commit 7d1a24e75480f07c644b1d5444c9755d79137067
parent 7c7af4340fd283acb085b3c12b8cc4a128b4e678
Author: Christian Grothoff <christian@grothoff.org>
Date: Fri, 3 Apr 2015 17:36:25 +0000
fixing https testcases that require SSL3, but SSL3 is dead and with modern gnutls not even supported
Diffstat:
8 files changed, 12 insertions(+), 60 deletions(-)
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+Fri Apr 3 12:55:31 CEST 2015
+ Update HTTPS testcases to avoid SSLv3, as SSLv3 is dead.
+
Fri Apr 3 12:25:28 CEST 2015
Do not enforce FD_SETSIZE-limit on worker control
pipe when using MHD_USE_EPOLL_LINUX_ONLY (#3751). -MH/CG
diff --git a/configure.ac b/configure.ac
@@ -1,5 +1,5 @@
# This file is part of libmicrohttpd.
-# (C) 2006-2014 Christian Grothoff (and other contributing authors)
+# (C) 2006-2015 Christian Grothoff (and other contributing authors)
#
# libmicrohttpd is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published
@@ -22,15 +22,15 @@
#
AC_PREREQ([2.60])
LT_PREREQ([2.4.0])
-AC_INIT([libmicrohttpd],[0.9.39],[libmicrohttpd@gnu.org])
+AC_INIT([libmicrohttpd],[0.9.40],[libmicrohttpd@gnu.org])
AM_INIT_AUTOMAKE([silent-rules] [subdir-objects])
AC_CONFIG_HEADERS([MHD_config.h])
AC_CONFIG_MACRO_DIR([m4])
AH_TOP([#define _GNU_SOURCE 1])
-LIB_VERSION_CURRENT=39
+LIB_VERSION_CURRENT=40
LIB_VERSION_REVISION=0
-LIB_VERSION_AGE=29
+LIB_VERSION_AGE=30
AC_SUBST(LIB_VERSION_CURRENT)
AC_SUBST(LIB_VERSION_REVISION)
AC_SUBST(LIB_VERSION_AGE)
diff --git a/src/testcurl/https/test_empty_response.c b/src/testcurl/https/test_empty_response.c
@@ -99,7 +99,7 @@ testInternalSelectGet ()
curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer);
curl_easy_setopt (c, CURLOPT_WRITEDATA, &cbc);
/* TLS options */
- curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
+ curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, aes256_sha);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0);
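Review bot: The changed `CURLOPT_SSLVERSION` line passes an enum constant (an `int`) through `curl_easy_setopt`'s variadic argument, but libcurl reads that option as a `long`. The line should read `curl_easy_setopt (c, CURLOPT_SSLVERSION, (long) CURL_SSLVERSION_TLSv1);`, and the two context lines below it should pass `0L` rather than `0` for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. The same applies to the testExternalGet hunk in test_https_get_select.c and the test_query_session hunk in test_https_session_info.c. While touching these lines, a comment such as `/* verification disabled: test daemon certificate is not trusted by curl */` would record why peer and host checks are off, presumably because the test certificate is self-signed. The body of testInternalSelectGet starts and ends outside this hunk.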
diff --git a/src/testcurl/https/test_https_get.c b/src/testcurl/https/test_https_get.c
@@ -100,7 +100,6 @@ main (int argc, char *const *argv)
{
unsigned int errorCount = 0;
const char *aes256_sha_tlsv1 = "AES256-SHA";
- const char *aes256_sha_sslv3 = "AES256-SHA";
const char *des_cbc3_sha_tlsv1 = "DES-CBC3-SHA";
gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
@@ -116,15 +115,12 @@ main (int argc, char *const *argv)
if (curl_uses_nss_ssl() == 0)
{
aes256_sha_tlsv1 = "rsa_aes_256_sha";
- aes256_sha_sslv3 = "rsa_aes_256_sha";
des_cbc3_sha_tlsv1 = "rsa_aes_128_sha";
}
errorCount +=
test_secure_get (NULL, aes256_sha_tlsv1, CURL_SSLVERSION_TLSv1);
errorCount +=
- test_secure_get (NULL, aes256_sha_sslv3, CURL_SSLVERSION_SSLv3);
- errorCount +=
test_cipher_option (NULL, des_cbc3_sha_tlsv1, CURL_SSLVERSION_TLSv1);
print_test_result (errorCount, argv[0]);
diff --git a/src/testcurl/https/test_https_get_select.c b/src/testcurl/https/test_https_get_select.c
@@ -111,7 +111,7 @@ testExternalGet (int flags)
curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer);
curl_easy_setopt (c, CURLOPT_WRITEDATA, &cbc);
/* TLS options */
- curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
+ curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, aes256_sha);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt (c, CURLOPT_SSL_VERIFYHOST, 0);
diff --git a/src/testcurl/https/test_https_multi_daemon.c b/src/testcurl/https/test_https_multi_daemon.c
@@ -120,7 +120,7 @@ main (int argc, char *const *argv)
}
errorCount +=
- test_concurent_daemon_pair (NULL, aes256_sha, CURL_SSLVERSION_SSLv3);
+ test_concurent_daemon_pair (NULL, aes256_sha, CURL_SSLVERSION_TLSv1);
print_test_result (errorCount, "concurent_daemon_pair");
diff --git a/src/testcurl/https/test_https_session_info.c b/src/testcurl/https/test_https_session_info.c
@@ -55,7 +55,7 @@ query_session_ahc (void *cls, struct MHD_Connection *connection,
return MHD_YES;
}
- if (GNUTLS_SSL3 !=
+ if (GNUTLS_TLS1_1 !=
(ret = MHD_get_connection_info
(connection,
MHD_CONNECTION_INFO_PROTOCOL)->protocol))
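Review bot: The pointer returned by `MHD_get_connection_info` is dereferenced with `->protocol` without a NULL check, so a failed query would crash the handler instead of being reported as a test failure. I would store the result in a local first and test it, e.g. `if ( (NULL == ci) || (GNUTLS_TLS1_1 != (ret = ci->protocol)) )`, with `ci` declared at the top of query_session_ahc, which lies outside this hunk. The expected version is now hard-coded here and has to stay in step with the client setting in test_query_session. A comment such as `/* must match CURLOPT_SSLVERSION in test_query_session() */` on the comparison would make that coupling visible.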
@@ -122,7 +122,7 @@ test_query_session ()
curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer);
curl_easy_setopt (c, CURLOPT_FILE, &cbc);
/* TLS options */
- curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
+ curl_easy_setopt (c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
curl_easy_setopt (c, CURLOPT_SSL_CIPHER_LIST, aes256_sha);
/* currently skip any peer authentication */
curl_easy_setopt (c, CURLOPT_SSL_VERIFYPEER, 0);
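Review bot: `CURL_SSLVERSION_TLSv1_1` on the changed line only exists from libcurl 7.34.0 onward, so this test no longer compiles against older libcurl unless the build guards it; no such check is visible in the configure.ac hunk of this commit. The server-side handler asserts exactly `GNUTLS_TLS1_1`, and as I understand it later libcurl releases treat this constant as a minimum version, so a TLS 1.2 handshake would turn into a spurious failure there. A comment such as `/* must match the GNUTLS_TLS1_1 check in query_session_ahc() */` on this line would document the dependency. A version guard such as `#if LIBCURL_VERSION_NUM >= 0x072200` around the test would cover the compile issue. The body of test_query_session continues outside the hunk.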
diff --git a/src/testcurl/https/test_tls_options.c b/src/testcurl/https/test_tls_options.c
@@ -134,53 +134,6 @@ main (int argc, char *const *argv)
fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
errorCount++;
}
-#if 0
- /* this used to work, but somehow no longer. gnutls issue? */
- if (0 !=
- test_wrap ("SSL3.0-AES256-SHA1",
- &test_https_transfer, NULL, daemon_flags,
- aes256_sha,
- CURL_SSLVERSION_SSLv3,
- MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
- MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
- MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
- MHD_OPTION_END))
- {
- fprintf (stderr, "SSL3.0-AES256-SHA1 test failed\n");
- errorCount++;
- }
- if (0 !=
- test_wrap ("SSL3.0-AES-SHA1",
- &test_https_transfer, NULL, daemon_flags,
- aes128_sha,
- CURL_SSLVERSION_SSLv3,
- MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
- MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
- MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
- MHD_OPTION_END))
- {
- fprintf (stderr, "SSL3.0-AES-SHA1 test failed\n");
- errorCount++;
- }
-#endif
-
-
-#if 0
- /* manual inspection of the handshake suggests that CURL will
- request TLSv1, we send back "SSL3" and CURL takes it *despite*
- being configured to speak SSL3-only. Notably, the other way
- round (have curl request SSL3, respond with TLSv1 only)
- is properly refused by CURL. Either way, this does NOT seem
- to be a bug in MHD/gnuTLS but rather in CURL; hence this
- test is commented out here... */
- errorCount +=
- test_wrap ("unmatching version: SSL3 vs. TLS", &test_unmatching_ssl_version,
- NULL, daemon_flags, "AES256-SHA", CURL_SSLVERSION_TLSv1,
- MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
- MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
- MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);
-#endif
-
fprintf (stderr,
"The following handshake should fail (and print an error message)...\n");
if (0 !=