aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2019-05-24 13:58:58 -0400
committerJack Lloyd <[email protected]>2019-05-24 14:01:11 -0400
commita6f271f638a20a619be8e840001ff83112506c40 (patch)
treec1b3114c5e95b1a42e469802b920e5e6b44e1e8e /src
parent92c06e93aa870f76ff3d8c126e47c0cd4ccdad66 (diff)
Add support for supported versions extension from TLS 1.3
Diffstat (limited to 'src')
-rw-r--r--src/bogo_shim/bogo_shim.cpp59
-rw-r--r--src/bogo_shim/config.json8
-rw-r--r--src/lib/tls/msg_client_hello.cpp20
-rw-r--r--src/lib/tls/msg_server_hello.cpp2
-rw-r--r--src/lib/tls/tls_extensions.cpp93
-rw-r--r--src/lib/tls/tls_extensions.h41
-rw-r--r--src/lib/tls/tls_messages.h2
-rw-r--r--src/lib/tls/tls_reader.h6
-rw-r--r--src/lib/tls/tls_server.cpp34
-rw-r--r--src/lib/tls/tls_version.h6
-rw-r--r--src/scripts/tls_scanner/policy.txt2
-rw-r--r--src/scripts/tls_scanner/urls.txt3
-rw-r--r--src/tests/unit_tls.cpp11
13 files changed, 219 insertions, 68 deletions
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
index 049c9dc2f..3248ce57f 100644
--- a/src/bogo_shim/bogo_shim.cpp
+++ b/src/bogo_shim/bogo_shim.cpp
@@ -121,6 +121,8 @@ std::string map_to_bogo_error(const std::string& e)
{ "Invalid authentication tag: ChaCha20Poly1305 tag check failed", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:" },
{ "Invalid authentication tag: GCM tag check failed", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:" },
{ "Message authentication failure", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:" },
+ { "No shared TLS version", ":UNSUPPORTED_PROTOCOL:" },
+ { "No shared DTLS version", ":UNSUPPORTED_PROTOCOL:" },
{ "OS2ECP: Unknown format type 251", ":BAD_ECPOINT:" },
{ "Policy forbids all available TLS version", ":NO_SUPPORTED_VERSIONS_ENABLED:" },
{ "Policy forbids all available DTLS version", ":NO_SUPPORTED_VERSIONS_ENABLED:" },
@@ -895,29 +897,52 @@ class Shim_Policy final : public Botan::TLS::Policy
return allow_client_initiated_renegotiation(); // same logic
}
+ bool allow_version(Botan::TLS::Protocol_Version version) const
+ {
+ if(m_args.option_used("min-version"))
+ {
+ const uint16_t min_version_16 = static_cast<uint16_t>(m_args.get_int_opt("min-version"));
+ Botan::TLS::Protocol_Version min_version(min_version_16 >> 8, min_version_16 & 0xFF);
+ if(min_version > version)
+ return false;
+ }
+
+ if(m_args.option_used("max-version"))
+ {
+ const uint16_t max_version_16 = static_cast<uint16_t>(m_args.get_int_opt("max-version"));
+ Botan::TLS::Protocol_Version max_version(max_version_16 >> 8, max_version_16 & 0xFF);
+ if(version > max_version)
+ return false;
+ }
+
+ return version.known_version();
+ }
+
bool allow_tls10() const override
{
- return !m_args.flag_set("dtls") && !m_args.flag_set("no-tls1");
+ return !m_args.flag_set("dtls") &&
+ !m_args.flag_set("no-tls1") &&
+ allow_version(Botan::TLS::Protocol_Version::TLS_V10);
}
bool allow_tls11() const override
{
- return !m_args.flag_set("dtls") && !m_args.flag_set("no-tls11");
+ return !m_args.flag_set("dtls") && !m_args.flag_set("no-tls11") && allow_version(Botan::TLS::Protocol_Version::TLS_V11);
}
bool allow_tls12() const override
{
- return !m_args.flag_set("dtls") && !m_args.flag_set("no-tls12");
+ return !m_args.flag_set("dtls") && !m_args.flag_set("no-tls12") && allow_version(Botan::TLS::Protocol_Version::TLS_V12);
}
bool allow_dtls10() const override
{
- return m_args.flag_set("dtls") && !m_args.flag_set("no-tls1");
+ return m_args.flag_set("dtls") && !m_args.flag_set("no-tls1") && allow_version(Botan::TLS::Protocol_Version::DTLS_V10);
}
bool allow_dtls12() const override
{
- return m_args.flag_set("dtls") && !m_args.flag_set("no-tls12");
+ return m_args.flag_set("dtls") && !m_args.flag_set("no-tls12") && allow_version(Botan::TLS::Protocol_Version::DTLS_V12);
}
//Botan::TLS::Group_Params default_dh_group() const override;
@@ -960,30 +985,6 @@ class Shim_Policy final : public Botan::TLS::Policy
return false;
}
- bool acceptable_protocol_version(Botan::TLS::Protocol_Version version) const override
- {
- if(!Botan::TLS::Policy::acceptable_protocol_version(version))
- return false;
-
