In version 1.0.1, the TLS unit test script does not invoke any of the
TLS 1.2 methods.
The attached patch resolves this problem by adding support for the
-tls1_2 option to ssl/ssltest.c. The test/testssl script is also
modified to utilize this new option.
Index: ssl/ssltest.c
===
--- ssl/ssltest.c (revision 352)
+++ ssl/ssltest.c (working copy)
@@ -350,6 +350,7 @@
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, -tls1 - use TLSv1\n);
+ fprintf(stderr, -tls1_2 - use TLSv1.2\n);
#endif
fprintf(stderr, -CApath arg - PEM format directory of CA's\n);
fprintf(stderr, -CAfile arg - PEM format file of CA's\n);
@@ -504,7 +505,7 @@
int badop=0;
int bio_pair=0;
int force=0;
- int tls1=0,ssl2=0,ssl3=0,ret=1;
+ int tls12=0,tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
struct app_verify_arg app_verify_arg =
@@ -661,6 +662,8 @@
ssl2=1;
else if (strcmp(*argv,-tls1) == 0)
tls1=1;
+ else if (strcmp(*argv,-tls1_2) == 0)
+ tls12=1;
else if (strcmp(*argv,-ssl3) == 0)
ssl3=1;
else if (strncmp(*argv,-num,4) == 0)
@@ -794,7 +797,7 @@
{
fprintf(stderr, This case cannot work. Use -f to perform
the test anyway (and\n-d to see what happens),
- or add one of -ssl2, -ssl3, -tls1, -reuse\n
+ or add one of -ssl2, -ssl3, -tls1, -tls1_2, -reuse\n
to avoid protocol mismatch.\n);
EXIT(1);
}
@@ -874,6 +877,9 @@
else
if (tls1)
meth=TLSv1_method();
+ else
+ if (tls12)
+ meth=TLSv1_2_method();
else
if (ssl3)
meth=SSLv3_method();
Index: test/testssl
===
--- test/testssl (revision 352)
+++ test/testssl (working copy)
@@ -158,4 +158,31 @@
$ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
fi
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+ echo skipping anonymous DH tests
+else
+ echo test tls1.2 with 1024bit anonymous DH, multiple handshakes
+ $ssltest -v -bio_pair -tls1_2 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+fi
+
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
+ echo skipping RSA tests
+else
+ echo 'test tls1.2 with 1024bit RSA, no (EC)DHE, multiple handshakes'
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1_2 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
+
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+echo skipping RSA+DHE tests
+ else
+echo test tls1.2 with 1024bit RSA, 1024bit DHE, multiple handshakes
+../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1_2 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ fi
+fi
+
+echo test tls1.2 with PSK
+$ssltest -tls1_2 -cipher PSK -psk abc123 $extra || exit 1
+
+echo test tls1.2 with PSK via BIO pair
+$ssltest -bio_pair -tls1_2 -cipher PSK -psk abc123 $extra || exit 1
+
exit 0
inline: foleyj.vcf