Change Post Handshake auth so that it is opt-in
[openssl.git] / test / ssl-tests / 26-tls13_client_auth.conf
3 # Generated with generate_ssl_tests.pl
# NOTE(review): this is generated output, so hand edits here are presumably
# lost when the generator is re-run; changes belong in the generator's input.
# num_tests equals the number of test-N entries listed below (test-0..test-13).
# Going by the names and the HandshakeMode keys further down, tests 0-5 cover
# certificate authentication during the handshake and tests 6-13 cover
# post-handshake authentication (PHA), which the page title says is opt-in.
2
3 num_tests = 14
4
5 test-0 = 0-server-auth-TLSv1.3
6 test-1 = 1-client-auth-TLSv1.3-request
7 test-2 = 2-client-auth-TLSv1.3-require-fail
8 test-3 = 3-client-auth-TLSv1.3-require
9 test-4 = 4-client-auth-TLSv1.3-require-non-empty-names
10 test-5 = 5-client-auth-TLSv1.3-noroot
11 test-6 = 6-client-auth-TLSv1.3-request-post-handshake
12 test-7 = 7-client-auth-TLSv1.3-require-fail-post-handshake
13 test-8 = 8-client-auth-TLSv1.3-require-post-handshake
14 test-9 = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake
15 test-10 = 10-client-auth-TLSv1.3-noroot-post-handshake
16 test-11 = 11-client-auth-TLSv1.3-request-force-client-post-handshake
17 test-12 = 12-client-auth-TLSv1.3-request-force-server-post-handshake
18 test-13 = 13-client-auth-TLSv1.3-request-force-both-post-handshake
19 # ===========================================================
20
# Baseline: server authentication only.
# Both endpoints pin MinProtocol and MaxProtocol to TLSv1.3, so no other
# protocol version can be negotiated in this test.
# The server section sets no VerifyMode; the client verifies the server
# (VerifyMode = Peer) against rootcert.pem. The handshake is expected to succeed.
21 [0-server-auth-TLSv1.3]
22 ssl_conf = 0-server-auth-TLSv1.3-ssl
23
24 [0-server-auth-TLSv1.3-ssl]
25 server = 0-server-auth-TLSv1.3-server
26 client = 0-server-auth-TLSv1.3-client
27
28 [0-server-auth-TLSv1.3-server]
29 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
30 CipherString = DEFAULT
31 MaxProtocol = TLSv1.3
32 MinProtocol = TLSv1.3
33 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
34
35 [0-server-auth-TLSv1.3-client]
36 CipherString = DEFAULT
37 MaxProtocol = TLSv1.3
38 MinProtocol = TLSv1.3
39 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
40 VerifyMode = Peer
41
42 [test-0]
43 ExpectedResult = Success
44
45
46 # ===========================================================
47
# The server asks for a client certificate (VerifyMode = Request), but the
# client section configures no Certificate or PrivateKey.
# ExpectedResult = Success pins that Request tolerates a client which presents
# no certificate. A deployment relying on Request therefore has to check for
# itself whether a certificate was presented before treating the peer as
# authenticated.
48 [1-client-auth-TLSv1.3-request]
49 ssl_conf = 1-client-auth-TLSv1.3-request-ssl
50
51 [1-client-auth-TLSv1.3-request-ssl]
52 server = 1-client-auth-TLSv1.3-request-server
53 client = 1-client-auth-TLSv1.3-request-client
54
55 [1-client-auth-TLSv1.3-request-server]
56 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
57 CipherString = DEFAULT
58 MaxProtocol = TLSv1.3
59 MinProtocol = TLSv1.3
60 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
61 VerifyMode = Request
62
63 [1-client-auth-TLSv1.3-request-client]
64 CipherString = DEFAULT
65 MaxProtocol = TLSv1.3
66 MinProtocol = TLSv1.3
67 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
68 VerifyMode = Peer
69
70 [test-1]