- if(m_args.option_used("min-version"))
- {
- const uint16_t min_version_16 = static_cast<uint16_t>(m_args.get_int_opt("min-version"));
- Botan::TLS::Protocol_Version min_version(min_version_16 >> 8, min_version_16 & 0xFF);
- if(min_version > version)
- return false;
- }
-
- if(m_args.option_used("max-version"))
- {
- const uint16_t max_version_16 = static_cast<uint16_t>(m_args.get_int_opt("max-version"));
- Botan::TLS::Protocol_Version max_version(max_version_16 >> 8, max_version_16 & 0xFF);
- if(version > max_version)
- return false;
- }
-
- return version.known_version();
- }
-
bool send_fallback_scsv(Botan::TLS::Protocol_Version) const override
{
return m_args.flag_set("fallback-scsv");
diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
index 0bf7a8431..2c0203970 100644
--- a/src/bogo_shim/config.json
+++ b/src/bogo_shim/config.json
@@ -21,14 +21,12 @@
"EarlyDataEnabled*": "No TLS 1.3",
"DelegatedCredentials*": "No TLS 1.3",
"ExportTrafficSecrets-*": "No TLS 1.3",
-
- "ConflictingVersionNegotiation*": "No support for 1.3 version extension",
- "VersionNegotiationExtension*": "No support for 1.3 version extension",
- "IgnoreClientVersionOrder": "No support for 1.3 version extension",
- "NoSupportedVersions*": "No support for 1.3 version extension",
+ "IgnoreClientVersionOrder": "No TLS 1.3",
"DuplicateCertCompressionExt*": "No support for 1.3 cert compression extension",
+ "SupportedVersionSelection-TLS12": "We just ignore the version extension in this case",
+
"Downgrade*": "The 1.3 downgrade indicator is not implemented",
"*SSL3*": "No SSLv3",
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index 539e2a780..657fe01b2 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -108,6 +108,8 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_extensions.add(new Renegotiation_Extension(reneg_info));
+ m_extensions.add(new Supported_Versions(m_version, policy));
+
if(client_settings.hostname() != "")
m_extensions.add(new Server_Name_Indicator(client_settings.hostname()));
@@ -280,7 +282,7 @@ Client_Hello::Client_Hello(const std::vector<uint8_t>& buf)
m_comp_methods = reader.get_range_vector<uint8_t>(1, 1, 255);
- m_extensions.deserialize(reader, Connection_Side::SERVER);
+ m_extensions.deserialize(reader, Connection_Side::CLIENT);
if(offered_suite(static_cast<uint16_t>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)))
{
@@ -296,15 +298,6 @@ Client_Hello::Client_Hello(const std::vector<uint8_t>& buf)
m_extensions.add(new Renegotiation_Extension());
}
}
-
- // Parsing complete, now any additional decoding checks
-
- if(m_version.supports_negotiable_signature_algorithms() == false)
- {
- if(m_extensions.has<Signature_Algorithms>())
- throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Client sent signature_algorithms extension in version that doesn't support it");
- }
}
bool Client_Hello::sent_fallback_scsv() const
@@ -386,6 +379,13 @@ std::vector<uint8_t> Client_Hello::renegotiation_info() const
return std::vector<uint8_t>();
}
+std::vector<Protocol_Version> Client_Hello::supported_versions() const
+ {
+ if(Supported_Versions* versions = m_extensions.get<Supported_Versions>())
+ return versions->versions();
+ return {};
+ }
+
bool Client_Hello::supports_session_ticket() const
{
return m_extensions.has<Session_Ticket>();
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index 933ee8af7..f3ef45f50 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -159,7 +159,7 @@ Server_Hello::Server_Hello(const std::vector<uint8_t>& buf)
m_comp_method = reader.get_byte();
- m_extensions.deserialize(reader, Connection_Side::CLIENT);
+ m_extensions.deserialize(reader, Connection_Side::SERVER);
}
/*
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index ca4e1200f..54f006c74 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -9,6 +9,7 @@
#include <botan/tls_extensions.h>
#include <botan/internal/tls_reader.h>
#include <botan/tls_exceptn.h>
+#include <botan/tls_policy.h>
namespace Botan {
@@ -16,10 +17,8 @@ namespace TLS {
namespace {
-Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size, Connection_Side side)
+Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size, Connection_Side from)
