Commit 5627f9f21764af7eac2af2fb8ec867cd65ca8949 - openssl

Don't detect a downgrade where the server has a protocol version hole Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013) Matt Caswell 5 years ago

2 changed file(s) with 21 addition(s) and 7 deletion(s). Raw diff Collapse all Expand all

+10

-3

ssl/statem/statem_lib.c less more

1664	1664	if (vers == TLS1_2_VERSION
1665	1665	&& ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1666	1666	*dgrd = DOWNGRADE_TO_1_2;
1667		} else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
1668		&& (ssl_version_supported(s, TLS1_2_VERSION, NULL)
1669		\|\| ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
	1667	} else if (!SSL_IS_DTLS(s)
	1668	&& vers < TLS1_2_VERSION
	1669	/*
	1670	* We need to ensure that a server that disables TLSv1.2
	1671	* (creating a hole between TLSv1.3 and TLSv1.1) can still
	1672	* complete handshakes with clients that support TLSv1.2 and
	1673	* below. Therefore we do not enable the sentinel if TLSv1.3 is
	1674	* enabled and TLSv1.2 is not.
	1675	*/
	1676	&& ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1670	1677	*dgrd = DOWNGRADE_TO_1_1;
1671	1678	} else {
1672	1679	*dgrd = DOWNGRADE_NONE;

+11

-4

test/recipes/70-test_tls13downgrade.t less more

44	44	$proxy->filter(\&downgrade_filter);
45	45	my $testtype = DOWNGRADE_TO_TLS_1_2;
46	46	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
47		plan tests => 5;
	47	plan tests => 6;
48	48	ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");
49	49
50	50	#Test 2: Downgrade from TLSv1.3 to TLSv1.1

73	73	"Fallback from TLSv1.3");
74	74
75	75	SKIP: {
76		skip "TLSv1.1 disabled", 1 if disabled("tls1_1");
77		#Test 5: A protocol "hole" should not be detected as a downgrade
	76	skip "TLSv1.1 disabled", 2 if disabled("tls1_1");
	77	#Test 5: A client side protocol "hole" should not be detected as a downgrade
78	78	$proxy->clear();
79	79	$proxy->filter(undef);
80	80	$proxy->clientflags("-no_tls1_2");
81	81	$proxy->start();
82		ok(TLSProxy::Message->success(), "TLSv1.2 protocol hole");
	82	ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");
	83
	84	#Test 6: A server side protocol "hole" should not be detected as a downgrade
	85	$proxy->clear();
	86	$proxy->filter(undef);
	87	$proxy->serverflags("-no_tls1_2");
	88	$proxy->start();
	89	ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
83	90	}
84	91
85	92	sub downgrade_filter