From 6e4d806edee17e0d0ea3e0362958d85f55ac1b45 Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes <kiko@erlang.org>
Date: Wed, 22 Feb 2023 11:59:41 +0100
Subject: ssl: use macros instead of hardcoded version numbers

---
 lib/ssl/test/property_test/ssl_eqc_handshake.erl | 51 ++++++-------
 lib/ssl/test/ssl_ECC_SUITE.erl                   | 27 +++----
 lib/ssl/test/ssl_api_SUITE.erl                   | 96 +++++++++++++-----------
 lib/ssl/test/ssl_cert_SUITE.erl                  |  3 +-
 lib/ssl/test/ssl_cert_tests.erl                  |  4 +-
 lib/ssl/test/ssl_cipher_SUITE.erl                | 43 +++++------
 lib/ssl/test/ssl_handshake_SUITE.erl             | 45 ++++++-----
 lib/ssl/test/ssl_mfl_SUITE.erl                   |  3 +-
 lib/ssl/test/ssl_npn_hello_SUITE.erl             |  4 +-
 lib/ssl/test/ssl_reject_SUITE.erl                | 23 +++---
 lib/ssl/test/ssl_renegotiate_SUITE.erl           | 25 ++----
 lib/ssl/test/ssl_session_SUITE.erl               |  6 +-
 lib/ssl/test/tls_1_3_record_SUITE.erl            | 16 ++--
 lib/ssl/test/tls_api_SUITE.erl                   | 14 ++--
 lib/ssl/test/tls_server_session_ticket_SUITE.erl |  3 +-
 15 files changed, 174 insertions(+), 189 deletions(-)

(limited to 'lib/ssl/test')

diff --git a/lib/ssl/test/property_test/ssl_eqc_handshake.erl b/lib/ssl/test/property_test/ssl_eqc_handshake.erl
index 6fccaf6440..a3d6375de2 100644
--- a/lib/ssl/test/property_test/ssl_eqc_handshake.erl
+++ b/lib/ssl/test/property_test/ssl_eqc_handshake.erl
@@ -57,11 +57,8 @@
 -include_lib("ssl/src/ssl_handshake.hrl").
 -include_lib("ssl/src/ssl_alert.hrl").
 -include_lib("ssl/src/ssl_internal.hrl").
+-include_lib("ssl/src/ssl_record.hrl").
 
--define('TLS_v1.3', {3,4}).
--define('TLS_v1.2', {3,3}).
--define('TLS_v1.1', {3,2}).
--define('TLS_v1',   {3,1}).
 
 %%--------------------------------------------------------------------
 %% Properties --------------------------------------------------------
@@ -87,7 +84,7 @@ prop_tls_hs_encode_decode() ->
 %% Message Generators  -----------------------------------------------
 %%--------------------------------------------------------------------
 
-tls_msg(?'TLS_v1.3'= Version) ->
+tls_msg(?'TLS-1.3'= Version) ->
     oneof([client_hello(Version),
            server_hello(Version),
            %%new_session_ticket()
@@ -116,9 +113,9 @@ tls_msg(Version) ->
 %%
 %% Shared messages
 %%
-client_hello(?'TLS_v1.3' = Version) ->
+client_hello(?'TLS-1.3' = Version) ->
     #client_hello{session_id = session_id(),
-                  client_version = ?'TLS_v1.2',
+                  client_version = ?'TLS-1.2',
                   cipher_suites = cipher_suites(Version),
                   compression_methods = compressions(Version),
                   random = client_random(Version),
@@ -133,8 +130,8 @@ client_hello(Version) ->
 		  extensions = client_hello_extensions(Version)    
                  }.
 
-server_hello(?'TLS_v1.3' = Version) ->
-    #server_hello{server_version = ?'TLS_v1.2',
+server_hello(?'TLS-1.3' = Version) ->
+    #server_hello{server_version = ?'TLS-1.2',
 		  session_id = session_id(),
                   random = server_random(Version),
                   cipher_suite = cipher_suite(Version),
@@ -184,7 +181,7 @@ finished() ->
 %%
 
 encrypted_extensions() ->
-    ?LET(Exts, extensions(?'TLS_v1.3', encrypted_extensions),
+    ?LET(Exts, extensions(?'TLS-1.3', encrypted_extensions),
          #encrypted_extensions{extensions = Exts}).
 
 
@@ -197,7 +194,7 @@ key_update() ->
 %%--------------------------------------------------------------------
 
 tls_version() ->
-    oneof([?'TLS_v1.3', ?'TLS_v1.2', ?'TLS_v1.1', ?'TLS_v1']).
+    oneof([?'TLS-1.3', ?'TLS-1.2', ?'TLS-1.1', ?'TLS-1.0']).
 
 cipher_suite(Version) ->
     oneof(cipher_suites(Version)).
@@ -290,7 +287,7 @@ pre_shared_keyextension() ->
 %% |                                                  |             |
 %% | signature_algorithms_cert (RFC 8446)             |      CH, CR |
 %% +--------------------------------------------------+-------------+
-extensions(?'TLS_v1.3' = Version, MsgType = client_hello) ->
+extensions(?'TLS-1.3' = Version, MsgType = client_hello) ->
      ?LET({
            ServerName,
            %% MaxFragmentLength,
@@ -398,7 +395,7 @@ extensions(Version, client_hello) ->
                        srp => SRP
                        %% renegotiation_info => RenegotiationInfo
                       }));
-extensions(?'TLS_v1.3' = Version, MsgType = server_hello) ->
+extensions(?'TLS-1.3' = Version, MsgType = server_hello) ->
     ?LET({
           KeyShare,
           PreSharedKey,
@@ -443,7 +440,7 @@ extensions(Version, server_hello) ->
                        next_protocol_negotiation => NextP
                        %% renegotiation_info => RenegotiationInfo
                       }));
-extensions(?'TLS_v1.3' = Version, encrypted_extensions) ->
+extensions(?'TLS-1.3' = Version, encrypted_extensions) ->
      ?LET({
            ServerName,
            %% MaxFragmentLength,
@@ -551,7 +548,7 @@ signature() ->
       76,105,212,176,25,6,148,49,194,106,253,241,212,200,
       37,154,227,53,49,216,72,82,163>>.
 
