test/ssl-tests/20-cert-select.conf.in

   1 # -*- mode: perl; -*-
   2
   3 ## SSL test configurations
   4
   5
   6 use strict;
   7 use warnings;
   8
   9 package ssltests;
  10 use OpenSSL::Test::Utils;
  11
  12 my $server = {
  13     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  14     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  15     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  16     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  17     "MaxProtocol" => "TLSv1.2"
  18 };
  19
  20 my $server_pss = {
  21     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
  22     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
  23     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
  24     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
  25     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
  26     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
  27     "MaxProtocol" => "TLSv1.2"
  28 };
  29
  30 my $server_pss_only = {
  31     "Certificate" => test_pem("server-pss-cert.pem"),
  32     "PrivateKey" => test_pem("server-pss-key.pem"),
  33 };
  34
  35 our @tests = (
  36     {
  37         name => "ECDSA CipherString Selection",
  38         server => $server,
  39         client => {
  40             "CipherString" => "aECDSA",
  41             "MaxProtocol" => "TLSv1.2",
  42             "RequestCAFile" => test_pem("root-cert.pem"),
  43         },
  44         test   => {
  45             "ExpectedServerCertType" =>, "P-256",
  46             "ExpectedServerSignType" =>, "EC",
  47             # Note: certificate_authorities not sent for TLS < 1.3
  48             "ExpectedServerCANames" =>, "empty",
  49             "ExpectedResult" => "Success"
  50         },
  51     },
  52     {
  53         name => "Ed25519 CipherString and Signature Algorithm Selection",
  54         server => $server,
  55         client => {
  56             "CipherString" => "aECDSA",
  57             "MaxProtocol" => "TLSv1.2",
  58             "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
  59             "RequestCAFile" => test_pem("root-cert.pem"),
  60         },
  61         test   => {
  62             "ExpectedServerCertType" =>, "Ed25519",
  63             "ExpectedServerSignType" =>, "Ed25519",
  64             # Note: certificate_authorities not sent for TLS < 1.3
  65             "ExpectedServerCANames" =>, "empty",
  66             "ExpectedResult" => "Success"
  67         },
  68     },
  69     {
  70         name => "RSA CipherString Selection",
  71         server => $server,
  72         client => {
  73             "CipherString" => "aRSA",
  74             "MaxProtocol" => "TLSv1.2",
  75         },
  76         test   => {
  77             "ExpectedServerCertType" =>, "RSA",
  78             "ExpectedServerSignType" =>, "RSA-PSS",
  79             "ExpectedResult" => "Success"
  80         },
  81     },
  82     {
  83         name => "RSA-PSS Certificate CipherString Selection",
  84         server => $server_pss,
  85         client => {
  86             "CipherString" => "aRSA",
  87             "MaxProtocol" => "TLSv1.2",
  88         },
  89         test   => {
  90             "ExpectedServerCertType" =>, "RSA-PSS",
  91             "ExpectedServerSignType" =>, "RSA-PSS",
  92             "ExpectedResult" => "Success"
  93         },
  94     },
  95     {
  96         name => "P-256 CipherString and Signature Algorithm Selection",
  97         server => $server,
  98         client => {
  99             "CipherString" => "aECDSA",
 100             "MaxProtocol" => "TLSv1.2",
 101             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 102         },
 103         test   => {
 104             "ExpectedServerCertType" => "P-256",
 105             "ExpectedServerSignHash" => "SHA256",
 106             "ExpectedServerSignType" => "EC",
 107             "ExpectedResult" => "Success"
 108         },
 109     },
 110     {
 111         name => "Ed25519 CipherString and Curves Selection",
 112         server => $server,
 113         client => {
 114             "CipherString" => "aECDSA",
 115             "MaxProtocol" => "TLSv1.2",
 116             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 117             # Excluding P-256 from the supported curves list means server
 118             # certificate should be Ed25519 and not P-256
 119             "Curves" => "X25519"
 120         },
 121         test   => {
 122             "ExpectedServerCertType" =>, "Ed25519",
 123             "ExpectedServerSignType" =>, "Ed25519",
 124             "ExpectedResult" => "Success"
 125         },
 126     },
 127     {
 128         name => "ECDSA CipherString Selection, no ECDSA certificate",
