From cf170f558b6051a66b5e182ac447b7b8ce85c8d2 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 26 Aug 2015 14:28:38 +0100
Subject: [PATCH] Extend ciphersuite test coverage.

Add support for testing ECDSA and DSA ciphersuites.

Reviewed-by: Matt Caswell
---
 test/testssl | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/test/testssl b/test/testssl
index 365cfd9623..d41a4bdf63 100644
--- a/test/testssl
+++ b/test/testssl
@@ -124,7 +124,8 @@ test_cipher() {
 if [ $2 = "SSLv3" ] ; then
 prot="-ssl3"
 fi
- $ssltest -cipher $_cipher $prot
+ _exarg=$3
+ $ssltest $_exarg -cipher $_cipher $prot
 if [ $? -ne 0 ] ; then
 echo "Failed $_cipher"
 exit 1
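Review bot: `$_exarg` is expanded unquoted on the new `$ssltest` line so that the single string passed as `$3` splits into several options, which is easy to mistake for a quoting slip and would misbehave if a certificate or key path ever contained whitespace or glob characters. A comment above the assignment would record the intent, for example `# $3: extra ssltest options; left unquoted on purpose so they word-split`. The callers that omit the third argument still work because an empty unquoted expansion disappears, which is worth stating in the same comment. The body of test_cipher starts and ends outside this hunk.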
@@ -132,17 +133,31 @@ test_cipher() {
 }
 echo "Testing ciphersuites"
+exkeys=""
+ciphers="-EXP:-PSK:-SRP:-kDH:-kECDHe"
+if ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then
+ echo "skipping DHE tests"
+ ciphers="$ciphers:-kDHE"
+fi
+if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then
+ echo "skipping DSA tests"
+ ciphers="$ciphers:-aDSA"
+else
+ exkeys="$exkeys -s_cert certD.ss -s_key keyD.ss"
+fi
+
+if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then
+ echo "skipping EC tests"
+ ciphers="$ciphers:!aECDSA:!kECDH"
+else
+ exkeys="$exkeys -s_cert certE.ss -s_key keyE.ss"
+fi
+
 for protocol in TLSv1.2 SSLv3; do
 echo "Testing ciphersuites for $protocol"
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
- test_cipher $cipher $protocol
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "$protocol:$ciphers" | tr ':' ' '`; do
+ test_cipher $cipher $protocol "$exkeys"
 done
- if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
- echo "skipping RSA+DHE tests"
- else
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
- test_cipher $cipher $protocol
- done
 echo "testing connection with weak DH, expecting failure"
 if [ $protocol = "SSLv3" ] ; then
 $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3
@@ -153,14 +168,6 @@ for protocol in TLSv1.2 SSLv3; do
 echo "FAIL: connection with weak DH succeeded"
 exit 1
 fi
- fi
- if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
- echo "skipping RSA+ECDHE tests"
- else
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
- test_cipher $cipher $protocol
- done
- fi
 done
 #############################################################################
--
2.25.1
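Review bot: The weak-DH negative test ("testing connection with weak DH, expecting failure") now runs on every build, because this hunk drops the `if ... no-dhparam` / `else` lines that enclosed it and the next hunk drops the matching `fi`. Judging by the "FAIL: connection with weak DH succeeded" branch, the check appears to accept any non-zero exit from `$ssltest`, so on a build without DH it would presumably pass because the EDH handshake cannot be set up at all, not because the 512-bit parameters were rejected. I would keep a guard around that block, e.g. `if ! ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then` … `fi`. Separately, the EC exclusion is written `!aECDSA:!kECDH` while the DHE and DSA exclusions use `-kDHE` and `-aDSA`; using one operator throughout, or a comment on why EC needs the permanent form, would make the cipher string easier to audit. The `for protocol` loop continues past the end of this hunk.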