-client_hello_versions(?'TLS_v1.3') ->
+client_hello_versions(?'TLS-1.3') ->
     ?LET(SupportedVersions,
          oneof([[{3,4}],
                 %% This list breaks the property but can be used for negative tests
@@ -626,11 +623,11 @@ cert_conf()->
                                       peer => [{key, ssl_test_lib:hardcode_rsa_key(6)}]}}).
 
 cert_auths() ->
-    certificate_authorities(?'TLS_v1.3').
+    certificate_authorities(?'TLS-1.3').
 
 certificate_request_1_3() ->
     #certificate_request_1_3{certificate_request_context = <<>>,
-                             extensions = #{certificate_authorities => certificate_authorities(?'TLS_v1.3')}
+                             extensions = #{certificate_authorities => certificate_authorities(?'TLS-1.3')}
                             }.
 certificate_request(Version) ->
     #certificate_request{certificate_types = certificate_types(Version),
@@ -666,9 +663,9 @@ hash_alg(Version) ->
          {hash_algorithm(Version, Alg), Alg}
        ).
 
-hash_algorithm(?'TLS_v1.3', _) ->
+hash_algorithm(?'TLS-1.3', _) ->
     oneof([sha, sha224, sha256, sha384, sha512]);
-hash_algorithm(?'TLS_v1.2', rsa) ->
+hash_algorithm(?'TLS-1.2', rsa) ->
     oneof([sha, sha224, sha256, sha384, sha512]);
 hash_algorithm(_, rsa) ->
     oneof([md5, sha, sha224, sha256, sha384, sha512]);
@@ -677,19 +674,19 @@ hash_algorithm(_, ecdsa) ->
 hash_algorithm(_, dsa) ->
     sha.
 
-sign_algorithm(?'TLS_v1.3') ->
+sign_algorithm(?'TLS-1.3') ->
     oneof([rsa, ecdsa]);
 sign_algorithm(_) ->
     oneof([rsa, dsa, ecdsa]).
 
-
 use_srtp() ->
     FullProfiles = [<<0,1>>, <<0,2>>, <<0,5>>],
     NullProfiles = [<<0,5>>],
     ?LET(PP, oneof([FullProfiles, NullProfiles]), #use_srtp{protection_profiles = PP, mki = <<>>}).
 
-certificate_authorities(?'TLS_v1.3') ->
-    Auths = certificate_authorities(?'TLS_v1.2'),
+certificate_authorities(?'TLS-1.3') ->
+    Auths = certificate_authorities(?'TLS-1.2'),
+
     #certificate_authorities{authorities = Auths};
 certificate_authorities(_) ->
     #{server_config := ServerConf} = cert_conf(), 
@@ -718,13 +715,13 @@ ec_point_formats() ->
 ec_point_format_list() ->
     [?ECPOINT_UNCOMPRESSED].
 
-elliptic_curves({_, Minor}) when Minor < 4 ->
-    Curves = tls_v1:ecc_curves(Minor),
+elliptic_curves(Version) when Version < ?'TLS-1.3' ->
+    Curves = tls_v1:ecc_curves(Version),
     #elliptic_curves{elliptic_curve_list = Curves}.
 
 %% RFC 8446 (TLS 1.3) renamed the "elliptic_curve" extension.
-supported_groups({_, Minor}) when Minor >= 4 ->
-    SupportedGroups = tls_v1:groups(Minor),
+supported_groups(?'TLS-1.X'=Version) when Version >= ?'TLS-1.3' ->
+    SupportedGroups = tls_v1:groups(),
     #supported_groups{supported_groups = SupportedGroups}.
 
 
diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl
index 7d4633095d..ed11926469 100644
--- a/lib/ssl/test/ssl_ECC_SUITE.erl
+++ b/lib/ssl/test/ssl_ECC_SUITE.erl
@@ -24,6 +24,7 @@
 
 -behaviour(ct_suite).
 
+-include_lib("ssl/src/ssl_record.hrl").
 -include_lib("common_test/include/ct.hrl").
 -include_lib("public_key/include/public_key.hrl").
 
@@ -180,7 +181,7 @@ client_ecdsa_server_ecdsa_with_raw_key(Config)  when is_list(Config) ->
 
 ecc_default_order(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -195,7 +196,7 @@ ecc_default_order(Config) ->
 
 ecc_default_order_custom_curves(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -210,7 +211,7 @@ ecc_default_order_custom_curves(Config) ->
 
 ecc_client_order(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -225,7 +226,7 @@ ecc_client_order(Config) ->
 
 ecc_client_order_custom_curves(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                         {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -252,7 +253,7 @@ ecc_unknown_curve(Config) ->
 
 client_ecdh_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                        {client_chain, Default}],
                                                         ecdh_rsa, ecdhe_ecdsa, Config),
@@ -266,7 +267,7 @@ client_ecdh_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdh_rsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdh_rsa, ecdhe_rsa, Config),
@@ -281,7 +282,7 @@ client_ecdh_rsa_server_ecdhe_rsa_server_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_rsa, ecdhe_ecdsa, Config),
@@ -295,7 +296,7 @@ client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_rsa, ecdhe_rsa, Config),
@@ -309,7 +310,7 @@ client_ecdhe_rsa_server_ecdhe_rsa_server_custom(Config) ->
      end.
 client_ecdhe_rsa_server_ecdh_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     Ext = x509_test:extensions([{key_usage, [keyEncipherment]}]),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, [[], [], [{extensions, Ext}]]},
                                                          {client_chain, Default}],
@@ -327,7 +328,7 @@ client_ecdhe_rsa_server_ecdh_rsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                        {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa, Config),
@@ -341,7 +342,7 @@ client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_rsa, Config),
@@ -355,7 +356,7 @@ client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                        {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa, Config),
@@ -369,7 +370,7 @@ client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_ecdsa_client_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(?'TLS-1.0'))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                          {client_chain, Default}],
                                                          ecdhe_rsa, ecdhe_ecdsa, Config),
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 664f59a47d..c922339541 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -27,6 +27,7 @@
 -include_lib("ssl/src/ssl_api.hrl").
 -include_lib("ssl/src/ssl_internal.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include("ssl_record.hrl").
 
 %% Common test
 -export([all/0,
@@ -3856,13 +3857,10 @@ active_n_common(S, N) ->
 ok({ok,V}) -> V.
 
 repeat(N, Fun) ->
-    repeat(N, N, Fun).
+    Repeat = fun F(Arg) when is_integer(Arg), Arg > 0 -> Fun(N - Arg), F(Arg - 1);
+                        F(_) -> ok end,
+    Repeat(N).
 
