compat.sh: Skip static ECDH cases if unsupported in openssl #7137
Conversation
This commit add support to detect if openssl used for testing supports static ECDH key exchange. Skip the ciphersutes if openssl doesn't support them. Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
lpy4105
added
needs-review
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
| @@ -534,6 +534,15 @@ add_mbedtls_ciphersuites() | |||
| esac | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
I know it wasn't a requirement of #1785, but since compat.sh is now skipping static ECDH cipher suites automatically, I think we should remove the explicit exclusions in .travis.yml and all.sh.
There was a problem hiding this comment.
No explicit exclusions found in all.sh, so I only removed that in .travis.yml.
There was a problem hiding this comment.
I also found this doesn't work for a more recent OpenSSL (e.g 1.1.1f on Travis CI).
Lines 823 to 824 in ffb92b0
There was a problem hiding this comment.
Actually, the comment (which was added later by a different person) is wrong. Cipher is (NONE) indicates a null cipher, not a cipher that isn't supported, and that's still true at least in OpenSSL 1.1.1. So what this piece of code really does is to automatically mark null cipher suites as skipped if OpenSSL doesn't support them.
I don't think we need to change the code: it's working well enough. But before we forget, please fix the comment.
There was a problem hiding this comment.
OK, I see. But Cipher is (NONE) is also printed if there is a invalid ciphersuite in old OpenSSL. So I misunderstood the code here. Let me update the comment.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
lpy4105
removed
the
needs-reviewer
The mechanism of detecting unsupported ciphersuites for OpenSSL client doesn't work on a modern OpenSSL. At least, it fails on Travis CI which is installed with OpenSSL 1.1.1f. So we need to skip ECDH cipher- suites for O->m. Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
There was a problem hiding this comment.
Looks good to me, except, please update the preexisting incorrect comment.
| @@ -534,6 +534,15 @@ add_mbedtls_ciphersuites() | |||
| esac | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Actually, the comment (which was added later by a different person) is wrong. Cipher is (NONE) indicates a null cipher, not a cipher that isn't supported, and that's still true at least in OpenSSL 1.1.1. So what this piece of code really does is to automatically mark null cipher suites as skipped if OpenSSL doesn't support them.
I don't think we need to change the code: it's working well enough. But before we forget, please fix the comment.
gilles-peskine-arm
added
needs-work
needs-backports
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
lpy4105
removed
the
needs-backports
gilles-peskine-arm
added
approved
Description
Fix: #1785
This PR add the ability in
compat.shto check if the under testingopensslprogram supports static ECDH (i.e.ECDH_ECDSA) key exchange methods. The cases forTLS_ECDH_ECDSA_xxxciphersuites will be skipped ifopenssldoesn't support so.This PR would like to cover all out of box failures of ssl-opt.sh and compat.sh on modern systems (e.g Ubuntu 18.04 and newer).
Gatekeeper checklist