Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5510863fbdb24867d80d607a78a1ac6437c9ba26^! / . / ssl / test / runner / runner.go
commit5510863fbdb24867d80d607a78a1ac6437c9ba26[log] [tgz]
authorDavid Benjamin <davidben@google.com>Thu Aug 11 22:01:18 2016 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Mon Sep 12 18:10:23 2016 +0000
treea9335dd2107d3d83e39e2909042cf56aa4010db5
parent0e9138d295cd556e830dc8b3be735e808680f4bd [diff] [blame]
Temporary remove the TLS 1.3 anti-downgrade mechanism.

This mechanism is incompatible with deploying draft versions of TLS 1.3.

Suppose a draft M client talks to a draft N server, M != N. (Either M or
N could also be the final standard revision should there be lingering
draft clients or servers.) The server will notice the mismatch and
pretend ClientHello.version is TLS 1.2, not TLS 1.3. But this will
trigger anti-downgrade signal and cause an interop failure! And if it
doesn't trigger, all the clever tricks around ServerHello.random being
signed in TLS 1.2 are moot.

We'll put this back when the dust has settled.

Change-Id: Ic3cf72b7c31ba91e5cca0cfd7a3fca830c493a43
Reviewed-on: https://boringssl-review.googlesource.com/11005
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7d2a6bf..5d77113 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -4207,8 +4207,8 @@
 				NegotiateVersion: VersionTLS12,
 			},
 		},
-		shouldFail:    true,
-		expectedError: ":DOWNGRADE_DETECTED:",
+		// TODO(davidben): This test should fail once TLS 1.3 is final
+		// and the fallback signal restored.
 	})
 	testCases = append(testCases, testCase{
 		testType: serverTest,
@@ -4218,8 +4218,8 @@
 				SendClientVersion: VersionTLS12,
 			},
 		},
-		shouldFail:         true,
-		expectedLocalError: "tls: downgrade from TLS 1.3 detected",
+		// TODO(davidben): This test should fail once TLS 1.3 is final
+		// and the fallback signal restored.
 	})
 
 	// Test that FALLBACK_SCSV is sent and that the downgrade signal works
@@ -4236,8 +4236,8 @@
 			"-max-version", strconv.Itoa(VersionTLS13),
 			"-fallback-version", strconv.Itoa(VersionTLS12),
 		},
-		shouldFail:    true,
-		expectedError: ":DOWNGRADE_DETECTED:",
+		// TODO(davidben): This test should fail once TLS 1.3 is final
+		// and the fallback signal restored.
 	})
 	testCases = append(testCases, testCase{
 		name: "Downgrade-TLS12-Client-FallbackEqualsMax",