mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-14 01:26:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8918 from ronald-cron-arm/improve-tls-srv-version-nego-testing

Browse Source 
TLS: Improve server version negotiation testing
This commit is contained in:
Manuel Pégourié-Gonnard 2024-03-15 14:29:56 +00:00 committed by GitHub
commit 62ac993d89
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 515 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

683
tests/ssl-opt.sh
View File

@ -2047,64 +2047,6 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
# GnuTLS can be setup to send a ClientHello containing a supported versions
# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and
# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS
# client then detects the downgrade indication and aborts the handshake even
# if TLS 1.2 was its preferred version. Keeping the test even if the
# handshake fails eventually as it exercices parts of the Mbed TLS
# implementation that are otherwise not exercised.
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Server selecting TLS 1.2 over TLS 1.3" \
"$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
1 \
-c "Detected downgrade to TLS 1.2 from TLS 1.3"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Server selecting TLS 1.2" \
"$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
0 \
-s "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 OK"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \
"$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \
0 \
-s "Protocol is TLSv1.3" \
-c "HTTP/1.0 200 OK"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \
"$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \
0 \
-s "Protocol is TLSv1.3" \
-c "HTTP/1.0 200 OK"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "TLS client auth: required" \
"$P_SRV auth_mode=required" \
@ -6929,36 +6871,456 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
0 \
-c "Read from server: .* bytes read"
# Tests for version negotiation
# Tests for version negotiation, MbedTLS client and server
run_test "Version check: all -> 1.2" \
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \
"$P_SRV" \
"$P_CLI force_version=tls12" \
"$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Not supported version check: cli TLS 1.0" \
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$P_CLI max_version=tls12" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3" \
-c "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$P_CLI min_version=tls13" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3" \
-c "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3" \
-c "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3" \
-c "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \
"$P_SRV" \
"$P_CLI max_version=tls12" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \
"$P_SRV" \
"$P_CLI min_version=tls13" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3" \
-c "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \
"$P_SRV min_version=tls13" \
"$P_CLI max_version=tls12" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.2" \
-C "Protocol is TLSv1.2" \
-S "Protocol is TLSv1.3" \
-C "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \
"$P_SRV max_version=tls12" \
"$P_CLI min_version=tls13" \
1 \
-s "The handshake negotiation failed" \
-S "Protocol is TLSv1.2" \
-C "Protocol is TLSv1.2" \
-S "Protocol is TLSv1.3" \
-C "Protocol is TLSv1.3"
# Tests of version negotiation on server side against GnuTLS client
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check G->m: 1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_gnutls_next_disable_tls13_compat
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
# GnuTLS can be setup to send a ClientHello containing a supported versions
# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and
# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS
# client then detects the downgrade indication and aborts the handshake even
# if TLS 1.2 was its preferred version. Keeping the test even if the
# handshake fails eventually as it exercices parts of the Mbed TLS
# implementation that are otherwise not exercised.
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
1 \
-c "Detected downgrade to TLS 1.2 from TLS 1.3"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$G_NEXT_CLI localhost --priority=NORMAL" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-c "Error in protocol version" \
-S "Protocol is TLSv1.0" \
-C "Handshake was completed"
-S "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Not supported version check: cli TLS 1.1" \
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-c "Error in protocol version" \
-S "Protocol is TLSv1.1" \
-C "Handshake was completed"
-S "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Not supported version check G->m: 1.2 / 1.3" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check G->m: 1.3 / 1.2" \
"$P_SRV" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
1 \
-S "Handshake protocol not within min/max boundaries" \
-s "The handshake negotiation failed" \
-S "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \
"$P_SRV min_version=tls13" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \
"$P_SRV max_version=tls12" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
1 \
-S "Handshake protocol not within min/max boundaries" \
-s "The handshake negotiation failed" \
-S "Protocol is TLSv1.3"
# Tests of version negotiation on server side against OpenSSL client
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_2" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check O->m: 1.2 / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI -tls1_2" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check O->m: 1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_3" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check O->m: 1.3 / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI -tls1_3" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Server version nego check O->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -no_middlebox" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.3"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \
"$P_SRV" \
"$O_NEXT_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \
"$P_SRV" \
"$O_CLI -tls1" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \
"$P_SRV" \
"$O_CLI -tls1_1" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Not supported version check O->m: 1.2 / 1.3" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_2" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check O->m: 1.3 / 1.2" \
"$P_SRV" \
"$O_NEXT_CLI -tls1_3" \
1 \
-S "Handshake protocol not within min/max boundaries" \
-s "The handshake negotiation failed" \
-S "Protocol is TLSv1.3"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \
"$P_SRV min_version=tls13" \
"$O_NEXT_CLI -tls1_2" \
1 \
-s "Handshake protocol not within min/max boundaries" \
-S "Protocol is TLSv1.2"
requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \
"$P_SRV max_version=tls12" \
"$O_NEXT_CLI -tls1_3" \
1 \
-S "Handshake protocol not within min/max boundaries" \
-s "The handshake negotiation failed" \
-S "Protocol is TLSv1.3"
# Tests of version negotiation on client side against GnuTLS and OpenSSL server
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Not supported version check: srv max TLS 1.0" \
@ -6980,6 +7342,88 @@ run_test "Not supported version check: srv max TLS 1.1" \
-S "Version: TLS1.1" \
-C "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
"$P_CLI debug_level=4" \
1 \
-s "Client's version: 3.3" \
-S "Version: TLS1.0" \
-C "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
"$P_CLI debug_level=4" \
1 \
-s "Client's version: 3.3" \
-S "Version: TLS1.1" \
-C "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
-s "Client's version: 3.3" \
-c "is a fatal alert message (msg 40)" \
-S "Version: TLS1.2" \
-C "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \
"$O_NEXT_SRV -msg -tls1" \
"$P_CLI debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.0" \
-C "Protocol : TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \
"$O_NEXT_SRV -msg -tls1_1" \
"$P_CLI debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.1" \
-C "Protocol : TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \
"$O_NEXT_SRV -msg -tls1_2" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.2" \
-C "Protocol : TLSv1.2"
# Tests for ALPN extension
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
@ -11866,103 +12310,6 @@ run_test "TLS 1.3: server alpn - gnutls" \
-s "HTTP/1.0 200 OK" \
-s "Application Layer Protocol is h2"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
"$P_CLI debug_level=4" \
1 \
-s "Client's version: 3.3" \
-S "Version: TLS1.0" \
-C "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
"$P_CLI debug_level=4" \
1 \
-s "Client's version: 3.3" \
-S "Version: TLS1.1" \
-C "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_gnutls_tls1_3
run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
-s "Client's version: 3.3" \
-c "is a fatal alert message (msg 40)" \
-S "Version: TLS1.2" \
-C "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \
"$O_NEXT_SRV -msg -tls1" \
"$P_CLI debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.0" \
-C "Protocol : TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \
"$O_NEXT_SRV -msg -tls1_1" \
"$P_CLI debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.1" \
-C "Protocol : TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
skip_handshake_stage_check
requires_openssl_next
run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \
"$O_NEXT_SRV -msg -tls1_2" \
"$P_CLI force_version=tls13 debug_level=4" \
1 \
-s "fatal protocol_version" \
-c "is a fatal alert message (msg 70)" \
-S "Version: TLS1.2" \
-C "Protocol : TLSv1.2"
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \
"$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \
"$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \
1 \
-c "The SSL configuration is tls12 only" \
-c "supported_versions(43) extension does not exist." \
-c "A fatal alert message was received from our peer" \
-s "The SSL configuration is tls13 only" \
-s "TLS 1.2 not supported."
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C