl_tls_version(GroupName) of - true -> - case ssl_test_lib:check_sane_openssl_version(GroupName) of - true -> - ssl_test_lib:init_tls_version(GroupName, Config), - do_init_per_group(GroupName, Config); - false -> - {skip, openssl_does_not_support_version} - end; - false -> - {skip, {openssl_does_not_support, GroupName}} - end; - false -> - do_init_per_group(GroupName, Config) - end. +init_per_group(GroupName, Config0) -> + case ssl_test_lib:init_per_group(GroupName, Config0) of + {skip, _} = Skip -> + Skip; + Config -> + do_init_per_group(GroupName, Config) + end. + do_init_per_group(openssl_client, Config0) -> Config = proplists:delete(server_type, proplists:delete(client_type, Config0)), [{client_type, openssl}, {server_type, erlang} | Config]; @@ -301,12 +291,7 @@ do_init_per_group(GroupName, Config0) -> end. end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(TestCase, Config) when TestCase == psk_3des_ede_cbc; TestCase == srp_anon_3des_ede_cbc; diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl index a094b8ab39..d04ba601cf 100644 --- a/lib/ssl/test/openssl_client_cert_SUITE.erl +++ b/lib/ssl/test/openssl_client_cert_SUITE.erl 
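Review bot: The rewritten `init_per_group/2` delegates to `ssl_test_lib:init_per_group/2`, whereas the other openssl_* suites changed in this diff use `ssl_test_lib:init_per_group_openssl/2`. The removed code called `ssl_test_lib:check_sane_openssl_version(GroupName)` and skipped the group when the installed OpenSSL lacked the version. The body of `init_per_group/2` is not visible on this page, so if it does not perform that check, version groups would now run against an OpenSSL that cannot negotiate them and fail rather than skip. Consider `case ssl_test_lib:init_per_group_openssl(GroupName, Config0) of`, or a comment explaining why the OpenSSL check is unnecessary for this suite.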
@@ -203,27 +203,11 @@ init_per_group(Group, Config0) when Group == dsa -> {skip, "Missing DSS crypto support"} end; init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:check_sane_openssl_version(GroupName) of - true -> - [{version, GroupName} - | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing openssl support"} - end; - _ -> - ssl:start(), - Config - end. + ssl_test_lib:init_per_group_openssl(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). + init_per_testcase(TestCase, Config) when TestCase == client_auth_empty_cert_accepted; TestCase == client_auth_empty_cert_rejected -> diff --git a/lib/ssl/test/openssl_npn_SUITE.erl b/lib/ssl/test/openssl_npn_SUITE.erl index 7322e228bd..11b2e46358 100644 --- a/lib/ssl/test/openssl_npn_SUITE.erl +++ b/lib/ssl/test/openssl_npn_SUITE.erl @@ -124,7 +124,7 @@ special_init(erlang_server_openssl_client_npn_renegotiate, Config) -> {ok, Version} = application:get_env(ssl, protocol_version), case ssl_test_lib:check_sane_openssl_renegotaite(Config, Version) of Config -> - ssl_test_lib:openssl_allows_client_renegotaite(Config); + ssl_test_lib:openssl_allows_client_renegotiate(Config); Skip -> Skip end; diff --git a/lib/ssl/test/openssl_renegotiate_SUITE.erl b/lib/ssl/test/openssl_renegotiate_SUITE.erl index f548b75abe..78cd4446fc 100644 --- a/lib/ssl/test/openssl_renegotiate_SUITE.erl +++ b/lib/ssl/test/openssl_renegotiate_SUITE.erl 
@@ -102,9 +102,9 @@ init_per_group(GroupName, Config) -> true -> case ssl_test_lib:check_sane_openssl_version(GroupName) of true -> - ssl_test_lib:check_sane_openssl_renegotaite(ssl_test_lib:init_tls_version(GroupName, - Config), - GroupName); + ssl_test_lib:check_sane_openssl_renegotiate( + ssl_test_lib:init_tls_version(GroupName, Config), + GroupName); false -> {skip, openssl_does_not_support_version} end; @@ -124,8 +124,8 @@ end_per_group(GroupName, Config) -> end. init_per_testcase(erlang_client_openssl_server_nowrap_seqnum, Config) -> ct:timetrap(?DEFAULT_TIMEOUT), - ssl_test_lib:openssl_allows_client_renegotaite(Config); -init_per_testcase(TestCase, Config) -> + ssl_test_lib:openssl_allows_client_renegotiate(Config); +init_per_testcase(_TestCase, Config) -> ct:timetrap(?DEFAULT_TIMEOUT), Config. diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl index b0713ab37d..9d8e095460 100644 --- a/lib/ssl/test/openssl_server_cert_SUITE.erl +++ b/lib/ssl/test/openssl_server_cert_SUITE.erl @@ -240,27 +240,10 @@ init_per_group(Group, Config0) when Group == dsa -> {skip, "Missing DSS crypto support"} end; init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:check_sane_openssl_version(GroupName) of - true -> - [{version, GroupName} - | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing openssl support"} - end; - _ -> - ssl:start(), - Config - end. + ssl_test_lib:init_per_group_openssl(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(_TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), diff --git a/lib/ssl/test/openssl_sni_SUITE.erl b/lib/ssl/test/openssl_sni_SUITE.erl index 446f62d950..3010eabf4e 100644 
--- a/lib/ssl/test/openssl_sni_SUITE.erl +++ b/lib/ssl/test/openssl_sni_SUITE.erl @@ -118,30 +118,10 @@ end_per_suite(_Config) -> ssl_test_lib:kill_openssl(). init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:supports_ssl_tls_version(GroupName) of - true -> - case ssl_test_lib:check_sane_openssl_version(GroupName) of - true -> - ssl_test_lib:init_tls_version(GroupName, Config); - false -> - {skip, openssl_does_not_support_version} - end; - false -> - {skip, openssl_does_not_support_version} - end; - _ -> - Config - end. + ssl_test_lib:init_per_group_openssl(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(_TestCase, Config) -> ct:timetrap({seconds, 10}), diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index b656f38644..a80363227f 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl 
@@ -159,29 +159,17 @@ end_per_suite(_Config) -> application:unload(ssl), application:stop(crypto). - -init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - [{client_type, erlang}, - {server_type, erlang} | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing crypto support"} - end; - _ -> - ssl:start(), - Config +init_per_group(GroupName, Config0) -> + case ssl_test_lib:init_per_group(GroupName, Config0) of + {skip, _} = Skip -> + Skip; + Config -> + [{client_type, erlang}, + {server_type, erlang}|Config] end. end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(prf, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), @@ -200,6 +188,15 @@ init_per_testcase(prf, Config) -> {md5sha, <<63,136,3,217,205,123,200,177,251,211,17,229,132,4,173,80>>}], TestPlan = prf_create_plan([Version], PRFS, ExpectedPrfResults), [{prf_test_plan, TestPlan} | Config]; +init_per_testcase(handshake_continue_tls13_client, Config) -> + case ssl_test_lib:sufficient_crypto_support('tlsv1.3') of + true -> + ssl_test_lib:ct_log_supported_protocol_versions(Config), + ct:timetrap({seconds, 10}), + Config; + false -> + {skip, "Missing crypto support: TLS 1.3 not supported"} + end; init_per_testcase(_TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), ct:timetrap({seconds, 10}), diff --git a/lib/ssl/test/ssl_app_env_SUITE.erl b/lib/ssl/test/ssl_app_env_SUITE.erl index 233985c729..b0ce8ef1f3 100644 --- a/lib/ssl/test/ssl_app_env_SUITE.erl +++ b/lib/ssl/test/ssl_app_env_SUITE.erl 
@@ -74,33 +74,22 @@ end_per_suite(_Config) -> application:unload(ssl), application:stop(crypto). - -init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - [{client_type, erlang}, - {server_type, erlang} | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing crypto support"} - end; - _ -> - ssl:start(), - Config +init_per_group(GroupName, Config0) -> + case ssl_test_lib:init_per_group(GroupName, Config0) of + {skip, _} = Skip -> + Skip; + Config -> + [{client_type, erlang}, + {server_type, erlang}| Config] end. end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(internal_active_1, Config) -> ssl:stop(), application:load(ssl), + ssl_test_lib:clean_env(), application:set_env(ssl, internal_active_n, 1), ssl:start(), ct:timetrap({seconds, 5}), @@ -111,11 +100,13 @@ init_per_testcase(protocol_versions, Config) -> "d" ++ _ -> ssl:stop(), application:load(ssl), + ssl_test_lib:clean_env(), application:set_env(ssl, dtls_protocol_version, [Version]), ssl:start(); _ -> ssl:stop(), application:load(ssl), + ssl_test_lib:clean_env(), application:set_env(ssl, protocol_version, [Version]), ssl:start() end, diff --git a/lib/ssl/test/ssl_cipher_suite_SUITE.erl b/lib/ssl/test/ssl_cipher_suite_SUITE.erl index 307737cea9..4b19314a7a 100644 --- a/lib/ssl/test/ssl_cipher_suite_SUITE.erl +++ b/lib/ssl/test/ssl_cipher_suite_SUITE.erl 
@@ -239,20 +239,15 @@ init_per_group(dhe_psk = GroupName, Config) -> {skip, "Missing SRP crypto support"} end; init_per_group(GroupName, Config0) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:init_tls_version(GroupName, end_per_group(GroupName, Config0)); - false -> - init_certs(GroupName, Config0) + case ssl_test_lib:init_per_group(GroupName, Config0) of + {skip, _} = Skip -> + Skip; + Config -> + init_certs(GroupName, Config) end. end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(TestCase, Config) when TestCase == psk_3des_ede_cbc; TestCase == srp_anon_3des_ede_cbc; diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 31dc781858..2050c43ada 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -93,7 +93,7 @@ init_per_group(GroupName, Config) -> end. init_per_group_openssl(GroupName, Config) -> - case is_tls_version(GroupName) of + case is_tls_version(GroupName) andalso sufficient_crypto_support(GroupName) of true -> case check_sane_openssl_version(GroupName) of true -> @@ -102,8 +102,13 @@ init_per_group_openssl(GroupName, Config) -> {skip, "Missing openssl support"} end; _ -> - ssl:start(), - Config + case sufficient_crypto_support(GroupName) of + true -> + ssl:start(), + Config; + false -> + {skip, "Missing crypto support"} + end end. end_per_group(GroupName, Config) -> @@ -2694,7 +2699,7 @@ check_sane_openssl_version(Version) -> false -> false end. -check_sane_openssl_renegotaite(Config, Version) when Version == 'tlsv1'; +check_sane_openssl_renegotiate(Config, Version) when Version == 'tlsv1'; Version == 'tlsv1.1'; Version == 'tlsv1.2' -> case portable_cmd("openssl", ["version"]) of 
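Review bot: In `init_per_group_openssl/2` (ssl_test_lib.erl) the `_` branch now serves two different cases, a TLS version group without crypto support and a group that is not a TLS version at all, and in both it calls `sufficient_crypto_support(GroupName)` a second time. For a non-version group name the result depends on clauses of `sufficient_crypto_support/1` outside this hunk; if there is no catch-all clause the group crashes instead of starting ssl. Testing `is_tls_version/1` first and checking crypto support only under `true` keeps the original `ssl:start(), Config` path for other groups and evaluates the check once. The inner `check_sane_openssl_version/1` branch is only partly visible in the hunk and is left as is below.

```erlang
init_per_group_openssl(GroupName, Config) ->
    case is_tls_version(GroupName) of
        true ->
            case sufficient_crypto_support(GroupName) of
                true ->
                    %% … unchanged: check_sane_openssl_version/1 branch …
                false ->
                    {skip, "Missing crypto support"}
            end;
        false ->
            ssl:start(),
            Config
    end.
```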
@@ -2707,14 +2712,16 @@ check_sane_openssl_renegotaite(Config, Version) when Version == 'tlsv1'; "OpenSSL 1.0.1 " ++ _ -> {skip, "Known renegotiation bug in OpenSSL"}; "LibreSSL 3.0.2" ++ _ -> - {skip, "Known renegotiation bug in OpenSSL"}; + {skip, "Known renegotiation bug in LibreSSL"}; + "LibreSSL 3.1" ++ _ -> + {skip, "Known renegotiation bug in LibreSSL"}; _ -> - check_sane_openssl_renegotaite(Config) + check_sane_openssl_renegotiate(Config) end; -check_sane_openssl_renegotaite(Config, _) -> - check_sane_openssl_renegotaite(Config). - -check_sane_openssl_renegotaite(Config) -> +check_sane_openssl_renegotiate(Config, _) -> + check_sane_openssl_renegotiate(Config). + +check_sane_openssl_renegotiate(Config) -> case os:cmd("openssl version") of "OpenSSL 1.0.0" ++ _ -> {skip, "Known renegotiation bug in OpenSSL"}; @@ -2724,12 +2731,13 @@ check_sane_openssl_renegotaite(Config) -> {skip, "Known renegotiation bug in OpenSSL"}; "LibreSSL 2." ++ _ -> {skip, "Known renegotiation bug in LibreSSL"}; - + "LibreSSL 3.1" ++ _ -> + {skip, "Known renegotiation bug in LibreSSL"}; _ -> Config end. -openssl_allows_client_renegotaite(Config) -> +openssl_allows_client_renegotiate(Config) -> case os:cmd("openssl version") of "OpenSSL 1.1" ++ _ -> {skip, "OpenSSL does not allow client renegotiation"}; @@ -2739,6 +2747,14 @@ openssl_allows_client_renegotaite(Config) -> Config end. +openssl_allows_server_renegotiate(Config) -> + case os:cmd("openssl version") of + "LibreSSL 3.1" ++ _ -> + {skip, "LibreSSL 3.1 does not allow server renegotiation"}; + _ -> + Config + end. + workaround_openssl_s_clinent() -> %% http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683159 %% https://bugs.archlinux.org/task/33919 |
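Review bot: The new `openssl_allows_server_renegotiate/1` reads the version with `os:cmd("openssl version")`, while `check_sane_openssl_renegotiate/2` in the same file uses `portable_cmd("openssl", ["version"])`. Using the same helper in the new function would keep the lookup consistent across platforms. The `"LibreSSL 3.1" ++ _` prefix is now repeated in three functions and would also match any later release whose version string begins with 3.1, so a short comment such as `%% LibreSSL 3.1.x: renegotiation known broken, revisit on upgrade` would help whoever has to relax it.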