-repeat(N, T, Fun) when is_integer(N), N > 0 ->
-    Fun(T-N),
-    repeat(N-1, T, Fun);
-repeat(_, _, _) ->
-    ok.
 
 get_close(Pid, Where) ->
     receive
@@ -4022,55 +4020,63 @@ log(#{msg:={report,_Report}},#{config:=Pid}) ->
 log(_,_) ->
     ok.
 
-length_exclusive({3,_} = Version) ->
+length_exclusive(?'TLS-1.X' = Version) ->
     length(exclusive_default_up_to_version(Version, [])) +
         length(exclusive_non_default_up_to_version(Version, []));
-length_exclusive({254,_} = Version) ->
+length_exclusive(?'DTLS-1.X' = Version) ->
     length(dtls_exclusive_default_up_to_version(Version, [])) +
         length(dtls_exclusive_non_default_up_to_version(Version, [])).
 
 length_all(Version) ->
     length(ssl:cipher_suites(all, Version)).
 
-exclusive_default_up_to_version({3, 1} = Version, Acc) ->
-    ssl:cipher_suites(exclusive, Version) ++ Acc;
-exclusive_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 4 ->
-    Suites = ssl:cipher_suites(exclusive, Version),
-    exclusive_default_up_to_version({3, Minor-1}, Suites ++ Acc).
-
-dtls_exclusive_default_up_to_version({254, 255} = Version, Acc) ->
-    ssl:cipher_suites(exclusive, Version) ++ Acc;
-dtls_exclusive_default_up_to_version({254, 253} = Version, Acc) ->
-    Suites = ssl:cipher_suites(exclusive, Version),
-    dtls_exclusive_default_up_to_version({254, 255}, Suites ++ Acc).
-
-exclusive_non_default_up_to_version({3, 1} = Version, Acc) ->
-    exclusive_non_default_version(Version) ++ Acc;
-exclusive_non_default_up_to_version({3, 4}, Acc) ->
-    exclusive_non_default_up_to_version({3, 3}, Acc);
-exclusive_non_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 3 ->
-    Suites = exclusive_non_default_version(Version),
-    exclusive_non_default_up_to_version({3, Minor-1}, Suites ++ Acc).
-
-dtls_exclusive_non_default_up_to_version({254, 255} = Version, Acc) ->
-    dtls_exclusive_non_default_version(Version) ++ Acc;
-dtls_exclusive_non_default_up_to_version({254, 253} = Version, Acc) ->
-    Suites = dtls_exclusive_non_default_version(Version),
-    dtls_exclusive_non_default_up_to_version({254, 255}, Suites ++ Acc).
-
-exclusive_non_default_version({_, Minor}) ->
-    tls_v1:psk_exclusive(Minor) ++
-        tls_v1:srp_exclusive(Minor) ++
-        tls_v1:rsa_exclusive(Minor) ++
-        tls_v1:des_exclusive(Minor) ++
-        tls_v1:rc4_exclusive(Minor).
+exclusive_default_up_to_version(?'TLS-1.0', Acc) ->
+    lists:flatmap(fun (Vsn) -> ssl:cipher_suites(exclusive, Vsn) end
+                 , [?'TLS-1.0' | Acc]);
+exclusive_default_up_to_version(?'TLS-1.1', Acc) ->
+    exclusive_default_up_to_version(?'TLS-1.0', [?'TLS-1.1' | Acc]);
+exclusive_default_up_to_version(?'TLS-1.2', Acc) ->
+    exclusive_default_up_to_version(?'TLS-1.1', [?'TLS-1.2' | Acc]);
+exclusive_default_up_to_version(?'TLS-1.3', Acc) ->
+    exclusive_default_up_to_version(?'TLS-1.2', [?'TLS-1.3' | Acc]).
+
+dtls_exclusive_default_up_to_version(?'DTLS-1.0', Acc) ->
+    lists:flatmap( fun (Vsn) -> ssl:cipher_suites(exclusive, Vsn) end
+                 , [?'DTLS-1.0' | Acc]);
+dtls_exclusive_default_up_to_version(?'DTLS-1.2', Acc) ->
+    dtls_exclusive_default_up_to_version(?'DTLS-1.0', [?'DTLS-1.2' | Acc]).
+
+%% TODO: wip
+exclusive_non_default_up_to_version(?'TLS-1.0', Acc) ->
+    lists:flatmap(fun exclusive_non_default_version/1, [?'TLS-1.0' | Acc]);
+exclusive_non_default_up_to_version(?'TLS-1.1', Acc) ->
+    exclusive_non_default_up_to_version(?'TLS-1.0', [?'TLS-1.1' | Acc]);
+exclusive_non_default_up_to_version(?'TLS-1.2', Acc) ->
+    exclusive_non_default_up_to_version(?'TLS-1.1', [?'TLS-1.2' | Acc]);
+exclusive_non_default_up_to_version(?'TLS-1.3', Acc) ->
+    exclusive_non_default_up_to_version(?'TLS-1.2', Acc).
+
+
+dtls_exclusive_non_default_up_to_version(?'DTLS-1.0', Acc) ->
+    lists:flatmap(fun dtls_exclusive_non_default_version/1, [?'DTLS-1.0' | Acc]);
+dtls_exclusive_non_default_up_to_version(?'DTLS-1.2', Acc) ->
+    dtls_exclusive_non_default_up_to_version(?'DTLS-1.0', [?'DTLS-1.2' | Acc]).
+
+exclusive_non_default_version(Version) ->
+    Ls = [ fun tls_v1:psk_exclusive/1
+         , fun tls_v1:srp_exclusive/1
+         , fun tls_v1:rsa_exclusive/1
+         , fun tls_v1:des_exclusive/1
+         , fun tls_v1:rc4_exclusive/1],
+    lists:flatmap(fun(Fn) -> Fn(Version) end, Ls).
 
 dtls_exclusive_non_default_version(DTLSVersion) ->        
-    {_,Minor} = ssl:tls_version(DTLSVersion),
-    tls_v1:psk_exclusive(Minor) ++
-        tls_v1:srp_exclusive(Minor) ++
-        tls_v1:rsa_exclusive(Minor) ++ 
-        tls_v1:des_exclusive(Minor).
+    Version = ssl:tls_version(DTLSVersion),
+    Fns = [ fun tls_v1:psk_exclusive/1
+          , fun tls_v1:srp_exclusive/1
+          , fun tls_v1:rsa_exclusive/1
+          , fun tls_v1:des_exclusive/1],
+    lists:flatmap(fun (Fn) -> Fn(Version) end, Fns).
 
 selected_peer(ExpectedClient,
               ExpectedServer, ClientOpts, ServerOpts, Config) ->
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index d445072d7b..5b42624af6 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -25,6 +25,7 @@
 
 -include_lib("common_test/include/ct.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include("ssl_record.hrl").
 
