diff options
author | Kurt Roeckx <kurt@roeckx.be> | 2015-12-06 17:56:41 +0100 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-02 10:47:52 -0500 |
commit | 7946ab33cecce60afcc00afc8fc18f31f9e66bff (patch) | |
tree | fa178fbc42a649e87e201820cc11796dc3c7d6de | |
parent | 1e0784ff95cd69090e26e2205bfec6305038db56 (diff) | |
download | openssl-new-7946ab33cecce60afcc00afc8fc18f31f9e66bff.tar.gz |
Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 73 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_new.pod | 126 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_min_proto_version.pod | 42 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 10 | ||||
-rw-r--r-- | include/openssl/dtls1.h | 1 | ||||
-rw-r--r-- | include/openssl/ssl.h | 13 | ||||
-rw-r--r-- | ssl/d1_lib.c | 16 | ||||
-rw-r--r-- | ssl/ssl_conf.c | 81 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 16 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 9 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 64 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 41 | ||||
-rw-r--r-- | test/recipes/80-test_ssl.t | 518 | ||||
-rw-r--r-- | test/ssltest.c | 142 |
15 files changed, 1063 insertions, 97 deletions
@@ -4,6 +4,14 @@ Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + *) Add support for setting the minimum and maximum supported protocol. + It can bet set via the SSL_set_min_proto_version() and + SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and + MaxProtcol. It's recommended to use the new APIs to disable + protocols instead of disabling individual protocols using + SSL_set_options() or SSL_CONF's Protocol. + [Kurt Roeckx] + *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl. [Andy Polyakov] diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index bebd20485c..cfac7e22d2 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -74,7 +74,7 @@ B<prime256v1>). Curve names are case sensitive. =item B<-named_curve> -This sets the temporary curve used for ephemeral ECDH modes. Only used by +This sets the temporary curve used for ephemeral ECDH modes. Only used by servers The B<value> argument is a curve name or the special value B<auto> which @@ -85,7 +85,7 @@ can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name =item B<-cipher> Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is -currently not performed unless a B<SSL> or B<SSL_CTX> structure is +currently not performed unless a B<SSL> or B<SSL_CTX> structure is associated with B<cctx>. =item B<-cert> @@ -109,9 +109,14 @@ Attempts to use the file B<value> as the set of temporary DH parameters for the appropriate context. This option is only supported if certificate operations are permitted. +=item B<-min_protocol>, B<-max_protocol> + +Sets the minimum and maximum supported protocol. +Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. + =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> -Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 by setting the corresponding options B<SSL_OP_NO_SSL3>, B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. @@ -177,7 +182,7 @@ Note: the command prefix (if set) alters the recognised B<cmd> values. =item B<CipherString> Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is -currently not performed unless an B<SSL> or B<SSL_CTX> structure is +currently not performed unless an B<SSL> or B<SSL_CTX> structure is associated with B<cctx>. =item B<Certificate> @@ -250,7 +255,7 @@ B<prime256v1>). Curve names are case sensitive. =item B<ECDHParameters> -This sets the temporary curve used for ephemeral ECDH modes. Only used by +This sets the temporary curve used for ephemeral ECDH modes. Only used by servers The B<value> argument is a curve name or the special value B<Automatic> which @@ -258,16 +263,37 @@ picks an appropriate curve based on client and server preferences. The curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g B<prime256v1>). Curve names are case sensitive. +=item B<MinProtocol> + +This sets the minimum supported SSL, TLS or DTLS version. + +Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. + +=item B<MaxProtocol> + +This sets the maximum supported SSL, TLS or DTLS version. + +Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. + =item B<Protocol> -The supported versions of the SSL or TLS protocol. +This can be used to enable or disable certain versions of the SSL, TLS or DTLS protocol. + +The B<value> argument is a comma separated list of supported protocols to enable or disable. +If a protocol is preceded by B<-> that version is disabled. + +All protocol versions are enabled by default. +You need to disable at least 1 protocol version for this setting have any effect. +Only enabling some protocol versions does not disable the other protocol versions. + +Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. +The special value B<ALL> refers to all supported versions. -The B<value> argument is a comma separated list of supported protocols to -enable or disable. If an protocol is preceded by B<-> that version is disabled. -All versions are enabled by default, though applications may choose to -explicitly disable some. Currently supported protocol values are -B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers -to all supported versions. +This can't enable protocols that are disabled using B<MinProtocol> or B<MaxProtocol>, but can disable protocols that are still allowed by them. + +The B<Protocol> command is fragile and deprecated; do not use it. +Use B<MinProtocol> and B<MaxProtocol> instead. +If you do use B<Protocol>, make sure that the resulting range of enabled protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also leave TLS 1.1 enabled. =item