3 ## SSL test configurations
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
12 setup("no_test_here");
14 # We test version-flexible negotiation (undef) and each protocol version.
15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
17 my @is_disabled = (0);
18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
22 sub generate_tests() {
23 foreach (0..$#protocols) {
24 my $protocol = $protocols[$_];
25 my $protocol_name = $protocol || "flex";
29 if (!$is_disabled[$_]) {
30 if ($protocol_name eq "SSLv3") {
31 $caalert = "BadCertificate";
33 $caalert = "UnknownCA";
35 if ($protocol_name =~ m/^DTLS/) {
37 $sctpenabled = 1 if !disabled("sctp");
42 # TODO(TLS1.3) add TLSv1.3 versions
43 if ($protocol_name eq "TLSv1.2") {
46 $clisigalgs = "SHA256+RSA";
48 for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
49 # Sanity-check simple handshake.
51 name => "server-auth-${protocol_name}"
52 .($sctp ? "-sctp" : ""),
54 "MinProtocol" => $protocol,
55 "MaxProtocol" => $protocol
58 "MinProtocol" => $protocol,
59 "MaxProtocol" => $protocol
62 "ExpectedResult" => "Success",
66 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
68 # Handshake with client cert requested but not required or received.
70 name => "client-auth-${protocol_name}-request"
71 .($sctp ? "-sctp" : ""),
73 "MinProtocol" => $protocol,
74 "MaxProtocol" => $protocol,
75 "VerifyMode" => "Request"
78 "MinProtocol" => $protocol,
79 "MaxProtocol" => $protocol
82 "ExpectedResult" => "Success",
86 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
88 # Handshake with client cert required but not present.
90 name => "client-auth-${protocol_name}-require-fail"
91 .($sctp ? "-sctp" : ""),
93 "MinProtocol" => $protocol,
94 "MaxProtocol" => $protocol,
95 "VerifyCAFile" => test_pem("root-cert.pem"),
96 "VerifyMode" => "Require",
99 "MinProtocol" => $protocol,
100 "MaxProtocol" => $protocol
103 "ExpectedResult" => "ServerFail",
104 "ExpectedServerAlert" => "HandshakeFailure",
108 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
110 # Successful handshake with client authentication.
112 name => "client-auth-${protocol_name}-require"
113 .($sctp ? "-sctp" : ""),
115 "MinProtocol" => $protocol,
116 "MaxProtocol" => $protocol,
117 "ClientSignatureAlgorithms" => $clisigalgs,
118 "VerifyCAFile" => test_pem("root-cert.pem"),
119 "VerifyMode" => "Request",
122 "MinProtocol" => $protocol,
123 "MaxProtocol" => $protocol,
124 "Certificate" => test_pem("ee-client-chain.pem"),
125 "PrivateKey" => test_pem("ee-key.pem"),
128 "ExpectedResult" => "Success",
129 "ExpectedClientCertType" => "RSA",
130 "ExpectedClientSignType" => $clisigtype,
131 "ExpectedClientSignHash" => $clihash,
132 "ExpectedClientCANames" => "empty",
136 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
138 # Successful handshake with client authentication non-empty names
140 name => "client-auth-${protocol_name}-require-non-empty-names"
141 .($sctp ? "-sctp" : ""),
143 "MinProtocol" => $protocol,
144 "MaxProtocol" => $protocol,
145 "ClientSignatureAlgorithms" => $clisigalgs,
146 "ClientCAFile" => test_pem("root-cert.pem"),
147 "VerifyCAFile" => test_pem("root-cert.pem"),
148 "VerifyMode" => "Request",
151 "MinProtocol" => $protocol,
152 "MaxProtocol" => $protocol,
153 "Certificate" => test_pem("ee-client-chain.pem"),
154 "PrivateKey" => test_pem("ee-key.pem"),
157 "ExpectedResult" => "Success",
158 "ExpectedClientCertType" => "RSA",
159 "ExpectedClientSignType" => $clisigtype,
160 "ExpectedClientSignHash" => $clihash,
161 "ExpectedClientCANames" => test_pem("root-cert.pem"),
165 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
167 # Handshake with client authentication but without the root certificate.
169 name => "client-auth-${protocol_name}-noroot"
170 .($sctp ? "-sctp" : ""),
172 "MinProtocol" => $protocol,
173 "MaxProtocol" => $protocol,
174 "VerifyMode" => "Require",
177 "MinProtocol" => $protocol,
178 "MaxProtocol" => $protocol,
179 "Certificate" => test_pem("ee-client-chain.pem"),
180 "PrivateKey" => test_pem("ee-key.pem"),
183 "ExpectedResult" => "ServerFail",
184 "ExpectedServerAlert" => $caalert,
188 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;