From c2f30863e24b67c7890ec0a97f8216cc2785a45d Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Thu, 15 Nov 2012 11:42:14 -0500
Subject: [PATCH] Fix renegotiation test to work around openssl 1.0.1 bug

There's a bug in openssl 1.0.1 where TLS1.1 and TLS1.2 can't renegotiate with themselves. When testing renegotiation with OpenSSL >=1.0.1 and <1.0.1d, disable those protocols.
---
 test/regress_ssl.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/test/regress_ssl.c b/test/regress_ssl.c
index 580c2919..1be32036 100644
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@@ -129,6 +129,7 @@ end:
 return NULL;
 }
+static int disable_tls_11_and_12 = 0;
 static SSL_CTX *the_ssl_ctx = NULL;
 static SSL_CTX *
@@ -136,7 +137,18 @@ get_ssl_ctx(void)
 {
 if (the_ssl_ctx)
 return the_ssl_ctx;
- return (the_ssl_ctx = SSL_CTX_new(SSLv23_method()));
+ the_ssl_ctx = SSL_CTX_new(SSLv23_method());
+ if (!the_ssl_ctx)
+ return NULL;
+ if (disable_tls_11_and_12) {
+#ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ SSL_CTX_set_options(the_ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif
+ }
+ return the_ssl_ctx;
 }
 static void
@@ -280,6 +292,16 @@ regress_bufferevent_openssl(void *arg)
 init_ssl();
+ if (strstr((char*)data->setup_data, "renegotiate")) {
+ if (SSLeay() >= 0x10001000 &&
+ SSLeay() < 0x1000104f) {
+ /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
+ * can't renegotiate with themselves. Disable. */
+ disable_tls_11_and_12 = 1;
+ }
+ renegotiate_at = 600;
+ }
+
 ssl1 = SSL_new(get_ssl_ctx());
 ssl2 = SSL_new(get_ssl_ctx());
@@ -289,9 +311,6 @@ regress_bufferevent_openssl(void *arg)
 if (! start_open)
 flags |= BEV_OPT_CLOSE_ON_FREE;
- if (strstr((char*)data->setup_data, "renegotiate"))
- renegotiate_at = 600;
-
 if (!filter) {
 tt_assert(strstr((char*)data->setup_data, "socketpair"));
 fd_pair = data->pair;
-- 
2.40.0
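Review bot: The new file-scope flag `disable_tls_11_and_12` carries no comment saying what it controls or when it must be set, and its only consumer, `get_ssl_ctx()` in the next hunk, reads it just once, when `the_ssl_ctx` is first created. A reader who sets the flag later in a test will get no effect and no diagnostic. Suggest a comment on the declaration: `/* Set to 1 before the first get_ssl_ctx() call to strip TLS1.1/1.2 from the shared context; works around the OpenSSL 1.0.1-1.0.1c self-renegotiation bug and is never reset. */`.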
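Review bot: The `SSL_OP_NO_TLSv1_*` options are applied only on the branch that creates `the_ssl_ctx`; once the cached context exists, the early `return the_ssl_ctx;` skips the flag entirely, and since `disable_tls_11_and_12` is never cleared, the workaround's effect depends on which test first called `get_ssl_ctx()` in this process. If the regress harness runs several tests in one process (tinytest appears to fork per test by default, so this may not bite in practice), a renegotiation test that runs after any other SSL test would still hit the 1.0.1 bug, and one that runs first would leave TLS1.1/1.2 disabled for every later test. At minimum this should be stated next to the cache check, e.g. `/* Options are fixed at first creation; callers must set disable_tls_11_and_12 before this runs. */`, or the function should rebuild the context when the flag has changed since creation. The null check on `SSL_CTX_new()` is a welcome fix over the old one-liner.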
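Review bot: `SSLeay()` is called twice in the version test and the two hex bounds are left unexplained; caching the result and naming the bounds in the existing comment reads better: `long ver = SSLeay();` and `if (ver >= 0x10001000 && ver < 0x1000104f) {`, with the comment extended to say the constants are 1.0.1-dev and 1.0.1d in OpenSSL's MNNFFPPS layout. Using the runtime `SSLeay()` rather than the compile-time version macro is the right choice here, since the bug lives in the library actually loaded. The enclosing function `regress_bufferevent_openssl` begins and ends outside this hunk. The same flag-is-never-reset caveat raised on the `get_ssl_ctx()` hunk applies to the `disable_tls_11_and_12 = 1;` line here.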