Merge branch 'master' into private-emaldona-upstream-experiment
This commit is contained in:
commit
4d5d729ef7
102
mozbz1277569backport.patch
Normal file
102
mozbz1277569backport.patch
Normal file
@ -0,0 +1,102 @@
|
||||
--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
|
||||
@@ -675,16 +675,28 @@
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure; /* not allowed */
|
||||
}
|
||||
break;
|
||||
}
|
||||
ssl_EnableSSL3(&ss->vrange, on);
|
||||
break;
|
||||
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ /* We no longer support SSL v2.
|
||||
+ * However, if an old application requests to disable SSL v2,
|
||||
+ * we shouldn't fail.
|
||||
+ */
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ rv = SECFailure;
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
case SSL_NO_CACHE:
|
||||
ss->opt.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ss->opt.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
@@ -856,16 +868,20 @@
|
||||
on = ss->opt.handshakeAsServer;
|
||||
break;
|
||||
case SSL_ENABLE_TLS:
|
||||
on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
break;
|
||||
case SSL_ENABLE_SSL3:
|
||||
on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
|
||||
break;
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ on = PR_FALSE;
|
||||
+ break;
|
||||
case SSL_NO_CACHE:
|
||||
on = ss->opt.noCache;
|
||||
break;
|
||||
case SSL_ENABLE_FDX:
|
||||
on = ss->opt.fdx;
|
||||
break;
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
on = ss->opt.detectRollBack;
|
||||
@@ -967,16 +983,20 @@
|
||||
on = ssl_defaults.handshakeAsServer;
|
||||
break;
|
||||
case SSL_ENABLE_TLS:
|
||||
on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
break;
|
||||
case SSL_ENABLE_SSL3:
|
||||
on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
|
||||
break;
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ on = PR_FALSE;
|
||||
+ break;
|
||||
case SSL_NO_CACHE:
|
||||
on = ssl_defaults.noCache;
|
||||
break;
|
||||
case SSL_ENABLE_FDX:
|
||||
on = ssl_defaults.fdx;
|
||||
break;
|
||||
case SSL_ROLLBACK_DETECTION:
|
||||
on = ssl_defaults.detectRollBack;
|
||||
@@ -1100,16 +1120,28 @@
|
||||
case SSL_ENABLE_TLS:
|
||||
ssl_EnableTLS(&versions_defaults_stream, on);
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL3:
|
||||
ssl_EnableSSL3(&versions_defaults_stream, on);
|
||||
break;
|
||||
|
||||
+ case SSL_ENABLE_SSL2:
|
||||
+ case SSL_V2_COMPATIBLE_HELLO:
|
||||
+ /* We no longer support SSL v2.
|
||||
+ * However, if an old application requests to disable SSL v2,
|
||||
+ * we shouldn't fail.
|
||||
+ */
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
case SSL_NO_CACHE:
|
||||
ssl_defaults.noCache = on;
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_FDX:
|
||||
if (on && ssl_defaults.noLocks) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
@ -1,6 +1,6 @@
|
||||
diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn
|
||||
--- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
||||
+++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
||||
diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
|
||||
--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
||||
+++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
||||
@@ -8,7 +8,6 @@ DEPTH = ..
|
||||
DIRS = \
|
||||
google_test \
|
||||
|
52
nss.spec
52
nss.spec
@ -21,7 +21,7 @@ Name: nss
|
||||
Version: 3.24.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 2.0%{?dist}
|
||||
Release: 2.3%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
@ -96,9 +96,15 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# TODO: file a bug usptream
|
||||
Patch59: nss-check-policy-file.patch
|
||||
Patch60: nss-pem-unitialized-vars.path
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
|
||||
Patch61: mozbz1277569backport.patch
|
||||
# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
Patch61: nss-skip-util-gtest.patch
|
||||
|
||||
# TODO: file a bug usptream
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
# TODO: file a bug usptream when enough tests are run
|
||||
Patch63: tests-check-policy-file.patch
|
||||
# TODO: file a bug usptream when enough tests are run
|
||||
Patch64: tests-data-adjust-for-policy.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -181,14 +187,15 @@ low level services.
|
||||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
popd
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch60 -p1 -b .unitialized_vars
