Added test for a server choosing a TLS-1.2 cipher suite with a pre-1.2 protocol versi...

diff --git a/SSLTLS/SSLServer.cs b/SSLTLS/SSLServer.cs
index 6f39135..71c97d0 100644 (file)
--- a/SSLTLS/SSLServer.cs
+++ b/SSLTLS/SSLServer.cs
@@ -453,6 +453,18 @@ public class SSLServer : SSLEngine {
                 * resumption).
                 */
                Version = Math.Min(ClientVersionMax, VersionMax);
+               string forcedVersion = GetQuirkString("forceVersion");
+               if (forcedVersion != null) {
+                       switch (forcedVersion) {
+                       case "TLS10": Version = SSL.TLS10; break;
+                       case "TLS11": Version = SSL.TLS11; break;
+                       case "TLS12": Version = SSL.TLS12; break;
+                       default:
+                               throw new Exception(string.Format(
+                                       "Unknown forced version: '{0}'", 
+                                       forcedVersion));
+                       }
+               }
 
                /*
                 * Recompute list of acceptable cipher suites. We keep
@@ -471,6 +483,11 @@ public class SSLServer : SSLEngine {
                CommonCipherSuites = new List<int>();
                List<int> commonSuitesResume = new List<int>();
                bool canTLS12 = Version >= SSL.TLS12;
+               bool mustTLS12 = false;
+               if (GetQuirkBool("forceTls12CipherSuite")) {
+                       canTLS12 = true;
+                       mustTLS12 = true;
+               }
                bool canSignRSA;
                bool canSignECDSA;
                if (Version >= SSL.TLS12) {
@@ -499,6 +516,9 @@ public class SSLServer : SSLEngine {
                        if (!canTLS12 && SSL.IsTLS12(cs)) {
                                continue;
                        }
+                       if (mustTLS12 && !SSL.IsTLS12(cs)) {
+                               continue;
+                       }
                        commonSuitesResume.Add(cs);
                        if (!canECDHE && SSL.IsECDHE(cs)) {
                                continue;

diff --git a/conf/bearssl.json b/conf/bearssl.json
index d46f349..97f213a 100644 (file)
--- a/conf/bearssl.json
+++ b/conf/bearssl.json
@@ -245,6 +245,17 @@
       "comment" : "Peer should forget session. Peer should close and reconnect.",
       "reconnect" : "peer",
       "forget" : "peer"
+    },
+    {
+      "name" : "tls12SuiteWithOlder",
+      "comment" : "Server selects a TLS-1.2 specific cipher suite with TLS-1.1; the client should refuse.",
+      "clientOnly" : "true",
+      "expectedExitCode" : 1,
+      "expectedFailure" : "Unexpected transport closure",
+      "quirks" : {
+        "forceVersion" : "TLS11",
+        "forceTls12CipherSuite" : "true"
+      }
     }
   ]
 }