B<Options> @@ -404,7 +430,7 @@ can be checked instead. If -3 is returned a required argument is missing and an error is indicated. If 0 is returned some other error occurred and this can be reported back to the user. -The function SSL_CONF_cmd_value_type() can be used by applications to +The function SSL_CONF_cmd_value_type() can be used by applications to check for the existence of a command or to perform additional syntax checking or translation of the command value. For example if the return value is B<SSL_CONF_TYPE_FILE> an application could translate a relative @@ -416,12 +442,29 @@ Set supported signature algorithms: SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); -Enable all protocols except SSLv3: +There are various ways to select the supported procotols. + +This set the minimum protocol version to TLSv1, and so disables SSLv3. +This is the recommended way to disable protocols. + + SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1"); + +The following also disables SSLv3: + + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); + +The following will first enable all protocols, and then disable SSLv3. +If nothing was disabled before it has the same effect as "-SSLv3", but if things were disables it will first enable them again before disabling SSLv3. SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); Only enable TLSv1.2: + SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2"); + SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2"); + +This also only enables TLSv1.2: + SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); Disable TLS session tickets: @@ -474,4 +517,6 @@ B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of OpenSSL passing a command which didn't take an argument would return B<SSL_CONF_TYPE_UNKNOWN>. +B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0. + =cut diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 15011f8fc1..2c2120a647 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions +SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method - create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions =head1 SYNOPSIS @@ -10,51 +10,77 @@ SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_metho SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); + const SSL_METHOD *TLS_method(void); + const SSL_METHOD *TLS_server_method(void); + const SSL_METHOD *TLS_client_method(void); + + #define SSLv23_method TLS_method + #define SSLv23_server_method TLS_server_method + #define SSLv23_client_method TLS_client_method + + #ifndef OPENSSL_NO_SSL3_METHOD + const SSL_METHOD *SSLv3_method(void); + const SSL_METHOD *SSLv3_server_method(void); + const SSL_METHOD *SSLv3_client_method(void); + #endif + + const SSL_METHOD *TLSv1_method(void); + const SSL_METHOD *TLSv1_server_method(void); + const SSL_METHOD *TLSv1_client_method(void); + + const SSL_METHOD *TLSv1_1_method(void); + const SSL_METHOD *TLSv1_1_server_method(void); + const SSL_METHOD *TLSv1_1_client_method(void); + + const SSL_METHOD *TLSv1_2_method(void); + const SSL_METHOD *TLSv1_2_server_method(void); + const SSL_METHOD *TLSv1_2_client_method(void); + + const SSL_METHOD *DTLS_method(void); + const SSL_METHOD *DTLS_server_method(void); + const SSL_METHOD *DTLS_client_method(void); + + const SSL_METHOD *DTLSv1_method(void); + const SSL_METHOD *DTLSv1_server_method(void); + const SSL_METHOD *DTLSv1_client_method(void); + + const SSL_METHOD *DTLSv1_2_method(void); + const SSL_METHOD *DTLSv1_2_server_method(void); + const SSL_METHOD *DTLSv1_2_client_method(void); + =head1 DESCRIPTION -SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish -TLS/SSL enabled connections. +SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish TLS/SSL or DTLS enabled connections. =head1 NOTES -The SSL_CTX object uses B<method> as connection method. The methods exist -in a generic type (for client and server use), a server only type, and a -client only type. B<method> can be of the following types: +The SSL_CTX object uses B<method> as connection method. +The methods exist in a generic type (for client and server use), a server only type, and a client only type. +B<method> can be of the following types: =over 4 -=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) +=item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method() -A TLS/SSL connection established with these methods will only understand the -SSLv3 protocol. A client will send out SSLv3 client hello messages -and will indicate that it only understands SSLv3. A server will only understand -SSLv3 client hello messages. +An SSL connection established with these methods will only understand the SSLv3 protocol. +A client will send out a SSLv3 client hello messages and will indicate that it supports SSLv3. +A server will only understand SSLv3 client hello message and only support the SSLv3 protocol. -=item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void) +=item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method() -A TLS/SSL connection established with these methods will only understand the -TLSv1 protocol. A client will send out TLSv1 client hello messages -and will indicate that it only understands TLSv1. A server will only understand -TLSv1 client hello messages. +A TLS connection established with these methods will only understand the TLS 1.0 protocol. -=item TLSv1_1_method(void), TLSv1_1_server_method(void), TLSv1_1_client_method(void) +=item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method() -A TLS/SSL connection established with these methods will only understand the -TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages -and will indicate that it only understands TLSv1.1. A server will