Merge pull request #1595 from SparkiDev/tls13_cipher_down

Fix for downgrading from TLS 1.3 due to old cipher suite
2018-06-12 08:24:26 -07:00
parent f2a20c4232 fcd2234841
commit 29410ada1e
4 changed files with 86 additions and 72 deletions
--- a/scripts/tls13.test
+++ b/scripts/tls13.test
@ -137,6 +137,38 @@ if [ $? -ne 0 ]; then
        exit 1
    fi
    echo ""
+
+    echo "Find usable TLS 1.2 cipher suite"
+    for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
+    do
+        echo $CS
+        ./examples/client/client -e | grep $CS >/dev/null
+        if [ "$?" = "0" ]; then
+            TLS12_CS=$CS
+            break
+        fi
+    done
+    if [ "$TLS12_CS" != "" ]; then
+        # TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
+        echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
+        port=0
+        SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
+        CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
+        ./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
+        server_pid=$!
+        create_port
+        ./examples/client/client -v d -l $CLIENT_CS -p $port
+        RESULT=$?
+        remove_ready_file
+        if [ $RESULT -eq 0 ]; then
+            echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
+            do_cleanup
+            exit 1
+        fi
+        echo ""
+    else
+        echo "No usable TLS 1.2 cipher suite found"
+    fi
 fi

 do_cleanup