From: Nick Mathewson Date: Thu, 15 Nov 2012 16:42:14 +0000 (-0500) Subject: Fix renegotiation test to work around openssl 1.0.1 bug X-Git-Tag: release-2.0.21-stable~8 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c2f30863e24b67c7890ec0a97f8216cc2785a45d;p=libevent Fix renegotiation test to work around openssl 1.0.1 bug There's a bug in openssl 1.0.1 where TLS1.1 and TLS1.2 can't renegotiate with themselves. When testing renegotiation with OpenSSL >=1.0.1 and <1.0.1d, disable those protocols.
---
diff --git a/test/regress_ssl.c b/test/regress_ssl.c
index 580c2919..1be32036 100644
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@@ -129,6 +129,7 @@ end:
 return NULL;
 }
+static int disable_tls_11_and_12 = 0;
 static SSL_CTX *the_ssl_ctx = NULL;
 static SSL_CTX *
@@ -136,7 +137,18 @@ get_ssl_ctx(void)
 {
 if (the_ssl_ctx)
 return the_ssl_ctx;
- return (the_ssl_ctx = SSL_CTX_new(SSLv23_method()));
+ the_ssl_ctx = SSL_CTX_new(SSLv23_method());
+ if (!the_ssl_ctx)
+ return NULL;
+ if (disable_tls_11_and_12) {
+#ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+ }
+ return the_ssl_ctx;
 }
 static void
@@ -280,6 +292,16 @@ regress_bufferevent_openssl(void *arg)
 init_ssl();
+ if (strstr((char*)data->setup_data, "renegotiate")) {
+ if (SSLeay() >= 0x10001000 &&
+ SSLeay() < 0x1000104f) {
+ /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
+ * can't renegotiate with themselves. Disable. */
+ disable_tls_11_and_12 = 1;
+ }
+ renegotiate_at = 600;
+ }
+
 ssl1 = SSL_new(get_ssl_ctx());
 ssl2 = SSL_new(get_ssl_ctx());
@@ -289,9 +311,6 @@ regress_bufferevent_openssl(void *arg)
 if (! start_open)
 flags |= BEV_OPT_CLOSE_ON_FREE;
- if (strstr((char*)data->setup_data, "renegotiate"))
- renegotiate_at = 600;
-
 if (!filter) {
 tt_assert(strstr((char*)data->setup_data, "socketpair"));
 fd_pair = data->pair;
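Review bot: In the third hunk `disable_tls_11_and_12 = 1` is set after `get_ssl_ctx()` may already have built and cached `the_ssl_ctx` for an earlier test in the same process, and the second hunk applies `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2` only on the creation path, so a renegotiate test that runs after any other SSL test would still use a context with TLS 1.1/1.2 enabled; the flag is also never cleared, so once set it sticks for every later test. If the harness forks a fresh process per test this is harmless, but that cannot be confirmed from these hunks, so the test should not depend on it. A small fix in the block that sets the flag is to drop the stale cache first, `if (the_ssl_ctx) { SSL_CTX_free(the_ssl_ctx); the_ssl_ctx = NULL; }` before `disable_tls_11_and_12 = 1;`, or to key the cache on the flag's current value. `regress_bufferevent_openssl` begins before the third hunk and continues past the fourth.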