diff --git a/.travis.yml b/.travis.yml index cdf74c717..eb01a44ab 100644 --- a/.travis.yml +++ b/.travis.yml @@ -55,8 +55,8 @@ jobs: # Exclude a few test cases that are failing mysteriously. # https://github.com/Mbed-TLS/mbedtls/issues/6660 - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list' - # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4' + # Modern OpenSSL does not support null or ancient ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|DES\|RC4' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. # Modern GnuTLS does not support DES. diff --git a/tests/compat.sh b/tests/compat.sh index f96c4e4c6..e7f9d4981 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -861,6 +861,16 @@ add_mbedtls_ciphersuites() esac } +# o_check_ciphersuite CIPHER_SUITE_NAME +o_check_ciphersuite() +{ + if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + case "$1" in + *ECDH-*) SKIP_NEXT="YES" + esac + fi +} + setup_arguments() { O_MODE="" @@ -947,6 +957,11 @@ setup_arguments() ;; esac + case $($OPENSSL ciphers ALL) in + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; + *) O_SUPPORT_ECDH="NO";; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" @@ -1160,7 +1175,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If the cipher isn't supported... + # If it is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else @@ -1373,6 +1388,7 @@ for MODE in $MODES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "OpenSSL" for i in $M_CIPHERS; do + o_check_ciphersuite "$i" run_client mbedTLS $i done stop_server @@ -1381,6 +1397,7 @@ for MODE in $MODES; do if [ "X" != "X$O_CIPHERS" ]; then start_server "mbedTLS" for i in $O_CIPHERS; do + o_check_ciphersuite "$i" run_client OpenSSL $i done stop_server