 %% Common test
 -export([all/0,
@@ -1377,7 +1378,7 @@ rsa_alg(rsa_pss_pss_1_3) ->
 rsa_alg(Atom) ->
     Atom.
 
-no_reuse({3, N}) when N >= 4 ->
+no_reuse(?'TLS-1.3') ->
     [];
 no_reuse(_) ->
     [{reuse_sessions, false}].
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index be3f651a13..8df08398da 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -467,8 +467,8 @@ test_ciphers(_, 'tlsv1.3' = Version) ->
                  end, Ciphers);
 test_ciphers(_, Version) when Version == 'dtlsv1';
                                 Version == 'dtlsv1.2' ->
-    {_, Minor} = dtls_record:protocol_version(Version),
-    Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) ||  Bin <- dtls_v1:suites(Minor)],
+    NVersion = dtls_record:protocol_version(Version),
+    Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) ||  Bin <- dtls_v1:suites(NVersion)],
     ct:log("Version ~p Testing  ~p~n", [Version, Ciphers]),
     OpenSSLCiphers = openssl_ciphers(),
     ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
diff --git a/lib/ssl/test/ssl_cipher_SUITE.erl b/lib/ssl/test/ssl_cipher_SUITE.erl
index def13d0860..c2d92e859d 100644
--- a/lib/ssl/test/ssl_cipher_SUITE.erl
+++ b/lib/ssl/test/ssl_cipher_SUITE.erl
@@ -25,6 +25,7 @@
 -include_lib("common_test/include/ct.hrl").
 -include("tls_record.hrl").
 -include("ssl_cipher.hrl").
+-include("ssl_record.hrl").
 
 %% Callback functions
 -export([all/0,
@@ -96,10 +97,9 @@ aes_decipher_good() ->
 aes_decipher_good(Config) when is_list(Config) ->
     HashSz = 32,
     CipherState = correct_cipher_state(),
-    decipher_check_good(HashSz, CipherState, {3,0}),
-    decipher_check_good(HashSz, CipherState, {3,1}),
-    decipher_check_good(HashSz, CipherState, {3,2}),
-    decipher_check_good(HashSz, CipherState, {3,3}).
+    decipher_check_good(HashSz, CipherState, ?'TLS-1.0'),
+    decipher_check_good(HashSz, CipherState, ?'TLS-1.1'),
+    decipher_check_good(HashSz, CipherState, ?'TLS-1.2').
 
 %%--------------------------------------------------------------------
 aes_decipher_fail() ->
@@ -108,19 +108,17 @@ aes_decipher_fail() ->
 aes_decipher_fail(Config) when is_list(Config) ->
     HashSz = 32,
     CipherState = incorrect_cipher_state(),
-    decipher_check_fail(HashSz, CipherState, {3,0}),
-    decipher_check_fail(HashSz, CipherState, {3,1}),
-    decipher_check_fail(HashSz, CipherState, {3,2}),
-    decipher_check_fail(HashSz, CipherState, {3,3}).
+    decipher_check_fail(HashSz, CipherState, ?'TLS-1.0'),
+    decipher_check_fail(HashSz, CipherState, ?'TLS-1.1'),
+    decipher_check_fail(HashSz, CipherState, ?'TLS-1.2').
 
 %%--------------------------------------------------------------------
 padding_test(Config) when is_list(Config)  ->
     HashSz = 16,
     CipherState = correct_cipher_state(),
-    pad_test(HashSz, CipherState, {3,0}),
-    pad_test(HashSz, CipherState, {3,1}),
-    pad_test(HashSz, CipherState, {3,2}),
-    pad_test(HashSz, CipherState, {3,3}).
+    pad_test(HashSz, CipherState, ?'TLS-1.0'),
+    pad_test(HashSz, CipherState, ?'TLS-1.1'),
+    pad_test(HashSz, CipherState, ?'TLS-1.2').
 
 %%--------------------------------------------------------------------    
 % Internal functions  --------------------------------------------------------
@@ -135,21 +133,14 @@ decipher_check_fail(HashSz, CipherState, Version) ->
     true = {Content, Mac, #cipher_state{iv = NextIV}} =/= 
 	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, aes_fragment(Version), Version, true).
 
-pad_test(HashSz, CipherState, {3,0} = Version) ->
-    %% 3.0 does not have padding test
-    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
-    {Content, Mac, #cipher_state{iv = NextIV}} = 
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, true),    
-    {Content, Mac, #cipher_state{iv = NextIV}} = 
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, false);
-pad_test(HashSz, CipherState, {3,1} = Version) ->
+pad_test(HashSz, CipherState, ?'TLS-1.0' = Version) ->
     %% 3.1 should have padding test, but may be disabled
     {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
     BadCont = badpad_content(Content),
     {Content, Mac, #cipher_state{iv = NextIV}} = 
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,1}) , {3,1}, false),
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment(?'TLS-1.0') , ?'TLS-1.0', false),
     {BadCont, Mac, #cipher_state{iv = NextIV}} = 
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,1}), {3,1}, true);
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment(?'TLS-1.0'), ?'TLS-1.0', true);
 pad_test(HashSz, CipherState, Version) ->
     %% 3.2 and 3.3 must have padding test
     {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
@@ -159,7 +150,7 @@ pad_test(HashSz, CipherState, Version) ->
     {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState,  
 								     badpad_aes_fragment(Version), Version, true).
     
-aes_fragment({3,N}) when N == 0; N == 1->
+aes_fragment(?'TLS-1.0') ->
     <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169,
       119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165,
       63,20,194,159,107>>;
@@ -170,7 +161,7 @@ aes_fragment(_) ->
       198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
       108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>.
 
