Merge remote-tracking branch 'restricted/pr/390' into development
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5dffcf9..ee7944b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -151,7 +151,7 @@
{
int ret;
size_t remaining, expansion;
- size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
@@ -212,7 +212,10 @@
* delivered) of any compliant IPv4 (and IPv6) network, and should work
* on most non-IP stacks too. */
if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+ {
ssl->handshake->mtu = 508;
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
+ }
new_timeout = 2 * ssl->handshake->retransmit_timeout;
@@ -7956,6 +7959,12 @@
#if defined(MBEDTLS_SSL_PROTO_DTLS)
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
{
+ /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+ ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
+ return ( 0 );
+
if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
return( ssl->mtu );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6cdc5b3..7c408e4 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -262,6 +262,21 @@
fi
}
+# skip next test if it's i686 or uname is not available
+requires_not_i686() {
+ if [ -z "${IS_I686:-}" ]; then
+ IS_I686="YES"
+ if which "uname" >/dev/null 2>&1; then
+ if [ -z "$(uname -a | grep i686)" ]; then
+ IS_I686="NO"
+ fi
+ fi
+ fi
+ if [ "$IS_I686" = "YES" ]; then
+ SKIP_NEXT="YES"
+ fi
+}
+
# Calculate the input & output maximum content lengths set in the config
MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
@@ -5867,10 +5882,12 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=4096" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
max_frag_len=4096" \
0 \
-S "found fragmented DTLS handshake message" \
@@ -5885,10 +5902,12 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=1024" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
max_frag_len=2048" \
0 \
-S "found fragmented DTLS handshake message" \
@@ -5907,10 +5926,12 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
max_frag_len=4096" \
0 \
-S "found fragmented DTLS handshake message" \
@@ -5925,12 +5946,14 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- max_frag_len=512" \
- 0 \
+ hs_timeout=2500-60000 \
+ max_frag_len=1024" \
+ 0 \
-S "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
@@ -5947,15 +5970,17 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
- -p "$P_PXY mtu=560" \
+ -p "$P_PXY mtu=1110" \
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- max_frag_len=512" \
+ hs_timeout=2500-60000 \
+ max_frag_len=1024" \
0 \
-S "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
@@ -5969,11 +5994,13 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- max_frag_len=512" \
+ hs_timeout=2500-60000 \
+ max_frag_len=1024" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
@@ -5991,15 +6018,17 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
- -p "$P_PXY mtu=560" \
+ -p "$P_PXY mtu=1110" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- max_frag_len=512" \
+ hs_timeout=2500-60000 \
+ max_frag_len=1024" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
@@ -6012,10 +6041,12 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
mtu=4096" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
mtu=4096" \
0 \
-S "found fragmented DTLS handshake message" \
@@ -6029,11 +6060,13 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=3500-60000 \
mtu=4096" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- mtu=512" \
+ hs_timeout=3500-60000 \
+ mtu=1024" \
0 \
-s "found fragmented DTLS handshake message" \
-C "found fragmented DTLS handshake message" \
@@ -6046,10 +6079,12 @@
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
mtu=2048" \
0 \
-S "found fragmented DTLS handshake message" \
@@ -6059,54 +6094,96 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: both (MTU)" \
+run_test "DTLS fragmenting: both (MTU=1024)" \
+ -p "$P_PXY mtu=1024" \
+ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+ crt_file=data_files/server7_int-ca.crt \
+ key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
+ mtu=1024" \
+ "$P_CLI dtls=1 debug_level=2 \
+ crt_file=data_files/server8_int-ca2.crt \
+ key_file=data_files/server8.key \
+ hs_timeout=2500-60000 \
+ mtu=1024" \
+ 0 \
+ -s "found fragmented DTLS handshake message" \
+ -c "found fragmented DTLS handshake message" \
+ -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test "DTLS fragmenting: both (MTU=512)" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=2500-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=2500-60000 \
mtu=512" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# Test for automatic MTU reduction on repeated resend
+# Test for automatic MTU reduction on repeated resend.
+# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
+# The ratio of max/min timeout should ideally equal 4 to accept two
+# retransmissions, but in some cases (like both the server and client using
+# fragmentation and auto-reduction) an extra retransmission might occur,
+# hence the ratio of 8.
not_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
-p "$P_PXY mtu=508" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key\
- hs_timeout=100-400" \
+ key_file=data_files/server7.key \
+ hs_timeout=400-3200" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- hs_timeout=100-400" \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=400-3200" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
+# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
only_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
-p "$P_PXY mtu=508" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key\
+ key_file=data_files/server7.key \
hs_timeout=250-10000" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000" \
0 \
-s "found fragmented DTLS handshake message" \
@@ -6116,78 +6193,146 @@
# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
# OTOH the client might resend if the server is to slow to reset after sending
# a HelloVerifyRequest, so only check for no retransmission server-side
-not_with_valgrind # spurious resend due to timeout
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake" \
- -p "$P_PXY mtu=512" \
+run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
+ -p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-not_with_valgrind # spurious resend due to timeout
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
+# OTOH the client might resend if the server is to slow to reset after sending
+# a HelloVerifyRequest, so only check for no retransmission server-side
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio" \
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
- mtu=512 nbio=2" \
+ hs_timeout=10000-60000 \
+ mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
- mtu=512 nbio=2" \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=10000-60000 \
+ mtu=512" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
+ -p "$P_PXY mtu=1024" \
+ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+ crt_file=data_files/server7_int-ca.crt \
+ key_file=data_files/server7.key \
+ hs_timeout=10000-60000 \
+ mtu=1024 nbio=2" \
+ "$P_CLI dtls=1 debug_level=2 \
+ crt_file=data_files/server8_int-ca2.crt \
+ key_file=data_files/server8.key \
+ hs_timeout=10000-60000 \
+ mtu=1024 nbio=2" \
+ 0 \
+ -S "autoreduction" \
+ -s "found fragmented DTLS handshake message" \
+ -c "found fragmented DTLS handshake message" \
+ -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
+ -p "$P_PXY mtu=512" \
+ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+ crt_file=data_files/server7_int-ca.crt \
+ key_file=data_files/server7.key \
+ hs_timeout=10000-60000 \
+ mtu=512 nbio=2" \
+ "$P_CLI dtls=1 debug_level=2 \
+ crt_file=data_files/server8_int-ca2.crt \
+ key_file=data_files/server8.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=10000-60000 \
+ mtu=512 nbio=2" \
+ 0 \
+ -S "autoreduction" \
+ -s "found fragmented DTLS handshake message" \
+ -c "found fragmented DTLS handshake message" \
+ -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
# This ensures things still work after session_reset().
# It also exercises the "resumed handshake" flow.
# Since we don't support reading fragmented ClientHello yet,
# up the MTU to 1450 (larger than ClientHello with session ticket,
# but still smaller than client's Certificate to ensure fragmentation).
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
# reco_delay avoids races where the client reconnects before the server has
-# resumed listening, which would result in a spurious resend.
-not_with_valgrind # spurious resend due to timeout
+# resumed listening, which would result in a spurious autoreduction.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
-p "$P_PXY mtu=1450" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
+ hs_timeout=10000-60000 \
mtu=1450" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ hs_timeout=10000-60000 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
mtu=1450 reconnect=1 reco_delay=1" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
-not_with_valgrind # spurious resend due to timeout
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6201,22 +6346,24 @@
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
+ hs_timeout=10000-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=10000-60000 \
mtu=512" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
-not_with_valgrind # spurious resend due to timeout
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6231,22 +6378,24 @@
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=10000-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ hs_timeout=10000-60000 \
mtu=512" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
-not_with_valgrind # spurious resend due to timeout
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6256,27 +6405,29 @@
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CCM_C
run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
- -p "$P_PXY mtu=512" \
+ -p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
-not_with_valgrind # spurious resend due to timeout
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6287,27 +6438,29 @@
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
- -p "$P_PXY mtu=512" \
+ -p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
-# A resend on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "resend"' below.
