3 ## SSL test configurations
10 use OpenSSL::Test::Utils;
13 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
16 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
17 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
18 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
19 "MaxProtocol" => "TLSv1.2"
23 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
24 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
25 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
26 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
27 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
28 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
29 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
30 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
31 "MaxProtocol" => "TLSv1.2"
34 my $server_pss_only = {
35 "Certificate" => test_pem("server-pss-cert.pem"),
36 "PrivateKey" => test_pem("server-pss-key.pem"),
39 my $server_pss_restrict_only = {
40 "Certificate" => test_pem("server-pss-restrict-cert.pem"),
41 "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
45 my $server_rsa_all = {
46 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
47 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
48 "Certificate" => test_pem("servercert.pem"),
49 "PrivateKey" => test_pem("serverkey.pem"),
54 name => "ECDSA CipherString Selection",
57 "CipherString" => "aECDSA",
58 "MaxProtocol" => "TLSv1.2",
59 "RequestCAFile" => test_pem("root-cert.pem"),
62 "ExpectedServerCertType" =>, "P-256",
63 "ExpectedServerSignType" =>, "EC",
64 # Note: certificate_authorities not sent for TLS < 1.3
65 "ExpectedServerCANames" =>, "empty",
66 "ExpectedResult" => "Success"
70 name => "ECDSA CipherString Selection",
72 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
73 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
74 "MaxProtocol" => "TLSv1.2",
75 #Deliberately set supported_groups to one not in the cert. This
80 "CipherString" => "aECDSA",
81 "MaxProtocol" => "TLSv1.2",
82 "Groups" => "P-256:P-384",
83 "RequestCAFile" => test_pem("root-cert.pem"),
86 "ExpectedServerCertType" =>, "P-256",
87 "ExpectedServerSignType" =>, "EC",
88 # Note: certificate_authorities not sent for TLS < 1.3
89 "ExpectedServerCANames" =>, "empty",
90 "ExpectedResult" => "Success"
94 name => "ECDSA CipherString Selection",
96 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
97 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
98 "MaxProtocol" => "TLSv1.2",
99 "Groups" => "P-256:P-384"
102 "CipherString" => "aECDSA",
103 "MaxProtocol" => "TLSv1.2",
104 #Deliberately set groups to not include the certificate group. This
107 "RequestCAFile" => test_pem("root-cert.pem"),
110 "ExpectedResult" => "ServerFail"
114 name => "Ed25519 CipherString and Signature Algorithm Selection",
117 "CipherString" => "aECDSA",
118 "MaxProtocol" => "TLSv1.2",
119 "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
120 "RequestCAFile" => test_pem("root-cert.pem"),
123 "ExpectedServerCertType" =>, "Ed25519",
124 "ExpectedServerSignType" =>, "Ed25519",
125 # Note: certificate_authorities not sent for TLS < 1.3
126 "ExpectedServerCANames" =>, "empty",
127 "ExpectedResult" => "Success"
131 name => "Ed448 CipherString and Signature Algorithm Selection",
134 "CipherString" => "aECDSA",
135 "MaxProtocol" => "TLSv1.2",
136 "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
137 "RequestCAFile" => test_pem("root-ed448-cert.pem"),
138 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
141 "ExpectedServerCertType" =>, "Ed448",
142 "ExpectedServerSignType" =>, "Ed448",
143 # Note: certificate_authorities not sent for TLS < 1.3
144 "ExpectedServerCANames" =>, "empty",
145 "ExpectedResult" => "Success"
149 name => "ECDSA with brainpool",
151 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
152 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
153 "Groups" => "brainpoolP256r1",
156 #We don't restrict this to TLSv1.2, although use of brainpool
157 #should force this anyway so that this should succeed
158 "CipherString" => "aECDSA",
159 "RequestCAFile" => test_pem("root-cert.pem"),
160 "Groups" => "brainpoolP256r1",
163 "ExpectedServerCertType" =>, "brainpoolP256r1",
164 "ExpectedServerSignType" =>, "EC",
165 # Note: certificate_authorities not sent for TLS < 1.3
166 "ExpectedServerCANames" =>, "empty",
167 "ExpectedResult" => "Success"
171 name => "RSA CipherString Selection",
