Commit graph

2609 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 081b15231f Fix another wrong check for errors in test code 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 2a62a05688 Add test that save-load is the identity
This test works regardless of the serialisation format and embedded pointers
in it, contrary to the load-save test, though it requires more maintenance of
the test code (sync the member list with the struct definition).
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard aab6204dc1 Fix populate_session() and its usage in tests
Not checking the return value allowed a bug to go undetected, fix the bug and
check the return value.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 5709811dd2 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 98fccc3f6a Add test for session_save() on small buffers 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 1ba5c68503 Disable test for load-save identity
This test appeared to be passing for the wrong reason, it's not actually not
appropriate for the current implementation. The serialised data contains
values of pointers to heap-allocated buffers. There is no reason these should
be identical after a load-save pair. They just happened to be identical when I
first ran the test due to the place of session_free() in the test code and the
fact that the libc's malloc() reused the same buffers. The test no longer
passes if other malloc() implementations are used (for example, when compiling
with asan which avoids re-using the buffer, probably for better error
detection).

So, disable this test for now (we can re-enable it when we changed how
sessions are serialised, which will be done in a future PR, hence the name of
the dummy macro in depends_on). In the next commit we're going to add a test
that save-load is the identity instead - which will be more work in testing as
it will require checking each field manually, but at least is reliable.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 16f6bb1aa3 Improve load-save test with tickets and certs 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard dfa5a7ae76 Start adding unit test for session serialisation
This initial test ensures that a load-save function is the identity. It is so
far incomplete in that it only tests sessions without tickets or certificate.
This will be improved in the next commits.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 57a348ba8c Add tests for session copy without serialisation 2019-06-03 09:51:08 +02:00
Jaeden Amero ada38317dd test: Always use make clean by itself
When running make with parallelization, running both "clean" and "lib"
with a single make invocation can lead to each target building in
parallel. It's bad if lib is partially done building something, and then
clean deletes what was built. This can lead to errors later on in the
lib target.

    $ make -j9 clean lib
      CC    aes.c
      CC    aesni.c
      CC    arc4.c
      CC    aria.c
      CC    asn1parse.c
      CC    ./library/error.c
      CC    ./library/version.c
      CC    ./library/version_features.c
      AR    libmbedcrypto.a
    ar: aes.o: No such file or directory
    Makefile:120: recipe for target 'libmbedcrypto.a' failed
    make[2]: *** [libmbedcrypto.a] Error 1
    Makefile:152: recipe for target 'libmbedcrypto.a' failed
    make[1]: *** [libmbedcrypto.a] Error 2
    Makefile:19: recipe for target 'lib' failed
    make: *** [lib] Error 2
    make: *** Waiting for unfinished jobs....

