OpenSSL 3 fixes: Disable TLS 1.3 when testing renegotiation support
authorPeter Edwards <peadar@arista.com>
Mon, 27 Jun 2022 21:41:47 +0000 (22:41 +0100)
committerPeter Edwards <peadar@arista.com>
Mon, 27 Jun 2022 22:10:15 +0000 (23:10 +0100)
TLS 1.3 does not support renegotiation - it has been removed from the
protocol. Disable TLS 1.3 when testing this, so we negotiate an older
protocol version

test/regress_openssl.c
test/regress_ssl.c

index f74cae1ce6a8c3305f3cfe7cea7ac5ca59529211..6bddb65394d6a1d87b9e13ec5d87fcd0ebdd947b 100644 (file)
@@ -122,12 +122,26 @@ get_ssl_ctx(void)
        the_ssl_ctx = SSL_CTX_new(SSLv23_method());
        if (!the_ssl_ctx)
                return NULL;
+
+#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+       /*
+        * OpenSSL 3 disables client renegotiation by default. Enable it if
+        * the option is defined.
+        */
+       SSL_CTX_set_options(the_ssl_ctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
+#endif
+
        if (disable_tls_11_and_12) {
 #ifdef SSL_OP_NO_TLSv1_2
                SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
                SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+       }
+       if (disable_tls_13) {
+#ifdef SSL_OP_NO_TLSv1_3
+               SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_3);
 #endif
        }
        return the_ssl_ctx;
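Review bot: SSL_OP_ALLOW_CLIENT_RENEGOTIATION is set unconditionally at the top of the hunk, so every test context re-enables client-initiated renegotiation, not only the case that exercises it; OpenSSL 3 turned it off by default because a client can force the server into repeated, comparatively expensive handshakes (a CPU-amplification denial of service), and the comment on that line should say so rather than just "disables it by default". Since `disable_tls_13` is set exactly when the renegotiation case runs, the option can be scoped by moving the single `SSL_CTX_set_options(the_ssl_ctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);` call inside the `if (disable_tls_13)` block, which keeps the other tests on OpenSSL's hardened default and makes this snippet less tempting to lift into server code as-is. Suggested wording for the comment either way: `/* OpenSSL 3 disables client-initiated renegotiation by default (DoS hardening); re-enable it only for the renegotiation test. */`. Whether the cached context is rebuilt for every test, and hence whether the flag is always set before this code runs, is not visible here and should be confirmed. get_ssl_ctx begins before this hunk.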
@@ -163,7 +177,7 @@ ssl_test_setup(const struct testcase_t *testcase)
        the_cert = ssl_getcert(the_key);
        EVUTIL_ASSERT(the_cert);
 
-       disable_tls_11_and_12 = 0;
+       disable_tls_11_and_12 = disable_tls_13 = 0;
 
        return basic_test_setup(testcase);
 }
index c53d249da6b4c3b0f0ebc91358cae2913c86588d..19b29b564e30f3b8affa392a55e31b4749cf87cf 100644 (file)
@@ -93,6 +93,7 @@ static const char KEY[] =
     "-----END RSA PRIVATE KEY-----\n";
 
 static int disable_tls_11_and_12 = 0;
+static int disable_tls_13 = 0;
 static int test_is_done;
 static int n_connected;
 static int got_close;
@@ -323,6 +324,12 @@ regress_bufferevent_openssl(void *arg)
        type = (enum regress_openssl_type)data->setup_data;
 
        if (type & REGRESS_OPENSSL_RENEGOTIATE) {
+               /*
+                * Disable TLS 1.3, so we negotiate something older to test
+                * renegotiation - renegotiation is not supported by the
+                * protocol any more.
+                */
+               disable_tls_13 = 1;
                if (OPENSSL_VERSION_NUMBER >= 0x10001000 &&
                    OPENSSL_VERSION_NUMBER <  0x1000104f) {
                        /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
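Review bot: Setting `disable_tls_13 = 1` only requests the downgrade; nothing in this test checks that the handshake actually negotiated TLS 1.2 or lower, so on a build where SSL_OP_NO_TLSv1_3 is not defined (the `#ifdef` guard in get_ssl_ctx then silently does nothing) the renegotiation assertions would fail for an unrelated-looking reason. Consider asserting the negotiated version wherever the test observes the completed handshake, e.g. `tt_int_op(SSL_version(ssl), <, TLS1_3_VERSION);` under `#ifdef TLS1_3_VERSION`, so the precondition fails loudly; the exact macro depends on the tinytest helpers this file presumably already uses. The added comment could also name the reference so readers know the restriction is protocol-level, not an OpenSSL quirk: `/* TLS 1.3 (RFC 8446) removed renegotiation, so force an older version for this case. */`. The rest of regress_bufferevent_openssl, including the 1.0.1 comment that starts on the hunk's last line, lies outside this hunk.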