3 ## SSL test configurations
10 use OpenSSL::Test::Utils;
13 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
14 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
15 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
16 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
17 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
18 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
19 "MaxProtocol" => "TLSv1.2"
23 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
24 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
25 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
26 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
27 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
28 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
29 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
30 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
31 "MaxProtocol" => "TLSv1.2"
34 my $server_pss_only = {
35 "Certificate" => test_pem("server-pss-cert.pem"),
36 "PrivateKey" => test_pem("server-pss-key.pem"),
39 my $server_pss_restrict_only = {
40 "Certificate" => test_pem("server-pss-restrict-cert.pem"),
41 "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
45 my $server_rsa_all = {
46 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
47 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
48 "Certificate" => test_pem("servercert.pem"),
49 "PrivateKey" => test_pem("serverkey.pem"),
54 name => "ECDSA CipherString Selection",
57 "CipherString" => "aECDSA",
58 "MaxProtocol" => "TLSv1.2",
59 "RequestCAFile" => test_pem("root-cert.pem"),
62 "ExpectedServerCertType" =>, "P-256",
63 "ExpectedServerSignType" =>, "EC",
64 # Note: certificate_authorities not sent for TLS < 1.3
65 "ExpectedServerCANames" =>, "empty",
66 "ExpectedResult" => "Success"
70 name => "ECDSA CipherString Selection",
72 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
73 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
74 "MaxProtocol" => "TLSv1.2",
75 #Deliberately set supported_groups to one not in the cert. This
80 "CipherString" => "aECDSA",
81 "MaxProtocol" => "TLSv1.2",
82 "Groups" => "P-256:P-384",
83 "RequestCAFile" => test_pem("root-cert.pem"),
86 "ExpectedServerCertType" =>, "P-256",
87 "ExpectedServerSignType" =>, "EC",
88 # Note: certificate_authorities not sent for TLS < 1.3
89 "ExpectedServerCANames" =>, "empty",
90 "ExpectedResult" => "Success"
94 name => "ECDSA CipherString Selection",
96 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
97 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
98 "MaxProtocol" => "TLSv1.2",
99 "Groups" => "P-256:P-384"
102 "CipherString" => "aECDSA",
103 "MaxProtocol" => "TLSv1.2",
104 #Deliberately set groups to not include the certificate group. This
107 "RequestCAFile" => test_pem("root-cert.pem"),
110 "ExpectedResult" => "ServerFail"
114 name => "Ed25519 CipherString and Signature Algorithm Selection",
117 "CipherString" => "aECDSA",
118 "MaxProtocol" => "TLSv1.2",
119 "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
120 "RequestCAFile" => test_pem("root-cert.pem"),
123 "ExpectedServerCertType" =>, "Ed25519",
124 "ExpectedServerSignType" =>, "Ed25519",
125 # Note: certificate_authorities not sent for TLS < 1.3
126 "ExpectedServerCANames" =>, "empty",
127 "ExpectedResult" => "Success"
131 name => "Ed448 CipherString and Signature Algorithm Selection",
134 "CipherString" => "aECDSA",
135 "MaxProtocol" => "TLSv1.2",
136 "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
137 "RequestCAFile" => test_pem("root-cert.pem"),
140 "ExpectedServerCertType" =>, "Ed448",
141 "ExpectedServerSignType" =>, "Ed448",
142 # Note: certificate_authorities not sent for TLS < 1.3
143 "ExpectedServerCANames" =>, "empty",
144 "ExpectedResult" => "Success"
148 name => "ECDSA with brainpool",
150 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
151 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
152 "Groups" => "brainpoolP256r1",
155 #We don't restrict this to TLSv1.2, although use of brainpool
156 #should force this anyway so that this should succeed
157 "CipherString" => "aECDSA",
158 "RequestCAFile" => test_pem("root-cert.pem"),
159 "Groups" => "brainpoolP256r1",
162 "ExpectedServerCertType" =>, "brainpoolP256r1",
163 "ExpectedServerSignType" =>, "EC",
164 # Note: certificate_authorities not sent for TLS < 1.3
165 "ExpectedServerCANames" =>, "empty",
166 "ExpectedResult" => "Success"
