The branch master has been updated
via 0e1e4045c469f03294e33c0344d882e71dbd0d07 (commit)
via cf34d54d82c1e51d018e81a95ea4a70598070eb3 (commit)
from 5c718b9e46f6bbe5381556dbcfdd40ba2d65df77 (commit)
- Log -----------------------------------------------------------------
commit 0e1e4045c469f03294e33c0344d882e71dbd0d07
Author: Benjamin Kaduk <[email protected]>
Date: Wed Apr 5 13:32:18 2017 -0500
TLS 1.3 client sigalgs test no longer needs TLS 1.2
Per the TODO comment, we now have proper certificate selection for
TLS 1.3 client certificates, so this test can move into its own
block. (It cannot merge with the previous block, as it requires EC.)
Verified that the test passes when configured with enable-tls1_3
no-tls1 no-tls1_1 no-tls1_2.
Reviewed-by: Rich Salz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/3131)
commit cf34d54d82c1e51d018e81a95ea4a70598070eb3
Author: Benjamin Kaduk <[email protected]>
Date: Thu Mar 23 11:00:08 2017 -0500
drop some no-longer-relevant TODO(TLS1.3) entries
We prevent compression both when the server is parsing the ClientHello
and when the client is constructing the ClientHello. A 1.3 ServerHello
has no way to hand us back a compression method, and we already check
that the server does not try to give us back a compression method that
we did not request, so these checks seem sufficient.
Weaken the INSTALL note slightly, as we do now expect to interoperate
with other implementations.
Reviewed-by: Rich Salz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/3131)
-----------------------------------------------------------------------
Summary of changes:
INSTALL | 5 +++--
ssl/record/rec_layer_s3.c | 3 ---
test/recipes/70-test_sslsigalgs.t | 16 ++++++++--------
3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/INSTALL b/INSTALL
index 8ae0644..3deb7ff 100644
--- a/INSTALL
+++ b/INSTALL
@@ -484,8 +484,9 @@
enable-tls1_3
TODO(TLS1.3): Make this enabled by default
Build support for TLS1.3. Note: This is a WIP feature and
- does not currently interoperate with other TLS1.3
- implementations! Use with caution!!
+ only a single draft version is supported. Implementations
+ of different draft versions will negotiate TLS 1.2 instead
+ of (draft) TLS 1.3. Use with caution!!
no-<prot>
Don't build support for negotiating the specified SSL/TLS
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0c40905..68c427e 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -841,9 +841,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char
*buf,
/* first we compress */
if (s->compress != NULL) {
- /*
- * TODO(TLS1.3): Make sure we prevent compression!!!
- */
if (!ssl3_do_compress(s, thiswr)
|| !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL))
{
SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
diff --git a/test/recipes/70-test_sslsigalgs.t
b/test/recipes/70-test_sslsigalgs.t
index dbd4870..832a4ba 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -92,20 +92,20 @@ SKIP: {
}
SKIP: {
- skip "EC, TLSv1.3 or TLSv1.2 disabled", 2
- if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");
-
+ skip "EC or TLSv1.3 disabled", 1
+ if disabled("tls1_3") || disabled("ec");
#Test 7: Sending a valid sig algs list but not including a sig type that
- # matches the certificate should fail in TLSv1.3. We need TLSv1.2
- # enabled for this test - otherwise the client will not attempt to
- # connect due to no TLSv1.3 ciphers being available.
- # TODO(TLS1.3): When proper TLSv1.3 certificate selection is working
- # we can move this test into the section above
+ # matches the certificate should fail in TLSv1.3.
$proxy->clear();
$proxy->clientflags("-sigalgs ECDSA+SHA256");
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
+}
+
+SKIP: {
+ skip "EC, TLSv1.3 or TLSv1.2 disabled", 1
+ if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");
#Test 8: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
# should succeed
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
