$proxy->filter(\&sigalgs_filter);
- #Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
- # security level 1
+ #Test 10: Sending no sig algs extension in TLSv1.2 will make it use
+ # SHA1, which is only supported at security level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=1");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
+ $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
- ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");
+ ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0");
#Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
- # level 2 since it will try to use SHA1. Testing client at level 1,
- # server level 2.
+ # level 1 since it will try to use SHA1. Testing client at level 0,
+ # server level 1.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
- $proxy->ciphers("DEFAULT:\@SECLEVEL=2");
+ $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0");
+ $proxy->ciphers("DEFAULT:\@SECLEVEL=1");
$proxy->start();
- ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");
+ ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1");
#Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
- # level 2 since it will try to use SHA1. Testing client at level 2,
- # server level 1.
+ # level 1 since it will try to use SHA1. Testing client at level 1,
+ # server level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=2");
- $proxy->ciphers("DEFAULT:\@SECLEVEL=1");
+ $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
+ $proxy->ciphers("DEFAULT:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
$proxy->filter(\&sigalgs_filter);
- #Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
+ #Test 19: No sig algs extension, ECDSA cert, will use SHA1,
+ # TLSv1.2 should succeed at security level 0
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
- $proxy->clientflags("-no_tls1_3");
+ $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->serverflags("-cert " . srctop_file("test", "certs",
"server-ecdsa-cert.pem") .
" -key " . srctop_file("test", "certs",
"server-ecdsa-key.pem")),
- $proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
}
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
- "DSA/SHA2 sigalg sent for 1.3-only ClientHello");
+ "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
#Test 21: signature_algorithms with backwards compatible ClientHello
SKIP: {
$testtype = COMPAT_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
+ $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
- "DSA sigalg not sent for compat ClientHello");
+ "backwards compatible sigalg sent for compat ClientHello");
}
}
projects / openssl.git / blobdiff