To avoid this sort of trouble, always invoke clean by itself without
other targets throughout the library. Don't run clean in parallel with
other rules. The only place where clean was run in parallel with other
targets was in list-symbols.sh.
2019-05-31 17:49:25 +01:00
Hanno Becker 67d1848ed0 Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:19:08 +01:00
Hanno Becker 556e6d84ea Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:19:08 +01:00
Hanno Becker dd7e193f49 Add new line at the end of test-ca2.key.enc 2019-05-30 10:58:12 +01:00
Hanno Becker e562e7dbeb Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO 2019-05-30 10:58:12 +01:00
Hanno Becker 7a11e72a4f ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
This should allow to run ssl-opt.sh successfully in the default
configuration minus MBEDTLS_PEM_PARSE_C minus MBEDTLS_FS_IO.
2019-05-30 10:58:07 +01:00
Hanno Becker f8b0b15c90 Rename server1.der to server1.crt.der 2019-05-30 10:27:49 +01:00
Hanno Becker 389ee9b40b Add DER encoded files to git tree 2019-05-30 10:27:14 +01:00
Hanno Becker 5895a2db7b Add build instructions to generate DER versions of CRTs and keys 2019-05-30 10:27:14 +01:00
Simon Butcher 0d1d76f987 Merge remote-tracking branch 'origin/pr/561' into baremetal 2019-05-29 15:09:24 +01:00
Simon Butcher d5e1bfc6b4 Merge remote-tracking branch 'origin/pr/569' into baremetal 2019-05-24 15:07:10 +01:00
Simon Butcher 0edb924e16 Merge remote-tracking branch 'origin/pr/565' into baremetal 2019-05-24 15:06:56 +01:00
Simon Butcher 5a790f9214 Merge remote-tracking branch 'origin/pr/563' into baremetal 2019-05-24 15:06:16 +01:00
Hanno Becker f6fb4ea632 Insert records with unexpected CID in CID tests in ssl-opt.sh 2019-05-24 10:11:23 +01:00
Gilles Peskine 39d7c58db5 list-symbols.sh: if the build fails, print the build transcript
If "make clean lib" fails in list-symbols.sh, print the transcript
from running make.
2019-05-22 19:07:36 +02:00
Gilles Peskine 902a1f3f7f Document "check-names.sh -v" 2019-05-22 19:07:36 +02:00
Hanno Becker 6945983588 Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite 2019-05-20 15:40:23 +01:00
Hanno Becker a5a2b08a05 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-05-20 15:35:36 +01:00
Hanno Becker 84bbc51968 Add CID test not using datagram packing to ssl-opt.sh 2019-05-20 15:32:36 +01:00
Hanno Becker 04ca04caf2 Add Proxy tests for Connection ID to ssl-opt.sh
Also, shorten test names to avoid them being truncated on the cmd line.
2019-05-20 15:32:36 +01:00
Hanno Becker 043a2a4869 Remove indicators and warnings about unfinished CID implementation 2019-05-20 15:32:36 +01:00
Hanno Becker ad8e2c9144 Fix mismatching debug grep in ssl-opt.sh CID tests 2019-05-20 15:32:36 +01:00
Hanno Becker 9687029d22 Add support for change of CID to ssl_client2 / ssl_server2
And add tests for various CID configuration changes during
renegotiation to ssl-opt.sh.
2019-05-20 15:32:36 +01:00
Hanno Becker b7f9e9c9a5 Reintroduce grepping for debug messages in CID tests in ssl-opt.sh 2019-05-20 15:32:36 +01:00
Hanno Becker 6943920839 Add missing dependencies in unit tests for CID-based record enc/dec
Changes generated via:
% sed -i '/.*CID [0-9]+[0-9]/{n;s/depends_on:/depends_on:MBEDTLS_SSL_CID:/}' test_suite_ssl.data
2019-05-20 15:23:27 +01:00
Manuel Pégourié-Gonnard 9c5bcc9220 Use more specific name in debug message for testing
While 'session hash' is currently unique, so suitable to prove that the
intended code path has been taken, it's a generic enough phrase that in the
future we might add other debug messages containing it in completely unrelated
code paths. In order to future-proof the accuracy of the test, let's use a
more specific string.
2019-05-20 12:09:50 +02:00
Manuel Pégourié-Gonnard 5478e1e5ed Remove redundant debug message.
Two consecutive messages (ie no branch between them) at the same level are not
needed, so only keep the one that has the most information.
2019-05-20 10:07:29 +02:00
Hanno Becker 505089d944 Fix missing compile-time guards around CID-only constants 2019-05-17 10:23:47 +01:00
Hanno Becker d91dc3767f Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
2019-05-17 10:23:47 +01:00
Hanno Becker d8f753bd04 Add unit tests for record protection using CID 2019-05-17 10:23:47 +01:00
Hanno Becker 36fb379f68 Record enc/dec tests: Don't take turns in sending / receiving roles
Part of the record encryption/decryption tests is to gradually
increase the space available at the front and/or at the back of
a record and observe when encryption starts to succeed. If exactly
one of the two parameters is varied at a time, the expectation is
that encryption will continue to succeed once it has started
succeeding (that's not true if both pre- and post-space are varied
at the same time).

Moreover, previously the test would take turns when choosing which
transform should be used for encryption, and which for decryption.

With the introduction of the CID feaature, this switching of transforms
doesn't align with the expectation of eventual success of the encryption,
since the overhead of encryption might be different for the parties,
because both parties may use different CIDs for their outgoing records.

