ssl-opt.sh: Force TLS 1.2 on server
To maximize the number of tests where the MbedTLS client proposes both TLS 1.2 and TLS 1.3 to the server, force the TLS 1.2 version on the server side rather than on the client side in TLS 1.2-specific tests.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
parent
f660655b84
commit
f3b425bbde
111
tests/ssl-opt.sh
111
tests/ssl-opt.sh
@ -1196,7 +1196,7 @@ run_test_psa() {
|
||||
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "PSA-supported ciphersuite: $1" \
|
||||
"$P_SRV debug_level=3 force_version=tls12" \
|
||||
"$P_CLI debug_level=3 force_version=tls12 force_ciphersuite=$1" \
|
||||
"$P_CLI debug_level=3 force_ciphersuite=$1" \
|
||||
0 \
|
||||
-c "PSA calc verify" \
|
||||
-c "calc PSA finished" \
|
||||
@ -1216,7 +1216,7 @@ run_test_psa_force_curve() {
|
||||
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "PSA - ECDH with $1" \
|
||||
"$P_SRV debug_level=4 force_version=tls12 curves=$1" \
|
||||
"$P_CLI debug_level=4 force_version=tls12 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
|
||||
"$P_CLI debug_level=4 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
|
||||
0 \
|
||||
-c "PSA calc verify" \
|
||||
-c "calc PSA finished" \
|
||||
@ -1245,7 +1245,7 @@ run_test_memory_after_hanshake_with_mfl()
|
||||
|
||||
run_test "Handshake memory usage (MFL $1)" \
|
||||
"$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
|
||||
"$P_CLI debug_level=3 force_version=tls12 \
|
||||
"$P_CLI debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
|
||||
0 \
|
||||
@ -1264,7 +1264,7 @@ run_tests_memory_after_hanshake()
|
||||
MEMORY_USAGE_MFL_16K=0
|
||||
run_test "Handshake memory usage initial (MFL 16384 - default)" \
|
||||
"$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
|
||||
"$P_CLI debug_level=3 force_version=tls12 \
|
||||
"$P_CLI debug_level=3 \
|
||||
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
|
||||
0 \
|
||||
@ -2790,9 +2790,9 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "CBC Record splitting: TLS 1.2, no splitting" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
|
||||
request_size=123 force_version=tls12" \
|
||||
request_size=123" \
|
||||
0 \
|
||||
-s "Read from client: 123 bytes read" \
|
||||
-S "Read from client: 1 bytes read" \
|
||||
@ -5021,11 +5021,11 @@ run_test "Authentication, CA callback: client max_int chain, server required"
|
||||
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
|
||||
"$P_SRV crt_file=data_files/server5.crt \
|
||||
"$P_SRV force_version=tls12 crt_file=data_files/server5.crt \
|
||||
key_file=data_files/server5.key \
|
||||
crt_file2=data_files/server5-sha1.crt \
|
||||
key_file2=data_files/server5.key" \
|
||||
"$P_CLI force_version=tls12" \
|
||||
"$P_CLI" \
|
||||
0 \
|
||||
-c "signed using.*ECDSA with SHA256" \
|
||||
-C "signed using.*ECDSA with SHA1"
|
||||
@ -6535,40 +6535,40 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small client packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small client packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
@ -6597,41 +6597,36 @@ run_test "Small client packet DTLS 1.2, without EtM" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small server packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small server packet TLS 1.2 AEAD" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Small server packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
@ -6664,8 +6659,8 @@ fragments_for_write() {
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large client packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
@ -6673,16 +6668,16 @@ run_test "Large client packet TLS 1.2 BlockCipher" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls12 etm=0 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
@ -6690,8 +6685,8 @@ run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
@ -6699,8 +6694,8 @@ run_test "Large client packet TLS 1.2 AEAD" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large client packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls12 \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
@ -6709,51 +6704,45 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \
|
||||
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls12 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI etm=0 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "16384 bytes written in 1 fragments" \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV response_size=16384 trunc_hmac=1" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
"$P_SRV response_size=16384 trunc_hmac=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-s "16384 bytes written in 1 fragments" \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 AEAD" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
run_test "Large server packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls12 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
|
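Review bot: None of the TLS 1.2-specific tests touched here asserts the negotiated protocol version, so once the client stops pinning it, the server's `force_version=tls12` is the only thing keeping them on TLS 1.2. If that option were later dropped or stopped taking effect, a test such as "Certificate hash: client TLS 1.2 -> SHA-2" would exercise a different handshake than its name claims without any check noticing. Adding a client-side pattern such as `-c "Protocol is TLSv1.2"` to the check list would pin the intent; the same applies to the "Small/Large client/server packet TLS 1.2" tests and to "CBC Record splitting: TLS 1.2, no splitting". It may also be worth confirming that a client given `force_ciphersuite=` with a TLS 1.2 suite still offers TLS 1.3 in its ClientHello, since otherwise those tests would not gain the dual-version coverage the description aims for.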