sync

regress/lib/libssl/Makefile

@@ -1,11 +1,11 @@
-#	$OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+#	$OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
 
 SUBDIR += api
 SUBDIR += asn1
 SUBDIR += buffer
 SUBDIR += bytestring
 SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
 SUBDIR += dtls
 SUBDIR += exporter
 SUBDIR += handshake
@@ -13,7 +13,7 @@ SUBDIR += pqueue
 SUBDIR += quic
 SUBDIR += record
 SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
 SUBDIR += ssl
 SUBDIR += tls
 SUBDIR += tlsext

regress/lib/libssl/interop/version/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -14,7 +14,7 @@ LIBRARIES +=		openssl11
 LIBRARIES +=		openssl30
 .endif
 
-VERSIONS =	any TLS1 TLS1_1 TLS1_2 TLS1_3
+VERSIONS =	any TLS1_2 TLS1_3
 
 .for cver in ${VERSIONS}
 .for sver in ${VERSIONS}

regress/lib/libssl/ssl/ssltest.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
+/*	$OpenBSD: ssltest.c,v 1.41 2023/07/04 08:47:01 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -254,6 +254,7 @@ cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen,
 	 * Make a copy of the selected protocol which will be freed in
 	 * verify_alpn.
 	 */
+	free(alpn_selected);
 	if ((alpn_selected = malloc(*outlen)) == NULL) {
 		fprintf(stderr, "malloc failed\n");
 		abort();
@@ -336,7 +337,7 @@ sv_usage(void)
 	fprintf(stderr, " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
 	fprintf(stderr, " -no_dhe       - disable DHE\n");
 	fprintf(stderr, " -no_ecdhe     - disable ECDHE\n");
-	fprintf(stderr, " -dtls1        - use DTLSv1\n");
+	fprintf(stderr, " -dtls1_2      - use DTLSv1.2\n");
 	fprintf(stderr, " -tls1         - use TLSv1\n");
 	fprintf(stderr, " -tls1_2       - use TLSv1.2\n");
 	fprintf(stderr, " -CApath arg   - PEM format directory of CA's\n");
@@ -409,7 +410,7 @@ main(int argc, char *argv[])
 	int badop = 0;
 	int bio_pair = 0;
 	int force = 0;
-	int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
+	int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
 	int client_auth = 0;
 	int server_auth = 0, i;
 	char *app_verify_arg = "Test Callback Argument";
@@ -464,8 +465,8 @@ main(int argc, char *argv[])
 			no_dhe = 1;
 		else if (strcmp(*argv, "-no_ecdhe") == 0)
 			no_ecdhe = 1;
-		else if (strcmp(*argv, "-dtls1") == 0)
-			dtls1 = 1;
+		else if (strcmp(*argv, "-dtls1_2") == 0)
+			dtls1_2 = 1;
 		else if (strcmp(*argv, "-tls1") == 0)
 			tls1 = 1;
 		else if (strcmp(*argv, "-tls1_2") == 0)
@@ -565,7 +566,7 @@ bad:
 		goto end;
 	}
 
-	if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
+	if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
 		fprintf(stderr,
 		    "This case cannot work.  Use -f to perform "
 		    "the test anyway (and\n-d to see what happens), "
@@ -588,8 +589,8 @@ bad:
 	SSL_library_init();
 	SSL_load_error_strings();
 
-	if (dtls1)
-		meth = DTLSv1_method();
+	if (dtls1_2)
+		meth = DTLSv1_2_method();
 	else if (tls1)
 		meth = TLSv1_method();
 	else if (tls1_2)

regress/lib/libssl/ssl/testssl

@@ -95,8 +95,7 @@ done
 if $openssl no-dh; then
   echo skipping anonymous DH tests
 else
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
-  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+  echo skipping tls1 tests.
 fi
 
 #if $openssl no-rsa; then
@@ -117,17 +116,16 @@ fi
 # DTLS tests
 #
 
-echo test dtlsv1
-$ssltest -dtls1 $extra || exit 1
+$ssltest -dtls1_2 $extra || exit 1
 
-echo test dtlsv1 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+echo test dtlsv1_2 with server authentication
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
 
-echo test dtlsv1 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with client authentication
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
 