71 ExpectedResult = Success
72
73
74 # ===========================================================
75
# Negative test for mandatory client authentication.
# The server sets VerifyMode = Require and the client section configures no
# certificate, so the server is expected to abort the handshake
# (ExpectedResult = ServerFail) with the CertificateRequired alert.
# Asserting the alert as well as the result pins the reason for the failure.
76 [2-client-auth-TLSv1.3-require-fail]
77 ssl_conf = 2-client-auth-TLSv1.3-require-fail-ssl
78
79 [2-client-auth-TLSv1.3-require-fail-ssl]
80 server = 2-client-auth-TLSv1.3-require-fail-server
81 client = 2-client-auth-TLSv1.3-require-fail-client
82
83 [2-client-auth-TLSv1.3-require-fail-server]
84 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
85 CipherString = DEFAULT
86 MaxProtocol = TLSv1.3
87 MinProtocol = TLSv1.3
88 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
89 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
90 VerifyMode = Require
91
92 [2-client-auth-TLSv1.3-require-fail-client]
93 CipherString = DEFAULT
94 MaxProtocol = TLSv1.3
95 MinProtocol = TLSv1.3
96 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
97 VerifyMode = Peer
98
99 [test-2]
100 ExpectedResult = ServerFail
101 ExpectedServerAlert = CertificateRequired
102
103
104 # ===========================================================
105
# Positive client-authentication test: the client presents ee-client-chain.pem
# and the server verifies it against root-cert.pem.
# NOTE(review): the test is named "require" but the server section sets
# VerifyMode = Request, so this success path does not show that Require accepts
# a valid certificate. Confirm in the generator's input that this is intended.
# The server trusts root-cert.pem while the client trusts rootcert.pem; the
# names differ by a hyphen and are presumably two separate trust anchors.
# ClientSignatureAlgorithms = PSS+SHA256 restricts the client's signature, and
# [test-3] asserts the matching certificate type, hash and signature type.
# ExpectedClientCANames = empty goes with the absence of a ClientCAFile key.
106 [3-client-auth-TLSv1.3-require]
107 ssl_conf = 3-client-auth-TLSv1.3-require-ssl
108
109 [3-client-auth-TLSv1.3-require-ssl]
110 server = 3-client-auth-TLSv1.3-require-server
111 client = 3-client-auth-TLSv1.3-require-client
112
113 [3-client-auth-TLSv1.3-require-server]
114 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
115 CipherString = DEFAULT
116 ClientSignatureAlgorithms = PSS+SHA256
117 MaxProtocol = TLSv1.3
118 MinProtocol = TLSv1.3
119 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
120 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
121 VerifyMode = Request
122
123 [3-client-auth-TLSv1.3-require-client]
124 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
125 CipherString = DEFAULT
126 MaxProtocol = TLSv1.3
127 MinProtocol = TLSv1.3
128 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
129 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
130 VerifyMode = Peer
131
132 [test-3]
133 ExpectedClientCANames = empty
134 ExpectedClientCertType = RSA
135 ExpectedClientSignHash = SHA256
136 ExpectedClientSignType = RSA-PSS
137 ExpectedResult = Success
138
139
140 # ===========================================================
141
# Same shape as the plain "require" test, with ClientCAFile added on the
# server. [test-4] then expects the CA names seen by the client to be those of
# root-cert.pem instead of an empty list.
# NOTE(review): as in the plain "require" test, the server VerifyMode is
# Request although the test name says "require" - confirm in the generator's
# input.
142 [4-client-auth-TLSv1.3-require-non-empty-names]
143 ssl_conf = 4-client-auth-TLSv1.3-require-non-empty-names-ssl
144
145 [4-client-auth-TLSv1.3-require-non-empty-names-ssl]
146 server = 4-client-auth-TLSv1.3-require-non-empty-names-server
147 client = 4-client-auth-TLSv1.3-require-non-empty-names-client
148
149 [4-client-auth-TLSv1.3-require-non-empty-names-server]
150 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
151 CipherString = DEFAULT
152 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
153 ClientSignatureAlgorithms = PSS+SHA256
154 MaxProtocol = TLSv1.3
155 MinProtocol = TLSv1.3
156 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
157 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
158 VerifyMode = Request
159
160 [4-client-auth-TLSv1.3-require-non-empty-names-client]
161 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
162 CipherString = DEFAULT
163 MaxProtocol = TLSv1.3
164 MinProtocol = TLSv1.3
165 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
166 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
167 VerifyMode = Peer
168
169 [test-4]
