From 01bf63115950753170a8e452026333cd61c13eff Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 14:15:57 +0100 Subject: [PATCH 1/9] Fix NULL+0 undefined behavior in ECB encryption and decryption psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to a null pointer when the cipher does not use an IV. This is undefined behavior, although it works as naively expected on most platforms. This can cause a crash with modern Clang+ASan (depending on compiler optimizations). Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-ecb-ub.txt | 3 ++ library/common.h | 37 +++++++++++++++++++++ library/psa_crypto.c | 4 +-- library/psa_crypto_cipher.c | 22 +++++++----- tests/suites/test_suite_psa_crypto.function | 5 +-- 5 files changed, 58 insertions(+), 13 deletions(-) create mode 100644 ChangeLog.d/psa-ecb-ub.txt diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt new file mode 100644 index 000000000..9d725ac70 --- /dev/null +++ b/ChangeLog.d/psa-ecb-ub.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix undefined behavior (typically harmless in practice) in PSA ECB + encryption and decryption. diff --git a/library/common.h b/library/common.h index c06472418..c36615680 100644 --- a/library/common.h +++ b/library/common.h @@ -29,6 +29,7 @@ #include "mbedtls/config.h" #endif +#include #include /** Helper to define a function as static except when building invasive tests. @@ -52,6 +53,42 @@ #define MBEDTLS_STATIC_TESTABLE static #endif +/** Return an offset into a buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline unsigned char *mbedtls_buffer_offset( + unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + +/** Return an offset into a read-only buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline const unsigned char *mbedtls_buffer_offset_const( + const unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + /** Byte Reading Macros * * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f76c8296d..10c7d1e66 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3638,8 +3638,8 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, - output + default_iv_length, output_size - default_iv_length, - output_length ); + mbedtls_buffer_offset( output, default_iv_length ), + output_size - default_iv_length, output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 38962cd84..13006fa4a 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -514,9 +514,10 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, if( status != PSA_SUCCESS ) goto exit; - status = mbedtls_psa_cipher_finish( &operation, output + update_output_length, - output_size - update_output_length, - &finish_output_length ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, update_output_length ), + output_size - update_output_length, &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; @@ -560,17 +561,20 @@ psa_status_t mbedtls_psa_cipher_decrypt( goto exit; } - status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, - input_length - operation.iv_length, - output, output_size, &olength ); + status = mbedtls_psa_cipher_update( + &operation, + mbedtls_buffer_offset_const( input, operation.iv_length ), + input_length - operation.iv_length, + output, output_size, &olength ); if( status != PSA_SUCCESS ) goto exit; accumulated_length = olength; - status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, - &olength ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, accumulated_length ), + output_size - accumulated_length, &olength ); if( status != PSA_SUCCESS ) goto exit; diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f9e909372..0f4e31333 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4,6 +4,7 @@ #include "mbedtls/asn1.h" #include "mbedtls/asn1write.h" #include "mbedtls/oid.h" +#include "common.h" /* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() * uses mbedtls_ctr_drbg internally. */ @@ -2658,7 +2659,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; @@ -2676,7 +2677,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; From 8fe23a065a6226a6fab1ce73523e7d5cb4763568 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 17:24:37 +0100 Subject: [PATCH 2/9] Fix MSVC 12 (Visual Studio 2013) choking on inline Signed-off-by: Gilles Peskine --- library/common.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/common.h b/library/common.h index c36615680..0169325bb 100644 --- a/library/common.h +++ b/library/common.h @@ -32,6 +32,12 @@ #include #include +/* Define `inline` on some non-C99-compliant compilers. */ +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + /** Helper to define a function as static except when building invasive tests. * * If a function is only used inside its own source file and should be From 4eea196d44299a7f2c35d00bc34f99c962baec57 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Nov 2022 22:21:15 +0100 Subject: [PATCH 3/9] Enable all ciphers in OpenSSL >=1.1.0 OpenSSL may be configured to support features such as cipher suites or protocol versions that are disabled by default. Enable them all: we're testing, we don't care about enabling insecure stuff. This is not needed with the builds of OpenSSL that we're currently using on the Jenkins CI, but it's needed with more recent versions such as typically found on developer machines, and with future CI additions. The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we don't need to do anything special with earlier versions. With OpenSSL 1.1.1f on Ubuntu 20.04, this is needed to enable TLS 1.0, TLS 1.1 and DTLS 1.0. This