authorDmitry Baryshkov <dbaryshkov@gmail.com>2020-06-14 21:26:31 +0000
committerDmitry Baryshkov <dbaryshkov@gmail.com>2020-06-14 21:26:31 +0000
commit19684cc408a44cf2993a3d59a9cb651072166b8e (patch)
tree98277c2792283bb59be800bc9b8ca28ae0175196
parentbf6d31b09c2e72adc0da003dcc7ef8ac3b1b89e8 (diff)
parentb82ed6412d1736e36b3edfe4901d494c6ebc3520 (diff)
downloadgnutls-19684cc408a44cf2993a3d59a9cb651072166b8e.tar.gz
Merge branch 'better_SSL3.0_tests' into 'master'
Refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS. See merge request gnutls/gnutls!1251
-rw-r--r--src/cli-debug.c3
-rw-r--r--src/tests.c26
2 files changed, 24 insertions, 5 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index ece03a2729..c98c0c6f4a 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -85,6 +85,9 @@ static const TLS_TEST tls_tests[] = {
test_send_record_with_allow_small_records, "yes", "no", "dunno"},
#ifdef ENABLE_SSL3
{"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"},
+ /* The following test will disable extensions if the server
+ * does support SSL 3.0, but only incompletely and without
+ * extensions. */
{"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"},
{"for SSL 3.0 with cipher suites not in SSL 3.0 spec",
test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"},
diff --git a/src/tests.c b/src/tests.c
index 8cc06347c1..c7f2662efe 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -635,8 +635,16 @@ test_code_t test_ssl3_with_extensions(gnutls_session_t session)
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = test_do_handshake(session);
- if (ret == TEST_SUCCEED)
- ssl3_ok = 1;
+ if (ssl3_ok != 0 && ret != TEST_SUCCEED) {
+ /* We need to disable extensions before trying TLS 1.0, because
+ * it also may not work with extensions. There are known servers
+ * which partially support both SSL 3.0 and TLS 1.0, but *both*
+ * only with disabled extensions:
+ * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384
+ */
+ tls_ext_ok = 0;
+ strcat(rest, ":%NO_EXTENSIONS");
+ }
return ret;
}
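Review bot: The new `strcat(rest, ":%NO_EXTENSIONS")` in test_ssl3_with_extensions appends to the shared `rest` buffer with no length check, and `rest` is also extended by the `strcat` calls visible in test_record_padding and test_no_extensions. The declaration and size of `rest` are not in this diff, so it cannot be confirmed from here that the accumulated suffixes always fit. If `rest` is a true array, a bounded append would make the limit explicit: `size_t used = strlen(rest);` followed by `snprintf(rest + used, sizeof(rest) - used, "%s", ":%NO_EXTENSIONS");`. The condition also treats any non-success result from test_do_handshake as extension intolerance, so a transient connection failure would presumably switch extensions off for every later probe. The function body starts above the hunk.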
@@ -645,7 +653,7 @@ test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
{
int ret;
sprintf(prio_str, INIT_STR
- ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
ALL_MACS ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
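Review bot: test_ssl3_unknown_ciphersuites now sends extensions unless an earlier test has already appended `:%NO_EXTENSIONS` to `rest`, and nothing at this call site records that dependency on test ordering. A comment above the `sprintf` would help, for example `/* extensions are disabled through rest by test_ssl3_with_extensions when the server needs it; keep that test earlier in tls_tests[] */`. The `sprintf` into `prio_str` is also unbounded, and its tail is whatever `rest` has grown to; the size of `prio_str` is not visible here. The function continues past the end of the hunk.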
@@ -1040,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls1_ok = 1;
strcat(rest, ":%COMPAT");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
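Review bot: The added `else` at the end of test_record_padding is unbraced while its `if` branch is braced, so the `}` on the following line is easy to misread as closing the `else`. The same shape is added in test_no_extensions in the last hunk. Writing it as `} else {`, `ret = TEST_IGNORE2; /* neither attempt succeeded */`, `}` keeps both arms symmetric. The comment could also name the two attempts it refers to, since the first handshake is outside the hunk. How TEST_IGNORE2 is reported to the user is not visible in this diff.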
@@ -1050,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session)
{
int ret;
+#ifdef ENABLE_SSL3
+ /* If already disabled by test_ssl3_with_extensions */
+ if (ssl3_ok != 0 && tls_ext_ok == 0)
+ return TEST_FAILED;
+#endif
+
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
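Review bot: The early return in test_no_extensions is documented only by a sentence fragment and does not say why TEST_FAILED is the right result. A comment such as `/* test_ssl3_with_extensions already appended :%NO_EXTENSIONS to rest; skip the probe so it is not appended twice */` would state the intent. The guard infers that earlier append from `ssl3_ok != 0 && tls_ext_ok == 0` rather than from a dedicated flag, so any other path that clears `tls_ext_ok` would also take this return; whether one exists cannot be seen from the hunk. The rest of the function is outside the hunk.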
@@ -1071,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls_ext_ok = 0;
strcat(rest, ":%NO_EXTENSIONS");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;