 129         server => {
 130             "MaxProtocol" => "TLSv1.2"
 131         },
 132         client => {
 133             "CipherString" => "aECDSA",
 134             "MaxProtocol" => "TLSv1.2"
 135         },
 136         test   => {
 137             "ExpectedResult" => "ServerFail"
 138         },
 139     },
 140     {
 141         name => "ECDSA Signature Algorithm Selection",
 142         server => $server,
 143         client => {
 144             "SignatureAlgorithms" => "ECDSA+SHA256",
 145         },
 146         test   => {
 147             "ExpectedServerCertType" => "P-256",
 148             "ExpectedServerSignHash" => "SHA256",
 149             "ExpectedServerSignType" => "EC",
 150             "ExpectedResult" => "Success"
 151         },
 152     },
 153     {
 154         name => "ECDSA Signature Algorithm Selection SHA384",
 155         server => $server,
 156         client => {
 157             "SignatureAlgorithms" => "ECDSA+SHA384",
 158         },
 159         test   => {
 160             "ExpectedServerCertType" => "P-256",
 161             "ExpectedServerSignHash" => "SHA384",
 162             "ExpectedServerSignType" => "EC",
 163             "ExpectedResult" => "Success"
 164         },
 165     },
 166     {
 167         name => "ECDSA Signature Algorithm Selection SHA1",
 168         server => $server,
 169         client => {
 170             "SignatureAlgorithms" => "ECDSA+SHA1",
 171         },
 172         test   => {
 173             "ExpectedServerCertType" => "P-256",
 174             "ExpectedServerSignHash" => "SHA1",
 175             "ExpectedServerSignType" => "EC",
 176             "ExpectedResult" => "Success"
 177         },
 178     },
 179     {
 180         name => "ECDSA Signature Algorithm Selection compressed point",
 181         server => {
 182             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 183             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 184             "MaxProtocol" => "TLSv1.2"
 185         },
 186         client => {
 187             "SignatureAlgorithms" => "ECDSA+SHA256",
 188         },
 189         test   => {
 190             "ExpectedServerCertType" => "P-256",
 191             "ExpectedServerSignHash" => "SHA256",
 192             "ExpectedServerSignType" => "EC",
 193             "ExpectedResult" => "Success"
 194         },
 195     },
 196     {
 197         name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
 198         server => {
 199              "MaxProtocol" => "TLSv1.2"
 200         },
 201         client => {
 202             "SignatureAlgorithms" => "ECDSA+SHA256",
 203         },
 204         test   => {
 205             "ExpectedResult" => "ServerFail"
 206         },
 207     },
 208     {
 209         name => "RSA Signature Algorithm Selection",
 210         server => $server,
 211         client => {
 212             "SignatureAlgorithms" => "RSA+SHA256",
 213         },
 214         test   => {
 215             "ExpectedServerCertType" => "RSA",
 216             "ExpectedServerSignHash" => "SHA256",
 217             "ExpectedServerSignType" => "RSA",
 218             "ExpectedResult" => "Success"
 219         },
 220     },
 221     {
 222         name => "RSA-PSS Signature Algorithm Selection",
 223         server => $server,
 224         client => {
 225             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 226         },
 227         test   => {
 228             "ExpectedServerCertType" => "RSA",
 229             "ExpectedServerSignHash" => "SHA256",
 230             "ExpectedServerSignType" => "RSA-PSS",
 231             "ExpectedResult" => "Success"
 232         },
 233     },
 234     {
 235         name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
 236         server => $server_pss,
 237         client => {
 238             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 239         },
 240         test   => {
 241             "ExpectedServerCertType" => "RSA",
 242             "ExpectedServerSignHash" => "SHA256",
 243             "ExpectedServerSignType" => "RSA-PSS",
 244             "ExpectedResult" => "Success"
 245         },
 246     },
 247     {
 248         name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
 249         server => $server_pss,
 250         client => {
 251             "SignatureAlgorithms" => "rsa_pss_pss_sha256",
 252         },
 253         test   => {
 254             "ExpectedServerCertType" => "RSA-PSS",
 255             "ExpectedServerSignHash" => "SHA256",
 256             "ExpectedServerSignType" => "RSA-PSS",
 257             "ExpectedResult" => "Success"
 258         },
 259     },
 260     {
 261         name => "Only RSA-PSS Certificate",
