File 1621-ssl-Remove-CBC-ciphers-from-TLS-1.2-default.patch of Package erlang
From 550041c9546e4a42091d322478a00abfe49a01b1 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Sat, 9 Mar 2024 08:39:44 +0100
Subject: [PATCH] ssl: Remove CBC ciphers from TLS-1.2 default
---
 lib/ssl/src/ssl_cipher.erl | 24 +++--
 lib/ssl/src/tls_v1.erl | 107 ++++++++++++++++-------
 lib/ssl/test/ssl_api_SUITE.erl | 136 ++++++++++++++++++++++-------
 lib/ssl/test/ssl_basic_SUITE.erl | 48 +++++++---
 lib/ssl/test/ssl_reject_SUITE.erl | 7 +-
 lib/ssl/test/ssl_session_SUITE.erl | 13 ++-
 lib/ssl/test/tls_api_SUITE.erl | 16 +++-
 7 files changed, 256 insertions(+), 95 deletions(-)
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index fc250c01ba..11d57ddc50 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -322,20 +322,26 @@ suites(Version) when ?TLS_1_X(Version) -> tls_v1:suites(Version); suites(Version) when ?DTLS_1_X(Version) -> dtls_v1:suites(Version). + all_suites(?TLS_1_3 = Version) -> - suites(Version) ++ tls_legacy_suites(?TLS_1_2); -all_suites(Version) when ?TLS_1_X(Version) -> - suites(Version) ++ tls_legacy_suites(Version); + suites(Version) ++ tls_legacy_suites(?TLS_1_2) ++ tls_v1:exclusive_suites(?TLS_1_0); +all_suites(?TLS_1_2 = Version) -> + suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:exclusive_suites(?TLS_1_0); +all_suites(?TLS_1_1 = Version) -> + suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:cbc_suites(Version); +all_suites(?TLS_1_0 = Version) -> + suites(Version) ++ tls_legacy_suites(Version) ++ tls_v1:cbc_suites(Version); all_suites(Version) -> dtls_v1:all_suites(Version). tls_legacy_suites(Version) -> - Tests = [fun tls_v1:psk_suites/1, - fun tls_v1:srp_suites/1, - fun tls_v1:rsa_suites/1, - fun tls_v1:des_suites/1, - fun tls_v1:rc4_suites/1], - lists:flatmap(fun (Fun) -> Fun(Version) end, Tests). + LegacySuites = [fun tls_v1:cbc_suites/1, + fun tls_v1:psk_suites/1, + fun tls_v1:srp_suites/1, + fun tls_v1:rsa_suites/1, + fun tls_v1:des_suites/1, + fun tls_v1:rc4_suites/1], + lists:flatmap(fun (Fun) -> Fun(Version) end, LegacySuites). %%-------------------------------------------------------------------- -spec anonymous_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()]. diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 11ec33ad10..b770d1ef3e 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -40,6 +40,7 @@ suites/1, exclusive_suites/1, exclusive_anonymous_suites/1, + cbc_suites/1, psk_suites/1, psk_exclusive/1, psk_suites_anon/1, 
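Review bot: In the new `all_suites(?TLS_1_0 = Version)` clause the CBC list is added twice: `tls_legacy_suites/1` now starts with `fun tls_v1:cbc_suites/1`, and the clause then appends `tls_v1:cbc_suites(Version)` again, so `?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` from `cbc_exclusive(?TLS_1_0)` is listed twice unless a caller de-duplicates (not visible here). The `?TLS_1_1` clause has the same redundant append, which is harmless only because `cbc_exclusive(?TLS_1_1)` is `[]`. Both bodies are identical, so a single clause placed before the DTLS catch-all would do: `all_suites(Version) when Version == ?TLS_1_1; Version == ?TLS_1_0 -> suites(Version) ++ tls_legacy_suites(Version);`.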
@@ -503,15 +504,51 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, Version,Length, Fragment) -> -spec suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()]. suites(Version) when ?TLS_1_X(Version) -> - lists:flatmap(fun exclusive_suites/1, suites_to_test(Version)). + lists:flatmap(fun default_suites/1, suites_in_version(Version)). -suites_to_test(?TLS_1_0) -> [?TLS_1_0]; -suites_to_test(?TLS_1_1) -> [?TLS_1_0]; -suites_to_test(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0]; -suites_to_test(?TLS_1_3) -> [?TLS_1_3, ?TLS_1_2, ?TLS_1_0]. +suites_in_version(?TLS_1_0) -> [?TLS_1_0]; +suites_in_version(?TLS_1_1) -> [?TLS_1_0]; +suites_in_version(?TLS_1_2) -> [?TLS_1_2]; +suites_in_version(?TLS_1_3) -> [?TLS_1_3, ?TLS_1_2]. -spec exclusive_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()]. +default_suites(?TLS_1_3 = Version) -> + exclusive_suites(Version); +default_suites(?TLS_1_2) -> + [?TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + ?TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + + ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + + ?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + ?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + + ?TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + ?TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + + ?TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + ?TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + + ?TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, + ?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, + + ?TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + ?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, + + ?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + ?TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + + ?TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + ?TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + + ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ]; +default_suites(Version) when Version == ?TLS_1_1; + Version == ?TLS_1_0 -> + exclusive_suites(?TLS_1_0). + exclusive_suites(?TLS_1_3) -> [?TLS_AES_256_GCM_SHA384, ?TLS_AES_128_GCM_SHA256, 
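Review bot: `default_suites/1` is inserted between the existing `-spec exclusive_suites(...)` line and the `exclusive_suites/1` clauses, so that spec is now separated from the function it describes, and the new function has neither a spec nor a header comment. Move the new clauses above the spec and add `-spec default_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].` with a comment saying that this is the list `suites/1` returns and that the TLS-1.2 CBC suites are now reachable only through `cbc_suites/1`. As far as the later hunks show, `exclusive_suites(?TLS_1_2)` ends up with the same AEAD entries as `default_suites(?TLS_1_2)`; if that is intended, `default_suites(?TLS_1_2) -> exclusive_suites(?TLS_1_2);` would keep the two lists from drifting apart.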
@@ -528,9 +565,6 @@ exclusive_suites(?TLS_1_2) -> ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM, ?TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, - ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, - ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, - ?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, ?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, @@ -543,32 +577,16 @@ exclusive_suites(?TLS_1_2) -> ?TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, ?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, - ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, - ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, - ?TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, ?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, - ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - - ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, - ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, - ?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ?TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, - ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, - ?TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ?TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, - ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - - ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - + ?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 %% not supported %% ?TLS_DH_RSA_WITH_AES_256_GCM_SHA384, %% ?TLS_DH_DSS_WITH_AES_256_GCM_SHA384, @@ -578,8 +596,7 @@ exclusive_suites(?TLS_1_2) -> exclusive_suites(?TLS_1_1) -> []; exclusive_suites(?TLS_1_0) -> - [ - ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + [?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, @@ -594,8 +611,7 @@ exclusive_suites(?TLS_1_0) -> ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA, ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA, ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA, - ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ]. + ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA]. %%-------------------------------------------------------------------- -spec exclusive_anonymous_suites(ssl_record:ssl_version()) -> 
@@ -633,6 +649,31 @@ exclusive_anonymous_suites(?TLS_1_0=Version) -> ?TLS_DH_anon_WITH_DES_CBC_SHA ] ++ srp_suites_anon(Version). + +cbc_suites(Version) when ?TLS_1_X(Version) -> + cbc_exclusive(Version). + +cbc_exclusive(?TLS_1_2) -> + [?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, + ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, + ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, + ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, + ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 + ]; +cbc_exclusive(?TLS_1_1) -> + %% Only have CBC SUITES + %% disabled even though they are legacy + []; +cbc_exclusive(?TLS_1_0) -> + [?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA]. + %%-------------------------------------------------------------------- -spec psk_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()]. %% @@ -814,11 +855,11 @@ des_exclusive(_) -> %% Are not considered secure any more. %%-------------------------------------------------------------------- rsa_suites(Version) when ?TLS_1_X(Version) -> - lists:flatmap(fun rsa_exclusive/1, rsa_suites_to_test(Version)). + lists:flatmap(fun rsa_exclusive/1, rsa_suites_in_version(Version)). -rsa_suites_to_test(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0]; -rsa_suites_to_test(?TLS_1_1) -> [?TLS_1_0]; -rsa_suites_to_test(?TLS_1_0) -> [?TLS_1_0]. +rsa_suites_in_version(?TLS_1_2) -> [?TLS_1_2, ?TLS_1_0]; +rsa_suites_in_version(?TLS_1_1) -> [?TLS_1_0]; +rsa_suites_in_version(?TLS_1_0) -> [?TLS_1_0]. -spec rsa_exclusive(Version::ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()]. rsa_exclusive(?TLS_1_2) -> diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 20b017436c..af1b1ac35f 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl 
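Review bot: `cbc_suites/1` is exported but has no `-spec` or description block, unlike `psk_suites/1` directly below it; add `-spec cbc_suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].`. The comment in `cbc_exclusive(?TLS_1_1)` ("Only have CBC SUITES disabled even though they are legacy") is hard to parse, and it needs a line explaining why `cbc_exclusive(?TLS_1_0)` returns only the 3DES suite while the AES-CBC suites stay in `exclusive_suites(?TLS_1_0)`. The guard `?TLS_1_X(Version)` appears to admit `?TLS_1_3` (it does for `suites/1`), but `cbc_exclusive/1` has no clause for it, so a direct call with that version would fail with `function_clause`; the caller visible in this patch passes `?TLS_1_2` instead.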
+++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -114,6 +114,10 @@ honor_server_cipher_order/1, honor_client_cipher_order/0, honor_client_cipher_order/1, + honor_server_cipher_order_tls12/0, + honor_server_cipher_order_tls12/1, + honor_client_cipher_order_tls12/0, + honor_client_cipher_order_tls12/1, honor_client_cipher_order_tls13/0, honor_client_cipher_order_tls13/1, honor_server_cipher_order_tls13/0, @@ -249,19 +253,18 @@ groups() -> {'tlsv1.3', [], ((gen_api_tests() ++ tls13_group() ++ handshake_paus_tests()) -- [dh_params, - honor_server_cipher_order, - honor_client_cipher_order, new_options_in_handshake, handshake_continue_tls13_client, invalid_options]) ++ (since_1_2() -- [conf_signature_algs])}, - {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()}, - {'tlsv1.1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3()}, - {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ beast_mitigation_test()}, + {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3() ++ [honor_client_cipher_order_tls12, + honor_server_cipher_order_tls12]}, + {'tlsv1.1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ pre_1_2()}, + {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ pre_1_2() ++ beast_mitigation_test()}, {'dtlsv1.2', [], gen_api_tests() -- [new_options_in_handshake, hibernate_server] ++ handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()}, {'dtlsv1', [], gen_api_tests() -- [new_options_in_handshake, hibernate_server] ++ - handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()} + handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3() ++ pre_1_2()} ]. since_1_2() -> @@ -277,6 +280,10 @@ pre_1_3() -> connection_information_with_srp ]. +pre_1_2() -> + [honor_server_cipher_order, + honor_client_cipher_order]. + simple_api_tests() -> [ invalid_keyfile, 
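Review bot: In the `'dtlsv1'` group the appended `pre_1_2()` probably never reaches the test list, because `++` and `--` are right-associative in Erlang: `gen_api_tests() -- [...] ++ handshake_paus_tests() -- [...] ++ pre_1_3() ++ pre_1_2()` subtracts everything to the right of the first `--` from `gen_api_tests()`. With `honor_server_cipher_order` and `honor_client_cipher_order` removed from `gen_api_tests()` in a later hunk, the DTLS groups would then run no cipher-order case at all, and `'dtlsv1.2'` receives neither `pre_1_2()` nor the `_tls12` variants in any case. Parenthesising the operands, `(gen_api_tests() -- [new_options_in_handshake, hibernate_server]) ++ (handshake_paus_tests() -- [handshake_continue_tls13_client]) ++ pre_1_3() ++ pre_1_2()`, states the intent, but it also starts running `pre_1_3()` for DTLS, so confirm those cases pass there. `groups/0` begins outside the hunk.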
@@ -289,7 +296,6 @@ simple_api_tests() -> format_error ]. - gen_api_tests() -> [ peercert, @@ -320,9 +326,6 @@ gen_api_tests() -> close_in_error_state, call_in_error_state, close_transport_accept, - abuse_transport_accept_socket, - honor_server_cipher_order, - honor_client_cipher_order, ipv6, der_input, max_handshake_size, @@ -756,13 +759,18 @@ dh_params(Config) when is_list(Config) -> ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), DataDir = proplists:get_value(data_dir, Config), DHParamFile = filename:join(DataDir, "dHParam.pem"), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.2'), + [{key_exchange, fun(srp_rsa) -> false; + (srp_anon) -> false; + (srp_dss) -> false; + (_) -> true end}]), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, [{dhfile, DHParamFile} | ServerOpts]}]), + {options, [{dhfile, DHParamFile}, {ciphers, Ciphers} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, {host, Hostname}, @@ -1117,12 +1125,17 @@ versions_option_based_on_sni(Config) when is_list(Config) -> TestVersion = ssl_test_lib:protocol_version(Config), {Version, Versions} = test_versions_for_option_based_on_sni(TestVersion), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, TestVersion), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), SNI = net_adm:localhost(), Fun = fun(ServerName) -> case ServerName of SNI -> - [{versions, [Version]} | ServerOpts]; + [{versions, [Version]}, {ciphers, Ciphers} | ServerOpts]; _ -> ServerOpts end 
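Review bot: The `gen_api_tests()` hunk removes `abuse_transport_accept_socket` together with the two cipher-order cases, and no visible hunk adds it back to any group. That case has no obvious connection to the CBC defaults, so this looks like an unintended loss of coverage. Keep the line `abuse_transport_accept_socket,` unless the removal is deliberate, in which case the commit message should say why.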
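Review bot: `dh_params/1` builds its list from `ssl:cipher_suites(all, 'tlsv1.2')` with a hard-coded version, while `versions_option_based_on_sni/1` in the next hunk uses `TestVersion`; since `dh_params` sits in `gen_api_tests()` and runs under several protocol groups, derive the version from `Config` the same way. The same SRP-excluding filter fun is repeated in `cipher_suites_mix`, `accept_sslv3_record_hello`, `reuse_session_expired`, `tls_upgrade_new_opts_with_sni_fun` and `tls_dont_crash_on_handshake_garbage` (here it additionally excludes `srp_anon`), so one shared helper taking the version would remove the copies. A short comment should also say why these tests need `all` rather than the default list, because `all` also enables the legacy suites that this commit keeps out of the defaults.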
@@ -1138,7 +1151,9 @@ versions_option_based_on_sni(Config) when is_list(Config) -> {host, Hostname}, {from, self()}, {mfa, {ssl_test_lib, no_result, []}}, - {options, [{server_name_indication, SNI}, {versions, Versions} | ClientOpts]}]), + {options, [{server_name_indication, SNI}, {versions, Versions}, + {ciphers, Ciphers} + | ClientOpts]}]), ssl_test_lib:check_result(Server, ok), ssl_test_lib:close(Server), 
@@ -1814,24 +1829,77 @@ invalid_keyfile(Config) when is_list(Config) -> {error,{options, {keyfile, File, {error,enoent}}}}, Client, {error, closed}). +%%-------------------------------------------------------------------- +honor_server_cipher_order_tls12() -> + [{doc,"Test API honor server cipher order."}]. +honor_server_cipher_order_tls12(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => ecdhe_rsa, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => ecdhe_rsa, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + ServerCiphers = [#{key_exchange => ecdhe_rsa, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => ecdhe_rsa, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + honor_cipher_order(Config, true, ServerCiphers, + ClientCiphers, #{key_exchange => ecdhe_rsa, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}). + +%%-------------------------------------------------------------------- + +honor_client_cipher_order_tls12() -> + [{doc,"Test API honor server cipher order."}]. +honor_client_cipher_order_tls12(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => ecdhe_rsa, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => ecdhe_rsa, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + ServerCiphers = [#{key_exchange => ecdhe_rsa, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => ecdhe_rsa, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + honor_cipher_order(Config, false, ServerCiphers, + ClientCiphers, #{key_exchange => ecdhe_rsa, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}). + %%-------------------------------------------------------------------- honor_server_cipher_order() -> [{doc,"Test API honor server cipher order."}]. 
honor_server_cipher_order(Config) when is_list(Config) -> - ClientCiphers = [#{key_exchange => dhe_rsa, - cipher => aes_128_cbc, + ClientCiphers = [#{key_exchange => dhe_rsa, + cipher => aes_128_cbc, mac => sha, - prf => default_prf}, - #{key_exchange => dhe_rsa, - cipher => aes_256_cbc, + prf => default_prf}, + #{key_exchange => dhe_rsa, + cipher => aes_256_cbc, mac => sha, prf => default_prf}], - ServerCiphers = [#{key_exchange => dhe_rsa, - cipher => aes_256_cbc, - mac =>sha, + ServerCiphers = [#{key_exchange => dhe_rsa, + cipher => aes_256_cbc, + mac => sha, prf => default_prf}, - #{key_exchange => dhe_rsa, - cipher => aes_128_cbc, + #{key_exchange => dhe_rsa, + cipher => aes_128_cbc, mac => sha, prf => default_prf}], honor_cipher_order(Config, true, ServerCiphers, @@ -1841,23 +1909,24 @@ honor_server_cipher_order(Config) when is_list(Config) -> prf => default_prf}). %%-------------------------------------------------------------------- + honor_client_cipher_order() -> [{doc,"Test API honor server cipher order."}]. honor_client_cipher_order(Config) when is_list(Config) -> - ClientCiphers = [#{key_exchange => dhe_rsa, - cipher => aes_128_cbc, + ClientCiphers = [#{key_exchange => dhe_rsa, + cipher => aes_128_cbc, mac => sha, - prf => default_prf}, - #{key_exchange => dhe_rsa, - cipher => aes_256_cbc, + prf => default_prf}, + #{key_exchange => dhe_rsa, + cipher => aes_256_cbc, mac => sha, prf => default_prf}], - ServerCiphers = [#{key_exchange => dhe_rsa, - cipher => aes_256_cbc, - mac =>sha, + ServerCiphers = [#{key_exchange => dhe_rsa, + cipher => aes_256_cbc, + mac => sha, prf => default_prf}, - #{key_exchange => dhe_rsa, - cipher => aes_128_cbc, + #{key_exchange => dhe_rsa, + cipher => aes_128_cbc, mac => sha, prf => default_prf}], honor_cipher_order(Config, false, ServerCiphers, 
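Review bot: `honor_client_cipher_order_tls12()` carries the doc string `"Test API honor server cipher order."`, copied from the server case; it should read `[{doc,"Test API honor client cipher order."}]` (the older `honor_client_cipher_order()` shown as context has the same slip). The two new cases also repeat identical `ClientCiphers` and `ServerCiphers` lists. Two small local functions returning the AES-128-GCM and AES-256-GCM suite maps would remove the duplication and make the expected-suite argument to `honor_cipher_order/5` easier to check.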
@@ -1866,6 +1935,7 @@ honor_client_cipher_order(Config) when is_list(Config) -> mac => sha, prf => default_prf}). + %%-------------------------------------------------------------------- ipv6() -> [{require, ipv6_hosts}, diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index d83427122c..98dc4dff00 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -313,12 +313,18 @@ cipher_suites_mix(Config) when is_list(Config) -> ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + ServerCipherSuites = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.3'), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, ServerOpts}]), + {options, [{ciphers, ServerCipherSuites} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, {host, Hostname}, @@ -997,10 +1003,14 @@ anon_chipher_suite_checks(Version) -> [_|_] = ssl:cipher_suites(exclusive_anonymous, Version). chipher_suite_checks(Version) -> - MandatoryCipherSuiteTLS1_0TLS1_1 = #{key_exchange => rsa, - cipher => '3des_ede_cbc', - mac => sha, - prf => default_prf}, + MandatoryCipherSuiteTLS1_0 = #{key_exchange => dhe_dss, + cipher => '3des_ede_cbc', + mac => sha, + prf => default_prf}, + MandatoryCipherSuiteTLS1_1 = #{key_exchange => rsa, + cipher => '3des_ede_cbc', + mac => sha, + prf => default_prf}, MandatoryCipherSuiteTLS1_0TLS1_2 = #{key_exchange =>rsa, cipher => 'aes_128_cbc', mac => sha, 
@@ -1009,6 +1019,7 @@ chipher_suite_checks(Version) -> Default = [_|_] = ssl:cipher_suites(default, Version), Anonymous = ssl:cipher_suites(anonymous, Version), true = length(Default) < length(All), + Filters = [{key_exchange, fun(dhe_rsa) -> true; @@ -1024,6 +1035,7 @@ chipher_suite_checks(Version) -> end }, {mac, + fun(sha) -> true; (_) -> 
@@ -1037,20 +1049,30 @@ chipher_suite_checks(Version) -> prf => default_prf}, [Cipher] = ssl:filter_cipher_suites(All, Filters), [Cipher | Rest0] = ssl:prepend_cipher_suites([Cipher], Default), - [Cipher | Rest0] = ssl:prepend_cipher_suites(Filters, Default), - true = lists:member(Cipher, Default), - false = lists:member(Cipher, Rest0), + case (Version == 'tlsv1') orelse (Version == 'tlsv1.1') orelse (Version == 'dtlsv1') of + true -> + true = lists:member(Cipher, Default), + [Cipher | Rest0] = ssl:prepend_cipher_suites(Filters, Default), + false = lists:member(Cipher, Rest0); + false -> + false = lists:member(Cipher, Default) + end, [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites([Cipher], Default)), - [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)), - true = lists:member(Cipher, Default), - false = lists:member(Cipher, Rest1), + case (Version == 'tlsv1') orelse (Version == 'tlsv1.1') orelse (Version == 'dtlsv1') of + true -> + true = lists:member(Cipher, Default), + [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)), + false = lists:member(Cipher, Rest1); + false -> + false = lists:member(Cipher, Default) + end, [] = lists:dropwhile(fun(X) -> not lists:member(X, Default) end, Anonymous), [] = lists:dropwhile(fun(X) -> not lists:member(X, All) end, Anonymous), case Version of tlsv1 -> - true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_1, All); + true = lists:member(MandatoryCipherSuiteTLS1_0, All); 'tlsv1.1' -> - true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_1, All), + true = lists:member(MandatoryCipherSuiteTLS1_1, All), true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_2, All); 'tlsv1.2' -> ok; diff --git a/lib/ssl/test/ssl_reject_SUITE.erl b/lib/ssl/test/ssl_reject_SUITE.erl index be79e0543b..a18b232f9b 100644 --- a/lib/ssl/test/ssl_reject_SUITE.erl +++ b/lib/ssl/test/ssl_reject_SUITE.erl 
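Review bot: The condition `(Version == 'tlsv1') orelse (Version == 'tlsv1.1') orelse (Version == 'dtlsv1')` is written out twice in `chipher_suite_checks/1`; bind it once, e.g. `CbcInDefault = lists:member(Version, ['tlsv1', 'tlsv1.1', 'dtlsv1']),`, and match on that in both `case` expressions. In the `false` branches the filter-based calls `ssl:prepend_cipher_suites(Filters, Default)` and `ssl:append_cipher_suites(Filters, Default)` are no longer exercised for TLS-1.2 and later, so that API path loses coverage; asserting the result expected there would keep it tested. A one-line comment that CBC suites are absent from the defaults from TLS-1.2 on would explain the branch. The function starts outside this hunk.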
@@ -185,11 +185,16 @@ accept_sslv3_record_hello(Config) when is_list(Config) -> Allversions = all_versions(), AllSigAlgs = ssl:signature_algs(all, 'tlsv1.3'), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, 'tlsv1.3'), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {options, [{versions, Allversions}, - {signature_algs, AllSigAlgs} | ServerOpts]}]), + {signature_algs, AllSigAlgs}, {ciphers, Ciphers} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), %% TLS-1.X Hello with SSL-3.0 record version diff --git a/lib/ssl/test/ssl_session_SUITE.erl b/lib/ssl/test/ssl_session_SUITE.erl index 0901539b9c..4041213b3b 100644 --- a/lib/ssl/test/ssl_session_SUITE.erl +++ b/lib/ssl/test/ssl_session_SUITE.erl @@ -186,8 +186,14 @@ reuse_session_expired() -> reuse_session_expired(Config) when is_list(Config) -> ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + TestVersion = ssl_test_lib:protocol_version(Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, TestVersion), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), + Server0 = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, 
@@ -199,13 +205,14 @@ reuse_session_expired(Config) when is_list(Config) -> Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port0}, {host, Hostname}, {mfa, {ssl_test_lib, session_id, []}}, - {from, self()}, {options, [{reuse_sessions, save} | ClientOpts]}]), + {from, self()}, {options, [{reuse_sessions, save}, + {ciphers, Ciphers}| ClientOpts]}]), Server0 ! listen, Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port0}, {host, Hostname}, {mfa, {ssl_test_lib, session_id, []}}, - {from, self()}, {options, ClientOpts}]), + {from, self()}, {options, [{ciphers, Ciphers} | ClientOpts]}]), SID = receive {Client0, Id0} -> diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl index 11756bf2f7..4c7228a499 100644 --- a/lib/ssl/test/tls_api_SUITE.erl +++ b/lib/ssl/test/tls_api_SUITE.erl @@ -305,7 +305,11 @@ tls_upgrade_new_opts_with_sni_fun(Config) when is_list(Config) -> TcpOpts = [binary, {reuseaddr, true}], Version = ssl_test_lib:protocol_version(Config), NewVersions = new_versions(Version), - Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), []), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), NewOpts = [{versions, NewVersions}, {ciphers, Ciphers}, 
@@ -729,11 +733,17 @@ tls_dont_crash_on_handshake_garbage(Config) -> ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), Version = ssl_test_lib:protocol_version(Config), {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), + [{key_exchange, fun(srp_rsa) -> false; + (srp_dss) -> false; + (_) -> true + end}]), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, ssl_test_lib, no_result}, - {options, [{versions, [Version]} | ServerOpts]}]), + {options, [{versions, [Version]}, {ciphers, Ciphers} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]), @@ -752,7 +762,7 @@ tls_dont_crash_on_handshake_garbage(Config) -> case Version of 'tlsv1.3' -> ssl_test_lib:check_server_alert(Server, protocol_version); - _ -> + _ -> ssl_test_lib:check_server_alert(Server, handshake_failure) end. -- 2.35.3