-badpad_aes_fragment({3,N})  when N == 0; N == 1 ->
+badpad_aes_fragment(?'TLS-1.0') ->
     <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105,
       30,190,37,1,88,139,243,210,99,65,41>>;
 badpad_aes_fragment(_) ->
@@ -178,7 +169,7 @@ badpad_aes_fragment(_) ->
       94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77,
       234,19,240,33,38,91,93>>.
 
-content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+content_nextiv_mac(?'TLS-1.0') ->
     {<<"HELLO\n">>,
      <<72,196,247,97,62,213,222,109,210,204,217,186,172,184, 197,148>>,
      <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>};
@@ -187,7 +178,7 @@ content_nextiv_mac(_) ->
      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
      <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}.
 
-badpad_content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+badpad_content_nextiv_mac(?'TLS-1.0') ->
     {<<"HELLO\n">>,
      <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>,
       <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 074a795556..b50d93b5d1 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -126,7 +126,7 @@ decode_hello_handshake(_Config) ->
 		    16#00, 16#00, 16#33, 16#74, 16#00, 16#07, 16#06, 16#73,
 		    16#70, 16#64, 16#79, 16#2f, 16#32>>,
 	
-    Version = {3, 0},
+    Version = ?'SSL-3.0',
     DefOpts = ssl:update_options([{verify, verify_none}], client, #{}),
     {Records, _Buffer} = tls_handshake:get_tls_handshakes(Version, HelloPacket, <<>>, DefOpts),
 
@@ -136,7 +136,7 @@ decode_hello_handshake(_Config) ->
 
 decode_single_hello_extension_correctly(_Config) -> 
     Renegotiation = <<?UINT16(?RENEGOTIATION_EXT), ?UINT16(1), 0>>,
-    Extensions = ssl_handshake:decode_extensions(Renegotiation, {3,3}, undefined),
+    Extensions = ssl_handshake:decode_extensions(Renegotiation, ?'TLS-1.2', undefined),
     #{renegotiation_info := #renegotiation_info{renegotiated_connection = <<0>>}} = Extensions.
 
 decode_supported_elliptic_curves_hello_extension_correctly(_Config) ->
@@ -148,13 +148,13 @@ decode_supported_elliptic_curves_hello_extension_correctly(_Config) ->
     Len = ListLen + 2,
     Extension = <<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len), ?UINT16(ListLen), EllipticCurveList/binary>>,
     % after decoding we should see only valid curves
-    Extensions = ssl_handshake:decode_hello_extensions(Extension, {3,2}, {3,2}, client),
+    Extensions = ssl_handshake:decode_hello_extensions(Extension, ?'TLS-1.1', ?'TLS-1.1', client),
     #{elliptic_curves := #elliptic_curves{elliptic_curve_list = [?sect233k1, ?sect193r2]}} = Extensions. 
 
 decode_unknown_hello_extension_correctly(_Config) ->
     FourByteUnknown = <<16#CA,16#FE, ?UINT16(4), 3, 0, 1, 2>>,
     Renegotiation = <<?UINT16(?RENEGOTIATION_EXT), ?UINT16(1), 0>>,
-    Extensions = ssl_handshake:decode_hello_extensions(<<FourByteUnknown/binary, Renegotiation/binary>>, {3,2}, {3,2}, client),
+    Extensions = ssl_handshake:decode_hello_extensions(<<FourByteUnknown/binary, Renegotiation/binary>>, ?'TLS-1.1', ?'TLS-1.1', client),
     #{renegotiation_info := #renegotiation_info{renegotiated_connection = <<0>>}} = Extensions.
 
 
@@ -169,21 +169,21 @@ encode_single_hello_sni_extension_correctly(_Config) ->
 decode_single_hello_sni_extension_correctly(_Config) ->
     SNI = <<16#00, 16#00, 16#00, 16#0d, 16#00, 16#0b, 16#00, 16#00, 16#08,
 	    $t,    $e,    $s,    $t,    $.,    $c,    $o,    $m>>,
-    Decoded = ssl_handshake:decode_hello_extensions(SNI, {3,3}, {3,3}, client),
+    Decoded = ssl_handshake:decode_hello_extensions(SNI, ?'TLS-1.2', ?'TLS-1.2', client),
     #{sni := #sni{hostname = "test.com"}} = Decoded.
 
 decode_empty_server_sni_correctly(_Config) ->
     SNI = <<?UINT16(?SNI_EXT),?UINT16(0)>>,
-    Decoded = ssl_handshake:decode_hello_extensions(SNI, {3,3}, {3,3}, server),
+    Decoded = ssl_handshake:decode_hello_extensions(SNI, ?'TLS-1.2', ?'TLS-1.2', server),
     #{sni := #sni{hostname = ""}} = Decoded.
 
 
 select_proper_tls_1_2_rsa_default_hashsign(_Config) ->
     % RFC 5246 section 7.4.1.4.1 tells to use {sha1,rsa} as default signature_algorithm for RSA key exchanges
-    {sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,3}),
+    {sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, ?'TLS-1.2'),
     % Older versions use MD5/SHA1 combination
-    {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,2}),
-    {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,0}).
+    {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, ?'TLS-1.1'),
+    {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, ?'SSL-3.0').
 
 
 ignore_hassign_extension_pre_tls_1_2(Config) ->
@@ -191,11 +191,10 @@ ignore_hassign_extension_pre_tls_1_2(Config) ->
     CertFile = proplists:get_value(certfile, Opts),
     [{_, Cert, _}] = ssl_test_lib:pem_to_der(CertFile),
     HashSigns = #hash_sign_algos{hash_sign_algos = [{sha512, rsa}, {sha, dsa}, {sha256, rsa}]},
-    {sha512, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([{3,3}]), {3,3}),
+    {sha512, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([?'TLS-1.2']), ?'TLS-1.2'),
     %%% Ignore
-    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([{3,2}]), {3,2}),
-    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([{3,0}]), {3,0}).
-
+    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([?'TLS-1.1']), ?'TLS-1.1'),
+    {md5sha, rsa} = ssl_handshake:select_hashsign({HashSigns, undefined}, Cert, ecdhe_rsa, tls_v1:default_signature_algs([?'SSL-3.0']), ?'SSL-3.0').
 
