In version 1.0.1, the TLS unit test script does not invoke any of the TLS 1.2 methods.
The attached patch resolves this problem by adding support for the -tls1_2 option to ssl/ssltest.c. The test/testssl script is also modified to utilize this new option.
Index: ssl/ssltest.c =================================================================== --- ssl/ssltest.c (revision 352) +++ ssl/ssltest.c (working copy) @@ -350,6 +350,7 @@ #endif #ifndef OPENSSL_NO_TLS1 fprintf(stderr," -tls1 - use TLSv1\n"); + fprintf(stderr," -tls1_2 - use TLSv1.2\n"); #endif fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); @@ -504,7 +505,7 @@ int badop=0; int bio_pair=0; int force=0; - int tls1=0,ssl2=0,ssl3=0,ret=1; + int tls12=0,tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; struct app_verify_arg app_verify_arg = @@ -661,6 +662,8 @@ ssl2=1; else if (strcmp(*argv,"-tls1") == 0) tls1=1; + else if (strcmp(*argv,"-tls1_2") == 0) + tls12=1; else if (strcmp(*argv,"-ssl3") == 0) ssl3=1; else if (strncmp(*argv,"-num",4) == 0) @@ -794,7 +797,7 @@ { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl2, -ssl3, -tls1, -reuse\n" + "or add one of -ssl2, -ssl3, -tls1, -tls1_2, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } @@ -874,6 +877,9 @@ else if (tls1) meth=TLSv1_method(); + else + if (tls12) + meth=TLSv1_2_method(); else if (ssl3) meth=SSLv3_method(); Index: test/testssl =================================================================== --- test/testssl (revision 352) +++ test/testssl (working copy) @@ -158,4 +158,31 @@ $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 fi +if ../util/shlib_wrap.sh ../apps/openssl no-dh; then + echo skipping anonymous DH tests +else + echo test tls1.2 with 1024bit anonymous DH, multiple handshakes + $ssltest -v -bio_pair -tls1_2 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then + echo skipping RSA tests +else + echo 'test tls1.2 with 1024bit RSA, no (EC)DHE, multiple handshakes' + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1_2 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 + + if ../util/shlib_wrap.sh ../apps/openssl no-dh; then + echo skipping RSA+DHE tests + else + echo test tls1.2 with 1024bit RSA, 1024bit DHE, multiple handshakes + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1_2 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 + fi +fi + +echo test tls1.2 with PSK +$ssltest -tls1_2 -cipher PSK -psk abc123 $extra || exit 1 + +echo test tls1.2 with PSK via BIO pair +$ssltest -bio_pair -tls1_2 -cipher PSK -psk abc123 $extra || exit 1 + exit 0
<<inline: foleyj.vcf>>