174 "CipherString" => "aRSA",
175 "MaxProtocol" => "TLSv1.2",
178 "ExpectedServerCertType" =>, "RSA",
179 "ExpectedServerSignType" =>, "RSA-PSS",
180 "ExpectedResult" => "Success"
184 name => "RSA-PSS Certificate CipherString Selection",
185 server => $server_pss,
187 "CipherString" => "aRSA",
188 "MaxProtocol" => "TLSv1.2",
191 "ExpectedServerCertType" =>, "RSA-PSS",
192 "ExpectedServerSignType" =>, "RSA-PSS",
193 "ExpectedResult" => "Success"
197 name => "P-256 CipherString and Signature Algorithm Selection",
200 "CipherString" => "aECDSA",
201 "MaxProtocol" => "TLSv1.2",
202 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
205 "ExpectedServerCertType" => "P-256",
206 "ExpectedServerSignHash" => "SHA256",
207 "ExpectedServerSignType" => "EC",
208 "ExpectedResult" => "Success"
212 name => "Ed25519 CipherString and Curves Selection",
215 "CipherString" => "aECDSA",
216 "MaxProtocol" => "TLSv1.2",
217 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
218 # Excluding P-256 from the supported curves list means server
219 # certificate should be Ed25519 and not P-256
223 "ExpectedServerCertType" =>, "Ed25519",
224 "ExpectedServerSignType" =>, "Ed25519",
225 "ExpectedResult" => "Success"
229 name => "Ed448 CipherString and Curves Selection",
232 "CipherString" => "aECDSA",
233 "MaxProtocol" => "TLSv1.2",
234 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
235 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
236 # Excluding P-256 from the supported curves list means server
237 # certificate should be Ed25519 and not P-256
241 "ExpectedServerCertType" =>, "Ed448",
242 "ExpectedServerSignType" =>, "Ed448",
243 "ExpectedResult" => "Success"
247 name => "ECDSA CipherString Selection, no ECDSA certificate",
249 "MaxProtocol" => "TLSv1.2"
252 "CipherString" => "aECDSA",
253 "MaxProtocol" => "TLSv1.2"
256 "ExpectedResult" => "ServerFail"
260 name => "ECDSA Signature Algorithm Selection",
263 "SignatureAlgorithms" => "ECDSA+SHA256",
266 "ExpectedServerCertType" => "P-256",
267 "ExpectedServerSignHash" => "SHA256",
268 "ExpectedServerSignType" => "EC",
269 "ExpectedResult" => "Success"
273 name => "ECDSA Signature Algorithm Selection SHA384",
276 "SignatureAlgorithms" => "ECDSA+SHA384",
279 "ExpectedServerCertType" => "P-256",
280 "ExpectedServerSignHash" => "SHA384",
281 "ExpectedServerSignType" => "EC",
282 "ExpectedResult" => "Success"
286 name => "ECDSA Signature Algorithm Selection SHA1",
289 "SignatureAlgorithms" => "ECDSA+SHA1",
292 "ExpectedServerCertType" => "P-256",
293 "ExpectedServerSignHash" => "SHA1",
294 "ExpectedServerSignType" => "EC",
295 "ExpectedResult" => "Success"
299 name => "ECDSA Signature Algorithm Selection compressed point",
301 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
302 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
303 "MaxProtocol" => "TLSv1.2"
306 "SignatureAlgorithms" => "ECDSA+SHA256",
309 "ExpectedServerCertType" => "P-256",
310 "ExpectedServerSignHash" => "SHA256",
311 "ExpectedServerSignType" => "EC",
312 "ExpectedResult" => "Success"
316 name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
318 "MaxProtocol" => "TLSv1.2"
321 "SignatureAlgorithms" => "ECDSA+SHA256",
324 "ExpectedResult" => "ServerFail"
328 name => "RSA Signature Algorithm Selection",
331 "SignatureAlgorithms" => "RSA+SHA256",
334 "ExpectedServerCertType" => "RSA",
335 "ExpectedServerSignHash" => "SHA256",
336 "ExpectedServerSignType" => "RSA",
337 "ExpectedResult" => "Success"
341 name => "RSA-PSS Signature Algorithm Selection",
344 "SignatureAlgorithms" => "RSA-PSS+SHA256",
347 "ExpectedServerCertType" => "RSA",
348 "ExpectedServerSignHash" => "SHA256",
349 "ExpectedServerSignType" => "RSA-PSS",
350 "ExpectedResult" => "Success"
354 name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
355 server => $server_pss,
357 "SignatureAlgorithms" => "RSA-PSS+SHA256",
360 "ExpectedServerCertType" => "RSA",
361 "ExpectedServerSignHash" => "SHA256",
362 "ExpectedServerSignType" => "RSA-PSS",
363 "ExpectedResult" => "Success"
367 name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
368 server => $server_pss,
370 "SignatureAlgorithms" => "rsa_pss_pss_sha256",
373 "ExpectedServerCertType" => "RSA-PSS",
374 "ExpectedServerSignHash" => "SHA256",
375 "ExpectedServerSignType" => "RSA-PSS",
376 "ExpectedResult" => "Success"
380 name => "Only RSA-PSS Certificate",
381 server => $server_pss_only,