only -understand TLSv1.1 client hello messages. +A TLS connection established with these methods will only understand the TLS 1.1 protocol. -=item TLSv1_2_method(void), TLSv1_2_server_method(void), TLSv1_2_client_method(void) +=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() -A TLS/SSL connection established with these methods will only understand the -TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages -and will indicate that it only understands TLSv1.2. A server will only -understand TLSv1.2 client hello messages. +A TLS connection established with these methods will only understand the TLS 1.2 protocol. -=item TLS_method(void), TLS_server_method(void), TLS_client_method(void) +=item TLS_method(), TLS_server_method(), TLS_client_method() -A TLS/SSL connection established with these methods may understand the -SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and @@ -62,26 +88,36 @@ will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern. -=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) +=item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() -Use of these functions is deprecated. They have been replaced with TLS_Method(), +Use of these functions is deprecated. They have been replaced with TLS_method(), TLS_server_method() and TLS_client_method() respectively. New code should use those functions instead. +=item DTLS_method(), DTLS_server_method(), DTLS_client_method() + +A DTLS connection established with those methods understands all supported DTLS protocols. +Currently supported protocols are DTLS 1.0 and DTLS 1.2. + +=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() + +A DTLS connection established with these methods will only understand the DTLS 1.0 protocol. + +=item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method() + +A DTLS connection established with these methods will only understand the DTLS 1.2 protocol. + =back -The list of protocols available can later be limited using the -SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 -options of the SSL_CTX_set_options() or SSL_set_options() functions. -Using these options it is possible to choose e.g. TLS_server_method() and -be able to negotiate with all possible clients, but to only allow newer -protocols like TLSv1, TLSv1.1 or TLS v1.2. +TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(), DTLS_server_method() and DTLS_client_method() are the version flexible methods. +All other methods only support 1 specific protocol version. +It's recommended to use those methods instead of the version specific methods. -Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3. +If you want to limit the supported protocols for the version flexible methods you can use SSL_CTX_set_min_proto_version(), SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and SSL_set_max_proto_version() functions. +They can also be limited using by using an option like SSL_OP_NO_SSLv3 of the SSL_CTX_set_options() or SSL_set_options() functions, but that's not recommended. +Using these functions it is possible to choose e.g. TLS_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLS v1, TLS v1.1 or TLS v1.2. -SSL_CTX_new() initializes the list of ciphers, the session cache setting, -the callbacks, the keys and certificates and the options to its default -values. +SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to its default values. =head1 RETURN VALUES @@ -102,14 +138,14 @@ The return value points to an allocated SSL_CTX object. =head1 HISTORY -SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in -OpenSSL 1.1.0. SSLv23_method, SSLv23_server_method and SSLv23_client_method were -deprecated and TLS_method, TLS_server_method and TLS_client_method -were introduced in OpenSSL 1.1.0. +SSLv3 +SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in OpenSSL 1.1.0. +SSLv23_method, SSLv23_server_method and SSLv23_client_method were deprecated and TLS_method, TLS_server_method and TLS_client_method were introduced in OpenSSL 1.1.0. =head1 SEE ALSO L<SSL_CTX_free(3)>, L<SSL_accept(3)>, +L<SSL_CTX_set_min_proto_version(3)>, L<ssl(3)>, L<SSL_set_connect_state(3)> =cut diff --git a/doc/ssl/SSL_CTX_set_min_proto_version.pod b/doc/ssl/SSL_CTX_set_min_proto_version.pod new file mode 100644 index 0000000000..4cb4c43a2d --- /dev/null +++ b/doc/ssl/SSL_CTX_set_min_proto_version.pod @@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version, SSL_set_min_proto_version, SSL_set_max_proto_version - Set minimum and maximum supported protocol version + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); + int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); + int SSL_set_min_proto_version(SSL *ssl, int version); + int SSL_set_max_proto_version(SSL *ssl, int version); + +=head1 DESCRIPTION + +The functions set the minimum and maximum supported portocol versions for the B<ctx> or B<ssl>. +This works in combination with the options set via SSL_CTX_set_options() that allows to disable specific protocol versions. +You should use these functions instead of disabling a specific protocol version. + +When setting the minimum or maximum version to 0 it will use the lowest or highest supported version, respectively, by the library. + +Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>, B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<DTLS1_VERSION> and B<DTLS1_2_VERSION>. + +=head1 RETURN VALUES + +The function returns 1 on success and 0 on failure. + +=head1 NOTES + +All these functions are implemented using macros. + +=head1 HISTORY + +The functions were added in OpenSSL 1.1.0 + +=head1 SEE ALSO + +L<SSL_CTX_set_options(3)>, L<SSL_CONF_cmd(3)> + +=cut diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index