|
 |
20bab0 |
From a00a70b7195438c543191b69382ff20e452548bf Mon Sep 17 00:00:00 2001
|
|
|
20bab0 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
20bab0 |
Date: Mon, 13 Aug 2018 12:33:58 +0200
|
|
|
20bab0 |
Subject: [PATCH] Adapt CTX_get_min_proto_version tests to system-wide policy
|
|
|
20bab0 |
MIME-Version: 1.0
|
|
|
20bab0 |
Content-Type: text/plain; charset=UTF-8
|
|
|
20bab0 |
Content-Transfer-Encoding: 8bit
|
|
|
20bab0 |
|
|
|
20bab0 |
In our distribution, /etc/crypto-policies/back-ends/opensslcnf.config
|
|
|
20bab0 |
can override default minimal SSL/TLS protocol version. If it does,
|
|
|
20bab0 |
t/local/09_ctx_new.t test will fail because OpenSSL will return
|
|
|
20bab0 |
different then 0 value.
|
|
|
20bab0 |
|
|
|
20bab0 |
This patch parses the configuration file and adjusts expect values in
|
|
|
20bab0 |
the test.
|
|
|
20bab0 |
|
|
|
20bab0 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
20bab0 |
---
|
|
|
20bab0 |
t/local/09_ctx_new.t | 22 ++++++++++++++++++++--
|
|
|
20bab0 |
1 file changed, 20 insertions(+), 2 deletions(-)
|
|
|
20bab0 |
|
|
|
20bab0 |
diff --git a/t/local/09_ctx_new.t b/t/local/09_ctx_new.t
|
|
|
20bab0 |
index 6d06f21..c584856 100644
|
|
|
20bab0 |
--- a/t/local/09_ctx_new.t
|
|
|
20bab0 |
+++ b/t/local/09_ctx_new.t
|
|
|
20bab0 |
@@ -109,14 +109,32 @@ else
|
|
|
20bab0 |
# Having TLS_method() does not necessarily that proto getters are available
|
|
|
20bab0 |
if ($ctx_tls && exists &Net::SSLeay::CTX_get_min_proto_version)
|
|
|
20bab0 |
{
|
|
|
20bab0 |
+ my $min_ver = 0;
|
|
|
20bab0 |
+ # Adjust minimal version to system-wide crypto policy
|
|
|
20bab0 |
+ if (open(my $f, '<', '/etc/crypto-policies/back-ends/opensslcnf.config')) {
|
|
|
20bab0 |
+ while(<$f>) {
|
|
|
20bab0 |
+ if (/^MinProtocol = ([\w.]+)\b/) {
|
|
|
20bab0 |
+ if ($1 eq 'TLSv1') {
|
|
|
20bab0 |
+ $min_ver = 0x0301;
|
|
|
20bab0 |
+ } elsif ($1 eq 'TLSv1.1') {
|
|
|
20bab0 |
+ $min_ver = 0x0302;
|
|
|
20bab0 |
+ } elsif ($1 eq 'TLSv1.2') {
|
|
|
20bab0 |
+ $min_ver = 0x0303;
|
|
|
20bab0 |
+ } elsif ($1 eq 'TLSv1.3') {
|
|
|
20bab0 |
+ $min_ver = 0x0304;
|
|
|
20bab0 |
+ }
|
|
|
20bab0 |
+ }
|
|
|
20bab0 |
+ }
|
|
|
20bab0 |
+ close($f);
|
|
|
20bab0 |
+ }
|
|
|
20bab0 |
my $ver;
|
|
|
20bab0 |
$ver = Net::SSLeay::CTX_get_min_proto_version($ctx_tls);
|
|
|
20bab0 |
- is($ver, 0, 'TLS_method CTX has automatic minimum version');
|
|
|
20bab0 |
+ is($ver, $min_ver, 'TLS_method CTX has automatic minimum version');
|
|
|
20bab0 |
$ver = Net::SSLeay::CTX_get_max_proto_version($ctx_tls);
|
|
|
20bab0 |
is($ver, 0, 'TLS_method CTX has automatic maximum version');
|
|
|
20bab0 |
|
|
|
20bab0 |
$ver = Net::SSLeay::get_min_proto_version($ssl_tls);
|
|
|
20bab0 |
- is($ver, 0, 'SSL from TLS_method CTX has automatic minimum version');
|
|
|
20bab0 |
+ is($ver, $min_ver, 'SSL from TLS_method CTX has automatic minimum version');
|
|
|
20bab0 |
$ver = Net::SSLeay::get_max_proto_version($ssl_tls);
|
|
|
20bab0 |
is($ver, 0, 'SSL from TLS_method CTX has automatic maximum version');
|
|
|
20bab0 |
|
|
|
20bab0 |
--
|
|
|
20bab0 |
2.14.4
|
|
|
20bab0 |
|