From 521ba2f2ab0e0e89d1776559874b3ecc227442fc Mon Sep 17 00:00:00 2001
From: beck
Date: Sun, 2 Jul 2023 17:21:32 +0000
Subject: [PATCH] Disable TLS 1.0 and TLS 1.1 in libssl

Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
---
 lib/libssl/s3_lib.c | 4 +-
 lib/libssl/ssl_versions.c | 12 +---
 regress/lib/libssl/Makefile | 6 +-
 regress/lib/libssl/interop/version/Makefile | 4 +-
 regress/lib/libssl/ssl/ssltest.c | 16 ++---
 regress/lib/libssl/ssl/testssl | 36 +++++-----
 regress/lib/libssl/tls/tlstest.c | 78 +--------------------
 regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 43 ++++++++++--
 regress/lib/libssl/unit/ssl_versions.c | 68 +++++++++---------
 9 files changed, 106 insertions(+), 161 deletions(-)

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 37ca7bd113b..7561060120c 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
 s->s3->in_read_app_data = 0;
 s->packet_length = 0;
- s->version = TLS1_VERSION;
+ s->version = TLS1_2_VERSION;
 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index fbc0004f4b4..82735460622 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 *
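Review bot: `s->version = TLS1_2_VERSION;` in ssl3_clear now reads like the library's minimum version, but nothing on the line says it is only the value held before negotiation, and the range actually used is computed in ssl_enabled_tls_version_range (changed further down in this commit). A short comment would keep the next reader from treating the constant as policy, e.g. `/* Pre-negotiation placeholder; the usable range comes from ssl_enabled_tls_version_range(). */`. If ssl3_clear is also reached for DTLS objects, the caller presumably overwrites this with a DTLS wire version afterwards — worth confirming, since TLS1_2_VERSION is not a DTLS version. The body of ssl3_clear starts outside the hunk.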
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
 }
- if ((options & SSL_OP_NO_TLSv1) == 0)
- min_version = TLS1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_1) == 0)
- min_version = TLS1_1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+ if ((options & SSL_OP_NO_TLSv1_2) == 0)
 min_version = TLS1_2_VERSION;
 else if ((options & SSL_OP_NO_TLSv1_3) == 0)
 min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
 max_version = TLS1_2_VERSION;
 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
- max_version = TLS1_1_VERSION;
- if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
- max_version = TLS1_VERSION;
- if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
 max_version = 0;
 /* Everything has been disabled... */
diff --git a/regress/lib/libssl/Makefile b/regress/lib/libssl/Makefile
index bae1248ab1b..f9919404f23 100644
--- a/regress/lib/libssl/Makefile
+++ b/regress/lib/libssl/Makefile
@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+# $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
 SUBDIR += api
 SUBDIR += asn1
 SUBDIR += buffer
 SUBDIR += bytestring
 SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
 SUBDIR += dtls
 SUBDIR += exporter
 SUBDIR += handshake
@@ -13,7 +13,7 @@ SUBDIR += pqueue
 SUBDIR += quic
 SUBDIR += record
 SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
 SUBDIR += ssl
 SUBDIR += tls
 SUBDIR += tlsext
diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile
index 9d0ae418bad..c4f7705d638 100644
--- a/regress/lib/libssl/interop/version/Makefile
+++ b/regress/lib/libssl/interop/version/Makefile
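Review bot: After the new `if ((options & SSL_OP_NO_TLSv1_2) == 0)` the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 flags no longer influence min_version, and the second hunk at @@ -162 removes their effect on max_version too, yet the flags are still accepted — the context line `options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;` still sets one of them — and nothing in the function records that they are now no-ops. A comment at the new `if` would make the intent explicit, e.g. `/* TLSv1.0 and TLSv1.1 are no longer supported; SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are accepted but have no effect on the range. */`. The surviving `/* Everything has been disabled... */` now describes only the case where TLSv1.2 is disabled with min_version below it, so it may be worth rewording to say that TLSv1.2 was the last version in range. ssl_enabled_tls_version_range starts and ends outside both hunks.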
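Review bot: `#SUBDIR += client` (and `#SUBDIR += server` in the hunk at @@ -13) are commented out with no explanation in the Makefile itself, so the disabled regress directories look accidental to anyone not reading the commit message. If these are the byte-for-byte handshake tests the commit message says are disabled until they are updated, a one-line comment above each would record that, e.g. `# client and server golden handshake tests are disabled until updated for the TLSv1.2+ only library`. That also gives whoever re-enables them a clear place to remove the note.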
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
@@ -14,7 +14,7 @@ LIBRARIES += openssl11
 LIBRARIES += openssl30
 .endif
-VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
+VERSIONS = any TLS1_2 TLS1_3
 .for cver in ${VERSIONS}
 .for sver in ${VERSIONS}
diff --git a/regress/lib/libssl/ssl/ssltest.c b/regress/lib/libssl/ssl/ssltest.c
index b4b10446e6c..6b8e2430735 100644
--- a/regress/lib/libssl/ssl/ssltest.c
+++ b/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
+/* $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -336,7 +336,7 @@ sv_usage(void)
 fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
 fprintf(stderr, " -no_dhe - disable DHE\n");
 fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
- fprintf(stderr, " -dtls1 - use DTLSv1\n");
+ fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n");
 fprintf(stderr, " -tls1 - use TLSv1\n");
 fprintf(stderr, " -tls1_2 - use TLSv1.2\n");
 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
@@ -409,7 +409,7 @@ main(int argc, char *argv[])
 int badop = 0;
 int bio_pair = 0;
 int force = 0;
- int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
+ int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
 int client_auth = 0;
 int server_auth = 0, i;
 char *app_verify_arg = "Test Callback Argument";
@@ -464,8 +464,8 @@ main(int argc, char *argv[])
 no_dhe = 1;
 else if (strcmp(*argv, "-no_ecdhe") == 0)
 no_ecdhe = 1;
- else if (strcmp(*argv, "-dtls1") == 0)
- dtls1 = 1;
+ else if (strcmp(*argv, "-dtls1_2") == 0)
+ dtls1_2 = 1;
 else if (strcmp(*argv, "-tls1") == 0)
 tls1 = 1;
 else if (strcmp(*argv, "-tls1_2") == 0)
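Review bot: The `-dtls1` option is renamed to `-dtls1_2` in the sv_usage hunk at @@ -336, but the neighbouring `-tls1` option is kept in the same usage text (`fprintf(stderr, " -tls1 - use TLSv1\n");`), in the option parsing at @@ -464 and in the method selection at @@ -588 on the next line (`meth = TLSv1_method();`). With TLSv1.0 removed from the negotiable range in ssl_versions.c, `-tls1` presumably now selects a method that can no longer complete a handshake, so a run using it would fail in a way that looks like a library bug rather than an unsupported option. Either drop `-tls1` and the `TLSv1_method()` branch the same way `-dtls1` was replaced, or at least change the usage line to `" -tls1 - use TLSv1 (no longer supported)\n"`. main continues outside these hunks.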
@@ -565,7 +565,7 @@ bad:
 goto end;
 }
- if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
+ if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
 fprintf(stderr, "This case cannot work. Use -f to perform "
 "the test anyway (and\n-d to see what happens), "
@@ -588,8 +588,8 @@ bad:
 SSL_library_init();
 SSL_load_error_strings();
- if (dtls1)
- meth = DTLSv1_method();
+ if (dtls1_2)
+ meth = DTLSv1_2_method();
 else if (tls1)
 meth = TLSv1_method();
 else if (tls1_2)
diff --git a/regress/lib/libssl/ssl/testssl b/regress/lib/libssl/ssl/testssl
index 43efaa6460a..70db1752b76 100644
--- a/regress/lib/libssl/ssl/testssl
+++ b/regress/lib/libssl/ssl/testssl
@@ -95,8 +95,7 @@ done
 if $openssl no-dh; then
 echo skipping anonymous DH tests
 else
- echo test tls1 with 1024bit anonymous DH, multiple handshakes
- $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+ echo skipping tls1 tests.
 fi
 #if $openssl no-rsa; then
@@ -117,17 +116,16 @@ fi
 # DTLS tests
 #
-echo test dtlsv1
-$ssltest -dtls1 $extra || exit 1
+$ssltest -dtls1_2 $extra || exit 1
-echo test dtlsv1 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+echo test dtlsv1_2 with server authentication
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
-echo test dtlsv1 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with client authentication
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
-echo test dtlsv1 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with both client and server authentication
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
 echo "Testing DTLS ciphersuites"
 for protocol in SSLv3; do
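Review bot: `+$ssltest -dtls1_2 $extra || exit 1` replaces both the old `echo test dtlsv1` line and the old command, so the first DTLS case now runs without the label that the three following cases in the same hunk get; add `echo test dtlsv1_2` in front of it. In the @@ -95 hunk, `echo skipping tls1 tests.` is printed in the `else` branch of the `no-dh` check, i.e. precisely when anonymous DH is available, which reads oddly next to the `echo skipping anonymous DH tests` above it; `echo skipping tls1 anonymous DH tests` would say what was actually dropped. The `for protocol in SSLv3; do` loop that follows continues outside the hunk.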
@@ -136,7 +134,7 @@ for protocol in SSLv3; do
 awk "/ $protocol / { print \\$1 }" | grep -v RC4`; do
 echo "Testing $cipher"
- $ssltest -cipher $cipher -dtls1
+ $ssltest -cipher $cipher -dtls1_2
 if [ $? -ne 0 ] ; then
 echo "Failed $cipher"
 exit 1
@@ -148,17 +146,17 @@ done
 # ALPN tests
 #
 echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
 -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
 -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
 -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1
diff --git a/regress/lib/libssl/tls/tlstest.c b/regress/lib/libssl/tls/tlstest.c
index 5c72717e6ef..8154e7576c7 100644
--- a/regress/lib/libssl/tls/tlstest.c
+++ b/regress/lib/libssl/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2020, 2021 Joel Sing
 *
@@ -244,14 +244,6 @@ static const struct tls_test tls_tests[] = {
 .desc = "Default client and TLSv1.2 server",
 .server_max_version = TLS1_2_VERSION,
 },
- {
- .desc = "Default client and TLSv1.1 server",
- .server_max_version = TLS1_1_VERSION,
- },
- {
- .desc = "Default client and TLSv1.0 server",
- .server_max_version = TLS1_VERSION,
- },
 {
 .desc = "Default client and default server with ECDHE KEX",
 .server_ciphers = "ECDHE-RSA-AES128-SHA",
@@ -261,16 +253,6 @@ static const struct tls_test tls_tests[] = {
 .server_max_version = TLS1_2_VERSION,
 .server_ciphers = "ECDHE-RSA-AES128-SHA",
 },
- {
- .desc = "Default client and TLSv1.1 server with ECDHE KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with ECDHE KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
 {
 .desc = "Default client and default server with DHE KEX",
 .server_ciphers = "DHE-RSA-AES128-SHA",
@@ -280,16 +262,6 @@ static const struct tls_test tls_tests[] = {
 .server_max_version = TLS1_2_VERSION,
 .server_ciphers = "DHE-RSA-AES128-SHA",
 },
- {
- .desc = "Default client and TLSv1.1 server with DHE KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with DHE KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
 {
 .desc = "Default client and default server with RSA KEX",
 .server_ciphers = "AES128-SHA",
@@ -299,73 +271,25 @@ static const struct tls_test tls_tests[] = {
 .server_max_version = TLS1_2_VERSION,
 .server_ciphers = "AES128-SHA",
 },
- {
- .desc = "Default client and TLSv1.1 server with RSA KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with RSA KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "AES128-SHA",
- },
 {
 .desc = "TLSv1.2 client and default server",
 .client_max_version = TLS1_2_VERSION,
 },
- {
- .desc = "TLSv1.1 client and default server",
- .client_max_version = TLS1_1_VERSION,
- },
- {
- .desc = "TLSv1.0 client and default server",
- .client_max_version = TLS1_VERSION,
- },
 {
 .desc = "TLSv1.2 client and default server with ECDHE KEX",
 .client_max_version = TLS1_2_VERSION,
 .client_ciphers = "ECDHE-RSA-AES128-SHA",
 },
- {
- .desc = "TLSv1.1 client and default server with ECDHE KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with ECDHE KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = "ECDHE-RSA-AES128-SHA",
- },
 {
 .desc = "TLSv1.2 client and default server with DHE KEX",
 .server_max_version = TLS1_2_VERSION,
 .client_ciphers = "DHE-RSA-AES128-SHA",
 },
- {
- .desc = "TLSv1.1 client and default server with DHE KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with DHE KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = "DHE-RSA-AES128-SHA",
- },
 {
 .desc = "TLSv1.2 client and default server with RSA KEX",
 .client_max_version = TLS1_2_VERSION,
 .client_ciphers = "AES128-SHA",
 },
- {
- .desc = "TLSv1.1 client and default server with RSA KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with RSA KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = 
"AES128-SHA",
- },
 };
 #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
diff --git a/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 2953320c1dc..aa7e384e1fc 100644
--- a/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler
 #
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
 tls12_exclude_legacy_protocols = [
 # all these have BIO_read timeouts against TLSv1.3
 "-e", "Protocol (3, 0)",
+ "-e", "Protocol (3, 1)",
+ "-e", "Protocol (3, 2)",
 "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
 # the following only fail with TLSv1.3
 "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
 "-e", "Protocol (3, 1) with x448 group",
 "-e", "Protocol (3, 2) with x448 group",
 "-e", "Protocol (3, 3) with x448 group",
+ # These don't work without TLSv1.0 and TLSv1.1
+ "-e", "Protocol (3, 1) with secp256r1 group",
+ "-e", "Protocol (3, 1) with secp384r1 group",
+ "-e", "Protocol (3, 1) with secp521r1 group",
+ "-e", "Protocol (3, 1) with x25519 group",
+ "-e", "Protocol (3, 2) with secp256r1 group",
+ "-e", "Protocol (3, 2) with secp384r1 group",
+ "-e", "Protocol (3, 2) with secp521r1 group",
+ "-e", "Protocol (3, 2) with x25519 group",
 ]
 tls12_tests = TestGroup("TLSv1.2 tests", [
 # Tests that pass as they are.
- Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 Test("test-aes-gcm-nonces.py"),
- Test("test-chacha20.py"),
 Test("test-connection-abort.py"),
 Test("test-conversation.py"),
 Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
 ]
 ),
 Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
- Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
+ Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
 Test(
 "test-downgrade-protection.py",
 tls12_args = ["--server-max-protocol", "TLSv1.2"],
- tls13_args = ["--server-max-protocol", "TLSv1.3"],
+ tls13_args = [
+ "--server-max-protocol", "TLSv1.3",
+ "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
+ "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
+ ]
+ ),
+ Test(
+ "test-fallback-scsv.py",
+ tls13_args = [
+ "--tls-1.3",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 0",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 1",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 2",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
+ "-e", "record TLSv1.1 hello TLSv1.1",
+ "-e", "sanity - TLSv1.1",
+ ]
 ),
- Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
 Test("test-invalid-compression-methods.py", [
 "-x", "invalid compression methods",
@@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
 Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
 Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+
+ Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
@@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
 # x448 tests need disabling plus x25519 corner cases need sorting out
 Test("test-x25519.py"),
+
+ # Needs TLS 1.0 or 1.1
+ Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 ])
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
diff --git a/regress/lib/libssl/unit/ssl_versions.c b/regress/lib/libssl/unit/ssl_versions.c
index 261bed3a7ad..ebfe8d2c284 100644
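Review bot: `Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),` is appended at the very end of tls12_tests after a new blank line, whereas the previous hunk on the line above removed it from its alphabetical slot right after `Test("test-aes-gcm-nonces.py"),`; putting it back in that slot with the exclusion argument, and dropping the blank line, keeps the group in the order the rest of it uses. The spacing inside the brackets also differs from the neighbouring entries (compare `["--sig-algs-drop-ok"]`). Since nothing about the test changed except the excluded case, there is no reason for it to move.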
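Review bot: `Test("test-TLSv1_2-rejected-without-TLSv1_2.py")` is filed under tls12_failing_tests with the comment `# Needs TLS 1.0 or 1.1`, but a test whose precondition is a protocol this commit removes on purpose is not a failure waiting to be fixed; the context line directly below, `tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [`, looks like the intended home. If it stays in the failing group, the comment should at least say why it cannot be made to pass, e.g. `# Requires negotiating TLSv1.0 or TLSv1.1, which libssl no longer supports`. The test groups continue outside the hunk.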
--- a/regress/lib/libssl/unit/ssl_versions.c
+++ b/regress/lib/libssl/unit/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 *
@@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_3_VERSION,
 },
 {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_2_VERSION,
 },
 {
 .options = SSL_OP_NO_TLSv1,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_2_VERSION,
 },
 {
 .options = SSL_OP_NO_TLSv1_3,
 .minver = TLS1_VERSION,
 .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_2_VERSION,
 },
 {
 .options = SSL_OP_NO_TLSv1_2,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
 },
 {
 .options = SSL_OP_NO_TLSv1_1,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
+ .want_maxver = TLS1_2_VERSION,
 },
 {
 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
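Review bot: Several version_range_tests entries now expect `.want_minver = 0,` `.want_maxver = 0,` for inputs such as `.options = SSL_OP_NO_TLSv1_2, .minver = TLS1_VERSION, .maxver = TLS1_2_VERSION`, with no word on why a configuration that used to yield a TLSv1.0–TLSv1.1 range is now empty. A one-line comment on the first such case, e.g. `/* TLSv1.2 is the only supported version in [minver, maxver]; disabling it leaves nothing. */`, would keep the table self-explanatory, and the same applies to the zeroed cases in the hunks at @@ -81 and @@ -168 on the next line and to the `.want_maxver = 0,` cases of shared_version_tests from @@ -276 onwards. Entries that still pass TLS1_VERSION or TLS1_1_VERSION bounds may now exercise the same code path as each other, though their remaining fields are outside the hunks so that is only a guess. Both arrays start and end outside the hunks.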
@@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = {
 .options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
 },
 {
 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
 },
 {
 .options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
@@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_2_VERSION,
 },
 {
 .options = 0,
 .minver = TLS1_1_VERSION,
 .maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_2_VERSION,
 },
 {
@@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_3_VERSION,
 },
 {
 .options = 0,
 .minver = TLS1_1_VERSION,
 .maxver = TLS1_3_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
 .want_maxver = TLS1_3_VERSION,
 },
 {
@@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_1_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
 },
 {
 .options = 0,
 .minver = TLS1_VERSION,
 .maxver = TLS1_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
 },
 };
@@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_1_VERSION,
 .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLS_method,
@@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_VERSION,
 .peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLSv1_method,
@@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = TLSv1_method,
@@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = DTLS_method,
@@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = DTLS1_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = DTLS_method,
@@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_1_VERSION,
 .maxver = TLS1_1_VERSION,
 .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
 },
 {
 .ssl_method = DTLSv1_2_method,
@@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = {
 .minver = TLS1_1_VERSION,
 .maxver = TLS1_2_VERSION,
 .peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
 },
 };
-- 
2.20.1
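Review bot: The hunks at @@ -412, @@ -436 and @@ -476 change every case with `.peerver = DTLS1_VERSION` or a DTLSv1-only range to `.want_maxver = 0,`, and testssl elsewhere in this commit drops `-dtls1` for `-dtls1_2`, so DTLSv1.0 is evidently no longer negotiable either, presumably because it shares the TLSv1.1 range that the ssl_versions.c change removes. Neither the commit title ("Disable TLS 1.0 and TLS 1.1 in libssl") nor these tests say so; a comment on the first zeroed DTLS case, e.g. `/* DTLSv1.0 maps onto the TLSv1.1 range and is no longer supported. */`, would record the intended consequence rather than leaving it to be rediscovered. The entries still constructed with `.ssl_method = TLSv1_method,` in the @@ -388 and @@ -404 hunks likewise now only document that a TLSv1.0-only method can never share a version, which is worth one comment too. shared_version_tests starts outside the hunks.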