cf137a5ed4..bf7f7fd318 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -153,13 +153,10 @@ own preferences. ... -=item SSL_OP_NO_SSLv3 +=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 -Do not use the SSLv3 protocol. - -=item SSL_OP_NO_TLSv1 - -Do not use the TLSv1 protocol. +Do not use the SSLv3 or TLSv1 protocol, respectively. +You should avoid using those settings and instead use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(). =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION @@ -269,6 +266,7 @@ secure renegotiation and 0 if it does not. L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>, +L<SSL_CTX_set_min_proto_version(3)>, L<dhparam(1)> =head1 HISTORY diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index f214296d4b..1de5f68b6e 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -66,6 +66,7 @@ extern "C" { # define DTLS1_VERSION 0xFEFF # define DTLS1_2_VERSION 0xFEFD +# define DTLS_MIN_VERSION DTLS1_VERSION # define DTLS_MAX_VERSION DTLS1_2_VERSION # define DTLS1_VERSION_MAJOR 0xFE diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 8d82a6e0c1..a0d66fa0c4 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -438,6 +438,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, # define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\ SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2) +# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2) + /* Removed from previous versions */ # define SSL_OP_PKCS1_CHECK_1 0x0 @@ -1219,6 +1221,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define DTLS_CTRL_SET_LINK_MTU 120 # define DTLS_CTRL_GET_LINK_MIN_MTU 121 # define SSL_CTRL_GET_EXTMS_SUPPORT 122 +# define SSL_CTRL_SET_MIN_PROTO_VERSION 123 +# define SSL_CTRL_SET_MAX_PROTO_VERSION 124 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -1350,6 +1354,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst) # define SSL_get0_ec_point_formats(s, plst) \ SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst) +#define SSL_CTX_set_min_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +#define SSL_set_min_proto_version(s, version) \ + SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_set_max_proto_version(s, version) \ + SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) + __owur BIO_METHOD *BIO_f_ssl(void); __owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client); diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 0fdfd51091..a510b5bebe 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -259,14 +259,24 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_CHECK_PROTO_VERSION: /* * For library-internal use; checks that the current protocol is the - * highest enabled version (according to s->ctx->method, as version - * negotiation may have changed s->method). + * is the highest enabled version. + */ + if (s->max_proto_version == 0 && s->version == DTLS_MAX_VERSION) + return 1; + if (s->max_proto_version != 0 && s->version == s->max_proto_version) + return 1; + /* We're not limited by the max_proto_version but might still have + * other reasons why we use an older version like not using a + * version-flexible SSL_METHOD. Check s->ctx->method as version + * negotiation may have changed s->method. + * This check can be removed when we only have version-flexible + * SSL_METHODs */ if (s->version == s->ctx->method->version) return 1; /* * Apparently we're using a version-flexible SSL_METHOD (not at its - * highest protocol version). + * highest protocol version, not limited by max_proto_version). */ if (s->ctx->method->version == DTLS_method()->version) { #if DTLS_MAX_VERSION != DTLS1_2_VERSION diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 21aa2652fc..1e14a4497e 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -142,6 +142,10 @@ struct ssl_conf_ctx_st { uint32_t *pcert_flags; /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ uint32_t *pvfy_flags; + /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ + int *min_version; + /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ + int *max_version; /* Current flag table being worked on */ const ssl_flag_tbl *tbl; /* Size of table */ @@ -307,13 +311,78 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), - SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) + SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), + SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), + SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) }; cctx->tbl = ssl_protocol_list; cctx->ntbl = OSSL_NELEM(ssl_protocol_list); return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); } +/* + * protocol_from_string - converts a protocol version string to a number + * + * Returns -1 on failure or the version on success + */ +static int protocol_from_string(const char *value) +{ + struct protocol_versions { + const char *name; + int version; + }; + static const struct protocol_versions versions[] = { + {"SSLv3", SSL3_VERSION}, + {"TLSv1", TLS1_VERSION}, + {"TLSv1.1", TLS1_1_VERSION}, + {"TLSv1.2", TLS1_2_VERSION}, + {"DTLSv1", DTLS1_VERSION}, + {"DTLSv1.2", DTLS1_2_VERSION}}; + size_t i; + size_t n = OSSL_NELEM(versions); + + for (i = 0; i < n; i++) + if (strcmp(versions[i].name, value) == 0) + return versions[i].version; + return -1; +} + +/* + * cmd_MinProtocol - Set min protocol version + * @cctx: config structure to save settings in + * @value: The min protocol version in string form + * + * Returns 1 on success and 0 on failure. + */ +static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) +{ + int version = protocol_from_string(value); + + if (version < 0) + return 0; + + *(cctx->min_version) = version; + return 1; +} + +/* + * cmd_MaxProtocol - Set max