Enable all ciphers in OpenSSL >=1.1.0

OpenSSL may be configured to support features such as cipher suites or
protocol versions that are disabled by default. Enable them all: we're
testing, we don't care about enabling insecure stuff. This is not needed
with the builds of OpenSSL that we're currently using on the Jenkins CI, but
it's needed with more recent versions such as typically found on developer
machines, and with future CI additions.

The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we
don't need to do anything special with earlier versions.

With OpenSSL 1.1.1f on Ubuntu 20.04, this allows SHA-1 in certificates,
which is still needed for a few test cases in ssl-opt.sh. Curiously, this is
also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and
no other, including other DHE-PSK or ARIA cipher suites).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2022-11-24 22:21:15 +01:00
parent 6157fee306
commit 4bdb9fbfa2
2 changed files with 28 additions and 0 deletions

View File

@ -595,6 +595,20 @@ setup_arguments()
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
# a way to discover it from -help, so check the openssl version.
case $($OPENSSL_CMD version) in
"OpenSSL 0"*|"OpenSSL 1.0"*) :;;
*)
O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
;;
esac
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"

View File

@ -1689,6 +1689,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
fi
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
# a way to discover it from -help, so check the openssl version.
case $($OPENSSL_CMD version) in
"OpenSSL 0"*|"OpenSSL 1.0"*) :;;
*)
O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
;;
esac
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"