@@ -45,6 +45,7 @@
'ECDHE-RSA-CAMELLIA128-SHA256',
'DHE-RSA-CAMELLIA128-SHA256',
'DHE-RSA-CAMELLIA256-SHA256',
+ 'TLS_AES_128_CCM_SHA256',
]
CIPHERS_NOT_IN_OPENSSL = [
@@ -59,7 +60,7 @@
]
OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \
- ":-SRP:-AESCCM:-AESCCM8"
+ ":-SRP:-AESCCM:-AESCCM8:-RC4:-ARIA"
if ENABLE_SERVER_DHE == 0:
OPENSSL_CIPHERS_IGNORE += ':-DH'
@@ -76,8 +77,13 @@
(out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])
return rc == 0
+ def openssl_has_ciphersuites():
+ (out, err, rc) = run(["openssl", "ciphers", "-ciphersuites", "", "AES"])
+ return rc == 0
+
OPENSSL_CHACHA20 = openssl_CHACHA20()
OPENSSL_TLS13 = openssl_tls13()
+ OPENSSL_HAS_CIPHERSUITES = openssl_has_ciphersuites()
tls13_ciphers = [
'TLS-AES-128-GCM-SHA256',
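Review bot: openssl_has_ciphersuites() probes the literal `"openssl"` resolved from PATH, whereas openssl_tls13() just above runs the configured `openssl` handle, so OPENSSL_HAS_CIPHERSUITES can describe a different build than the one assert_equal_openssl later compares against and the feature detection may be silently wrong. Use the same handle for the probe: `(out, err, rc) = run([openssl, "ciphers", "-ciphersuites", "", "AES"])`. openssl_tls13() begins before this hunk.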
@@ -86,12 +92,21 @@
]
- def assert_equal_openssl(ciphers):
+ def assert_equal_openssl(ciphers, tls13=False):
nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"
ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE
+
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
+ # Disable TLSv1.3 ciphers to match default output in openssl ciphers
+ nss_ciphers = nss_ciphers + ":-TLSv1.3"
(nss, err, rc) = run([exe, "--o", nss_ciphers])
assert rc == 0
- (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])
+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:
+ # Disable TLSv1.3 ciphers to match previous behavior
+ cmd = [openssl, "ciphers", "-ciphersuites", "", ossl_ciphers]
+ else:
+ cmd = [openssl, "ciphers", ossl_ciphers]
+ (ossl, err, rc) = run(cmd)
assert rc == 0
nss_list = nss.strip().split(':')
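Review bot: The condition `not tls13 and OPENSSL_HAS_CIPHERSUITES` is written out twice in assert_equal_openssl, once for the NSS side and once for the OpenSSL side, with two comments that describe the same intent differently; if one copy is edited later the two lists stop being comparable without any test noticing. Bind it once after `ossl_ciphers = ...`, e.g. `legacy_only = not tls13 and OPENSSL_HAS_CIPHERSUITES`, use `if legacy_only:` in both places, and keep a single comment such as `# Drop TLSv1.3 suites on both sides when openssl supports -ciphersuites so the lists stay comparable`. The function body continues past the end of this hunk.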
@@ -134,9 +149,9 @@
elif len(ossl_list) > len(nss_list):
diff = set(ossl_list) - set(nss_list)
else:
- diff = ''
+ diff = None
- assert nss_list == ossl_list, '%r != %r. Difference %r' % (
+ assert diff is None, '%r != %r. Difference %r' % (
':'.join(nss_list), ':'.join(ossl_list), diff)
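Review bot: Replacing `assert nss_list == ossl_list` with `assert diff is None` weakens the check: when the two lists have the same length but different members, or the same members in another order, the else branch sets diff to None and the assertion passes without comparing contents. If the intent is only to tolerate ordering differences, make the else branch compare membership, e.g. `diff = set(nss_list) ^ set(ossl_list) or None`; if order still matters, keep the list equality as the asserted condition and use diff only in the message. The if-branch handling a longer nss_list begins before this hunk.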
@@ -228,6 +243,10 @@
def test_TLSv12(self):
assert_equal_openssl("TLSv1.2")
+ def test_TLSv13(self):
+ if OPENSSL_TLS13:
+ assert_equal_openssl("TLSv1.3", tls13=True)
+
def test_NULL(self):
assert_equal_openssl("NULL")
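Review bot: test_TLSv13 passes silently when OPENSSL_TLS13 is False, so a run against an OpenSSL without TLSv1.3 reports the test as green although nothing was exercised. Reporting a skip is more honest: under pytest `pytest.skip("openssl lacks TLSv1.3")`, under unittest `self.skipTest("openssl lacks TLSv1.3")` in place of the bare `if`; which framework the enclosing class uses is not visible in this hunk.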
The ciphers command behavior that the tests rely on was modified:
*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
would otherwise inadvertently disable all TLSv1.3 ciphersuites the
configuration has been separated out. See the ciphers man page or the
SSL_CTX_set_ciphersuites() man page for more information.
[Matt Caswell]
Update the tests to handle this change plus some other modifications.