protocol version + * @cctx: config structure to save settings in + * @value: The max protocol version in string form + * + * Returns 1 on success and 0 on failure. + */ +static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) +{ + int version = protocol_from_string(value); + + if (version < 0) + return 0; + + *(cctx->max_version) = version; + return 1; +} + static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) { static const ssl_flag_tbl ssl_option_list[] = { @@ -527,6 +596,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { #endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), + SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT), + SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT), SSL_CONF_CMD_STRING(Options, NULL, 0), SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, @@ -831,10 +902,14 @@ void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) cctx->ctx = NULL; if (ssl) { cctx->poptions = &ssl->options; + cctx->min_version = &ssl->min_proto_version; + cctx->max_version = &ssl->max_proto_version; cctx->pcert_flags = &ssl->cert->cert_flags; cctx->pvfy_flags = &ssl->verify_mode; } else { cctx->poptions = NULL; + cctx->min_version = NULL; + cctx->max_version = NULL; cctx->pcert_flags = NULL; cctx->pvfy_flags = NULL; } @@ -846,10 +921,14 @@ void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) cctx->ssl = NULL; if (ctx) { cctx->poptions = &ctx->options; + cctx->min_version = &ctx->min_proto_version; + cctx->max_version = &ctx->max_proto_version; cctx->pcert_flags = &ctx->cert->cert_flags; cctx->pvfy_flags = &ctx->verify_mode; } else { cctx->poptions = NULL; + cctx->min_version = NULL; + cctx->max_version = NULL; cctx->pcert_flags = NULL; cctx->pvfy_flags = NULL; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7f4bca058b..cfc73de9ca 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -293,6 +293,8 @@ SSL *SSL_new(SSL_CTX *ctx) RECORD_LAYER_init(&s->rlayer, s); s->options = ctx->options; + s->min_proto_version = ctx->min_proto_version; + s->max_proto_version = ctx->max_proto_version; s->mode = ctx->mode; s->max_cert_list = ctx->max_cert_list; s->references = 1; @@ -1198,6 +1200,12 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; else return 0; + case SSL_CTRL_SET_MIN_PROTO_VERSION: + s->min_proto_version = larg; + return 1; + case SSL_CTRL_SET_MAX_PROTO_VERSION: + s->max_proto_version = larg; + return 1; default: return (s->method->ssl_ctrl(s, cmd, larg, parg)); } @@ -1314,6 +1322,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (ctx->cert->cert_flags |= larg); case SSL_CTRL_CLEAR_CERT_FLAGS: return (ctx->cert->cert_flags &= ~larg); + case SSL_CTRL_SET_MIN_PROTO_VERSION: + ctx->min_proto_version = larg; + return 1; + case SSL_CTRL_SET_MAX_PROTO_VERSION: + ctx->max_proto_version = larg; + return 1; default: return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); } @@ -1794,6 +1808,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err; ret->method = meth; + ret->min_proto_version = 0; + ret->max_proto_version = 0; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; /* We take the system default. */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4db32a9294..9482fc91ad 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -264,6 +264,11 @@ c[1]=(unsigned char)(((l)>> 8)&0xff), \ c[2]=(unsigned char)(((l) )&0xff)),c+=3) +#define DTLS_VERSION_GT(v1, v2) ((v1) < (v2)) +#define DTLS_VERSION_GE(v1, v2) ((v1) <= (v2)) +#define DTLS_VERSION_LT(v1, v2) ((v1) > (v2)) +#define DTLS_VERSION_LE(v1, v2) ((v1) >= (v2)) + /* LOCAL STUFF */ # define SSL_DECRYPT 0 @@ -796,6 +801,8 @@ struct ssl_ctx_st { uint32_t options; uint32_t mode; + int min_proto_version; + int max_proto_version; long max_cert_list; struct cert_st /* CERT */ *cert; @@ -1066,6 +1073,8 @@ struct ssl_st { uint32_t options; /* API behaviour */ uint32_t mode; + int min_proto_version; + int max_proto_version; long max_cert_list; int first_packet; /* what was passed, used for SSLv3/TLS rollback check */ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d168b19cb8..26acdc5488 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -852,6 +852,14 @@ static int ssl_set_version(SSL *s) s->version = SSL3_VERSION; #endif + if (s->max_proto_version != 0 && (s->version > s->max_proto_version)) + s->version = s->max_proto_version; + if (s->version < s->min_proto_version) + { + SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE); + return 0; + } + if (s->version != TLS1_2_VERSION && tls1_suiteb(s)) { SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE); @@ -864,9 +872,17 @@ static int ssl_set_version(SSL *s) } } else if (s->method->version == DTLS_ANY_VERSION) { - /* Determine which DTLS version to use */ + int max_version = DTLS_MAX_VERSION; + int min_version = DTLS_MIN_VERSION; + + if (s->max_proto_version != 0) + max_version = s->max_proto_version; + if (s->min_proto_version != 0) + min_version = s->min_proto_version; + /* If DTLS 1.2 disabled correct the version number */ - if (options & SSL_OP_NO_DTLSv1_2) { + if (options & SSL_OP_NO_DTLSv1_2 + || DTLS_VERSION_GT(DTLS1_2_VERSION, max_version)) { if (tls1_suiteb(s)) { SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE); @@ -875,7 +891,8 @@ static int ssl_set_version(SSL *s) /* * Disabling all versions is silly: return an error. */ - if (options & SSL_OP_NO_DTLSv1) { + if (options & SSL_OP_NO_DTLSv1 + || DTLS_VERSION_GT(min_version, DTLS1_VERSION)) { SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_WRONG_SSL_VERSION); return 0; } @@ -888,7 +905,8 @@ static int ssl_set_version(SSL *s) /* * We only support one version: update method */ - if (options & SSL_OP_NO_DTLSv1) + if (options & SSL_OP_NO_DTLSv1 + || DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)) s->method = DTLSv1_2_client_method(); s->version = DTLS1_2_VERSION; } @@ -1129,6 +1147,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) if (s->method->version == TLS_ANY_VERSION) { unsigned int sversion; + int max_version = TLS_MAX_VERSION; + + if (s->max_proto_version != 0) + max_version = s->max_proto_version; if (!PACKET_get_net_2(pkt, &sversion)) { al = SSL_AD_DECODE_ERROR; @@ -1140,7 +1162,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) #error Code needs updating for new TLS version #endif #ifndef OPENSSL_NO_SSL3 - if ((sversion == SSL3_VERSION) && !