384 "ExpectedServerCertType" => "RSA-PSS",
385 "ExpectedServerSignHash" => "SHA256",
386 "ExpectedServerSignType" => "RSA-PSS",
387 "ExpectedResult" => "Success"
391 name => "Only RSA-PSS Certificate Valid Signature Algorithms",
392 server => $server_pss_only,
394 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
397 "ExpectedServerCertType" => "RSA-PSS",
398 "ExpectedServerSignHash" => "SHA512",
399 "ExpectedServerSignType" => "RSA-PSS",
400 "ExpectedResult" => "Success"
404 name => "RSA-PSS Certificate, no PSS signature algorithms",
405 server => $server_pss_only,
407 "SignatureAlgorithms" => "RSA+SHA256",
410 "ExpectedResult" => "ServerFail"
414 name => "Only RSA-PSS Restricted Certificate",
415 server => $server_pss_restrict_only,
418 "ExpectedServerCertType" => "RSA-PSS",
419 "ExpectedServerSignHash" => "SHA256",
420 "ExpectedServerSignType" => "RSA-PSS",
421 "ExpectedResult" => "Success"
425 name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
426 server => $server_pss_restrict_only,
428 "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
431 "ExpectedServerCertType" => "RSA-PSS",
432 "ExpectedServerSignHash" => "SHA256",
433 "ExpectedServerSignType" => "RSA-PSS",
434 "ExpectedResult" => "Success"
438 name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
439 server => $server_pss_restrict_only,
441 "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
444 "ExpectedServerCertType" => "RSA-PSS",
445 "ExpectedServerSignHash" => "SHA256",
446 "ExpectedServerSignType" => "RSA-PSS",
447 "ExpectedResult" => "Success"
451 name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
452 server => $server_pss_restrict_only,
454 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
457 "ExpectedResult" => "ServerFail"
461 name => "RSA key exchange with all RSA certificate types",
462 server => $server_rsa_all,
464 "CipherString" => "kRSA",
465 "MaxProtocol" => "TLSv1.2",
468 "ExpectedServerCertType" =>, "RSA",
469 "ExpectedResult" => "Success"
473 name => "RSA key exchange with only RSA-PSS certificate",
474 server => $server_pss_only,
476 "CipherString" => "kRSA",
477 "MaxProtocol" => "TLSv1.2",
480 "ExpectedResult" => "ServerFail"
484 name => "Suite B P-256 Hash Algorithm Selection",
486 "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
487 "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
488 "MaxProtocol" => "TLSv1.2",
489 "CipherString" => "SUITEB128"
492 "VerifyCAFile" => test_pem("p384-root.pem"),
493 "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
496 "ExpectedServerCertType" => "P-256",
497 "ExpectedServerSignHash" => "SHA256",
498 "ExpectedServerSignType" => "EC",
499 "ExpectedResult" => "Success"
503 name => "Suite B P-384 Hash Algorithm Selection",
505 "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
506 "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
507 "MaxProtocol" => "TLSv1.2",
508 "CipherString" => "SUITEB128"
511 "VerifyCAFile" => test_pem("p384-root.pem"),
512 "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
515 "ExpectedServerCertType" => "P-384",
516 "ExpectedServerSignHash" => "SHA384",
517 "ExpectedServerSignType" => "EC",
518 "ExpectedResult" => "Success"
522 name => "TLS 1.2 Ed25519 Client Auth",
524 "VerifyCAFile" => test_pem("root-cert.pem"),
525 "VerifyMode" => "Require"
528 "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
529 "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
530 "MinProtocol" => "TLSv1.2",
531 "MaxProtocol" => "TLSv1.2"
534 "ExpectedClientCertType" => "Ed25519",
535 "ExpectedClientSignType" => "Ed25519",
536 "ExpectedResult" => "Success"
540 name => "TLS 1.2 Ed448 Client Auth",
542 "VerifyCAFile" => test_pem("root-cert.pem"),
543 "VerifyMode" => "Require"
546 "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
547 "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
548 "MinProtocol" => "TLSv1.2",
549 "MaxProtocol" => "TLSv1.2"
552 "ExpectedClientCertType" => "Ed448",
553 "ExpectedClientSignType" => "Ed448",
554 "ExpectedResult" => "Success"
559 my @tests_tls_1_1 = (
561 name => "Only RSA-PSS Certificate, TLS v1.1",
562 server => $server_pss_only,
564 "MaxProtocol" => "TLSv1.1",
567 "ExpectedResult" => "ServerFail"
572 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
574 my $server_tls_1_3 = {
575 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
576 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