-not_with_valgrind # spurious resend due to timeout
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6317,27 +6470,33 @@
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
- -p "$P_PXY mtu=512" \
+ -p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
- mtu=512" \
+ hs_timeout=10000-60000 \
+ mtu=1024" \
0 \
- -S "resend" \
+ -S "autoreduction" \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
run_test "DTLS fragmenting: proxy MTU + 3d" \
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
@@ -6348,15 +6507,20 @@
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000 mtu=512" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
@@ -6367,6 +6531,7 @@
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000 mtu=512 nbio=2" \
0 \
-s "found fragmented DTLS handshake message" \
@@ -6377,7 +6542,6 @@
#
# here and below we just want to test that the we fragment in a way that
# pleases other implementations, so we don't need the peer to fragment
-requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6393,7 +6557,6 @@
-c "fragmenting handshake message" \
-C "error"
-requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6421,6 +6584,7 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_gnutls
+requires_not_i686
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
@@ -6436,6 +6600,7 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
requires_gnutls
+requires_not_i686
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
@@ -6576,13 +6741,11 @@
0 \
-s "fragmenting handshake message"
-## Interop test with OpenSSL might triger a bug in recent versions (that
-## probably won't be fixed before 1.1.1X), so we use an old version that
-## doesn't have this bug, but unfortunately it doesn't have support for DTLS
-## 1.2 either, so the DTLS 1.2 tests are commented for now.
+## Interop test with OpenSSL might trigger a bug in recent versions (including
+## all versions installed on the CI machines), reported here:
## Bug report: https://github.com/openssl/openssl/issues/6902
-## They should be re-enabled (and the DTLS 1.0 switched back to a non-legacy
-## version of OpenSSL once a fixed version of OpenSSL is available)
+## They should be re-enabled once a fixed version of OpenSSL is available
+## (this should happen in some 1.1.1_ release according to the ticket).
skip_next_test
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
@@ -6600,7 +6763,7 @@
-c "fragmenting handshake message" \
-C "error"
-requires_openssl_legacy
+skip_next_test
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6608,7 +6771,7 @@
client_needs_more_time 4
run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
- "$O_LEGACY_SRV -dtls1 -verify 10" \
+ "$O_SRV -dtls1 -verify 10" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
@@ -6617,25 +6780,25 @@
-c "fragmenting handshake message" \
-C "error"
-## see comment on the previous-previous test
-## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-## requires_config_enabled MBEDTLS_RSA_C
-## requires_config_enabled MBEDTLS_ECDSA_C
-## requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-## client_needs_more_time 4
-## run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
-## -p "$P_PXY drop=8 delay=8 duplicate=8" \
-## "$P_SRV dtls=1 debug_level=2 \
-## crt_file=data_files/server7_int-ca.crt \
-## key_file=data_files/server7.key \
-## hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
-## "$O_CLI -dtls1_2" \
-## 0 \
-## -s "fragmenting handshake message"
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+client_needs_more_time 4
+run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
+ -p "$P_PXY drop=8 delay=8 duplicate=8" \
+ "$P_SRV dtls=1 debug_level=2 \
+ crt_file=data_files/server7_int-ca.crt \
+ key_file=data_files/server7.key \
+ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
+ "$O_CLI -dtls1_2" \
+ 0 \
+ -s "fragmenting handshake message"
# -nbio is added to prevent s_client from blocking in case of duplicated
# messages at the end of the handshake
-requires_openssl_legacy
+skip_next_test
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
@@ -6647,7 +6810,7 @@
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
hs_timeout=250-60000 mtu=512 force_version=dtls1" \
- "$O_LEGACY_CLI -nbio -dtls1" \
+ "$O_CLI -nbio -dtls1" \
0 \
-s "fragmenting handshake message"
@@ -6775,8 +6938,10 @@
run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
-p "$P_PXY delay_srv=ServerHello" \
- "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "Next handshake message has been buffered - load"\
@@ -6789,8 +6954,10 @@
run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
-p "$P_PXY delay_srv=ServerHello" \
- "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "found fragmented DTLS handshake message"\
@@ -6810,8 +6977,10 @@
requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
- "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "Next handshake message has been buffered - load"\
@@ -6830,8 +6999,10 @@
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
- "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "attempt to make space by freeing buffered future messages" \