(s->options & SSL_OP_NO_SSLv3)) { + if ((sversion == SSL3_VERSION) && !(s->options & SSL_OP_NO_SSLv3) && + (s->min_proto_version <= SSL3_VERSION) && + (max_version >= SSL3_VERSION)) { if (FIPS_mode()) { SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); @@ -1150,13 +1174,19 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->method = SSLv3_client_method(); } else #endif - if ((sversion == TLS1_VERSION) && !(s->options & SSL_OP_NO_TLSv1)) { + if ((sversion == TLS1_VERSION) && !(s->options & SSL_OP_NO_TLSv1) && + (s->min_proto_version <= TLS1_VERSION) && + (max_version >= TLS1_VERSION)) { s->method = TLSv1_client_method(); } else if ((sversion == TLS1_1_VERSION) && - !(s->options & SSL_OP_NO_TLSv1_1)) { + !(s->options & SSL_OP_NO_TLSv1_1) && + (s->min_proto_version <= TLS1_1_VERSION) && + (max_version >= TLS1_1_VERSION)) { s->method = TLSv1_1_client_method(); } else if ((sversion == TLS1_2_VERSION) && - !(s->options & SSL_OP_NO_TLSv1_2)) { + !(s->options & SSL_OP_NO_TLSv1_2) && + (s->min_proto_version <= TLS1_2_VERSION) && + (max_version >= TLS1_2_VERSION)) { s->method = TLSv1_2_client_method(); } else { SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); @@ -1165,7 +1195,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } s->session->ssl_version = s->version = s->method->version; - if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { + if ((s->version < s->min_proto_version) + || !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_VERSION_TOO_LOW); al = SSL_AD_PROTOCOL_VERSION; goto f_err; @@ -1174,6 +1205,13 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) /* Work out correct protocol version to use */ unsigned int hversion; int options; + int max_version = DTLS_MAX_VERSION; + int min_version = DTLS_MIN_VERSION; + + if (s->max_proto_version != 0) + max_version = s->max_proto_version; + if (s->min_proto_version != 0) + min_version = s->min_proto_version; if (!PACKET_get_net_2(pkt, &hversion)) { al = SSL_AD_DECODE_ERROR; @@ -1182,7 +1220,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } options = s->options; - if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2)) + if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2) && + DTLS_VERSION_LE(min_version, DTLS1_2_VERSION) && + DTLS_VERSION_GE(max_version, DTLS1_2_VERSION)) s->method = DTLSv1_2_client_method(); else if (tls1_suiteb(s)) { SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, @@ -1190,7 +1230,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->version = hversion; al = SSL_AD_PROTOCOL_VERSION; goto f_err; - } else if (hversion == DTLS1_VERSION && !(options & SSL_OP_NO_DTLSv1)) + } else if (hversion == DTLS1_VERSION && !(options & SSL_OP_NO_DTLSv1) && + DTLS_VERSION_LE(min_version, DTLS1_VERSION) && + DTLS_VERSION_GE(max_version, DTLS1_VERSION)) s->method = DTLSv1_client_method(); else { SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 66ff3e61e2..a1163ed986 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1044,10 +1044,17 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) protverr = 0; } } else if (s->client_version >= SSL3_VERSION) { + int max_version = TLS_MAX_VERSION; + + if (s->max_proto_version != 0) + max_version = s->max_proto_version; + switch(s->client_version) { default: case TLS1_2_VERSION: - if(!(s->options & SSL_OP_NO_TLSv1_2)) { + if(!(s->options & SSL_OP_NO_TLSv1_2) && + (max_version >= TLS1_2_VERSION) && + (s->min_proto_version <= TLS1_2_VERSION)) { s->version = TLS1_2_VERSION; s->method = TLSv1_2_server_method(); protverr = 0; @@ -1055,7 +1062,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } /* Deliberately fall through */ case TLS1_1_VERSION: - if(!(s->options & SSL_OP_NO_TLSv1_1)) { + if(!(s->options & SSL_OP_NO_TLSv1_1) && + (max_version >= TLS1_1_VERSION) && + (s->min_proto_version <= TLS1_1_VERSION)) { s->version = TLS1_1_VERSION; s->method = TLSv1_1_server_method(); protverr = 0; @@ -1063,7 +1072,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } /* Deliberately fall through */ case TLS1_VERSION: - if(!(s->options & SSL_OP_NO_TLSv1)) { + if(!(s->options & SSL_OP_NO_TLSv1) && + (max_version >= TLS1_VERSION) && + (s->min_proto_version <= TLS1_VERSION)) { s->version = TLS1_VERSION; s->method = TLSv1_server_method(); protverr = 0; @@ -1072,7 +1083,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* Deliberately fall through */ case SSL3_VERSION: #ifndef OPENSSL_NO_SSL3 - if(!(s->options & SSL_OP_NO_SSLv3)) { + if(!(s->options & SSL_OP_NO_SSLv3) && + (max_version >= SSL3_VERSION) && + (s->min_proto_version <= SSL3_VERSION)) { s->version = SSL3_VERSION; s->method = SSLv3_server_method(); protverr = 0; @@ -1254,8 +1267,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } if (s->method->version == DTLS_ANY_VERSION) { /* Select version to use */ - if (s->client_version <= DTLS1_2_VERSION && - !(s->options & SSL_OP_NO_DTLSv1_2)) { + int max_version = DTLS_MAX_VERSION; + int min_version = DTLS_MIN_VERSION; + + if (s->max_proto_version != 0) + max_version = s->max_proto_version; + if (s->min_proto_version != 0) + min_version = s->min_proto_version; + + if (DTLS_VERSION_GE(s->client_version, DTLS1_2_VERSION) && + !