577 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
578 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
579 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
580 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
581 "MinProtocol" => "TLSv1.3",
582 "MaxProtocol" => "TLSv1.3"
585 my $server_tls_1_3_pss = {
586 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
587 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
588 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
589 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
590 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
591 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
592 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
593 "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
594 "MinProtocol" => "TLSv1.3",
595 "MaxProtocol" => "TLSv1.3"
598 my $client_tls_1_3 = {
599 "RSA.Certificate" => test_pem("ee-client-chain.pem"),
600 "RSA.PrivateKey" => test_pem("ee-key.pem"),
601 "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
602 "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
603 "MinProtocol" => "TLSv1.3",
604 "MaxProtocol" => "TLSv1.3"
607 my @tests_tls_1_3 = (
609 name => "TLS 1.3 ECDSA Signature Algorithm Selection",
610 server => $server_tls_1_3,
612 "SignatureAlgorithms" => "ECDSA+SHA256",
615 "ExpectedServerCertType" => "P-256",
616 "ExpectedServerSignHash" => "SHA256",
617 "ExpectedServerSignType" => "EC",
618 "ExpectedServerCANames" => "empty",
619 "ExpectedResult" => "Success"
623 name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
625 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
626 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
627 "MinProtocol" => "TLSv1.3",
628 "MaxProtocol" => "TLSv1.3"
631 "SignatureAlgorithms" => "ECDSA+SHA256",
634 "ExpectedServerCertType" => "P-256",
635 "ExpectedServerSignHash" => "SHA256",
636 "ExpectedServerSignType" => "EC",
637 "ExpectedServerCANames" => "empty",
638 "ExpectedResult" => "Success"
642 name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
643 server => $server_tls_1_3,
645 "SignatureAlgorithms" => "ECDSA+SHA1",
648 "ExpectedResult" => "ServerFail"
652 name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
653 server => $server_tls_1_3,
655 "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
656 "RequestCAFile" => test_pem("root-cert.pem"),
659 "ExpectedServerCertType" => "P-256",
660 "ExpectedServerSignHash" => "SHA256",
661 "ExpectedServerSignType" => "EC",
662 "ExpectedServerCANames" => test_pem("root-cert.pem"),
663 "ExpectedResult" => "Success"
667 name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
668 server => $server_tls_1_3,
670 "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
673 "ExpectedServerCertType" => "RSA",
674 "ExpectedServerSignHash" => "SHA384",
675 "ExpectedServerSignType" => "RSA-PSS",
676 "ExpectedResult" => "Success"
680 name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
682 "MinProtocol" => "TLSv1.3",
683 "MaxProtocol" => "TLSv1.3"
686 "SignatureAlgorithms" => "ECDSA+SHA256",
689 "ExpectedResult" => "ServerFail"
693 name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
694 server => $server_tls_1_3,
696 "SignatureAlgorithms" => "RSA+SHA256",
699 "ExpectedResult" => "ServerFail"
703 name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
704 server => $server_tls_1_3,
706 "SignatureAlgorithms" => "RSA-PSS+SHA256",
709 "ExpectedServerCertType" => "RSA",
710 "ExpectedServerSignHash" => "SHA256",
711 "ExpectedServerSignType" => "RSA-PSS",
712 "ExpectedResult" => "Success"
716 name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
717 server => $server_tls_1_3,
719 "SignatureAlgorithms" => "ed25519",
722 "ExpectedServerCertType" => "Ed25519",
723 "ExpectedServerSignType" => "Ed25519",
724 "ExpectedResult" => "Success"
728 name => "TLS 1.3 Ed448 Signature Algorithm Selection",
729 server => $server_tls_1_3,
731 "SignatureAlgorithms" => "ed448",
732 "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
735 "ExpectedServerCertType" => "Ed448",
736 "ExpectedServerSignType" => "Ed448",
737 "ExpectedResult" => "Success"
741 name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
742 server => $server_tls_1_3,
744 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
745 # Excluding P-256 from the supported groups list should
746 # mean server still uses a P-256 certificate because supported
