2 files changed, 52 insertions, 28 deletions
diff --git a/src/testcurl/https/mhds_session_info_test.c b/src/testcurl/https/mhds_session_info_test.c
index 3cfb39c4..d77add8f 100644
--- a/src/testcurl/https/mhds_session_info_test.c
+++ b/src/testcurl/https/mhds_session_info_test.c
@@ -56,13 +56,13 @@ query_session_ahc (void *cls, struct MHD_Connection *connection,
    }
  /* assert actual connection cipher is the one negotiated */
-  if (GNUTLS_CIPHER_AES_256_CBC != 
+  if (GNUTLS_CIPHER_ARCFOUR_128 != 
      (ret = MHD_get_connection_info
       (connection,
        MHD_CONNECTION_INFO_CIPHER_ALGO)->cipher_algorithm))
    {
      fprintf (stderr, "Error: requested cipher mismatch (wanted %d, got %d)\n",
-               GNUTLS_CIPHER_AES_256_CBC,
+               GNUTLS_CIPHER_ARCFOUR_128,
               ret);
      return -1;
    }
@@ -86,7 +86,8 @@ query_session_ahc (void *cls, struct MHD_Connection *connection,
  return ret;
 }
-/*
+/**
 * negotiate a secure connection with server & query negotiated security parameters
 */
 static int
@@ -108,7 +109,7 @@ test_query_session ()
  d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
                        MHD_USE_DEBUG, DEAMON_TEST_PORT,
                        NULL, NULL, &query_session_ahc, NULL,
-                        MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:-AES-128-CBC",
+                        MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:+ARCFOUR-128",
                        MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
                        MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
                        MHD_OPTION_END);
@@ -116,7 +117,7 @@ test_query_session ()
  if (d == NULL)
    return 2;
-  char *aes256_sha = "AES256-SHA";
+  const char *aes256_sha = "AES256-SHA";
  if (curl_uses_nss_ssl() == 0)
    {
      aes256_sha = "rsa_aes_256_sha";
@@ -155,8 +156,8 @@ test_query_session ()
      return -1;
    }
-  MHD_stop_daemon (d);
  curl_easy_cleanup (c);
+  MHD_stop_daemon (d);
  free (cbc.buf);
  return 0;
 }
diff --git a/src/testcurl/https/tls_daemon_options_test.c b/src/testcurl/https/tls_daemon_options_test.c
index f1b1b7fd..1c604daf 100644
--- a/src/testcurl/https/tls_daemon_options_test.c
+++ b/src/testcurl/https/tls_daemon_options_test.c
@@ -58,6 +58,7 @@ test_unmatching_ssl_version (void * cls, const char *cipher_suite,
  if (gen_test_file_url (url, DEAMON_TEST_PORT))
    {
      free (cbc.buf);
+      fprintf (stderr, "Internal error in gen_test_file_url\n");
      return -1;
    }
@@ -104,7 +105,7 @@ main (int argc, char *const *argv)
    }
  
-  errorCount +=
+  if (0 != 
    test_wrap ("TLS1.0-AES-SHA1",
               &test_https_transfer, NULL, daemon_flags,
               aes128_sha,
@@ -112,26 +113,42 @@ main (int argc, char *const *argv)
               MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
               MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
               MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
-               MHD_OPTION_END);
+               MHD_OPTION_END))
+    {
+      fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
+      errorCount++;
+    }
+#if 0
+  /* this used to work, but somehow no longer.  gnutls issue? */
+  if (0 != 
+      test_wrap ("SSL3.0-AES256-SHA1", 
+                 &test_https_transfer, NULL, daemon_flags,
+                 aes256_sha,
+                 CURL_SSLVERSION_SSLv3,
+                 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+                 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+                 MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
+               MHD_OPTION_END))
+    {
+      fprintf (stderr, "SSL3.0-AES256-SHA1 test failed\n");
+      errorCount++;
+    }
+  if (0 !=
+      test_wrap ("SSL3.0-AES-SHA1",
+                 &test_https_transfer, NULL, daemon_flags,
+                 aes128_sha,
+                 CURL_SSLVERSION_SSLv3,
+                 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
+                 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
+                 MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
+                 MHD_OPTION_END))
+    {
+      fprintf (stderr, "SSL3.0-AES-SHA1 test failed\n");
+      errorCount++;
+    }
+#endif
-  errorCount +=
-    test_wrap ("SSL3.0-AES256-SHA1",
-               &test_https_transfer, NULL, daemon_flags,
-               aes256_sha,
-               CURL_SSLVERSION_SSLv3,
-               MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
