[ {"server_command": ["@SERVER@", "--http", "--x509keyfile", "tests/serverX509Key.pem", "--x509certfile", "tests/serverX509Cert.pem", "--x509keyfile", "../../../certs/ecc256.pem", "--x509certfile", "../../../certs/cert-ecc256.pem", "--debug=3", "--noticket", "--httpdata=../http.dat", "--priority=@PRIORITY@", "--disable-client-cert", "--port=@PORT@"], "server_hostname": "localhost", "server_port": @PORT@, "tests" : [ {"name" : "test-fuzzed-plaintext.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-large-hello.py", "arguments" : [ "-p", "@PORT@", "two ext, #80 61384 bytes", "two ext, #80 12276 bytes", "ciphers even 8199", "ciphers odd 8090", "ext padding, 16130 bytes", "ext padding, 65367 bytes", "multiple extensions 9212", "multiple extensions 1", "multiple extensions 16353", "sanity check - fragmented", "fragmented, padding ext 0 bytes", "fragmented, padding ext 65354 bytes", "fragmented, padding ext 16213 bytes"]}, {"name" : "test-ecdsa-sig-flexibility.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-encrypt-then-mac.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ocsp-stapling.py", "arguments" : ["-p", "@PORT@", "--no-status"] }, {"name" : "test-encrypt-then-mac-renegotiation.py", "comment" : "we are not strict in EtM required behavior in renegotiation", "arguments" : ["-p", "@PORT@", "-e", "Encrypt-then-MAC renegotiation crash"]}, {"name" : "test-x25519.py", "arguments" : ["-p", "@PORT@"]}, {"name" : "test-cve-2016-7054.py", "arguments" : ["-p", "@PORT@", "-e", "sanity"]}, {"name" : "test-cve-2016-6309.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-server-name-extension.py", "comment" : "we don't parse past the first valid name, and we don't validate input received", "arguments" : ["-p", "@PORT@", "-e", "SNI name with UTF-8", "-e", "multiple host_names in SNI, RFC 6066 compliance", "-e", "incorrect SNI"]}, {"name" : "test-invalid-server-name-extension-resumption.py", "comment" : "we don't follow the RFC precisely on SNI 
resumption, we cache the SNI and ignore the extensions", "arguments" : ["-p", "@PORT@", "-e", "Sanity check, bad SNI", "-e", "session resume with different SNI", "-e", "session resume with malformed SNI"]}, {"name" : "test-chacha20.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-aes-gcm-nonces.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-atypical-padding.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-bleichenbacher-workaround.py", "arguments" : ["-p", "@PORT@", "-n", "20"] }, {"name" : "test-clienthello-md5.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-client-compatibility.py", "arguments" : ["-p", "@PORT@", "-e", "18: IE 6 on XP", "-e", "52: YandexBot 3.0 on unknown", "-e", "100: IE 6 on XP"]}, {"name" : "test-conversation.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-client-hello-max-size.py", "comment" : "FIXME: we fail with: Handshake buffer length is 131400 (max: 131072)", "arguments" : ["-p", "@PORT@", "-e", "max client hello"]}, {"name" : "test-atypical-padding.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ffdhe-negotiation.py" , "comment" : ["we don't prefer DHE over RSA if RSA is preferred by peer"], "arguments" : ["-p", "@PORT@", "-e", "Check if DHE preferred", "--alert", "handshake_failure"]}, {"name" : "test-cve-2016-2107.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-key-share-random.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-z"]}, {"name" : "test-dhe-no-shared-secret-padding.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-n", "6", "-z"]}, {"name" : "test-dhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-rsa-key-exchange-signatures.py", "comment" : "gnutls no longer allows sha224", "arguments" : ["-p", "@PORT@", "-e", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
sha224 signature", "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature", "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha224 signature", "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature"] }, {"name" : "test-dhe-rsa-key-exchange-with-bad-messages.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-early-application-data.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-padded-shared-secret.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, {"name" : "test-ecdhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-share-random.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, {"name" : "test-empty-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-export-ciphers-rejected.py", "comment" : "disable SSL3.0 here, will be tested separately", "arguments" : ["-p", "@PORT@", "-e", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3", "-e", "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA with AES_128 in SSLv3", "-e", "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 with AES_128 in SSLv3", "-e", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA with AES_128 in SSLv3", "-e", "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 with AES_128 in SSLv3", "-e", 
