else
cert="$2"
fi
-ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -s_key $key -s_cert $cert -c_key $key -c_cert $cert"
if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
#############################################################################
-echo test sslv2
-$ssltest -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
- echo test sslv2 with client authentication
- $ssltest -ssl2 -client_auth $CA $extra || exit 1
-
- echo test sslv2 with both client and server authentication
- $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
echo test sslv3
$ssltest -ssl3 $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1
-echo test sslv2 via BIO pair
-$ssltest -bio_pair -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication via BIO pair
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
- echo test sslv2 with client authentication via BIO pair
- $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
-
- echo test sslv2 with both client and server authentication via BIO pair
- $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
echo test sslv3 via BIO pair
$ssltest -bio_pair -ssl3 $extra || exit 1
echo test sslv2/sslv3 via BIO pair
$ssltest $extra || exit 1
+echo test dtlsv1
+$ssltest -dtls1 $extra || exit 1
+
+echo test dtlsv1 with server authentication
+$ssltest -dtls1 -server_auth $CA $extra || exit 1
+
+echo test dtlsv1 with client authentication
+$ssltest -dtls1 -client_auth $CA $extra || exit 1
+
+echo test dtlsv1 with both client and server authentication
+$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+
+echo test dtlsv1.2
+$ssltest -dtls12 $extra || exit 1
+
+echo test dtlsv1.2 with server authentication
+$ssltest -dtls12 -server_auth $CA $extra || exit 1
+
+echo test dtlsv1.2 with client authentication
+$ssltest -dtls12 -client_auth $CA $extra || exit 1
+
+echo test dtlsv1.2 with both client and server authentication
+$ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
+
if [ $dsa_cert = NO ]; then
echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
$ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
-echo "Testing ciphersuites"
-for protocol in TLSv1.2 SSLv3; do
- echo "Testing ciphersuites for $protocol"
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
- echo "Testing $cipher"
+test_cipher() {
+ _cipher=$1
+ echo "Testing $_cipher"
prot=""
- if [ $protocol = "SSLv3" ] ; then
+ if [ $2 = "SSLv3" ] ; then
prot="-ssl3"
fi
- $ssltest -cipher $cipher $prot
+ _exarg=$3
+ $ssltest $_exarg -cipher $_cipher $prot
if [ $? -ne 0 ] ; then
- echo "Failed $cipher"
+ echo "Failed $_cipher"
exit 1
fi
+}
+
+echo "Testing ciphersuites"
+exkeys=""
+ciphers="-EXP:-PSK:-SRP:-kDH:-kECDHe"
+if ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then
+ echo "skipping DHE tests"
+ ciphers="$ciphers:-kDHE"
+fi
+if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then
+ echo "skipping DSA tests"
+ ciphers="$ciphers:-aDSA"
+else
+ exkeys="$exkeys -s_cert certD.ss -s_key keyD.ss"
+fi
+
+if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then
+ echo "skipping EC tests"
+ ciphers="$ciphers:!aECDSA:!kECDH"
+else
+ exkeys="$exkeys -s_cert certE.ss -s_key keyE.ss"
+fi
+
+for protocol in TLSv1.2 SSLv3; do
+ echo "Testing ciphersuites for $protocol"
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "$protocol:$ciphers" | tr ':' ' '`; do
+ test_cipher $cipher $protocol "$exkeys"
done
+ echo "testing connection with weak DH, expecting failure"
+ if [ $protocol = "SSLv3" ] ; then
+ $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3
+ else
+ $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512
+ fi
+ if [ $? -eq 0 ]; then
+ echo "FAIL: connection with weak DH succeeded"
+ exit 1
+ fi
done
#############################################################################
-if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
echo skipping anonymous DH tests
else
echo test tls1 with 1024bit anonymous DH, multiple handshakes
echo skipping RSA tests
else
echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
- ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
- if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+ if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi
$ssltest -bio_pair -tls1 -custom_ext -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1
+#############################################################################
+# ALPN tests
+
+$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo -alpn_expected foo || exit 1
+$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo -alpn_expected foo || exit 1
+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo -alpn_expected foo || exit 1
+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar -alpn_expected foo || exit 1
+$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expected bar || exit 1
+$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1
+$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+
if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
echo skipping SRP tests
else
echo test tls1 with SRP
- $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
echo test tls1 with SRP via BIO pair
- $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
+
+ echo test tls1 with SRP auth
+ $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
+
+ echo test tls1 with SRP auth via BIO pair
+ $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
+fi
+
+#############################################################################
+# Multi-buffer tests
+
+if [ -z "$extra" -a `uname -m` = "x86_64" ]; then
+ $ssltest -cipher AES128-SHA -bytes 8m || exit 1
+ $ssltest -cipher AES128-SHA256 -bytes 8m || exit 1
fi
exit 0