-               MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
-               MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
-               MHD_OPTION_END);
-  errorCount +=
-    test_wrap ("SSL3.0-AES-SHA1",
-               &test_https_transfer, NULL, daemon_flags,
-               aes128_sha,
-               CURL_SSLVERSION_SSLv3,
-               MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
-               MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
-               MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
-               MHD_OPTION_END);
 #if 0
  /* manual inspection of the handshake suggests that CURL will
     request TLSv1, we send back "SSL3" and CURL takes it *despite*
@@ -148,7 +165,9 @@ main (int argc, char *const *argv)
               MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);
 #endif
-  errorCount +=
+  fprintf (stderr,
+           "The following handshake should fail (and print an error message)...\n");
+  if (0 !=
    test_wrap ("TLS1.0 vs SSL3",
               &test_unmatching_ssl_version, NULL, daemon_flags,
               aes256_sha,
@@ -156,7 +175,11 @@ main (int argc, char *const *argv)
               MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
               MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
               MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
-               MHD_OPTION_END);
+               MHD_OPTION_END))
+    {
+      fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
+      errorCount++;
+    }
  curl_global_cleanup ();
  return errorCount != 0;

diff --git a/src/testcurl/https/mhds_session_info_test.c b/src/testcurl/https/mhds_session_info_test.c index 3cfb39c4..d77add8f 100644 --- a/src/testcurl/https/mhds_session_info_test.c +++ b/src/testcurl/https/mhds_session_info_test.c
@@ -56,13 +56,13 @@ query_session_ahc (void cls, struct MHD_Connection connection,
56	}	56	}
57		57
58	/* assert actual connection cipher is the one negotiated */	58	/* assert actual connection cipher is the one negotiated */
59	if (GNUTLS_CIPHER_AES_256_CBC !=	59	if (GNUTLS_CIPHER_ARCFOUR_128 !=
60	(ret = MHD_get_connection_info	60	(ret = MHD_get_connection_info
61	(connection,	61	(connection,
62	MHD_CONNECTION_INFO_CIPHER_ALGO)->cipher_algorithm))	62	MHD_CONNECTION_INFO_CIPHER_ALGO)->cipher_algorithm))
63	{	63	{
64	fprintf (stderr, "Error: requested cipher mismatch (wanted %d, got %d)\n",	64	fprintf (stderr, "Error: requested cipher mismatch (wanted %d, got %d)\n",
65	GNUTLS_CIPHER_AES_256_CBC,	65	GNUTLS_CIPHER_ARCFOUR_128,
66	ret);	66	ret);
67	return -1;	67	return -1;
68	}	68	}
@@ -86,7 +86,8 @@ query_session_ahc (void cls, struct MHD_Connection connection,
86	return ret;	86	return ret;
87	}	87	}
88		88
89	/*	89
		90	/**
90	* negotiate a secure connection with server & query negotiated security parameters	91	* negotiate a secure connection with server & query negotiated security parameters
91	*/	92	*/
92	static int	93	static int
@@ -108,7 +109,7 @@ test_query_session ()
108	d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION \| MHD_USE_SSL \|	109	d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION \| MHD_USE_SSL \|
109	MHD_USE_DEBUG, DEAMON_TEST_PORT,	110	MHD_USE_DEBUG, DEAMON_TEST_PORT,
110	NULL, NULL, &query_session_ahc, NULL,	111	NULL, NULL, &query_session_ahc, NULL,
111	MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:-AES-128-CBC",	112	MHD_OPTION_HTTPS_PRIORITIES, "NORMAL:+ARCFOUR-128",
112	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,	113	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
113	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,	114	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
114	MHD_OPTION_END);	115	MHD_OPTION_END);
@@ -116,7 +117,7 @@ test_query_session ()
116	if (d == NULL)	117	if (d == NULL)
117	return 2;	118	return 2;
118		119
119	char *aes256_sha = "AES256-SHA";	120	const char *aes256_sha = "AES256-SHA";
120	if (curl_uses_nss_ssl() == 0)	121	if (curl_uses_nss_ssl() == 0)
121	{	122	{
122	aes256_sha = "rsa_aes_256_sha";	123	aes256_sha = "rsa_aes_256_sha";
@@ -155,8 +156,8 @@ test_query_session ()
155	return -1;	156	return -1;
156	}	157	}
157		158
158	MHD_stop_daemon (d);
159	curl_easy_cleanup (c);	159	curl_easy_cleanup (c);
		160	MHD_stop_daemon (d);
160	free (cbc.buf);	161	free (cbc.buf);
161	return 0;	162	return 0;
162	}	163	}


diff --git a/src/testcurl/https/tls_daemon_options_test.c b/src/testcurl/https/tls_daemon_options_test.c index f1b1b7fd..1c604daf 100644 --- a/src/testcurl/https/tls_daemon_options_test.c +++ b/src/testcurl/https/tls_daemon_options_test.c
