foreach (0..$#protocols) {
my $protocol = $protocols[$_];
my $protocol_name = $protocol || "flex";
+ my $caalert;
if (!$is_disabled[$_]) {
+ if ($protocol_name eq "SSLv3") {
+ $caalert = "BadCertificate";
+ } else {
+ $caalert = "UnknownCA";
+ }
+ my $clihash;
+ my $clisigtype;
+ my $clisigalgs;
+ # TODO(TLS1.3) add TLSv1.3 versions
+ if ($protocol_name eq "TLSv1.2") {
+ $clihash = "SHA256";
+ $clisigtype = "RSA";
+ $clisigalgs = "SHA256+RSA";
+ }
# Sanity-check simple handshake.
push @tests, {
name => "server-auth-${protocol_name}",
},
test => {
"ExpectedResult" => "ServerFail",
- "ServerAlert" => "HandshakeFailure",
+ "ExpectedServerAlert" => "HandshakeFailure",
},
};
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
+ "ClientSignatureAlgorithms" => $clisigalgs,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Request",
},
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
- test => { "ExpectedResult" => "Success" },
+ test => { "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignType" => $clisigtype,
+ "ExpectedClientSignHash" => $clihash,
+ },
};
# Handshake with client authentication but without the root certificate.
},
test => {
"ExpectedResult" => "ServerFail",
- "ServerAlert" => "UnknownCA",
+ "ExpectedServerAlert" => $caalert,
},
};
}