This commit modifies the tests to not take turns between transforms,
but to always use the same transforms for encryption and decryption
during a single round of the test.
2019-05-17 10:23:47 +01:00
Hanno Becker 6a3ff286a5 Grep for dbug msgs witnessing use of CID in ssl_client2/ssl_server2 2019-05-17 10:20:41 +01:00
Hanno Becker 5e2cd1422e Grep for dbg msg witnessing copying of CIDs to SSL transform 2019-05-17 10:20:41 +01:00
Hanno Becker cf2a565e3e Grep for dbg msg witnessing parsing of CID extension in ServerHello 2019-05-17 10:20:41 +01:00
Hanno Becker 4eb0587c0f Grep for dbg msg witnessing writing of CID extension in ServerHello 2019-05-17 10:20:41 +01:00
Hanno Becker c008cb5f8c Grep for dbg msg witnessing parsing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 7345599a7b Grep for dbg msg witnessing writing of CID extension in ClientHello 2019-05-17 10:20:41 +01:00
Hanno Becker 9dae9fd57b Modify CID tests in ssl-opt.sh to grep for CID config debug msgs 2019-05-17 10:20:41 +01:00
Hanno Becker fce6f836ba Merge branch 'mbedtls-2.16' into baremetal 2019-05-17 10:06:02 +01:00
Gilles Peskine 473f2d4ec2 all.sh: invoke check-names.sh in print-trace-on-exit mode 2019-05-15 17:55:06 +02:00
Gilles Peskine 5e525fb6e5 Print a command trace if the check-names.sh exits unexpectedly
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:40:58 +02:00
Simon Butcher 724a695534 Merge remote-tracking branch 'origin/pr/562' into baremetal 2019-05-09 17:11:38 +01:00
Simon Butcher e372d5fb8f Merge remote-tracking branch 'origin/pr/558' into baremetal 2019-05-09 17:03:18 +01:00
Simon Butcher 999ac174cc Merge remote-tracking branch 'origin/pr/566' into baremetal 2019-05-09 16:59:02 +01:00
Manuel Pégourié-Gonnard afdc1b5cbd Consistently use the name tinycrypt over uecc
We called in tinycrypt in the file names, but uecc in config.h, all.sh and
other places, which could be confusing. Just use tinycrypt everywhere because
that's the name of the project and repo where we took the files.

The changes were made using the following commands (with GNU sed and zsh):

sed -i 's/uecc/tinycrypt/g' **/*.[ch] tests/scripts/all.sh
sed -i 's/MBEDTLS_USE_UECC/MBEDTLS_USE_TINYCRYPT/g' **/*.[ch] tests/scripts/all.sh scripts/config.pl
2019-05-09 11:24:11 +02:00
Jarno Lamsa 8751e35751 Remove baremetal from build component names 2019-05-02 13:04:08 +03:00
Jarno Lamsa 4498de57b8 Address review comments about all.sh 2019-05-02 11:45:57 +03:00
Jarno Lamsa d91f7fa26b Add native build targets for uecc baremetal config 2019-04-30 14:29:23 +03:00
Jarno Lamsa 65ea285759 Fix typo 2019-04-30 13:00:41 +03:00
Jarno Lamsa f6371ff923 Add armcc5 build for uecc and baremetal config 2019-04-30 10:10:03 +03:00
Hanno Becker a131766743 Ensure non-NULL key buffer when building SSL test transforms 2019-04-29 12:19:38 +02:00
Hanno Becker 1acadb77cb Catch errors while building SSL test transforms 2019-04-29 12:19:38 +02:00
Hanno Becker afc528ad56 Use mbedtls_{calloc|free}() in SSL unit test suite 2019-04-29 12:19:24 +02:00
Hanno Becker b17a1a2068 Alternative between send/recv transform in SSL record test suite 2019-04-29 12:19:07 +02:00
Hanno Becker 5c1176e53f Fix memory leak on failure in test_suite_ssl 2019-04-29 12:18:50 +02:00
Hanno Becker 3693c72b82 Add record encryption/decryption tests for ARIA to SSL test suite 2019-04-29 12:18:27 +02:00
Hanno Becker d300003b2c Add encryption/decryption tests for small records
This commit adds tests to check the behavior of the record encryption
routine `ssl_encrypt_buf` when the buffer surrounding the plaintext is
too small to hold the expansion in the beginning and end (due to IV's,
padding, and MAC).