 262         server => $server_pss_only,
 263         client => {},
 264         test   => {
 265             "ExpectedServerCertType" => "RSA-PSS",
 266             "ExpectedServerSignHash" => "SHA256",
 267             "ExpectedServerSignType" => "RSA-PSS",
 268             "ExpectedResult" => "Success"
 269         },
 270     },
 271     {
 272         name => "RSA-PSS Certificate, no PSS signature algorithms",
 273         server => $server_pss_only,
 274         client => {
 275             "SignatureAlgorithms" => "RSA+SHA256",
 276         },
 277         test   => {
 278             "ExpectedResult" => "ServerFail"
 279         },
 280     },
 281     {
 282         name => "Suite B P-256 Hash Algorithm Selection",
 283         server =>  {
 284             "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
 285             "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
 286             "MaxProtocol" => "TLSv1.2",
 287             "CipherString" => "SUITEB128"
 288         },
 289         client => {
 290             "VerifyCAFile" => test_pem("p384-root.pem"),
 291             "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
 292         },
 293         test   => {
 294             "ExpectedServerCertType" => "P-256",
 295             "ExpectedServerSignHash" => "SHA256",
 296             "ExpectedServerSignType" => "EC",
 297             "ExpectedResult" => "Success"
 298         },
 299     },
 300     {
 301         name => "Suite B P-384 Hash Algorithm Selection",
 302         server =>  {
 303             "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
 304             "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
 305             "MaxProtocol" => "TLSv1.2",
 306             "CipherString" => "SUITEB128"
 307         },
 308         client => {
 309             "VerifyCAFile" => test_pem("p384-root.pem"),
 310             "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
 311         },
 312         test   => {
 313             "ExpectedServerCertType" => "P-384",
 314             "ExpectedServerSignHash" => "SHA384",
 315             "ExpectedServerSignType" => "EC",
 316             "ExpectedResult" => "Success"
 317         },
 318     },
 319     {
 320         name => "TLS 1.2 Ed25519 Client Auth",
 321         server => {
 322             "VerifyCAFile" => test_pem("root-cert.pem"),
 323             "VerifyMode" => "Require"
 324         },
 325         client => {
 326             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 327             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 328             "MinProtocol" => "TLSv1.2",
 329             "MaxProtocol" => "TLSv1.2"
 330         },
 331         test   => {
 332             "ExpectedClientCertType" => "Ed25519",
 333             "ExpectedClientSignType" => "Ed25519",
 334             "ExpectedResult" => "Success"
 335         },
 336     },
 337 );
 338
 339 my @tests_tls_1_1 = (
 340     {
 341         name => "Only RSA-PSS Certificate, TLS v1.1",
 342         server => $server_pss_only,
 343         client => {
 344             "MaxProtocol" => "TLSv1.1",
 345         },
 346         test   => {
 347             "ExpectedResult" => "ServerFail"
 348         },
 349     },
 350 );
 351
 352 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
 353
 354 my $server_tls_1_3 = {
 355     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 356     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 357     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 358     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 359     "MinProtocol" => "TLSv1.3",
 360     "MaxProtocol" => "TLSv1.3"
 361 };
 362
 363 my $server_tls_1_3_pss = {
 364     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
 365     "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
 366     "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
 367     "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
 368     "EdDSA.Certificate" => test_pem("server-ed25519-cert.pem"),
 369     "EdDSA.PrivateKey" => test_pem("server-ed25519-key.pem"),
 370     "MinProtocol" => "TLSv1.3",
 371     "MaxProtocol" => "TLSv1.3"
 372 };
 373
 374 my $client_tls_1_3 = {
 375     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
 376     "RSA.PrivateKey" => test_pem("ee-key.pem"),
 377     "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
 378     "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
 379     "MinProtocol" => "TLSv1.3",
 380     "MaxProtocol" => "TLSv1.3"
 381 };
 382
 383 my @tests_tls_1_3 = (
 384     {
 385         name => "TLS 1.3 ECDSA Signature Algorithm Selection",
 386         server => $server_tls_1_3,
 387         client => {