170 ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
171 ExpectedClientCertType = RSA
172 ExpectedClientSignHash = SHA256
173 ExpectedClientSignType = RSA-PSS
174 ExpectedResult = Success
175
176
177 # ===========================================================
178
# Negative test: the client presents a certificate chain, but the server
# section has VerifyMode = Require and no VerifyCAFile, so the server has no
# trust anchor configured here for that chain.
# The expected outcome is a server-side failure with the UnknownCA alert: an
# untrusted certificate must be rejected, not treated as "a certificate was
# presented".
179 [5-client-auth-TLSv1.3-noroot]
180 ssl_conf = 5-client-auth-TLSv1.3-noroot-ssl
181
182 [5-client-auth-TLSv1.3-noroot-ssl]
183 server = 5-client-auth-TLSv1.3-noroot-server
184 client = 5-client-auth-TLSv1.3-noroot-client
185
186 [5-client-auth-TLSv1.3-noroot-server]
187 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
188 CipherString = DEFAULT
189 MaxProtocol = TLSv1.3
190 MinProtocol = TLSv1.3
191 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
192 VerifyMode = Require
193
194 [5-client-auth-TLSv1.3-noroot-client]
195 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
196 CipherString = DEFAULT
197 MaxProtocol = TLSv1.3
198 MinProtocol = TLSv1.3
199 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
200 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
201 VerifyMode = Peer
202
203 [test-5]
204 ExpectedResult = ServerFail
205 ExpectedServerAlert = UnknownCA
206
207
208 # ===========================================================
209
# Post-handshake authentication (HandshakeMode = PostHandshakeAuth) against a
# client that has not opted in: [test-6] references no client "-extra" section
# with EnablePHA.
# The server uses VerifyMode = RequestPostHandshake and the expected result is
# ServerFail - presumably because the server cannot start post-handshake
# authentication with a client that did not opt in (see the page title).
# No alert is asserted, so only the failing side is pinned, not the reason.
210 [6-client-auth-TLSv1.3-request-post-handshake]
211 ssl_conf = 6-client-auth-TLSv1.3-request-post-handshake-ssl
212
213 [6-client-auth-TLSv1.3-request-post-handshake-ssl]
214 server = 6-client-auth-TLSv1.3-request-post-handshake-server
215 client = 6-client-auth-TLSv1.3-request-post-handshake-client
216
217 [6-client-auth-TLSv1.3-request-post-handshake-server]
218 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
219 CipherString = DEFAULT
220 MaxProtocol = TLSv1.3
221 MinProtocol = TLSv1.3
222 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
223 VerifyMode = RequestPostHandshake
224
225 [6-client-auth-TLSv1.3-request-post-handshake-client]
226 CipherString = DEFAULT
227 MaxProtocol = TLSv1.3
228 MinProtocol = TLSv1.3
229 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
230 VerifyMode = Peer
231
232 [test-6]
233 ExpectedResult = ServerFail
234 HandshakeMode = PostHandshakeAuth
235
236
237 # ===========================================================
238
# Post-handshake counterpart of the in-handshake "require-fail" test: the
# server uses VerifyMode = RequirePostHandshake, and the client has neither a
# certificate nor an EnablePHA opt-in.
# NOTE(review): unlike [test-2], no ExpectedServerAlert is asserted, so the
# test pins that the server side fails but not why. The failure may come from
# the missing opt-in rather than from the missing certificate - confirm
# against the test harness.
239 [7-client-auth-TLSv1.3-require-fail-post-handshake]
240 ssl_conf = 7-client-auth-TLSv1.3-require-fail-post-handshake-ssl
241
242 [7-client-auth-TLSv1.3-require-fail-post-handshake-ssl]
243 server = 7-client-auth-TLSv1.3-require-fail-post-handshake-server
244 client = 7-client-auth-TLSv1.3-require-fail-post-handshake-client
245
246 [7-client-auth-TLSv1.3-require-fail-post-handshake-server]
247 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
248 CipherString = DEFAULT
249 MaxProtocol = TLSv1.3
250 MinProtocol = TLSv1.3
251 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
252 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
253 VerifyMode = RequirePostHandshake
254
255 [7-client-auth-TLSv1.3-require-fail-post-handshake-client]
256 CipherString = DEFAULT
257 MaxProtocol = TLSv1.3
258 MinProtocol = TLSv1.3
259 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
260 VerifyMode = Peer
261
262 [test-7]
