Enable all ciphers in OpenSSL >=1.1.0

OpenSSL may be configured to support features such as cipher suites or protocol versions that are disabled by default. Enable them all: we're testing, we don't care about enabling insecure stuff. This is not needed with the builds of OpenSSL that we're currently using on the Jenkins CI, but it's needed with more recent versions such as typically found on developer machines, and with future CI additions. The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we don't need to do anything special with earlier versions. With OpenSSL 1.1.1f on Ubuntu 20.04, this is needed to enable TLS 1.0, TLS 1.1 and DTLS 1.0. This also allows SHA-1 in certificates, which is still needed for a few test cases in ssl-opt.sh. Curiously, this is also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and no other, including other DHE-PSK or ARIA cipher suites). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Mbed-TLS · Nov 24, 2022 · 4eea196 · 4eea196
1 parent 8fe23a0
commit 4eea196
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/tests/compat.sh b/tests/compat.sh
@@ -930,6 +930,20 @@ setup_arguments()
     G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
     G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
 
+    # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
+    # low-security ones. This covers not just cipher suites but also protocol
+    # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
+    # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
+    # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
+    # a way to discover it from -help, so check the openssl version.
+    case $($OPENSSL_CMD version) in
+        "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
+        *)
+            O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
+            O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
+            ;;
+    esac
+
     if [ "X$VERIFY" = "XYES" ];
     then
         M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
@@ -1493,6 +1493,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then
     O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
 fi
 
+# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
+# low-security ones. This covers not just cipher suites but also protocol
+# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
+# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
+# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
+# a way to discover it from -help, so check the openssl version.
+case $($OPENSSL_CMD version) in
+    "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
+    *)
+        O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
+        O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
+        ;;
+esac
+
 if [ -n "${OPENSSL_NEXT:-}" ]; then
     O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
     O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"