 388             "SignatureAlgorithms" => "ECDSA+SHA256",
 389         },
 390         test   => {
 391             "ExpectedServerCertType" => "P-256",
 392             "ExpectedServerSignHash" => "SHA256",
 393             "ExpectedServerSignType" => "EC",
 394             "ExpectedServerCANames" => "empty",
 395             "ExpectedResult" => "Success"
 396         },
 397     },
 398     {
 399         name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
 400         server => {
 401             "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
 402             "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
 403             "MinProtocol" => "TLSv1.3",
 404             "MaxProtocol" => "TLSv1.3"
 405         },
 406         client => {
 407             "SignatureAlgorithms" => "ECDSA+SHA256",
 408         },
 409         test   => {
 410             "ExpectedResult" => "ServerFail"
 411         },
 412     },
 413     {
 414         name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
 415         server => $server_tls_1_3,
 416         client => {
 417             "SignatureAlgorithms" => "ECDSA+SHA1",
 418         },
 419         test   => {
 420             "ExpectedResult" => "ServerFail"
 421         },
 422     },
 423     {
 424         name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
 425         server => $server_tls_1_3,
 426         client => {
 427             "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
 428             "RequestCAFile" => test_pem("root-cert.pem"),
 429         },
 430         test   => {
 431             "ExpectedServerCertType" => "P-256",
 432             "ExpectedServerSignHash" => "SHA256",
 433             "ExpectedServerSignType" => "EC",
 434             "ExpectedServerCANames" => test_pem("root-cert.pem"),
 435             "ExpectedResult" => "Success"
 436         },
 437     },
 438     {
 439         name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
 440         server => $server_tls_1_3,
 441         client => {
 442             "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
 443         },
 444         test   => {
 445             "ExpectedServerCertType" => "RSA",
 446             "ExpectedServerSignHash" => "SHA384",
 447             "ExpectedServerSignType" => "RSA-PSS",
 448             "ExpectedResult" => "Success"
 449         },
 450     },
 451     {
 452         name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
 453         server => {
 454             "MinProtocol" => "TLSv1.3",
 455             "MaxProtocol" => "TLSv1.3"
 456         },
 457         client => {
 458             "SignatureAlgorithms" => "ECDSA+SHA256",
 459         },
 460         test   => {
 461             "ExpectedResult" => "ServerFail"
 462         },
 463     },
 464     {
 465         name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
 466         server => $server_tls_1_3,
 467         client => {
 468             "SignatureAlgorithms" => "RSA+SHA256",
 469         },
 470         test   => {
 471             "ExpectedResult" => "ServerFail"
 472         },
 473     },
 474     {
 475         name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
 476         server => $server_tls_1_3,
 477         client => {
 478             "SignatureAlgorithms" => "RSA-PSS+SHA256",
 479         },
 480         test   => {
 481             "ExpectedServerCertType" => "RSA",
 482             "ExpectedServerSignHash" => "SHA256",
 483             "ExpectedServerSignType" => "RSA-PSS",
 484             "ExpectedResult" => "Success"
 485         },
 486     },
 487     {
 488         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
 489         server => $server_tls_1_3,
 490         client => {
 491             "SignatureAlgorithms" => "ed25519",
 492         },
 493         test   => {
 494             "ExpectedServerCertType" => "Ed25519",
 495             "ExpectedServerSignType" => "Ed25519",
 496             "ExpectedResult" => "Success"
 497         },
 498     },
 499     {
 500         name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
 501         server => $server_tls_1_3,
 502         client => {
 503             "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
 504             # Excluding P-256 from the supported groups list should
 505             # mean server still uses a P-256 certificate because supported
 506             # groups is not used in signature selection for TLS 1.3
 507             "Groups" => "X25519"
 508         },
 509         test   => {
 510             "ExpectedServerCertType" =>, "P-256",
 511             "ExpectedServerSignType" =>, "EC",
 512             "ExpectedResult" => "Success"
 513         },
 514     },