-echo test dtlsv1 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with both client and server authentication
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
 
 echo "Testing DTLS ciphersuites"
 for protocol in SSLv3; do
@@ -136,7 +134,7 @@ for protocol in SSLv3; do
     awk "/ $protocol / { print \\$1 }" |
     grep -v RC4`; do
     echo "Testing $cipher"
-    $ssltest -cipher $cipher -dtls1
+    $ssltest -cipher $cipher -dtls1_2
     if [ $? -ne 0 ] ; then
       echo "Failed $cipher"
       exit 1
@@ -148,17 +146,17 @@ done
 # ALPN tests
 #
 echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
   -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
   -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
   -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
   -alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
   -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
   -alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1

regress/lib/libssl/tls/tlstest.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -244,14 +244,6 @@ static const struct tls_test tls_tests[] = {
 		.desc = "Default client and TLSv1.2 server",
 		.server_max_version = TLS1_2_VERSION,
 	},
-	{
-		.desc = "Default client and TLSv1.1 server",
-		.server_max_version = TLS1_1_VERSION,
-	},
-	{
-		.desc = "Default client and TLSv1.0 server",
-		.server_max_version = TLS1_VERSION,
-	},
 	{
 		.desc = "Default client and default server with ECDHE KEX",
 		.server_ciphers = "ECDHE-RSA-AES128-SHA",
@@ -261,16 +253,6 @@ static const struct tls_test tls_tests[] = {
 		.server_max_version = TLS1_2_VERSION,
 		.server_ciphers = "ECDHE-RSA-AES128-SHA",
 	},
-	{
-		.desc = "Default client and TLSv1.1 server with ECDHE KEX",
-		.server_max_version = TLS1_1_VERSION,
-		.server_ciphers = "ECDHE-RSA-AES128-SHA",
-	},
-	{
-		.desc = "Default client and TLSv1.0 server with ECDHE KEX",
-		.server_max_version = TLS1_VERSION,
-		.server_ciphers = "ECDHE-RSA-AES128-SHA",
-	},
 	{
 		.desc = "Default client and default server with DHE KEX",
 		.server_ciphers = "DHE-RSA-AES128-SHA",
@@ -280,16 +262,6 @@ static const struct tls_test tls_tests[] = {
 		.server_max_version = TLS1_2_VERSION,
 		.server_ciphers = "DHE-RSA-AES128-SHA",
 	},
-	{
-		.desc = "Default client and TLSv1.1 server with DHE KEX",
-		.server_max_version = TLS1_1_VERSION,
-		.server_ciphers = "DHE-RSA-AES128-SHA",
-	},
-	{
-		.desc = "Default client and TLSv1.0 server with DHE KEX",
-		.server_max_version = TLS1_VERSION,
-		.server_ciphers = "DHE-RSA-AES128-SHA",
-	},
 	{
 		.desc = "Default client and default server with RSA KEX",
 		.server_ciphers = "AES128-SHA",
@@ -299,73 +271,25 @@ static const struct tls_test tls_tests[] = {
 		.server_max_version = TLS1_2_VERSION,
 		.server_ciphers = "AES128-SHA",
 	},
-	{
-		.desc = "Default client and TLSv1.1 server with RSA KEX",
-		.server_max_version = TLS1_1_VERSION,
-		.server_ciphers = "AES128-SHA",
-	},
-	{
-		.desc = "Default client and TLSv1.0 server with RSA KEX",
-		.server_max_version = TLS1_VERSION,
-		.server_ciphers = "AES128-SHA",
-	},
 	{
 		.desc = "TLSv1.2 client and default server",
 		.client_max_version = TLS1_2_VERSION,
 	},
-	{
-		.desc = "TLSv1.1 client and default server",
-		.client_max_version = TLS1_1_VERSION,
-	},
-	{
-		.desc = "TLSv1.0 client and default server",
-		.client_max_version = TLS1_VERSION,
-	},
 	{
 		.desc = "TLSv1.2 client and default server with ECDHE KEX",
 		.client_max_version = TLS1_2_VERSION,
 		.client_ciphers = "ECDHE-RSA-AES128-SHA",
 	},
-	{
-		.desc = "TLSv1.1 client and default server with ECDHE KEX",
-		.client_max_version = TLS1_1_VERSION,
-		.client_ciphers = "ECDHE-RSA-AES128-SHA",
-	},
-	{
-		.desc = "TLSv1.0 client and default server with ECDHE KEX",
-		.client_max_version = TLS1_VERSION,
-		.client_ciphers = "ECDHE-RSA-AES128-SHA",
-	},
 	{
 		.desc = "TLSv1.2 client and default server with DHE KEX",
 		.server_max_version = TLS1_2_VERSION,
 		.client_ciphers = "DHE-RSA-AES128-SHA",
 	},
-	{
-		.desc = "TLSv1.1 client and default server with DHE KEX",
-		.client_max_version = TLS1_1_VERSION,
-		.client_ciphers = "DHE-RSA-AES128-SHA",
-	},
-	{
-		.desc = "TLSv1.0 client and default server with DHE KEX",
-		.client_max_version = TLS1_VERSION,
-		.client_ciphers = "DHE-RSA-AES128-SHA",
-	},
 	{
 		.desc = "TLSv1.2 client and default server with RSA KEX",
 		.client_max_version = TLS1_2_VERSION,
 		.client_ciphers = "AES128-SHA",
 	},
-	{
-		.desc = "TLSv1.1 client and default server with RSA KEX",
-		.client_max_version = TLS1_1_VERSION,
-		.client_ciphers = "AES128-SHA",
-	},
-	{
-		.desc = "TLSv1.0 client and default server with RSA KEX",
-		.client_max_version = TLS1_VERSION,
-		.client_ciphers = "AES128-SHA",
-	},
 };
 