170 name => "RSA CipherString Selection",
173 "CipherString" => "aRSA",
174 "MaxProtocol" => "TLSv1.2",
177 "ExpectedServerCertType" =>, "RSA",
178 "ExpectedServerSignType" =>, "RSA-PSS",
179 "ExpectedResult" => "Success"
183 name => "RSA-PSS Certificate CipherString Selection",
184 server => $server_pss,
186 "CipherString" => "aRSA",
187 "MaxProtocol" => "TLSv1.2",
190 "ExpectedServerCertType" =>, "RSA-PSS",
191 "ExpectedServerSignType" =>, "RSA-PSS",
192 "ExpectedResult" => "Success"
196 name => "P-256 CipherString and Signature Algorithm Selection",
199 "CipherString" => "aECDSA",
200 "MaxProtocol" => "TLSv1.2",
201 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
204 "ExpectedServerCertType" => "P-256",
205 "ExpectedServerSignHash" => "SHA256",
206 "ExpectedServerSignType" => "EC",
207 "ExpectedResult" => "Success"
211 name => "Ed25519 CipherString and Curves Selection",
214 "CipherString" => "aECDSA",
215 "MaxProtocol" => "TLSv1.2",
216 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
217 # Excluding P-256 from the supported curves list means server
218 # certificate should be Ed25519 and not P-256
222 "ExpectedServerCertType" =>, "Ed25519",
223 "ExpectedServerSignType" =>, "Ed25519",
224 "ExpectedResult" => "Success"
228 name => "Ed448 CipherString and Curves Selection",
231 "CipherString" => "aECDSA",
232 "MaxProtocol" => "TLSv1.2",
233 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
234 # Excluding P-256 from the supported curves list means server
235 # certificate should be Ed25519 and not P-256
239 "ExpectedServerCertType" =>, "Ed448",
240 "ExpectedServerSignType" =>, "Ed448",
241 "ExpectedResult" => "Success"
245 name => "ECDSA CipherString Selection, no ECDSA certificate",
247 "MaxProtocol" => "TLSv1.2"
250 "CipherString" => "aECDSA",
251 "MaxProtocol" => "TLSv1.2"
254 "ExpectedResult" => "ServerFail"
258 name => "ECDSA Signature Algorithm Selection",
261 "SignatureAlgorithms" => "ECDSA+SHA256",
264 "ExpectedServerCertType" => "P-256",
265 "ExpectedServerSignHash" => "SHA256",
266 "ExpectedServerSignType" => "EC",
267 "ExpectedResult" => "Success"
271 name => "ECDSA Signature Algorithm Selection SHA384",
274 "SignatureAlgorithms" => "ECDSA+SHA384",
277 "ExpectedServerCertType" => "P-256",
278 "ExpectedServerSignHash" => "SHA384",
279 "ExpectedServerSignType" => "EC",
280 "ExpectedResult" => "Success"
284 name => "ECDSA Signature Algorithm Selection SHA1",
287 "SignatureAlgorithms" => "ECDSA+SHA1",
290 "ExpectedServerCertType" => "P-256",
291 "ExpectedServerSignHash" => "SHA1",
292 "ExpectedServerSignType" => "EC",
293 "ExpectedResult" => "Success"
297 name => "ECDSA Signature Algorithm Selection compressed point",
299 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
300 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
301 "MaxProtocol" => "TLSv1.2"
304 "SignatureAlgorithms" => "ECDSA+SHA256",
307 "ExpectedServerCertType" => "P-256",
308 "ExpectedServerSignHash" => "SHA256",
309 "ExpectedServerSignType" => "EC",
310 "ExpectedResult" => "Success"
314 name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
316 "MaxProtocol" => "TLSv1.2"
319 "SignatureAlgorithms" => "ECDSA+SHA256",
322 "ExpectedResult" => "ServerFail"
326 name => "RSA Signature Algorithm Selection",
329 "SignatureAlgorithms" => "RSA+SHA256",
332 "ExpectedServerCertType" => "RSA",
333 "ExpectedServerSignHash" => "SHA256",
334 "ExpectedServerSignType" => "RSA",
335 "ExpectedResult" => "Success"
339 name => "RSA-PSS Signature Algorithm Selection",
342 "SignatureAlgorithms" => "RSA-PSS+SHA256",
345 "ExpectedServerCertType" => "RSA",
346 "ExpectedServerSignHash" => "SHA256",
347 "ExpectedServerSignType" => "RSA-PSS",
348 "ExpectedResult" => "Success"
352 name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
353 server => $server_pss,
355 "SignatureAlgorithms" => "RSA-PSS+SHA256",
358 "ExpectedServerCertType" => "RSA",
359 "ExpectedServerSignHash" => "SHA256",
360 "ExpectedServerSignType" => "RSA-PSS",
361 "ExpectedResult" => "Success"
365 name => "RSA-PSS Certificate Unified Signature Algorithm Selection",
366 server => $server_pss,
368 "SignatureAlgorithms" => "rsa_pss_pss_sha256",
371 "ExpectedServerCertType" => "RSA-PSS",
372 "ExpectedServerSignHash" => "SHA256",
373 "ExpectedServerSignType" => "RSA-PSS",
374 "ExpectedResult" => "Success"
378 name => "Only RSA-PSS Certificate",
379 server => $server_pss_only,
