Add Client CA names tests
authorDr. Stephen Henson <steve@openssl.org>
Wed, 15 Mar 2017 17:26:05 +0000 (17:26 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 16 Mar 2017 18:07:19 +0000 (18:07 +0000)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)

test/ssl-tests/04-client_auth.conf
test/ssl-tests/04-client_auth.conf.in
test/ssl-tests/20-cert-select.conf.in

index ef65d71..5696394 100644 (file)
@@ -1,37 +1,43 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 30
+num_tests = 36
 
 test-0 = 0-server-auth-flex
 test-1 = 1-client-auth-flex-request
 test-2 = 2-client-auth-flex-require-fail
 test-3 = 3-client-auth-flex-require
-test-4 = 4-client-auth-flex-noroot
-test-5 = 5-server-auth-TLSv1
-test-6 = 6-client-auth-TLSv1-request
-test-7 = 7-client-auth-TLSv1-require-fail
-test-8 = 8-client-auth-TLSv1-require
-test-9 = 9-client-auth-TLSv1-noroot
-test-10 = 10-server-auth-TLSv1.1
-test-11 = 11-client-auth-TLSv1.1-request
-test-12 = 12-client-auth-TLSv1.1-require-fail
-test-13 = 13-client-auth-TLSv1.1-require
-test-14 = 14-client-auth-TLSv1.1-noroot
-test-15 = 15-server-auth-TLSv1.2
-test-16 = 16-client-auth-TLSv1.2-request
-test-17 = 17-client-auth-TLSv1.2-require-fail
-test-18 = 18-client-auth-TLSv1.2-require
-test-19 = 19-client-auth-TLSv1.2-noroot
-test-20 = 20-server-auth-DTLSv1
-test-21 = 21-client-auth-DTLSv1-request
-test-22 = 22-client-auth-DTLSv1-require-fail
-test-23 = 23-client-auth-DTLSv1-require
-test-24 = 24-client-auth-DTLSv1-noroot
-test-25 = 25-server-auth-DTLSv1.2
-test-26 = 26-client-auth-DTLSv1.2-request
-test-27 = 27-client-auth-DTLSv1.2-require-fail
-test-28 = 28-client-auth-DTLSv1.2-require
-test-29 = 29-client-auth-DTLSv1.2-noroot
+test-4 = 4-client-auth-flex-require-non-empty-names
+test-5 = 5-client-auth-flex-noroot
+test-6 = 6-server-auth-TLSv1
+test-7 = 7-client-auth-TLSv1-request
+test-8 = 8-client-auth-TLSv1-require-fail
+test-9 = 9-client-auth-TLSv1-require
+test-10 = 10-client-auth-TLSv1-require-non-empty-names
+test-11 = 11-client-auth-TLSv1-noroot
+test-12 = 12-server-auth-TLSv1.1
+test-13 = 13-client-auth-TLSv1.1-request
+test-14 = 14-client-auth-TLSv1.1-require-fail
+test-15 = 15-client-auth-TLSv1.1-require
+test-16 = 16-client-auth-TLSv1.1-require-non-empty-names
+test-17 = 17-client-auth-TLSv1.1-noroot
+test-18 = 18-server-auth-TLSv1.2
+test-19 = 19-client-auth-TLSv1.2-request
+test-20 = 20-client-auth-TLSv1.2-require-fail
+test-21 = 21-client-auth-TLSv1.2-require
+test-22 = 22-client-auth-TLSv1.2-require-non-empty-names
+test-23 = 23-client-auth-TLSv1.2-noroot
+test-24 = 24-server-auth-DTLSv1
+test-25 = 25-client-auth-DTLSv1-request
+test-26 = 26-client-auth-DTLSv1-require-fail
+test-27 = 27-client-auth-DTLSv1-require
+test-28 = 28-client-auth-DTLSv1-require-non-empty-names
+test-29 = 29-client-auth-DTLSv1-noroot
+test-30 = 30-server-auth-DTLSv1.2
+test-31 = 31-client-auth-DTLSv1.2-request
+test-32 = 32-client-auth-DTLSv1.2-require-fail
+test-33 = 33-client-auth-DTLSv1.2-require
+test-34 = 34-client-auth-DTLSv1.2-require-non-empty-names
+test-35 = 35-client-auth-DTLSv1.2-noroot
 # ===========================================================
 