Each test starts successively increases the space available at the
beginning, end, or both, of the record buffer, and checks that the
record encryption either fails with a BUFFER_TOO_SMALL error, or
that it succeeds. Moreover, if it succeeds, it is checked that
decryption succeeds, too, and results in the original record.
2019-04-29 12:15:30 +02:00
Hanno Becker 611a83b571 Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-29 12:15:21 +02:00
Jarno Lamsa ce3cb64aeb Fix check-names.sh 2019-04-29 12:07:43 +03:00
Jarno Lamsa 8557fc9220 Add whitelist for uECC files for check-names.sh
Whitelist currently includes the unmatching symbols from uECC files.
This is now specific for the baremetal branch.
2019-04-26 16:22:10 +03:00
Jarno Lamsa 02493afe6c Ignore tinycrypt files from check-files.py 2019-04-25 14:56:17 +03:00
Hanno Becker b60c85c67c Indicate ssl-opt.sh CID tests only test the stub CID code 2019-04-23 12:02:34 +01:00
Hanno Becker 963cb35a24 Fix use of requires_config_enabled in ssl-opt.sh
requires_config_enabled doesn't support multiple config options.
Tests having multiple configuration dependencies must be prefixed
with multiple invocations of requires_config_enabled instead.
2019-04-23 11:52:44 +01:00
Hanno Becker 4f98b6ad17 Fix typo in CID test in ssl-opt.sh 2019-04-23 11:52:14 +01:00
Darryl Green 3997a6cd25 Document the scripts behaviour further 2019-04-18 13:18:22 +01:00
Darryl Green 3ef06d5bf7 Add --internal option to list-identifiers.sh
When doing ABI/API checking, its useful to have a list of all the
identifiers that are defined in the internal header files, as we
do not promise compatibility for them. This option allows for a
simple method of getting them for use with the ABI checking script.
2019-04-18 12:02:49 +01:00
Jaeden Amero 20d707dd3e Merge remote-tracking branch 'origin/pr/2571' into mbedtls-2.16
* origin/pr/2571:
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
2019-04-16 15:10:18 +01:00
Gilles Peskine 0a47c4ffbb Clarify comment mangled by an earlier refactoring 2019-04-10 18:47:51 +02:00
Gilles Peskine 99a3310fba Add an "out-of-box" component
Just run `make` and `make test`. And `selftest` for good measure.
2019-04-10 18:47:51 +02:00
Gilles Peskine 7dd44b28f1 Run ssl-opt.sh on 32-bit runtime
Run ssl-opt.sh on x86_32 with ASan. This may detect bugs that only
show up on 32-bit platforms, for example due to size_t overflow.

For this component, turn off some memory management features that are
not useful, potentially slow, and may reduce ASan's effectiveness at
catching buffer overflows.
2019-04-10 18:47:50 +02:00
Jaeden Amero e59c4193fb Fix typo in data_file generator code
The file to generate is `server10_int3-bs.pem`, not
`server10-bs_int3-bs.pem`.
2019-04-10 11:50:36 +01:00
Hanno Becker 2dcdc926b6 Add basic Connection ID tests to ssl-opt.sh 2019-04-09 18:27:04 +01:00
Jaeden Amero db8821cb7e Merge remote-tracking branch 'origin/pr/2470' into mbedtls-2.16
* origin/pr/2470:
  Silence pylint
  check-files.py: readability improvement in permission check
  check-files.py: use class fields for class-wide constants
  check-files.py: clean up class structure
  abi_check.py: Document more methods
  check-files.py: document some classes and methods
  Fix pylint errors going uncaught
  Call pylint3, not pylint
  New, documented pylint configuration
2019-04-05 14:20:00 +01:00
Jaeden Amero f41fa48dd4 Merge remote-tracking branch 'origin/pr/2520' into mbedtls-2.16
* origin/pr/2520:
  Fix errors in AEAD test function
2019-04-05 14:17:47 +01:00
Jaeden Amero 77027354f4 Merge remote-tracking branch 'origin/pr/2503' into mbedtls-2.16
* origin/pr/2503:
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
2019-04-05 14:10:02 +01:00
Jaeden Amero 9bfcebfe27 Merge remote-tracking branch 'origin/pr/2364' into mbedtls-2.16
* origin/pr/2364:
  Increase okm_hex buffer to contain null character
  Minor modifications to hkdf test
  Add explanation for okm_string size
  Update ChangeLog
  Reduce buffer size of okm
  Reduce Stack usage of hkdf test function
2019-04-05 13:53:22 +01:00
Jaeden Amero 186c2c054d Merge remote-tracking branch 'restricted/pr/553' into mbedtls-2.16
* restricted/pr/553:
  Fix mbedtls_ecdh_get_params with new ECDH context
  Add changelog entry for mbedtls_ecdh_get_params robustness
  Fix ecdh_get_params with mismatching group
  Add test case for ecdh_get_params with mismatching group
  Add test case for ecdh_calc_secret
  Fix typo in documentation
2019-03-27 14:54:00 +00:00
Jaeden Amero f2357f8903 Merge remote-tracking branch 'origin/pr/2526' into mbedtls-2.16
* origin/pr/2526:
  Update library version to 2.16.1
2019-03-26 15:27:56 +00:00
Jaeden Amero 9f4f8eec93 Update library version to 2.16.1 2019-03-19 16:20:02 +00:00
Jack Lloyd b25719b031 Fix errors in AEAD test function
It was failing to set the key in the ENCRYPT direction before encrypting.
This just happened to work for GCM and CCM.