(s->options & SSL_OP_NO_DTLSv1_2) && + DTLS_VERSION_GE(max_version, DTLS1_2_VERSION) && + DTLS_VERSION_LE(min_version, DTLS1_2_VERSION)) { s->version = DTLS1_2_VERSION; s->method = DTLSv1_2_server_method(); } else if (tls1_suiteb(s)) { @@ -1264,8 +1287,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->version = s->client_version; al = SSL_AD_PROTOCOL_VERSION; goto f_err; - } else if (s->client_version <= DTLS1_VERSION && - !(s->options & SSL_OP_NO_DTLSv1)) { + } else if (DTLS_VERSION_GE(s->client_version, DTLS1_VERSION) && + !(s->options & SSL_OP_NO_DTLSv1) && + DTLS_VERSION_GE(max_version, DTLS1_VERSION) && + DTLS_VERSION_LE(min_version, DTLS1_VERSION)) { s->version = DTLS1_VERSION; s->method = DTLSv1_server_method(); } else { diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t index 5f520ded11..0f96b5b5ff 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl.t @@ -11,8 +11,8 @@ use OpenSSL::Test::Utils; setup("test_ssl"); -my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk) = - disabled qw/rsa dsa dh ec srp psk/; +my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, $no_ssl3, $no_dtls) = + disabled qw/rsa dsa dh ec srp psk ssl3 dtls/; my $digest = "-sha1"; my @reqcmd = ("openssl", "req"); @@ -55,7 +55,7 @@ my $P2intermediate="tmp_intP2.ss"; plan tests => 1 # For testss + 1 # For ssltest -test_cipherlist - + 8 # For the first testssl + + 9 # For the first testssl + 16 # For the first testsslproxy + 16 # For the second testsslproxy ; @@ -316,7 +316,7 @@ sub testssl { } - # plan tests => 7; + # plan tests => 9; subtest 'standard SSL tests' => sub { ###################################################################### @@ -567,6 +567,516 @@ sub testssl { } } }; + + subtest 'Version min/max tests' => sub { + + plan tests => 425; + + SKIP : { + skip "ssl3 disabled", 76 if $no_ssl3; + + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1", "-should_negotiate", "tls1"]))); + + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + } + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1", "-should_negotiate", "tls1"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "fail-server"]))); + } + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 19 if $no_ssl3; + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.1", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1", "-should_negotiate", "tls1"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_min_proto", "tls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-server_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "ssl3 disabled", 6 if $no_ssl3; + ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "ssl3", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_max_proto", "ssl3", "-should_negotiate", "ssl3"]))); + } + ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1.2", "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1.1", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_min_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-client_max_proto", "tls1", "-should_negotiate", "tls1"]))); + ok(run(test([@ssltest, "-client_max_proto", "tls1.1", "-should_negotiate", "tls1.1"]))); + ok(run(test([@ssltest, "-client_max_proto", "tls1.2", "-should_negotiate", "tls1.2"]))); + ok(run(test([@ssltest, "-should_negotiate", "tls1.2"]))); + + SKIP : { + skip "dtls disabled", 64 if $no_dtls; + + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "fail-client"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_max_proto", "dtls1", "-should_negotiate", "fail-server"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-server_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + + ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1.2", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-client_min_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-client_max_proto", "dtls1", "-should_negotiate", "dtls1"]))); + ok(run(test([@ssltest, "-dtls", "-client_max_proto", "dtls1.2", "-should_negotiate", "dtls1.2"]))); + ok(run(test([@ssltest, "-dtls", "-should_negotiate", "dtls1.2"]))); + } + }; } sub testsslproxy { diff --git a/test/ssltest.c b/test/ssltest.c index 01b6058648..58e0f82030 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -367,6 +367,11 @@ static const char *alpn_client; static const char *alpn_server; static const char *alpn_expected; static unsigned char *alpn_selected; +static const char *server_min_proto; +static const char *server_max_proto; +static const char *client_min_proto; +static const char *client_max_proto; +static const char *should_negotiate; /*- * next_protos_parse parses a comma separated list of strings into a string @@ -776,6 +781,7 @@ static void sv_usage(void) #endif fprintf(stderr, " -tls1 - use TLSv1\n"); #ifndef OPENSSL_NO_DTLS + fprintf(stderr, " -dtls - use DTLS\n"); fprintf(stderr, " -dtls1 - use DTLSv1\n"); fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); #endif @@ -818,6 +824,11 @@ static void sv_usage(void) fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n"); fprintf(stderr, " -alpn_expected <string> - the ALPN protocol that should be negotiated\n"); + fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n"); + fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n"); + fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n"); + fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n"); + fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n"); } static void print_key_details(BIO *out, EVP_PKEY *key) @@ -942,13 +953,58 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) } } +/* + * protocol_from_string - converts a protocol version string to a number + * + * Returns -1 