382 "ExpectedServerCertType" => "RSA-PSS",
383 "ExpectedServerSignHash" => "SHA256",
384 "ExpectedServerSignType" => "RSA-PSS",
385 "ExpectedResult" => "Success"
389 name => "Only RSA-PSS Certificate Valid Signature Algorithms",
390 server => $server_pss_only,
392 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
395 "ExpectedServerCertType" => "RSA-PSS",
396 "ExpectedServerSignHash" => "SHA512",
397 "ExpectedServerSignType" => "RSA-PSS",
398 "ExpectedResult" => "Success"
402 name => "RSA-PSS Certificate, no PSS signature algorithms",
403 server => $server_pss_only,
405 "SignatureAlgorithms" => "RSA+SHA256",
408 "ExpectedResult" => "ServerFail"
412 name => "Only RSA-PSS Restricted Certificate",
413 server => $server_pss_restrict_only,
416 "ExpectedServerCertType" => "RSA-PSS",
417 "ExpectedServerSignHash" => "SHA256",
418 "ExpectedServerSignType" => "RSA-PSS",
419 "ExpectedResult" => "Success"
423 name => "RSA-PSS Restricted Certificate Valid Signature Algorithms",
424 server => $server_pss_restrict_only,
426 "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512",
429 "ExpectedServerCertType" => "RSA-PSS",
430 "ExpectedServerSignHash" => "SHA256",
431 "ExpectedServerSignType" => "RSA-PSS",
432 "ExpectedResult" => "Success"
436 name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm",
437 server => $server_pss_restrict_only,
439 "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256",
442 "ExpectedServerCertType" => "RSA-PSS",
443 "ExpectedServerSignHash" => "SHA256",
444 "ExpectedServerSignType" => "RSA-PSS",
445 "ExpectedResult" => "Success"
449 name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms",
450 server => $server_pss_restrict_only,
452 "SignatureAlgorithms" => "rsa_pss_pss_sha512",
455 "ExpectedResult" => "ServerFail"
459 name => "RSA key exchange with all RSA certificate types",
460 server => $server_rsa_all,
462 "CipherString" => "kRSA",
463 "MaxProtocol" => "TLSv1.2",
466 "ExpectedServerCertType" =>, "RSA",
467 "ExpectedResult" => "Success"
471 name => "RSA key exchange with only RSA-PSS certificate",
472 server => $server_pss_only,
474 "CipherString" => "kRSA",
475 "MaxProtocol" => "TLSv1.2",
478 "ExpectedResult" => "ServerFail"
482 name => "Suite B P-256 Hash Algorithm Selection",
484 "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
485 "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
486 "MaxProtocol" => "TLSv1.2",
487 "CipherString" => "SUITEB128"
490 "VerifyCAFile" => test_pem("p384-root.pem"),
491 "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
494 "ExpectedServerCertType" => "P-256",
495 "ExpectedServerSignHash" => "SHA256",
496 "ExpectedServerSignType" => "EC",
497 "ExpectedResult" => "Success"
501 name => "Suite B P-384 Hash Algorithm Selection",
503 "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
504 "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
505 "MaxProtocol" => "TLSv1.2",
506 "CipherString" => "SUITEB128"
509 "VerifyCAFile" => test_pem("p384-root.pem"),
510 "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
513 "ExpectedServerCertType" => "P-384",
514 "ExpectedServerSignHash" => "SHA384",
515 "ExpectedServerSignType" => "EC",
516 "ExpectedResult" => "Success"
520 name => "TLS 1.2 Ed25519 Client Auth",
522 "VerifyCAFile" => test_pem("root-cert.pem"),
523 "VerifyMode" => "Require"
526 "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
527 "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
528 "MinProtocol" => "TLSv1.2",
529 "MaxProtocol" => "TLSv1.2"
532 "ExpectedClientCertType" => "Ed25519",
533 "ExpectedClientSignType" => "Ed25519",
534 "ExpectedResult" => "Success"
538 name => "TLS 1.2 Ed448 Client Auth",
540 "VerifyCAFile" => test_pem("root-cert.pem"),
541 "VerifyMode" => "Require"
544 "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
545 "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
546 "MinProtocol" => "TLSv1.2",
547 "MaxProtocol" => "TLSv1.2"
550 "ExpectedClientCertType" => "Ed448",
551 "ExpectedClientSignType" => "Ed448",
552 "ExpectedResult" => "Success"
557 my @tests_tls_1_1 = (
559 name => "Only RSA-PSS Certificate, TLS v1.1",
560 server => $server_pss_only,
562 "MaxProtocol" => "TLSv1.1",
565 "ExpectedResult" => "ServerFail"
570 push @tests, @tests_tls_1_1 unless disabled("tls1_1");
572 my $server_tls_1_3 = {
573 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
574 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