 [0-server-auth-flex]
@@ -129,26 +135,29 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[4-client-auth-flex-noroot]
-ssl_conf = 4-client-auth-flex-noroot-ssl
+[4-client-auth-flex-require-non-empty-names]
+ssl_conf = 4-client-auth-flex-require-non-empty-names-ssl
 
-[4-client-auth-flex-noroot-ssl]
-server = 4-client-auth-flex-noroot-server
-client = 4-client-auth-flex-noroot-client
+[4-client-auth-flex-require-non-empty-names-ssl]
+server = 4-client-auth-flex-require-non-empty-names-server
+client = 4-client-auth-flex-require-non-empty-names-client
 
-[4-client-auth-flex-noroot-server]
+[4-client-auth-flex-require-non-empty-names-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyMode = Require
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
 
-[4-client-auth-flex-noroot-client]
+[4-client-auth-flex-require-non-empty-names-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@@ -156,47 +165,75 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-4]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[5-client-auth-flex-noroot]
+ssl_conf = 5-client-auth-flex-noroot-ssl
+
+[5-client-auth-flex-noroot-ssl]
+server = 5-client-auth-flex-noroot-server
+client = 5-client-auth-flex-noroot-client
+
+[5-client-auth-flex-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+[5-client-auth-flex-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 
 
 # ===========================================================
 
-[5-server-auth-TLSv1]
-ssl_conf = 5-server-auth-TLSv1-ssl
+[6-server-auth-TLSv1]
+ssl_conf = 6-server-auth-TLSv1-ssl
 
-[5-server-auth-TLSv1-ssl]
-server = 5-server-auth-TLSv1-server
-client = 5-server-auth-TLSv1-client
+[6-server-auth-TLSv1-ssl]
+server = 6-server-auth-TLSv1-server
+client = 6-server-auth-TLSv1-client
 
-[5-server-auth-TLSv1-server]
+[6-server-auth-TLSv1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
 MinProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[5-server-auth-TLSv1-client]
+[6-server-auth-TLSv1-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1
 MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-5]
+[test-6]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[6-client-auth-TLSv1-request]
-ssl_conf = 6-client-auth-TLSv1-request-ssl
+[7-client-auth-TLSv1-request]
+ssl_conf = 7-client-auth-TLSv1-request-ssl
 
-[6-client-auth-TLSv1-request-ssl]
-server = 6-client-auth-TLSv1-request-server
-client = 6-client-auth-TLSv1-request-client
+[7-client-auth-TLSv1-request-ssl]
+server = 7-client-auth-TLSv1-request-server
+client = 7-client-auth-TLSv1-request-client
 
-[6-client-auth-TLSv1-request-server]
+[7-client-auth-TLSv1-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -204,27 +241,27 @@ MinProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[6-client-auth-TLSv1-request-client]
+[7-client-auth-TLSv1-request-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1
 MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-6]
+[test-7]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[7-client-auth-TLSv1-require-fail]
-ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
+[8-client-auth-TLSv1-require-fail]
+ssl_conf = 8-client-auth-TLSv1-require-fail-ssl
 
-[7-client-auth-TLSv1-require-fail-ssl]
-server = 7-client-auth-TLSv1-require-fail-server
-client = 7-client-auth-TLSv1-require-fail-client
+[8-client-auth-TLSv1-require-fail-ssl]
+server = 8-client-auth-TLSv1-require-fail-server
+client = 8-client-auth-TLSv1-require-fail-client
 
-[7-client-auth-TLSv1-require-fail-server]
+[8-client-auth-TLSv1-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -233,28 +270,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[7-client-auth-TLSv1-require-fail-client]
+[8-client-auth-TLSv1-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1
 MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-7]
+[test-8]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 
 
 # ===========================================================
 
-[8-client-auth-TLSv1-require]
-ssl_conf = 8-client-auth-TLSv1-require-ssl
+[9-client-auth-TLSv1-require]
+ssl_conf = 9-client-auth-TLSv1-require-ssl
 
