authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-11-07 09:56:56 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-11-07 16:52:05 +0100
commitb9709cac12a0f98442042d20c02a5d1e3c8efe5a (patch)
tree84162b69d0641349d1e08f47768205531da1d899
parent531ab0943acdedd0ab5c17d3f230dad3aac0d123 (diff)
testcompat-openssl: do not test DSS or small curves with 1.1.1tmp-fix-ci-runs
DSA uses 1024-bit parameters, and these together with curves of less than 256 bits are not accepted by debian's openssl. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rwxr-xr-xtests/suite/testcompat-main-openssl64
1 files changed, 39 insertions, 25 deletions
diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
index ce035b9e36..d2708bfa8c 100755
--- a/tests/suite/testcompat-main-openssl
+++ b/tests/suite/testcompat-main-openssl
@@ -62,7 +62,7 @@ if test ${SV} != 0; then
exit 77
fi
-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
+. "${srcdir}/testcompat-common"
${SERV} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
HAVE_X25519=$?
@@ -74,6 +74,7 @@ NO_TLS1_2=$?
test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+
${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
if test $? = 0;then
NO_DH_PARAMS=0
@@ -81,6 +82,25 @@ else
NO_DH_PARAMS=1
fi
+# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+# are not accepted by openssl on debian.
+${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+if test $? = 0;then
+ NO_DSS=1
+ FIPS_CURVES=1
+else
+ ${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+ NO_DSS=$?
+fi
+
+test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
+
+if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+else
+ DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
+fi
+
${SERV} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
NO_CAMELLIA=$?
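Review bot: Setting `FIPS_CURVES=1` for OpenSSL 1.1.1+ reuses a flag that, in a later context line of this diff, also guards the `secp521r1` launch in the `-tls1_2` section (`if test "${FIPS_CURVES}" != 1; then`), so these runs appear to skip a 521-bit curve along with the small ones. The message echoed just below, `Running with FIPS140-2 enabled curves enabled`, will then also be printed on builds that are not in FIPS mode. A dedicated flag for the small-curve case, set in this branch and tested only around the `prime192v1` and `secp224r1` servers, would keep the 521-bit interop coverage; whether Debian's build accepts that curve is not visible from the diff. The new comment says `<=256 bits` while the commit message says less than 256 bits, so one of the two needs correcting.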
@@ -96,17 +116,11 @@ NO_3DES=$?
test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
-${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
-NO_DSS=$?
-
-test $NO_DSS != 0 && echo "Disabling interop tests for DSS ciphersuites"
-
${SERV} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
NO_NULL=$?
test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
-. "${srcdir}/testcompat-common"
if test "${NO_DH_PARAMS}" = 0;then
OPENSSL_DH_PARAMS_OPT=""
@@ -147,7 +161,7 @@ run_client_suite() {
# It seems debian disabled SSL 3.0 completely on openssl
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
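Review bot: `${DSA_PARAMS}` is expanded unquoted on this line, and it is only assigned in the `else` branch of the `NO_DSS` check, so when DSS is disabled the command depends on the variable not being inherited from the environment. Initialising it with `DSA_PARAMS=""` before `if test $NO_DSS != 0;then` would make the empty case explicit, the way the script already sets `OPENSSL_DH_PARAMS_OPT=""`. On the enabled path the key and certificate paths are now word-split, where the removed line quoted `"${DSA_KEY}"` and `"${DSA_CERT}"`; a comment at the assignment stating that these paths must not contain whitespace would document that. The same applies to the other `${DSA_PARAMS}` launches in the `-tls1`, `-tls1_2` and `-dtls1` hunks. run_client_suite begins and ends outside this hunk.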
@@ -173,7 +187,7 @@ run_client_suite() {
if test "${NO_RC4}" != 1; then
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 >/dev/null
PID=$!
wait_server ${PID}
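Review bot: Dropping `2>&1` from this `launch_bare_server` line, and from every other launch changed in this commit, sends s_server's stderr to the test's own output, which the commit message does not mention. If the aim is to make CI failures diagnosable, a one-line comment above the first launch, for example `# s_server stderr is left visible to diagnose startup failures`, would record the intent and keep a later cleanup from restoring the redirect. run_client_suite begins and ends outside this hunk.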
@@ -189,7 +203,7 @@ run_client_suite() {
if test "${NO_NULL}" = 0; then
#-cipher RSA-NULL
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -204,7 +218,7 @@ run_client_suite() {
#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -255,7 +269,7 @@ run_client_suite() {
if test "${FIPS_CURVES}" != 1; then
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -269,7 +283,7 @@ run_client_suite() {
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -284,7 +298,7 @@ run_client_suite() {
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -298,7 +312,7 @@ run_client_suite() {
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -312,7 +326,7 @@ run_client_suite() {
#-cipher PSK
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
PID=$!
wait_server ${PID}
@@ -327,7 +341,7 @@ run_client_suite() {
# Tests requiring openssl 1.0.1 - TLS 1.2
#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -358,7 +372,7 @@ run_client_suite() {
if test "${HAVE_X25519}" = 0; then
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -373,7 +387,7 @@ run_client_suite() {
if test "${FIPS_CURVES}" != 1; then
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -387,7 +401,7 @@ run_client_suite() {
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -401,7 +415,7 @@ run_client_suite() {
if test "${FIPS_CURVES}" != 1; then
#-cipher ECDHE-ECDSA-AES128-SHA
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
PID=$!
wait_server ${PID}
@@ -416,7 +430,7 @@ run_client_suite() {
#-cipher PSK
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
PID=$!
wait_server ${PID}
@@ -428,7 +442,7 @@ run_client_suite() {
wait
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_udp_server ${PID}
@@ -441,7 +455,7 @@ run_client_suite() {
wait
eval "${GETPORT}"
- launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_udp_server ${PID}
@@ -455,7 +469,7 @@ run_client_suite() {
if test "${NO_DSS}" = 0; then
eval "${GETPORT}"
- launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null 2>&1
+ launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
PID=$!
wait_udp_server ${PID}