From ad8c607df66aac55ca6133281635513a34ef5a88 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Mon, 29 Jul 2019 15:11:53 +0200
Subject: ssl: Avoid broken ALPN/NPN renegotiation in OpenSSL
All these test work fine with current OpenSSL master
---
 lib/ssl/test/openssl_alpn_SUITE.erl | 14 +++++++++-----
 lib/ssl/test/openssl_npn_SUITE.erl | 17 ++++++++++++-----
 lib/ssl/test/ssl_test_lib.erl | 22 ++++++++++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/lib/ssl/test/openssl_alpn_SUITE.erl b/lib/ssl/test/openssl_alpn_SUITE.erl
index 1e8912be7d..5008dba922 100644
--- a/lib/ssl/test/openssl_alpn_SUITE.erl
+++ b/lib/ssl/test/openssl_alpn_SUITE.erl
@@ -36,7 +36,7 @@
 all() ->
 %% Note: ALPN not supported in sslv3
- case ssl_test_lib:openssl_sane_dtls() of
+ case ssl_test_lib:openssl_sane_dtls_alpn() of
 true ->
 [
 {group, 'tlsv1.3'},
@@ -52,7 +52,7 @@ all() ->
 end.
 groups() ->
- case ssl_test_lib:openssl_sane_dtls() of
+ case ssl_test_lib:openssl_sane_dtls_alpn() of
 true ->
 [
 {'tlsv1.3', [], alpn_tests()},
@@ -85,9 +85,13 @@ alpn_npn_coexist() ->
 erlang_server_alpn_npn_openssl_client_alpn_npn
 ].
 rengotiation_tests() ->
- [erlang_client_alpn_openssl_server_alpn_renegotiate,
- erlang_server_alpn_openssl_client_alpn_renegotiate].
-
+ case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+ true ->
+ [erlang_client_alpn_openssl_server_alpn_renegotiate,
+ erlang_server_alpn_openssl_client_alpn_renegotiate];
+ false ->
+ []
+ end.
 init_per_suite(Config0) ->
 case os:find_executable("openssl") of
 false ->
diff --git a/lib/ssl/test/openssl_npn_SUITE.erl b/lib/ssl/test/openssl_npn_SUITE.erl
index f249ba47c2..0294f4997f 100644
--- a/lib/ssl/test/openssl_npn_SUITE.erl
+++ b/lib/ssl/test/openssl_npn_SUITE.erl
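Review bot: In the last hunk of openssl_alpn_SUITE.erl, `rengotiation_tests/0` returns `[]` on the listed builds, so the two renegotiation cases simply disappear from the Common Test report rather than showing up as skipped. A run against one of those builds then looks the same as a run with full TLS renegotiation coverage, which makes a later regression in that path easy to miss. Keeping the cases in the list and returning `{skip, "ALPN/NPN renegotiation broken in this OpenSSL build"}` from the per-testcase init (not visible in this hunk) would leave a record of what was not exercised. The same applies to `npn_renegotiate_tests/0` in openssl_npn_SUITE.erl. If the empty list stays, a comment such as `%% Empty on OpenSSL/LibreSSL builds known to mishandle ALPN/NPN renegotiation` above the function would explain it.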
@@ -41,21 +41,28 @@ all() ->
 {group, 'tlsv1'}].
 groups() ->
- [{'tlsv1.2', [], npn_tests()},
- {'tlsv1.1', [], npn_tests()},
- {'tlsv1', [], npn_tests()}
+ [{'tlsv1.2', [], npn_tests() ++ npn_renegotiate_tests()},
+ {'tlsv1.1', [], npn_tests() ++ npn_renegotiate_tests()},
+ {'tlsv1', [], npn_tests() ++ npn_renegotiate_tests()}
 ].
 npn_tests() ->
 [erlang_client_openssl_server_npn,
 erlang_server_openssl_client_npn,
- erlang_server_openssl_client_npn_renegotiate,
- erlang_client_openssl_server_npn_renegotiate,
 erlang_server_openssl_client_npn_only_client,
 erlang_server_openssl_client_npn_only_server,
 erlang_client_openssl_server_npn_only_client,
 erlang_client_openssl_server_npn_only_server].
+npn_renegotiate_tests() ->
+ case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+ true ->
+ [erlang_server_openssl_client_npn_renegotiate,
+ erlang_client_openssl_server_npn_renegotiate];
+ false ->
+ []
+ end.
+
 init_per_suite(Config0) ->
 case os:find_executable("openssl") of
 false ->
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 7009a628f1..9bf2393897 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -2716,3 +2716,25 @@ new_config(PrivDir, ServerOpts0) ->
 [{cacertfile, NewCaCertFile},
 {certfile, NewCertFile},
 {keyfile, NewKeyFile} | ServerOpts].
+
+sane_openssl_alpn_npn_renegotiate() ->
+ case os:cmd("openssl version") of
+ "LibreSSL 2.9.1" ++ _ ->
+ false;
+ "LibreSSL 2.6.4" ++ _ ->
+ false;
+ "OpenSSL 1.1.1a-freebsd" ++ _ ->
+ false;
+ _ ->
+ true
+ end.
+
+openssl_sane_dtls_alpn() ->
+ case os:cmd("openssl version") of
+ "OpenSSL 1.1.0g" ++ _ ->
+ false;
+ "OpenSSL 1.1.1a" ++ _ ->
+ false;
+ _->
+ openssl_sane_dtls()
+ end.
--
cgit v1.2.3
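Review bot: Both helpers added to ssl_test_lib.erl treat any `openssl version` output they do not recognise as sane, since the `_ ->` clause of `sane_openssl_alpn_npn_renegotiate/0` returns `true` and `openssl_sane_dtls_alpn/0` defers to `openssl_sane_dtls()`. That fall-through presumably also takes the shell's error text when `openssl` is missing, because `all()`/`groups()` are evaluated before `init_per_suite` runs its `os:find_executable("openssl")` check. The lists match by prefix, so `"OpenSSL 1.1.1a" ++ _` also covers `1.1.1a-freebsd`, while neighbouring LibreSSL releases pass through unlisted. Neither function says what was observed on each version, so a header comment such as `%% Builds where ALPN/NPN renegotiation against OpenSSL is known to fail; unlisted versions are assumed to work` would tell a maintainer when an entry can be dropped. As a style point, `_->` in the second function should read `_ ->` like the clause above it.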