-[8-client-auth-TLSv1-require-ssl]
-server = 8-client-auth-TLSv1-require-server
-client = 8-client-auth-TLSv1-require-client
+[9-client-auth-TLSv1-require-ssl]
+server = 9-client-auth-TLSv1-require-server
+client = 9-client-auth-TLSv1-require-client
 
-[8-client-auth-TLSv1-require-server]
+[9-client-auth-TLSv1-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -263,7 +300,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[8-client-auth-TLSv1-require-client]
+[9-client-auth-TLSv1-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -272,21 +309,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-8]
+[test-9]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[9-client-auth-TLSv1-noroot]
-ssl_conf = 9-client-auth-TLSv1-noroot-ssl
+[10-client-auth-TLSv1-require-non-empty-names]
+ssl_conf = 10-client-auth-TLSv1-require-non-empty-names-ssl
 
-[9-client-auth-TLSv1-noroot-ssl]
-server = 9-client-auth-TLSv1-noroot-server
-client = 9-client-auth-TLSv1-noroot-client
+[10-client-auth-TLSv1-require-non-empty-names-ssl]
+server = 10-client-auth-TLSv1-require-non-empty-names-server
+client = 10-client-auth-TLSv1-require-non-empty-names-client
 
-[9-client-auth-TLSv1-noroot-server]
+[10-client-auth-TLSv1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[10-client-auth-TLSv1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-10]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[11-client-auth-TLSv1-noroot]
+ssl_conf = 11-client-auth-TLSv1-noroot-ssl
+
+[11-client-auth-TLSv1-noroot-ssl]
+server = 11-client-auth-TLSv1-noroot-server
+client = 11-client-auth-TLSv1-noroot-client
+
+[11-client-auth-TLSv1-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -294,7 +366,7 @@ MinProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[9-client-auth-TLSv1-noroot-client]
+[11-client-auth-TLSv1-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1
@@ -303,48 +375,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-9]
+[test-11]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 
 
 # ===========================================================
 
-[10-server-auth-TLSv1.1]
-ssl_conf = 10-server-auth-TLSv1.1-ssl
+[12-server-auth-TLSv1.1]
+ssl_conf = 12-server-auth-TLSv1.1-ssl
 
-[10-server-auth-TLSv1.1-ssl]
-server = 10-server-auth-TLSv1.1-server
-client = 10-server-auth-TLSv1.1-client
+[12-server-auth-TLSv1.1-ssl]
+server = 12-server-auth-TLSv1.1-server
+client = 12-server-auth-TLSv1.1-client
 
-[10-server-auth-TLSv1.1-server]
+[12-server-auth-TLSv1.1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
 MinProtocol = TLSv1.1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-server-auth-TLSv1.1-client]
+[12-server-auth-TLSv1.1-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
 MinProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-10]
+[test-12]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[11-client-auth-TLSv1.1-request]
-ssl_conf = 11-client-auth-TLSv1.1-request-ssl
+[13-client-auth-TLSv1.1-request]
+ssl_conf = 13-client-auth-TLSv1.1-request-ssl
 
-[11-client-auth-TLSv1.1-request-ssl]
-server = 11-client-auth-TLSv1.1-request-server
-client = 11-client-auth-TLSv1.1-request-client
+[13-client-auth-TLSv1.1-request-ssl]
+server = 13-client-auth-TLSv1.1-request-server
+client = 13-client-auth-TLSv1.1-request-client
 
-[11-client-auth-TLSv1.1-request-server]
+[13-client-auth-TLSv1.1-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -352,27 +424,27 @@ MinProtocol = TLSv1.1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[11-client-auth-TLSv1.1-request-client]
+[13-client-auth-TLSv1.1-request-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
 MinProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-11]
+[test-13]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[12-client-auth-TLSv1.1-require-fail]
-ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
+[14-client-auth-TLSv1.1-require-fail]
+ssl_conf = 14-client-auth-TLSv1.1-require-fail-ssl
 
-[12-client-auth-TLSv1.1-require-fail-ssl]
-server = 12-client-auth-TLSv1.1-require-fail-server
-client = 12-client-auth-TLSv1.1-require-fail-client
+[14-client-auth-TLSv1.1-require-fail-ssl]
+server = 14-client-auth-TLSv1.1-require-fail-server
+client = 14-client-auth-TLSv1.1-require-fail-client
 
