Commit 55665fd6 authored by Alexander Sosedkin

WIP: tests: add protocol-mark-allowlisting


Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
parent 6359b5cd
Pipeline #407029532 failed with stages
in 67 minutes and 5 seconds
......@@ -112,7 +112,7 @@ noinst_LTLIBRARIES = libutils.la
libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
libutils_la_LIBADD = ../lib/libgnutls.la
indirect_tests = system-override-hash system-override-sig system-override-sig-tls
indirect_tests = system-override-hash system-override-sig system-override-sig-tls protocol-mark-allowlisting
ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
......@@ -524,7 +524,8 @@ dist_check_SCRIPTS += system-override-sig-allowlist.sh \
system-override-hash-allowlist.sh \
system-override-versions-allowlist.sh \
system-override-curves-allowlist.sh \
system-override-special-allowlist.sh
system-override-special-allowlist.sh \
protocol-mark-allowlisting.sh
endif
dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
......
/*
* Copyright (C) 2021 Red Hat, Inc.
*
* Author: Alexander Sosedkin
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <assert.h>
#include <errno.h>
#include <errno.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "utils.h"
/*
* This is not a test!
* This is a helper for the real test in protocol-mark-allowlisting.sh.
* It executes sequences of commands like:
* > connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
* > protocol_mark_disabled TLS1.2 -> OK
* > connect -> bad priority: (actually, any arrow-less text can go here)
* where `connect` connects to $TEST_SERVER_PORT using $TEST_SERVER_CA,
* and protocol_mark_{disabled,enabled} simply call the underlying API.
* leaving the outer test to check return code and output:
* connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
* protocol_mark_disabled TLS1.2 -> OK
* connect -> bad priority: No or insufficient priorities were set.
*/
#define _assert(cond, format, ...) if (!(cond)) \
_fail("Assertion `" #cond "` failed: " format "\n", ##__VA_ARGS__)
#define _check(cond) if (!(cond)) _fail("Assertion `" #cond "` failed.")
unsigned parse_port(const char* port_str);
gnutls_protocol_t parse_protocol(const char* name);
void test_echo_server(gnutls_session_t session);
void cmd_connect(const char* ca_file, unsigned port);
void cmd_protocol_mark_disabled(const char* name);
void cmd_protocol_mark_enabled(const char* name);
const char* unprefix(const char* s, const char* prefix);
unsigned parse_port(const char* port_str)
{
unsigned port;
errno = 0;
port = strtoul(port_str, NULL, 10);
_assert(!errno, "Could not parse port value '%s'\n", port_str);
_assert(0 < port && port < (1UL << 16), "Invalid port %u\n", port);
return port;
}
gnutls_protocol_t parse_protocol(const char* name)
{
gnutls_protocol_t p;
p = gnutls_protocol_get_id(name);
_assert(p != GNUTLS_VERSION_UNKNOWN, "Unknown protocol `%s`", name);
return p;
}
void test_echo_server(gnutls_session_t session)
{
const char buf_out[] = "1234567\n";
char buf_in[sizeof(buf_out) - 1];
unsigned rd = 0, wr = 0;
unsigned LEN = sizeof(buf_out) - 1;
int r;
do {
r = gnutls_record_send(session, buf_out + wr, LEN - wr);
if (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED)
continue;
_assert(r > 0, "error in send: %s\n", gnutls_strerror(r));
wr += r;
} while(r > 0 && wr < LEN);
_assert(wr == LEN, "error sending all data (%u/%u)\n", wr, LEN);
do {
r = gnutls_record_recv(session, buf_in + rd, LEN - rd);
if (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED)
continue;
_assert(r > 0, "error in recv: %s\n", gnutls_strerror(r));
rd += r;
} while(r > 0 && rd < LEN);
_assert(rd == LEN, "error receiving all data (%u/%u)\n", rd, LEN);
_assert(!gnutls_record_check_pending(session), "data left unreceived");
_assert(!memcmp(buf_in, buf_out, LEN), "send/recv data mismatch\n");
}
void cmd_connect(const char* ca_file, unsigned port)
{
char* desc;
int sock, r;
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
int sock_flags = 1;
_check(gnutls_init(&session, GNUTLS_CLIENT) >= 0);
r = gnutls_set_default_priority(session);
if (r < 0) {
printf("connect -> bad priority: %s\n", gnutls_strerror(r));
gnutls_deinit(session);
return;
}
_check(gnutls_server_name_set(session, GNUTLS_NAME_DNS,
"example.com", strlen("example.com")) >= 0);
gnutls_session_set_verify_cert(session, "example.com", 0);
_check(gnutls_certificate_allocate_credentials(&cred) >= 0);
_check(gnutls_certificate_set_x509_trust_file(cred,
ca_file, GNUTLS_X509_FMT_PEM) == 1);
_check(gnutls_credentials_set(session,
GNUTLS_CRD_CERTIFICATE, cred) >= 0);
sock = tcp_connect("127.0.0.1", port);
_assert(sock != -1, "Connection to 127.0.0.1:%u has failed!", port);
_assert(setsockopt(sock, SOL_TCP, TCP_NODELAY,
&sock_flags, sizeof(int)) == 0, "setsockopt failed");
gnutls_transport_set_int(session, sock);
gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
do {
r = gnutls_handshake(session);
} while (r < 0 && !gnutls_error_is_fatal(r));
if (r >= 0) {
desc = gnutls_session_get_desc(session);
_check(desc);
printf("connect -> connection established: %s\n", desc);
gnutls_free(desc);
} else {
printf("connect -> handshake failed: %s\n", gnutls_strerror(r));
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
shutdown(sock, SHUT_RDWR);
close(sock);
gnutls_certificate_free_credentials(cred);
gnutls_deinit(session);
}
void cmd_protocol_mark_disabled(const char* name)
{
_check(gnutls_protocol_mark_disabled(parse_protocol(name)) >= 0);
printf("protocol_mark_disabled %s -> OK\n", name);
}
void cmd_protocol_mark_enabled(const char* name)
{
_check(gnutls_protocol_mark_enabled(parse_protocol(name)) >= 0);
printf("protocol_mark_enabled %s -> OK\n", name);
}
// Returns 0 if `s` doesn't start with `prefix`, pointer past prefix otherwise.
const char* unprefix(const char* s, const char* prefix)
{
while (*s && *prefix && *s == *prefix)
s++, prefix++;
return *prefix ? NULL : s;
}
#define MAX_CMD_LEN 127
void doit(void)
{
unsigned port;
const char* port_str;
const char* ca_file;
const char* p;
char cmd_buf[MAX_CMD_LEN + 1];
char* e;
ca_file = getenv("TEST_SERVER_CA");
_assert(ca_file, "TEST_SERVER_CA is not set");
port_str = getenv("TEST_SERVER_PORT");
_assert(port_str, "TEST_SERVER_PORT is not set");
port = parse_port(port_str);
_check(gnutls_global_init() >= 0);
while (!feof(stdin)) {
memset(cmd_buf, '\0', MAX_CMD_LEN + 1);
fgets(cmd_buf, MAX_CMD_LEN, stdin);
e = strchr(cmd_buf, '\n');
if (e)
*e = '\0';
if (!*cmd_buf)
continue;
else if (!strcmp(cmd_buf, "> connect"))
cmd_connect(ca_file, port);
else if ((p = unprefix(cmd_buf, "> protocol_mark_disabled ")))
cmd_protocol_mark_disabled(p);
else if ((p = unprefix(cmd_buf, "> protocol_mark_enabled ")))
cmd_protocol_mark_enabled(p);
else if (unprefix(cmd_buf, "> "))
_fail("Unknown command `%s`\n", p);
else
_fail("Invalid line `%s`, does not start with `> `\n",
cmd_buf);
}
gnutls_global_deinit();
exit(0);
}
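Review bot: The `_fail` call on the `unprefix(cmd_buf, "> ")` branch at the end of doit's command chain passes `p`, but by that point `p` holds the NULL returned by the two preceding `unprefix` calls, so the "Unknown command" message prints "(null)" at best and is undefined behaviour for `%s`; it should report the line itself by passing `cmd_buf` instead of `p`. In parse_port the `unsigned long` from `strtoul` is narrowed into `unsigned port` before the `port < (1UL << 16)` assert runs, and no `endptr` check rejects trailing garbage, so a value that is out of range on an LP64 host can be truncated into a plausible port; keep the result in an `unsigned long` and check `end == port_str || *end != '\0'` before asserting the range. `SOL_TCP` in cmd_connect's `setsockopt` is a Linux-only name, whereas `IPPROTO_TCP` is the portable spelling used by the rest of the socket API. The file also includes `<errno.h>` twice and uses `memcmp`, `strlen`, `strchr`, `strcmp` and `close` without including `<string.h>` or `<unistd.h>` itself, which presumably works only because `utils.h` pulls them in; including them explicitly would make the helper self-contained.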
#!/bin/sh
# Copyright (C) 2021 Red Hat, Inc.
#
# Author: Alexander Sosedkin
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# The test verifies that gnutls_protocol_mark_{disabled,enabled}
# behave sensibly. The test requires allowlisting and is to be executed
# from within the shell wrapper protocol-mark-allowlisting.sh
# The shell part of it feeds commands into a C helper
# and compares its output to the reference output.
: ${srcdir=.}
: ${builddir=.}
: ${CERTTOOL=../src/certtool${EXEEXT}}
: ${SERV=../src/gnutls-serv${EXEEXT}}
: ${CLI=../src/gnutls-cli${EXEEXT}}
: ${GREP=grep}
: ${DIFF=diff}
: ${SED=sed}
: ${CAT=cat}
. "${srcdir}/scripts/common.sh"
for tool in "${CERTTOOL}" "${SERV}" "${CLI}"; do
if ! test -x "$tool"; then
exit 77
fi
done
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi
TMPFILE_TEMPLATE=template.$$.tmpl.tmp
TMPFILE_CERT=cert.$$.pem.tmp
TMPFILE_KEY=key.$$.pem.tmp
TMPFILE_CONFIG=cfg.$$.tmp
TMPFILE_LIST=lst.$$.tmp
TMPFILE_INPUT_SCRIPT=input.$$.script.tmp
TMPFILE_OBSERVED_LOG=observed.$$.log.tmp
TMPFILE_EXPECTED_LOG=expected.$$.log.tmp
# Set up cleanup
SERVER_PID=""
cleanup() {
test -z "${SERVER_PID}" || kill "${SERVER_PID}"
rm -f "${TMPFILE_CERT}" "${TMPFILE_KEY}"
rm -f "${TMPFILE_CONFIG}" "${TMPFILE_LIST}"
rm -f "${TMPFILE_INPUT_SCRIPT}"
rm -f "${TMPFILE_OBSERVED_LOG}" "${TMPFILE_EXPECTED_LOG}"
}
trap cleanup 1 15 2 EXIT
# Generate server keys
${CAT} > "$TMPFILE_TEMPLATE" << EOF
organization = test
cn = example.com
ca
tls_www_server
dns_name = example.com
EOF
"${CERTTOOL}" --generate-privkey --key-type=rsa --hash sha256 \
--outfile "${TMPFILE_KEY}"
"${CERTTOOL}" --generate-self-signed --load-privkey "${TMPFILE_KEY}" \
--template "${TMPFILE_TEMPLATE}" --outfile "${TMPFILE_CERT}"
# Set up a configuration file using allowlisting allowing for TLS 1.2 only,
# but also allowing to enable 1.1 and 1.3.
${CAT} <<_EOF_ > "${TMPFILE_CONFIG}"
# this following is listed to allow
# 1.3's TLS_AES_128_GCM_SHA256, but not allowlist 1.3 itself
# 1.2's TLS_RSA_AES_128_GCM_SHA256
# 1.1's TLS_RSA_AES_128_CBC_SHA1, but not allowlist 1.1 itself
[global]
override-mode = allowlist
[overrides]
secure-hash = SHA256
tls-enabled-mac = AEAD # for 1.2, 1.3
tls-enabled-mac = SHA1 # for 1.1
tls-enabled-group = GROUP-FFDHE3072
secure-sig = RSA-PSS-RSAE-SHA256 # for 1.3
secure-sig = RSA-SHA256 # for 1.2, 1.1
tls-enabled-cipher = AES-128-GCM # for 1.2, 1.3
tls-enabled-cipher = AES-128-CBC # for 1.1
tls-enabled-kx = RSA
# enabled-version = TLS1.3 # intentional, to be tested for reenablement
enabled-version = TLS1.2 # to be tested for disabling later
# enabled-version = TLS1.1 # intentional, to be tested for reenablement
_EOF_
with_config_file() {
GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE_CONFIG}" \
GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
"$@" # preserve $?, callers rely on it
}
# Smoke --list, @SYSTEM
with_config_file "${CLI}" --list -d 4 --priority @SYSTEM &>"${TMPFILE_LIST}"
if test $? != 0; then
${CAT} "${TMPFILE_LIST}"
echo 'fails with just @SYSTEM'
exit 1
fi
if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.2' "${TMPFILE_LIST}"; then
${CAT} "${TMPFILE_LIST}"
echo 'unexpected protocol list with @SYSTEM, must be just VERS-TLS1.2'
exit 1
fi
# Smoke-test that TLS 1.3 is enableable with these algorithms
with_config_file \
"${CLI}" --list -d 4 --priority @SYSTEM:+VERS-TLS1.3 &>"${TMPFILE_LIST}"
if test $? != 0; then
${CAT} "${TMPFILE_LIST}"
echo 'listing algorithms fails with @SYSTEM:+VERS-TLS1.3'
exit 1
fi
if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.2, VERS-TLS1.3' "${TMPFILE_LIST}"; then
${CAT} "${TMPFILE_LIST}"
echo 'could not enable TLS 1.3 with a @SYSTEM:+VERS-TLS1.3'
exit 1
fi
# Smoke-test that TLS 1.1 is enableable with these algorithms
with_config_file \
"${CLI}" --list -d 4 --priority @SYSTEM:+VERS-TLS1.1 &>"${TMPFILE_LIST}"
if test $? != 0; then
${CAT} "${TMPFILE_LIST}"
echo 'listing algorithms fails with @SYSTEM:+VERS-TLS1.1'
exit 1
fi
if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.2, VERS-TLS1.1' "${TMPFILE_LIST}"; then
${CAT} "${TMPFILE_LIST}"
echo 'could not enable TLS 1.1 with a @SYSTEM:+VERS-TLS1.1'
exit 1
fi
### Harness for the actual tests
test_with_helper() {
${CAT} > "$TMPFILE_EXPECTED_LOG"
${SED} 's/\(.*\) -> .*/> \1/' "${TMPFILE_EXPECTED_LOG}" \
> "${TMPFILE_INPUT_SCRIPT}"
with_config_file env \
TEST_SERVER_PORT=$PORT \
TEST_SERVER_CA="$TMPFILE_CERT" \
GNUTLS_DEBUG_LEVEL=9 \
"${builddir}/protocol-mark-allowlisting" \
< "${TMPFILE_INPUT_SCRIPT}" > "${TMPFILE_OBSERVED_LOG}"
RETCODE=$?
${DIFF} -u "${TMPFILE_EXPECTED_LOG}" "${TMPFILE_OBSERVED_LOG}"
DIFF_RETCODE=$?
if [ $DIFF_RETCODE != 0 ]; then
echo
echo 'protocol-mark-allowlisting(.c) output is unexpected'
echo '--- expected ---'
${CAT} "${TMPFILE_EXPECTED_LOG}"
echo '--- observed ---'
${CAT} "${TMPFILE_OBSERVED_LOG}"
exit 1
fi
if [ $RETCODE != 0 ]; then
echo "protocol-mark-allowlisting(.c) failed with $RETCODE"
exit 1
fi
}
### Tests against a TLS 1.2 -only server
eval "${GETPORT}"
# server is launched without allowlisting config file in effect
launch_server --echo --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \
--x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}"
SERVER_PID=$!
wait_server ${SERVER_PID}
# ["gnutls_protocol_mark_disabled disables, TLS"]
# With a configuration file allowlisting a specific TLS protocol version (1.2),
# gnutls_protocol_mark_disabled with that version.
test_with_helper <<EOF
connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
protocol_mark_disabled TLS1.2 -> OK
connect -> bad priority: No or insufficient priorities were set.
EOF
# ["gnutls_protocol_mark_disabled disables revertibly, TLS"]
# consecutive gnutls_protocol_mark_enabled makes connection possible
# (with a different session handle).
test_with_helper <<EOF
connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
protocol_mark_disabled TLS1.2 -> OK
connect -> bad priority: No or insufficient priorities were set.
protocol_mark_enabled TLS1.2 -> OK
connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
EOF
# Just a random long-ish scenario
test_with_helper <<EOF
connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
protocol_mark_disabled TLS1.2 -> OK
connect -> bad priority: No or insufficient priorities were set.
protocol_mark_enabled TLS1.3 -> OK
connect -> bad priority: No or insufficient priorities were set.
protocol_mark_disabled TLS1.3 -> OK
protocol_mark_enabled TLS1.2 -> OK
connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
EOF
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
# Insufficient priority vs handshake failed
#test_with_helper <<EOF
#protocol_mark_disabled TLS1.2 -> OK
#connect -> bad priority: No or insufficient priorities were set.
#protocol_mark_enabled TLS1.3 -> OK
#connect -> handshake failed: A packet with illegal or unsupported version was received.
#EOF
terminate_proc ${SERVER_PID}
### Tests against a NORMAL server (all three TLS versions enabled)
eval "${GETPORT}"
# server is launched without allowlisting config file in effect
launch_server -d9 --echo --priority NORMAL \
--x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}"
SERVER_PID=$!
wait_server ${SERVER_PID}
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
# smoke-test protocol_mark_enabled
#test_with_helper <<EOF
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_enabled TLS1.3 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#EOF
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
# ["gnutls_protocol_mark_enabled enables, TLS"]
# with a configuration file not allowlisting a specific TLS protocol version,
# gnutls_protocol_mark_enabled with that version allows
# connecting to a server accepting this TLS protocol version alone,
#test_with_helper <<EOF
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_enabled TLS1.3 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#EOF
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
# ["gnutls_protocol_mark_enabled enables revertibly, TLS"]
# consecutive gnutls_protocol_mark_disabled
# prevents the client from connecting (with a different session handle)
#test_with_helper <<EOF
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_enabled TLS1.1 -> OK
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_disabled TLS1.2 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_disabled TLS1.1 -> OK
#connect -> bad priority: No or insufficient priorities were set.
#EOF
# Alternative one
#test_with_helper <<EOF
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_enabled TLS1.3 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#protocol_mark_disabled TLS1.3 -> OK
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#EOF
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
# ["gnutls_protocol_mark_disabled disables selectively, TLS"]
# gnutls_protocol_mark_disabled with a specific version
# doesn't disable other previously enabled version.
# ["gnutls_protocol_mark_enabled enables selectively, TLS"]
# gnutls_protocol_mark_enabled with a specific version
# doesn't enable other previously disabled version.
#test_with_helper <<EOF
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_enabled TLS1.3 -> OK
#protocol_mark_enabled TLS1.2 -> OK
#protocol_mark_enabled TLS1.1 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#protocol_mark_disabled TLS1.3 -> OK
#connect -> connection established: (TLS1.2)-(RSA)-(AES-128-GCM)
#protocol_mark_disabled TLS1.2 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_disabled TLS1.1 -> OK
#connect -> bad priority: No or insufficient priorities were set.
#protocol_mark_enabled TLS1.1 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_enabled TLS1.2 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_enabled TLS1.3 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#EOF
terminate_proc ${SERVER_PID}
### Tests against a TLS 1.1 & 1.3 server (1.2 disabled)
eval "${GETPORT}"
# server is launched without allowlisting config file in effect
launch_server -d9 --echo \
--priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.3" \
--x509keyfile "${TMPFILE_KEY}" --x509certfile "${TMPFILE_CERT}"
SERVER_PID=$!
wait_server ${SERVER_PID}
# !!! CURRENTLY NOT WORKING AS EXPECTED !!!
#test_with_helper <<EOF
#connect -> handshake failed: A packet with illegal or unsupported version was received.
#protocol_mark_enabled TLS1.1 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_enabled TLS1.3 -> OK
#connect -> connection established: (TLS1.3)-(DHE-FFDHE3072)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
#protocol_mark_disabled TLS1.3 -> OK
#connect -> connection established: (TLS1.1)-(RSA)-(AES-128-CBC)-(SHA1)
#protocol_mark_disabled TLS1.1 -> OK
#connect -> handshake failed: A packet with illegal or unsupported version was received.
#protocol_mark_disabled TLS1.2 -> OK
#connect -> bad priority: No or insufficient priorities were set.
#EOF
terminate_proc ${SERVER_PID}
exit 0
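Review bot: The script runs under `#!/bin/sh`, but the three `--list` smoke checks (the @SYSTEM, @SYSTEM:+VERS-TLS1.3 and @SYSTEM:+VERS-TLS1.1 invocations of with_config_file) redirect with bash's `&>"${TMPFILE_LIST}"`; a POSIX sh parses that as `&` followed by `>file`, so the client is backgrounded, `$?` on the following `if test $? != 0` line is always 0, and the `grep -Fqx` that follows may run against a still-empty file. Replace the redirection in all three places with `>"${TMPFILE_LIST}" 2>&1`. `cleanup` also never removes `${TMPFILE_TEMPLATE}`, so the certtool template is left behind in the test directory; add it to one of the `rm -f` lines. The scenarios commented out under "CURRENTLY NOT WORKING AS EXPECTED" are reasonable for a WIP commit, but noting next to each marker why it is disabled would let the final version re-enable them deliberately rather than by guesswork.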