747 # groups is not used in signature selection for TLS 1.3
751 "ExpectedServerCertType" =>, "P-256",
752 "ExpectedServerSignType" =>, "EC",
753 "ExpectedResult" => "Success"
757 name => "TLS 1.3 Ed448 CipherString and Groups Selection",
758 server => $server_tls_1_3,
760 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
761 # Excluding P-256 from the supported groups list should
762 # mean server still uses a P-256 certificate because supported
763 # groups is not used in signature selection for TLS 1.3
767 "ExpectedServerCertType" =>, "P-256",
768 "ExpectedServerSignType" =>, "EC",
769 "ExpectedResult" => "Success"
773 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
775 "ClientSignatureAlgorithms" => "PSS+SHA256",
776 "VerifyCAFile" => test_pem("root-cert.pem"),
777 "VerifyMode" => "Require"
779 client => $client_tls_1_3,
781 "ExpectedClientCertType" => "RSA",
782 "ExpectedClientSignHash" => "SHA256",
783 "ExpectedClientSignType" => "RSA-PSS",
784 "ExpectedClientCANames" => "empty",
785 "ExpectedResult" => "Success"
789 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
791 "ClientSignatureAlgorithms" => "PSS+SHA256",
792 "VerifyCAFile" => test_pem("root-cert.pem"),
793 "RequestCAFile" => test_pem("root-cert.pem"),
794 "VerifyMode" => "Require"
796 client => $client_tls_1_3,
798 "ExpectedClientCertType" => "RSA",
799 "ExpectedClientSignHash" => "SHA256",
800 "ExpectedClientSignType" => "RSA-PSS",
801 "ExpectedClientCANames" => test_pem("root-cert.pem"),
802 "ExpectedResult" => "Success"
806 name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
808 "ClientSignatureAlgorithms" => "ECDSA+SHA256",
809 "VerifyCAFile" => test_pem("root-cert.pem"),
810 "VerifyMode" => "Require"
812 client => $client_tls_1_3,
814 "ExpectedClientCertType" => "P-256",
815 "ExpectedClientSignHash" => "SHA256",
816 "ExpectedClientSignType" => "EC",
817 "ExpectedResult" => "Success"
821 name => "TLS 1.3 Ed25519 Client Auth",
823 "VerifyCAFile" => test_pem("root-cert.pem"),
824 "VerifyMode" => "Require"
827 "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
828 "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
829 "MinProtocol" => "TLSv1.3",
830 "MaxProtocol" => "TLSv1.3"
833 "ExpectedClientCertType" => "Ed25519",
834 "ExpectedClientSignType" => "Ed25519",
835 "ExpectedResult" => "Success"
839 name => "TLS 1.3 Ed448 Client Auth",
841 "VerifyCAFile" => test_pem("root-cert.pem"),
842 "VerifyMode" => "Require"
845 "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
846 "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
847 "MinProtocol" => "TLSv1.3",
848 "MaxProtocol" => "TLSv1.3"
851 "ExpectedClientCertType" => "Ed448",
852 "ExpectedClientSignType" => "Ed448",
853 "ExpectedResult" => "Success"
857 name => "TLS 1.3 ECDSA with brainpool",
859 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
860 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
861 "Groups" => "brainpoolP256r1",
864 "RequestCAFile" => test_pem("root-cert.pem"),
865 "Groups" => "brainpoolP256r1",
866 "MinProtocol" => "TLSv1.3",
867 "MaxProtocol" => "TLSv1.3"
870 "ExpectedResult" => "ServerFail"
875 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
877 my @tests_dsa_tls_1_2 = (
879 name => "TLS 1.2 DSA Certificate Test",
881 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
882 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
883 "DHParameters" => test_pem("dhp2048.pem"),
884 "MinProtocol" => "TLSv1.2",
885 "MaxProtocol" => "TLSv1.2",
886 "CipherString" => "ALL",
889 "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
890 "CipherString" => "ALL",
893 "ExpectedResult" => "Success"
898 my @tests_dsa_tls_1_3 = (
900 name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
902 "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
903 "VerifyCAFile" => test_pem("root-cert.pem"),
904 "VerifyMode" => "Request"
908 "ExpectedResult" => "ServerFail"
912 name => "TLS 1.3 DSA Certificate Test",
914 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
915 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
916 "MinProtocol" => "TLSv1.3",
917 "MaxProtocol" => "TLSv1.3",
918 "CipherString" => "ALL",
921 "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
922 "CipherString" => "ALL",
925 "ExpectedResult" => "ServerFail"
930 if (!disabled("dsa")) {
931 push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
932 push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");