Implement TLS 1.3's downgrade signal.
For now, skip the 1.2 -> 1.1 signal since that will affect shipping
code. We may as well enable it too, but wait until things have settled
down. This implements the version in draft-14 since draft-13's isn't
backwards-compatible.
Change-Id: I46be43e6f4c5203eb4ae006d1c6a2fe7d7a949ec
Reviewed-on: https://boringssl-review.googlesource.com/8724
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index a54c357..3531909 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3614,6 +3614,29 @@
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
+
+ // Test TLS 1.3's downgrade signal.
+ testCases = append(testCases, testCase{
+ name: "Downgrade-TLS12-Client",
+ config: Config{
+ Bugs: ProtocolBugs{
+ NegotiateVersion: VersionTLS12,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":DOWNGRADE_DETECTED:",
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "Downgrade-TLS12-Server",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendClientVersion: VersionTLS12,
+ },
+ },
+ shouldFail: true,
+ expectedLocalError: "tls: downgrade from TLS 1.3 detected",
+ })
}
func addMinimumVersionTests() {