mirror of
https://git.suyu.dev/suyu/mbedtls.git
synced 2025-12-21 21:36:21 +01:00
Merge new security defaults for programs (RC4 disabled, SSL3 disabled)
This commit is contained in:
Paul Bakker
commit
5b8f7eaa3e
14 changed files with 149 additions and 23 deletions
|
|
@ -676,7 +676,7 @@ setup_arguments()
|
|||
exit 1;
|
||||
esac
|
||||
|
||||
P_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE"
|
||||
P_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
|
||||
O_SERVER_ARGS="-accept $PORT -www -cipher NULL,ALL -$MODE"
|
||||
G_SERVER_ARGS="-p $PORT --http"
|
||||
G_SERVER_PRIO="EXPORT:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||
|
|
|
|||
|
|
@ -408,6 +408,26 @@ run_test "Default" \
|
|||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
# Tests for rc4 option
|
||||
|
||||
run_test "RC4: server disabled, client enabled" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
1 \
|
||||
-s "SSL - The server has no ciphersuites in common"
|
||||
|
||||
run_test "RC4: server enabled, client disabled" \
|
||||
"$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI" \
|
||||
1 \
|
||||
-s "SSL - The server has no ciphersuites in common"
|
||||
|
||||
run_test "RC4: both enabled" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-S "SSL - The server has no ciphersuites in common"
|
||||
|
||||
# Test for SSLv2 ClientHello
|
||||
|
||||
requires_openssl_with_sslv2
|
||||
|
|
@ -1416,7 +1436,7 @@ run_test "Authentication: client no cert, openssl server optional" \
|
|||
|
||||
run_test "Authentication: client no cert, ssl3" \
|
||||
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
|
||||
"$P_CLI debug_level=3 crt_file=none key_file=none" \
|
||||
"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
|
||||
0 \
|
||||
-S "skip write certificate request" \
|
||||
-C "skip parse certificate request" \
|
||||
|
|
@ -2098,14 +2118,14 @@ run_test "PSK callback: wrong key" \
|
|||
# Tests for ciphersuites per version
|
||||
|
||||
run_test "Per-version suites: SSL3" \
|
||||
"$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_CLI force_version=ssl3" \
|
||||
0 \
|
||||
-c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
|
||||
|
||||
run_test "Per-version suites: TLS 1.0" \
|
||||
"$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_CLI force_version=tls1" \
|
||||
"$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_CLI force_version=tls1 arc4=1" \
|
||||
0 \
|
||||
-c "Ciphersuite is TLS-RSA-WITH-RC4-128-SHA"
|
||||
|
||||
|
|
@ -2138,14 +2158,14 @@ run_test "ssl_get_bytes_avail: extra data" \
|
|||
# Tests for small packets
|
||||
|
||||
run_test "Small packet SSLv3 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV min_version=ssl3" \
|
||||
"$P_CLI request_size=1 force_version=ssl3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet SSLv3 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV min_version=ssl3 arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=ssl3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
|
|
@ -2174,7 +2194,7 @@ run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
@ -2196,7 +2216,7 @@ run_test "Small packet TLS 1.1 BlockCipher without EtM" \
|
|||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet TLS 1.1 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
|
|
@ -2211,7 +2231,7 @@ run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
@ -2248,14 +2268,14 @@ run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet TLS 1.2 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
@ -2279,14 +2299,14 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \
|
|||
# Test for large packets
|
||||
|
||||
run_test "Large packet SSLv3 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV min_version=ssl3" \
|
||||
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet SSLv3 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV min_version=ssl3 arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=ssl3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
|
|
@ -2308,7 +2328,7 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
@ -2323,7 +2343,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \
|
|||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
|
|
@ -2338,7 +2358,7 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
@ -2368,14 +2388,14 @@ run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
|
|||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 StreamCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_SRV arc4=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
|
||||
trunc_hmac=1" \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue