diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index a2d1b422cd6aa5..f8d699282d550b 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -258,3 +258,35 @@ def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
 ])
 # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
 assert r.exit_code == 91, f'{r}'
+
+ @pytest.mark.parametrize("server_ver", ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'])
+ def test_17_09_ssl_min_max(self, env: Env, httpd, nghttpx, server_ver):
+ httpd.set_extra_config('base', [
+ f'SSLProtocol {server_ver}'
+ ])
+ httpd.reload()
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ if env.curl_uses_lib('bearssl') or env.curl_uses_lib('sectransp'):
+ supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
+ elif env.curl_uses_lib('mbedtls') and not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
+ supported = ['TLSv1.2', 'TLSv1.2', 'TLSv1.2', None] # tls-max is minimal 1.2
+ elif env.curl_uses_lib('rustls') or env.curl_uses_lib('mbedtls'):
+ supported = ['TLSv1.2', 'TLSv1.2', 'TLSv1.2', 'TLSv1.3'] # tls-max is minimal 1.2
+ else:
+ supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
+ for max_ver in range(0, 5):
+ for min_ver in range(-2, 4):
+ extra_args = []
+ if min_ver >= -1:
+ extra_args += [['--tlsv1', '--tlsv1.0', '--tlsv1.1', '--tlsv1.2', '--tlsv1.3'][min_ver + 1]]
+ if max_ver < 4:
+ extra_args += ['--tls-max', ['1.0', '1.1', '1.2', '1.3'][max_ver]]
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
+ if max_ver >= min_ver and server_ver in supported[max(0, min_ver):min(max_ver, 3)+1]:
+ assert r.exit_code == 0 , f'{r}'
+ assert r.json['HTTPS'] == 'on', f'{r}'
+ assert r.json['SSL_PROTOCOL'] == server_ver, f'{r}'
+ else:
+ assert r.exit_code != 0, f'{r}'
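Review bot: The negative branch at the end of `test_17_09_ssl_min_max` only asserts `r.exit_code != 0`, so any failure (httpd not back up after `reload()`, a resolve or connect error) is counted as curl correctly refusing a TLS version outside the requested min/max range. If the backends report this consistently, pin the code, e.g. `assert r.exit_code == 35, f'{r}'` (CURLE_SSL_CONNECT_ERROR); whether every backend in the `supported` table returns 35 cannot be seen from this hunk, so a small set of accepted codes may be needed instead. The `SSLProtocol` line set through `httpd.set_extra_config('base', ...)` is also never cleared within the hunk, so unless a fixture outside it resets the config, later tests would run against a server pinned to the last `server_ver`. A short comment on the index encoding would help readers as well: `# min_ver -2: no minimum option, -1: --tlsv1; max_ver 4: no --tls-max`.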