ssl: Add option to phase out support for sslv2 client hello

ssl servers can recognize sslv2 client hellos to interop with clients that support higher version of SSL/TLS but also offers sslv2 Conflicts: lib/ssl/src/tls_connection.erl
author: Ingela Anderton Andin <[email protected]> 2016-05-03 12:07:51 +0200
committer: Ingela Anderton Andin <[email protected]> 2016-06-03 12:14:43 +0200
commit: 33afe108de9cf24be47b9ebd740a8f5e19daca79 (patch)
tree: 000f6b30068d5e696197c53b8cf4053602daab29 /lib/ssl/test
parent: f7e370a7513c93ae74eb7861d094589990958aa7 (diff)
download: otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.tar.gz
otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.tar.bz2
otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.zip
4 files changed, 21 insertions, 10 deletions
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 99f7c9b780..efe996e57c 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -3059,7 +3059,7 @@ tls_ciphersuite_vs_version(Config) when is_list(Config) ->
 		      >>),
     {ok, <<22, RecMajor:8, RecMinor:8, _RecLen:16, 2, HelloLen:24>>} = gen_tcp:recv(Socket, 9, 10000),
     {ok, <<HelloBin:HelloLen/binary>>} = gen_tcp:recv(Socket, HelloLen, 5000),
-    ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin),
+    ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin, false),
     case ServerHello of
 	#server_hello{server_version = {3,0}, cipher_suite = <<0,57>>} -> 
 	    ok;
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 26e83413c1..a671e3e307 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -99,7 +99,8 @@ decode_hello_handshake(_Config) ->
 		    16#70, 16#64, 16#79, 16#2f, 16#32>>,
 	
     Version = {3, 0},
-    {Records, _Buffer} = tls_handshake:get_tls_handshake(Version, HelloPacket, <<>>),
+    {Records, _Buffer} = tls_handshake:get_tls_handshake(Version, HelloPacket, <<>>, 
+							 #ssl_options{v2_hello_compatible = false}),
 
     {Hello, _Data} = hd(Records),
     #renegotiation_info{renegotiated_connection = <<0>>}
diff --git a/lib/ssl/test/ssl_npn_hello_SUITE.erl b/lib/ssl/test/ssl_npn_hello_SUITE.erl
index 533501e788..00eb9fee4f 100644
--- a/lib/ssl/test/ssl_npn_hello_SUITE.erl
+++ b/lib/ssl/test/ssl_npn_hello_SUITE.erl
@@ -57,7 +57,7 @@ encode_and_decode_client_hello_test(Config) ->
     HandShakeData = create_client_handshake(undefined),
     Version = ssl_test_lib:protocol_version(Config),
     {[{DecodedHandshakeMessage, _Raw}], _} =
-	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>),
+	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>, #ssl_options{}),
     NextProtocolNegotiation = (DecodedHandshakeMessage#client_hello.extensions)#hello_extensions.next_protocol_negotiation,
     NextProtocolNegotiation = undefined.
 %%--------------------------------------------------------------------
@@ -65,7 +65,7 @@ encode_and_decode_npn_client_hello_test(Config) ->
     HandShakeData = create_client_handshake(#next_protocol_negotiation{extension_data = <<>>}),
     Version = ssl_test_lib:protocol_version(Config),
     {[{DecodedHandshakeMessage, _Raw}], _} =
-	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>),
+	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>,  #ssl_options{}),
     NextProtocolNegotiation = (DecodedHandshakeMessage#client_hello.extensions)#hello_extensions.next_protocol_negotiation,
     NextProtocolNegotiation = #next_protocol_negotiation{extension_data = <<>>}.
 %%--------------------------------------------------------------------
@@ -73,7 +73,7 @@ encode_and_decode_server_hello_test(Config) ->
     HandShakeData = create_server_handshake(undefined),
     Version = ssl_test_lib:protocol_version(Config),
     {[{DecodedHandshakeMessage, _Raw}], _} =
-	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>),
+	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>, #ssl_options{}),
     NextProtocolNegotiation = (DecodedHandshakeMessage#server_hello.extensions)#hello_extensions.next_protocol_negotiation,
     NextProtocolNegotiation = undefined.
 %%--------------------------------------------------------------------
@@ -81,7 +81,7 @@ encode_and_decode_npn_server_hello_test(Config) ->
     HandShakeData = create_server_handshake(#next_protocol_negotiation{extension_data = <<6, "spdy/2">>}),
     Version = ssl_test_lib:protocol_version(Config),
     {[{DecodedHandshakeMessage, _Raw}], _} =
-	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>),
+	tls_handshake:get_tls_handshake(Version, list_to_binary(HandShakeData), <<>>,  #ssl_options{}),
     NextProtocolNegotiation = (DecodedHandshakeMessage#server_hello.extensions)#hello_extensions.next_protocol_negotiation,
     ct:log("~p ~n", [NextProtocolNegotiation]),
     NextProtocolNegotiation = #next_protocol_negotiation{extension_data = <<6, "spdy/2">>}.
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 9df31a3381..d9a4657a79 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -131,6 +131,13 @@ end_per_suite(_Config) ->
     ssl:stop(),
     application:stop(crypto).
 
+init_per_group(basic, Config) ->
+    case ssl_test_lib:supports_ssl_tls_version(sslv2) of
+	true ->
+	    [{v2_hello_compatible, true} | Config];
+	false ->
+	    [{v2_hello_compatible, false} | Config]
+    end;
 init_per_group(GroupName, Config) ->
     case ssl_test_lib:is_tls_version(GroupName) of
 	true ->
@@ -296,15 +303,18 @@ basic_erlang_server_openssl_client() ->
 basic_erlang_server_openssl_client(Config) when is_list(Config) ->
     process_flag(trap_exit, true),
     ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    V2Compat = proplists:get_value(v2_hello_compatible, Config), 
 
     {_, ServerNode, _} = ssl_test_lib:run_where(Config),
     
     Data = "From openssl to erlang",
+    ct:pal("v2_hello_compatible: ~p", [V2Compat]),
 
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
 					{from, self()}, 
-			   {mfa, {?MODULE, erlang_ssl_receive, [Data]}},
-			   {options, ServerOpts}]),
+					{mfa, {?MODULE, erlang_ssl_receive, [Data]}},
+					{options,[{v2_hello_compatible, V2Compat} | ServerOpts]}]),
+
     Port = ssl_test_lib:inet_port(Server),
     
     Exe = "openssl",
@@ -318,8 +328,8 @@ basic_erlang_server_openssl_client(Config) when is_list(Config) ->
     %% Clean close down!   Server needs to be closed first !!
     ssl_test_lib:close(Server),
     ssl_test_lib:close_port(OpenSslPort),
-    process_flag(trap_exit, false),
-    ok.
+    process_flag(trap_exit, false).
+
 %%--------------------------------------------------------------------
 erlang_client_openssl_server() ->
     [{doc,"Test erlang client with openssl server"}].
author	Ingela Anderton Andin <[email protected]>	2016-05-03 12:07:51 +0200
committer	Ingela Anderton Andin <[email protected]>	2016-06-03 12:14:43 +0200
commit	33afe108de9cf24be47b9ebd740a8f5e19daca79 (patch)
tree	000f6b30068d5e696197c53b8cf4053602daab29 /lib/ssl/test
parent	f7e370a7513c93ae74eb7861d094589990958aa7 (diff)
download	otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.tar.gz otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.tar.bz2 otp-33afe108de9cf24be47b9ebd740a8f5e19daca79.zip