summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--test/confs/20023
-rw-r--r--test/confs/20193
-rwxr-xr-xtest/runtest3
-rw-r--r--test/src/client.c58
4 files changed, 47 insertions, 20 deletions
diff --git a/test/confs/2002 b/test/confs/2002
index b154c82d3..7299122e8 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -40,7 +40,8 @@ check_recipient:
DES-CBC3-SHA : \
DHE_RSA_AES_256_CBC_SHA1 : \
DHE_RSA_3DES_EDE_CBC_SHA : \
- RSA_AES_256_CBC_SHA1
+ RSA_AES_256_CBC_SHA1 : \
+ ECDHE_RSA_AES_256_GCM_SHA384
warn logwrite = ${if def:tls_in_ourcert \
{Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
{We did not present a cert}}
diff --git a/test/confs/2019 b/test/confs/2019
index f3ddd4591..798eb73d7 100644
--- a/test/confs/2019
+++ b/test/confs/2019
@@ -39,7 +39,8 @@ check_recipient:
DES-CBC3-SHA:\
DHE_RSA_AES_256_CBC_SHA1:\
DHE_RSA_3DES_EDE_CBC_SHA:\
- RSA_AES_256_CBC_SHA1
+ RSA_AES_256_CBC_SHA1 :\
+ ECDHE_RSA_AES_256_GCM_SHA384
accept
diff --git a/test/runtest b/test/runtest
index f4e6bc7a5..724ccd9ed 100755
--- a/test/runtest
+++ b/test/runtest
@@ -859,6 +859,9 @@ RESET_AFTER_EXTRA_LINE_READ:
next if /^SSL info: SSLv3 read server key exchange A/;
next if /SSL verify error: depth=0 error=certificate not trusted/;
s/SSL3_READ_BYTES/ssl3_read_bytes/;
+
+ # gnutls version variances
+ next if /^Error in the pull function./;
}
# ======== stderr ========
diff --git a/test/src/client.c b/test/src/client.c
index ac9a965e0..2bd640205 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -93,15 +93,16 @@ latter needs a whole pile of tables. */
/* Local static variables for GNUTLS */
-static gnutls_dh_params dh_params = NULL;
+static gnutls_dh_params_t dh_params = NULL;
static gnutls_certificate_credentials_t x509_cred = NULL;
-static gnutls_session tls_session = NULL;
+static gnutls_session_t tls_session = NULL;
static int ssl_session_timeout = 200;
/* Priorities for TLS algorithms to use. */
+#if GNUTLS_VERSION_NUMBER < 0x030400
static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
static const int kx_priority[16] = {
@@ -123,7 +124,7 @@ static const int mac_priority[16] = {
0 };
static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
+#endif
#endif /*HAVE_GNUTLS*/
@@ -356,7 +357,7 @@ init_dh(void)
{
int fd;
int ret;
-gnutls_datum m;
+gnutls_datum_t m;
uschar filename[200];
struct stat statbuf;
@@ -449,13 +450,14 @@ if (ocsp_stapling)
* Initialize a single GNUTLS session *
*************************************************/
-static gnutls_session
+static gnutls_session_t
tls_session_init(void)
{
-gnutls_session session;
+gnutls_session_t session;
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
+#if GNUTLS_VERSION_NUMBER < 0x030400
gnutls_cipher_set_priority(session, default_cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
@@ -463,6 +465,10 @@ gnutls_protocol_set_priority(session, protocol_priority);
gnutls_mac_set_priority(session, mac_priority);
gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#else
+gnutls_set_default_priority(session);
+gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#endif
gnutls_dh_set_prime_bits(session, DH_BITS);
gnutls_db_set_cache_expiration(session, ssl_session_timeout);
@@ -794,7 +800,7 @@ tls_session = tls_session_init();
if (ocsp_stapling)
gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL);
#endif
-gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock);
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr_t)(intptr_t)sock);
/* When the server asks for a certificate and the client does not have one,
there is a SIGPIPE error in the gnutls_handshake() function for some reason
@@ -815,24 +821,32 @@ if (tls_on_connect)
{
printf("Attempting to start TLS\n");
- #ifdef HAVE_OPENSSL
+#ifdef HAVE_OPENSSL
tls_active = tls_start(sock, &ssl, ctx);
- #endif
+#endif
- #ifdef HAVE_GNUTLS
+#ifdef HAVE_GNUTLS
+ {
+ int rc;
sigalrm_seen = FALSE;
alarm(timeout);
- tls_active = gnutls_handshake(tls_session) >= 0;
+ do {
+ rc = gnutls_handshake(tls_session);
+ } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+ tls_active = rc >= 0;
alarm(0);
- #endif
+
+ if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+ }
+#endif
if (!tls_active)
printf("Failed to start TLS\n");
- #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
+#if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
else if ( ocsp_stapling
&& gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
printf("Failed to verify certificate status\n");
- #endif
+#endif
else
printf("Succeeded in starting TLS\n");
}
@@ -919,10 +933,18 @@ int rc;
#endif
#ifdef HAVE_GNUTLS
- sigalrm_seen = FALSE;
- alarm(timeout);
- tls_active = gnutls_handshake(tls_session) >= 0;
- alarm(0);
+ {
+ int rc;
+ sigalrm_seen = FALSE;
+ alarm(timeout);
+ do {
+ rc = gnutls_handshake(tls_session);
+ } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+ tls_active = rc >= 0;
+ alarm(0);
+
+ if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+ }
#endif
if (!tls_active)