After re-encrypting, compare the length to the expected ciphertext
length not the plaintext length. Again this just happens to work for
GCM and CCM since they do not perform any kind of padding.
2019-03-14 11:06:02 +02:00
Janos Follath 276284fd2e Add non-regression test for buffer overflow 2019-03-06 13:51:25 +00:00
Jaeden Amero b0abd1c84f Merge remote-tracking branch 'origin/pr/2388' into mbedtls-2.16
* origin/pr/2388:
  Update change log
  all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
  Fix DEADCODE in mbedtls_mpi_exp_mod()
2019-03-05 16:34:40 +00:00
Jaeden Amero 6b79a1115e Merge remote-tracking branch 'origin/pr/2293' into mbedtls-2.16
* origin/pr/2293:
  Declare test_suite_aes.ofb to CMake
  Add a facility to skip running some test suites
  run-test-suites: update the documentation
2019-03-05 16:31:02 +00:00
Jaeden Amero daed232dd7 Merge remote-tracking branch 'origin/pr/2436' into mbedtls-2.16
* origin/pr/2436:
  Use certificates from data_files and refer them
  Specify server certificate to use in SHA-1 test
  refactor CA and SRV certificates into separate blocks
  refactor SHA-1 certificate defintions and assignment
  refactor server SHA-1 certificate definition into a new block
  define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
  server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
  add entry to ChangeLog
2019-03-05 16:26:34 +00:00
Simon Butcher 799cd57c72 Merge remote-tracking branch 'restricted/pr/550' into mbedtls-2.16
* restricted/pr/550:
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-01 13:05:43 +00:00
Simon Butcher e6a3f57898 Merge remote-tracking branch 'public/pr/2429' into mbedtls-2.16
* public/pr/2429:
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for ASN.1 bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Fix ASN1 bitstring writing
2019-03-01 13:04:04 +00:00
Simon Butcher 3664fdb5f6 Merge remote-tracking branch 'public/pr/2449' into mbedtls-2.16
* public/pr/2449:
  Reword changelog entry
  Reenable GnuTLS next based tests
2019-03-01 13:01:54 +00:00
Manuel Pégourié-Gonnard f1e62e8e1e Fix failure in SSLv3 per-version suites test
The test used 3DES as the suite for SSLv3, which now makes the handshake fails
with "no ciphersuite in common", failing the test as well. Use Camellia
instead (as there are not enough AES ciphersuites before TLS 1.2 to
distinguish between the 3 versions).

Document some dependencies, but not all. Just trying to avoid introducing new
issues by using a new cipher here, not trying to make it perfect, which is a
much larger task out of scope of this commit.
2019-03-01 10:30:11 +01:00
Andres Amaya Garcia 37e0a8c455 Adjust DES exclude lists in test scripts 2019-03-01 10:30:11 +01:00
Andres Amaya Garcia 7c86e9a03e Fix documentation for 3DES removal 2019-03-01 10:29:49 +01:00
Andres Amaya Garcia ac9c5221c5 Exclude 3DES tests in test scripts 2019-03-01 10:29:49 +01:00