3 ## SSL test configurations
11 use OpenSSL::Test::Utils qw(anydisabled);
12 setup("no_test_here");  # NOTE(review): setup() is not defined in the visible lines; presumably the OpenSSL::Test harness initialisation - confirm
14 # We test version-flexible negotiation (undef) and each protocol version. @protocols and @is_disabled are read with the same index in generate_tests.
15 my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
17 my @is_disabled = (0);  # slot 0 pairs with the undef (version-flexible) entry, so that case is never skipped
18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");  # assumed to return one flag per named option, in @protocols order - confirm; keep both lists in step when adding a version (see the TLSv1.3 TODO), otherwise a protocol's client-auth cases are gated on the wrong flag
22 sub generate_tests() {
23 foreach (0..$#protocols) {
24 my $protocol = $protocols[$_];
25 my $protocol_name = $protocol || "flex";
28 if (!$is_disabled[$_]) {
29 if ($protocol_name eq "SSLv3") {
30 $caalert = "BadCertificate";
32 $caalert = "UnknownCA";
34 if ($protocol_name =~ m/^DTLS/) {
40 # TODO(TLS1.3) add TLSv1.3 versions
41 if ($protocol_name eq "TLSv1.2") {
44 $clisigalgs = "SHA256+RSA";
46 # Sanity-check simple handshake.
48 name => "server-auth-${protocol_name}",
50 "MinProtocol" => $protocol,
51 "MaxProtocol" => $protocol
54 "MinProtocol" => $protocol,
55 "MaxProtocol" => $protocol
58 "ExpectedResult" => "Success",
63 # Handshake with client cert requested but not required or received.
65 name => "client-auth-${protocol_name}-request",
67 "MinProtocol" => $protocol,
68 "MaxProtocol" => $protocol,
69 "VerifyMode" => "Request"
72 "MinProtocol" => $protocol,
73 "MaxProtocol" => $protocol
76 "ExpectedResult" => "Success",
81 # Handshake with client cert required but not present.
83 name => "client-auth-${protocol_name}-require-fail",
85 "MinProtocol" => $protocol,
86 "MaxProtocol" => $protocol,
87 "VerifyCAFile" => test_pem("root-cert.pem"),
88 "VerifyMode" => "Require",
91 "MinProtocol" => $protocol,
92 "MaxProtocol" => $protocol
95 "ExpectedResult" => "ServerFail",
96 "ExpectedServerAlert" => "HandshakeFailure",
101 # Successful handshake with client authentication.
103 name => "client-auth-${protocol_name}-require",
105 "MinProtocol" => $protocol,
106 "MaxProtocol" => $protocol,
107 "ClientSignatureAlgorithms" => $clisigalgs,
108 "VerifyCAFile" => test_pem("root-cert.pem"),
109 "VerifyMode" => "Request",
112 "MinProtocol" => $protocol,
113 "MaxProtocol" => $protocol,
114 "Certificate" => test_pem("ee-client-chain.pem"),
115 "PrivateKey" => test_pem("ee-key.pem"),
118 "ExpectedResult" => "Success",
119 "ExpectedClientCertType" => "RSA",
120 "ExpectedClientSignType" => $clisigtype,
121 "ExpectedClientSignHash" => $clihash,
122 "ExpectedClientCANames" => "empty",
127 # Successful handshake with client authentication non-empty names
129 name => "client-auth-${protocol_name}-require-non-empty-names",
131 "MinProtocol" => $protocol,
132 "MaxProtocol" => $protocol,
133 "ClientSignatureAlgorithms" => $clisigalgs,
134 "ClientCAFile" => test_pem("root-cert.pem"),
135 "VerifyCAFile" => test_pem("root-cert.pem"),
136 "VerifyMode" => "Request",
139 "MinProtocol" => $protocol,
140 "MaxProtocol" => $protocol,
141 "Certificate" => test_pem("ee-client-chain.pem"),
142 "PrivateKey" => test_pem("ee-key.pem"),
145 "ExpectedResult" => "Success",
146 "ExpectedClientCertType" => "RSA",
147 "ExpectedClientSignType" => $clisigtype,
148 "ExpectedClientSignHash" => $clihash,
149 "ExpectedClientCANames" => test_pem("root-cert.pem"),
154 # Handshake with client authentication but without the root certificate.
156 name => "client-auth-${protocol_name}-noroot",
158 "MinProtocol" => $protocol,
159 "MaxProtocol" => $protocol,
160 "VerifyMode" => "Require",
163 "MinProtocol" => $protocol,
164 "MaxProtocol" => $protocol,
165 "Certificate" => test_pem("ee-client-chain.pem"),
166 "PrivateKey" => test_pem("ee-key.pem"),
169 "ExpectedResult" => "ServerFail",
170 "ExpectedServerAlert" => $caalert,