-[12-client-auth-TLSv1.1-require-fail-server]
+[14-client-auth-TLSv1.1-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -381,28 +453,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[12-client-auth-TLSv1.1-require-fail-client]
+[14-client-auth-TLSv1.1-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
 MinProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-12]
+[test-14]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 
 
 # ===========================================================
 
-[13-client-auth-TLSv1.1-require]
-ssl_conf = 13-client-auth-TLSv1.1-require-ssl
+[15-client-auth-TLSv1.1-require]
+ssl_conf = 15-client-auth-TLSv1.1-require-ssl
 
-[13-client-auth-TLSv1.1-require-ssl]
-server = 13-client-auth-TLSv1.1-require-server
-client = 13-client-auth-TLSv1.1-require-client
+[15-client-auth-TLSv1.1-require-ssl]
+server = 15-client-auth-TLSv1.1-require-server
+client = 15-client-auth-TLSv1.1-require-client
 
-[13-client-auth-TLSv1.1-require-server]
+[15-client-auth-TLSv1.1-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -411,7 +483,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[13-client-auth-TLSv1.1-require-client]
+[15-client-auth-TLSv1.1-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -420,21 +492,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-13]
+[test-15]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[14-client-auth-TLSv1.1-noroot]
-ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
+[16-client-auth-TLSv1.1-require-non-empty-names]
+ssl_conf = 16-client-auth-TLSv1.1-require-non-empty-names-ssl
 
-[14-client-auth-TLSv1.1-noroot-ssl]
-server = 14-client-auth-TLSv1.1-noroot-server
-client = 14-client-auth-TLSv1.1-noroot-client
+[16-client-auth-TLSv1.1-require-non-empty-names-ssl]
+server = 16-client-auth-TLSv1.1-require-non-empty-names-server
+client = 16-client-auth-TLSv1.1-require-non-empty-names-client
 
-[14-client-auth-TLSv1.1-noroot-server]
+[16-client-auth-TLSv1.1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[16-client-auth-TLSv1.1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[17-client-auth-TLSv1.1-noroot]
+ssl_conf = 17-client-auth-TLSv1.1-noroot-ssl
+
+[17-client-auth-TLSv1.1-noroot-ssl]
+server = 17-client-auth-TLSv1.1-noroot-server
+client = 17-client-auth-TLSv1.1-noroot-client
+
+[17-client-auth-TLSv1.1-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -442,7 +549,7 @@ MinProtocol = TLSv1.1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[14-client-auth-TLSv1.1-noroot-client]
+[17-client-auth-TLSv1.1-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
@@ -451,48 +558,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-14]
+[test-17]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 
 
 # ===========================================================
 
-[15-server-auth-TLSv1.2]
-ssl_conf = 15-server-auth-TLSv1.2-ssl
+[18-server-auth-TLSv1.2]
+ssl_conf = 18-server-auth-TLSv1.2-ssl
 
-[15-server-auth-TLSv1.2-ssl]
-server = 15-server-auth-TLSv1.2-server
-client = 15-server-auth-TLSv1.2-client
+[18-server-auth-TLSv1.2-ssl]
+server = 18-server-auth-TLSv1.2-server
+client = 18-server-auth-TLSv1.2-client
 
-[15-server-auth-TLSv1.2-server]
+[18-server-auth-TLSv1.2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-server-auth-TLSv1.2-client]
+[18-server-auth-TLSv1.2-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-15]
+[test-18]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[16-client-auth-TLSv1.2-request]
-ssl_conf = 16-client-auth-TLSv1.2-request-ssl
+[19-client-auth-TLSv1.2-request]
+ssl_conf = 19-client-auth-TLSv1.2-request-ssl
 
-[16-client-auth-TLSv1.2-request-ssl]
-server = 16-client-auth-TLSv1.2-request-server
-client = 16-client-auth-TLSv1.2-request-client
+[19-client-auth-TLSv1.2-request-ssl]
+server = 19-client-auth-TLSv1.2-request-server
+client = 19-client-auth-TLSv1.2-request-client
 
