9 cert=../apps/server.pem
13 ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
15 if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
21 if [ "$3" = "" ]; then
27 if [ "$4" = "" ]; then
33 serverinfo="./serverinfo.pem"
35 #############################################################################
38 $ssltest -ssl2 $extra || exit 1
40 echo test sslv2 with server authentication
41 $ssltest -ssl2 -server_auth $CA $extra || exit 1
43 if [ $dsa_cert = NO ]; then
44 echo test sslv2 with client authentication
45 $ssltest -ssl2 -client_auth $CA $extra || exit 1
47 echo test sslv2 with both client and server authentication
48 $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
52 $ssltest -ssl3 $extra || exit 1
54 echo test sslv3 with server authentication
55 $ssltest -ssl3 -server_auth $CA $extra || exit 1
57 echo test sslv3 with client authentication
58 $ssltest -ssl3 -client_auth $CA $extra || exit 1
60 echo test sslv3 with both client and server authentication
61 $ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
64 $ssltest $extra || exit 1
66 echo test sslv2/sslv3 with server authentication
67 $ssltest -server_auth $CA $extra || exit 1
69 echo test sslv2/sslv3 with client authentication
70 $ssltest -client_auth $CA $extra || exit 1
72 echo test sslv2/sslv3 with both client and server authentication
73 $ssltest -server_auth -client_auth $CA $extra || exit 1
75 echo test sslv2 via BIO pair
76 $ssltest -bio_pair -ssl2 $extra || exit 1
78 echo test sslv2 with server authentication via BIO pair
79 $ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
81 if [ $dsa_cert = NO ]; then
82 echo test sslv2 with client authentication via BIO pair
83 $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
85 echo test sslv2 with both client and server authentication via BIO pair
86 $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
89 echo test sslv3 via BIO pair
90 $ssltest -bio_pair -ssl3 $extra || exit 1
92 echo test sslv3 with server authentication via BIO pair
93 $ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
95 echo test sslv3 with client authentication via BIO pair
96 $ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
98 echo test sslv3 with both client and server authentication via BIO pair
99 $ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
101 echo test sslv2/sslv3 via BIO pair
102 $ssltest $extra || exit 1
105 $ssltest -dtls1 $extra || exit 1
107 echo test dtlsv1 with server authentication
108 $ssltest -dtls1 -server_auth $CA $extra || exit 1
110 echo test dtlsv1 with client authentication
111 $ssltest -dtls1 -client_auth $CA $extra || exit 1
113 echo test dtlsv1 with both client and server authentication
114 $ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
117 $ssltest -dtls12 $extra || exit 1
119 echo test dtlsv1.2 with server authentication
120 $ssltest -dtls12 -server_auth $CA $extra || exit 1
122 echo test dtlsv1.2 with client authentication
123 $ssltest -dtls12 -client_auth $CA $extra || exit 1
125 echo test dtlsv1.2 with both client and server authentication
126 $ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
128 if [ $dsa_cert = NO ]; then
129 echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
130 $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
133 echo test sslv2/sslv3 with 1024bit DHE via BIO pair
134 $ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
136 echo test sslv2/sslv3 with server authentication
137 $ssltest -bio_pair -server_auth $CA $extra || exit 1
139 echo test sslv2/sslv3 with client authentication via BIO pair
140 $ssltest -bio_pair -client_auth $CA $extra || exit 1
142 echo test sslv2/sslv3 with both client and server authentication via BIO pair
143 $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
145 echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
146 $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
150 echo "Testing $_cipher"
152 if [ $2 = "SSLv3" ] ; then
155 $ssltest -cipher $_cipher $prot
156 if [ $? -ne 0 ] ; then
157 echo "Failed $_cipher"
162 echo "Testing ciphersuites"
163 for protocol in TLSv1.2 SSLv3; do
164 echo "Testing ciphersuites for $protocol"
165 for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
166 test_cipher $cipher $protocol
168 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
169 echo "skipping RSA+DHE tests"
171 for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
172 test_cipher $cipher $protocol
174 echo "testing connection with weak DH, expecting failure"
175 if [ $protocol = "SSLv3" ] && ../util/shlib_wrap.sh ../apps/openssl no-ssl3; then
176 echo "skipping weak DH test for disabled protocol"
178 if [ $protocol = "SSLv3" ] ; then
179 $ssltest -cipher EDH -dhe512 -ssl3
181 $ssltest -cipher EDH -dhe512
183 if [ $? -eq 0 ]; then
184 echo "FAIL: connection with weak DH succeeded"
189 if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
190 echo "skipping RSA+ECDHE tests"
192 for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
193 test_cipher $cipher $protocol
198 #############################################################################
200 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
201 echo skipping anonymous DH tests
203 echo test tls1 with 1024bit anonymous DH, multiple handshakes
204 $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
207 if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
208 echo skipping RSA tests
210 echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
211 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
213 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
214 echo skipping RSA+DHE tests
216 echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