575 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
576 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
577 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
578 "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
579 "MinProtocol" => "TLSv1.3",
580 "MaxProtocol" => "TLSv1.3"
583 my $server_tls_1_3_pss = {
584 "PSS.Certificate" => test_pem("server-pss-cert.pem"),
585 "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
586 "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
587 "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
588 "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
589 "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
590 "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
591 "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
592 "MinProtocol" => "TLSv1.3",
593 "MaxProtocol" => "TLSv1.3"
596 my $client_tls_1_3 = {
597 "RSA.Certificate" => test_pem("ee-client-chain.pem"),
598 "RSA.PrivateKey" => test_pem("ee-key.pem"),
599 "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
600 "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
601 "MinProtocol" => "TLSv1.3",
602 "MaxProtocol" => "TLSv1.3"
605 my @tests_tls_1_3 = (
607 name => "TLS 1.3 ECDSA Signature Algorithm Selection",
608 server => $server_tls_1_3,
610 "SignatureAlgorithms" => "ECDSA+SHA256",
613 "ExpectedServerCertType" => "P-256",
614 "ExpectedServerSignHash" => "SHA256",
615 "ExpectedServerSignType" => "EC",
616 "ExpectedServerCANames" => "empty",
617 "ExpectedResult" => "Success"
621 name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
623 "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
624 "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
625 "MinProtocol" => "TLSv1.3",
626 "MaxProtocol" => "TLSv1.3"
629 "SignatureAlgorithms" => "ECDSA+SHA256",
632 "ExpectedServerCertType" => "P-256",
633 "ExpectedServerSignHash" => "SHA256",
634 "ExpectedServerSignType" => "EC",
635 "ExpectedServerCANames" => "empty",
636 "ExpectedResult" => "Success"
640 name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
641 server => $server_tls_1_3,
643 "SignatureAlgorithms" => "ECDSA+SHA1",
646 "ExpectedResult" => "ServerFail"
650 name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
651 server => $server_tls_1_3,
653 "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
654 "RequestCAFile" => test_pem("root-cert.pem"),
657 "ExpectedServerCertType" => "P-256",
658 "ExpectedServerSignHash" => "SHA256",
659 "ExpectedServerSignType" => "EC",
660 "ExpectedServerCANames" => test_pem("root-cert.pem"),
661 "ExpectedResult" => "Success"
665 name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
666 server => $server_tls_1_3,
668 "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
671 "ExpectedServerCertType" => "RSA",
672 "ExpectedServerSignHash" => "SHA384",
673 "ExpectedServerSignType" => "RSA-PSS",
674 "ExpectedResult" => "Success"
678 name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
680 "MinProtocol" => "TLSv1.3",
681 "MaxProtocol" => "TLSv1.3"
684 "SignatureAlgorithms" => "ECDSA+SHA256",
687 "ExpectedResult" => "ServerFail"
691 name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
692 server => $server_tls_1_3,
694 "SignatureAlgorithms" => "RSA+SHA256",
697 "ExpectedResult" => "ServerFail"
701 name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
702 server => $server_tls_1_3,
704 "SignatureAlgorithms" => "RSA-PSS+SHA256",
707 "ExpectedServerCertType" => "RSA",
708 "ExpectedServerSignHash" => "SHA256",
709 "ExpectedServerSignType" => "RSA-PSS",
710 "ExpectedResult" => "Success"
714 name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
715 server => $server_tls_1_3,
717 "SignatureAlgorithms" => "ed25519",
720 "ExpectedServerCertType" => "Ed25519",
721 "ExpectedServerSignType" => "Ed25519",
722 "ExpectedResult" => "Success"
726 name => "TLS 1.3 Ed448 Signature Algorithm Selection",
727 server => $server_tls_1_3,
729 "SignatureAlgorithms" => "ed448",
732 "ExpectedServerCertType" => "Ed448",
733 "ExpectedServerSignType" => "Ed448",
734 "ExpectedResult" => "Success"
738 name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
739 server => $server_tls_1_3,
741 "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
742 # Excluding P-256 from the supported groups list should
743 # mean server still uses a P-256 certificate because supported
744 # groups is not used in signature selection for TLS 1.3