 signature_algorithms(Config) ->
     Opts = proplists:get_value(server_opts, Config),
@@ -212,16 +211,16 @@ signature_algorithms(Config) ->
     {sha512, rsa} = ssl_handshake:select_hashsign(
                       {HashSigns0, Schemes0},
                       Cert, ecdhe_rsa,
-                      tls_v1:default_signature_algs([{3,3}]),
-                      {3,3}),
+                      tls_v1:default_signature_algs([?'TLS-1.2']),
+                      ?'TLS-1.2'),
     HashSigns1 = #hash_sign_algos{
                     hash_sign_algos = [{sha, dsa},
                                        {sha256, rsa}]},
     {sha256, rsa} = ssl_handshake:select_hashsign(
                       {HashSigns1, Schemes0},
                       Cert, ecdhe_rsa,
-                      tls_v1:default_signature_algs([{3,3}]),
-                      {3,3}),
+                      tls_v1:default_signature_algs([?'TLS-1.2']),
+                      ?'TLS-1.2'),
     Schemes1 = #signature_algorithms_cert{
                   signature_scheme_list = [rsa_pkcs1_sha1,
                                            ecdsa_sha1]},
@@ -229,22 +228,22 @@ signature_algorithms(Config) ->
     #alert{} = ssl_handshake:select_hashsign(
                  {HashSigns1, Schemes1},
                  Cert, ecdhe_rsa,
-                 tls_v1:default_signature_algs([{3,3}]),
-                 {3,3}),
+                 tls_v1:default_signature_algs([?'TLS-1.2']),
+                 ?'TLS-1.2'),
     %% No scheme, hashsign is used
     {sha256, rsa} = ssl_handshake:select_hashsign(
                       {HashSigns1, undefined},
                       Cert, ecdhe_rsa,
-                      tls_v1:default_signature_algs([{3,3}]),
-                      {3,3}),
+                      tls_v1:default_signature_algs([?'TLS-1.2']),
+                      ?'TLS-1.2'),
     HashSigns2 = #hash_sign_algos{
                     hash_sign_algos = [{sha, dsa}]},
     %% Signature not supported
     #alert{} = ssl_handshake:select_hashsign(
                  {HashSigns2, Schemes1},
                  Cert, ecdhe_rsa,
-                 tls_v1:default_signature_algs([{3,3}]),
-                 {3,3}).
+                 tls_v1:default_signature_algs([?'TLS-1.2']),
+                 ?'TLS-1.2').
 
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
diff --git a/lib/ssl/test/ssl_mfl_SUITE.erl b/lib/ssl/test/ssl_mfl_SUITE.erl
index 362cc3ac31..a9e1a6a8f9 100644
--- a/lib/ssl/test/ssl_mfl_SUITE.erl
+++ b/lib/ssl/test/ssl_mfl_SUITE.erl
@@ -22,6 +22,7 @@
 -behaviour(ct_suite).
 
 -include_lib("common_test/include/ct.hrl").
+-include("ssl_record.hrl").
 
 %% Common test
 -export([all/0,
@@ -186,7 +187,7 @@ run_mfl_handshake_continue(Config, MFL) ->
                     receive {Client, {ext, ClientExt}} ->
                             ct:log("Client handshake Ext ~p~n", [ClientExt]),
                             case maps:get(server_hello_selected_version, ClientExt, undefined) of
-                                {3,4} ->
+                                ?'TLS-1.3' ->
                                     %% For TLS 1.3 the ssl {handshake, hello} API is inconsistent:
                                     %% the server gets all the extensions CH+EE, but the client only CH
                                     ignore;
diff --git a/lib/ssl/test/ssl_npn_hello_SUITE.erl b/lib/ssl/test/ssl_npn_hello_SUITE.erl
index 2a98eb71d0..f1cd8f84b8 100644
--- a/lib/ssl/test/ssl_npn_hello_SUITE.erl
+++ b/lib/ssl/test/ssl_npn_hello_SUITE.erl
@@ -123,12 +123,12 @@ encode_and_decode_npn_server_hello_test(Config) ->
 
 %%--------------------------------------------------------------------
 create_server_hello_with_no_advertised_protocols_test(_Config) ->
-    Hello = ssl_handshake:server_hello(<<>>, {3, 0}, create_connection_states(), #{}),
+    Hello = ssl_handshake:server_hello(<<>>, ?'SSL-3.0', create_connection_states(), #{}),
     Extensions = Hello#server_hello.extensions,
     #{} = Extensions.
 %%--------------------------------------------------------------------
 create_server_hello_with_advertised_protocols_test(_Config) ->
-    Hello = ssl_handshake:server_hello(<<>>, {3, 0}, create_connection_states(),
+    Hello = ssl_handshake:server_hello(<<>>, ?'SSL-3.0', create_connection_states(),
 				       #{next_protocol_negotiation => [<<"spdy/1">>, <<"http/1.0">>, <<"http/1.1">>]}),
     Extensions = Hello#server_hello.extensions,
     #{next_protocol_negotiation := [<<"spdy/1">>, <<"http/1.0">>, <<"http/1.1">>]} = Extensions.
diff --git a/lib/ssl/test/ssl_reject_SUITE.erl b/lib/ssl/test/ssl_reject_SUITE.erl
index 7221b629ac..a068c4be36 100644
--- a/lib/ssl/test/ssl_reject_SUITE.erl
+++ b/lib/ssl/test/ssl_reject_SUITE.erl
@@ -22,7 +22,7 @@
 -module(ssl_reject_SUITE).
 
 -include_lib("common_test/include/ct.hrl").
--include_lib("ssl/src/ssl_record.hrl").
+-include("ssl_record.hrl").
 -include_lib("ssl/src/ssl_alert.hrl").
 -include_lib("ssl/src/ssl_handshake.hrl").
 
@@ -48,15 +48,15 @@
          accept_sslv3_record_hello/1
         ]).
 
