Implement FALLBACK_SCSV client-side
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4eafed4..ab7793a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -80,6 +80,21 @@
fi
}
+# skip next test if OpenSSL doesn't support FALLBACK_SCSV
+requires_openssl_with_fallback_scsv() {
+ if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
+ if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
+ then
+ OPENSSL_HAS_FBSCSV="YES"
+ else
+ OPENSSL_HAS_FBSCSV="NO"
+ fi
+ fi
+ if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
+ SKIP_NEXT="YES"
+ fi
+}
+
# skip next test if GnuTLS isn't available
requires_gnutls() {
if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
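Review bot: In `requires_openssl_with_fallback_scsv`, a missing or failing `$OPENSSL_CMD` is indistinguishable from an OpenSSL that lacks the option. In both cases the `grep` finds nothing, `OPENSSL_HAS_FBSCSV` becomes "NO" and `SKIP_NEXT` is set. The two interop tests are the only ones in this change that check the peer actually rejects a fallback handshake, so a broken tool path would drop that coverage without a failure; whether the skip is reported depends on `run_test`, which is outside the hunk. I would at least document this above the function, e.g. `# NOTE: a missing or broken $OPENSSL_CMD is treated as "no support", so the FALLBACK_SCSV interop tests are skipped, not failed`. The match is also a bare substring of the whole help text, so `grep -e -fallback_scsv` would tie it more closely to the option name.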
@@ -425,6 +440,45 @@
0 \
-s "dumping 'computed mac' (10 bytes)"
+# Tests for FALLBACK_SCSV
+
+run_test "Fallback SCSV: default" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 force_version=tls1_1" \
+ 0 \
+ -C "adding FALLBACK_SCSV" \
+ -C "is a fatal alert message (msg 86)"
+
+run_test "Fallback SCSV: explicitly disabled" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
+ 0 \
+ -C "adding FALLBACK_SCSV" \
+ -C "is a fatal alert message (msg 86)"
+
+run_test "Fallback SCSV: enabled" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
+ 0 \
+ -c "adding FALLBACK_SCSV" \
+ -C "is a fatal alert message (msg 86)"
+
+requires_openssl_with_fallback_scsv
+run_test "Fallback SCSV: default, openssl server" \
+ "$O_SRV" \
+ "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
+ 0 \
+ -C "adding FALLBACK_SCSV" \
+ -C "is a fatal alert message (msg 86)"
+
+requires_openssl_with_fallback_scsv
+run_test "Fallback SCSV: enabled, openssl server" \
+ "$O_SRV" \
+ "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
+ 1 \
+ -c "adding FALLBACK_SCSV" \
+ -c "is a fatal alert message (msg 86)"
+
# Tests for Session Tickets
run_test "Session resume using tickets: basic" \
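Review bot: The test named "Fallback SCSV: default, openssl server" passes `fallback=0`, so it repeats the explicitly-disabled case and the client's default is never exercised against the OpenSSL server. Either drop the option so the line reads `"$P_CLI debug_level=3 force_version=tls1_1" \`, or rename the test to "Fallback SCSV: explicitly disabled, openssl server". The final test's expected fatal alert (msg 86) also relies on `$O_SRV` offering a version above TLS 1.1. That is presumably true, but its definition is outside the hunk, so a one-line comment such as `# server must support > TLS 1.1 for the fallback to be detected` would make the precondition explicit.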