on failure or the version on success + */ +static int protocol_from_string(const char *value) +{ + struct protocol_versions { + const char *name; + int version; + }; + static const struct protocol_versions versions[] = { + {"ssl3", SSL3_VERSION}, + {"tls1", TLS1_VERSION}, + {"tls1.1", TLS1_1_VERSION}, + {"tls1.2", TLS1_2_VERSION}, + {"dtls1", DTLS1_VERSION}, + {"dtls1.2", DTLS1_2_VERSION}}; + size_t i; + size_t n = OSSL_NELEM(versions); + + for (i = 0; i < n; i++) + if (strcmp(versions[i].name, value) == 0) + return versions[i].version; + return -1; +} + +/* + * set_protocol_version - Sets protocol version minimum or maximum + * + * Returns 0 on failure and 1 on success + */ +static int set_protocol_version(const char *version, SSL *ssl, int setting) +{ + if (version != NULL) { + int ver = protocol_from_string(version); + if (ver < 0) { + BIO_printf(bio_err, "Error parsing: %s\n", version); + return 0; + } + return SSL_ctrl(ssl, setting, ver, NULL); + } + return 1; +} + int main(int argc, char *argv[]) { char *CApath = NULL, *CAfile = NULL; int badop = 0; int bio_pair = 0; int force = 0; - int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = @@ -1136,6 +1192,11 @@ int main(int argc, char *argv[]) no_protocol = 1; #endif dtls12 = 1; + } else if (strcmp(*argv, "-dtls") == 0) { +#ifdef OPENSSL_NO_DTLS + no_protocol = 1; +#endif + dtls = 1; } else if (strncmp(*argv, "-num", 4) == 0) { if (--argc < 1) goto bad; @@ -1225,6 +1286,26 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; alpn_expected = *(++argv); + } else if (strcmp(*argv, "-server_min_proto") == 0) { + if (--argc < 1) + goto bad; + server_min_proto = *(++argv); + } else if (strcmp(*argv, "-server_max_proto") == 0) { + if (--argc < 1) + goto bad; + server_max_proto = *(++argv); + } else if (strcmp(*argv, "-client_min_proto") == 0) { + if (--argc < 1) + goto bad; + client_min_proto = *(++argv); + } else if (strcmp(*argv, "-client_max_proto") == 0) { + if (--argc < 1) + goto bad; + client_max_proto = *(++argv); + } else if (strcmp(*argv, "-should_negotiate") == 0) { + if (--argc < 1) + goto bad; + should_negotiate = *(++argv); } else { int rv; arg = argv[0]; @@ -1283,8 +1364,8 @@ int main(int argc, char *argv[]) goto end; } - if (ssl3 + tls1 + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } @@ -1301,10 +1382,10 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } @@ -1378,6 +1459,8 @@ int main(int argc, char *argv[]) meth = DTLSv1_method(); else if (dtls12) meth = DTLSv1_2_method(); + else if (dtls) + meth = DTLS_method(); else #endif if (tls1) @@ -1659,6 +1742,15 @@ int main(int argc, char *argv[]) c_ssl = SSL_new(c_ctx); s_ssl = SSL_new(s_ctx); + if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) + goto end; + if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) + goto end; + if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) + goto end; + if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) + goto end; + BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes); for (i = 0; i < number; i++) { if (!reuse) { @@ -1674,6 +1766,23 @@ int main(int argc, char *argv[]) if (ret) break; } + if (should_negotiate && ret == 0 && + strcmp(should_negotiate, "fail-server") != 0 && + strcmp(should_negotiate, "fail-client") != 0) { + int version = protocol_from_string(should_negotiate); + if (version < 0) { + BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate); + ret = 1; + goto err; + } + if (SSL_version(c_ssl) != version) { + BIO_printf(bio_err, "Unxpected version negotiated. " + "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); + ret = 1; + goto err; + } + } + if (!verbose) { print_details(c_ssl, ""); } @@ -1696,6 +1805,7 @@ int main(int argc, char *argv[]) #endif } + err: SSL_free(s_ssl); SSL_free(c_ssl); @@ -1728,6 +1838,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; int ret = 1; + int err_in_client = 0; + int err_in_server = 0; size_t bufsiz = 256; /* small buffer for testing */ @@ -1820,6 +1932,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; goto err; } /* @@ -1845,6 +1958,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; goto err; } /* @@ -1897,6 +2011,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; goto err; } /* Ignore "BIO_should_retry". */ @@ -1917,6 +2032,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; goto err; } /* blah, blah */ @@ -2084,6 +2200,11 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, BIO_free(s_ssl_bio); BIO_free(c_ssl_bio); + if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) + ret = (err_in_client != 0) ? 0 : 1; + else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) + ret = (err_in_server != 0) ? 0 : 1; + return ret; } @@ -2109,6 +2230,8 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) int c_write, s_write; int do_server = 0, do_client = 0; int max_frag = 5 * 1024; + int err_in_client = 0; + int err_in_server = 0; bufsiz = count > 40 * 1024 ? 40 * 1024 : count; @@ -2201,6 +2324,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; ERR_print_errors(bio_err); goto err; } @@ -2229,6 +2353,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; ERR_print_errors(bio_err); goto err; } @@ -2265,6 +2390,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; ERR_print_errors(bio_err); goto err; } @@ -2300,6 +2426,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; ERR_print_errors(bio_err); goto err; } @@ -2370,6 +2497,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) OPENSSL_free(cbuf); OPENSSL_free(sbuf); + if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) + ret = (err_in_client != 0) ? 0 : 1; + else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) + ret = (err_in_server != 0) ? 0 : 1; + return (ret); } |