-[16-client-auth-TLSv1.2-request-server]
+[19-client-auth-TLSv1.2-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -500,27 +607,27 @@ MinProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[16-client-auth-TLSv1.2-request-client]
+[19-client-auth-TLSv1.2-request-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-16]
+[test-19]
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[17-client-auth-TLSv1.2-require-fail]
-ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
+[20-client-auth-TLSv1.2-require-fail]
+ssl_conf = 20-client-auth-TLSv1.2-require-fail-ssl
 
-[17-client-auth-TLSv1.2-require-fail-ssl]
-server = 17-client-auth-TLSv1.2-require-fail-server
-client = 17-client-auth-TLSv1.2-require-fail-client
+[20-client-auth-TLSv1.2-require-fail-ssl]
+server = 20-client-auth-TLSv1.2-require-fail-server
+client = 20-client-auth-TLSv1.2-require-fail-client
 
-[17-client-auth-TLSv1.2-require-fail-server]
+[20-client-auth-TLSv1.2-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -529,28 +636,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[17-client-auth-TLSv1.2-require-fail-client]
+[20-client-auth-TLSv1.2-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-17]
+[test-20]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 
 
 # ===========================================================
 
-[18-client-auth-TLSv1.2-require]
-ssl_conf = 18-client-auth-TLSv1.2-require-ssl
+[21-client-auth-TLSv1.2-require]
+ssl_conf = 21-client-auth-TLSv1.2-require-ssl
 
-[18-client-auth-TLSv1.2-require-ssl]
-server = 18-client-auth-TLSv1.2-require-server
-client = 18-client-auth-TLSv1.2-require-client
+[21-client-auth-TLSv1.2-require-ssl]
+server = 21-client-auth-TLSv1.2-require-server
+client = 21-client-auth-TLSv1.2-require-client
 
-[18-client-auth-TLSv1.2-require-server]
+[21-client-auth-TLSv1.2-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ClientSignatureAlgorithms = SHA256+RSA
@@ -560,7 +667,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[18-client-auth-TLSv1.2-require-client]
+[21-client-auth-TLSv1.2-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -569,7 +676,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-18]
+[test-21]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedClientSignHash = SHA256
 ExpectedClientSignType = RSA
@@ -578,14 +686,51 @@ ExpectedResult = Success
 
 # ===========================================================
 
-[19-client-auth-TLSv1.2-noroot]
-ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
+[22-client-auth-TLSv1.2-require-non-empty-names]
+ssl_conf = 22-client-auth-TLSv1.2-require-non-empty-names-ssl
 
-[19-client-auth-TLSv1.2-noroot-ssl]
-server = 19-client-auth-TLSv1.2-noroot-server
-client = 19-client-auth-TLSv1.2-noroot-client
+[22-client-auth-TLSv1.2-require-non-empty-names-ssl]
+server = 22-client-auth-TLSv1.2-require-non-empty-names-server
+client = 22-client-auth-TLSv1.2-require-non-empty-names-client
 
-[19-client-auth-TLSv1.2-noroot-server]
+[22-client-auth-TLSv1.2-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ClientSignatureAlgorithms = SHA256+RSA
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[22-client-auth-TLSv1.2-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[23-client-auth-TLSv1.2-noroot]
+ssl_conf = 23-client-auth-TLSv1.2-noroot-ssl
+
+[23-client-auth-TLSv1.2-noroot-ssl]
+server = 23-client-auth-TLSv1.2-noroot-server
+client = 23-client-auth-TLSv1.2-noroot-client
+
+[23-client-auth-TLSv1.2-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -593,7 +738,7 @@ MinProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[19-client-auth-TLSv1.2-noroot-client]
+[23-client-auth-TLSv1.2-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -602,49 +747,49 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-19]
+[test-23]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 
 
 # ===========================================================
 
-[20-server-auth-DTLSv1]
-ssl_conf = 20-server-auth-DTLSv1-ssl
+[24-server-auth-DTLSv1]
+ssl_conf = 24-server-auth-DTLSv1-ssl
 