--define(TLS_MAJOR, 3).
--define(SSL_3_0_MAJOR, 3).
--define(SSL_3_0_MINOR, 0).
--define(TLS_1_0_MINOR, 1).
--define(TLS_1_1_MINOR, 2).
--define(TLS_1_2_MINOR, 3).
--define(TLS_1_3_MINOR, 4).
--define(SSL_2_0_MAJOR, 0).
--define(SSL_2_0_MINOR, 1).
+-define(TLS_MAJOR,     (element(1, ?'TLS-1.2'))).
+-define(SSL_3_0_MAJOR, (element(1, ?'SSL-3.0'))).
+-define(SSL_3_0_MINOR, (element(2, ?'SSL-3.0'))).
+-define(TLS_1_0_MINOR, (element(2, ?'TLS-1.0'))).
+-define(TLS_1_1_MINOR, (element(2, ?'TLS-1.1'))).
+-define(TLS_1_2_MINOR, (element(2, ?'TLS-1.2'))).
+-define(TLS_1_3_MINOR, (element(2, ?'TLS-1.3'))).
+-define(SSL_2_0_MAJOR, (element(1, ?'SSL-2.0'))).
+-define(SSL_2_0_MINOR, (element(2, ?'SSL-2.0'))).
 
 %%--------------------------------------------------------------------
 %% Common Test interface functions -----------------------------------
@@ -194,10 +194,11 @@ accept_sslv3_record_hello(Config) when is_list(Config) ->
 
     {ok, Socket} = gen_tcp:connect(Hostname, Port, [{active, false}]),
     gen_tcp:send(Socket, ClientHello),
+    TLS_Major = ?TLS_MAJOR,
     case gen_tcp:recv(Socket, 3, 5000) of
         %% Minor needs to be a TLS version that is a version
         %% above SSL-3.0
-        {ok, [?HANDSHAKE, ?TLS_MAJOR, Minor]} when Minor > ?SSL_3_0_MINOR ->
+        {ok, [?HANDSHAKE, TLS_Major, Minor]} when Minor > ?SSL_3_0_MINOR ->
             ok;
         {error, timeout} ->
             ct:fail(ssl3_record_not_accepted)
diff --git a/lib/ssl/test/ssl_renegotiate_SUITE.erl b/lib/ssl/test/ssl_renegotiate_SUITE.erl
index 4b46863415..aa5a32c8aa 100644
--- a/lib/ssl/test/ssl_renegotiate_SUITE.erl
+++ b/lib/ssl/test/ssl_renegotiate_SUITE.erl
@@ -26,6 +26,7 @@
 
 -include_lib("common_test/include/ct.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include("ssl_record.hrl").
 
 %% Common test
 -export([all/0,
@@ -87,11 +88,10 @@ all() ->
 
 groups() ->
     [{'dtlsv1.2', [], renegotiate_tests()},
-     {'dtlsv1', [], renegotiate_tests()},
-     {'tlsv1.3', [], renegotiate_tests()},
-     {'tlsv1.2', [], renegotiate_tests()},
-     {'tlsv1.1', [], renegotiate_tests()},
-     {'tlsv1', [], renegotiate_tests()}
+     {'dtlsv1',   [], renegotiate_tests()},
+     {'tlsv1.2',  [], renegotiate_tests()},
+     {'tlsv1.1',  [], renegotiate_tests()},
+     {'tlsv1',    [], renegotiate_tests()}
     ].
 
 renegotiate_tests() ->
@@ -107,17 +107,6 @@ renegotiate_tests() ->
      renegotiate_dos_mitigate_passive,
      renegotiate_dos_mitigate_absolute].
 
-ssl3_renegotiate_tests() ->
-    [client_renegotiate,
-     server_renegotiate,
-     client_renegotiate_reused_session,
-     server_renegotiate_reused_session,
-     client_no_wrap_sequence_number,
-     server_no_wrap_sequence_number,
-     renegotiate_dos_mitigate_active,
-     renegotiate_dos_mitigate_passive,
-     renegotiate_dos_mitigate_absolute].
-
 init_per_suite(Config) ->
     catch crypto:stop(),
     try crypto:start() of
@@ -518,9 +507,7 @@ renegotiate_rejected(Socket) ->
     ok.
 
 %% First two clauses handles 1/n-1 splitting countermeasure Rizzo/Duong-Beast
-treashold(N, {3,0}) ->
-    (N div 2) + 1;
-treashold(N, {3,1}) ->
+treashold(N, ?'TLS-1.0') ->
     (N div 2) + 1;
 treashold(N, _) ->
     N + 1.
diff --git a/lib/ssl/test/ssl_session_SUITE.erl b/lib/ssl/test/ssl_session_SUITE.erl
index 40fff3bbbd..f67f998806 100644
--- a/lib/ssl/test/ssl_session_SUITE.erl
+++ b/lib/ssl/test/ssl_session_SUITE.erl
@@ -660,9 +660,9 @@ faulty_client(Host, Port) ->
 
 
 encode_client_hello(CH, Random) ->
-    HSBin = tls_handshake:encode_handshake(CH, {3,3}),
+    HSBin = tls_handshake:encode_handshake(CH, ?'TLS-1.2'),
     CS = connection_states(Random),
-    {Encoded, _} = tls_record:encode_handshake(HSBin, {3,3}, CS),
+    {Encoded, _} = tls_record:encode_handshake(HSBin, ?'TLS-1.2', CS),
     Encoded.
 
 client_hello(Random) ->
@@ -738,7 +738,7 @@ client_hello(Random) ->
 		   srp =>
 		       undefined},
 
-    #client_hello{client_version = {3,3},
+    #client_hello{client_version = ?'TLS-1.2',
 		  random = Random,
 		  session_id = crypto:strong_rand_bytes(32),
 		  cipher_suites = CipherSuites,
diff --git a/lib/ssl/test/tls_1_3_record_SUITE.erl b/lib/ssl/test/tls_1_3_record_SUITE.erl
index 75819d0565..951df01810 100644
--- a/lib/ssl/test/tls_1_3_record_SUITE.erl
+++ b/lib/ssl/test/tls_1_3_record_SUITE.erl
@@ -174,9 +174,9 @@ encode_decode(_Config) ->
                    146,152,146,151,107,126,216,210,9,93,0,0>>],
 
     {[_Header|Encoded], _} = tls_record_1_3:encode_plain_text(22, PlainText, ConnectionStates),
-    CipherText = #ssl_tls{type = 23, version = {3,3}, fragment = Encoded},
+    CipherText = #ssl_tls{type = 23, version = ?'TLS-1.2', fragment = Encoded},
 
-    {#ssl_tls{type = 22, version = {3,4}, fragment = DecodedText}, _} =
+    {#ssl_tls{type = 22, version = ?'TLS-1.3', fragment = DecodedText}, _} =
         tls_record_1_3:decode_cipher_text(CipherText, ConnectionStates),
 
