From: Thomas Pornin Date: Fri, 18 May 2018 23:54:26 +0000 (+0200) Subject: Added test for a server choosing a TLS-1.2 cipher suite with a pre-1.2 protocol versi... X-Git-Url: https://bearssl.org/gitweb//home/git/?a=commitdiff_plain;h=a3526e62c383183a1ba5572a3af40912431121fc;p=BoarSSL Added test for a server choosing a TLS-1.2 cipher suite with a pre-1.2 protocol version (client should reject it). --- diff --git a/SSLTLS/SSLServer.cs b/SSLTLS/SSLServer.cs index 6f39135..71c97d0 100644 --- a/SSLTLS/SSLServer.cs +++ b/SSLTLS/SSLServer.cs @@ -453,6 +453,18 @@ public class SSLServer : SSLEngine { * resumption). */ Version = Math.Min(ClientVersionMax, VersionMax); + string forcedVersion = GetQuirkString("forceVersion"); + if (forcedVersion != null) { + switch (forcedVersion) { + case "TLS10": Version = SSL.TLS10; break; + case "TLS11": Version = SSL.TLS11; break; + case "TLS12": Version = SSL.TLS12; break; + default: + throw new Exception(string.Format( + "Unknown forced version: '{0}'", + forcedVersion)); + } + } /* * Recompute list of acceptable cipher suites. We keep @@ -471,6 +483,11 @@ public class SSLServer : SSLEngine { CommonCipherSuites = new List(); List commonSuitesResume = new List(); bool canTLS12 = Version >= SSL.TLS12; + bool mustTLS12 = false; + if (GetQuirkBool("forceTls12CipherSuite")) { + canTLS12 = true; + mustTLS12 = true; + } bool canSignRSA; bool canSignECDSA; if (Version >= SSL.TLS12) { @@ -499,6 +516,9 @@ public class SSLServer : SSLEngine { if (!canTLS12 && SSL.IsTLS12(cs)) { continue; } + if (mustTLS12 && !SSL.IsTLS12(cs)) { + continue; + } commonSuitesResume.Add(cs); if (!canECDHE && SSL.IsECDHE(cs)) { continue; diff --git a/conf/bearssl.json b/conf/bearssl.json index d46f349..97f213a 100644 --- a/conf/bearssl.json +++ b/conf/bearssl.json @@ -245,6 +245,17 @@ "comment" : "Peer should forget session. Peer should close and reconnect.", "reconnect" : "peer", "forget" : "peer" + }, + { + "name" : "tls12SuiteWithOlder", + "comment" : "Server selects a TLS-1.2 specific cipher suite with TLS-1.1; the client should refuse.", + "clientOnly" : "true", + "expectedExitCode" : 1, + "expectedFailure" : "Unexpected transport closure", + "quirks" : { + "forceVersion" : "TLS11", + "forceTls12CipherSuite" : "true" + } } ] }