217 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
221 echo test tls1 with PSK
222 $ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
224 echo test tls1 with PSK via BIO pair
225 $ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
227 #############################################################################
228 # Custom Extension tests
230 echo test tls1 with custom extensions
231 $ssltest -bio_pair -tls1 -custom_ext || exit 1
233 #############################################################################
236 echo test tls1 with serverinfo
237 $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo || exit 1
238 $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct || exit 1
239 $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_tack || exit 1
240 $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
241 $ssltest -bio_pair -tls1 -custom_ext -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
243 #############################################################################
246 $ssltest -bio_pair -sn_client foo || exit 1
247 $ssltest -bio_pair -sn_server1 foo || exit 1
248 $ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_expect1 || exit 1
249 $ssltest -bio_pair -sn_client foo -sn_server1 bar -sn_expect1 || exit 1
250 $ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
251 $ssltest -bio_pair -sn_client bar -sn_server1 foo -sn_server2 bar -sn_expect2 || exit 1
252 # Negative test - make sure it doesn't crash, and doesn't switch contexts
253 $ssltest -bio_pair -sn_client foobar -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1
255 #############################################################################
258 $ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
259 $ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo -alpn_expected foo || exit 1
260 $ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo -alpn_expected foo || exit 1
261 $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo -alpn_expected foo || exit 1
262 $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar -alpn_expected foo || exit 1
263 $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expected bar || exit 1
264 $ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1
265 $ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
268 #############################################################################
271 $ssltest -bio_pair -alpn_client foo,bar -sn_client alice -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected foo || exit 1
272 $ssltest -bio_pair -alpn_client foo,bar -sn_client bob -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
273 $ssltest -bio_pair -alpn_client foo,bar -sn_client bob -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1
275 if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
276 echo skipping SRP tests
278 echo test tls1 with SRP
279 $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
281 echo test tls1 with SRP via BIO pair
282 $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
284 echo test tls1 with SRP auth
285 $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
287 echo test tls1 with SRP auth via BIO pair
288 $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
291 #############################################################################
294 if [ -z "$extra" -a `uname -m` = "x86_64" ]; then
295 $ssltest -cipher AES128-SHA -bytes 8m || exit 1
296 $ssltest -cipher AES128-SHA256 -bytes 8m || exit 1
299 #############################################################################
300 # Signature algorithms + SNI
302 $ssltest -tls12 -sn_client server1 -sn_server1 server1 -sn_server2 server2 -sn_expect1 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 || exit 1
303 $ssltest -tls12 -sn_client server1 -sn_server1 server1 -sn_server2 server2 -sn_expect1 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 -sni_in_cert_cb || exit 1
304 # Switching SSL_CTX on SNI must not break signature algorithm negotiation.
305 $ssltest -tls12 -sn_client server2 -sn_server1 server1 -sn_server2 server2 -sn_expect2 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 || exit 1
306 $ssltest -tls12 -sn_client server2 -sn_server1 server1 -sn_server2 server2 -sn_expect2 -client_sigalgs RSA+SHA256 -server_digest_expect SHA256 -sni_in_cert_cb || exit 1
309 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
310 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
311 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
312 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
313 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
314 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect yes || exit 1
315 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
316 $ssltest -bio_pair -sn_client alice -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
318 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
319 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
320 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
321 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 no -s_ticket2 yes -c_ticket yes -ticket_expect no || exit 1
322 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket no -ticket_expect no || exit 1
323 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 no -c_ticket yes -ticket_expect no || exit 1
324 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket no -ticket_expect no || exit 1
325 $ssltest -bio_pair -sn_client bob -sn_server1 alice -sn_server2 bob -s_ticket1 yes -s_ticket2 yes -c_ticket yes -ticket_expect yes || exit 1
327 $ssltest -bio_pair -s_ticket1 broken -c_ticket yes -ticket_expect no || exit 1