{
- BOTAN_UNUSED(side);
-
switch(code)
{
case TLSEXT_SERVER_NAME_INDICATION:
@@ -34,7 +33,7 @@ Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size,
return new Supported_Groups(reader, size);
case TLSEXT_CERT_STATUS_REQUEST:
- return new Certificate_Status_Request(reader, size, side);
+ return new Certificate_Status_Request(reader, size, from);
case TLSEXT_EC_POINT_FORMATS:
return new Supported_Point_Formats(reader, size);
@@ -59,6 +58,9 @@ Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size,
case TLSEXT_SESSION_TICKET:
return new Session_Ticket(reader, size);
+
+ case TLSEXT_SUPPORTED_VERSIONS:
+ return new Supported_Versions(reader, size, from);
}
return new Unknown_Extension(static_cast<Handshake_Extension_Type>(code),
@@ -67,7 +69,7 @@ Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size,
}
-void Extensions::deserialize(TLS_Data_Reader& reader, Connection_Side side)
+void Extensions::deserialize(TLS_Data_Reader& reader, Connection_Side from)
{
if(reader.has_remaining())
{
@@ -88,7 +90,7 @@ void Extensions::deserialize(TLS_Data_Reader& reader, Connection_Side side)
"Peer sent duplicated extensions");
Extension* extn = make_extension(
- reader, extension_code, extension_size, side);
+ reader, extension_code, extension_size, from);
this->add(extn);
}
@@ -539,8 +541,8 @@ std::vector<uint8_t> Certificate_Status_Request::serialize() const
Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader,
uint16_t extension_size,
- Connection_Side side) :
- m_server_side(side == SERVER)
+ Connection_Side from) :
+ m_server_side(from == SERVER)
{
if(extension_size > 0)
{
@@ -573,6 +575,81 @@ Certificate_Status_Request::Certificate_Status_Request() : m_server_side(true)
}
+std::vector<uint8_t> Supported_Versions::serialize() const
+ {
+ std::vector<uint8_t> buf;
+
+ if(m_server_side)
+ {
+ BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
+ buf.push_back(m_versions[0].major_version());
+ buf.push_back(m_versions[0].minor_version());
+ }
+ else
+ {
+ const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
+
+ buf.push_back(len);
+
+ for(Protocol_Version version : m_versions)
+ {
+ buf.push_back(get_byte(0, version.major_version()));
+ buf.push_back(get_byte(1, version.minor_version()));
+ }
+ }
+
+ return buf;
+ }
+
+Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& policy) :
+ m_server_side(false)
+ {
+ if(offer.is_datagram_protocol())
+ {
+ if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
+ m_versions.push_back(Protocol_Version::DTLS_V12);
+ if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
+ m_versions.push_back(Protocol_Version::DTLS_V10);
+ }
+ else
+ {
+ if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
+ m_versions.push_back(Protocol_Version::TLS_V12);
+ if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
+ m_versions.push_back(Protocol_Version::TLS_V11);
+ if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
+ m_versions.push_back(Protocol_Version::TLS_V10);
+ }
+ }
+
+Supported_Versions::Supported_Versions(TLS_Data_Reader& reader,
+ uint16_t extension_size,
+ Connection_Side from)
+ {
+ if(from == Connection_Side::SERVER)
+ {
+ m_server_side = true;
+ m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
+ }
+ else
+ {
+ m_server_side = false;
+
+ auto versions = reader.get_range<uint16_t>(1, 1, 127);
+
+ for(auto v : versions)
+ m_versions.push_back(Protocol_Version(v));
+ }
+ }
+
+bool Supported_Versions::supports(Protocol_Version version) const
+ {
+ for(auto v : m_versions)
+ if(version == v)
+ return true;
+ return false;
+ }
+
}
}
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index 5920a1576..e015f7b82 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -12,6 +12,7 @@
#include <botan/tls_algos.h>
#include <botan/tls_magic.h>
+#include <botan/tls_version.h>
#include <botan/secmem.h>
#include <botan/x509_dn.h>
#include <vector>
@@ -23,6 +24,8 @@ namespace Botan {
namespace TLS {
+class Policy;
+
class TLS_Data_Reader;
enum Handshake_Extension_Type {
@@ -42,6 +45,8 @@ enum Handshake_Extension_Type {
TLSEXT_SESSION_TICKET = 35,
+ TLSEXT_SUPPORTED_VERSIONS = 43,
+