 #define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))

regress/lib/libssl/tlsext/tlsexttest.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.81 2023/04/27 10:53:58 tb Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.82 2023/07/05 17:30:14 tb Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1774,8 +1774,11 @@ static const unsigned char tlsext_sni_client[] = {
 	0x6c, 0x2e, 0x6f, 0x72, 0x67,
 };
 
+/* An empty array is an incomplete type and sizeof() is undefined. */
 static const unsigned char tlsext_sni_server[] = {
+	0x00,
 };
+static size_t tlsext_sni_server_len = 0;
 
 static int
 test_tlsext_sni_client(void)
@@ -1973,9 +1976,9 @@ test_tlsext_sni_server(void)
 	if (!CBB_finish(&cbb, &data, &dlen))
 		errx(1, "failed to finish CBB");
 
-	if (dlen != sizeof(tlsext_sni_server)) {
+	if (dlen != tlsext_sni_server_len) {
 		FAIL("got server SNI with length %zu, "
-		    "want length %zu\n", dlen, sizeof(tlsext_sni_server));
+		    "want length %zu\n", dlen, tlsext_sni_server_len);
 		goto err;
 	}
 
@@ -1984,14 +1987,14 @@ test_tlsext_sni_server(void)
 		fprintf(stderr, "received:\n");
 		hexdump(data, dlen);
 		fprintf(stderr, "test data:\n");
-		hexdump(tlsext_sni_server, sizeof(tlsext_sni_server));
+		hexdump(tlsext_sni_server, tlsext_sni_server_len);
 		goto err;
 	}
 
 	free(ssl->session->tlsext_hostname);
 	ssl->session->tlsext_hostname = NULL;
 
-	CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server));
+	CBS_init(&cbs, tlsext_sni_server, tlsext_sni_server_len);
 	if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
 		FAIL("failed to parse server SNI\n");
 		goto err;
@@ -3186,7 +3189,7 @@ test_tlsext_srtp_server(void)
 }
 #endif /* OPENSSL_NO_SRTP */
 
-unsigned char tlsext_clienthello_default[] = {
+static const unsigned char tlsext_clienthello_default[] = {
 	0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
 	0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
 	0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23,
@@ -3196,7 +3199,11 @@ unsigned char tlsext_clienthello_default[] = {
 	0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
 };
 
-unsigned char tlsext_clienthello_disabled[] = {};
+/* An empty array is an incomplete type and sizeof() is undefined. */
+static const unsigned char tlsext_clienthello_disabled[] = {
+	0x00,
+};
+static size_t tlsext_clienthello_disabled_len = 0;
 
 static int
 test_tlsext_clienthello_build(void)
@@ -3287,18 +3294,18 @@ test_tlsext_clienthello_build(void)
 		goto err;
 	}
 
-	if (dlen != sizeof(tlsext_clienthello_disabled)) {
+	if (dlen != tlsext_clienthello_disabled_len) {
 		FAIL("got clienthello extensions with length %zu, "
 		    "want length %zu\n", dlen,
-		    sizeof(tlsext_clienthello_disabled));
+		    tlsext_clienthello_disabled_len);
 		compare_data(data, dlen, tlsext_clienthello_disabled,
-		    sizeof(tlsext_clienthello_disabled));
+		    tlsext_clienthello_disabled_len);
 		goto err;
 	}
 	if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
 		FAIL("clienthello extensions differs:\n");
 		compare_data(data, dlen, tlsext_clienthello_disabled,
-		    sizeof(tlsext_clienthello_disabled));
+		    tlsext_clienthello_disabled_len);
 		goto err;
 	}
 

