Fix TLS 1.3 downgrade tests.
The client downgrade detection tests were not asserting on the error (would
have caught the missing error string). Additionally, Downgrade-FalseStart-Draft
isn't testing what it's supposed to; it doesn't actually configure a draft
version or anything. Fix that and have it use ALPN rather than NPN, to match
the test above.
Change-Id: I0b759385641aa00994a912303a6f5bd65522b4bb
Reviewed-on: https://boringssl-review.googlesource.com/31204
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7c5b84c..5955eda 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5902,6 +5902,7 @@
tls13Variant: TLS13RFC,
expectedVersion: VersionTLS12,
shouldFail: true,
+ expectedError: ":TLS13_DOWNGRADE:",
expectedLocalError: "remote error: illegal parameter",
})
testCases = append(testCases, testCase{
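Review bot: Nothing on the added `expectedError: ":TLS13_DOWNGRADE:"` line says why the shim-side error is pinned in addition to `expectedLocalError`, and the same applies to the identical line in the next hunk (the `VersionTLS11` case). Judging by the commit message, `shouldFail: true` on its own was satisfied without checking which error the shim reported, so a handshake that failed for an unrelated reason could hide a regression in the downgrade check. I would add a comment above the line, for example `// Pin the failure to the shim's downgrade check, not just any handshake error.` Both test-case literals begin outside their hunks, so it is worth confirming that the other downgrade cases in this function set `expectedError` as well.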
@@ -5928,6 +5929,7 @@
tls13Variant: TLS13RFC,
expectedVersion: VersionTLS11,
shouldFail: true,
+ expectedError: ":TLS13_DOWNGRADE:",
expectedLocalError: "remote error: illegal parameter",
})
testCases = append(testCases, testCase{
@@ -5992,23 +5994,27 @@
expectedLocalError: "tls: peer did not false start: EOF",
})
+ // Test that draft TLS 1.3 versions do not trigger disabling False Start.
testCases = append(testCases, testCase{
name: "Downgrade-FalseStart-Draft",
config: Config{
MaxVersion: VersionTLS13,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ TLS13Variant: TLS13RFC,
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
},
},
+ expectedVersion: VersionTLS12,
flags: []string{
"-false-start",
- "-select-next-proto", "foo",
- "-max-version", strconv.Itoa(VersionTLS12),
+ "-advertise-alpn", "\x03foo",
+ "-expect-alpn", "foo",
+ "-ignore-tls13-downgrade",
+ "-tls13-variant", strconv.Itoa(TLS13Draft28),
+ "-max-version", strconv.Itoa(VersionTLS13),
},
shimWritesFirst: true,
- resumeSession: true,
})
// SSL 3.0 support has been removed. Test that the shim does not