From: Peter Edwards
Date: Mon, 27 Jun 2022 21:41:47 +0000 (+0100)
Subject: OpenSSL 3 fixes: Disable TLS 1.3 when testing renegotiation support
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=187f6b913b38a0cd5a0d9775f794fdf02c105953;p=libevent
OpenSSL 3 fixes: Disable TLS 1.3 when testing renegotiation support
TLS 1.3 does not support renegotation - it has been removed from the protocol. Disable TLS 1.3 when testing this, so we negotiate an older protocol version
---
diff --git a/test/regress_openssl.c b/test/regress_openssl.c
index f74cae1c..6bddb653 100644
--- a/test/regress_openssl.c
+++ b/test/regress_openssl.c
@@ -122,12 +122,26 @@ get_ssl_ctx(void)
the_ssl_ctx = SSL_CTX_new(SSLv23_method());
if (!the_ssl_ctx)
return NULL;
+
+#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+ /*
+ * OpenSSL 3 disables client renegotiation by default. Enable it if
+ * the option is defined.
+ */
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
+#endif
+
if (disable_tls_11_and_12) {
#ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
#endif
#ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+ }
+ if (disable_tls_13) {
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_3);
#endif
}
return the_ssl_ctx;
@@ -163,7 +177,7 @@ ssl_test_setup(const struct testcase_t *testcase)
the_cert = ssl_getcert(the_key);
EVUTIL_ASSERT(the_cert);
- disable_tls_11_and_12 = 0;
+ disable_tls_11_and_12 = disable_tls_13 = 0;
return basic_test_setup(testcase);
}
diff --git a/test/regress_ssl.c b/test/regress_ssl.c
index c53d249d..19b29b56 100644
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@@ -93,6 +93,7 @@ static const char KEY[] =
"-----END RSA PRIVATE KEY-----\n";
static int disable_tls_11_and_12 = 0;
+static int disable_tls_13 = 0;
static int test_is_done;
static int n_connected;
static int got_close;
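Review bot: `SSL_OP_ALLOW_CLIENT_RENEGOTIATION` is set on every context get_ssl_ctx() builds, not only when a renegotiation test is running, so the non-renegotiation tests now run with a less restrictive configuration than the OpenSSL 3 default, and the hunk comment (`Enable it if the option is defined`) only restates the #ifdef. If the other tests are meant to stay on the default, a dedicated flag raised next to `disable_tls_13 = 1` in regress_bufferevent_openssl() and checked here would scope the opt-in; otherwise the comment should at least say why the default is restrictive, e.g. `/* Test-only: OpenSSL 3 refuses client-initiated renegotiation by default (it is a known resource-exhaustion risk); opt back in so the RENEGOTIATE tests can exercise it. */`. Note also that a context with both disable_tls_11_and_12 and disable_tls_13 set is left with TLS 1.0 at most; the next hunk's 1.0.1 branch looks like where the first flag is raised in the renegotiate case, but that line is outside the view, so it is worth confirming the combination still handshakes. get_ssl_ctx() starts before the hunk and its closing brace is after it.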
@@ -323,6 +324,12 @@ regress_bufferevent_openssl(void *arg)
type = (enum regress_openssl_type)data->setup_data;
if (type & REGRESS_OPENSSL_RENEGOTIATE) {
+ /*
+ * Disable TLS 1.3, so we negotiate something older to test
+ * renegotiation - renegotiation is not supported by the
+ * protocol any more.
+ */
+ disable_tls_13 = 1;
if (OPENSSL_VERSION_NUMBER >= 0x10001000 && OPENSSL_VERSION_NUMBER < 0x1000104f) {
/* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2