-[20-server-auth-DTLSv1-ssl]
-server = 20-server-auth-DTLSv1-server
-client = 20-server-auth-DTLSv1-client
+[24-server-auth-DTLSv1-ssl]
+server = 24-server-auth-DTLSv1-server
+client = 24-server-auth-DTLSv1-client
 
-[20-server-auth-DTLSv1-server]
+[24-server-auth-DTLSv1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
 MinProtocol = DTLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-server-auth-DTLSv1-client]
+[24-server-auth-DTLSv1-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
 MinProtocol = DTLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-20]
+[test-24]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[21-client-auth-DTLSv1-request]
-ssl_conf = 21-client-auth-DTLSv1-request-ssl
+[25-client-auth-DTLSv1-request]
+ssl_conf = 25-client-auth-DTLSv1-request-ssl
 
-[21-client-auth-DTLSv1-request-ssl]
-server = 21-client-auth-DTLSv1-request-server
-client = 21-client-auth-DTLSv1-request-client
+[25-client-auth-DTLSv1-request-ssl]
+server = 25-client-auth-DTLSv1-request-server
+client = 25-client-auth-DTLSv1-request-client
 
-[21-client-auth-DTLSv1-request-server]
+[25-client-auth-DTLSv1-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -652,28 +797,28 @@ MinProtocol = DTLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[21-client-auth-DTLSv1-request-client]
+[25-client-auth-DTLSv1-request-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
 MinProtocol = DTLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-21]
+[test-25]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[22-client-auth-DTLSv1-require-fail]
-ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl
+[26-client-auth-DTLSv1-require-fail]
+ssl_conf = 26-client-auth-DTLSv1-require-fail-ssl
 
-[22-client-auth-DTLSv1-require-fail-ssl]
-server = 22-client-auth-DTLSv1-require-fail-server
-client = 22-client-auth-DTLSv1-require-fail-client
+[26-client-auth-DTLSv1-require-fail-ssl]
+server = 26-client-auth-DTLSv1-require-fail-server
+client = 26-client-auth-DTLSv1-require-fail-client
 
-[22-client-auth-DTLSv1-require-fail-server]
+[26-client-auth-DTLSv1-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -682,14 +827,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[22-client-auth-DTLSv1-require-fail-client]
+[26-client-auth-DTLSv1-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
 MinProtocol = DTLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-22]
+[test-26]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 Method = DTLS
@@ -697,14 +842,14 @@ Method = DTLS
 
 # ===========================================================
 
-[23-client-auth-DTLSv1-require]
-ssl_conf = 23-client-auth-DTLSv1-require-ssl
+[27-client-auth-DTLSv1-require]
+ssl_conf = 27-client-auth-DTLSv1-require-ssl
 
-[23-client-auth-DTLSv1-require-ssl]
-server = 23-client-auth-DTLSv1-require-server
-client = 23-client-auth-DTLSv1-require-client
+[27-client-auth-DTLSv1-require-ssl]
+server = 27-client-auth-DTLSv1-require-server
+client = 27-client-auth-DTLSv1-require-client
 
-[23-client-auth-DTLSv1-require-server]
+[27-client-auth-DTLSv1-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -713,7 +858,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[23-client-auth-DTLSv1-require-client]
+[27-client-auth-DTLSv1-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -722,7 +867,43 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-23]
+[test-27]
+ExpectedClientCANames = empty
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[28-client-auth-DTLSv1-require-non-empty-names]
+ssl_conf = 28-client-auth-DTLSv1-require-non-empty-names-ssl
+
+[28-client-auth-DTLSv1-require-non-empty-names-ssl]
+server = 28-client-auth-DTLSv1-require-non-empty-names-server
+client = 28-client-auth-DTLSv1-require-non-empty-names-client
+
+[28-client-auth-DTLSv1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[28-client-auth-DTLSv1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-28]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 Method = DTLS
@@ -730,14 +911,14 @@ Method = DTLS
 
 # ===========================================================
 
-[24-client-auth-DTLSv1-noroot]
-ssl_conf = 24-client-auth-DTLSv1-noroot-ssl
+[29-client-auth-DTLSv1-noroot]
+ssl_conf = 29-client-auth-DTLSv1-noroot-ssl
 