|
||||
%patch61 -p1 -b .compatibility
|
||||
%patch62 -p0 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .check_policy
|
||||
%patch64 -p1 -b .expected_result
|
||||
popd
|
||||
%patch61 -p0 -b .skip_util_gtest
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
@ -225,15 +232,15 @@ done
|
||||
%{__rm} -rf ./nss/external_tests/util_gtests
|
||||
|
||||
pushd nss/tests/ssl
|
||||
# Create versions of sslcov.txt and sslstress.txt that disable tests
|
||||
# for SSL2 and EXPORT ciphers.
|
||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
|
||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
|
||||
# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable
|
||||
# tests for non policy compliant ciphers.
|
||||
cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt
|
||||
cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt
|
||||
cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt
|
||||
popd
|
||||
|
||||
%build
|
||||
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
@ -307,6 +314,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load it if it exists
|
||||
# TODO: restore the POLICY_FILE and POLICY_PATH exports
|
||||
export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
@ -396,6 +404,10 @@ fi
|
||||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that policy is enabled
|
||||
export POLICY_FILE="nss.config"
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
@ -803,8 +815,24 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
|
||||
- Apply the patch that was last introduced
|
||||
- Renumber and reorder some of the patches
|
||||
- Resolves: Bug 1342158
|
||||
|
||||
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.2
|
||||
- Allow application requests to disable SSL v2 to succeed
|
||||
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
|
||||
|
||||
* Sun May 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.1
|
||||
- Rebase to NSS 3.24.0
|
||||
- Restore setting the policy file location
|
||||
- Make ssl tests scripts aware of policy
|
||||
- Ajust tests data expected result for policy
|
||||
|
||||
* Tue May 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.0
|
||||
- Rebase to NSS 3.24.0
|
||||
- Bootstrap build to rebase to NSS 3.24.0
|
||||
- Temporarily not setting the policy file location
|
||||
|
||||
* Thu May 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-9
|
||||
- Change POLICY_FILE to "nss.config"
|
||||
|
84
tests-check-policy-file.patch
Normal file
84
tests-check-policy-file.patch
Normal file
@ -0,0 +1,84 @@
|
||||
diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt
|
||||
diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.check_policy 2016-05-17 00:58:45.000000000 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2016-05-28 15:45:07.645964005 -0700
|
||||
@@ -61,10 +61,19 @@ ssl_init()
|
||||
nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
|
||||
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
|
||||
|
||||
+ NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
|
||||
+ ? "${POLICY_PATH}/${POLICY_FILE}" \
|
||||
+ : ""
|
||||
# Test case files
|
||||
- SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
- SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ if [ -n ${NSS_POLICY_FILE} ]; then
|
||||
+ SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt
|
||||
+ else
|
||||
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
|
||||
+ SSLCOV=${QADIR}/ssl/sslcov.txt
|
||||
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
|
||||
+ fi
|
||||
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
|
||||
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
|
||||
|
||||
@@ -122,7 +131,11 @@ is_selfserv_alive()
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ echo "No server to kill"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "selfserv with PID ${PID} found at `date`"
|
||||
}
|
||||
@@ -145,7 +158,11 @@ wait_for_selfserv()
|
||||
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
|
||||
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
|
||||
+ html_passed "Server never started"
|
||||
+ else
|
||||
html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_selfserv_alive
|
||||
@@ -216,15 +233,16 @@ start_selfserv()
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
- echo " $verbose -H 1 &"
|
||||
+ VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : ""
|
||||
+ echo " $verbose -H 1 ${VMIN_OPT} &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
|
||||
- > ${SERVEROUTFILE} 2>&1 &
|
||||
+ ${VMIN_OPT}> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
|
||||
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 ${VMIN_OPT} &
|
||||
RET=$?
|
||||
fi
|
||||
|
||||
@@ -275,6 +293,12 @@ ssl_cov()
|
||||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
|
||||
+ # trace these types of tests when build has policy enabled
|
||||
+ if [ -n ${NSS_POLICY_FILE} ] &&
|
||||
+ [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then
|
||||
+ echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})"
|
||||
+ fi
|
||||
+
|
||||
if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
|
||||
echo "$SCRIPTNAME: skipping $testname (ECC only)"
|
||||
elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
|
101
tests-data-adjust-for-policy.patch
Normal file
101
tests-data-adjust-for-policy.patch
Normal file
@ -0,0 +1,101 @@
|
||||
diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt
|
||||
--- ./tests/ssl/sslauth.txt.expected_result 2016-05-17 00:58:45.000000000 -0700
|
||||
+++ ./tests/ssl/sslauth.txt 2016-05-28 15:21:11.800761721 -0700
|
||||
@@ -14,12 +14,12 @@
|
||||
noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
|
||||
noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
|
||||
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
|
||||
- noECC 0 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
- noECC 0 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
- noECC 0 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
+ noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
|
||||
+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
|
||||
+ noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
|
||||
noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
|
||||
noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
|
||||
- noECC 0 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
+ noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
|
||||
@@ -32,9 +32,9 @@
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
|
||||
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
- noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
|
||||
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
|
||||
+ noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
|
||||
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
|
||||
@@ -57,17 +57,17 @@
|
||||
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
|
||||
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
|
||||
- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
|
||||
+ ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
|
||||
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
|
||||
- ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
+ ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
|
||||
#
|
||||
# SNI Tests
|
||||
#
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
+ SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.expected_result 2016-05-17 00:58:45.000000000 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2016-05-28 15:21:11.800761721 -0700
|
||||
@@ -148,26 +148,26 @@
|
||||
# Exp Enable Enable Cipher Config Policy Test Name
|
||||
# Ret EC TLS
|
||||
# turn on single cipher
|
||||
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
|
||||
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
|
||||
- 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
|
||||
- 1 noECC SSL3 d disallow=all Disallow All Explicitly.
|
||||
+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
|
||||
+# 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
|
||||
+# 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
|
||||
+# 1 noECC SSL3 d disallow=all Disallow All Explicitly.
|
||||
# turn off signature only
|
||||
- 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
|
||||
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
|
||||
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
|
||||
+# 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
|
||||
# turn off single cipher
|
||||
- 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
|
||||
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
|
||||
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
|
||||
+# 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
|
||||
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
|
||||
# turn off H-Mac
|
||||
- 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
|
||||
- 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
|
||||
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
|
||||
+# 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
|
||||
+# 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
|
||||
# turn off key exchange
|
||||
- 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
|
||||
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
|
||||
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
|
||||
+# 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
|
||||
+# 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
|
||||
# turn off version
|
||||
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
|
||||
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
|
Loading…
Reference in New Issue
Block a user