authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-04-11 08:34:15 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-04-13 08:49:19 +0200
commit74830d83eb09f440214b3dedb929677ebc0358a7 (patch)
tree0edcc6dcb663920de5f5a0ee18697a98695112f3
parent6009094a8cb41ce82f634708dd846ab867d9483a (diff)
downloadgnutls-74830d83eb09f440214b3dedb929677ebc0358a7.tar.gz
ANON,SRP,NULL ciphersuites: when set do not negotiate TLS1.3 or later
The reason is that these ciphersuites cannot be negotiated using TLS1.3. There is a different strategy followed for these. * NULL ciphersuites: they are not something normally enabled and used for debugging purposes mostly. When set both in client and server side only TLS1.2 can be used. * SRP ciphersuites: they are used on client side when the client is actually performing a username-password authentication with SRP. On server side we can have indeed a server support SRP and non-SRP. In that case we limit both on TLS1.2. That is an unfortunate restriction, but is not a regression and IMHO these servers would most likely be phased out as very few would want to stick to TLS1.2 connections for SRP; or we may have an SRP update for TLS1.3 which could lift that limitation in the future. * ANON ciphersuites: they are used in certain client/server setups where very basic level of security is required, and in opportunistic encryption scenarios. There is a difference in the handling of these cases. In the case of Anon-only server/clients they provide the session with anonymous credentials structure; in the case of opportunistic encryption they provide both certificate and anonymous credentials. Thus we allow the protocol (TLS1.3) be in the priorities, but if we see no certificate or PSK credentials we disable TLS1.3 negotiation. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--doc/cha-intro-tls.texi10
-rw-r--r--doc/cha-shared-key.texi6
-rw-r--r--lib/ext/key_share.c5
-rw-r--r--lib/ext/srp.h4
-rw-r--r--lib/ext/supported_versions.c22
-rw-r--r--lib/handshake.c2
-rw-r--r--lib/handshake.h15
-rw-r--r--lib/priority.c38
-rw-r--r--tests/anonself.c105
-rw-r--r--tests/common-cert-key-exchange.c2
-rw-r--r--tests/srp.c28
-rw-r--r--tests/tls12-cipher-neg.c14
-rw-r--r--tests/tls13-cert-key-exchange.c9
-rw-r--r--tests/tls13-cipher-neg.c14
14 files changed, 184 insertions, 90 deletions
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index a7c8a55112..79aa58bd7e 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -179,6 +179,16 @@ ARCFOUR-128 is a compatible algorithm with RSA's RC4 algorithm, which is conside
secret. It is a considered to be broken, and is only used for compatibility
purposed. For this reason it is not enabled by default.
+@item NULL @tab
+Legacy (stream) @tab
+TLS 1.0, TLS 1.1, TLS 1.2 @tab
+NULL is the empty/identity cipher which doesn't encrypt any data. It can be
+combined with data authentication under TLS 1.2 or earlier, but is only used
+transiently under TLS 1.3 until encryption starts. This cipher cannot be negotiated
+by default (need to be explicitly enabled) under TLS 1.2, and cannot be
+negotiated at all under TLS 1.3. When enabled, TLS 1.3 (or later) support will be
+implicitly disabled.
+
@end multitable
@caption{Supported ciphers in TLS.}
@end float
diff --git a/doc/cha-shared-key.texi b/doc/cha-shared-key.texi
index 8d1b4db4c8..394fd7952f 100644
--- a/doc/cha-shared-key.texi
+++ b/doc/cha-shared-key.texi
@@ -101,7 +101,8 @@ follow those conventions. The srptool program, discussed in the next section
is a tool to manipulate the SRP parameters.
The implementation in @acronym{GnuTLS} is based on @xcite{TLSSRP}. The
-supported key exchange methods are shown below.
+supported key exchange methods are shown below. Enabling any of these
+key exchange methods in a session disables support for TLS1.3.
@table @code
@@ -145,7 +146,8 @@ an alternative with better properties, such as key continuity, is trust on first
The available key exchange algorithms for anonymous authentication are
shown below, but note that few public servers support them, and they
-have to be explicitly enabled.
+have to be explicitly enabled. These ciphersuites are negotiated only under
+TLS 1.2.
@table @code
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 871ff08ceb..c46f0c733e 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -32,7 +32,7 @@
#include <algorithms.h>
#include "auth/psk.h"
#include "auth/cert.h"
-#include "auth/anon.h"
+#include "handshake.h"
#include "../ecc.h"
#include "../algorithms.h"
#include "pk.h"
@@ -649,6 +649,9 @@ key_share_send_params(gnutls_session_t session,
if (unlikely(ver == NULL || ver->key_shares == 0))
return 0;
+ if (!have_creds_for_tls13(session))
+ return 0;
+
/* write the total length later */
lengthp = &extdata->data[extdata->length];
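Review bot: The added have_creds_for_tls13() call sits before any client/server branch of key_share_send_params, yet the helper introduced in lib/handshake.h asserts `entity == GNUTLS_CLIENT`; if this function is also the one that emits the server's key_share (the shared early-return above suggests it serves both sides), a server-side call aborts in assert-enabled builds and, under NDEBUG, applies a client-only credential rule to the server. Guard the call on the client side only: `if (session->security_parameters.entity == GNUTLS_CLIENT && !have_creds_for_tls13(session))`. The same assumption should be checked for the _gnutls_set_server_random hunk in lib/handshake.c. key_share_send_params continues outside the hunk.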
diff --git a/lib/ext/srp.h b/lib/ext/srp.h
index ed89857ae7..5d60cd83c2 100644
--- a/lib/ext/srp.h
+++ b/lib/ext/srp.h
@@ -25,11 +25,11 @@
#include <hello_ext.h>
-#ifdef ENABLE_SRP
-
#define IS_SRP_KX(kx) ((kx == GNUTLS_KX_SRP || (kx == GNUTLS_KX_SRP_RSA) || \
kx == GNUTLS_KX_SRP_DSS)?1:0)
+#ifdef ENABLE_SRP
+
extern const hello_ext_entry_st ext_mod_srp;
typedef struct {
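Review bot: IS_SRP_KX is now exposed to every includer regardless of ENABLE_SRP, so its argument hygiene matters more than before: `kx` is used unparenthesized in the expansion, and the trailing `?1:0` adds nothing to an expression that is already boolean. Suggest `#define IS_SRP_KX(kx) ((kx) == GNUTLS_KX_SRP || (kx) == GNUTLS_KX_SRP_RSA || (kx) == GNUTLS_KX_SRP_DSS)`. The macro lines themselves are unchanged context, so this is a follow-up rather than a defect of the move.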
diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
index e9e0b88337..e2857c5e84 100644
--- a/lib/ext/supported_versions.c
+++ b/lib/ext/supported_versions.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2001-2012 Free Software Foundation, Inc.
- * Copyright (C) 2017 Red Hat, Inc.
+ * Copyright (C) 2017-2018 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -53,7 +53,6 @@ const hello_ext_entry_st ext_mod_supported_versions = {
.cannot_be_overriden = 1
};
-/* Only client sends this extension. */
static int
supported_versions_recv_params(gnutls_session_t session,
const uint8_t * data, size_t _data_size)
@@ -104,6 +103,14 @@ supported_versions_recv_params(gnutls_session_t session,
} else { /* client */
const version_entry_st *vers;
+ if (!have_creds_for_tls13(session)) {
+ /* if we don't have certificate or PSK (which work under TLS1.3)
+ * don't try to negotiate version using the extension. We fallback
+ * instead to the normal TLS negotiation which has a cap on TLS1.2.
+ */
+ return 0;
+ }
+
DECR_LEN(data_size, 2);
if (data_size != 0)
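Review bot: On the client side the new early `return 0` silently accepts a supported_versions extension that this client, by the same rule in send_params, never advertised; whether that is harmless depends on the extension framework rejecting unsolicited server extensions before this parser runs, which is not visible here. If it does not, returning `gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER)` here would be the stricter choice, since a server answering with a version extension we did not offer is a protocol violation rather than a fallback case. Either way the comment should say which of the two behaviours is intended. supported_versions_recv_params continues outside the hunk.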
@@ -150,6 +157,17 @@ supported_versions_send_params(gnutls_session_t session,
if (session->security_parameters.entity == GNUTLS_CLIENT) {
vers = _gnutls_version_max(session);
+ /* Do not advertise this extension if we are not doing certificate
+ * or PSK authentication; i.e., do not try to do TLS1.3 if we have
+ * credentials which do not fit it. */
+ if (!have_creds_for_tls13(session)) {
+ /* if we don't have certificate or PSK (which work under TLS1.3)
+ * don't try to negotiate version using the extension. We fallback
+ * instead to the normal TLS negotiation which has a cap on TLS1.2.
+ */
+ return 0;
+ }
+
/* do not advertise this extension when we haven't TLS1.3
* enabled. */
if (vers && !vers->tls13_sem)
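Review bot: The new block carries two consecutive comments that say the same thing, one above the `if` and one inside it, and the inner one is a verbatim copy of the comment added to supported_versions_recv_params in the previous hunk; keep a single comment per site. Suggest retaining only `/* Do not advertise this extension without certificate or PSK credentials: TLS1.3 cannot complete with the other credential types, so fall back to the legacy version negotiation, which caps at TLS1.2. */` and dropping the inner block. supported_versions_send_params continues outside the hunk.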
diff --git a/lib/handshake.c b/lib/handshake.c
index 5d2bf9b852..baae557c63 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -246,7 +246,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *
/* check whether the server random value is set according to
* to TLS 1.3. p4.1.3 requirements */
- if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2) {
+ if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
max = _gnutls_version_max(session);
if (max->id <= GNUTLS_TLS1_2)
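Review bot: The comment above the changed condition still describes only the TLS 1.3 server-random requirement, while the new `have_creds_for_tls13(session)` operand is the part a reader will stumble on. Suggest extending it: `/* The downgrade sentinel in the server random (RFC 8446 4.1.3) is only meaningful if we offered TLS1.3, which requires certificate or PSK credentials; with other credentials a TLS1.2 server random is legitimate. */`. Since the helper asserts a client session, it is worth confirming that _gnutls_set_server_random is never reached on the server side. The function continues outside the hunk.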
diff --git a/lib/handshake.h b/lib/handshake.h
index 1096226410..2175d6f2db 100644
--- a/lib/handshake.h
+++ b/lib/handshake.h
@@ -26,6 +26,7 @@
#include "errors.h"
#include "record.h"
+#include <assert.h>
#define IMED_RET( str, ret, allow_alert) do { \
if (ret < 0) { \
@@ -107,6 +108,20 @@ inline static int handshake_remaining_time(gnutls_session_t session)
return 0;
}
+/* Returns non-zero if the present credentials are sufficient for TLS1.3 negotiation.
+ * This is to be used in client side only. On server side, it is allowed to start
+ * without credentials.
+ */
+inline static unsigned have_creds_for_tls13(gnutls_session_t session)
+{
+ assert(session->security_parameters.entity == GNUTLS_CLIENT);
+ if (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) != NULL ||
+ _gnutls_get_cred(session, GNUTLS_CRD_PSK) != NULL)
+ return 1;
+
+ return 0;
+}
+
int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t *shash);
int _gnutls_check_id_for_change(gnutls_session_t session);
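Review bot: have_creds_for_tls13 documents a client-only contract but enforces it with `assert()`, which aborts the whole library on misuse in debug builds and disappears under NDEBUG, at which point a server-side caller silently gets a client-only answer; given the comment itself says a server may start without credentials, returning explicitly is closer to the stated contract: `if (session->security_parameters.entity == GNUTLS_SERVER) return 1;`. The remaining body can then be a single expression, `return _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) != NULL || _gnutls_get_cred(session, GNUTLS_CRD_PSK) != NULL;`. The header comment should also state that sessions carrying only anonymous or SRP credentials are deliberately reported as not TLS1.3-capable, since that is the behaviour the callers in supported_versions.c and key_share.c rely on.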
diff --git a/lib/priority.c b/lib/priority.c
index fef7d5f9ba..89aabef7d8 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -33,6 +33,7 @@
#include <hello_ext.h>
#include "fips.h"
#include "errno.h"
+#include "ext/srp.h"
#include <gnutls/gnutls.h>
#define MAX_ELEMENTS 64
@@ -1192,19 +1193,46 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
const version_entry_st *dtlsmax = NULL;
const version_entry_st *tlsmin = NULL;
const version_entry_st *dtlsmin = NULL;
- unsigned have_tls13 = 0;
- unsigned have_psk = 0;
+ unsigned have_tls13 = 0, have_srp = 0;
+ unsigned have_psk = 0, have_null = 0;
priority_cache->cs.size = 0;
priority_cache->sigalg.size = 0;
priority_cache->groups.size = 0;
priority_cache->groups.have_ffdhe = 0;
+ for (j=0;j<priority_cache->_cipher.algorithms;j++) {
+ if (priority_cache->_cipher.priority[j] == GNUTLS_CIPHER_NULL) {
+ have_null = 1;
+ break;
+ }
+ }
+
+ for (i = 0; i < priority_cache->_kx.algorithms; i++) {
+ if (IS_SRP_KX(priority_cache->_kx.priority[i])) {
+ have_srp = 1;
+ } else if (_gnutls_kx_is_psk(priority_cache->_kx.priority[i])) {
+ have_psk = 1;
+ }
+ }
+
for (i = 0; i < priority_cache->protocol.algorithms; i++) {
vers = version_to_entry(priority_cache->protocol.priority[i]);
if (!vers)
continue;
+ /* if we have NULL ciphersuites enabled, remove TLS1.3+ protocol versions;
+ * they cannot be negotiated under TLS1.3. */
+ if (have_null || have_srp) {
+ if (vers->tls13_sem) {
+ for (j=i+1;j<priority_cache->protocol.algorithms;j++)
+ priority_cache->protocol.priority[j-1] = priority_cache->protocol.priority[j];
+ priority_cache->protocol.algorithms--;
+ i--;
+ continue;
+ }
+ }
+
if (vers->transport == GNUTLS_STREAM) { /* TLS */
tls_sig_sem |= vers->tls_sig_sem;
if (vers->tls13_sem)
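Review bot: The comment on the removal block mentions only NULL ciphersuites while the condition is `have_null || have_srp`; suggest `/* NULL ciphers and SRP key exchanges cannot be negotiated under TLS1.3; drop every protocol version with TLS1.3 semantics from the list. */`. The in-place removal depends on `i--` being undone by the loop's `i++`; if `i` is unsigned (its declaration is outside the hunk) this is defined wraparound at index 0 but easy to misread, and a `memmove` of the tail with a separate write index would make the intent plain. It is also worth a sentence that when every enabled version has TLS1.3 semantics the list becomes empty and the later GNUTLS_E_NO_PRIORITIES_WERE_SET check fires. set_ciphersuite_list continues outside the hunk.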
@@ -1230,12 +1258,6 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
if ((!tlsmax || !tlsmin) && (!dtlsmax || !dtlsmin))
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
- for (i = 0; i < priority_cache->_kx.algorithms; i++) {
- if (_gnutls_kx_is_psk(priority_cache->_kx.priority[i])) {
- have_psk = 1;
- break;
- }
- }
priority_cache->have_psk = have_psk;
diff --git a/tests/anonself.c b/tests/anonself.c
index 79fd5c6646..26e360743f 100644
--- a/tests/anonself.c
+++ b/tests/anonself.c
@@ -1,8 +1,9 @@
/*
* Copyright (C) 2004-2012 Free Software Foundation, Inc.
* Copyright (C) 2013 Adam Sampson <ats@offog.org>
+ * Copyright (C) 2018 Red Hat, Inc.
*
- * Author: Simon Josefsson
+ * Author: Simon Josefsson, Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
@@ -21,8 +22,6 @@
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-/* Parts copied from GnuTLS example programs. */
-
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -35,7 +34,6 @@
#if defined(_WIN32)
-/* socketpair isn't supported on Win32. */
int main(int argc, char **argv)
{
exit(77);
@@ -51,6 +49,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#endif
#include <unistd.h>
+#include <assert.h>
#include <gnutls/gnutls.h>
#include "utils.h"
@@ -60,10 +59,10 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "|<%d>| %s", level, str);
}
-#define MAX_BUF 1024
#define MSG "Hello TLS"
+#define MAX_BUF 1024
-static void client(int sd)
+static void client(int sd, const char *prio)
{
int ret, ii;
gnutls_session_t session;
@@ -84,9 +83,9 @@ static void client(int sd)
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_priority_set_direct(session,
- "NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
- NULL);
+ assert(gnutls_priority_set_direct(session,
+ prio,
+ NULL) >= 0);
/* put the anonymous credentials to the current session
*/
@@ -107,7 +106,8 @@ static void client(int sd)
success("client: Handshake was completed\n");
}
- print_dh_params_info(session);
+ if (debug)
+ print_dh_params_info(session);
if (debug)
success("client: TLS version is: %s\n",
@@ -158,54 +158,15 @@ static void client(int sd)
gnutls_global_deinit();
}
-/* This is a sample TLS 1.0 echo server, for anonymous authentication only.
- */
-
-#define MAX_BUF 1024
#define DH_BITS 1024
-/* These are global */
-gnutls_anon_server_credentials_t anoncred;
-
-static gnutls_session_t initialize_tls_session(void)
-{
- gnutls_session_t session;
-
- gnutls_init(&session, GNUTLS_SERVER);
-
- /* avoid calling all the priority functions, since the defaults
- * are adequate.
- */
- gnutls_priority_set_direct(session,
- "NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
- NULL);
-
- gnutls_handshake_set_timeout(session, 20 * 1000);
- gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
-
- gnutls_dh_set_prime_bits(session, DH_BITS);
-
- return session;
-}
-
-static gnutls_dh_params_t dh_params;
-
-static int generate_dh_params(void)
+static void server(int sd, const char *prio)
{
const gnutls_datum_t p3 = { (void *) pkcs3, strlen(pkcs3) };
- gnutls_dh_params_init(&dh_params);
- return gnutls_dh_params_import_pkcs3(dh_params, &p3,
- GNUTLS_X509_FMT_PEM);
-}
-
-int err, ret;
-char topbuf[512];
-gnutls_session_t session;
-char buffer[MAX_BUF + 1];
-int optval = 1;
-
-static void server(int sd)
-{
+ gnutls_anon_server_credentials_t anoncred;
+ gnutls_dh_params_t dh_params;
+ int ret;
+ gnutls_session_t session;
gnutls_packet_t packet;
/* this must be called once in the program
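Review bot: anoncred and dh_params become locals of server(), and server() is now run once per start() case, so the tail of the function (outside this hunk) must release both with gnutls_anon_free_server_credentials and gnutls_dh_params_deinit or every case leaks them; the old globals were presumably freed once, if at all. The hunk also does not show where the local anoncred is allocated before gnutls_anon_set_server_dh_params uses it, so please confirm the allocation was moved along with the declaration. server() continues outside the hunk.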
@@ -221,11 +182,20 @@ static void server(int sd)
if (debug)
success("Launched, generating DH parameters...\n");
- generate_dh_params();
+ assert(gnutls_dh_params_init(&dh_params)>=0);
+ assert(gnutls_dh_params_import_pkcs3(dh_params, &p3,
+ GNUTLS_X509_FMT_PEM)>=0);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
- session = initialize_tls_session();
+ assert(gnutls_init(&session, GNUTLS_SERVER)>=0);
+
+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
+
+ gnutls_handshake_set_timeout(session, 20 * 1000);
+ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
+
+ gnutls_dh_set_prime_bits(session, DH_BITS);
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
@@ -244,7 +214,8 @@ static void server(int sd)
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
- print_dh_params_info(session);
+ if (debug)
+ print_dh_params_info(session);
for (;;) {
ret = gnutls_record_recv_packet(session, &packet);
@@ -286,11 +257,13 @@ static void server(int sd)
success("server: finished\n");
}
-void doit(void)
+static
+void start(const char *name, const char *prio)
{
pid_t child;
- int sockets[2];
+ int sockets[2], err;
+ success("testing: %s\n", name);
err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
if (err == -1) {
perror("socketpair");
@@ -308,13 +281,23 @@ void doit(void)
if (child) {
int status;
/* parent */
- server(sockets[0]);
+ server(sockets[0], prio);
wait(&status);
check_wait_status(status);
} else {
- client(sockets[1]);
+ client(sockets[1], prio);
exit(0);
}
}
+void doit(void)
+{
+ start("tls1.2 anon-dh", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ANON-DH");
+ start("tls1.2 anon-ecdh", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ANON-ECDH");
+ start("tls1.3 anon-dh", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-KX-ALL:+ANON-DH");
+ start("tls1.3 anon-ecdh", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-KX-ALL:+ANON-ECDH");
+ start("default anon-dh", "NORMAL:-KX-ALL:+ANON-DH");
+ start("default anon-ecdh", "NORMAL:-KX-ALL:+ANON-ECDH");
+}
+
#endif /* _WIN32 */
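Review bot: The "tls1.3 anon-dh" and "tls1.3 anon-ecdh" cases exercise the commit's central claim, that TLS1.3 in the priority string degrades to TLS1.2 when only anonymous credentials are present, but nothing asserts the negotiated version; client() only prints it under debug, so the case also passes if the handshake unexpectedly completes as TLS1.3. Suggest giving start() an expected-version argument that is threaded to client() and checked there with `assert(gnutls_protocol_get_version(session) == expected);`, with GNUTLS_TLS1_2 for all six cases here. The "tls1.3 and srp-1024" case added in tests/srp.c has the same gap.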
diff --git a/tests/common-cert-key-exchange.c b/tests/common-cert-key-exchange.c
index 3f3ce085f5..9d8fbb217b 100644
--- a/tests/common-cert-key-exchange.c
+++ b/tests/common-cert-key-exchange.c
@@ -196,7 +196,7 @@ void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algori
assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0);
else
assert(gnutls_priority_set_direct(server,
- "NORMAL:+VERS-TLS1.3:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
+ "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
diff --git a/tests/srp.c b/tests/srp.c
index 9143293f7e..78eed5b1b0 100644
--- a/tests/srp.c
+++ b/tests/srp.c
@@ -194,7 +194,7 @@ static void terminate(void)
static void server(int fd, const char *prio)
{
- int ret;
+ int ret, kx;
gnutls_session_t session;
gnutls_srp_server_credentials_t s_srp_cred;
gnutls_certificate_credentials_t s_x509_cred;
@@ -250,6 +250,11 @@ static void server(int fd, const char *prio)
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
+ kx = gnutls_kx_get(session);
+ if (kx != GNUTLS_KX_SRP && kx != GNUTLS_KX_SRP_RSA &&
+ kx != GNUTLS_KX_SRP_DSS)
+ fail("server: unexpected key exchange: %s\n", gnutls_kx_get_name(kx));
+
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
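Review bot: `kx` is declared `int` in the hunk above but receives gnutls_kx_get()'s gnutls_kx_algorithm_t and is compared against enum constants; declaring it `gnutls_kx_algorithm_t kx;` keeps the comparison type-correct and quiet under -Wconversion. The check is otherwise a good addition, since it makes the server side fail loudly if a non-SRP key exchange were ever selected. server() continues outside the hunk.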
@@ -340,18 +345,21 @@ void doit(void)
fwrite(tpasswd_file, 1, strlen(tpasswd_file), fd);
fclose(fd);
- start("srp-1024", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test", "test", 0);
- start("srp-1536", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test2", "test2", 0);
- start("srp-2048", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test3", "test3", 0);
- start("srp-3072", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test4", "test4", 0);
- start("srp-4096", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test5", "test5", 0);
- start("srp-8192", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test7", "test7", 0);
- start("srp-other", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test9", "test9", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.2 srp-1024", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test", "test", 0);
+ start("tls1.2 srp-1536", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test2", "test2", 0);
+ start("tls1.2 srp-2048", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test3", "test3", 0);
+ start("tls1.2 srp-3072", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test4", "test4", 0);
+ start("tls1.2 srp-4096", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test5", "test5", 0);
+ start("tls1.2 srp-8192", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test7", "test7", 0);
+ start("tls1.2 srp-other", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test9", "test9", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+ start("tls1.2 srp-rsa", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP-RSA", "test", "test", 0);
- start("srp-rsa", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP-RSA", "test", "test", 0);
+ /* check whether SRP works with TLS1.3 being prioritized */
+ start("tls1.3 and srp-1024", "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1", "test", "test", 0);
/* check whether SRP works with the default protocol set */
- start("srp-1024", "NORMAL:-KX-ALL:+SRP", "test", "test", 0);
+ start("default srp-1024", "NORMAL:-KX-ALL:+SRP", "test", "test", 0);
remove("tpasswd");
remove("tpasswd.conf");
diff --git a/tests/tls12-cipher-neg.c b/tests/tls12-cipher-neg.c
index 775ccdb9f4..3e2352d677 100644
--- a/tests/tls12-cipher-neg.c
+++ b/tests/tls12-cipher-neg.c
@@ -39,6 +39,20 @@
test_case_st tests[] = {
{
+ .name = "server TLS 1.2: NULL (server)",
+ .not_on_fips = 1,
+ .cipher = GNUTLS_CIPHER_NULL,
+ .server_prio = "NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
+ .client_prio = "NORMAL:+NULL"
+ },
+ {
+ .name = "client TLS 1.2: NULL (client)",
+ .not_on_fips = 1,
+ .cipher = GNUTLS_CIPHER_NULL,
+ .server_prio = "NORMAL:+NULL",
+ .client_prio = "NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+ },
+ {
.name = "server TLS 1.2: AES-128-GCM (server)",
.cipher = GNUTLS_CIPHER_AES_128_GCM,
.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c
index 5cf60a7189..dc1e8ccb15 100644
--- a/tests/tls13-cert-key-exchange.c
+++ b/tests/tls13-cert-key-exchange.c
@@ -39,7 +39,12 @@ void doit(void)
{
global_init();
- /* TLS 1.3 no clin cert */
+ server_priority = "NORMAL:+ANON-DH:+ANON-ECDH:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519";
+ try("TLS 1.3 with ffdhe2048 rsa no-cli-cert / anon on server", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+
+ server_priority = "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519";
+
+ /* TLS 1.3 no client cert */
try("TLS 1.3 with ffdhe2048 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
try("TLS 1.3 with ffdhe3072 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE3072", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
try("TLS 1.3 with ffdhe4096 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE4096", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
@@ -90,7 +95,7 @@ void doit(void)
try_ks("TLS 1.3 with x25519 -> ffdhe3072 key share", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP384R1:+GROUP-FFDHE3072", GNUTLS_KX_DHE_RSA, GNUTLS_GROUP_FFDHE3072);
/* TLS 1.2 fallback */
- server_priority = "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
+ server_priority = "NORMAL:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
try_with_key_ks("TLS 1.2 fallback with x25519 ed25519 no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-KX-ALL:+ECDHE-ECDSA:-CURVE-ALL:+CURVE-X25519:-SIGN-ALL:+SIGN-EDDSA-ED25519", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_EDDSA_ED25519, GNUTLS_SIGN_UNKNOWN,
&server_ca3_eddsa_cert, &server_ca3_eddsa_key, NULL, NULL, 0, 0);
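Review bot: The rewritten `server_priority = "...",` line still ends in a comma, turning the assignment and the following try_with_key_ks() call into one comma expression; it compiles only because assignment binds tighter than the comma operator, and it hides the statement boundary from readers and formatters. Terminate it with `;` instead. doit() continues outside the hunk.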
diff --git a/tests/tls13-cipher-neg.c b/tests/tls13-cipher-neg.c
index b2d402cb85..df8d8de035 100644
--- a/tests/tls13-cipher-neg.c
+++ b/tests/tls13-cipher-neg.c
@@ -45,6 +45,20 @@
test_case_st tests[] = {
{
+ .name = "server TLS 1.3: NULL (server - exp fallback)",
+ .not_on_fips = 1,
+ .cipher = GNUTLS_CIPHER_NULL,
+ .server_prio = SPRIO":+VERS-TLS1.2:-CIPHER-ALL:+NULL:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL",
+ .client_prio = CPRIO":+VERS-TLS1.2:+NULL:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1"
+ },
+ {
+ .name = "client TLS 1.3: NULL (client)",
+ .not_on_fips = 1,
+ .cipher = GNUTLS_CIPHER_NULL,
+ .server_prio = SPRIO":+VERS-TLS1.2:+NULL:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1",
+ .client_prio = CPRIO":-CIPHER-ALL:+NULL:+CIPHER-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL"
+ },
+ {
.name = "server TLS 1.3: AES-128-GCM with SECP256R1 (server)",
.cipher = GNUTLS_CIPHER_AES_128_GCM,
.group = GNUTLS_GROUP_SECP256R1,