From 25fa1c2d67f7d7a01050e2bf2854ad8f4a6eedc4 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Fri, 22 Jan 2021 16:47:35 -0800
Subject: [PATCH] in tests/obsolete-server-crypto, do not override GNUTLS_SYSTEM_PRIORITY_FILE when invoking OpenConnect

This will allow us to test OpenConnect's ability to disable the system-wide crypto policy by itself.

Signed-off-by: Daniel Lenski
---
 tests/obsolete-server-crypto | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/tests/obsolete-server-crypto b/tests/obsolete-server-crypto
index fff723d4..90d93ef6 100755
--- a/tests/obsolete-server-crypto
+++ b/tests/obsolete-server-crypto
@@ -25,13 +25,6 @@ top_builddir=${top_builddir:-..}
 
 . `dirname $0`/common.sh
 
-########################################
-# Need to override mandatory system-wide crypto policy on Fedora 31+,
-# for both ocserv and openconnect.
-########################################
-
-export GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
-
 ########################################
 # Verify that we cannot connect to a server offering only obsolete, insecure
 # crypto UNLESS --allow-insecure-crypto is specified.
@@ -43,7 +36,16 @@ echo "Testing against server with insecure crypto (3DES and RC4 only)... "
 PORT=4568
 TLS_PRIORITIES="LEGACY:%SERVER_PRECEDENCE:%COMPAT:-VERS-TLS-ALL:+VERS-TLS1.0:-CIPHER-ALL:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1"
 update_config test-obsolete-server-crypto.config
-launch_simple_sr_server -d 1 -f -c $CONFIG
+
+########################################
+# Need to override mandatory system-wide crypto policy on Fedora 31+, in
+# order for ocserv to offer 3DES and RC4.
+#
+# However, we want to leave this policy in place for openconnect,
+# in order to verify the client's ability to disable it on its own.
+########################################
+GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null launch_simple_sr_server -d 1 -f -c $CONFIG
+
 PID=$!
 wait_server $PID
 
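Review bot: The scoping of `GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null` on the new `launch_simple_sr_server` line relies on shell behaviour that POSIX leaves unspecified if `launch_simple_sr_server` is a shell function (it presumably comes from common.sh, which this hunk does not show). For a function call, POSIX does not say whether a prefix assignment is exported to the processes the function starts, nor whether it persists after the function returns. If it persisted and stayed exported, openconnect would run with the system policy already disabled and this test would pass without exercising the client's own override. A form that does not depend on the shell is `export GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null` before the launch line and `unset GNUTLS_SYSTEM_PRIORITY_FILE` after `PID=$!`, with a comment that the unset is what keeps the policy in force for the client. The `$CONFIG` argument on the same line is unquoted and would be safer as `"$CONFIG"`.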