authorTim Taubert <ttaubert@mozilla.com>2016-03-11 11:52:04 +0100
committerTim Taubert <ttaubert@mozilla.com>2016-03-11 11:52:04 +0100
commitf83759faedaff3ec275ac5bfb2e71a5cdc84c605 (patch)
tree48582892e21db6fef3b9da5883b51bdad679b14e /tests/ssl
parent4a18517e2130ec789aed957e3f9ffafd30f04075 (diff)
Bug 1228555 - Remove support for SSLv2 r=mt,wtc,ekr
Diffstat (limited to 'tests/ssl')
-rwxr-xr-xtests/ssl/ssl.sh40
-rw-r--r--tests/ssl/sslcov.txt14
-rw-r--r--tests/ssl/sslstress.txt2
3 files changed, 8 insertions, 48 deletions
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 125ad59cc..4143b67ef 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -86,14 +86,13 @@ ssl_init()
if [ -z "$NSS_DISABLE_ECC" ] ; then
ECC_STRING=" - with ECC"
# List of cipher suites to test, including ECC cipher suites.
- CIPHER_SUITES="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
+ CIPHER_SUITES="-c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
else
ECC_STRING=""
# List of cipher suites to test, excluding ECC cipher suites.
- CIPHER_SUITES="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz"
+ CIPHER_SUITES="-c :0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz"
fi
-
if [ "${OS_ARCH}" != "WINNT" ]; then
ulimit -n 1000 # make sure we have enough file descriptors
fi
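Review bot: Both new CIPHER_SUITES values start with a bare `:` that reads like a separator left behind when the `ABCDEF` prefix was deleted, and neither comment above the assignments explains the string format. Because the values end in `:00A2cdefgijklmnvyz` and `:CCAAcdefgijklmnvyz`, each hex suite appears to carry its own leading colon with the single-letter suites appended afterwards, so the colon is most likely required. A line such as `# Format: ":XXXX" per hex suite, then single-letter suites; the leading colon belongs to the first hex code.` above each assignment would keep a later cleanup from removing it. ssl_init begins and ends outside this hunk.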
@@ -267,7 +266,7 @@ ssl_cov()
mixed=0
start_selfserv # Launch the server
- VMIN="ssl2"
+ VMIN="ssl3"
VMAX="tls1.1"
exec < ${SSLCOV}
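Review bot: VMIN is now assigned once before the read loop, while ssl_policy (last ssl.sh hunk) still assigns `VMIN="ssl3"` at the top of every iteration, so the two loops follow different patterns for the same protocol floor. The per-test reset removed in the next hunk was what restored VMIN on each pass; if anything in the loop body outside these hunks still changes VMIN, the value would now carry over into later tests. Either move the assignment inside the loop as ssl_policy does, or state the invariant with `# SSL 3.0 is the floor for every coverage test; nothing below may change VMIN`. ssl_cov continues outside the hunk.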
@@ -275,26 +274,10 @@ ssl_cov()
do
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
- echo "${testname}" | grep "SSL2" > /dev/null
- SSL2=$?
- if [ "${SSL2}" -eq 0 ] ; then
- # We cannot use asynchronous cert verification with SSL2
- SSL2_FLAGS=-O
- VMIN="ssl2"
- else
- # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
- # default in libssl but it is enabled by default in tstclnt; we want
- # to test the libssl default whenever possible.
- SSL2_FLAGS=
- VMIN="ssl3"
- fi
-
- if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
+ elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
echo "$SCRIPTNAME: running $testname ----------------------------"
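Review bot: With the SSL2 branches gone from this skip chain, nothing in the tests/ssl part of the change asserts that an SSLv2 handshake is now refused; the suite only stops exercising it. A removed protocol is the kind of thing that should have a negative regression test, so that a later change cannot silently re-enable it. The diff shown is limited to tests/ssl, so such a test may exist elsewhere; if it does not, leave a marker here such as `# TODO: add a negative case asserting that an SSLv2-only handshake against selfserv fails`. The loop and ssl_cov both start and end outside this hunk.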
@@ -337,11 +320,11 @@ ssl_cov()
fi
fi
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
echo " -f -d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${SSL2_FLAGS} ${CLIENT_OPTIONS} -f \
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
-d ${P_R_CLIENTDIR} -v -w nss < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
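Review bot: The tstclnt invocation is still spelled out twice, once in the `echo` and once for the real call, and this change had to strip `${SSL2_FLAGS}` from both copies by hand. The logged line is what a reader uses to see which version range a failing test negotiated, so the two copies should not be able to drift apart. Building the shared part once, e.g. `CLNT_ARGS="-p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS}"`, and using `${CLNT_ARGS}` in both places keeps them identical. The enclosing loop body starts and ends outside this hunk.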
@@ -585,19 +568,13 @@ ssl_stress()
continue
fi
- echo "${testname}" | grep "SSL2" > /dev/null
- SSL2=$?
echo "${testname}" | grep "client auth" > /dev/null
CAUTH=$?
- if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
- echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
- echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
@@ -747,7 +724,6 @@ ssl_policy()
exec < ${SSLPOLICY}
while read value ectype testmax param policy testname
do
- SSL2_FLAGS=
VMIN="ssl3"
if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
diff --git a/tests/ssl/sslcov.txt b/tests/ssl/sslcov.txt
index da6f23e76..4dbe207be 100644
--- a/tests/ssl/sslcov.txt
+++ b/tests/ssl/sslcov.txt
@@ -4,23 +4,9 @@
#
# This file enables test coverage of the various SSL ciphers
#
-# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
-# mix up the enable functions so we can tests boths paths.
-#
# Enable Enable Cipher Test Name
# EC TLS
#
- noECC SSL3 A SSL2_RC4_128_WITH_MD5
- noECC TLS10 B SSL2_RC4_128_EXPORT40_WITH_MD5
- noECC TLS10 C SSL2_RC2_128_CBC_WITH_MD5
- noECC SSL3 D SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
- noECC TLS10 E SSL2_DES_64_CBC_WITH_MD5
- noECC SSL3 F SSL2_DES_192_EDE3_CBC_WITH_MD5
-#
- noECC TLS11 B SSL2_RC4_128_EXPORT40_WITH_MD5
- noECC TLS11 C SSL2_RC2_128_CBC_WITH_MD5
- noECC TLS11 E SSL2_DES_64_CBC_WITH_MD5
-#
noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
diff --git a/tests/ssl/sslstress.txt b/tests/ssl/sslstress.txt
index 738d69041..3da588c41 100644
--- a/tests/ssl/sslstress.txt
+++ b/tests/ssl/sslstress.txt
@@ -8,7 +8,6 @@
# Enable return server client Test Case name
# ECC value params params
# ------- ------ ------ ------ ---------------
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
@@ -21,7 +20,6 @@
#
# add client auth versions here...
#
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)