263 ExpectedResult = ServerFail
264 HandshakeMode = PostHandshakeAuth
265
266
267 # ===========================================================
268
# Positive post-handshake authentication test. The client opts in through the
# "-client-extra" section referenced from [test-8] (EnablePHA = Yes) and
# presents ee-client-chain.pem; the server verifies it against root-cert.pem.
# NOTE(review): the test is named "require" but the server section sets
# VerifyMode = RequestPostHandshake, so the Require variant's success path is
# not exercised here - confirm in the generator's input.
# The signature expectations mirror ClientSignatureAlgorithms = PSS+SHA256.
269 [8-client-auth-TLSv1.3-require-post-handshake]
270 ssl_conf = 8-client-auth-TLSv1.3-require-post-handshake-ssl
271
272 [8-client-auth-TLSv1.3-require-post-handshake-ssl]
273 server = 8-client-auth-TLSv1.3-require-post-handshake-server
274 client = 8-client-auth-TLSv1.3-require-post-handshake-client
275
276 [8-client-auth-TLSv1.3-require-post-handshake-server]
277 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
278 CipherString = DEFAULT
279 ClientSignatureAlgorithms = PSS+SHA256
280 MaxProtocol = TLSv1.3
281 MinProtocol = TLSv1.3
282 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
283 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
284 VerifyMode = RequestPostHandshake
285
286 [8-client-auth-TLSv1.3-require-post-handshake-client]
287 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
288 CipherString = DEFAULT
289 MaxProtocol = TLSv1.3
290 MinProtocol = TLSv1.3
291 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
292 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
293 VerifyMode = Peer
294
295 [test-8]
296 ExpectedClientCANames = empty
297 ExpectedClientCertType = RSA
298 ExpectedClientSignHash = SHA256
299 ExpectedClientSignType = RSA-PSS
300 ExpectedResult = Success
301 HandshakeMode = PostHandshakeAuth
302 client = 8-client-auth-TLSv1.3-require-post-handshake-client-extra
303
304 [8-client-auth-TLSv1.3-require-post-handshake-client-extra]
305 EnablePHA = Yes
306
307
308 # ===========================================================
309
# Post-handshake variant of the "non-empty-names" test: the server adds
# ClientCAFile, so [test-9] expects the CA names of root-cert.pem instead of
# an empty list.
# The client opts in to post-handshake authentication through the
# "-client-extra" section (EnablePHA = Yes).
# NOTE(review): named "require", but the server VerifyMode is
# RequestPostHandshake - confirm in the generator's input.
310 [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake]
311 ssl_conf = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-ssl
312
313 [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-ssl]
314 server = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-server
315 client = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client
316
317 [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-server]
318 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
319 CipherString = DEFAULT
320 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
321 ClientSignatureAlgorithms = PSS+SHA256
322 MaxProtocol = TLSv1.3
323 MinProtocol = TLSv1.3
324 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
325 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
326 VerifyMode = RequestPostHandshake
327
328 [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client]
329 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
330 CipherString = DEFAULT
331 MaxProtocol = TLSv1.3
332 MinProtocol = TLSv1.3
333 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
334 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
335 VerifyMode = Peer
336
337 [test-9]
338 ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
339 ExpectedClientCertType = RSA
340 ExpectedClientSignHash = SHA256
341 ExpectedClientSignType = RSA-PSS
342 ExpectedResult = Success
343 HandshakeMode = PostHandshakeAuth
344 client = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra
345
346 [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra]
347 EnablePHA = Yes
348
349
350 # ===========================================================
351
# Negative post-handshake test: the client opts in (EnablePHA = Yes in the
# "-client-extra" section) and presents a certificate chain, but the server
# section has VerifyMode = RequirePostHandshake and no VerifyCAFile.
# Expected outcome: ServerFail with the UnknownCA alert. Because the alert is
# asserted, the failure is pinned to the untrusted chain and not to a missing
# opt-in.
352 [10-client-auth-TLSv1.3-noroot-post-handshake]
353 ssl_conf = 10-client-auth-TLSv1.3-noroot-post-handshake-ssl
354
355 [10-client-auth-TLSv1.3-noroot-post-handshake-ssl]
356 server = 10-client-auth-TLSv1.3-noroot-post-handshake-server
357 client = 10-client-auth-TLSv1.3-noroot-post-handshake-client
358
359 [10-client-auth-TLSv1.3-noroot-post-handshake-server]
360 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
361 CipherString = DEFAULT
362 MaxProtocol = TLSv1.3
363 MinProtocol = TLSv1.3
364 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
365 VerifyMode = RequirePostHandshake
366
367 [10-client-auth-TLSv1.3-noroot-post-handshake-client]
368 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
369 CipherString = DEFAULT
370 MaxProtocol = TLSv1.3
371 MinProtocol = TLSv1.3
372 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
373 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
374 VerifyMode = Peer
375
376 [test-10]
377 ExpectedResult = ServerFail
378 ExpectedServerAlert = UnknownCA
379 HandshakeMode = PostHandshakeAuth
380 client = 10-client-auth-TLSv1.3-noroot-post-handshake-client-extra
381
382 [10-client-auth-TLSv1.3-noroot-post-handshake-client-extra]