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA with AES_128 in SSLv3", "-e", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3", "-e", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA with AES_128 in SSLv3", "-e", "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA with AES_128 in SSLv3", "-e", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3", "-e", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 with AES_128 in SSLv3", "-e", "TLS_RSA_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3"] }, {"name" : "test-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-extended-master-secret-extension.py", "comment" : "gnutls does not allow switching from EMS to no EMS, and w/ECDHE test is incomplete", "arguments" : ["-p", "@PORT@", "-e", "renegotiate without EMS in session with EMS", "-e", "EMS with session resume without extension"]}, {"name" : "test-fallback-scsv.py", "arguments" : ["-p", "@PORT@", "--tls-1.3"]}, {"name" : "test-fuzzed-ciphertext.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-fuzzed-finished.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-fuzzed-MAC.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-fuzzed-padding.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-hello-request-by-client.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py", "comment" : "gnutls doesn't support interleaved data with handshake", "exp_pass" : false}, {"name" : "test-interleaved-application-data-in-renegotiation.py", "comment" : "gnutls doesn't support interleaved data with handshake", "exp_pass" : false}, {"name" : "test-invalid-cipher-suites.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-client-hello.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-client-hello-w-record-overflow.py", "arguments" : ["-p", "@PORT@", "-n", "10"] }, {"name" : "test-invalid-compression-methods.py", "arguments" : ["-p", "@PORT@"] }, 
{"name" : "test-invalid-content-type.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-rsa-key-exchange-messages.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-session-id.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-version.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-large-number-of-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-message-duplication.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-message-skipping.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ocsp-stapling.py", "comment" : "test requires OCSP setup", "exp_pass" : false, "arguments" : ["-p", "@PORT@"] }, {"name" : "test-openssl-3712.py", "comment" : "gnutls doesn't support interleaved data with handshake", "exp_pass" : false, "arguments" : ["-p", "@PORT@"] }, {"name" : "test-record-layer-fragmentation.py", "comment" : "These tests rely on fragmenting the first bytes of the handshake header. GnuTLS is limited in that respect and doesn't accept handshake header fragmentation.", "arguments" : ["-p", "@PORT@", "-e", "non fragmented, over fragmentation limit: 65535 fragment - 16332B extension", "-e", "small, maximum fragmentation: 1 fragment - 20B extension", "-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]}, {"name" : "test-record-size-limit.py", "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0", "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024", "--minimal-size", "512", "-e", "check if server accepts maximum size in TLS 1.0", "-e", "check if server accepts maximum size in TLS 1.3", "-e", "check if server accepts minimal size in TLS 1.0", "-e", "check if server accepts minimal size in TLS 1.3", "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3", "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3", "-e", "check server sent size in TLS 1.0", "-e", "check server sent size in TLS 1.3", "-e", "HRR sanity", 
"-e", "too large record payload in TLS 1.3", "-e", "change size in TLS 1.3 session resumption", "-e", "drop extension in TLS 1.3 session resumption", "-e", "modified extension in 2nd CH in HRR handshake", "-e", "added extension in 2nd CH in HRR handshake", "-e", "check server sent size in TLS 1.0 with max_fragment_length", "-e", "check server sent size in TLS 1.3 with max_fragment_length", "-e", "removed extension in 2nd CH in HRR handshake"] }, {"name" : "test-sessionID-resumption.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-serverhello-random.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, {"name" : "test-sig-algs.py", "arguments" : ["-p", "@PORT@", "-e", "rsa_pss_pss_sha256 only", "-e", "rsa_pss_pss_sha384 only", "-e", "rsa_pss_pss_sha512 only"] }, {"name" : "test-signature-algorithms.py", "comment" : "gnutls doesn't handle duplicated signature algorithms well; this is not an issue in practice", "arguments" : ["-p", "@PORT@", "-e", "duplicated 202 non-rsa schemes", "-e", "duplicated 2342 non-rsa schemes", "-e", "duplicated 8119 non-rsa schemes", "-e", "duplicated 23741 non-rsa schemes", "-e", "duplicated 32748 non-rsa schemes", "-e", "tolerance max (32764) number of methods"] }, {"name" : "test-sslv2-connection.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2-force-cipher-3des.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2-force-cipher-non3des.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2-force-cipher.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2-force-export-cipher.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2hello-protocol.py", "comment" : "https://gitlab.com/gnutls/gnutls/issues/771", "arguments" : ["-p", "@PORT@", "--no-ssl2", "-e", "Empty SSLv2 record - type 0", "-e", "Empty SSLv2 record - type 1", "-e", "Just version in SSLv2 hello", "-e", "SSLv2 Client Hello"] }, {"name" : 
"test-TLSv1_2-rejected-without-TLSv1_2.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-truncating-of-client-hello.py", "comment" : "https://gitlab.com/gnutls/gnutls/issues/771", "arguments" : ["-p", "@PORT@", "-e", "max pad: 16777167 of \"0\" byte padding"] }, {"name" : "test-truncating-of-finished.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-truncating-of-kRSA-client-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-unsupported-curve-fallback.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-version-numbers.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-zero-length-data.py", "arguments" : ["-p", "@PORT@"] } ] } ]