File 1621-ssl-Remove-CBC-ciphers-from-TLS-1.2-default.patch of Package erlang
From 550041c9546e4a42091d322478a00abfe49a01b1 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Sat, 9 Mar 2024 08:39:44 +0100
Subject: [PATCH] ssl: Remove CBC ciphers from TLS-1.2 default
---
lib/ssl/src/ssl_cipher.erl | 24 +++--
lib/ssl/src/tls_v1.erl | 107 ++++++++++++++++-------
lib/ssl/test/ssl_api_SUITE.erl | 136 ++++++++++++++++++++++-------
lib/ssl/test/ssl_basic_SUITE.erl | 48 +++++++---
lib/ssl/test/ssl_reject_SUITE.erl | 7 +-
lib/ssl/test/ssl_session_SUITE.erl | 13 ++-
lib/ssl/test/tls_api_SUITE.erl | 16 +++-
7 files changed, 256 insertions(+), 95 deletions(-)
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index fc250c01ba..11d57ddc50 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -322,20 +322,26 @@ suites(Version) when ?TLS_1_X(Version) ->
tls_v1:suites(Version);
suites(Version) when ?DTLS_1_X(Version) ->
dtls_v1:suites(Version).
+
all_suites(?TLS_1_3 = Version) ->
- suites(Version) ++ tls_legacy_suites(?TLS_1_2);
-all_suites(Version) when ?TLS_1_X(Version) ->
- suites(Version) ++ tls_legacy_suites(Version);
+ suites(Version) ++ tls_legacy_suites(?TLS_1_2) ++ tls_v1:exclusive_suites(?TLS_1_0);
+all_suites(?TLS_1_2 = Version) ->
+ suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:exclusive_suites(?TLS_1_0);
+all_suites(?TLS_1_1 = Version) ->
+ suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:cbc_suites(Version);
+all_suites(?TLS_1_0 = Version) ->
+ suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:cbc_suites(Version);
all_suites(Version) ->
dtls_v1:all_suites(Version).
tls_legacy_suites(Version) ->
- Tests = [fun tls_v1:psk_suites/1,
- fun tls_v1:srp_suites/1,
- fun tls_v1:rsa_suites/1,
- fun tls_v1:des_suites/1,
- fun tls_v1:rc4_suites/1],
- lists:flatmap(fun (Fun) -> Fun(Version) end, Tests).
+ LegacySuites = [fun tls_v1:cbc_suites/1,
+ fun tls_v1:psk_suites/1,
+ fun tls_v1:srp_suites/1,
+ fun tls_v1:rsa_suites/1,
+ fun tls_v1:des_suites/1,
+ fun tls_v1:rc4_suites/1],
+ lists:flatmap(fun (Fun) -> Fun(Version) end, LegacySuites).
%%--------------------------------------------------------------------
-spec anonymous_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
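Review bot: In the `?TLS_1_0` clause of `all_suites/1`, `tls_v1:cbc_suites(Version)` is appended after `tls_legacy_suites(Version)`, but `tls_legacy_suites/1` now already starts with `fun tls_v1:cbc_suites/1`, so `?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` ends up in the result twice (for `?TLS_1_1` the extra term is `[]`, per `cbc_exclusive/1` in tls_v1.erl). Unless a caller outside this hunk de-duplicates, I would reduce both clauses to `suites(Version) ++ tls_legacy_suites(Version);`. The test suites in this patch pass the `all` list straight to the `ciphers` option, so position in this list can decide what gets negotiated. If putting CBC first among the legacy groups is deliberate, a one-line comment on `tls_legacy_suites/1` should say that the list order is a preference order.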
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 11ec33ad10..b770d1ef3e 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -40,6 +40,7 @@
suites/1,
exclusive_suites/1,
exclusive_anonymous_suites/1,
+ cbc_suites/1,
psk_suites/1,
psk_exclusive/1,
psk_suites_anon/1,
@@ -503,15 +504,51 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, Version,Length, Fragment) ->
-spec suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
suites(Version) when ?TLS_1_X(Version) ->
- lists:flatmap(fun exclusive_suites/1, suites_to_test(Version)).
+ lists:flatmap(fun default_suites/1, suites_in_version(Version)).
-suites_to_test(?TLS_1_0) -> [?TLS_1_0];
-suites_to_test(?TLS_1_1) -> [?TLS_1_0];
-suites_to_test(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0];
-suites_to_test(?TLS_1_3) -> [?TLS_1_3, ?TLS_1_2, ?TLS_1_0].
+suites_in_version(?TLS_1_0) -> [?TLS_1_0];
+suites_in_version(?TLS_1_1) -> [?TLS_1_0];
+suites_in_version(?TLS_1_2) -> [?TLS_1_2];
+suites_in_version(?TLS_1_3) -> [?TLS_1_3, ?TLS_1_2].
-spec exclusive_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
+default_suites(?TLS_1_3 = Version) ->
+ exclusive_suites(Version);
+default_suites(?TLS_1_2) ->
+ [?TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ ?TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+
+ ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+
+ ?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ ?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
+ ?TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ ?TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+
+ ?TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ ?TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+
+ ?TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+ ?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+
+ ?TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+ ?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+
+ ?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ ?TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+
+ ?TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ ?TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+
+ ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ ];
+default_suites(Version) when Version == ?TLS_1_1;
+ Version == ?TLS_1_0 ->
+ exclusive_suites(?TLS_1_0).
+
exclusive_suites(?TLS_1_3) ->
[?TLS_AES_256_GCM_SHA384,
?TLS_AES_128_GCM_SHA256,
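Review bot: The context line `-spec exclusive_suites(...)` now sits directly above the new `default_suites/1`, so it reads as that function's spec while `default_suites/1` has none. Move it back down to `exclusive_suites(?TLS_1_3) ->` and add `-spec default_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].`. As far as the later hunks show, the `?TLS_1_2` clause also repeats entry for entry what `exclusive_suites(?TLS_1_2)` contains once its CBC entries are removed. If the two are meant to stay identical, `default_suites(?TLS_1_2) -> exclusive_suites(?TLS_1_2);` avoids drift; if they are meant to diverge, a comment naming `default_suites/1` as the default-policy list would stop a suite added to one list from being enabled by default unintentionally. `exclusive_suites/1` continues past the end of this hunk.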
@@ -528,9 +565,6 @@ exclusive_suites(?TLS_1_2) ->
?TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
?TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
- ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-
?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -543,32 +577,16 @@ exclusive_suites(?TLS_1_2) ->
?TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
- ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
-
?TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-
- ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
- ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
-
?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
?TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
- ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
- ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-
?TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
?TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
- ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-
- ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
-
+ ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
%% not supported
%% ?TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
%% ?TLS_DH_DSS_WITH_AES_256_GCM_SHA384,
@@ -578,8 +596,7 @@ exclusive_suites(?TLS_1_2) ->
exclusive_suites(?TLS_1_1) ->
[];
exclusive_suites(?TLS_1_0) ->
- [
- ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ [?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
@@ -594,8 +611,7 @@ exclusive_suites(?TLS_1_0) ->
?TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
?TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- ].
+ ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA].
%%--------------------------------------------------------------------
-spec exclusive_anonymous_suites(ssl_record:ssl_version()) ->
@@ -633,6 +649,31 @@ exclusive_anonymous_suites(?TLS_1_0=Version) ->
?TLS_DH_anon_WITH_DES_CBC_SHA
] ++ srp_suites_anon(Version).
+
+cbc_suites(Version) when ?TLS_1_X(Version) ->
+ cbc_exclusive(Version).
+
+cbc_exclusive(?TLS_1_2) ->
+ [?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+ ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+ ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+ ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+ ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+ ];
+cbc_exclusive(?TLS_1_1) ->
+ %% Only have CBC SUITES
+ %% disabled even though they are legacy
+ [];
+cbc_exclusive(?TLS_1_0) ->
+ [?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA].
+
%%--------------------------------------------------------------------
-spec psk_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
%%
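Review bot: `cbc_suites/1` is newly exported but has no `-spec` or header comment, unlike `psk_suites/1` directly below it. Add `-spec cbc_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].` and a line saying it returns only the CBC suites taken out of the defaults for that version; for `?TLS_1_2` it does not include the SHA-1 CBC suites in `exclusive_suites(?TLS_1_0)`, which `ssl_cipher:all_suites/1` appends separately. The comment in the `?TLS_1_1` clause is hard to parse; if the intent is what `default_suites/1` shows, `%% TLS-1.1 has only CBC suites, so they stay in the defaults even though they are legacy` would be clearer. `cbc_exclusive/1` has no `?TLS_1_3` clause, so `cbc_suites(?TLS_1_3)` would fail with `function_clause` if `?TLS_1_X` admits TLS 1.3. The visible caller passes `?TLS_1_2` instead, and the doc comment should state that expectation.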
@@ -814,11 +855,11 @@ des_exclusive(_) ->
%% Are not considered secure any more.
%%--------------------------------------------------------------------
rsa_suites(Version) when ?TLS_1_X(Version) ->
- lists:flatmap(fun rsa_exclusive/1, rsa_suites_to_test(Version)).
+ lists:flatmap(fun rsa_exclusive/1, rsa_suites_in_version(Version)).
-rsa_suites_to_test(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0];
-rsa_suites_to_test(?TLS_1_1) -> [?TLS_1_0];
-rsa_suites_to_test(?TLS_1_0) -> [?TLS_1_0].
+rsa_suites_in_version(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0];
+rsa_suites_in_version(?TLS_1_1) -> [?TLS_1_0];
+rsa_suites_in_version(?TLS_1_0) -> [?TLS_1_0].
-spec rsa_exclusive(Version::ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
rsa_exclusive(?TLS_1_2) ->
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 20b017436c..af1b1ac35f 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -114,6 +114,10 @@
honor_server_cipher_order/1,
honor_client_cipher_order/0,
honor_client_cipher_order/1,
+ honor_server_cipher_order_tls12/0,
+ honor_server_cipher_order_tls12/1,
+ honor_client_cipher_order_tls12/0,
+ honor_client_cipher_order_tls12/1,
honor_client_cipher_order_tls13/0,
honor_client_cipher_order_tls13/1,
honor_server_cipher_order_tls13/0,
@@ -249,19 +253,18 @@ groups() ->
{'tlsv1.3', [], ((gen_api_tests() ++ tls13_group() ++
handshake_paus_tests()) --
[dh_params,
- honor_server_cipher_order,
- honor_client_cipher_order,
new_options_in_handshake,
handshake_continue_tls13_client,
invalid_options])
++ (since_1_2() -- [conf_signature_algs])},
- {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()},
- {'tlsv1.1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3()},
- {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ beast_mitigation_test()},
+ {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3() ++ [honor_client_cipher_order_tls12,
+ honor_server_cipher_order_tls12]},
+ {'tlsv1.1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ pre_1_2()},
+ {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ pre_1_2() ++ beast_mitigation_test()},
{'dtlsv1.2', [], gen_api_tests() -- [new_options_in_handshake, hibernate_server] ++
handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()},
{'dtlsv1', [], gen_api_tests() -- [new_options_in_handshake, hibernate_server] ++
- handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()}
+ handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3() ++ pre_1_2()}
].
since_1_2() ->
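Review bot: After this change the `'dtlsv1.2'` group appears to run no cipher-order test at all. `honor_server_cipher_order` and `honor_client_cipher_order` leave `gen_api_tests()` in a later hunk, `pre_1_2()` is added only to `'tlsv1.1'`, `'tlsv1'` and `'dtlsv1'`, and the new `*_tls12` cases go only into `'tlsv1.2'`. If the GCM-based `honor_*_cipher_order_tls12` cases work over DTLS 1.2, appending them to that group keeps `honor_cipher_order` covered there. That later hunk also removes `abuse_transport_accept_socket` from `gen_api_tests()`, which is unrelated to the commit subject. Unless the case is listed in a group outside these hunks, it stops running, so it should be restored or the removal explained in the commit message. The `groups/0` list starts before this hunk.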
@@ -277,6 +280,10 @@ pre_1_3() ->
connection_information_with_srp
].
+pre_1_2() ->
+ [honor_server_cipher_order,
+ honor_client_cipher_order].
+
simple_api_tests() ->
[
invalid_keyfile,
@@ -289,7 +296,6 @@ simple_api_tests() ->
format_error
].
-
gen_api_tests() ->
[
peercert,
@@ -320,9 +326,6 @@ gen_api_tests() ->
close_in_error_state,
call_in_error_state,
close_transport_accept,
- abuse_transport_accept_socket,
- honor_server_cipher_order,
- honor_client_cipher_order,
ipv6,
der_input,
max_handshake_size,
@@ -756,13 +759,18 @@ dh_params(Config) when is_list(Config) ->
ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
DataDir = proplists:get_value(data_dir, Config),
DHParamFile = filename:join(DataDir, "dHParam.pem"),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.2'),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_anon) -> false;
+ (srp_dss) -> false;
+ (_) -> true end}]),
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
{mfa, {ssl_test_lib, send_recv_result_active, []}},
- {options, [{dhfile, DHParamFile} | ServerOpts]}]),
+ {options, [{dhfile, DHParamFile}, {ciphers, Ciphers} | ServerOpts]}]),
Port = ssl_test_lib:inet_port(Server),
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
{host, Hostname},
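Review bot: The SRP-excluding `ssl:filter_cipher_suites(ssl:cipher_suites(all, ...), ...)` expression added here is pasted, with small variations, into `versions_option_based_on_sni`, `cipher_suites_mix`, `accept_sslv3_record_hello`, `reuse_session_expired`, `tls_upgrade_new_opts_with_sni_fun` and `tls_dont_crash_on_handshake_garbage`. One new helper in `ssl_test_lib` that takes the version would keep the copies consistent. This copy hard-codes `'tlsv1.2'` although `dh_params` appears to still run in the older TLS and DTLS groups, and it is the only copy that also filters `srp_anon`. Passing the `all` list re-enables the legacy suites inside these tests, so they no longer show that the handshake succeeds with the new defaults. A short comment in each test saying why it needs more than the default list would make that trade-off explicit.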
@@ -1117,12 +1125,17 @@ versions_option_based_on_sni(Config) when is_list(Config) ->
TestVersion = ssl_test_lib:protocol_version(Config),
{Version, Versions} = test_versions_for_option_based_on_sni(TestVersion),
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, TestVersion),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
SNI = net_adm:localhost(),
Fun = fun(ServerName) ->
case ServerName of
SNI ->
- [{versions, [Version]} | ServerOpts];
+ [{versions, [Version]}, {ciphers, Ciphers} | ServerOpts];
_ ->
ServerOpts
end
@@ -1138,7 +1151,9 @@ versions_option_based_on_sni(Config) when is_list(Config) ->
{host, Hostname},
{from, self()},
{mfa, {ssl_test_lib, no_result, []}},
- {options, [{server_name_indication, SNI}, {versions, Versions} | ClientOpts]}]),
+ {options, [{server_name_indication, SNI}, {versions, Versions},
+ {ciphers, Ciphers}
+ | ClientOpts]}]),
ssl_test_lib:check_result(Server, ok),
ssl_test_lib:close(Server),
@@ -1814,24 +1829,77 @@ invalid_keyfile(Config) when is_list(Config) ->
{error,{options, {keyfile, File, {error,enoent}}}}, Client,
{error, closed}).
+%%--------------------------------------------------------------------
+honor_server_cipher_order_tls12() ->
+ [{doc,"Test API honor server cipher order."}].
+honor_server_cipher_order_tls12(Config) when is_list(Config) ->
+ ClientCiphers = [#{key_exchange => ecdhe_rsa,
+ cipher => aes_128_gcm,
+ mac => aead,
+ prf => sha256},
+ #{key_exchange => ecdhe_rsa,
+ cipher => aes_256_gcm,
+ mac => aead,
+ prf => sha384}],
+ ServerCiphers = [#{key_exchange => ecdhe_rsa,
+ cipher => aes_256_gcm,
+ mac => aead,
+ prf => sha384},
+ #{key_exchange => ecdhe_rsa,
+ cipher => aes_128_gcm,
+ mac => aead,
+ prf => sha256}],
+ honor_cipher_order(Config, true, ServerCiphers,
+ ClientCiphers, #{key_exchange => ecdhe_rsa,
+ cipher => aes_256_gcm,
+ mac => aead,
+ prf => sha384}).
+
+%%--------------------------------------------------------------------
+
+honor_client_cipher_order_tls12() ->
+ [{doc,"Test API honor server cipher order."}].
+honor_client_cipher_order_tls12(Config) when is_list(Config) ->
+ ClientCiphers = [#{key_exchange => ecdhe_rsa,
+ cipher => aes_128_gcm,
+ mac => aead,
+ prf => sha256},
+ #{key_exchange => ecdhe_rsa,
+ cipher => aes_256_gcm,
+ mac => aead,
+ prf => sha384}],
+ ServerCiphers = [#{key_exchange => ecdhe_rsa,
+ cipher => aes_256_gcm,
+ mac => aead,
+ prf => sha384},
+ #{key_exchange => ecdhe_rsa,
+ cipher => aes_128_gcm,
+ mac => aead,
+ prf => sha256}],
+ honor_cipher_order(Config, false, ServerCiphers,
+ ClientCiphers, #{key_exchange => ecdhe_rsa,
+ cipher => aes_128_gcm,
+ mac => aead,
+ prf => sha256}).
+
%%--------------------------------------------------------------------
honor_server_cipher_order() ->
[{doc,"Test API honor server cipher order."}].
honor_server_cipher_order(Config) when is_list(Config) ->
- ClientCiphers = [#{key_exchange => dhe_rsa,
- cipher => aes_128_cbc,
+ ClientCiphers = [#{key_exchange => dhe_rsa,
+ cipher => aes_128_cbc,
mac => sha,
- prf => default_prf},
- #{key_exchange => dhe_rsa,
- cipher => aes_256_cbc,
+ prf => default_prf},
+ #{key_exchange => dhe_rsa,
+ cipher => aes_256_cbc,
mac => sha,
prf => default_prf}],
- ServerCiphers = [#{key_exchange => dhe_rsa,
- cipher => aes_256_cbc,
- mac =>sha,
+ ServerCiphers = [#{key_exchange => dhe_rsa,
+ cipher => aes_256_cbc,
+ mac => sha,
prf => default_prf},
- #{key_exchange => dhe_rsa,
- cipher => aes_128_cbc,
+ #{key_exchange => dhe_rsa,
+ cipher => aes_128_cbc,
mac => sha,
prf => default_prf}],
honor_cipher_order(Config, true, ServerCiphers,
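Review bot: `honor_client_cipher_order_tls12/0` carries the doc string `"Test API honor server cipher order."`, copied from the server variant; it should read `[{doc,"Test API honor client cipher order."}]`. The pre-existing `honor_client_cipher_order/0` has the same slip. The two new cases also repeat identical `ClientCiphers` and `ServerCiphers` lists and differ only in the boolean and the expected suite, so a shared local function returning the two lists would make that difference obvious. `honor_server_cipher_order/1` continues past the end of this hunk.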
@@ -1841,23 +1909,24 @@ honor_server_cipher_order(Config) when is_list(Config) ->
prf => default_prf}).
%%--------------------------------------------------------------------
+
honor_client_cipher_order() ->
[{doc,"Test API honor server cipher order."}].
honor_client_cipher_order(Config) when is_list(Config) ->
- ClientCiphers = [#{key_exchange => dhe_rsa,
- cipher => aes_128_cbc,
+ ClientCiphers = [#{key_exchange => dhe_rsa,
+ cipher => aes_128_cbc,
mac => sha,
- prf => default_prf},
- #{key_exchange => dhe_rsa,
- cipher => aes_256_cbc,
+ prf => default_prf},
+ #{key_exchange => dhe_rsa,
+ cipher => aes_256_cbc,
mac => sha,
prf => default_prf}],
- ServerCiphers = [#{key_exchange => dhe_rsa,
- cipher => aes_256_cbc,
- mac =>sha,
+ ServerCiphers = [#{key_exchange => dhe_rsa,
+ cipher => aes_256_cbc,
+ mac => sha,
prf => default_prf},
- #{key_exchange => dhe_rsa,
- cipher => aes_128_cbc,
+ #{key_exchange => dhe_rsa,
+ cipher => aes_128_cbc,
mac => sha,
prf => default_prf}],
honor_cipher_order(Config, false, ServerCiphers,
@@ -1866,6 +1935,7 @@ honor_client_cipher_order(Config) when is_list(Config) ->
mac => sha,
prf => default_prf}).
+
%%--------------------------------------------------------------------
ipv6() ->
[{require, ipv6_hosts},
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index d83427122c..98dc4dff00 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -313,12 +313,18 @@ cipher_suites_mix(Config) when is_list(Config) ->
ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),
+ ServerCipherSuites = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.3'),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
+
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
{mfa, {ssl_test_lib, send_recv_result_active, []}},
- {options, ServerOpts}]),
+ {options, [{ciphers, ServerCipherSuites} | ServerOpts]}]),
Port = ssl_test_lib:inet_port(Server),
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
{host, Hostname},
@@ -997,10 +1003,14 @@ anon_chipher_suite_checks(Version) ->
[_|_] = ssl:cipher_suites(exclusive_anonymous, Version).
chipher_suite_checks(Version) ->
- MandatoryCipherSuiteTLS1_0TLS1_1 = #{key_exchange => rsa,
- cipher => '3des_ede_cbc',
- mac => sha,
- prf => default_prf},
+ MandatoryCipherSuiteTLS1_0 = #{key_exchange => dhe_dss,
+ cipher => '3des_ede_cbc',
+ mac => sha,
+ prf => default_prf},
+ MandatoryCipherSuiteTLS1_1 = #{key_exchange => rsa,
+ cipher => '3des_ede_cbc',
+ mac => sha,
+ prf => default_prf},
MandatoryCipherSuiteTLS1_0TLS1_2 = #{key_exchange =>rsa,
cipher => 'aes_128_cbc',
mac => sha,
@@ -1009,6 +1019,7 @@ chipher_suite_checks(Version) ->
Default = [_|_] = ssl:cipher_suites(default, Version),
Anonymous = ssl:cipher_suites(anonymous, Version),
true = length(Default) < length(All),
+
Filters = [{key_exchange,
fun(dhe_rsa) ->
true;
@@ -1024,6 +1035,7 @@ chipher_suite_checks(Version) ->
end
},
{mac,
+
fun(sha) ->
true;
(_) ->
@@ -1037,20 +1049,30 @@ chipher_suite_checks(Version) ->
prf => default_prf},
[Cipher] = ssl:filter_cipher_suites(All, Filters),
[Cipher | Rest0] = ssl:prepend_cipher_suites([Cipher], Default),
- [Cipher | Rest0] = ssl:prepend_cipher_suites(Filters, Default),
- true = lists:member(Cipher, Default),
- false = lists:member(Cipher, Rest0),
+ case (Version == 'tlsv1') orelse (Version == 'tlsv1.1') orelse (Version == 'dtlsv1') of
+ true ->
+ true = lists:member(Cipher, Default),
+ [Cipher | Rest0] = ssl:prepend_cipher_suites(Filters, Default),
+ false = lists:member(Cipher, Rest0);
+ false ->
+ false = lists:member(Cipher, Default)
+ end,
[Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites([Cipher], Default)),
- [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)),
- true = lists:member(Cipher, Default),
- false = lists:member(Cipher, Rest1),
+ case (Version == 'tlsv1') orelse (Version == 'tlsv1.1') orelse (Version == 'dtlsv1') of
+ true ->
+ true = lists:member(Cipher, Default),
+ [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)),
+ false = lists:member(Cipher, Rest1);
+ false ->
+ false = lists:member(Cipher, Default)
+ end,
[] = lists:dropwhile(fun(X) -> not lists:member(X, Default) end, Anonymous),
[] = lists:dropwhile(fun(X) -> not lists:member(X, All) end, Anonymous),
case Version of
tlsv1 ->
- true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_1, All);
+ true = lists:member(MandatoryCipherSuiteTLS1_0, All);
'tlsv1.1' ->
- true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_1, All),
+ true = lists:member(MandatoryCipherSuiteTLS1_1, All),
true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_2, All);
'tlsv1.2' ->
ok;
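Review bot: In the `false` branches the test asserts only that the single filtered `Cipher` is absent from `Default`, which would still pass if some other CBC suite slipped back into the TLS 1.2+ defaults. A check over the whole list pins the intent of the commit, e.g. `[] = ssl:filter_cipher_suites(Default, [{cipher, fun(C) -> lists:member(C, [aes_128_cbc, aes_256_cbc, '3des_ede_cbc']) end}])` in that branch, assuming the `'dtlsv1.2'` defaults are meant to follow the same policy. The version test `(Version == 'tlsv1') orelse ...` is written out twice; binding it to a variable once keeps the prepend and append cases in step. `chipher_suite_checks/1` starts before this hunk and continues after it.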
diff --git a/lib/ssl/test/ssl_reject_SUITE.erl b/lib/ssl/test/ssl_reject_SUITE.erl
index be79e0543b..a18b232f9b 100644
--- a/lib/ssl/test/ssl_reject_SUITE.erl
+++ b/lib/ssl/test/ssl_reject_SUITE.erl
@@ -185,11 +185,16 @@ accept_sslv3_record_hello(Config) when is_list(Config) ->
Allversions = all_versions(),
AllSigAlgs = ssl:signature_algs(all, 'tlsv1.3'),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.3'),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{versions, Allversions},
- {signature_algs, AllSigAlgs} | ServerOpts]}]),
+ {signature_algs, AllSigAlgs}, {ciphers, Ciphers} | ServerOpts]}]),
Port = ssl_test_lib:inet_port(Server),
%% TLS-1.X Hello with SSL-3.0 record version
diff --git a/lib/ssl/test/ssl_session_SUITE.erl b/lib/ssl/test/ssl_session_SUITE.erl
index 0901539b9c..4041213b3b 100644
--- a/lib/ssl/test/ssl_session_SUITE.erl
+++ b/lib/ssl/test/ssl_session_SUITE.erl
@@ -186,8 +186,14 @@ reuse_session_expired() ->
reuse_session_expired(Config) when is_list(Config) ->
ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),
+ TestVersion = ssl_test_lib:protocol_version(Config),
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, TestVersion),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
+
Server0 =
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
@@ -199,13 +205,14 @@ reuse_session_expired(Config) when is_list(Config) ->
Client0 = ssl_test_lib:start_client([{node, ClientNode},
{port, Port0}, {host, Hostname},
{mfa, {ssl_test_lib, session_id, []}},
- {from, self()}, {options, [{reuse_sessions, save} | ClientOpts]}]),
+ {from, self()}, {options, [{reuse_sessions, save},
+ {ciphers, Ciphers}| ClientOpts]}]),
Server0 ! listen,
Client1 = ssl_test_lib:start_client([{node, ClientNode},
{port, Port0}, {host, Hostname},
{mfa, {ssl_test_lib, session_id, []}},
- {from, self()}, {options, ClientOpts}]),
+ {from, self()}, {options, [{ciphers, Ciphers} | ClientOpts]}]),
SID = receive
{Client0, Id0} ->
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
index 11756bf2f7..4c7228a499 100644
--- a/lib/ssl/test/tls_api_SUITE.erl
+++ b/lib/ssl/test/tls_api_SUITE.erl
@@ -305,7 +305,11 @@ tls_upgrade_new_opts_with_sni_fun(Config) when is_list(Config) ->
TcpOpts = [binary, {reuseaddr, true}],
Version = ssl_test_lib:protocol_version(Config),
NewVersions = new_versions(Version),
- Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), []),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
NewOpts = [{versions, NewVersions},
{ciphers, Ciphers},
@@ -729,11 +733,17 @@ tls_dont_crash_on_handshake_garbage(Config) ->
ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
Version = ssl_test_lib:protocol_version(Config),
{_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version),
+ [{key_exchange, fun(srp_rsa) -> false;
+ (srp_dss) -> false;
+ (_) -> true
+ end}]),
+
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
{mfa, ssl_test_lib, no_result},
- {options, [{versions, [Version]} | ServerOpts]}]),
+ {options, [{versions, [Version]}, {ciphers, Ciphers} | ServerOpts]}]),
Port = ssl_test_lib:inet_port(Server),
{ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]),
@@ -752,7 +762,7 @@ tls_dont_crash_on_handshake_garbage(Config) ->
case Version of
'tlsv1.3' ->
ssl_test_lib:check_server_alert(Server, protocol_version);
- _ ->
+ _ ->
ssl_test_lib:check_server_alert(Server, handshake_failure)
end.
--
2.35.3