diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e174219d4..6a1bfa8f5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -853,12 +853,21 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) { + const mbedtls_ssl_config *conf = ssl->conf; + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + if( mbedtls_ssl_conf_is_tls13_enabled( conf ) && + ( conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ) { - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 server is not supported yet." ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( mbedtls_ssl_conf_is_tls13_only( conf ) ) + { + if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported." ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) ); @@ -867,7 +876,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + if( mbedtls_ssl_conf_is_tls12_only( conf ) ) { MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) ); return( 0 ); @@ -875,7 +884,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) - if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) ) + if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( conf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index aff2411e6..03351d419 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9630,26 +9630,23 @@ run_test "TLS 1.3: Test gnutls tls1_3 feature" \ -c "Version: TLS1.3" # TLS1.3 test cases -# TODO: remove or rewrite this test case if #4832 is resolved. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 skip_handshake_stage_check run_test "TLS 1.3: Not supported version check: tls12 and tls13" \ - "$P_SRV debug_level=1 min_version=tls12 max_version=tls13" \ + "$P_SRV debug_level=1" \ "$P_CLI debug_level=1 min_version=tls12 max_version=tls13" \ 1 \ - -s "SSL - The requested feature is not available" \ -c "SSL - The requested feature is not available" \ - -s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \ -c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "TLS 1.3: handshake dispatch test: tls13 only" \ - "$P_SRV debug_level=2 min_version=tls13 max_version=tls13" \ - "$P_CLI debug_level=2 min_version=tls13 max_version=tls13" \ +skip_handshake_stage_check +run_test "TLS 1.3: No server support" \ + "$P_SRV debug_level=2 force_version=tls13" \ + "$P_CLI debug_level=2 force_version=tls13" \ 1 \ - -s "tls13 server state: MBEDTLS_SSL_HELLO_REQUEST" \ - -c "tls13 client state: MBEDTLS_SSL_HELLO_REQUEST" + -s "TLS 1.3 server is not supported yet." requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 7de562afd..e330016f5 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -101,6 +101,7 @@ Test mbedtls_endpoint sanity for the client mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_CLIENT Test mbedtls_endpoint sanity for the server +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_SERVER Test moving clients handshake to state: HELLO_REQUEST