However, for verification, we also include checked-in configuration outputs
corresponding to the default configuration. These testcases live in
-`test/ssl-tests/*.conf` files. Therefore, whenever you're adding or updating a
-generated test, you should run
-
-```
-$ ./config
-$ cd test
-$ TOP=.. perl -I testlib/ generate_ssl_tests.pl ssl-tests/my.conf.in \
- > ssl-tests/my.conf
-```
-
-where `my.conf.in` is your test input file.
-
-For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do
-
-```
-$ TOP=.. perl generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf
-```
+`test/ssl-tests/*.conf` files.
For more details, see `ssl-tests/01-simple.conf.in` for an example.
* HandshakeMode - which handshake flavour to test:
- Simple - plain handshake (default)
- Resume - test resumption
- - (Renegotiate - test renegotiation, not yet implemented)
+ - RenegotiateServer - test server initiated renegotiation
+ - RenegotiateClient - test client initiated renegotiation
When HandshakeMode is Resume or Renegotiate, the original handshake is expected
to succeed. All configured test expectations are verified against the second
- InternalError - some other error
* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
- `ssl_test_ctx.c` for known values.
+ `ssl_test_ctx.c` for known values. Note: the expected alert is currently
+ matched against the _last_ received alert (i.e., a fatal alert or a
+ `close_notify`). Warning alert expectations are not yet supported. (A warning
+ alert will not be correctly matched, if followed by a `close_notify` or
+ another alert.)
* ExpectedProtocol - expected negotiated protocol. One of
SSLv3, TLSv1, TLSv1.1, TLSv1.2.
- Yes - a session ticket is expected
- No - a session ticket is not expected
+* SessionIdExpected - whether or not a session id is expected
+ - Ignore - do not check for a session id (default)
+ - Yes - a session id is expected
+ - No - a session id is not expected
+
* ResumptionExpected - whether or not resumption is expected (Resume mode only)
- Yes - resumed handshake
- No - full handshake (default)
* ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
+* ExpectedTmpKeyType - the expected algorithm or curve of server temp key
+
+* ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
+ curve of server or client certificate
+
+* ExpectedServerSignHash, ExpectedClientSignHash - the expected
+ signing hash used by server or client certificate
+
+* ExpectedServerSignType, ExpectedClientSignType - the expected
+ signature type used by server or client when signing messages
+
+* ExpectedClientCANames - for client auth list of CA names the server must
+ send. If this is "empty" the list is expected to be empty otherwise it
+ is a file of certificates whose subject names form the list.
+
+* ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only.
+ If this is "empty" the list is expected to be empty otherwise it is a file
+ of certificates whose subject names form the list.
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
protocols can be specified as a comma-separated list, and a callback with the
recommended behaviour will be installed automatically.
+* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
+ connect as; for server, this is a known SRP user.
+
### Default server and client configurations
The default server certificate and CA files are added to the configurations
## Adding a test to the test harness
-Add your configuration file to `test/recipes/80-test_ssl_new.t`.
+1. Add a new test configuration to `test/ssl-tests`, following the examples of
+ existing `*.conf.in` files (for example, `01-simple.conf.in`).
+
+2. Generate the generated `*.conf` test input file. You can do so by running
+ `generate_ssl_tests.pl`:
+
+```
+$ ./config
+$ cd test
+$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/my.conf.in \
+ > ssl-tests/my.conf
+```
+
+where `my.conf.in` is your test input file.
+
+For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do
+
+```
+$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf
+```
+
+Alternatively (hackish but simple), you can comment out
+
+```
+unlink glob $tmp_file;
+```
+
+in `test/recipes/80-test_ssl_new.t` and run
+
+```
+$ make TESTS=test_ssl_new test
+```
+
+This will save the generated output in a `*.tmp` file in the build directory.
+
+3. Update the number of tests planned in `test/recipes/80-test_ssl_new.t`. If
+ the test suite has any skip conditions, update those too (see
+ `test/recipes/80-test_ssl_new.t` for details).
## Running the tests with the test harness
OpenSSL directory, do
```
-$ TEST_CERTS_DIR=test/certs test/ssl_test test/ssl-tests/01-simple.conf
+$ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs test/ssl_test \
+ test/ssl-tests/01-simple.conf
```
or for shared builds
```
-$ TEST_CERTS_DIR=test/certs util/shlib_wrap.sh test/ssl_test \
- test/ssl-tests/01-simple.conf
+$ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs \
+ util/shlib_wrap.sh test/ssl_test test/ssl-tests/01-simple.conf
```
-Some tests also need additional environment variables; for example, Certificate
-Transparency tests need a `CTLOG_FILE`. See `test/recipes/80-test_ssl_new.t` for
-details.
-
Note that the test expectations sometimes depend on the Configure settings. For
example, the negotiated protocol depends on the set of available (enabled)
protocols: a build with `enable-ssl3` has different test expectations than a