TLSEXT_SAFE_RENEGOTIATION = 65281,
};
@@ -425,6 +430,40 @@ class BOTAN_UNSTABLE_API Certificate_Status_Request final : public Extension
};
/**
+* Supported Versions from RFC 8446
+*/
+class BOTAN_UNSTABLE_API Supported_Versions final : public Extension
+ {
+ public:
+ static Handshake_Extension_Type static_type()
+ { return TLSEXT_SUPPORTED_VERSIONS; }
+
+ Handshake_Extension_Type type() const override { return static_type(); }
+
+ std::vector<uint8_t> serialize() const override;
+
+ bool empty() const override { return m_versions.empty(); }
+
+ Supported_Versions(Protocol_Version version, const Policy& policy);
+
+ Supported_Versions(Protocol_Version version) : m_server_side(true)
+ {
+ m_versions.push_back(version);
+ }
+
+ Supported_Versions(TLS_Data_Reader& reader,
+ uint16_t extension_size,
+ Connection_Side from);
+
+ bool supports(Protocol_Version version) const;
+
+ const std::vector<Protocol_Version> versions() const { return m_versions; }
+ private:
+ std::vector<Protocol_Version> m_versions;
+ bool m_server_side;
+ };
+
+/**
* Unknown extensions are deserialized as this type
*/
class BOTAN_UNSTABLE_API Unknown_Extension final : public Extension
@@ -484,7 +523,7 @@ class BOTAN_UNSTABLE_API Extensions final
std::vector<uint8_t> serialize() const;
- void deserialize(TLS_Data_Reader& reader, Connection_Side side);
+ void deserialize(TLS_Data_Reader& reader, Connection_Side from);
/**
* Remvoe an extension from this extensions object, if it exists.
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index 31c067696..7c35bff87 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -94,6 +94,8 @@ class BOTAN_UNSTABLE_API Client_Hello final : public Handshake_Message
Protocol_Version version() const { return m_version; }
+ std::vector<Protocol_Version> supported_versions() const;
+
const std::vector<uint8_t>& random() const { return m_random; }
const std::vector<uint8_t>& session_id() const { return m_session_id; }
diff --git a/src/lib/tls/tls_reader.h b/src/lib/tls/tls_reader.h
index 8474f1308..c6cffed32 100644
--- a/src/lib/tls/tls_reader.h
+++ b/src/lib/tls/tls_reader.h
@@ -98,7 +98,7 @@ class TLS_Data_Reader final
const size_t num_elems =
get_num_elems(len_bytes, sizeof(T), min_elems, max_elems);
- return get_elem<T, std::vector<T> >(num_elems);
+ return get_elem<T, std::vector<T>>(num_elems);
}
template<typename T>
@@ -109,7 +109,7 @@ class TLS_Data_Reader final
const size_t num_elems =
get_num_elems(len_bytes, sizeof(T), min_elems, max_elems);
- return get_elem<T, std::vector<T> >(num_elems);
+ return get_elem<T, std::vector<T>>(num_elems);
}
std::string get_string(size_t len_bytes,
@@ -125,7 +125,7 @@ class TLS_Data_Reader final
template<typename T>
std::vector<T> get_fixed(size_t size)
{
- return get_elem<T, std::vector<T> >(size);
+ return get_elem<T, std::vector<T>>(size);
}
private:
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index fb0b5eacc..d2474c225 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -382,10 +382,13 @@ namespace {
Protocol_Version select_version(const Botan::TLS::Policy& policy,
Protocol_Version client_offer,
Protocol_Version active_version,
- bool is_fallback)
+ bool is_fallback,
+ const std::vector<Protocol_Version>& supported_versions)
{
- const Protocol_Version latest_supported =
- policy.latest_supported_version(client_offer.is_datagram_protocol());
+ const bool is_datagram = client_offer.is_datagram_protocol();
+ const bool initial_handshake = (active_version.valid() == false);
+
+ const Protocol_Version latest_supported = policy.latest_supported_version(is_datagram);
if(is_fallback)
{
@@ -394,7 +397,27 @@ Protocol_Version select_version(const Botan::TLS::Policy& policy,
"Client signalled fallback SCSV, possible attack");
}
- const bool initial_handshake = (active_version.valid() == false);
+ if(supported_versions.size() > 0)
+ {
+ if(is_datagram)
+ {
+ if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12)))
+ return Protocol_Version::DTLS_V12;
+ if(policy.allow_dtls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V10)))
+ return Protocol_Version::DTLS_V10;
+ throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared DTLS version");