 515     {
 516         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
 517         server => {
 518             "ClientSignatureAlgorithms" => "PSS+SHA256",
 519             "VerifyCAFile" => test_pem("root-cert.pem"),
 520             "VerifyMode" => "Require"
 521         },
 522         client => $client_tls_1_3,
 523         test   => {
 524             "ExpectedClientCertType" => "RSA",
 525             "ExpectedClientSignHash" => "SHA256",
 526             "ExpectedClientSignType" => "RSA-PSS",
 527             "ExpectedClientCANames" => "empty",
 528             "ExpectedResult" => "Success"
 529         },
 530     },
 531     {
 532         name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
 533         server => {
 534             "ClientSignatureAlgorithms" => "PSS+SHA256",
 535             "VerifyCAFile" => test_pem("root-cert.pem"),
 536             "RequestCAFile" => test_pem("root-cert.pem"),
 537             "VerifyMode" => "Require"
 538         },
 539         client => $client_tls_1_3,
 540         test   => {
 541             "ExpectedClientCertType" => "RSA",
 542             "ExpectedClientSignHash" => "SHA256",
 543             "ExpectedClientSignType" => "RSA-PSS",
 544             "ExpectedClientCANames" => test_pem("root-cert.pem"),
 545             "ExpectedResult" => "Success"
 546         },
 547     },
 548     {
 549         name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
 550         server => {
 551             "ClientSignatureAlgorithms" => "ECDSA+SHA256",
 552             "VerifyCAFile" => test_pem("root-cert.pem"),
 553             "VerifyMode" => "Require"
 554         },
 555         client => $client_tls_1_3,
 556         test   => {
 557             "ExpectedClientCertType" => "P-256",
 558             "ExpectedClientSignHash" => "SHA256",
 559             "ExpectedClientSignType" => "EC",
 560             "ExpectedResult" => "Success"
 561         },
 562     },
 563     {
 564         name => "TLS 1.3 Ed25519 Client Auth",
 565         server => {
 566             "VerifyCAFile" => test_pem("root-cert.pem"),
 567             "VerifyMode" => "Require"
 568         },
 569         client => {
 570             "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
 571             "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
 572             "MinProtocol" => "TLSv1.3",
 573             "MaxProtocol" => "TLSv1.3"
 574         },
 575         test   => {
 576             "ExpectedClientCertType" => "Ed25519",
 577             "ExpectedClientSignType" => "Ed25519",
 578             "ExpectedResult" => "Success"
 579         },
 580     },
 581 );
 582
 583 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
 584
 585 my @tests_dsa_tls_1_2 = (
 586     {
 587         name => "TLS 1.2 DSA Certificate Test",
 588         server => {
 589             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 590             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 591             "DHParameters" => test_pem("dhp2048.pem"),
 592             "MinProtocol" => "TLSv1.2",
 593             "MaxProtocol" => "TLSv1.2",
 594             "CipherString" => "ALL",
 595         },
 596         client => {
 597             "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
 598             "CipherString" => "ALL",
 599         },
 600         test   => {
 601             "ExpectedResult" => "Success"
 602         },
 603     },
 604 );
 605
 606 my @tests_dsa_tls_1_3 = (
 607     {
 608         name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
 609         server => {
 610             "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
 611             "VerifyCAFile" => test_pem("root-cert.pem"),
 612             "VerifyMode" => "Request"
 613         },
 614         client => {},
 615         test   => {
 616             "ExpectedResult" => "ServerFail"
 617         },
 618     },
 619     {
 620         name => "TLS 1.3 DSA Certificate Test",
 621         server => {
 622             "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
 623             "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
 624             "MinProtocol" => "TLSv1.3",
 625             "MaxProtocol" => "TLSv1.3",
 626             "CipherString" => "ALL",
 627         },
 628         client => {
 629             "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
 630             "CipherString" => "ALL",
 631         },
 632         test   => {
 633             "ExpectedResult" => "ServerFail"
 634         },
 635     },
 636 );
 637
 638 if (!disabled("dsa")) {
 639     push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
 640     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 641 }