748 "ExpectedServerCertType" =>, "P-256",
749 "ExpectedServerSignType" =>, "EC",
750 "ExpectedResult" => "Success"
754 name => "TLS 1.3 Ed448 CipherString and Groups Selection",
755 server => $server_tls_1_3,
757 "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
758 # Excluding P-256 from the supported groups list should
759 # mean server still uses a P-256 certificate because supported
760 # groups is not used in signature selection for TLS 1.3
764 "ExpectedServerCertType" =>, "P-256",
765 "ExpectedServerSignType" =>, "EC",
766 "ExpectedResult" => "Success"
770 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
772 "ClientSignatureAlgorithms" => "PSS+SHA256",
773 "VerifyCAFile" => test_pem("root-cert.pem"),
774 "VerifyMode" => "Require"
776 client => $client_tls_1_3,
778 "ExpectedClientCertType" => "RSA",
779 "ExpectedClientSignHash" => "SHA256",
780 "ExpectedClientSignType" => "RSA-PSS",
781 "ExpectedClientCANames" => "empty",
782 "ExpectedResult" => "Success"
786 name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
788 "ClientSignatureAlgorithms" => "PSS+SHA256",
789 "VerifyCAFile" => test_pem("root-cert.pem"),
790 "RequestCAFile" => test_pem("root-cert.pem"),
791 "VerifyMode" => "Require"
793 client => $client_tls_1_3,
795 "ExpectedClientCertType" => "RSA",
796 "ExpectedClientSignHash" => "SHA256",
797 "ExpectedClientSignType" => "RSA-PSS",
798 "ExpectedClientCANames" => test_pem("root-cert.pem"),
799 "ExpectedResult" => "Success"
803 name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
805 "ClientSignatureAlgorithms" => "ECDSA+SHA256",
806 "VerifyCAFile" => test_pem("root-cert.pem"),
807 "VerifyMode" => "Require"
809 client => $client_tls_1_3,
811 "ExpectedClientCertType" => "P-256",
812 "ExpectedClientSignHash" => "SHA256",
813 "ExpectedClientSignType" => "EC",
814 "ExpectedResult" => "Success"
818 name => "TLS 1.3 Ed25519 Client Auth",
820 "VerifyCAFile" => test_pem("root-cert.pem"),
821 "VerifyMode" => "Require"
824 "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"),
825 "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"),
826 "MinProtocol" => "TLSv1.3",
827 "MaxProtocol" => "TLSv1.3"
830 "ExpectedClientCertType" => "Ed25519",
831 "ExpectedClientSignType" => "Ed25519",
832 "ExpectedResult" => "Success"
836 name => "TLS 1.3 Ed448 Client Auth",
838 "VerifyCAFile" => test_pem("root-cert.pem"),
839 "VerifyMode" => "Require"
842 "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"),
843 "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"),
844 "MinProtocol" => "TLSv1.3",
845 "MaxProtocol" => "TLSv1.3"
848 "ExpectedClientCertType" => "Ed448",
849 "ExpectedClientSignType" => "Ed448",
850 "ExpectedResult" => "Success"
854 name => "TLS 1.3 ECDSA with brainpool",
856 "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
857 "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
858 "Groups" => "brainpoolP256r1",
861 "RequestCAFile" => test_pem("root-cert.pem"),
862 "Groups" => "brainpoolP256r1",
863 "MinProtocol" => "TLSv1.3",
864 "MaxProtocol" => "TLSv1.3"
867 "ExpectedResult" => "ServerFail"
872 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
874 my @tests_dsa_tls_1_2 = (
876 name => "TLS 1.2 DSA Certificate Test",
878 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
879 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
880 "DHParameters" => test_pem("dhp2048.pem"),
881 "MinProtocol" => "TLSv1.2",
882 "MaxProtocol" => "TLSv1.2",
883 "CipherString" => "ALL",
886 "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
887 "CipherString" => "ALL",
890 "ExpectedResult" => "Success"
895 my @tests_dsa_tls_1_3 = (
897 name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
899 "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
900 "VerifyCAFile" => test_pem("root-cert.pem"),
901 "VerifyMode" => "Request"
905 "ExpectedResult" => "ServerFail"
909 name => "TLS 1.3 DSA Certificate Test",
911 "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
912 "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
913 "MinProtocol" => "TLSv1.3",
914 "MaxProtocol" => "TLSv1.3",
915 "CipherString" => "ALL",
918 "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
919 "CipherString" => "ALL",
922 "ExpectedResult" => "ServerFail"
927 if (!disabled("dsa")) {
928 push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
929 push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");