Paul Bakker
539d972a25
Add missing guards for gnuTLS
2015-02-08 16:18:35 +01:00
Manuel Pégourié-Gonnard
dc370e4969
Improve script portability
2015-01-22 10:24:59 +00:00
Manuel Pégourié-Gonnard
51d81661dc
Adapt tests to new defaults/errors.
2015-01-14 17:20:46 +01:00
Paul Bakker
5b8f7eaa3e
Merge new security defaults for programs (RC4 disabled, SSL3 disabled)
2015-01-14 16:26:54 +01:00
Paul Bakker
c82b7e2003
Merge option to disable truncated hmac on the server-side
2015-01-14 16:16:55 +01:00
Paul Bakker
e522d0fa57
Merge smarter certificate selection for pre-TLS-1.2 clients
2015-01-14 16:12:48 +01:00
Manuel Pégourié-Gonnard
9835bc077a
Fix racy test.
...
With exchanges == renego period, sometimes the connection will be closed by
the client before the server had time to read the ClientHello, making the test
fail. The extra exchange avoids that.
2015-01-14 14:41:58 +01:00
Manuel Pégourié-Gonnard
a852cf4833
Fix issue with non-blocking I/O & record splitting
2015-01-13 20:56:15 +01:00
Paul Bakker
f3561154ff
Merge support for 1/n-1 record splitting
2015-01-13 16:31:34 +01:00
Paul Bakker
f6080b8557
Merge support for enabling / disabling renegotiation support at compile-time
2015-01-13 16:18:23 +01:00
Paul Bakker
d9e2dd2bb0
Merge support for Encrypt-then-MAC
2015-01-13 14:23:56 +01:00
Manuel Pégourié-Gonnard
bd47a58221
Add ssl_set_arc4_support()
...
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Paul Bakker
54b1a8fa4d
Merge support for Extended Master Secret (session-hash)
2015-01-12 14:14:07 +01:00
Paul Bakker
b52b015c0b
Merge support for FALLBACK_SCSV
2015-01-12 14:07:59 +01:00
Manuel Pégourié-Gonnard
448ea506bf
Set min version to TLS 1.0 in programs
2015-01-12 12:32:04 +01:00
Manuel Pégourié-Gonnard
e117a8fc0d
Make truncated hmac a runtime option server-side
...
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
2015-01-09 12:52:20 +01:00
Manuel Pégourié-Gonnard
f01768c55e
Specific error for suites in common but none good
2015-01-08 17:06:16 +01:00
Manuel Pégourié-Gonnard
df331a55d2
Prefer SHA-1 certificates for pre-1.2 clients
2015-01-08 16:43:07 +01:00
Manuel Pégourié-Gonnard
3ff78239fe
Add tests for CBC record splitting
2015-01-08 11:15:09 +01:00
Manuel Pégourié-Gonnard
c82ee3555f
Fix tests that were failing with record splitting
2015-01-07 16:39:10 +01:00
Manuel Pégourié-Gonnard
f46f128f4a
Fix test scripts portability issues
2014-12-11 17:26:09 +01:00
Manuel Pégourié-Gonnard
590f416142
Add tests for periodic renegotiation
2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
85d915b81d
Add tests for renego security enforcement
2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
b575b54cb9
Forbid extended master secret with SSLv3
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
169dd6a514
Adjust minimum length for EtM
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
78e745fc0a
Don't send back EtM extension if not using CBC
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
0098e7dc70
Preparation for EtM
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
699cafaea2
Implement initial negotiation of EtM
...
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
01b2699198
Implement FALLBACK_SCSV server-side
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
1cbd39dbeb
Implement FALLBACK_SCSV client-side
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
367381fddd
Add negotiation of Extended Master Secret
...
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
7fa67728ad
Scripts print more info on failure within buildbot
2014-08-31 17:42:53 +02:00
Manuel Pégourié-Gonnard
c2b0092a1b
Fix leaving around temporary file in ssl-opt.sh
2014-08-31 17:17:36 +02:00
Manuel Pégourié-Gonnard
72e51ee7be
Use arithmetic expansion in scripts, avoid bashisms
2014-08-31 10:22:11 +02:00
Manuel Pégourié-Gonnard
c0f6a692fb
Add client timeout to ssl-opt.sh and compat.sh
2014-08-30 22:59:55 +02:00
Manuel Pégourié-Gonnard
a4afadfccd
Fix bug in OpenSSL v2 support testing
2014-08-30 22:09:36 +02:00
Manuel Pégourié-Gonnard
644e8f377d
Adapt debug_level in ssl-opt.sh to new levels
...
The meaning of debug_level was shift by one during the last debug overhaul.
(The new one is more rational, previously debug_level=1 didn't do anything.)
2014-08-30 21:59:31 +02:00
Manuel Pégourié-Gonnard
8e03c71b23
Normalize names in ssl-opt.sh
...
No numbering: does not add value, and painful to maintain, esp. with branches
2014-08-30 21:42:40 +02:00
Manuel Pégourié-Gonnard
51362961b8
Add interop testing of renegotiation
2014-08-30 21:22:47 +02:00
Manuel Pégourié-Gonnard
f2629b965e
Rm now useless tricks from ssl-opt.sh
2014-08-30 14:20:14 +02:00
Manuel Pégourié-Gonnard
480905d563
Fix selection of hash from sig_alg ClientHello ext.
2014-08-30 14:19:59 +02:00
Manuel Pégourié-Gonnard
baa7f07809
Add GnuTLS support to ssl-opt.sh
2014-08-20 20:15:53 +02:00
Manuel Pégourié-Gonnard
f07f421759
Fix server-initiated renego with non-blocking I/O
2014-08-19 13:32:15 +02:00
Manuel Pégourié-Gonnard
a8c0a0dbd0
Add "exchanges" option to test server and client
...
Goal is to test renegotiation better: we need more than one exchange for
server-initiated renego to work reliably (the previous hack for this wouldn't
work with non-blocking I/O and probably not with DTLS either).
Also check message termination in a semi-realistic way.
2014-08-19 13:26:05 +02:00
Manuel Pégourié-Gonnard
6591962f06
Allow delay on renego on client
...
Currently unbounded: will be fixed later
2014-08-19 12:50:30 +02:00
Manuel Pégourié-Gonnard
74b11702d7
Simplify terminating ssl_server2 in test scripts
2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
6f4fbbb3e1
Add a "skip" feature in ssl-opt.sh
2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
e73b26391d
Add config-full to all.sh
2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard
fae355e8ee
Add tests for ssl_set_renegotiation_enforced()
2014-07-04 14:32:27 +02:00
Manuel Pégourié-Gonnard
a9964dbcd5
Add ssl_set_renegotiation_enforced()
2014-07-04 14:16:07 +02:00