@@ -58,6 +58,7 @@ test_unmatching_ssl_version (void * cls, const char *cipher_suite,
58	if (gen_test_file_url (url, DEAMON_TEST_PORT))	58	if (gen_test_file_url (url, DEAMON_TEST_PORT))
59	{	59	{
60	free (cbc.buf);	60	free (cbc.buf);
		61	fprintf (stderr, "Internal error in gen_test_file_url\n");
61	return -1;	62	return -1;
62	}	63	}
63		64
@@ -104,7 +105,7 @@ main (int argc, char const argv)
104	}	105	}
105		106
106		107
107	errorCount +=	108	if (0 !=
108	test_wrap ("TLS1.0-AES-SHA1",	109	test_wrap ("TLS1.0-AES-SHA1",
109	&test_https_transfer, NULL, daemon_flags,	110	&test_https_transfer, NULL, daemon_flags,
110	aes128_sha,	111	aes128_sha,
@@ -112,26 +113,42 @@ main (int argc, char const argv)
112	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,	113	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
113	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,	114	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
114	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",	115	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
115	MHD_OPTION_END);	116	MHD_OPTION_END))
		117	{
		118	fprintf (stderr, "TLS1.0-AES-SHA1 test failed\n");
		119	errorCount++;
		120	}
		121	#if 0
		122	/* this used to work, but somehow no longer. gnutls issue? */
		123	if (0 !=
		124	test_wrap ("SSL3.0-AES256-SHA1",
		125	&test_https_transfer, NULL, daemon_flags,
		126	aes256_sha,
		127	CURL_SSLVERSION_SSLv3,
		128	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
		129	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
		130	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
		131	MHD_OPTION_END))
		132	{
		133	fprintf (stderr, "SSL3.0-AES256-SHA1 test failed\n");
		134	errorCount++;
		135	}
		136	if (0 !=
		137	test_wrap ("SSL3.0-AES-SHA1",
		138	&test_https_transfer, NULL, daemon_flags,
		139	aes128_sha,
		140	CURL_SSLVERSION_SSLv3,
		141	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
		142	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
		143	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
		144	MHD_OPTION_END))
		145	{
		146	fprintf (stderr, "SSL3.0-AES-SHA1 test failed\n");
		147	errorCount++;
		148	}
		149	#endif
		150
116		151
117	errorCount +=
118	test_wrap ("SSL3.0-AES256-SHA1",
119	&test_https_transfer, NULL, daemon_flags,
120	aes256_sha,
121	CURL_SSLVERSION_SSLv3,
122	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
123	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
124	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
125	MHD_OPTION_END);
126	errorCount +=
127	test_wrap ("SSL3.0-AES-SHA1",
128	&test_https_transfer, NULL, daemon_flags,
129	aes128_sha,
130	CURL_SSLVERSION_SSLv3,
131	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
132	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
133	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-SSL3.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL",
134	MHD_OPTION_END);
135	#if 0	152	#if 0
136	/* manual inspection of the handshake suggests that CURL will	153	/* manual inspection of the handshake suggests that CURL will
137	request TLSv1, we send back "SSL3" and CURL takes it despite	154	request TLSv1, we send back "SSL3" and CURL takes it despite
@@ -148,7 +165,9 @@ main (int argc, char const argv)
148	MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);	165	MHD_OPTION_CIPHER_ALGORITHM, "SSL3", MHD_OPTION_END);
149	#endif	166	#endif
150		167
151	errorCount +=	168	fprintf (stderr,
		169	"The following handshake should fail (and print an error message)...\n");
		170	if (0 !=
152	test_wrap ("TLS1.0 vs SSL3",	171	test_wrap ("TLS1.0 vs SSL3",
153	&test_unmatching_ssl_version, NULL, daemon_flags,	172	&test_unmatching_ssl_version, NULL, daemon_flags,
154	aes256_sha,	173	aes256_sha,
@@ -156,7 +175,11 @@ main (int argc, char const argv)
156	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,	175	MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
157	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,	176	MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
158	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",	177	MHD_OPTION_HTTPS_PRIORITIES, "NONE:+VERS-TLS1.0:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL",
159	MHD_OPTION_END);	178	MHD_OPTION_END))
		179	{
		180	fprintf (stderr, "TLS1.0 vs SSL3 test failed\n");
		181	errorCount++;
		182	}
160	curl_global_cleanup ();	183	curl_global_cleanup ();
161		184
162	return errorCount != 0;	185	return errorCount != 0;