also allows SHA-1 in certificates, which is still needed for a few test cases in ssl-opt.sh. Curiously, this is also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and no other, including other DHE-PSK or ARIA cipher suites). Signed-off-by: Gilles Peskine --- tests/compat.sh | 14 ++++++++++++++ tests/ssl-opt.sh | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 560af59d6..ee2d46001 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -930,6 +930,20 @@ setup_arguments() G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" + # Newer versions of OpenSSL have a syntax to enable all "ciphers", even + # low-security ones. This covers not just cipher suites but also protocol + # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on + # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in + # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find + # a way to discover it from -help, so check the openssl version. + case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0" + O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0" + ;; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fbf3bf7b8..c1fffa9ed 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1493,6 +1493,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT" fi +# Newer versions of OpenSSL have a syntax to enable all "ciphers", even +# low-security ones. This covers not just cipher suites but also protocol +# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on +# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in +# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find +# a way to discover it from -help, so check the openssl version. +case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLI="$O_CLI -cipher ALL@SECLEVEL=0" + O_SRV="$O_SRV -cipher ALL@SECLEVEL=0" + ;; +esac + if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" From a7ba2b57af9381e20ba9aab45298810f6b304fe1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 24 Nov 2022 12:59:52 +0100 Subject: [PATCH 4/9] compat.sh: Restore testing against OpenSSL for pre 1.2 TLS versions Restore compatibiltiy testing against OpenSSL for (D)TLS versions smaller that 1.2. . Fix the check for support in OpenSSL for these versions . For test cases for (D)TLS version smaller than 1.2, restore the configuration of OpenSSL client/server with the given TLS version, as it was before #5660 that broke it. Signed-off-by: Ronald Cron --- tests/compat.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index ee2d46001..6791c5511 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -867,12 +867,15 @@ setup_arguments() G_MODE="" case "$MODE" in "ssl3") + O_MODE="ssl3" G_PRIO_MODE="+VERS-SSL3.0" ;; "tls1") + O_MODE="tls1" G_PRIO_MODE="+VERS-TLS1.0" ;; "tls1_1") + O_MODE="tls1_1" G_PRIO_MODE="+VERS-TLS1.1" ;; "tls12") @@ -880,6 +883,7 @@ setup_arguments() G_PRIO_MODE="+VERS-TLS1.2" ;; "dtls1") + O_MODE="dtls1" G_PRIO_MODE="+VERS-DTLS1.0" G_MODE="-u" ;; From 35e58d8e2abf9796dcb94dccdf5d6ac2f89e7441 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 14:30:00 +0100 Subject: [PATCH 5/9] Update the Travis "full" build to use modern Clang Don't use an all.sh component because there isn't one that does what we want (modern Clang with ASan, and test everything). * We need to set CC explicitly or tweak PATH, because clang in $PATH on Travis focal instances is Clang 7 which is too old (we want Clang 10). * Travis lacks the array of versions of openssl and gnutls that we normally use for testing, so we need to exclude some tests (or build our own multiple versions of openssl and gnutls). The SSL test exclusions are ad hoc and based on what currently works. Signed-off-by: Gilles Peskine --- .travis.yml | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2b41c28f1..0e3f9b0e7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,8 +27,42 @@ jobs: - tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus - name: full configuration + os: linux + dist: focal + addons: + apt: + packages: + - clang-10 + - gnutls-bin script: - - tests/scripts/all.sh -k test_full_cmake_gcc_asan + # Do a manual build+test sequence rather than using all.sh, + # because there's no all.sh component that does what we want, + # which is a build with Clang >= 10 and ASan, running all the SSL + # testing. + # - The clang executable in the default PATH is Clang 7 on + # Travis's focal instances, but we want Clang >= 10. + # - Running all the SSL testing requires a specific set of + # OpenSSL and GnuTLS versions and we don't want to bother + # with those on Travis. + # So we explicitly select clang-10 as the compiler, and we + # have ad hoc restrictions on SSL testing based on what is + # passing at the time of writing. We will remove these limitations + # gradually. + - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all' + - make test + - programs/test/selftest + - tests/scripts/test_psa_constant_names.py + - tests/ssl-opt.sh + # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4' + - tests/scripts/travis-log-failure.sh + # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. + # Modern GnuTLS does not support DES. + # One NULL cipher suite is strangely missing in pre-1.2 protocol + # versions (it works with (D)TLS1.2, but don't bother). + - tests/compat.sh -p GnuTLS -e 'CAMELLIA\|DES\|TLS-RSA-WITH-NULL-SHA256' + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh - name: Windows os: windows From 53740c84731a05dcc3358004b5dfcfb1e83d2246 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 11:33:11 +0100 Subject: [PATCH 6/9] Travis: exclude test cases that are failing mysteriously The test cases using tcp_client.pl are failing only on Travis's bionic and focal systems (I can't reproduce the failure locally). Exclude them. Signed-off-by: Gilles Peskine --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 0e3f9b0e7..d7d2c7d43 100644 --- a/.travis.yml +++ b/.travis.yml @@ -52,7 +52,9 @@ jobs: - make test - programs/test/selftest - tests/scripts/test_psa_constant_names.py - - tests/ssl-opt.sh + # Exclude a few test cases that are failing mysteriously. + # https://github.com/Mbed-TLS/mbedtls/issues/6660 + - tests/ssl-opt.sh -e 'Fallback SCSV: .