383 EnablePHA = Yes
384
385
386 # ===========================================================
387
# The client opts in to post-handshake authentication (EnablePHA = Yes in the
# "-client-extra" section) but configures no certificate.
# With VerifyMode = RequestPostHandshake on the server the expected result is
# Success: once the client has opted in, a post-handshake request that yields
# no certificate is tolerated. As with the in-handshake Request mode, the
# application has to check whether a certificate was presented.
388 [11-client-auth-TLSv1.3-request-force-client-post-handshake]
389 ssl_conf = 11-client-auth-TLSv1.3-request-force-client-post-handshake-ssl
390
391 [11-client-auth-TLSv1.3-request-force-client-post-handshake-ssl]
392 server = 11-client-auth-TLSv1.3-request-force-client-post-handshake-server
393 client = 11-client-auth-TLSv1.3-request-force-client-post-handshake-client
394
395 [11-client-auth-TLSv1.3-request-force-client-post-handshake-server]
396 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
397 CipherString = DEFAULT
398 MaxProtocol = TLSv1.3
399 MinProtocol = TLSv1.3
400 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
401 VerifyMode = RequestPostHandshake
402
403 [11-client-auth-TLSv1.3-request-force-client-post-handshake-client]
404 CipherString = DEFAULT
405 MaxProtocol = TLSv1.3
406 MinProtocol = TLSv1.3
407 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
408 VerifyMode = Peer
409
410 [test-11]
411 ExpectedResult = Success
412 HandshakeMode = PostHandshakeAuth
413 client = 11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra
414
415 [11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra]
416 EnablePHA = Yes
417
418
419 # ===========================================================
420
# Only the server side is forced here: [test-12] references a "-server-extra"
# section with ForcePHA = Yes and no client "-extra" section, so the client
# has not opted in.
# The expected result is ClientFail - presumably the server issues the
# post-handshake request regardless and the client rejects a request it never
# agreed to. This is the client-side enforcement of the opt-in named in the
# page title; confirm the exact mechanism against the test harness.
421 [12-client-auth-TLSv1.3-request-force-server-post-handshake]
422 ssl_conf = 12-client-auth-TLSv1.3-request-force-server-post-handshake-ssl
423
424 [12-client-auth-TLSv1.3-request-force-server-post-handshake-ssl]
425 server = 12-client-auth-TLSv1.3-request-force-server-post-handshake-server
426 client = 12-client-auth-TLSv1.3-request-force-server-post-handshake-client
427
428 [12-client-auth-TLSv1.3-request-force-server-post-handshake-server]
429 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
430 CipherString = DEFAULT
431 MaxProtocol = TLSv1.3
432 MinProtocol = TLSv1.3
433 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
434 VerifyMode = RequestPostHandshake
435
436 [12-client-auth-TLSv1.3-request-force-server-post-handshake-client]
437 CipherString = DEFAULT
438 MaxProtocol = TLSv1.3
439 MinProtocol = TLSv1.3
440 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
441 VerifyMode = Peer
442
443 [test-12]
444 ExpectedResult = ClientFail
445 HandshakeMode = PostHandshakeAuth
446 server = 12-client-auth-TLSv1.3-request-force-server-post-handshake-server-extra
447
448 [12-client-auth-TLSv1.3-request-force-server-post-handshake-server-extra]
449 ForcePHA = Yes
450
451
452 # ===========================================================
453
# Both sides are configured for post-handshake authentication: the server
# "-extra" section sets ForcePHA = Yes and the client "-extra" section sets
# EnablePHA = Yes.
# The client configures no certificate and the server only requests one
# (VerifyMode = RequestPostHandshake), so the expected result is Success.
# Together with the server-only forcing test, this pins that the client's
# opt-in decides the outcome.
454 [13-client-auth-TLSv1.3-request-force-both-post-handshake]
455 ssl_conf = 13-client-auth-TLSv1.3-request-force-both-post-handshake-ssl
456
457 [13-client-auth-TLSv1.3-request-force-both-post-handshake-ssl]
458 server = 13-client-auth-TLSv1.3-request-force-both-post-handshake-server
459 client = 13-client-auth-TLSv1.3-request-force-both-post-handshake-client
460
461 [13-client-auth-TLSv1.3-request-force-both-post-handshake-server]
462 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
463 CipherString = DEFAULT
464 MaxProtocol = TLSv1.3
465 MinProtocol = TLSv1.3
466 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
467 VerifyMode = RequestPostHandshake
468
469 [13-client-auth-TLSv1.3-request-force-both-post-handshake-client]
470 CipherString = DEFAULT
471 MaxProtocol = TLSv1.3
472 MinProtocol = TLSv1.3
473 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
474 VerifyMode = Peer
475
476 [test-13]
477 ExpectedResult = Success
478 HandshakeMode = PostHandshakeAuth
479 server = 13-client-auth-TLSv1.3-request-force-both-post-handshake-server-extra
480 client = 13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra
481
482 [13-client-auth-TLSv1.3-request-force-both-post-handshake-server-extra]
483 ForcePHA = Yes
484
485 [13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra]
486 EnablePHA = Yes
487
488