+#Test 12: ALPN handshake (server support only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-alpn test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "ALPN handshake test (server)");
+
+#Test 13: ALPN handshake (client and server)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -alpn test");
+$proxy->serverflags("-alpn test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::ALPN_CLI_EXTENSION
+ | checkhandshake::ALPN_SRV_EXTENSION,
+ "ALPN handshake test");
+
+SKIP: {
+ skip "No CT, EC or OCSP support in this OpenSSL build", 1
+ if disabled("ct") || disabled("ec") || disabled("ocsp");
+
+ #Test 14: SCT handshake (client request only)
+ $proxy->clear();
+ #Note: -ct also sends status_request
+ $proxy->clientflags("-no_tls1_3 -ct");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SCT_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "SCT handshake test (client)");
+}
+
+SKIP: {
+ skip "No OCSP support in this OpenSSL build", 1
+ if disabled("ocsp");
+
+ #Test 15: SCT handshake (server support only)
+ $proxy->clear();
+ #Note: -ct also sends status_request
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "SCT handshake test (server)");
+}
+
+SKIP: {
+ skip "No CT, EC or OCSP support in this OpenSSL build", 1
+ if disabled("ct") || disabled("ec") || disabled("ocsp");
+
+ #Test 16: SCT handshake (client and server)
+ #There is no built-in server side support for this so we are actually also
+ #testing custom extensions here
+ $proxy->clear();
+ #Note: -ct also sends status_request
+ $proxy->clientflags("-no_tls1_3 -ct");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der")
+ ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SCT_CLI_EXTENSION
+ | checkhandshake::SCT_SRV_EXTENSION
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "SCT handshake test");
+}
+
+
+SKIP: {
+ skip "No NPN support in this OpenSSL build", 3
+ if disabled("nextprotoneg");
+
+ #Test 17: NPN handshake (client request only)
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::NPN_CLI_EXTENSION,
+ "NPN handshake test (client)");
+
+ #Test 18: NPN handshake (server support only)
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-nextprotoneg test");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "NPN handshake test (server)");
+
+ #Test 19: NPN handshake (client and server)
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
+ $proxy->serverflags("-nextprotoneg test");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::NPN_CLI_EXTENSION
+ | checkhandshake::NPN_SRV_EXTENSION,
+ "NPN handshake test");
+}
+
+SKIP: {
+ skip "No SRP support in this OpenSSL build", 1
+ if disabled("srp");
+
+ #Test 20: SRP extension
+ #Note: We are not actually going to perform an SRP handshake (TLSProxy
+ #does not support it). However it is sufficient for us to check that the
+ #SRP extension gets added on the client side. There is no SRP extension
+ #generated on the server side anyway.
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SRP_CLI_EXTENSION,
+ "SRP extension test");
+}
+
+#Test 21: EC handshake
+SKIP: {
+ skip "No EC support in this OpenSSL build", 1 if disabled("ec");
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-no_tls1_3");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
+ "EC handshake test");
+}