From: Dr. Stephen Henson Date: Wed, 15 Mar 2017 17:26:05 +0000 (+0000) Subject: Add Client CA names tests X-Git-Tag: OpenSSL_1_1_1-pre1~1998 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=2c1b0f1e06759052eec749fadb790fa13a9a4eaf Add Client CA names tests Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/2969) --- diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf index ef65d71764..5696394c1b 100644 --- a/test/ssl-tests/04-client_auth.conf +++ b/test/ssl-tests/04-client_auth.conf 
@@ -1,37 +1,43 @@ # Generated with generate_ssl_tests.pl -num_tests = 30 +num_tests = 36 test-0 = 0-server-auth-flex test-1 = 1-client-auth-flex-request test-2 = 2-client-auth-flex-require-fail test-3 = 3-client-auth-flex-require -test-4 = 4-client-auth-flex-noroot -test-5 = 5-server-auth-TLSv1 -test-6 = 6-client-auth-TLSv1-request -test-7 = 7-client-auth-TLSv1-require-fail -test-8 = 8-client-auth-TLSv1-require -test-9 = 9-client-auth-TLSv1-noroot -test-10 = 10-server-auth-TLSv1.1 -test-11 = 11-client-auth-TLSv1.1-request -test-12 = 12-client-auth-TLSv1.1-require-fail -test-13 = 13-client-auth-TLSv1.1-require -test-14 = 14-client-auth-TLSv1.1-noroot -test-15 = 15-server-auth-TLSv1.2 -test-16 = 16-client-auth-TLSv1.2-request -test-17 = 17-client-auth-TLSv1.2-require-fail -test-18 = 18-client-auth-TLSv1.2-require -test-19 = 19-client-auth-TLSv1.2-noroot -test-20 = 20-server-auth-DTLSv1 -test-21 = 21-client-auth-DTLSv1-request -test-22 = 22-client-auth-DTLSv1-require-fail -test-23 = 23-client-auth-DTLSv1-require -test-24 = 24-client-auth-DTLSv1-noroot -test-25 = 25-server-auth-DTLSv1.2 -test-26 = 26-client-auth-DTLSv1.2-request -test-27 = 27-client-auth-DTLSv1.2-require-fail -test-28 = 28-client-auth-DTLSv1.2-require -test-29 = 29-client-auth-DTLSv1.2-noroot +test-4 = 4-client-auth-flex-require-non-empty-names +test-5 = 5-client-auth-flex-noroot +test-6 = 6-server-auth-TLSv1 +test-7 = 7-client-auth-TLSv1-request +test-8 = 8-client-auth-TLSv1-require-fail +test-9 = 9-client-auth-TLSv1-require +test-10 = 10-client-auth-TLSv1-require-non-empty-names +test-11 = 11-client-auth-TLSv1-noroot +test-12 = 12-server-auth-TLSv1.1 +test-13 = 13-client-auth-TLSv1.1-request +test-14 = 14-client-auth-TLSv1.1-require-fail +test-15 = 15-client-auth-TLSv1.1-require +test-16 = 16-client-auth-TLSv1.1-require-non-empty-names +test-17 = 17-client-auth-TLSv1.1-noroot +test-18 = 18-server-auth-TLSv1.2 +test-19 = 19-client-auth-TLSv1.2-request +test-20 = 20-client-auth-TLSv1.2-require-fail 
+test-21 = 21-client-auth-TLSv1.2-require +test-22 = 22-client-auth-TLSv1.2-require-non-empty-names +test-23 = 23-client-auth-TLSv1.2-noroot +test-24 = 24-server-auth-DTLSv1 +test-25 = 25-client-auth-DTLSv1-request +test-26 = 26-client-auth-DTLSv1-require-fail +test-27 = 27-client-auth-DTLSv1-require +test-28 = 28-client-auth-DTLSv1-require-non-empty-names +test-29 = 29-client-auth-DTLSv1-noroot +test-30 = 30-server-auth-DTLSv1.2 +test-31 = 31-client-auth-DTLSv1.2-request +test-32 = 32-client-auth-DTLSv1.2-require-fail +test-33 = 33-client-auth-DTLSv1.2-require +test-34 = 34-client-auth-DTLSv1.2-require-non-empty-names +test-35 = 35-client-auth-DTLSv1.2-noroot # =========================================================== [0-server-auth-flex] 
@@ -129,26 +135,29 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] +ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success # =========================================================== -[4-client-auth-flex-noroot] -ssl_conf = 4-client-auth-flex-noroot-ssl +[4-client-auth-flex-require-non-empty-names] +ssl_conf = 4-client-auth-flex-require-non-empty-names-ssl -[4-client-auth-flex-noroot-ssl] -server = 4-client-auth-flex-noroot-server -client = 4-client-auth-flex-noroot-client +[4-client-auth-flex-require-non-empty-names-ssl] +server = 4-client-auth-flex-require-non-empty-names-server +client = 4-client-auth-flex-require-non-empty-names-client -[4-client-auth-flex-noroot-server] +[4-client-auth-flex-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Require +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request -[4-client-auth-flex-noroot-client] +[4-client-auth-flex-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem 
@@ -156,47 +165,75 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedResult = Success + + +# =========================================================== + +[5-client-auth-flex-noroot] +ssl_conf = 5-client-auth-flex-noroot-ssl + +[5-client-auth-flex-noroot-ssl] +server = 5-client-auth-flex-noroot-server +client = 5-client-auth-flex-noroot-client + +[5-client-auth-flex-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[5-client-auth-flex-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[5-server-auth-TLSv1] -ssl_conf = 5-server-auth-TLSv1-ssl +[6-server-auth-TLSv1] +ssl_conf = 6-server-auth-TLSv1-ssl -[5-server-auth-TLSv1-ssl] -server = 5-server-auth-TLSv1-server -client = 5-server-auth-TLSv1-client +[6-server-auth-TLSv1-ssl] +server = 6-server-auth-TLSv1-server +client = 6-server-auth-TLSv1-client -[5-server-auth-TLSv1-server] +[6-server-auth-TLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-server-auth-TLSv1-client] +[6-server-auth-TLSv1-client] CipherString = DEFAULT MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-6] ExpectedResult = Success # =========================================================== -[6-client-auth-TLSv1-request] -ssl_conf = 6-client-auth-TLSv1-request-ssl +[7-client-auth-TLSv1-request] +ssl_conf 
= 7-client-auth-TLSv1-request-ssl -[6-client-auth-TLSv1-request-ssl] -server = 6-client-auth-TLSv1-request-server -client = 6-client-auth-TLSv1-request-client +[7-client-auth-TLSv1-request-ssl] +server = 7-client-auth-TLSv1-request-server +client = 7-client-auth-TLSv1-request-client -[6-client-auth-TLSv1-request-server] +[7-client-auth-TLSv1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 @@ -204,27 +241,27 @@ MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[6-client-auth-TLSv1-request-client] +[7-client-auth-TLSv1-request-client] CipherString = DEFAULT MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-6] +[test-7] ExpectedResult = Success # =========================================================== -[7-client-auth-TLSv1-require-fail] -ssl_conf = 7-client-auth-TLSv1-require-fail-ssl +[8-client-auth-TLSv1-require-fail] +ssl_conf = 8-client-auth-TLSv1-require-fail-ssl -[7-client-auth-TLSv1-require-fail-ssl] -server = 7-client-auth-TLSv1-require-fail-server -client = 7-client-auth-TLSv1-require-fail-client +[8-client-auth-TLSv1-require-fail-ssl] +server = 8-client-auth-TLSv1-require-fail-server +client = 8-client-auth-TLSv1-require-fail-client -[7-client-auth-TLSv1-require-fail-server] +[8-client-auth-TLSv1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 
@@ -233,28 +270,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[7-client-auth-TLSv1-require-fail-client] +[8-client-auth-TLSv1-require-fail-client] CipherString = DEFAULT MaxProtocol = TLSv1 MinProtocol = TLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-7] +[test-8] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[8-client-auth-TLSv1-require] -ssl_conf = 8-client-auth-TLSv1-require-ssl +[9-client-auth-TLSv1-require] +ssl_conf = 9-client-auth-TLSv1-require-ssl -[8-client-auth-TLSv1-require-ssl] -server = 8-client-auth-TLSv1-require-server -client = 8-client-auth-TLSv1-require-client +[9-client-auth-TLSv1-require-ssl] +server = 9-client-auth-TLSv1-require-server +client = 9-client-auth-TLSv1-require-client -[8-client-auth-TLSv1-require-server] +[9-client-auth-TLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 @@ -263,7 +300,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[8-client-auth-TLSv1-require-client] +[9-client-auth-TLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1 
@@ -272,21 +309,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-8] +[test-9] +ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success # =========================================================== -[9-client-auth-TLSv1-noroot] -ssl_conf = 9-client-auth-TLSv1-noroot-ssl +[10-client-auth-TLSv1-require-non-empty-names] +ssl_conf = 10-client-auth-TLSv1-require-non-empty-names-ssl -[9-client-auth-TLSv1-noroot-ssl] -server = 9-client-auth-TLSv1-noroot-server -client = 9-client-auth-TLSv1-noroot-client +[10-client-auth-TLSv1-require-non-empty-names-ssl] +server = 10-client-auth-TLSv1-require-non-empty-names-server +client = 10-client-auth-TLSv1-require-non-empty-names-client -[9-client-auth-TLSv1-noroot-server] +[10-client-auth-TLSv1-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[10-client-auth-TLSv1-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-10] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedResult = Success + + +# =========================================================== + +[11-client-auth-TLSv1-noroot] +ssl_conf = 11-client-auth-TLSv1-noroot-ssl + +[11-client-auth-TLSv1-noroot-ssl] +server = 11-client-auth-TLSv1-noroot-server +client = 11-client-auth-TLSv1-noroot-client + +[11-client-auth-TLSv1-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT 
MaxProtocol = TLSv1 @@ -294,7 +366,7 @@ MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[9-client-auth-TLSv1-noroot-client] +[11-client-auth-TLSv1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1 
@@ -303,48 +375,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-11] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[10-server-auth-TLSv1.1] -ssl_conf = 10-server-auth-TLSv1.1-ssl +[12-server-auth-TLSv1.1] +ssl_conf = 12-server-auth-TLSv1.1-ssl -[10-server-auth-TLSv1.1-ssl] -server = 10-server-auth-TLSv1.1-server -client = 10-server-auth-TLSv1.1-client +[12-server-auth-TLSv1.1-ssl] +server = 12-server-auth-TLSv1.1-server +client = 12-server-auth-TLSv1.1-client -[10-server-auth-TLSv1.1-server] +[12-server-auth-TLSv1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-server-auth-TLSv1.1-client] +[12-server-auth-TLSv1.1-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-10] +[test-12] ExpectedResult = Success # =========================================================== -[11-client-auth-TLSv1.1-request] -ssl_conf = 11-client-auth-TLSv1.1-request-ssl +[13-client-auth-TLSv1.1-request] +ssl_conf = 13-client-auth-TLSv1.1-request-ssl -[11-client-auth-TLSv1.1-request-ssl] -server = 11-client-auth-TLSv1.1-request-server -client = 11-client-auth-TLSv1.1-request-client +[13-client-auth-TLSv1.1-request-ssl] +server = 13-client-auth-TLSv1.1-request-server +client = 13-client-auth-TLSv1.1-request-client -[11-client-auth-TLSv1.1-request-server] +[13-client-auth-TLSv1.1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 
@@ -352,27 +424,27 @@ MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[11-client-auth-TLSv1.1-request-client] +[13-client-auth-TLSv1.1-request-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-13] ExpectedResult = Success # =========================================================== -[12-client-auth-TLSv1.1-require-fail] -ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl +[14-client-auth-TLSv1.1-require-fail] +ssl_conf = 14-client-auth-TLSv1.1-require-fail-ssl -[12-client-auth-TLSv1.1-require-fail-ssl] -server = 12-client-auth-TLSv1.1-require-fail-server -client = 12-client-auth-TLSv1.1-require-fail-client +[14-client-auth-TLSv1.1-require-fail-ssl] +server = 14-client-auth-TLSv1.1-require-fail-server +client = 14-client-auth-TLSv1.1-require-fail-client -[12-client-auth-TLSv1.1-require-fail-server] +[14-client-auth-TLSv1.1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 
@@ -381,28 +453,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[12-client-auth-TLSv1.1-require-fail-client] +[14-client-auth-TLSv1.1-require-fail-client] CipherString = DEFAULT MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-14] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[13-client-auth-TLSv1.1-require] -ssl_conf = 13-client-auth-TLSv1.1-require-ssl +[15-client-auth-TLSv1.1-require] +ssl_conf = 15-client-auth-TLSv1.1-require-ssl -[13-client-auth-TLSv1.1-require-ssl] -server = 13-client-auth-TLSv1.1-require-server -client = 13-client-auth-TLSv1.1-require-client +[15-client-auth-TLSv1.1-require-ssl] +server = 15-client-auth-TLSv1.1-require-server +client = 15-client-auth-TLSv1.1-require-client -[13-client-auth-TLSv1.1-require-server] +[15-client-auth-TLSv1.1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 @@ -411,7 +483,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[13-client-auth-TLSv1.1-require-client] +[15-client-auth-TLSv1.1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 
@@ -420,21 +492,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-15] +ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success # =========================================================== -[14-client-auth-TLSv1.1-noroot] -ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl +[16-client-auth-TLSv1.1-require-non-empty-names] +ssl_conf = 16-client-auth-TLSv1.1-require-non-empty-names-ssl -[14-client-auth-TLSv1.1-noroot-ssl] -server = 14-client-auth-TLSv1.1-noroot-server -client = 14-client-auth-TLSv1.1-noroot-client +[16-client-auth-TLSv1.1-require-non-empty-names-ssl] +server = 16-client-auth-TLSv1.1-require-non-empty-names-server +client = 16-client-auth-TLSv1.1-require-non-empty-names-client -[14-client-auth-TLSv1.1-noroot-server] +[16-client-auth-TLSv1.1-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[16-client-auth-TLSv1.1-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedResult = Success + + +# =========================================================== + +[17-client-auth-TLSv1.1-noroot] +ssl_conf = 17-client-auth-TLSv1.1-noroot-ssl + +[17-client-auth-TLSv1.1-noroot-ssl] +server = 17-client-auth-TLSv1.1-noroot-server +client = 17-client-auth-TLSv1.1-noroot-client + +[17-client-auth-TLSv1.1-noroot-server] Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 @@ -442,7 +549,7 @@ MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[14-client-auth-TLSv1.1-noroot-client] +[17-client-auth-TLSv1.1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 
@@ -451,48 +558,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-17] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[15-server-auth-TLSv1.2] -ssl_conf = 15-server-auth-TLSv1.2-ssl +[18-server-auth-TLSv1.2] +ssl_conf = 18-server-auth-TLSv1.2-ssl -[15-server-auth-TLSv1.2-ssl] -server = 15-server-auth-TLSv1.2-server -client = 15-server-auth-TLSv1.2-client +[18-server-auth-TLSv1.2-ssl] +server = 18-server-auth-TLSv1.2-server +client = 18-server-auth-TLSv1.2-client -[15-server-auth-TLSv1.2-server] +[18-server-auth-TLSv1.2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-server-auth-TLSv1.2-client] +[18-server-auth-TLSv1.2-client] CipherString = DEFAULT MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-18] ExpectedResult = Success # =========================================================== -[16-client-auth-TLSv1.2-request] -ssl_conf = 16-client-auth-TLSv1.2-request-ssl +[19-client-auth-TLSv1.2-request] +ssl_conf = 19-client-auth-TLSv1.2-request-ssl -[16-client-auth-TLSv1.2-request-ssl] -server = 16-client-auth-TLSv1.2-request-server -client = 16-client-auth-TLSv1.2-request-client +[19-client-auth-TLSv1.2-request-ssl] +server = 19-client-auth-TLSv1.2-request-server +client = 19-client-auth-TLSv1.2-request-client -[16-client-auth-TLSv1.2-request-server] +[19-client-auth-TLSv1.2-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 
@@ -500,27 +607,27 @@ MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[16-client-auth-TLSv1.2-request-client] +[19-client-auth-TLSv1.2-request-client] CipherString = DEFAULT MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-19] ExpectedResult = Success # =========================================================== -[17-client-auth-TLSv1.2-require-fail] -ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl +[20-client-auth-TLSv1.2-require-fail] +ssl_conf = 20-client-auth-TLSv1.2-require-fail-ssl -[17-client-auth-TLSv1.2-require-fail-ssl] -server = 17-client-auth-TLSv1.2-require-fail-server -client = 17-client-auth-TLSv1.2-require-fail-client +[20-client-auth-TLSv1.2-require-fail-ssl] +server = 20-client-auth-TLSv1.2-require-fail-server +client = 20-client-auth-TLSv1.2-require-fail-client -[17-client-auth-TLSv1.2-require-fail-server] +[20-client-auth-TLSv1.2-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 
@@ -529,28 +636,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[17-client-auth-TLSv1.2-require-fail-client] +[20-client-auth-TLSv1.2-require-fail-client] CipherString = DEFAULT MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-17] +[test-20] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[18-client-auth-TLSv1.2-require] -ssl_conf = 18-client-auth-TLSv1.2-require-ssl +[21-client-auth-TLSv1.2-require] +ssl_conf = 21-client-auth-TLSv1.2-require-ssl -[18-client-auth-TLSv1.2-require-ssl] -server = 18-client-auth-TLSv1.2-require-server -client = 18-client-auth-TLSv1.2-require-client +[21-client-auth-TLSv1.2-require-ssl] +server = 21-client-auth-TLSv1.2-require-server +client = 21-client-auth-TLSv1.2-require-client -[18-client-auth-TLSv1.2-require-server] +[21-client-auth-TLSv1.2-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ClientSignatureAlgorithms = SHA256+RSA @@ -560,7 +667,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[18-client-auth-TLSv1.2-require-client] +[21-client-auth-TLSv1.2-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 @@ -569,7 +676,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-18] +[test-21] +ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedClientSignHash = SHA256 ExpectedClientSignType = RSA 
@@ -578,14 +686,51 @@ ExpectedResult = Success # =========================================================== -[19-client-auth-TLSv1.2-noroot] -ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl +[22-client-auth-TLSv1.2-require-non-empty-names] +ssl_conf = 22-client-auth-TLSv1.2-require-non-empty-names-ssl -[19-client-auth-TLSv1.2-noroot-ssl] -server = 19-client-auth-TLSv1.2-noroot-server -client = 19-client-auth-TLSv1.2-noroot-client +[22-client-auth-TLSv1.2-require-non-empty-names-ssl] +server = 22-client-auth-TLSv1.2-require-non-empty-names-server +client = 22-client-auth-TLSv1.2-require-non-empty-names-client -[19-client-auth-TLSv1.2-noroot-server] +[22-client-auth-TLSv1.2-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ClientSignatureAlgorithms = SHA256+RSA +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[22-client-auth-TLSv1.2-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = RSA +ExpectedResult = Success + + +# =========================================================== + +[23-client-auth-TLSv1.2-noroot] +ssl_conf = 23-client-auth-TLSv1.2-noroot-ssl + +[23-client-auth-TLSv1.2-noroot-ssl] +server = 23-client-auth-TLSv1.2-noroot-server +client = 23-client-auth-TLSv1.2-noroot-client + +[23-client-auth-TLSv1.2-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 
@@ -593,7 +738,7 @@ MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[19-client-auth-TLSv1.2-noroot-client] +[23-client-auth-TLSv1.2-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 
@@ -602,49 +747,49 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-23] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[20-server-auth-DTLSv1] -ssl_conf = 20-server-auth-DTLSv1-ssl +[24-server-auth-DTLSv1] +ssl_conf = 24-server-auth-DTLSv1-ssl -[20-server-auth-DTLSv1-ssl] -server = 20-server-auth-DTLSv1-server -client = 20-server-auth-DTLSv1-client +[24-server-auth-DTLSv1-ssl] +server = 24-server-auth-DTLSv1-server +client = 24-server-auth-DTLSv1-client -[20-server-auth-DTLSv1-server] +[24-server-auth-DTLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-server-auth-DTLSv1-client] +[24-server-auth-DTLSv1-client] CipherString = DEFAULT MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-20] +[test-24] ExpectedResult = Success Method = DTLS # =========================================================== -[21-client-auth-DTLSv1-request] -ssl_conf = 21-client-auth-DTLSv1-request-ssl +[25-client-auth-DTLSv1-request] +ssl_conf = 25-client-auth-DTLSv1-request-ssl -[21-client-auth-DTLSv1-request-ssl] -server = 21-client-auth-DTLSv1-request-server -client = 21-client-auth-DTLSv1-request-client +[25-client-auth-DTLSv1-request-ssl] +server = 25-client-auth-DTLSv1-request-server +client = 25-client-auth-DTLSv1-request-client -[21-client-auth-DTLSv1-request-server] +[25-client-auth-DTLSv1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 
@@ -652,28 +797,28 @@ MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Request -[21-client-auth-DTLSv1-request-client] +[25-client-auth-DTLSv1-request-client] CipherString = DEFAULT MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-21] +[test-25] ExpectedResult = Success Method = DTLS # =========================================================== -[22-client-auth-DTLSv1-require-fail] -ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl +[26-client-auth-DTLSv1-require-fail] +ssl_conf = 26-client-auth-DTLSv1-require-fail-ssl -[22-client-auth-DTLSv1-require-fail-ssl] -server = 22-client-auth-DTLSv1-require-fail-server -client = 22-client-auth-DTLSv1-require-fail-client +[26-client-auth-DTLSv1-require-fail-ssl] +server = 26-client-auth-DTLSv1-require-fail-server +client = 26-client-auth-DTLSv1-require-fail-client -[22-client-auth-DTLSv1-require-fail-server] +[26-client-auth-DTLSv1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 @@ -682,14 +827,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[22-client-auth-DTLSv1-require-fail-client] +[26-client-auth-DTLSv1-require-fail-client] CipherString = DEFAULT MaxProtocol = DTLSv1 MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-22] +[test-26] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure Method = DTLS 
@@ -697,14 +842,14 @@ Method = DTLS # =========================================================== -[23-client-auth-DTLSv1-require] -ssl_conf = 23-client-auth-DTLSv1-require-ssl +[27-client-auth-DTLSv1-require] +ssl_conf = 27-client-auth-DTLSv1-require-ssl -[23-client-auth-DTLSv1-require-ssl] -server = 23-client-auth-DTLSv1-require-server -client = 23-client-auth-DTLSv1-require-client +[27-client-auth-DTLSv1-require-ssl] +server = 27-client-auth-DTLSv1-require-server +client = 27-client-auth-DTLSv1-require-client -[23-client-auth-DTLSv1-require-server] +[27-client-auth-DTLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 @@ -713,7 +858,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[23-client-auth-DTLSv1-require-client] +[27-client-auth-DTLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = DTLSv1 
@@ -722,7 +867,43 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-23] +[test-27] +ExpectedClientCANames = empty +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[28-client-auth-DTLSv1-require-non-empty-names] +ssl_conf = 28-client-auth-DTLSv1-require-non-empty-names-ssl + +[28-client-auth-DTLSv1-require-non-empty-names-ssl] +server = 28-client-auth-DTLSv1-require-non-empty-names-server +client = 28-client-auth-DTLSv1-require-non-empty-names-client + +[28-client-auth-DTLSv1-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[28-client-auth-DTLSv1-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-28] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success Method = DTLS 
@@ -730,14 +911,14 @@ Method = DTLS # =========================================================== -[24-client-auth-DTLSv1-noroot] -ssl_conf = 24-client-auth-DTLSv1-noroot-ssl +[29-client-auth-DTLSv1-noroot] +ssl_conf = 29-client-auth-DTLSv1-noroot-ssl -[24-client-auth-DTLSv1-noroot-ssl] -server = 24-client-auth-DTLSv1-noroot-server -client = 24-client-auth-DTLSv1-noroot-client +[29-client-auth-DTLSv1-noroot-ssl] +server = 29-client-auth-DTLSv1-noroot-server +client = 29-client-auth-DTLSv1-noroot-client -[24-client-auth-DTLSv1-noroot-server] +[29-client-auth-DTLSv1-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 @@ -745,7 +926,7 @@ MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[24-client-auth-DTLSv1-noroot-client] +[29-client-auth-DTLSv1-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT MaxProtocol = DTLSv1 @@ -754,7 +935,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-24] +[test-29] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA Method = DTLS 
@@ -762,42 +943,42 @@ Method = DTLS
 
 # ===========================================================
 
-[25-server-auth-DTLSv1.2]
-ssl_conf = 25-server-auth-DTLSv1.2-ssl
+[30-server-auth-DTLSv1.2]
+ssl_conf = 30-server-auth-DTLSv1.2-ssl
 
-[25-server-auth-DTLSv1.2-ssl]
-server = 25-server-auth-DTLSv1.2-server
-client = 25-server-auth-DTLSv1.2-client
+[30-server-auth-DTLSv1.2-ssl]
+server = 30-server-auth-DTLSv1.2-server
+client = 30-server-auth-DTLSv1.2-client
 
-[25-server-auth-DTLSv1.2-server]
+[30-server-auth-DTLSv1.2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-server-auth-DTLSv1.2-client]
+[30-server-auth-DTLSv1.2-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-25]
+[test-30]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[26-client-auth-DTLSv1.2-request]
-ssl_conf = 26-client-auth-DTLSv1.2-request-ssl
+[31-client-auth-DTLSv1.2-request]
+ssl_conf = 31-client-auth-DTLSv1.2-request-ssl
 
-[26-client-auth-DTLSv1.2-request-ssl]
-server = 26-client-auth-DTLSv1.2-request-server
-client = 26-client-auth-DTLSv1.2-request-client
+[31-client-auth-DTLSv1.2-request-ssl]
+server = 31-client-auth-DTLSv1.2-request-server
+client = 31-client-auth-DTLSv1.2-request-client
 
-[26-client-auth-DTLSv1.2-request-server]
+[31-client-auth-DTLSv1.2-request-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -805,28 +986,28 @@ MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Request
 
-[26-client-auth-DTLSv1.2-request-client]
+[31-client-auth-DTLSv1.2-request-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-26]
+[test-31]
 ExpectedResult = Success
 Method = DTLS
 
 
 # ===========================================================
 
-[27-client-auth-DTLSv1.2-require-fail]
-ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl
+[32-client-auth-DTLSv1.2-require-fail]
+ssl_conf = 32-client-auth-DTLSv1.2-require-fail-ssl
 
-[27-client-auth-DTLSv1.2-require-fail-ssl]
-server = 27-client-auth-DTLSv1.2-require-fail-server
-client = 27-client-auth-DTLSv1.2-require-fail-client
+[32-client-auth-DTLSv1.2-require-fail-ssl]
+server = 32-client-auth-DTLSv1.2-require-fail-server
+client = 32-client-auth-DTLSv1.2-require-fail-client
 
-[27-client-auth-DTLSv1.2-require-fail-server]
+[32-client-auth-DTLSv1.2-require-fail-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -835,14 +1016,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
-[27-client-auth-DTLSv1.2-require-fail-client]
+[32-client-auth-DTLSv1.2-require-fail-client]
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
 MinProtocol = DTLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-27]
+[test-32]
 ExpectedResult = ServerFail
 ExpectedServerAlert = HandshakeFailure
 Method = DTLS
@@ -850,14 +1031,14 @@ Method = DTLS
 
 # ===========================================================
 
-[28-client-auth-DTLSv1.2-require]
-ssl_conf = 28-client-auth-DTLSv1.2-require-ssl
+[33-client-auth-DTLSv1.2-require]
+ssl_conf = 33-client-auth-DTLSv1.2-require-ssl
 
-[28-client-auth-DTLSv1.2-require-ssl]
-server = 28-client-auth-DTLSv1.2-require-server
-client = 28-client-auth-DTLSv1.2-require-client
+[33-client-auth-DTLSv1.2-require-ssl]
+server = 33-client-auth-DTLSv1.2-require-server
+client = 33-client-auth-DTLSv1.2-require-client
 
-[28-client-auth-DTLSv1.2-require-server]
+[33-client-auth-DTLSv1.2-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -866,7 +1047,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Request
 
-[28-client-auth-DTLSv1.2-require-client]
+[33-client-auth-DTLSv1.2-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -875,7 +1056,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-28]
+[test-33]
+ExpectedClientCANames = empty
 ExpectedClientCertType = RSA
 ExpectedResult = Success
 Method = DTLS
@@ -883,14 +1065,49 @@ Method = DTLS
 
 # ===========================================================
 
-[29-client-auth-DTLSv1.2-noroot]
-ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl
+[34-client-auth-DTLSv1.2-require-non-empty-names]
+ssl_conf = 34-client-auth-DTLSv1.2-require-non-empty-names-ssl
 
-[29-client-auth-DTLSv1.2-noroot-ssl]
-server = 29-client-auth-DTLSv1.2-noroot-server
-client = 29-client-auth-DTLSv1.2-noroot-client
+[34-client-auth-DTLSv1.2-require-non-empty-names-ssl]
+server = 34-client-auth-DTLSv1.2-require-non-empty-names-server
+client = 34-client-auth-DTLSv1.2-require-non-empty-names-client
 
-[29-client-auth-DTLSv1.2-noroot-server]
+[34-client-auth-DTLSv1.2-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[34-client-auth-DTLSv1.2-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-34]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[35-client-auth-DTLSv1.2-noroot]
+ssl_conf = 35-client-auth-DTLSv1.2-noroot-ssl
+
+[35-client-auth-DTLSv1.2-noroot-ssl]
+server = 35-client-auth-DTLSv1.2-noroot-server
+client = 35-client-auth-DTLSv1.2-noroot-client
+
+[35-client-auth-DTLSv1.2-noroot-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -898,7 +1115,7 @@ MinProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyMode = Require
 
-[29-client-auth-DTLSv1.2-noroot-client]
+[35-client-auth-DTLSv1.2-noroot-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
 CipherString = DEFAULT
 MaxProtocol = DTLSv1.2
@@ -907,7 +1124,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-29]
+[test-35]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
 Method = DTLS
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index abe6ad43e4..3da76a3e2a 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -119,6 +119,34 @@ sub generate_tests() {
 "ExpectedClientCertType" => "RSA",
 "ExpectedClientSignType" => $clisigtype,
 "ExpectedClientSignHash" => $clihash,
+"ExpectedClientCANames" => "empty",
+"Method" => $method,
+},
+};
+
+# Successful handshake with client authentication non-empty names
+push @tests, {
+name => "client-auth-${protocol_name}-require-non-empty-names",
+server => {
+"MinProtocol" => $protocol,
+"MaxProtocol" => $protocol,
+"ClientSignatureAlgorithms" => $clisigalgs,
+"ClientCAFile" => test_pem("root-cert.pem"),
+"VerifyCAFile" => test_pem("root-cert.pem"),
+"VerifyMode" => "Request",
+},
+client => {
+"MinProtocol" => $protocol,
+"MaxProtocol" => $protocol,
+"Certificate" => test_pem("ee-client-chain.pem"),
+"PrivateKey" => test_pem("ee-key.pem"),
+},
+test => {
+"ExpectedResult" => "Success",
+"ExpectedClientCertType" => "RSA",
+"ExpectedClientSignType" => $clisigtype,
+"ExpectedClientSignHash" => $clihash,
+"ExpectedClientCANames" => test_pem("root-cert.pem"),
 "Method" => $method,
 },
 };
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 3d50f0220d..1d92e68d25 100644
--- a/test/ssl-tests/20-cert-select.conf.in
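Review bot: The new `client-auth-${protocol_name}-require-non-empty-names` entry configures its server with `"VerifyMode" => "Request"`, so despite the "require" in its name it does not check that the server rejects a handshake with no client certificate; what it pins is that the advertised CA list equals `root-cert.pem` and that the presented chain is accepted. That mirrors the existing `-require` entry this hunk appends to (its start is outside the hunk, and the generated conf shows it with `VerifyMode = Request` too), so it is a naming quirk rather than a defect, but a one-line comment would stop the next reader from assuming stricter enforcement, e.g. `# VerifyMode is Request, not Require: this test is about the CA names the server advertises, not about enforcing a client cert`. The comment `# Successful handshake with client authentication non-empty names` could also say what is asserted, e.g. `# Server advertises root-cert.pem as an acceptable CA; ExpectedClientCANames pins that exact list, "empty" above pins that no list is sent without ClientCAFile`. The enclosing `generate_tests` sub starts and ends outside the hunk.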
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -316,6 +316,24 @@ my @tests_tls_1_3 = (
 "ExpectedClientCertType" => "RSA",
 "ExpectedClientSignHash" => "SHA256",
 "ExpectedClientSignType" => "RSA-PSS",
+"ExpectedClientCANames" => "empty",
+"ExpectedResult" => "Success"
+},
+},
+{
+name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+server => {
+"ClientSignatureAlgorithms" => "PSS+SHA256",
+"VerifyCAFile" => test_pem("root-cert.pem"),
+"ClientCAFile" => test_pem("root-cert.pem"),
+"VerifyMode" => "Require"
+},
+client => $client_tls_1_3,
+test => {
+"ExpectedClientCertType" => "RSA",
+"ExpectedClientSignHash" => "SHA256",
+"ExpectedClientSignType" => "RSA-PSS",
+"ExpectedClientCANames" => test_pem("root-cert.pem"),
 "ExpectedResult" => "Success"
 },
 },
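Review bot: The `"ExpectedClientCANames" => "empty"` added to the first entry depends on that entry's `server` block, which starts outside the hunk, setting no `ClientCAFile`; a short comment beside it, `# server sets no ClientCAFile, so it must advertise no CA names`, would keep the expectation from being silently invalidated if that block later gains one. The new `non-empty CA Names` entry covers only the positive path: with `"VerifyMode" => "Require"` and `ClientCAFile` both set, a companion entry whose client presents a chain not rooted in `root-cert.pem` would also pin the failure side, in the spirit of the `-noroot` entries in `04-client_auth.conf.in`. The `@tests_tls_1_3` list starts and ends outside the hunk, so whether `$client_tls_1_3` carries a certificate that chains to `root-cert.pem` cannot be confirmed here.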