     DecodedText = iolist_to_binary(PlainText),
@@ -260,7 +260,7 @@ encode_decode(_Config) ->
           01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01"),
 
     {CHEncrypted, _} =
-	tls_record:encode_handshake(ClientHello, {3,4}, ConnStatesNull),
+	tls_record:encode_handshake(ClientHello, ?'TLS-1.3', ConnStatesNull),
     ClientHelloRecord = iolist_to_binary(CHEncrypted),
 
     %% {server}  extract secret "early":
@@ -515,7 +515,7 @@ encode_decode(_Config) ->
           cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04"),
 
     {SHEncrypted, _} =
-	tls_record:encode_handshake(ServerHello, {3,4}, ConnStatesNull),
+	tls_record:encode_handshake(ServerHello, ?'TLS-1.3', ConnStatesNull),
     ServerHelloRecord = iolist_to_binary(SHEncrypted),
 
     %% {server}  derive write traffic keys for handshake data:
@@ -685,7 +685,7 @@ encode_decode(_Config) ->
 
     FinishedHS = #finished{verify_data = FinishedVerifyData},
 
-    FinishedIOList = tls_handshake:encode_handshake(FinishedHS, {3,4}),
+    FinishedIOList = tls_handshake:encode_handshake(FinishedHS, ?'TLS-1.3'),
     FinishedHSBin = iolist_to_binary(FinishedIOList),
 
     %% {server}  derive secret "tls13 c ap traffic":
@@ -907,7 +907,7 @@ encode_decode(_Config) ->
 
     CFinished = #finished{verify_data = CFinishedVerifyData},
 
-    CFinishedIOList = tls_handshake:encode_handshake(CFinished, {3,4}),
+    CFinishedIOList = tls_handshake:encode_handshake(CFinished, ?'TLS-1.3'),
     CFinishedBin = iolist_to_binary(CFinishedIOList),
 
     %% {client}  derive write traffic keys for application data:
@@ -1054,7 +1054,7 @@ encode_decode(_Config) ->
        ticket_nonce = Nonce,
        ticket = Ticket,
        extensions = _Extensions
-      } = tls_handshake:decode_handshake({3,4}, NWT, TicketBody),
+      } = tls_handshake:decode_handshake(?'TLS-1.3', NWT, TicketBody),
 
     %% ResPRK = resumption master secret
     ResExpanded = tls_v1:pre_shared_key(ResPRK, Nonce, HKDFAlgo),
@@ -1288,7 +1288,7 @@ encode_decode(_Config) ->
 
     <<?BYTE(CH), ?UINT24(_Length), ClientHelloBody/binary>> = ClientHelloRecord,
     #client_hello{extensions = #{pre_shared_key := PreSharedKey}} =
-        tls_handshake:decode_handshake({3,4}, CH, ClientHelloBody),
+        tls_handshake:decode_handshake(?'TLS-1.3', CH, ClientHelloBody),
 
     #pre_shared_key_client_hello{
        offered_psks = #offered_psks{
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
index 69dde6b8b9..655b83d0e8 100644
--- a/lib/ssl/test/tls_api_SUITE.erl
+++ b/lib/ssl/test/tls_api_SUITE.erl
@@ -790,8 +790,8 @@ tls_reject_warning_alert_in_initial_hs(Config) when is_list(Config) ->
     ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
     {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
     {Major, Minor} = case ssl_test_lib:protocol_version(Config, tuple) of
-                         {3,4} ->
-                             {3,3};
+                         ?'TLS-1.3' ->
+                             ?'TLS-1.2';
                          Other ->
                              Other
                      end,
@@ -814,8 +814,8 @@ tls_reject_fake_warning_alert_in_initial_hs(Config) when is_list(Config) ->
     ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
     {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
     {Major, Minor} = case ssl_test_lib:protocol_version(Config, tuple) of
-                         {3,4} ->
-                             {3,3};
+                         ?'TLS-1.3' ->
+                             ?'TLS-1.2';
                          Other ->
                              Other
                      end,
@@ -840,8 +840,8 @@ tls_app_data_in_initial_hs_state(Config) when is_list(Config) ->
     {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
     Version = ssl_test_lib:protocol_version(Config, tuple),
     {Major, Minor} = case Version of
-                         {3,4} ->
-                             {3,3};
+                         ?'TLS-1.3' ->
+                             ?'TLS-1.2';
                          Other ->
                              Other
                      end,
@@ -852,7 +852,7 @@ tls_app_data_in_initial_hs_state(Config) when is_list(Config) ->
     Port = ssl_test_lib:inet_port(Server),
     {ok, Socket}  = gen_tcp:connect("localhost", Port, [{active, false}, binary]),
     AppData = case Version of
-                  {3, 4} ->
+                  ?'TLS-1.3' ->
                       <<?BYTE(?APPLICATION_DATA), ?BYTE(3), ?BYTE(3), ?UINT16(4), ?BYTE($F), 
                         ?BYTE($O), ?BYTE($O), ?BYTE(?APPLICATION_DATA)>>;
                   _ ->
diff --git a/lib/ssl/test/tls_server_session_ticket_SUITE.erl b/lib/ssl/test/tls_server_session_ticket_SUITE.erl
index e226ed3143..66e96b0a81 100644
--- a/lib/ssl/test/tls_server_session_ticket_SUITE.erl
+++ b/lib/ssl/test/tls_server_session_ticket_SUITE.erl
@@ -25,6 +25,7 @@
 -include_lib("ssl/src/ssl_cipher.hrl").
 -include_lib("ssl/src/ssl_internal.hrl").
 -include_lib("ssl/src/tls_handshake_1_3.hrl").
+-include("ssl_record.hrl").
 
 %% Callback functions
 -export([all/0,
@@ -53,7 +54,7 @@
 -define(TICKET_STORE_SIZE, 1).
 -define(MASTER_SECRET, "master_secret").
 -define(PRF, sha).
--define(VERSION, {3,4}).
+-define(VERSION, ?'TLS-1.3').
 -define(PSK, <<15,168,18,43,216,33,227,142,114,190,70,183,137,57,64,64,66,152,115,94>>).
 -define(WINDOW_SIZE, 1).
 -define(SEED, <<1,2,3,4,5>>).
-- 
cgit v1.2.1