author | Tomas Mraz <tomas@openssl.org> | 2022-03-25 15:26:13 +0100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2022-06-03 13:22:42 +1000 |
commit | 336d92eb206946293a50db667fdc44ab7d69f8ad (patch) | |
tree | 8d9a2dbe4249c6fd227dfacf3659086fd373dd42 /test/ssl-tests | |
parent | b7873f92b0f79bdf576795c86d6520656568d672 (diff) | |
Enable setting SSL_CERT_FLAG_TLS_STRICT with ssl config
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17989)
Diffstat (limited to 'test/ssl-tests')
-rw-r--r-- | test/ssl-tests/04-client_auth.cnf | 712 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.cnf.in | 59 |
2 files changed, 482 insertions, 289 deletions
diff --git a/test/ssl-tests/04-client_auth.cnf b/test/ssl-tests/04-client_auth.cnf
index 46e61cd882..3dae79c370 100644
--- a/test/ssl-tests/04-client_auth.cnf
+++ b/test/ssl-tests/04-client_auth.cnf
@@ -1,43 +1,47 @@ # Generated with generate_ssl_tests.pl -num_tests = 36 +num_tests = 40 test-0 = 0-server-auth-flex test-1 = 1-client-auth-flex-request test-2 = 2-client-auth-flex-require-fail test-3 = 3-client-auth-flex-require -test-4 = 4-client-auth-flex-require-non-empty-names -test-5 = 5-client-auth-flex-noroot -test-6 = 6-server-auth-TLSv1 -test-7 = 7-client-auth-TLSv1-request -test-8 = 8-client-auth-TLSv1-require-fail -test-9 = 9-client-auth-TLSv1-require -test-10 = 10-client-auth-TLSv1-require-non-empty-names -test-11 = 11-client-auth-TLSv1-noroot -test-12 = 12-server-auth-TLSv1.1 -test-13 = 13-client-auth-TLSv1.1-request -test-14 = 14-client-auth-TLSv1.1-require-fail -test-15 = 15-client-auth-TLSv1.1-require -test-16 = 16-client-auth-TLSv1.1-require-non-empty-names -test-17 = 17-client-auth-TLSv1.1-noroot -test-18 = 18-server-auth-TLSv1.2 -test-19 = 19-client-auth-TLSv1.2-request -test-20 = 20-client-auth-TLSv1.2-require-fail -test-21 = 21-client-auth-TLSv1.2-require -test-22 = 22-client-auth-TLSv1.2-require-non-empty-names -test-23 = 23-client-auth-TLSv1.2-noroot -test-24 = 24-server-auth-DTLSv1 -test-25 = 25-client-auth-DTLSv1-request -test-26 = 26-client-auth-DTLSv1-require-fail -test-27 = 27-client-auth-DTLSv1-require -test-28 = 28-client-auth-DTLSv1-require-non-empty-names -test-29 = 29-client-auth-DTLSv1-noroot -test-30 = 30-server-auth-DTLSv1.2 -test-31 = 31-client-auth-DTLSv1.2-request -test-32 = 32-client-auth-DTLSv1.2-require-fail -test-33 = 33-client-auth-DTLSv1.2-require -test-34 = 34-client-auth-DTLSv1.2-require-non-empty-names -test-35 = 35-client-auth-DTLSv1.2-noroot +test-4 = 4-client-auth-flex-rsa-pss +test-5 = 5-client-auth-flex-rsa-pss-bad +test-6 = 6-client-auth-flex-require-non-empty-names +test-7 = 7-client-auth-flex-noroot +test-8 = 8-server-auth-TLSv1 +test-9 = 9-client-auth-TLSv1-request +test-10 = 10-client-auth-TLSv1-require-fail +test-11 = 11-client-auth-TLSv1-require +test-12 = 12-client-auth-TLSv1-require-non-empty-names 
+test-13 = 13-client-auth-TLSv1-noroot +test-14 = 14-server-auth-TLSv1.1 +test-15 = 15-client-auth-TLSv1.1-request +test-16 = 16-client-auth-TLSv1.1-require-fail +test-17 = 17-client-auth-TLSv1.1-require +test-18 = 18-client-auth-TLSv1.1-require-non-empty-names +test-19 = 19-client-auth-TLSv1.1-noroot +test-20 = 20-server-auth-TLSv1.2 +test-21 = 21-client-auth-TLSv1.2-request +test-22 = 22-client-auth-TLSv1.2-require-fail +test-23 = 23-client-auth-TLSv1.2-require +test-24 = 24-client-auth-TLSv1.2-rsa-pss +test-25 = 25-client-auth-TLSv1.2-rsa-pss-bad +test-26 = 26-client-auth-TLSv1.2-require-non-empty-names +test-27 = 27-client-auth-TLSv1.2-noroot +test-28 = 28-server-auth-DTLSv1 +test-29 = 29-client-auth-DTLSv1-request +test-30 = 30-client-auth-DTLSv1-require-fail +test-31 = 31-client-auth-DTLSv1-require +test-32 = 32-client-auth-DTLSv1-require-non-empty-names +test-33 = 33-client-auth-DTLSv1-noroot +test-34 = 34-server-auth-DTLSv1.2 +test-35 = 35-client-auth-DTLSv1.2-request +test-36 = 36-client-auth-DTLSv1.2-require-fail +test-37 = 37-client-auth-DTLSv1.2-require +test-38 = 38-client-auth-DTLSv1.2-require-non-empty-names +test-39 = 39-client-auth-DTLSv1.2-noroot # =========================================================== [0-server-auth-flex] 
@@ -142,14 +146,75 @@ ExpectedResult = Success # =========================================================== -[4-client-auth-flex-require-non-empty-names] -ssl_conf = 4-client-auth-flex-require-non-empty-names-ssl +[4-client-auth-flex-rsa-pss] +ssl_conf = 4-client-auth-flex-rsa-pss-ssl -[4-client-auth-flex-require-non-empty-names-ssl] -server = 4-client-auth-flex-require-non-empty-names-server -client = 4-client-auth-flex-require-non-empty-names-client +[4-client-auth-flex-rsa-pss-ssl] +server = 4-client-auth-flex-rsa-pss-server +client = 4-client-auth-flex-rsa-pss-client -[4-client-auth-flex-require-non-empty-names-server] +[4-client-auth-flex-rsa-pss-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Require + +[4-client-auth-flex-rsa-pss-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/rootcert.pem +ExpectedClientCertType = RSA-PSS +ExpectedResult = Success + + +# =========================================================== + +[5-client-auth-flex-rsa-pss-bad] +ssl_conf = 5-client-auth-flex-rsa-pss-bad-ssl + +[5-client-auth-flex-rsa-pss-bad-ssl] +server = 5-client-auth-flex-rsa-pss-bad-server +client = 5-client-auth-flex-rsa-pss-bad-client + +[5-client-auth-flex-rsa-pss-bad-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +VerifyMode = Require + 
+[5-client-auth-flex-rsa-pss-bad-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = ServerFail +ExpectedServerAlert = CertificateRequired + + +# =========================================================== + +[6-client-auth-flex-require-non-empty-names] +ssl_conf = 6-client-auth-flex-require-non-empty-names-ssl + +[6-client-auth-flex-require-non-empty-names-ssl] +server = 6-client-auth-flex-require-non-empty-names-server +client = 6-client-auth-flex-require-non-empty-names-client + +[6-client-auth-flex-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -157,14 +222,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[4-client-auth-flex-require-non-empty-names-client] +[6-client-auth-flex-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-4] +[test-6] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -172,68 +237,68 @@ ExpectedResult = Success # =========================================================== -[5-client-auth-flex-noroot] -ssl_conf = 5-client-auth-flex-noroot-ssl +[7-client-auth-flex-noroot] +ssl_conf = 7-client-auth-flex-noroot-ssl -[5-client-auth-flex-noroot-ssl] -server = 5-client-auth-flex-noroot-server -client = 5-client-auth-flex-noroot-client +[7-client-auth-flex-noroot-ssl] +server = 7-client-auth-flex-noroot-server +client = 7-client-auth-flex-noroot-client -[5-client-auth-flex-noroot-server] +[7-client-auth-flex-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[5-client-auth-flex-noroot-client] +[7-client-auth-flex-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-7] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[6-server-auth-TLSv1] -ssl_conf = 6-server-auth-TLSv1-ssl +[8-server-auth-TLSv1] +ssl_conf = 8-server-auth-TLSv1-ssl -[6-server-auth-TLSv1-ssl] -server = 6-server-auth-TLSv1-server -client = 6-server-auth-TLSv1-client +[8-server-auth-TLSv1-ssl] +server = 8-server-auth-TLSv1-server +client = 8-server-auth-TLSv1-client -[6-server-auth-TLSv1-server] +[8-server-auth-TLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-server-auth-TLSv1-client] +[8-server-auth-TLSv1-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-8] ExpectedResult = Success # 
=========================================================== -[7-client-auth-TLSv1-request] -ssl_conf = 7-client-auth-TLSv1-request-ssl +[9-client-auth-TLSv1-request] +ssl_conf = 9-client-auth-TLSv1-request-ssl -[7-client-auth-TLSv1-request-ssl] -server = 7-client-auth-TLSv1-request-server -client = 7-client-auth-TLSv1-request-client +[9-client-auth-TLSv1-request-ssl] +server = 9-client-auth-TLSv1-request-server +client = 9-client-auth-TLSv1-request-client -[7-client-auth-TLSv1-request-server] +[9-client-auth-TLSv1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 @@ -241,27 +306,27 @@ MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[7-client-auth-TLSv1-request-client] +[9-client-auth-TLSv1-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-9] ExpectedResult = Success # =========================================================== -[8-client-auth-TLSv1-require-fail] -ssl_conf = 8-client-auth-TLSv1-require-fail-ssl +[10-client-auth-TLSv1-require-fail] +ssl_conf = 10-client-auth-TLSv1-require-fail-ssl -[8-client-auth-TLSv1-require-fail-ssl] -server = 8-client-auth-TLSv1-require-fail-server -client = 8-client-auth-TLSv1-require-fail-client +[10-client-auth-TLSv1-require-fail-ssl] +server = 10-client-auth-TLSv1-require-fail-server +client = 10-client-auth-TLSv1-require-fail-client -[8-client-auth-TLSv1-require-fail-server] +[10-client-auth-TLSv1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 
@@ -270,28 +335,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[8-client-auth-TLSv1-require-fail-client] +[10-client-auth-TLSv1-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-8] +[test-10] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[9-client-auth-TLSv1-require] -ssl_conf = 9-client-auth-TLSv1-require-ssl +[11-client-auth-TLSv1-require] +ssl_conf = 11-client-auth-TLSv1-require-ssl -[9-client-auth-TLSv1-require-ssl] -server = 9-client-auth-TLSv1-require-server -client = 9-client-auth-TLSv1-require-client +[11-client-auth-TLSv1-require-ssl] +server = 11-client-auth-TLSv1-require-server +client = 11-client-auth-TLSv1-require-client -[9-client-auth-TLSv1-require-server] +[11-client-auth-TLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 @@ -300,7 +365,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[9-client-auth-TLSv1-require-client] +[11-client-auth-TLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 @@ -309,7 +374,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -317,14 +382,14 @@ ExpectedResult = Success # =========================================================== -[10-client-auth-TLSv1-require-non-empty-names] -ssl_conf = 10-client-auth-TLSv1-require-non-empty-names-ssl +[12-client-auth-TLSv1-require-non-empty-names] +ssl_conf = 12-client-auth-TLSv1-require-non-empty-names-ssl -[10-client-auth-TLSv1-require-non-empty-names-ssl] -server = 10-client-auth-TLSv1-require-non-empty-names-server -client = 10-client-auth-TLSv1-require-non-empty-names-client +[12-client-auth-TLSv1-require-non-empty-names-ssl] +server = 12-client-auth-TLSv1-require-non-empty-names-server +client = 12-client-auth-TLSv1-require-non-empty-names-client -[10-client-auth-TLSv1-require-non-empty-names-server] +[12-client-auth-TLSv1-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -334,7 +399,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[10-client-auth-TLSv1-require-non-empty-names-client] +[12-client-auth-TLSv1-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 @@ -343,7 +408,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -351,14 +416,14 @@ ExpectedResult = Success # =========================================================== -[11-client-auth-TLSv1-noroot] -ssl_conf = 11-client-auth-TLSv1-noroot-ssl +[13-client-auth-TLSv1-noroot] +ssl_conf = 13-client-auth-TLSv1-noroot-ssl -[11-client-auth-TLSv1-noroot-ssl] -server = 11-client-auth-TLSv1-noroot-server -client = 11-client-auth-TLSv1-noroot-client +[13-client-auth-TLSv1-noroot-ssl] +server = 13-client-auth-TLSv1-noroot-server +client = 13-client-auth-TLSv1-noroot-client -[11-client-auth-TLSv1-noroot-server] +[13-client-auth-TLSv1-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 @@ -366,7 +431,7 @@ MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[11-client-auth-TLSv1-noroot-client] +[13-client-auth-TLSv1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 
@@ -375,48 +440,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-13] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[12-server-auth-TLSv1.1] -ssl_conf = 12-server-auth-TLSv1.1-ssl +[14-server-auth-TLSv1.1] +ssl_conf = 14-server-auth-TLSv1.1-ssl -[12-server-auth-TLSv1.1-ssl] -server = 12-server-auth-TLSv1.1-server -client = 12-server-auth-TLSv1.1-client +[14-server-auth-TLSv1.1-ssl] +server = 14-server-auth-TLSv1.1-server +client = 14-server-auth-TLSv1.1-client -[12-server-auth-TLSv1.1-server] +[14-server-auth-TLSv1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-server-auth-TLSv1.1-client] +[14-server-auth-TLSv1.1-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-14] ExpectedResult = Success # =========================================================== -[13-client-auth-TLSv1.1-request] -ssl_conf = 13-client-auth-TLSv1.1-request-ssl +[15-client-auth-TLSv1.1-request] +ssl_conf = 15-client-auth-TLSv1.1-request-ssl -[13-client-auth-TLSv1.1-request-ssl] -server = 13-client-auth-TLSv1.1-request-server -client = 13-client-auth-TLSv1.1-request-client +[15-client-auth-TLSv1.1-request-ssl] +server = 15-client-auth-TLSv1.1-request-server +client = 15-client-auth-TLSv1.1-request-client -[13-client-auth-TLSv1.1-request-server] +[15-client-auth-TLSv1.1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 
@@ -424,27 +489,27 @@ MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[13-client-auth-TLSv1.1-request-client] +[15-client-auth-TLSv1.1-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-15] ExpectedResult = Success # =========================================================== -[14-client-auth-TLSv1.1-require-fail] -ssl_conf = 14-client-auth-TLSv1.1-require-fail-ssl +[16-client-auth-TLSv1.1-require-fail] +ssl_conf = 16-client-auth-TLSv1.1-require-fail-ssl -[14-client-auth-TLSv1.1-require-fail-ssl] -server = 14-client-auth-TLSv1.1-require-fail-server -client = 14-client-auth-TLSv1.1-require-fail-client +[16-client-auth-TLSv1.1-require-fail-ssl] +server = 16-client-auth-TLSv1.1-require-fail-server +client = 16-client-auth-TLSv1.1-require-fail-client -[14-client-auth-TLSv1.1-require-fail-server] +[16-client-auth-TLSv1.1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 
@@ -453,28 +518,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[14-client-auth-TLSv1.1-require-fail-client] +[16-client-auth-TLSv1.1-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-16] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[15-client-auth-TLSv1.1-require] -ssl_conf = 15-client-auth-TLSv1.1-require-ssl +[17-client-auth-TLSv1.1-require] +ssl_conf = 17-client-auth-TLSv1.1-require-ssl -[15-client-auth-TLSv1.1-require-ssl] -server = 15-client-auth-TLSv1.1-require-server -client = 15-client-auth-TLSv1.1-require-client +[17-client-auth-TLSv1.1-require-ssl] +server = 17-client-auth-TLSv1.1-require-server +client = 17-client-auth-TLSv1.1-require-client -[15-client-auth-TLSv1.1-require-server] +[17-client-auth-TLSv1.1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 @@ -483,7 +548,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[15-client-auth-TLSv1.1-require-client] +[17-client-auth-TLSv1.1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 @@ -492,7 +557,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-17] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -500,14 +565,14 @@ ExpectedResult = Success # =========================================================== -[16-client-auth-TLSv1.1-require-non-empty-names] -ssl_conf = 16-client-auth-TLSv1.1-require-non-empty-names-ssl +[18-client-auth-TLSv1.1-require-non-empty-names] +ssl_conf = 18-client-auth-TLSv1.1-require-non-empty-names-ssl -[16-client-auth-TLSv1.1-require-non-empty-names-ssl] -server = 16-client-auth-TLSv1.1-require-non-empty-names-server -client = 16-client-auth-TLSv1.1-require-non-empty-names-client +[18-client-auth-TLSv1.1-require-non-empty-names-ssl] +server = 18-client-auth-TLSv1.1-require-non-empty-names-server +client = 18-client-auth-TLSv1.1-require-non-empty-names-client -[16-client-auth-TLSv1.1-require-non-empty-names-server] +[18-client-auth-TLSv1.1-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -517,7 +582,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[16-client-auth-TLSv1.1-require-non-empty-names-client] +[18-client-auth-TLSv1.1-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 @@ -526,7 +591,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-18] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -534,14 +599,14 @@ ExpectedResult = Success # =========================================================== -[17-client-auth-TLSv1.1-noroot] -ssl_conf = 17-client-auth-TLSv1.1-noroot-ssl +[19-client-auth-TLSv1.1-noroot] +ssl_conf = 19-client-auth-TLSv1.1-noroot-ssl -[17-client-auth-TLSv1.1-noroot-ssl] -server = 17-client-auth-TLSv1.1-noroot-server -client = 17-client-auth-TLSv1.1-noroot-client +[19-client-auth-TLSv1.1-noroot-ssl] +server = 19-client-auth-TLSv1.1-noroot-server +client = 19-client-auth-TLSv1.1-noroot-client -[17-client-auth-TLSv1.1-noroot-server] +[19-client-auth-TLSv1.1-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 @@ -549,7 +614,7 @@ MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[17-client-auth-TLSv1.1-noroot-client] +[19-client-auth-TLSv1.1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 
@@ -558,48 +623,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-17] +[test-19] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[18-server-auth-TLSv1.2] -ssl_conf = 18-server-auth-TLSv1.2-ssl +[20-server-auth-TLSv1.2] +ssl_conf = 20-server-auth-TLSv1.2-ssl -[18-server-auth-TLSv1.2-ssl] -server = 18-server-auth-TLSv1.2-server -client = 18-server-auth-TLSv1.2-client +[20-server-auth-TLSv1.2-ssl] +server = 20-server-auth-TLSv1.2-server +client = 20-server-auth-TLSv1.2-client -[18-server-auth-TLSv1.2-server] +[20-server-auth-TLSv1.2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-server-auth-TLSv1.2-client] +[20-server-auth-TLSv1.2-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-18] +[test-20] ExpectedResult = Success # =========================================================== -[19-client-auth-TLSv1.2-request] -ssl_conf = 19-client-auth-TLSv1.2-request-ssl +[21-client-auth-TLSv1.2-request] +ssl_conf = 21-client-auth-TLSv1.2-request-ssl -[19-client-auth-TLSv1.2-request-ssl] -server = 19-client-auth-TLSv1.2-request-server -client = 19-client-auth-TLSv1.2-request-client +[21-client-auth-TLSv1.2-request-ssl] +server = 21-client-auth-TLSv1.2-request-server +client = 21-client-auth-TLSv1.2-request-client -[19-client-auth-TLSv1.2-request-server] +[21-client-auth-TLSv1.2-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 
@@ -607,27 +672,27 @@ MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[19-client-auth-TLSv1.2-request-client] +[21-client-auth-TLSv1.2-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-21] ExpectedResult = Success # =========================================================== -[20-client-auth-TLSv1.2-require-fail] -ssl_conf = 20-client-auth-TLSv1.2-require-fail-ssl +[22-client-auth-TLSv1.2-require-fail] +ssl_conf = 22-client-auth-TLSv1.2-require-fail-ssl -[20-client-auth-TLSv1.2-require-fail-ssl] -server = 20-client-auth-TLSv1.2-require-fail-server -client = 20-client-auth-TLSv1.2-require-fail-client +[22-client-auth-TLSv1.2-require-fail-ssl] +server = 22-client-auth-TLSv1.2-require-fail-server +client = 22-client-auth-TLSv1.2-require-fail-client -[20-client-auth-TLSv1.2-require-fail-server] +[22-client-auth-TLSv1.2-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 
@@ -636,28 +701,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[20-client-auth-TLSv1.2-require-fail-client] +[22-client-auth-TLSv1.2-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-20] +[test-22] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[21-client-auth-TLSv1.2-require] -ssl_conf = 21-client-auth-TLSv1.2-require-ssl +[23-client-auth-TLSv1.2-require] +ssl_conf = 23-client-auth-TLSv1.2-require-ssl -[21-client-auth-TLSv1.2-require-ssl] -server = 21-client-auth-TLSv1.2-require-server -client = 21-client-auth-TLSv1.2-require-client +[23-client-auth-TLSv1.2-require-ssl] +server = 23-client-auth-TLSv1.2-require-server +client = 23-client-auth-TLSv1.2-require-client -[21-client-auth-TLSv1.2-require-server] +[23-client-auth-TLSv1.2-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientSignatureAlgorithms = SHA256+RSA @@ -667,7 +732,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[21-client-auth-TLSv1.2-require-client] +[23-client-auth-TLSv1.2-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 @@ -676,7 +741,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-21] +[test-23] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 
@@ -686,14 +751,83 @@ ExpectedResult = Success # =========================================================== -[22-client-auth-TLSv1.2-require-non-empty-names] -ssl_conf = 22-client-auth-TLSv1.2-require-non-empty-names-ssl +[24-client-auth-TLSv1.2-rsa-pss] +ssl_conf = 24-client-auth-TLSv1.2-rsa-pss-ssl + +[24-client-auth-TLSv1.2-rsa-pss-ssl] +server = 24-client-auth-TLSv1.2-rsa-pss-server +client = 24-client-auth-TLSv1.2-rsa-pss-client + +[24-client-auth-TLSv1.2-rsa-pss-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Require + +[24-client-auth-TLSv1.2-rsa-pss-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/rootcert.pem +ExpectedClientCertType = RSA-PSS +ExpectedResult = Success + + +# =========================================================== + +[25-client-auth-TLSv1.2-rsa-pss-bad] +ssl_conf = 25-client-auth-TLSv1.2-rsa-pss-bad-ssl + +[25-client-auth-TLSv1.2-rsa-pss-bad-ssl] +server = 25-client-auth-TLSv1.2-rsa-pss-bad-server +client = 25-client-auth-TLSv1.2-rsa-pss-bad-client + +[25-client-auth-TLSv1.2-rsa-pss-bad-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +VerifyMode = Require + +[25-client-auth-TLSv1.2-rsa-pss-bad-client] 
+Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure + + +# =========================================================== + +[26-client-auth-TLSv1.2-require-non-empty-names] +ssl_conf = 26-client-auth-TLSv1.2-require-non-empty-names-ssl -[22-client-auth-TLSv1.2-require-non-empty-names-ssl] -server = 22-client-auth-TLSv1.2-require-non-empty-names-server -client = 22-client-auth-TLSv1.2-require-non-empty-names-client +[26-client-auth-TLSv1.2-require-non-empty-names-ssl] +server = 26-client-auth-TLSv1.2-require-non-empty-names-server +client = 26-client-auth-TLSv1.2-require-non-empty-names-client -[22-client-auth-TLSv1.2-require-non-empty-names-server] +[26-client-auth-TLSv1.2-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -704,7 +838,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[22-client-auth-TLSv1.2-require-non-empty-names-client] +[26-client-auth-TLSv1.2-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 @@ -713,7 +847,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-22] +[test-26] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 
@@ -723,14 +857,14 @@ ExpectedResult = Success # =========================================================== -[23-client-auth-TLSv1.2-noroot] -ssl_conf = 23-client-auth-TLSv1.2-noroot-ssl +[27-client-auth-TLSv1.2-noroot] +ssl_conf = 27-client-auth-TLSv1.2-noroot-ssl -[23-client-auth-TLSv1.2-noroot-ssl] -server = 23-client-auth-TLSv1.2-noroot-server -client = 23-client-auth-TLSv1.2-noroot-client +[27-client-auth-TLSv1.2-noroot-ssl] +server = 27-client-auth-TLSv1.2-noroot-server +client = 27-client-auth-TLSv1.2-noroot-client -[23-client-auth-TLSv1.2-noroot-server] +[27-client-auth-TLSv1.2-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 @@ -738,7 +872,7 @@ MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[23-client-auth-TLSv1.2-noroot-client] +[27-client-auth-TLSv1.2-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 
@@ -747,49 +881,49 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-27] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[24-server-auth-DTLSv1] -ssl_conf = 24-server-auth-DTLSv1-ssl +[28-server-auth-DTLSv1] +ssl_conf = 28-server-auth-DTLSv1-ssl -[24-server-auth-DTLSv1-ssl] -server = 24-server-auth-DTLSv1-server -client = 24-server-auth-DTLSv1-client +[28-server-auth-DTLSv1-ssl] +server = 28-server-auth-DTLSv1-server +client = 28-server-auth-DTLSv1-client -[24-server-auth-DTLSv1-server] +[28-server-auth-DTLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[24-server-auth-DTLSv1-client] +[28-server-auth-DTLSv1-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-28] ExpectedResult = Success Method = DTLS # =========================================================== -[25-client-auth-DTLSv1-request] -ssl_conf = 25-client-auth-DTLSv1-request-ssl +[29-client-auth-DTLSv1-request] +ssl_conf = 29-client-auth-DTLSv1-request-ssl -[25-client-auth-DTLSv1-request-ssl] -server = 25-client-auth-DTLSv1-request-server -client = 25-client-auth-DTLSv1-request-client +[29-client-auth-DTLSv1-request-ssl] +server = 29-client-auth-DTLSv1-request-server +client = 29-client-auth-DTLSv1-request-client -[25-client-auth-DTLSv1-request-server] +[29-client-auth-DTLSv1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 
@@ -797,28 +931,28 @@ MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[25-client-auth-DTLSv1-request-client] +[29-client-auth-DTLSv1-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-25] +[test-29] ExpectedResult = Success Method = DTLS # =========================================================== -[26-client-auth-DTLSv1-require-fail] -ssl_conf = 26-client-auth-DTLSv1-require-fail-ssl +[30-client-auth-DTLSv1-require-fail] +ssl_conf = 30-client-auth-DTLSv1-require-fail-ssl -[26-client-auth-DTLSv1-require-fail-ssl] -server = 26-client-auth-DTLSv1-require-fail-server -client = 26-client-auth-DTLSv1-require-fail-client +[30-client-auth-DTLSv1-require-fail-ssl] +server = 30-client-auth-DTLSv1-require-fail-server +client = 30-client-auth-DTLSv1-require-fail-client -[26-client-auth-DTLSv1-require-fail-server] +[30-client-auth-DTLSv1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -827,14 +961,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[26-client-auth-DTLSv1-require-fail-client] +[30-client-auth-DTLSv1-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-26] +[test-30] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure Method = DTLS 
@@ -842,14 +976,14 @@ Method = DTLS # =========================================================== -[27-client-auth-DTLSv1-require] -ssl_conf = 27-client-auth-DTLSv1-require-ssl +[31-client-auth-DTLSv1-require] +ssl_conf = 31-client-auth-DTLSv1-require-ssl -[27-client-auth-DTLSv1-require-ssl] -server = 27-client-auth-DTLSv1-require-server -client = 27-client-auth-DTLSv1-require-client +[31-client-auth-DTLSv1-require-ssl] +server = 31-client-auth-DTLSv1-require-server +client = 31-client-auth-DTLSv1-require-client -[27-client-auth-DTLSv1-require-server] +[31-client-auth-DTLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -858,7 +992,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[27-client-auth-DTLSv1-require-client] +[31-client-auth-DTLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -867,7 +1001,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-27] +[test-31] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -876,14 +1010,14 @@ Method = DTLS # =========================================================== -[28-client-auth-DTLSv1-require-non-empty-names] -ssl_conf = 28-client-auth-DTLSv1-require-non-empty-names-ssl +[32-client-auth-DTLSv1-require-non-empty-names] +ssl_conf = 32-client-auth-DTLSv1-require-non-empty-names-ssl -[28-client-auth-DTLSv1-require-non-empty-names-ssl] -server = 28-client-auth-DTLSv1-require-non-empty-names-server -client = 28-client-auth-DTLSv1-require-non-empty-names-client +[32-client-auth-DTLSv1-require-non-empty-names-ssl] +server = 32-client-auth-DTLSv1-require-non-empty-names-server +client = 32-client-auth-DTLSv1-require-non-empty-names-client -[28-client-auth-DTLSv1-require-non-empty-names-server] +[32-client-auth-DTLSv1-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -893,7 +1027,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[28-client-auth-DTLSv1-require-non-empty-names-client] +[32-client-auth-DTLSv1-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -902,7 +1036,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-28] +[test-32] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -911,14 +1045,14 @@ Method = DTLS # =========================================================== -[29-client-auth-DTLSv1-noroot] -ssl_conf = 29-client-auth-DTLSv1-noroot-ssl +[33-client-auth-DTLSv1-noroot] +ssl_conf = 33-client-auth-DTLSv1-noroot-ssl -[29-client-auth-DTLSv1-noroot-ssl] -server = 29-client-auth-DTLSv1-noroot-server -client = 29-client-auth-DTLSv1-noroot-client +[33-client-auth-DTLSv1-noroot-ssl] +server = 33-client-auth-DTLSv1-noroot-server +client = 33-client-auth-DTLSv1-noroot-client -[29-client-auth-DTLSv1-noroot-server] +[33-client-auth-DTLSv1-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -926,7 +1060,7 @@ MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[29-client-auth-DTLSv1-noroot-client] +[33-client-auth-DTLSv1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 @@ -935,7 +1069,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-29] +[test-33] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA Method = DTLS 
@@ -943,42 +1077,42 @@ Method = DTLS # =========================================================== -[30-server-auth-DTLSv1.2] -ssl_conf = 30-server-auth-DTLSv1.2-ssl +[34-server-auth-DTLSv1.2] +ssl_conf = 34-server-auth-DTLSv1.2-ssl -[30-server-auth-DTLSv1.2-ssl] -server = 30-server-auth-DTLSv1.2-server -client = 30-server-auth-DTLSv1.2-client +[34-server-auth-DTLSv1.2-ssl] +server = 34-server-auth-DTLSv1.2-server +client = 34-server-auth-DTLSv1.2-client -[30-server-auth-DTLSv1.2-server] +[34-server-auth-DTLSv1.2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[30-server-auth-DTLSv1.2-client] +[34-server-auth-DTLSv1.2-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-30] +[test-34] ExpectedResult = Success Method = DTLS # =========================================================== -[31-client-auth-DTLSv1.2-request] -ssl_conf = 31-client-auth-DTLSv1.2-request-ssl +[35-client-auth-DTLSv1.2-request] +ssl_conf = 35-client-auth-DTLSv1.2-request-ssl -[31-client-auth-DTLSv1.2-request-ssl] -server = 31-client-auth-DTLSv1.2-request-server -client = 31-client-auth-DTLSv1.2-request-client +[35-client-auth-DTLSv1.2-request-ssl] +server = 35-client-auth-DTLSv1.2-request-server +client = 35-client-auth-DTLSv1.2-request-client -[31-client-auth-DTLSv1.2-request-server] +[35-client-auth-DTLSv1.2-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 
@@ -986,28 +1120,28 @@ MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[31-client-auth-DTLSv1.2-request-client] +[35-client-auth-DTLSv1.2-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-31] +[test-35] ExpectedResult = Success Method = DTLS # =========================================================== -[32-client-auth-DTLSv1.2-require-fail] -ssl_conf = 32-client-auth-DTLSv1.2-require-fail-ssl +[36-client-auth-DTLSv1.2-require-fail] +ssl_conf = 36-client-auth-DTLSv1.2-require-fail-ssl -[32-client-auth-DTLSv1.2-require-fail-ssl] -server = 32-client-auth-DTLSv1.2-require-fail-server -client = 32-client-auth-DTLSv1.2-require-fail-client +[36-client-auth-DTLSv1.2-require-fail-ssl] +server = 36-client-auth-DTLSv1.2-require-fail-server +client = 36-client-auth-DTLSv1.2-require-fail-client -[32-client-auth-DTLSv1.2-require-fail-server] +[36-client-auth-DTLSv1.2-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1016,14 +1150,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[32-client-auth-DTLSv1.2-require-fail-client] +[36-client-auth-DTLSv1.2-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-36] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure Method = DTLS 
@@ -1031,14 +1165,14 @@ Method = DTLS # =========================================================== -[33-client-auth-DTLSv1.2-require] -ssl_conf = 33-client-auth-DTLSv1.2-require-ssl +[37-client-auth-DTLSv1.2-require] +ssl_conf = 37-client-auth-DTLSv1.2-require-ssl -[33-client-auth-DTLSv1.2-require-ssl] -server = 33-client-auth-DTLSv1.2-require-server -client = 33-client-auth-DTLSv1.2-require-client +[37-client-auth-DTLSv1.2-require-ssl] +server = 37-client-auth-DTLSv1.2-require-server +client = 37-client-auth-DTLSv1.2-require-client -[33-client-auth-DTLSv1.2-require-server] +[37-client-auth-DTLSv1.2-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1047,7 +1181,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[33-client-auth-DTLSv1.2-require-client] +[37-client-auth-DTLSv1.2-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1056,7 +1190,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-37] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -1065,14 +1199,14 @@ Method = DTLS # =========================================================== -[34-client-auth-DTLSv1.2-require-non-empty-names] -ssl_conf = 34-client-auth-DTLSv1.2-require-non-empty-names-ssl +[38-client-auth-DTLSv1.2-require-non-empty-names] +ssl_conf = 38-client-auth-DTLSv1.2-require-non-empty-names-ssl -[34-client-auth-DTLSv1.2-require-non-empty-names-ssl] -server = 34-client-auth-DTLSv1.2-require-non-empty-names-server -client = 34-client-auth-DTLSv1.2-require-non-empty-names-client +[38-client-auth-DTLSv1.2-require-non-empty-names-ssl] +server = 38-client-auth-DTLSv1.2-require-non-empty-names-server +client = 38-client-auth-DTLSv1.2-require-non-empty-names-client -[34-client-auth-DTLSv1.2-require-non-empty-names-server] +[38-client-auth-DTLSv1.2-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -1082,7 +1216,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[34-client-auth-DTLSv1.2-require-non-empty-names-client] +[38-client-auth-DTLSv1.2-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1091,7 +1225,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-38] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -1100,14 +1234,14 @@ Method = DTLS # =========================================================== -[35-client-auth-DTLSv1.2-noroot] -ssl_conf = 35-client-auth-DTLSv1.2-noroot-ssl +[39-client-auth-DTLSv1.2-noroot] +ssl_conf = 39-client-auth-DTLSv1.2-noroot-ssl -[35-client-auth-DTLSv1.2-noroot-ssl] -server = 35-client-auth-DTLSv1.2-noroot-server -client = 35-client-auth-DTLSv1.2-noroot-client +[39-client-auth-DTLSv1.2-noroot-ssl] +server = 39-client-auth-DTLSv1.2-noroot-server +client = 39-client-auth-DTLSv1.2-noroot-client -[35-client-auth-DTLSv1.2-noroot-server] +[39-client-auth-DTLSv1.2-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1115,7 +1249,7 @@ MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[35-client-auth-DTLSv1.2-noroot-client] +[39-client-auth-DTLSv1.2-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1124,7 +1258,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-39] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA Method = DTLS diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in index d908ad1c7d..57dd49b59d 100644 --- a/test/ssl-tests/04-client_auth.cnf.in +++ b/test/ssl-tests/04-client_auth.cnf.in 
@@ -155,6 +155,65 @@ sub generate_tests() {
 };
 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 
+ # Successful handshake with client RSA-PSS cert, StrictCertCheck
+ push @tests, {
+ name => "client-auth-${protocol_name}-rsa-pss"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientCAFile" => test_pem("rootcert.pem"),
+ "VerifyCAFile" => test_pem("rootcert.pem"),
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("client-pss-restrict-cert.pem"),
+ "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
+ "Options" => "StrictCertCheck",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA-PSS",
+ "ExpectedClientCANames" => test_pem("rootcert.pem"),
+ "Method" => $method,
+ },
+ } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
+
+ # Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA
+ push @tests, {
+ name => "client-auth-${protocol_name}-rsa-pss-bad"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientCAFile" => test_pem("rootCA.pem"),
+ "VerifyCAFile" => test_pem("rootCA.pem"),
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("client-pss-restrict-cert.pem"),
+ "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
+ "Options" => "StrictCertCheck",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ExpectedServerAlert" =>
+ ($protocol_name eq "flex"
+ && !disabled("tls1_3")
+ && (!disabled("ec") || !disabled("dh")))
+ ? "CertificateRequired" : "HandshakeFailure",
+ "Method" => $method,
+ },
+ } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
+
 # Successful handshake with client authentication non-empty names
 push @tests, {
 name => "client-auth-${protocol_name}-require-non-empty-names" |
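Review bot: The `ExpectedServerAlert` expression in the `rsa-pss-bad` test gives no reason why a client certificate from a CA the server does not trust is expected to end in `CertificateRequired`/`HandshakeFailure` rather than the `UnknownCA` the neighbouring `noroot` tests expect, and that is exactly the behaviour this commit's `StrictCertCheck` option introduces. Presumably the strict check makes the client withhold a certificate that does not match the CA names the server advertises, so the server fails for a missing client certificate (TLS 1.3, reachable under `flex` when tls1_3 and a group are enabled, as `CertificateRequired`; TLS 1.2 as `HandshakeFailure`) — I'd record that above the ternary: `# StrictCertCheck: the client withholds a cert not issued by an advertised CA, so the server sees no client cert (not an UnknownCA failure)`. The two new blocks otherwise differ only in the CA file and the expected result, so the `.($sctp ? "-sctp" : "")` suffix and the absence of the `UseSCTP` line the other tests set look like copied boilerplate that appears unreachable under the `TLSv1.2 || flex` guard; dropping the suffix (or factoring both blocks through a small helper taking the CA file and expected outcome) would make the intent explicit. The enclosing `generate_tests` sub starts and ends outside the hunk.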