crypto/tls: switch to OpenSSL 1.1.0 for test data.

We will need OpenSSL 1.1.0 in order to test some of the features expected for Go 1.8. However, 1.1.0 also disables (by default) some things that we still want to test, such as RC4, 3DES and SSLv3. Thus developers wanting to update the crypto/tls test data will need to build OpenSSL from source. This change updates the test data with transcripts generated by 1.1.0 (in order to reduce future diffs) and also causes a banner to be printed if 1.1.0 is not used when updating. (The test for an ALPN mismatch is removed because OpenSSL now terminates the connection with a fatal alert if no known ALPN protocols are offered. There's no point testing against this because it's an OpenSSL behaviour.) Change-Id: I957516975e0b8c7def84184f65c81d0b68f1c551 Reviewed-on: https://go-review.googlesource.com/30821 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-04-03 20:17:36 +03:00 · 2016-10-11 10:08:57 -07:00 · 2016-10-11 10:08:57 -07:00 · f0c7db843d
commit f0c7db843d
parent 4536ac70b0
64 changed files with 2840 additions and 2725 deletions
--- a/handshake_test.go
+++ b/handshake_test.go
@ -13,9 +13,11 @@ import (
 	"io"
 	"io/ioutil"
 	"net"
+	"os/exec"
 	"strconv"
 	"strings"
 	"sync"
+	"testing"
 )

 // TLS reference tests run a connection against a reference implementation
@ -35,7 +37,52 @@ import (
 // generate fresh random numbers, large parts of the reference connection will
 // always change.

-var update = flag.Bool("update", false, "update golden files on disk")
+var (
+	update = flag.Bool("update", false, "update golden files on disk")
+
+	opensslVersionTestOnce sync.Once
+	opensslVersionTestErr  error
+)
+
+func checkOpenSSLVersion(t *testing.T) {
+	opensslVersionTestOnce.Do(testOpenSSLVersion)
+	if opensslVersionTestErr != nil {
+		t.Fatal(opensslVersionTestErr)
+	}
+}
+
+func testOpenSSLVersion() {
+	// This test ensures that the version of OpenSSL looks reasonable
+	// before updating the test data.
+
+	if !*update {
+		return
+	}
+
+	openssl := exec.Command("openssl", "version")
+	output, err := openssl.CombinedOutput()
+	if err != nil {
+		opensslVersionTestErr = err
+		return
+	}
+
+	version := string(output)
+	if strings.HasPrefix(version, "OpenSSL 1.1.0") {
+		return
+	}
+
+	println("***********************************************")
+	println("")
+	println("You need to build OpenSSL 1.1.0 from source in order")
+	println("to update the test data.")
+	println("")
+	println("Configure it with:")
+	println("./Configure enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method -static linux-x86_64")
+	println("and then add the apps/ directory at the front of your PATH.")
+	println("***********************************************")
+
+	opensslVersionTestErr = errors.New("version of OpenSSL does not appear to be suitable for updating test data")
+}

 // recordingConn is a net.Conn that records the traffic that passes through it.
 // WriteTo can be used to produce output that can be later be loaded with