regress/lib/libssl/tlsfuzzer/tlsfuzzer.py

@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
 tls12_exclude_legacy_protocols = [
     # all these have BIO_read timeouts against TLSv1.3
     "-e", "Protocol (3, 0)",
+    "-e", "Protocol (3, 1)",
+    "-e", "Protocol (3, 2)",
     "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
     # the following only fail with TLSv1.3
     "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
@@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
     "-e", "Protocol (3, 1) with x448 group",
     "-e", "Protocol (3, 2) with x448 group",
     "-e", "Protocol (3, 3) with x448 group",
+    # These don't work without TLSv1.0 and TLSv1.1
+    "-e", "Protocol (3, 1) with secp256r1 group",
+    "-e", "Protocol (3, 1) with secp384r1 group",
+    "-e", "Protocol (3, 1) with secp521r1 group",
+    "-e", "Protocol (3, 1) with x25519 group",
+    "-e", "Protocol (3, 2) with secp256r1 group",
+    "-e", "Protocol (3, 2) with secp384r1 group",
+    "-e", "Protocol (3, 2) with secp521r1 group",
+    "-e", "Protocol (3, 2) with x25519 group",
 ]
 
 tls12_tests = TestGroup("TLSv1.2 tests", [
     # Tests that pass as they are.
-    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
     Test("test-aes-gcm-nonces.py"),
-    Test("test-chacha20.py"),
     Test("test-connection-abort.py"),
     Test("test-conversation.py"),
     Test("test-cve-2016-2107.py"),
@@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
         ]
     ),
     Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
-    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
+    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
     Test(
         "test-downgrade-protection.py",
         tls12_args = ["--server-max-protocol", "TLSv1.2"],
-        tls13_args = ["--server-max-protocol", "TLSv1.3"],
+        tls13_args = [
+            "--server-max-protocol", "TLSv1.3",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
+            "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
+        ]
+    ),
+    Test(
+        "test-fallback-scsv.py",
+        tls13_args = [
+            "--tls-1.3",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - hello TLSv1.1 - pos 2",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
+            "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
+            "-e", "record TLSv1.1 hello TLSv1.1",
+            "-e", "sanity - TLSv1.1",
+        ]
     ),
-    Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
 
     Test("test-invalid-compression-methods.py", [
         "-x", "invalid compression methods",
@@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
     Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
 
     Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+
+    Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
@@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
 
     # x448 tests need disabling plus x25519 corner cases need sorting out
     Test("test-x25519.py"),
+
+    # Needs TLS 1.0 or 1.1
+    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
 ])
 
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [

regress/lib/libssl/unit/ssl_versions.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = {
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_3_VERSION,
-		.want_minver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_3_VERSION,
 	},
 	{
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_2_VERSION,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_2_VERSION,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1_3,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_3_VERSION,
-		.want_minver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_2_VERSION,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1_2,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_minver = 0,
+		.want_maxver = 0,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1_1,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
+		.want_maxver = TLS1_2_VERSION,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
@@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = {
 		.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_minver = 0,
+		.want_maxver = 0,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_minver = 0,
+		.want_maxver = 0,
 	},
 	{
 		.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
@@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = {
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_2_VERSION,
 	},
 	{
 		.options = 0,
 		.minver = TLS1_1_VERSION,
 		.maxver = TLS1_2_VERSION,
-		.want_minver = TLS1_1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_2_VERSION,
 	},
 	{
@@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = {
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_3_VERSION,
-		.want_minver = TLS1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_3_VERSION,
 	},
 	{
 		.options = 0,
 		.minver = TLS1_1_VERSION,
 		.maxver = TLS1_3_VERSION,
-		.want_minver = TLS1_1_VERSION,
+		.want_minver = TLS1_2_VERSION,
 		.want_maxver = TLS1_3_VERSION,
 	},
 	{
@@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = {
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_1_VERSION,
-		.want_minver = TLS1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_minver = 0,
+		.want_maxver = 0,
 	},
 	{
 		.options = 0,
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_VERSION,
-		.want_minver = TLS1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_minver = 0,
+		.want_maxver = 0,
 	},
 };
 
@@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_2_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_2_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_1_VERSION,
 		.peerver = TLS1_2_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLS_method,
@@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_VERSION,
 		.peerver = TLS1_2_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLSv1_method,
@@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_VERSION,
-		.want_maxver = TLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = TLSv1_method,
@@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = TLS1_1_VERSION,
-		.want_maxver = TLS1_1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = DTLS_method,
@@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = DTLS1_VERSION,
-		.want_maxver = DTLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = DTLS_method,
@@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_1_VERSION,
 		.maxver = TLS1_1_VERSION,
 		.peerver = DTLS1_2_VERSION,
-		.want_maxver = DTLS1_VERSION,
+		.want_maxver = 0,
 	},
 	{
 		.ssl_method = DTLSv1_2_method,
@@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = {
 		.minver = TLS1_1_VERSION,
 		.maxver = TLS1_2_VERSION,
 		.peerver = DTLS1_2_VERSION,
-		.want_maxver = DTLS1_VERSION,
+		.want_maxver = 0,
 	},
 };