@@ -6845,8 +7016,10 @@
run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
-p "$P_PXY delay_cli=Certificate" \
- "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
@@ -6859,8 +7032,10 @@
run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
-p "$P_PXY delay_srv=NewSessionTicket" \
- "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
@@ -6873,8 +7048,10 @@
run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
-p "$P_PXY delay_cli=ClientKeyExchange" \
- "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
@@ -6887,8 +7064,10 @@
run_test "DTLS reordering: Buffer encrypted Finished message" \
-p "$P_PXY delay_ccs=1" \
- "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
+ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+ hs_timeout=2500-60000" \
0 \
-s "Buffer record from epoch 1" \
-s "Found buffered record from current epoch - load" \
@@ -6928,9 +7107,9 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
-s "Extra-header:" \
@@ -6939,8 +7118,8 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
-s "Extra-header:" \
@@ -6949,8 +7128,8 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0" \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
@@ -6958,8 +7137,8 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, FS, client auth" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=required" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0" \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
@@ -6967,8 +7146,8 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, FS, ticket" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1 auth_mode=none" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1" \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
@@ -6976,8 +7155,8 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1 auth_mode=required" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1" \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
@@ -6985,9 +7164,9 @@
client_needs_more_time 2
run_test "DTLS proxy: 3d, max handshake, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 nbio=2 tickets=1 \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
auth_mode=required" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 nbio=2 tickets=1" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
@@ -6995,9 +7174,9 @@
client_needs_more_time 4
run_test "DTLS proxy: 3d, min handshake, resumption" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -7009,9 +7188,9 @@
client_needs_more_time 4
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
0 \
@@ -7024,9 +7203,9 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -7039,9 +7218,9 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -7054,10 +7233,10 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
renegotiation=1 exchanges=4 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -7070,10 +7249,10 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
+ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -7082,30 +7261,38 @@
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
+## Interop tests with OpenSSL might trigger a bug in recent versions (including
+## all versions installed on the CI machines), reported here:
+## Bug report: https://github.com/openssl/openssl/issues/6902
+## They should be re-enabled once a fixed version of OpenSSL is available
+## (this should happen in some 1.1.1_ release according to the ticket).
+skip_next_test
client_needs_more_time 6
not_with_valgrind # risk of non-mbedtls peer timing out
run_test "DTLS proxy: 3d, openssl server" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_SRV -dtls1 -mtu 2048" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 tickets=0" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
0 \
-c "HTTP/1.0 200 OK"
+skip_next_test # see above
client_needs_more_time 8
not_with_valgrind # risk of non-mbedtls peer timing out
run_test "DTLS proxy: 3d, openssl server, fragmentation" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_SRV -dtls1 -mtu 768" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 tickets=0" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
0 \
-c "HTTP/1.0 200 OK"
+skip_next_test # see above
client_needs_more_time 8
not_with_valgrind # risk of non-mbedtls peer timing out
run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_SRV -dtls1 -mtu 768" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
0 \
-c "HTTP/1.0 200 OK"
@@ -7115,7 +7302,7 @@
run_test "DTLS proxy: 3d, gnutls server" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$G_SRV -u --mtu 2048 -a" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
0 \
-s "Extra-header:" \
-c "Extra-header:"
@@ -7126,7 +7313,7 @@
run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$G_SRV -u --mtu 512" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
0 \
-s "Extra-header:" \
-c "Extra-header:"
@@ -7137,7 +7324,7 @@
run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$G_SRV -u --mtu 512" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 nbio=2" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
0 \
-s "Extra-header:" \
-c "Extra-header:"