From 17d01b420151d05edd347b584fa1942f5b914fc5 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 2 Nov 2016 09:09:02 +0000
Subject: [PATCH] Add some more version tests

Send a TLS1.4 ClientHello with supported_versions and get TLS1.3
Send a TLS1.3 ClientHello without supported_versions and get TLS1.2

Reviewed-by: Rich Salz
---
 test/recipes/70-test_sslversions.t | 22 +++++++++++++++++++---
 test/recipes/70-test_sslvertol.t | 23 ++++++++++++++++++-----
 2 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t
index 374579c304..0ee15561da 100755
--- a/test/recipes/70-test_sslversions.t
+++ b/test/recipes/70-test_sslversions.t
@@ -17,7 +17,8 @@ use constant {
 UNRECOGNISED_VERSIONS => 2,
 NO_EXTENSION => 3,
 EMPTY_EXTENSION => 4,
- NO_TLS1_3 => 5
+ NO_TLS1_3 => 5,
+ WITH_TLS1_4 => 6
 };

 my $testtype;
@@ -54,7 +55,7 @@ my $proxy = TLSProxy::Proxy->new(
 $testtype = EMPTY_EXTENSION;
 $proxy->filter(\&modify_supported_versions_filter);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 6;
+plan tests => 7;
 ok(TLSProxy::Message->fail(), "Empty supported versions");

 #Test 2: supported_versions extension with no recognised versions should not
@@ -99,6 +100,15 @@ ok(TLSProxy::Message->success()
 && $record->version() == TLSProxy::Record::VERS_TLS_1_1,
 "No TLS1.3 in supported versions extension");

+#Test 7: TLS1.4 and TLS1.3 in supported versions. Should succeed and use TLS1.3
+$proxy->clear();
+$testtype = WITH_TLS1_4;
+$proxy->start();
+$record = pop @{$proxy->record_list};
+ok(TLSProxy::Message->success()
+ && $record->version() == TLSProxy::Record::VERS_TLS_1_3,
+ "TLS1.4 in supported versions extension");
+
 sub modify_supported_versions_filter
 {
 my $proxy = shift;
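Review bot: In Test 7 the result of `pop @{$proxy->record_list}` is dereferenced without checking that a record was captured. If the message state is successful but the record list is empty, `$record->version()` is a method call on undef and the script aborts instead of reporting a failed test. A guard in the condition, `TLSProxy::Message->success() && defined $record && $record->version() == TLSProxy::Record::VERS_TLS_1_3`, keeps the failure inside the harness. The same pattern is added twice in the 70-test_sslvertol.t hunk. The new `$proxy->start();` also discards its return value, whereas the first start in this file is checked with `or plan skip_all`.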
@@ -126,10 +136,16 @@ sub modify_supported_versions_filter
 0x04, # Length
 0x03, 0x02, #TLSv1.1
 0x03, 0x01; #TLSv1.0
+ } elsif ($testtype == WITH_TLS1_4) {
+ $ext = pack "C5",
+ 0x04, # Length
+ 0x03, 0x05, #TLSv1.4
+ 0x03, 0x04; #TLSv1.3
 }
 if ($testtype == REVERSE_ORDER_VERSIONS
 || $testtype == UNRECOGNISED_VERSIONS
- || $testtype == NO_TLS1_3) {
+ || $testtype == NO_TLS1_3
+ || $testtype == WITH_TLS1_4) {
 $message->set_extension(
 TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
 } elsif ($testtype == EMPTY_EXTENSION) {
diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t
index 46fc9b6cc7..108166f33e 100755
--- a/test/recipes/70-test_sslvertol.t
+++ b/test/recipes/70-test_sslvertol.t
@@ -34,15 +34,28 @@ my $proxy = TLSProxy::Proxy->new(
 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
 );

-#Test 1: Asking for TLS1.4 should pass
+#This file does tests without the supported_versions extension.
+#See 70-test_sslversions.t for tests with supported versions.
+#Test 1: Asking for TLS1.4 should pass and negotiate TLS1.2
 my $client_version = TLSProxy::Record::VERS_TLS_1_4;
-#We don't want the supported versions extension for this test
 $proxy->clientflags("-no_tls1_3");
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 2;
-ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.4");
+plan tests => 3;
+my $record = pop @{$proxy->record_list};
+ok(TLSProxy::Message->success()
+ && $record->version() == TLSProxy::Record::VERS_TLS_1_2,
+ "Version tolerance test, TLS 1.4");

-#Test 2: Testing something below SSLv3 should fail
+#Test 2: Asking for TLS1.3 should succeed and negotiate TLS1.2
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->start();
+$record = pop @{$proxy->record_list};
+ok(TLSProxy::Message->success()
+ && $record->version() == TLSProxy::Record::VERS_TLS_1_2,
+ "Version tolerance test, TLS 1.3");
+
+#Test 3: Testing something below SSLv3 should fail
 $client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
 $proxy->clear();
 $proxy->clientflags("-no_tls1_3");
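Review bot: Test 2 never reassigns `$client_version`, so it appears to repeat Test 1 with a TLS1.4 ClientHello rather than sending the TLS1.3 one that its comment and the commit message describe. The only assignments visible in this hunk are `my $client_version = TLSProxy::Record::VERS_TLS_1_4;` before Test 1 and the `VERS_SSL_3_0 - 1` assignment for Test 3. The filter that applies the value lies outside the hunk, so this is inferred from how the variable is used here. Adding `$client_version = TLSProxy::Record::VERS_TLS_1_3;` before the second `$proxy->clear();` would make the downgrade-to-TLS1.2 path for a TLS1.3 legacy version actually get exercised.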