Enable all ciphers in OpenSSL >=1.1.0
OpenSSL may be configured to support features such as cipher suites or protocol versions that are disabled by default. Enable them all: we're testing, we don't care about enabling insecure stuff. This is not needed with the builds of OpenSSL that we're currently using on the Jenkins CI, but it's needed with more recent versions such as typically found on developer machines, and with future CI additions. The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we don't need to do anything special with earlier versions. With OpenSSL 1.1.1f on Ubuntu 20.04, this allows SHA-1 in certificates, which is still needed for a few test cases in ssl-opt.sh. Curiously, this is also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and no other, including other DHE-PSK or ARIA cipher suites). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
parent
6157fee306
commit
4bdb9fbfa2
2 changed files with 28 additions and 0 deletions
|
|
@ -595,6 +595,20 @@ setup_arguments()
|
|||
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
|
||||
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
|
||||
|
||||
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
|
||||
# low-security ones. This covers not just cipher suites but also protocol
|
||||
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
|
||||
# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
|
||||
# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
|
||||
# a way to discover it from -help, so check the openssl version.
|
||||
case $($OPENSSL_CMD version) in
|
||||
"OpenSSL 0"*|"OpenSSL 1.0"*) :;;
|
||||
*)
|
||||
O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
|
||||
O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "X$VERIFY" = "XYES" ];
|
||||
then
|
||||
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
|
||||
|
|
|
|||
|
|
@ -1689,6 +1689,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
|||
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
|
||||
fi
|
||||
|
||||
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
|
||||
# low-security ones. This covers not just cipher suites but also protocol
|
||||
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
|
||||
# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
|
||||
# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
|
||||
# a way to discover it from -help, so check the openssl version.
|
||||
case $($OPENSSL_CMD version) in
|
||||
"OpenSSL 0"*|"OpenSSL 1.0"*) :;;
|
||||
*)
|
||||
O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
|
||||
O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "${OPENSSL_NEXT:-}" ]; then
|
||||
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
|
||||
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
|
||||
|
|
|
|||
Loading…
Reference in a new issue