*list' # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers. - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4' - tests/scripts/travis-log-failure.sh From d5514130275005e82f701cbec3d9ca52688991de Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 13:27:34 +0100 Subject: [PATCH 7/9] Remove now-redundant definitions of inline Signed-off-by: Gilles Peskine --- library/aria.c | 5 ----- library/chacha20.c | 5 ----- library/debug.c | 5 ----- library/ecp.c | 5 ----- library/ecp_curves.c | 5 ----- library/mps_reader.c | 5 ----- library/poly1305.c | 5 ----- 7 files changed, 35 deletions(-) diff --git a/library/aria.c b/library/aria.c index 924f95283..5e52eea91 100644 --- a/library/aria.c +++ b/library/aria.c @@ -37,11 +37,6 @@ #include "mbedtls/platform_util.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Parameter validation macros */ #define ARIA_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) diff --git a/library/chacha20.c b/library/chacha20.c index 44d1612bf..bd0701482 100644 --- a/library/chacha20.c +++ b/library/chacha20.c @@ -36,11 +36,6 @@ #if !defined(MBEDTLS_CHACHA20_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Parameter validation macros */ #define CHACHA20_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ) diff --git a/library/debug.c b/library/debug.c index 0cc5af8d1..353b4bf07 100644 --- a/library/debug.c +++ b/library/debug.c @@ -30,11 +30,6 @@ #include #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define DEBUG_BUF_SIZE 512 static int debug_threshold = 0; diff --git a/library/ecp.c b/library/ecp.c index 80adc55c8..ad19e05fb 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -104,11 +104,6 @@ #endif #endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */ -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_SELF_TEST) /* * Counts of point addition and doubling, and field multiplications. diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 2199be646..47761eef4 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -38,11 +38,6 @@ #define ECP_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} #define ECP_MPI_INIT_ARRAY(x) \ diff --git a/library/mps_reader.c b/library/mps_reader.c index 9af5073cc..b304db3f4 100644 --- a/library/mps_reader.c +++ b/library/mps_reader.c @@ -29,11 +29,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_MPS_ENABLE_TRACE) static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER; #endif /* MBEDTLS_MPS_ENABLE_TRACE */ diff --git a/library/poly1305.c b/library/poly1305.c index f38f48a45..a1c5b19d8 100644 --- a/library/poly1305.c +++ b/library/poly1305.c @@ -32,11 +32,6 @@ #if !defined(MBEDTLS_POLY1305_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Parameter validation macros */ #define POLY1305_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ) From ff97f336e3f05849d9e80412f98ebaa383463456 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 13:34:59 +0100 Subject: [PATCH 8/9] Explain why p + n isn't good enough Signed-off-by: Gilles Peskine --- library/common.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/common.h b/library/common.h index 0169325bb..1663d5022 100644 --- a/library/common.h +++ b/library/common.h @@ -63,6 +63,9 @@ * * This is just the addition of an offset to a pointer, except that this * function also accepts an offset of 0 into a buffer whose pointer is null. + * (`p + n` has undefined behavior when `p` is null, even when `n == 0`. + * A null pointer is a valid buffer pointer when the size is 0, for example + * as the result of `malloc(0)` on some platforms.) * * \param p Pointer to a buffer of at least n bytes. * This may be \p NULL if \p n is zero. @@ -79,8 +82,7 @@ static inline unsigned char *mbedtls_buffer_offset( /** Return an offset into a read-only buffer. * - * This is just the addition of an offset to a pointer, except that this - * function also accepts an offset of 0 into a buffer whose pointer is null. + * Similar to mbedtls_buffer_offset(), but for const pointers. * * \param p Pointer to a buffer of at least n bytes. * This may be \p NULL if \p n is zero. From a1d41c0a7546f1839c2d02504e5b1154f177e4f8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 13:57:34 +0100 Subject: [PATCH 9/9] You can't have colon-space in unquoted YAML (plain scalars) Signed-off-by: Gilles Peskine --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d7d2c7d43..cdf74c717 100644 --- a/.travis.yml +++ b/.travis.yml @@ -54,7 +54,7 @@ jobs: - tests/scripts/test_psa_constant_names.py # Exclude a few test cases that are failing mysteriously. # https://github.com/Mbed-TLS/mbedtls/issues/6660 - - tests/ssl-opt.sh -e 'Fallback SCSV: .*list' + - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list' # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers. - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4' - tests/scripts/travis-log-failure.sh