]> granicus.if.org Git - libevent/commitdiff
Fix renegotiation test to work around openssl 1.0.1 bug
authorNick Mathewson <nickm@torproject.org>
Thu, 15 Nov 2012 16:42:14 +0000 (11:42 -0500)
committerNick Mathewson <nickm@torproject.org>
Thu, 15 Nov 2012 16:43:45 +0000 (11:43 -0500)
There's a bug in openssl 1.0.1 where TLS1.1 and TLS1.2 can't
renegotiate with themselves.  When testing renegotiation with OpenSSL
>=1.0.1 and <1.0.1d, disable those protocols.

test/regress_ssl.c

index 580c2919a0fcace5afc07acc12db898203be3c40..1be32036167fc3f3ece7226eb03fae33eb54a7f8 100644 (file)
@@ -129,6 +129,7 @@ end:
        return NULL;
 }
 
+static int disable_tls_11_and_12 = 0;
 static SSL_CTX *the_ssl_ctx = NULL;
 
 static SSL_CTX *
@@ -136,7 +137,18 @@ get_ssl_ctx(void)
 {
        if (the_ssl_ctx)
                return the_ssl_ctx;
-       return (the_ssl_ctx = SSL_CTX_new(SSLv23_method()));
+       the_ssl_ctx = SSL_CTX_new(SSLv23_method());
+       if (!the_ssl_ctx)
+               return NULL;
+       if (disable_tls_11_and_12) {
+#ifdef SSL_OP_NO_TLSv1_2
+               SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+               SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+       }
+       return the_ssl_ctx;
 }
 
 static void
@@ -280,6 +292,16 @@ regress_bufferevent_openssl(void *arg)
 
        init_ssl();
 
+       if (strstr((char*)data->setup_data, "renegotiate")) {
+               if (SSLeay() >= 0x10001000 &&
+                   SSLeay() <  0x1000104f) {
+                       /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
+                        * can't renegotiate with themselves. Disable. */
+                       disable_tls_11_and_12 = 1;
+               }
+               renegotiate_at = 600;
+       }
+
        ssl1 = SSL_new(get_ssl_ctx());
        ssl2 = SSL_new(get_ssl_ctx());
 
@@ -289,9 +311,6 @@ regress_bufferevent_openssl(void *arg)
        if (! start_open)
                flags |= BEV_OPT_CLOSE_ON_FREE;
 
-       if (strstr((char*)data->setup_data, "renegotiate"))
-               renegotiate_at = 600;
-
        if (!filter) {
                tt_assert(strstr((char*)data->setup_data, "socketpair"));
                fd_pair = data->pair;