authorDaniel Lenski <dlenski@gmail.com>2020-05-17 14:50:47 -0700
committerDaiki Ueno <ueno@gnu.org>2020-08-31 08:08:38 +0200
commitacdc676350280390833b3256e1823d1218ffda9b (patch)
tree16d732313d632f87374bee84a8a92655a98d754f
parent7f4934b6f3419e09b96233e49f837c9ba0932a6d (diff)
downloadgnutls-acdc676350280390833b3256e1823d1218ffda9b.tar.gz
refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS
This is a follow-up to !1221. See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a real-world example of ancient Cisco servers with these deficiencies. With !1221 only, gnutls-cli-debug reports that these ancient servers only support SSL 3.0 (but without extensions). Information after this point is largely erroneous: $ gnutls-cli-debug ***vpn.***.com GnuTLS debug client 3.6.12 Checking ***vpn.***.com:443 whether the server accepts default record size (512 bytes)... no whether %ALLOW_SMALL_RECORDS is required... no for SSL 3.0 (RFC6101) support... yes for SSL 3.0 with extensions... no With this additional change, gnutls-cli-debug correctly reports that such a server also supports TLS 1.0 (but again with extensions disabled). Below I've marked some of the significant fields that have changed: $ gnutls-cli-debug ***vpn.***.com GnuTLS debug client 3.6.12 Checking ***vpn.***.com:443 whether the server accepts default record size (512 bytes)... no whether %ALLOW_SMALL_RECORDS is required... no for SSL 3.0 (RFC6101) support... yes for SSL 3.0 with extensions... no whether we need to disable TLS 1.2... yes whether we need to disable TLS 1.1... yes # This is now correct: whether we need to disable TLS 1.0... no # This is now correct: whether %NO_EXTENSIONS is required... yes # This is now correct: for TLS 1.0 (RFC2246) support... yes for TLS 1.1 (RFC4346) support... no fallback from TLS 1.1 to... failed for TLS 1.2 (RFC5246) support... no # This is now correct: for known TLS or SSL protocols support... yes TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance) for inappropriate fallback (RFC7507) support... no for HTTPS server name... ****** for certificate chain order... sorted for Safe renegotiation support (SCSV)... no for version rollback bug in RSA PMS... no for version rollback bug in Client Hello... no whether the server ignores the RSA PMS version... no whether small records (512 bytes) are tolerated on handshake... 
yes whether cipher suites not in SSL 3.0 spec are accepted... yes whether a bogus TLS record version in the client hello is accepted... yes whether the server understands TLS closure alerts... partially whether the server supports session resumption... yes for anonymous authentication support... no for ephemeral Diffie-Hellman support... no for RFC7919 Diffie-Hellman support... no for AES-GCM cipher (RFC5288) support... no for AES-CCM cipher (RFC6655) support... no for AES-CCM-8 cipher (RFC6655) support... no for AES-CBC cipher (RFC3268) support... no for CAMELLIA-GCM cipher (RFC6367) support... no for CAMELLIA-CBC cipher (RFC5932) support... no # This is now correct: for 3DES-CBC cipher (RFC2246) support... yes # This is now correct: for ARCFOUR 128 cipher (RFC2246) support... yes for CHACHA20-POLY1305 cipher (RFC7905) support... no for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no for MD5 MAC support... yes for SHA1 MAC support... yes for SHA256 MAC support... no for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-rw-r--r--src/cli-debug.c3
-rw-r--r--src/tests.c26
2 files changed, 24 insertions, 5 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index ece03a2729..c98c0c6f4a 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -85,6 +85,9 @@ static const TLS_TEST tls_tests[] = {
test_send_record_with_allow_small_records, "yes", "no", "dunno"},
#ifdef ENABLE_SSL3
{"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"},
+ /* The following test will disable extensions if the server
+ * does support SSL 3.0, but only incompletely and without
+ * extensions. */
{"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"},
{"for SSL 3.0 with cipher suites not in SSL 3.0 spec",
test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"},
diff --git a/src/tests.c b/src/tests.c
index 8cc06347c1..c7f2662efe 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -635,8 +635,16 @@ test_code_t test_ssl3_with_extensions(gnutls_session_t session)
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = test_do_handshake(session);
- if (ret == TEST_SUCCEED)
- ssl3_ok = 1;
+ if (ssl3_ok != 0 && ret != TEST_SUCCEED) {
+ /* We need to disable extensions before trying TLS 1.0, because
+ * it also may not work with extensions. There are known servers
+ * which partially support both SSL 3.0 and TLS 1.0, but *both*
+ * only with disabled extensions:
+ * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384
+ */
+ tls_ext_ok = 0;
+ strcat(rest, ":%NO_EXTENSIONS");
+ }
return ret;
}
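Review bot: The `strcat(rest, ":%NO_EXTENSIONS")` added in the fallback branch appends to the shared `rest` buffer without a length check, and the buffer's declaration and capacity are outside this hunk, so nothing visible here shows that the suffix always fits. `rest` is later expanded into `prio_str` through unbounded `sprintf` calls, so each new appender tightens both margins. If `rest` is a fixed-size array, a bounded append such as `size_t used = strlen(rest); snprintf(rest + used, sizeof(rest) - used, "%s", ":%NO_EXTENSIONS");` would keep the write in range. The start of test_ssl3_with_extensions is outside the hunk.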
@@ -645,7 +653,7 @@ test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
{
int ret;
sprintf(prio_str, INIT_STR
- ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
ALL_MACS ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
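Review bot: With the hard-coded `%%NO_EXTENSIONS` removed from the format string, this probe runs without extensions only if an earlier test has already appended `:%NO_EXTENSIONS` to `rest`, and nothing at the `sprintf` says so. A short comment above it would record the dependency, for example `/* %NO_EXTENSIONS is no longer forced here; it arrives via rest when test_ssl3_with_extensions found it necessary */`. The dependency is on the order of entries in `tls_tests[]` in src/cli-debug.c, so reordering that table would change what this test measures without any compile-time signal. The function body continues past the end of the hunk.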
@@ -1040,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls1_ok = 1;
strcat(rest, ":%COMPAT");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
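Review bot: The new `} else` on the failure path is left unbraced while its `if` is braced, so a statement added later under it would fall outside the branch. Bracing it, as in `} else { ret = TEST_IGNORE2; /* neither succeeded */ }`, keeps the two arms consistent. The same construct is added at the end of test_no_extensions in the last hunk of this file. The comment `/* neither succeeded */` could also name the two attempts it refers to, since the first one lies above the visible lines.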
@@ -1050,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session)
{
int ret;
+#ifdef ENABLE_SSL3
+ /* If already disabled by test_ssl3_with_extensions */
+ if (ssl3_ok != 0 && tls_ext_ok == 0)
+ return TEST_FAILED;
+#endif
+
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
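Review bot: The early `return TEST_FAILED` reads as an error path, but judging by the sample output in the commit message a failed result of this test is what gets printed as %NO_EXTENSIONS being required; that mapping is in the `tls_tests[]` table, outside this hunk. The one-line comment could say so and also explain why the probe is skipped, for example `/* Extensions were already disabled by test_ssl3_with_extensions: report "required" without re-probing, and do not append :%NO_EXTENSIONS to rest a second time */`. It may also be worth noting in that comment that the check relies on `ssl3_ok` and `tls_ext_ok` keeping the values set by the earlier tests in the same run.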
@@ -1071,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls_ext_ok = 0;
strcat(rest, ":%NO_EXTENSIONS");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;