-[24-client-auth-DTLSv1-noroot-ssl]
-server = 24-client-auth-DTLSv1-noroot-server
-client = 24-client-auth-DTLSv1-noroot-client
+[29-client-auth-DTLSv1-noroot-ssl]
+server = 29-client-auth-DTLSv1-noroot-server
+client = 29-client-auth-DTLSv1-noroot-client
 
-[24-client-auth-DTLSv1-noroot-server]
+[29-client-auth-DTLSv1-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -745,7 +926,7 @@ MinProtocol = DTLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[24-client-auth-DTLSv1-noroot-client]
+[29-client-auth-DTLSv1-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1
@@ -754,7 +935,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-24]
+[test-29]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 Method = DTLS
@@ -762,42 +943,42 @@ Method = DTLS
 
 # ===========================================================
 
-[25-server-auth-DTLSv1.2]
-ssl_conf = 25-server-auth-DTLSv1.2-ssl
+[30-server-auth-DTLSv1.2]
+ssl_conf = 30-server-auth-DTLSv1.2-ssl
 
-[25-server-auth-DTLSv1.2-ssl]
-server = 25-server-auth-DTLSv1.2-server
-client = 25-server-auth-DTLSv1.2-client
+[30-server-auth-DTLSv1.2-ssl]
+server = 30-server-auth-DTLSv1.2-server
+client = 30-server-auth-DTLSv1.2-client
 
-[25-server-auth-DTLSv1.2-server]
+[30-server-auth-DTLSv1.2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-server-auth-DTLSv1.2-client]
+[30-server-auth-DTLSv1.2-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-25]
+[test-30]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[26-client-auth-DTLSv1.2-request]
-ssl_conf = 26-client-auth-DTLSv1.2-request-ssl
+[31-client-auth-DTLSv1.2-request]
+ssl_conf = 31-client-auth-DTLSv1.2-request-ssl
 
-[26-client-auth-DTLSv1.2-request-ssl]
-server = 26-client-auth-DTLSv1.2-request-server
-client = 26-client-auth-DTLSv1.2-request-client
+[31-client-auth-DTLSv1.2-request-ssl]
+server = 31-client-auth-DTLSv1.2-request-server
+client = 31-client-auth-DTLSv1.2-request-client
 
-[26-client-auth-DTLSv1.2-request-server]
+[31-client-auth-DTLSv1.2-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -805,28 +986,28 @@ MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[26-client-auth-DTLSv1.2-request-client]
+[31-client-auth-DTLSv1.2-request-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-26]
+[test-31]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[27-client-auth-DTLSv1.2-require-fail]
-ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl
+[32-client-auth-DTLSv1.2-require-fail]
+ssl_conf = 32-client-auth-DTLSv1.2-require-fail-ssl
 
-[27-client-auth-DTLSv1.2-require-fail-ssl]
-server = 27-client-auth-DTLSv1.2-require-fail-server
-client = 27-client-auth-DTLSv1.2-require-fail-client
+[32-client-auth-DTLSv1.2-require-fail-ssl]
+server = 32-client-auth-DTLSv1.2-require-fail-server
+client = 32-client-auth-DTLSv1.2-require-fail-client
 
-[27-client-auth-DTLSv1.2-require-fail-server]
+[32-client-auth-DTLSv1.2-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -835,14 +1016,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[27-client-auth-DTLSv1.2-require-fail-client]
+[32-client-auth-DTLSv1.2-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-27]
+[test-32]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 Method = DTLS
@@ -850,14 +1031,14 @@ Method = DTLS
 
 # ===========================================================
 
-[28-client-auth-DTLSv1.2-require]
-ssl_conf = 28-client-auth-DTLSv1.2-require-ssl
+[33-client-auth-DTLSv1.2-require]
+ssl_conf = 33-client-auth-DTLSv1.2-require-ssl
 
-[28-client-auth-DTLSv1.2-require-ssl]
-server = 28-client-auth-DTLSv1.2-require-server
-client = 28-client-auth-DTLSv1.2-require-client
+[33-client-auth-DTLSv1.2-require-ssl]
+server = 33-client-auth-DTLSv1.2-require-server
+client = 33-client-auth-DTLSv1.2-require-client
 
