Remove TLS13DowngradeTest
This test mattered in early days of TLS 1.3, because we disabled the
check in BoringSSL and partially replicated it in Chromium. We also
conditioned it on known roots.
That's all cleared now and we just rely on BoringSSL to enforce this. I
think we can thus just rely on BoringSSL's tests, as we do for most of
the rest of the handshake. (This one is a little tricky to test without
tlslite because only a broken TLS server would fully complete the
handshake with an unexpected ServerHello.random marker.)
With this, the last tlslite-specific TLS customization is gone and we
can remove tlslite from testserver.py! (But policy_testserver.py still
has a use to clean up.)
Bug: 1250903
Change-Id: I30cc6edd602bc8c1550a96ec05c053cdfd3efdaf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3286265
Commit-Queue: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#942753}
NOKEYCHECK=True
GitOrigin-RevId: 77862729996272491479ed8983e9fdd427870b4e
diff --git a/testserver.py b/testserver.py
index d523f33..594c0f3 100755
--- a/testserver.py
+++ b/testserver.py
@@ -101,8 +101,7 @@
client verification."""
def __init__(self, server_address, request_hander_class, pem_cert_and_key,
- ssl_client_auth, ssl_client_cas, simulate_tls13_downgrade,
- simulate_tls12_downgrade, tls_max_version):
+ ssl_client_auth, ssl_client_cas):
self.cert_chain = tlslite.api.X509CertChain()
self.cert_chain.parsePemList(pem_cert_and_key)
# Force using only python implementation - otherwise behavior is different
@@ -125,12 +124,6 @@
self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
# Enable SSLv3 for testing purposes.
self.ssl_handshake_settings.minVersion = (3, 0)
- if simulate_tls13_downgrade:
- self.ssl_handshake_settings.simulateTLS13Downgrade = True
- if simulate_tls12_downgrade:
- self.ssl_handshake_settings.simulateTLS12Downgrade = True
- if tls_max_version != 0:
- self.ssl_handshake_settings.maxVersion = (3, tls_max_version)
self.session_cache = tlslite.api.SessionCache()
testserver_base.StoppableHTTPServer.__init__(self,
@@ -394,11 +387,9 @@
'specified trusted client CA file not found: ' + ca_cert +
' exiting...')
- server = HTTPSServer(
- (host, port), TestPageHandler, pem_cert_and_key,
- self.options.ssl_client_auth, self.options.ssl_client_ca,
- self.options.simulate_tls13_downgrade,
- self.options.simulate_tls12_downgrade, self.options.tls_max_version)
+ server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key,
+ self.options.ssl_client_auth,
+ self.options.ssl_client_ca)
print('HTTPS server started on https://%s:%d...' %
(host, server.server_port))
else:
@@ -502,14 +493,6 @@
self.option_parser.add_option('--ws-basic-auth', action='store_true',
dest='ws_basic_auth',
help='Enable basic-auth for WebSocket')
- self.option_parser.add_option('--simulate-tls13-downgrade',
- action='store_true')
- self.option_parser.add_option('--simulate-tls12-downgrade',
- action='store_true')
- self.option_parser.add_option('--tls-max-version', default='0', type='int',
- help='If non-zero, the maximum TLS version '
- 'to support. 1 means TLS 1.0, 2 means '
- 'TLS 1.1, and 3 means TLS 1.2.')
self.option_parser.add_option('--redirect-connect-to-localhost',
dest='redirect_connect_to_localhost',
default=False, action='store_true',