aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
authorDániel Szoboszlay <[email protected]>2015-10-13 14:39:35 +0200
committerSverker Eriksson <[email protected]>2016-01-28 19:29:24 +0100
commit62ad9fb02820b7563402702e6026d9f4213149c6 (patch)
treed4f8bff2fce3b0bf67301e0c4e12ef37f759a2cb /lib/ssl
parent279cb5b1bba53b93384093530ae781fcf203756b (diff)
downloadotp-62ad9fb02820b7563402702e6026d9f4213149c6.tar.gz
otp-62ad9fb02820b7563402702e6026d9f4213149c6.tar.bz2
otp-62ad9fb02820b7563402702e6026d9f4213149c6.zip
Ensure testing ssl with supported ciphers only
There are two problematic areas: EC curve selection and interoperability tests with OpenSSL. The tests shouldn't assume any particular EC curve is available, but should always check the list of curves reported by tls_v1:ecc_curves/1. And during interoperability tests the tests shouldn't assume that any cipher suite supported by Erlang is also supported by OpenSSL. There are OpenSSL packages where the command line openssl tool only supports a subset of the ciphers available in libcrypto. The actual list of supported cipher suites thus shall be queried from OpenSSL.
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/test/erl_make_certs.erl4
-rw-r--r--lib/ssl/test/ssl_test_lib.erl12
2 files changed, 14 insertions, 2 deletions
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index 8e909a5b74..f5cada9021 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -334,7 +334,9 @@ make_key(dsa, _Opts) ->
gen_dsa2(128, 20); %% Bytes i.e. {1024, 160}
make_key(ec, _Opts) ->
%% (OBS: for testing only)
- gen_ec2(secp256k1).
+ CurveOid = hd(tls_v1:ecc_curves(0)),
+ NamedCurve = pubkey_cert_records:namedCurves(CurveOid),
+ gen_ec2(NamedCurve).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% RSA key generation (OBS: for testing only)
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 77c29668b5..afd21f0d2f 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -818,7 +818,17 @@ rsa_suites(CounterPart) ->
(_) ->
false
end,
- ssl:cipher_suites()).
+ common_ciphers(CounterPart)).
+
+common_ciphers(crypto) ->
+ ssl:cipher_suites();
+common_ciphers(openssl) ->
+ OpenSslSuites =
+ string:tokens(string:strip(os:cmd("openssl ciphers"), right, $\n), ":"),
+ [ssl:suite_definition(S)
+ || S <- ssl_cipher:suites(tls_record:highest_protocol_version([])),
+ lists:member(ssl_cipher:openssl_suite_name(S), OpenSslSuites)
+ ].
rsa_non_signed_suites() ->
lists:filter(fun({rsa, _, _}) ->