-[28-client-auth-DTLSv1.2-require-server]
+[33-client-auth-DTLSv1.2-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -866,7 +1047,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[28-client-auth-DTLSv1.2-require-client]
+[33-client-auth-DTLSv1.2-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -875,7 +1056,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-28]
+[test-33]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 Method = DTLS
@@ -883,14 +1065,49 @@ Method = DTLS
 
 # ===========================================================
 
-[29-client-auth-DTLSv1.2-noroot]
-ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl
+[34-client-auth-DTLSv1.2-require-non-empty-names]
+ssl_conf = 34-client-auth-DTLSv1.2-require-non-empty-names-ssl
 
-[29-client-auth-DTLSv1.2-noroot-ssl]
-server = 29-client-auth-DTLSv1.2-noroot-server
-client = 29-client-auth-DTLSv1.2-noroot-client
+[34-client-auth-DTLSv1.2-require-non-empty-names-ssl]
+server = 34-client-auth-DTLSv1.2-require-non-empty-names-server
+client = 34-client-auth-DTLSv1.2-require-non-empty-names-client
 
-[29-client-auth-DTLSv1.2-noroot-server]
+[34-client-auth-DTLSv1.2-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[34-client-auth-DTLSv1.2-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-34]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[35-client-auth-DTLSv1.2-noroot]
+ssl_conf = 35-client-auth-DTLSv1.2-noroot-ssl
+
+[35-client-auth-DTLSv1.2-noroot-ssl]
+server = 35-client-auth-DTLSv1.2-noroot-server
+client = 35-client-auth-DTLSv1.2-noroot-client
+
+[35-client-auth-DTLSv1.2-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -898,7 +1115,7 @@ MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[29-client-auth-DTLSv1.2-noroot-client]
+[35-client-auth-DTLSv1.2-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -907,7 +1124,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-29]
+[test-35]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 Method = DTLS
index abe6ad4..3da76a3 100644 (file)
@@ -119,6 +119,34 @@ sub generate_tests() {
                     "ExpectedClientCertType" => "RSA",
                     "ExpectedClientSignType" => $clisigtype,
                     "ExpectedClientSignHash" => $clihash,
+                    "ExpectedClientCANames" => "empty",
+                    "Method" => $method,
+                },
+            };
+
+            # Successful handshake with client authentication non-empty names
+            push @tests, {
+                name => "client-auth-${protocol_name}-require-non-empty-names",
+                server => {
+                    "MinProtocol" => $protocol,
+                    "MaxProtocol" => $protocol,
+                    "ClientSignatureAlgorithms" => $clisigalgs,
+                    "ClientCAFile" => test_pem("root-cert.pem"),
+                    "VerifyCAFile" => test_pem("root-cert.pem"),
+                    "VerifyMode" => "Request",
+                },
+                client => {
+                    "MinProtocol" => $protocol,
+                    "MaxProtocol" => $protocol,
+                    "Certificate" => test_pem("ee-client-chain.pem"),
+                    "PrivateKey"  => test_pem("ee-key.pem"),
+                },
+                test   => {
+                    "ExpectedResult" => "Success",
+                    "ExpectedClientCertType" => "RSA",
+                    "ExpectedClientSignType" => $clisigtype,
+                    "ExpectedClientSignHash" => $clihash,
+                    "ExpectedClientCANames" => test_pem("root-cert.pem"),
                     "Method" => $method,
                 },
             };
index 3d50f02..1d92e68 100644 (file)
@@ -316,6 +316,24 @@ my @tests_tls_1_3 = (
             "ExpectedClientCertType" => "RSA",
             "ExpectedClientSignHash" => "SHA256",
             "ExpectedClientSignType" => "RSA-PSS",
+            "ExpectedClientCANames" => "empty",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+        server => {
+            "ClientSignatureAlgorithms" => "PSS+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "ClientCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => $client_tls_1_3,
+        test   => {
+            "ExpectedClientCertType" => "RSA",
+            "ExpectedClientSignHash" => "SHA256",
+            "ExpectedClientSignType" => "RSA-PSS",
+            "ExpectedClientCANames" => test_pem("root-cert.pem"),
             "ExpectedResult" => "Success"
         },
     },