+ }
+ else
+ {
+ if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12)))
+ return Protocol_Version::TLS_V12;
+ if(policy.allow_tls11() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V11)))
+ return Protocol_Version::TLS_V11;
+ if(policy.allow_tls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V10)))
+ return Protocol_Version::TLS_V10;
+ throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared TLS version");
+ }
+ }
const bool client_offer_acceptable =
client_offer.known_version() && policy.acceptable_protocol_version(client_offer);
@@ -487,7 +510,8 @@ void Server::process_client_hello_msg(const Handshake_State* active_state,
const Protocol_Version negotiated_version =
select_version(policy(), client_offer,
active_state ? active_state->version() : Protocol_Version(),
- pending_state.client_hello()->sent_fallback_scsv());
+ pending_state.client_hello()->sent_fallback_scsv(),
+ pending_state.client_hello()->supported_versions());
const auto compression_methods = pending_state.client_hello()->compression_methods();
if(!value_exists(compression_methods, uint8_t(0)))
diff --git a/src/lib/tls/tls_version.h b/src/lib/tls/tls_version.h
index 13be64316..4d56f94ca 100644
--- a/src/lib/tls/tls_version.h
+++ b/src/lib/tls/tls_version.h
@@ -48,18 +48,20 @@ class BOTAN_PUBLIC_API(2,0) Protocol_Version final
Protocol_Version() : m_version(0) {}
+ explicit Protocol_Version(uint16_t code) : m_version(code) {}
+
/**
* @param named_version a specific named version of the protocol
*/
Protocol_Version(Version_Code named_version) :
- m_version(static_cast<uint16_t>(named_version)) {}
+ Protocol_Version(static_cast<uint16_t>(named_version)) {}
/**
* @param major the major version
* @param minor the minor version
*/
Protocol_Version(uint8_t major, uint8_t minor) :
- m_version(static_cast<uint16_t>((static_cast<uint16_t>(major) << 8) | minor)) {}
+ Protocol_Version(static_cast<uint16_t>((static_cast<uint16_t>(major) << 8) | minor)) {}
/**
* @return true if this is a valid protocol version
diff --git a/src/scripts/tls_scanner/policy.txt b/src/scripts/tls_scanner/policy.txt
index a9854ee54..ddd7a7c57 100644
--- a/src/scripts/tls_scanner/policy.txt
+++ b/src/scripts/tls_scanner/policy.txt
@@ -9,7 +9,7 @@ ciphers=Camellia-128 Camellia-256 Camellia-128/GCM Camellia-256/GCM ChaCha20Poly
signature_hashes=SHA-384 SHA-256 SHA-1
macs=AEAD SHA-384 SHA-256 SHA-1
key_exchange_methods=CECPQ1 ECDH DH RSA
-signature_methods=ECDSA RSA DSA
+signature_methods=ECDSA RSA DSA IMPLICIT
ecc_curves=x25519 secp256r1 secp384r1
minimum_dh_group_size=1024
minimum_ecdh_group_size=255
diff --git a/src/scripts/tls_scanner/urls.txt b/src/scripts/tls_scanner/urls.txt
index a5bcf349e..3be7276b3 100644
--- a/src/scripts/tls_scanner/urls.txt
+++ b/src/scripts/tls_scanner/urls.txt
@@ -27,18 +27,15 @@ linkedin.com
medium.com
microsoft.com
mikestoolbox.org
-nec.com
netflix.com
openssl.org
oracle.com
-sgi.com
chase.com
bankofamerica.com
citibank.com
wellsfargo.com
ebay.com
paypal.com
-pwc.com
randombit.net
reddit.com
redhat.com
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index fa23b5842..e42cd6a4a 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -751,6 +751,12 @@ class TLS_Unit_Tests final : public Test
policy.set("key_exchange_methods", kex_policy);
policy.set("negotiate_encrypt_then_mac", etm_policy);
+ policy.set("allow_tls10", "true");
+ policy.set("allow_tls11", "true");
+ policy.set("allow_tls12", "true");
+ policy.set("allow_dtls10", "true");
+ policy.set("allow_dtls12", "true");
+
if(kex_policy.find("RSA") != std::string::npos)
{
policy.set("signature_methods", "IMPLICIT");
@@ -798,6 +804,11 @@ class TLS_Unit_Tests final : public Test
policy.set("ciphers", cipher_policy);
policy.set("macs", mac_policy);
policy.set("key_exchange_methods", kex_policy);
+ policy.set("allow_tls10", "false");
+ policy.set("allow_tls11", "false");
+ policy.set("allow_tls12", "true");
+ policy.set("allow_dtls10", "false");
+ policy.set("allow_dtls12", "true");
if(kex_policy.find("RSA") != std::string::npos)
{
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-04 01:16:28 +0000