From 336d92eb206946293a50db667fdc44ab7d69f8ad Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 25 Mar 2022 15:26:13 +0100
Subject: [PATCH] Enable setting SSL_CERT_FLAG_TLS_STRICT with ssl config

Reviewed-by: Todd Short
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17989)
---
 doc/man3/SSL_CONF_cmd.pod | 3 +
 ssl/ssl_conf.c | 3 +-
 test/certs/client-pss-restrict-cert.pem | 21 +
 test/certs/client-pss-restrict-key.pem | 29 +
 test/certs/setup.sh | 6 +
 test/ssl-tests/04-client_auth.cnf | 1450 +++++++++++++----------
 test/ssl-tests/04-client_auth.cnf.in | 59 +
 7 files changed, 912 insertions(+), 659 deletions(-)
 create mode 100644 test/certs/client-pss-restrict-cert.pem
 create mode 100644 test/certs/client-pss-restrict-key.pem

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ae6ca43282..400bd223c6 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -532,6 +532,9 @@ B: Enables kernel TLS if support has been compiled in, and it is supported by the negotiated ciphersuites and extensions. Equivalent to B.
+B: Enable strict certificate checking. Equivalent to
+setting B with SSL_CTX_set_cert_flags().
+
 =item B The B argument is a comma separated list of flags to set.
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index b83f9fe3a9..7bfafe8cf7 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -396,7 +396,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
 SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
 SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
 SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
- SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
+ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS),
+ SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT)
 };
 if (value == NULL)
 return -3;
diff --git a/test/certs/client-pss-restrict-cert.pem b/test/certs/client-pss-restrict-cert.pem
new file mode 100644
index 0000000000..df27482050
--- /dev/null
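Review bot: The new `SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT)` row is the only cert-flag entry visible in an options table that otherwise holds `SSL_OP_*` bits, and nothing at the site says why a different macro is needed, so the next `SSL_CERT_FLAG_*` addition may reach for `SSL_FLAG_TBL` and apply the bit to the wrong flag word; a one-line comment above the entry would prevent that, e.g. `/* SSL_CERT_FLAG_* value, not SSL_OP_*: must stay an SSL_FLAG_TBL_CERT entry */`. Like the other `Options` flags it can presumably be negated with a leading `-` from a config file, and the pod entry in this patch says only that strict checking is enabled; documenting at least what the regenerated cnf demonstrates (in test 5 the client withholds a certificate whose issuer is not in the server's advertised CA list and the handshake ends with a CertificateRequired alert) would let an operator judge what the flag changes. cmd_Options begins outside the hunk.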
+++ b/test/certs/client-pss-restrict-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIyMDMyNTE1MzcwOFoYDzIxMjIwMzI2MTUzNzA4WjAZMRcwFQYDVQQD +DA5DbGllbnQtUlNBLVBTUzCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQME +AgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEPADCCAQoCggEB +ALNFZQLc/LFLrP8cOIdxgbIhx3mQoBfOst3XvfrxjMUHv5a+wouGvEms5431WHM0 +g/aJKArCHnz5M9ljr/xzLhZVyTtrjd4/59V+zUtptcytNeDdjrRBOoLuvAvoUz2B +HBFmYMMGKWnUTSrp8yttUNirmJ0SpEp058ybo6Z4Tm6kZNojMu7TKLv2mwKdx+WE +SGrbJ0nR7p9nMbyl0un6ExVduEbobMnnIk/bE49kbdCwDm+mTxF/j/dvW3+sV5c/ +bVVjRUcD0RZGgQD0SMExhex53DyhyjfV3ZNItZ+dcYOgKlo+DNilytczJa3jL28q +xOpFz/xmU5Oc2k4jx4OSU40CAwEAAaOBjjCBizAdBgNVHQ4EFgQUXcDRXBMxM9Ua +FdWhAKnZV3ZkbZowHwYDVR0jBBgwFoAUcH8uroNoWZgEIyrN6z4XzSTdAUkwCQYD +VR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjApBgNVHREEIjAggh5DbGllbnQg +UlNBLVBTUyByZXN0cmljdGVkIGNlcnQwDQYJKoZIhvcNAQELBQADggEBAKDXTc7H +g+o0UxsscFT4cklOFOOPKHGciOtNBylZLcs2K8TlN28sUMHal8bXGyh3tqBIMbLj +KLfaUUUcysLKruZ+t5ANDJbPvCaF7C6AD53xoYcTTs3+p2XhFp85ivVgpmVU8c6L +EfUpIr1vhBgUpRE3vdl6sRMB3PveSjBMDfq2f60LSX0mbydZRqeDO0lP5yg/FryH +VLAtO3YvxQgglqNdtrErdxEAV20mthaSMxJguktTP+volr/3BSbIQfl3yuPnffk/ +hK8EgJeD13fJ9f8Gd4OXMXL98+Lii0gvTyJapw105KtKtZ/2ck2rOFLIKqFN/dk9 +W/mBy7X6U0O32tc= +-----END CERTIFICATE----- diff --git a/test/certs/client-pss-restrict-key.pem b/test/certs/client-pss-restrict-key.pem new file mode 100644 index 0000000000..985fa13aaa --- /dev/null +++ b/test/certs/client-pss-restrict-key.pem 
@@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7QIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKcwggSjAgEAAoIBAQCzRWUC3PyxS6z/ +HDiHcYGyIcd5kKAXzrLd17368YzFB7+WvsKLhrxJrOeN9VhzNIP2iSgKwh58+TPZ +Y6/8cy4WVck7a43eP+fVfs1LabXMrTXg3Y60QTqC7rwL6FM9gRwRZmDDBilp1E0q +6fMrbVDYq5idEqRKdOfMm6OmeE5upGTaIzLu0yi79psCncflhEhq2ydJ0e6fZzG8 +pdLp+hMVXbhG6GzJ5yJP2xOPZG3QsA5vpk8Rf4/3b1t/rFeXP21VY0VHA9EWRoEA +9EjBMYXsedw8oco31d2TSLWfnXGDoCpaPgzYpcrXMyWt4y9vKsTqRc/8ZlOTnNpO +I8eDklONAgMBAAECggEBAKUMtO0n7HaHR+UwZFM/C7unIfIoV1zT7xYUNVM+5O3a +LmhphM/U4rGqQR4PzrlyljR7HqSZCFzjSvtQroxstvfVT4ongdwnVhjXv8c4siqZ +Jku7cFFA5M/7YKJN6aVsoxzZ9yhXGfXXgpyJ/Fn1MUPq6H1k1mG+tFNK0CbKCNwP +cBFGIRT1dXHJaXjIyo+nfJs3kcN/y2trmtXfYrsOedMxVzAJD/Rn8Gw393wnrSJq +dCcQ51RcxVjVe59x+mdnU5I+k5oe84uxJpQPT6i6EOoy1y7gNMAv2qncQT8iHM9h +P/yr+kM96uPZpdELfRUkEWNfghR/bvqNtpfd3DedbPkCgYEA3oVMMYk2oU60pbmc +Pk68joqJ3fFM3Bk9vVG65a2FbitFq7Fso1e4gwZCoLYCMZLVNMTIOhkKJEdH4I6o +mxdA9ZaysiAYdDtsP4U/eYxQf/HNsworq7sP9xr0RvnAUixS+sc2B2VJYvyJfanc +LgBIuqZiyRmbNlYV3GC09xMThw8CgYEAzj5GqBUDeUjcDNCR2ooAMjk6afFSFl8Q +kvfASMsMxOF+P035k5LaE804rqM/5bsySGOCGNn+xMmxMKNh1UFAzbJXuTTo4Lv6 +r7SEc5i6usvXhk0zr/y083iY8rx9KOgHzWWmntJJr6Ax88wNH4UpPW1EV18D4ng4 +Ax9VmEjPW6MCgYAVzg4XVJDL4cCF9NhAqsqDVUQJQZn8f2SzZozf8M8AarEbD/nL +T88+16Azy2IPpYnK7/WG6+k4gNukP5Z6DB9LcYb1OXvr9961osMDkCJbR0CW6Mo6 +u8vmtPd29QZJhxpihJ7gvqYgUwrOC5UN1O1LjP5lImM5QdpGjBtvkqj5NQKBgHgl +K0ALTcS/vwDwF6d5sPeRAwhofmtt4dfb3/YH415mBgeWwwdHCydx681AaJ7J2Fb3 +MPiNNa8p18D/zKRQqRGrDRNlUSxqFXV58ZbtqAndaaZhHvUsf7U90cvGJhtIYBM1 +XkUzN53J8o+VlSeBiS6xkphbT4YEhoy7Gj/mWnWFAoGAU1bDM4GhIThnhk2sFgKn +vDUBmu2fXiZXPJmrbITrBlpm6ocqNeFerhSmpU3oLFGQ5NZfMxLgvgLF5rRReY+c +8P5Thav/RIpnFmD+wLxuDtJkpgWuz/4ySEZ7MAD8aLp2u3I1YHu2dFtY1hgeB5x/ +aqfWopW2cxBScbIToCnZnqg= +-----END PRIVATE KEY----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 21f9355b8b..2a505c5895 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh 
@@ -413,6 +413,12 @@ openssl req -new -noenc -subj "/CN=localhost" \ ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \ server-pss-restrict-cert rootkey rootcert +openssl req -new -noenc -subj "/CN=Client-RSA-PSS" \ + -newkey rsa-pss -keyout client-pss-restrict-key.pem \ + -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \ + ./mkcert.sh geneenocsr -p clientAuth "Client RSA-PSS restricted cert" \ + client-pss-restrict-cert rootkey rootcert + # CT entry ./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key diff --git a/test/ssl-tests/04-client_auth.cnf b/test/ssl-tests/04-client_auth.cnf index 46e61cd882..3dae79c370 100644 --- a/test/ssl-tests/04-client_auth.cnf +++ b/test/ssl-tests/04-client_auth.cnf 
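Review bot: The exit status of the new `openssl req ... | ./mkcert.sh geneenocsr ...` pipeline is mkcert.sh's, not `openssl req`'s, so a failed key generation (an unsupported `-pkeyopt`, for instance) surfaces only if mkcert.sh rejects the empty CSR or the script runs with `set -o pipefail`, neither of which is visible here; the server-pss-restrict block just above has the same shape, so this is inherited rather than new. A comment tying the fixture to its consumer would help whoever regenerates these certificates, e.g. `# Client RSA-PSS key restricted to sha256 / saltlen 32, used by the StrictCertCheck cases in 04-client_auth.cnf.in`.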
@@ -1,43 +1,47 @@ # Generated with generate_ssl_tests.pl -num_tests = 36 +num_tests = 40 test-0 = 0-server-auth-flex test-1 = 1-client-auth-flex-request test-2 = 2-client-auth-flex-require-fail test-3 = 3-client-auth-flex-require -test-4 = 4-client-auth-flex-require-non-empty-names -test-5 = 5-client-auth-flex-noroot -test-6 = 6-server-auth-TLSv1 -test-7 = 7-client-auth-TLSv1-request -test-8 = 8-client-auth-TLSv1-require-fail -test-9 = 9-client-auth-TLSv1-require -test-10 = 10-client-auth-TLSv1-require-non-empty-names -test-11 = 11-client-auth-TLSv1-noroot -test-12 = 12-server-auth-TLSv1.1 -test-13 = 13-client-auth-TLSv1.1-request -test-14 = 14-client-auth-TLSv1.1-require-fail -test-15 = 15-client-auth-TLSv1.1-require -test-16 = 16-client-auth-TLSv1.1-require-non-empty-names -test-17 = 17-client-auth-TLSv1.1-noroot -test-18 = 18-server-auth-TLSv1.2 -test-19 = 19-client-auth-TLSv1.2-request -test-20 = 20-client-auth-TLSv1.2-require-fail -test-21 = 21-client-auth-TLSv1.2-require -test-22 = 22-client-auth-TLSv1.2-require-non-empty-names -test-23 = 23-client-auth-TLSv1.2-noroot -test-24 = 24-server-auth-DTLSv1 -test-25 = 25-client-auth-DTLSv1-request -test-26 = 26-client-auth-DTLSv1-require-fail -test-27 = 27-client-auth-DTLSv1-require -test-28 = 28-client-auth-DTLSv1-require-non-empty-names -test-29 = 29-client-auth-DTLSv1-noroot -test-30 = 30-server-auth-DTLSv1.2 -test-31 = 31-client-auth-DTLSv1.2-request -test-32 = 32-client-auth-DTLSv1.2-require-fail -test-33 = 33-client-auth-DTLSv1.2-require -test-34 = 34-client-auth-DTLSv1.2-require-non-empty-names -test-35 = 35-client-auth-DTLSv1.2-noroot +test-4 = 4-client-auth-flex-rsa-pss +test-5 = 5-client-auth-flex-rsa-pss-bad +test-6 = 6-client-auth-flex-require-non-empty-names +test-7 = 7-client-auth-flex-noroot +test-8 = 8-server-auth-TLSv1 +test-9 = 9-client-auth-TLSv1-request +test-10 = 10-client-auth-TLSv1-require-fail +test-11 = 11-client-auth-TLSv1-require +test-12 = 12-client-auth-TLSv1-require-non-empty-names 
+test-13 = 13-client-auth-TLSv1-noroot +test-14 = 14-server-auth-TLSv1.1 +test-15 = 15-client-auth-TLSv1.1-request +test-16 = 16-client-auth-TLSv1.1-require-fail +test-17 = 17-client-auth-TLSv1.1-require +test-18 = 18-client-auth-TLSv1.1-require-non-empty-names +test-19 = 19-client-auth-TLSv1.1-noroot +test-20 = 20-server-auth-TLSv1.2 +test-21 = 21-client-auth-TLSv1.2-request +test-22 = 22-client-auth-TLSv1.2-require-fail +test-23 = 23-client-auth-TLSv1.2-require +test-24 = 24-client-auth-TLSv1.2-rsa-pss +test-25 = 25-client-auth-TLSv1.2-rsa-pss-bad +test-26 = 26-client-auth-TLSv1.2-require-non-empty-names +test-27 = 27-client-auth-TLSv1.2-noroot +test-28 = 28-server-auth-DTLSv1 +test-29 = 29-client-auth-DTLSv1-request +test-30 = 30-client-auth-DTLSv1-require-fail +test-31 = 31-client-auth-DTLSv1-require +test-32 = 32-client-auth-DTLSv1-require-non-empty-names +test-33 = 33-client-auth-DTLSv1-noroot +test-34 = 34-server-auth-DTLSv1.2 +test-35 = 35-client-auth-DTLSv1.2-request +test-36 = 36-client-auth-DTLSv1.2-require-fail +test-37 = 37-client-auth-DTLSv1.2-require +test-38 = 38-client-auth-DTLSv1.2-require-non-empty-names +test-39 = 39-client-auth-DTLSv1.2-noroot # =========================================================== [0-server-auth-flex] 
@@ -142,14 +146,75 @@ ExpectedResult = Success # =========================================================== -[4-client-auth-flex-require-non-empty-names] -ssl_conf = 4-client-auth-flex-require-non-empty-names-ssl +[4-client-auth-flex-rsa-pss] +ssl_conf = 4-client-auth-flex-rsa-pss-ssl -[4-client-auth-flex-require-non-empty-names-ssl] -server = 4-client-auth-flex-require-non-empty-names-server -client = 4-client-auth-flex-require-non-empty-names-client +[4-client-auth-flex-rsa-pss-ssl] +server = 4-client-auth-flex-rsa-pss-server +client = 4-client-auth-flex-rsa-pss-client -[4-client-auth-flex-require-non-empty-names-server] +[4-client-auth-flex-rsa-pss-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Require + +[4-client-auth-flex-rsa-pss-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/rootcert.pem +ExpectedClientCertType = RSA-PSS +ExpectedResult = Success + + +# =========================================================== + +[5-client-auth-flex-rsa-pss-bad] +ssl_conf = 5-client-auth-flex-rsa-pss-bad-ssl + +[5-client-auth-flex-rsa-pss-bad-ssl] +server = 5-client-auth-flex-rsa-pss-bad-server +client = 5-client-auth-flex-rsa-pss-bad-client + +[5-client-auth-flex-rsa-pss-bad-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +VerifyMode = Require + 
+[5-client-auth-flex-rsa-pss-bad-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem +CipherString = DEFAULT:@SECLEVEL=0 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = ServerFail +ExpectedServerAlert = CertificateRequired + + +# =========================================================== + +[6-client-auth-flex-require-non-empty-names] +ssl_conf = 6-client-auth-flex-require-non-empty-names-ssl + +[6-client-auth-flex-require-non-empty-names-ssl] +server = 6-client-auth-flex-require-non-empty-names-server +client = 6-client-auth-flex-require-non-empty-names-client + +[6-client-auth-flex-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -157,14 +222,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[4-client-auth-flex-require-non-empty-names-client] +[6-client-auth-flex-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-4] +[test-6] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -172,105 +237,48 @@ ExpectedResult = Success # =========================================================== -[5-client-auth-flex-noroot] -ssl_conf = 5-client-auth-flex-noroot-ssl +[7-client-auth-flex-noroot] +ssl_conf = 7-client-auth-flex-noroot-ssl -[5-client-auth-flex-noroot-ssl] -server = 5-client-auth-flex-noroot-server -client = 5-client-auth-flex-noroot-client +[7-client-auth-flex-noroot-ssl] +server = 7-client-auth-flex-noroot-server +client = 7-client-auth-flex-noroot-client -[5-client-auth-flex-noroot-server] +[7-client-auth-flex-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[5-client-auth-flex-noroot-client] +[7-client-auth-flex-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-5] +[test-7] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[6-server-auth-TLSv1] -ssl_conf = 6-server-auth-TLSv1-ssl +[8-server-auth-TLSv1] +ssl_conf = 8-server-auth-TLSv1-ssl -[6-server-auth-TLSv1-ssl] -server = 6-server-auth-TLSv1-server -client = 6-server-auth-TLSv1-client +[8-server-auth-TLSv1-ssl] +server = 8-server-auth-TLSv1-server +client = 8-server-auth-TLSv1-client -[6-server-auth-TLSv1-server] +[8-server-auth-TLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-server-auth-TLSv1-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-6] -ExpectedResult = Success - - -# =========================================================== - 
-[7-client-auth-TLSv1-request] -ssl_conf = 7-client-auth-TLSv1-request-ssl - -[7-client-auth-TLSv1-request-ssl] -server = 7-client-auth-TLSv1-request-server -client = 7-client-auth-TLSv1-request-client - -[7-client-auth-TLSv1-request-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Request - -[7-client-auth-TLSv1-request-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedResult = Success - - -# =========================================================== - -[8-client-auth-TLSv1-require-fail] -ssl_conf = 8-client-auth-TLSv1-require-fail-ssl - -[8-client-auth-TLSv1-require-fail-ssl] -server = 8-client-auth-TLSv1-require-fail-server -client = 8-client-auth-TLSv1-require-fail-client - -[8-client-auth-TLSv1-require-fail-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require - -[8-client-auth-TLSv1-require-fail-client] +[8-server-auth-TLSv1-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 MinProtocol = TLSv1 
@@ -278,20 +286,77 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] +ExpectedResult = Success + + +# =========================================================== + +[9-client-auth-TLSv1-request] +ssl_conf = 9-client-auth-TLSv1-request-ssl + +[9-client-auth-TLSv1-request-ssl] +server = 9-client-auth-TLSv1-request-server +client = 9-client-auth-TLSv1-request-client + +[9-client-auth-TLSv1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[9-client-auth-TLSv1-request-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-9] +ExpectedResult = Success + + +# =========================================================== + +[10-client-auth-TLSv1-require-fail] +ssl_conf = 10-client-auth-TLSv1-require-fail-ssl + +[10-client-auth-TLSv1-require-fail-ssl] +server = 10-client-auth-TLSv1-require-fail-server +client = 10-client-auth-TLSv1-require-fail-client + +[10-client-auth-TLSv1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[10-client-auth-TLSv1-require-fail-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-10] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[9-client-auth-TLSv1-require] -ssl_conf = 9-client-auth-TLSv1-require-ssl +[11-client-auth-TLSv1-require] +ssl_conf = 11-client-auth-TLSv1-require-ssl -[9-client-auth-TLSv1-require-ssl] 
-server = 9-client-auth-TLSv1-require-server -client = 9-client-auth-TLSv1-require-client +[11-client-auth-TLSv1-require-ssl] +server = 11-client-auth-TLSv1-require-server +client = 11-client-auth-TLSv1-require-client -[9-client-auth-TLSv1-require-server] +[11-client-auth-TLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 
@@ -300,73 +365,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[9-client-auth-TLSv1-require-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-9] -ExpectedClientCANames = empty -ExpectedClientCertType = RSA -ExpectedResult = Success - - -# =========================================================== - -[10-client-auth-TLSv1-require-non-empty-names] -ssl_conf = 10-client-auth-TLSv1-require-non-empty-names-ssl - -[10-client-auth-TLSv1-require-non-empty-names-ssl] -server = 10-client-auth-TLSv1-require-non-empty-names-server -client = 10-client-auth-TLSv1-require-non-empty-names-client - -[10-client-auth-TLSv1-require-non-empty-names-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Request - -[10-client-auth-TLSv1-require-non-empty-names-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-10] -ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem -ExpectedClientCertType = RSA -ExpectedResult = Success - - -# =========================================================== - -[11-client-auth-TLSv1-noroot] -ssl_conf = 11-client-auth-TLSv1-noroot-ssl - -[11-client-auth-TLSv1-noroot-ssl] -server = 11-client-auth-TLSv1-noroot-server -client = 11-client-auth-TLSv1-noroot-client - 
-[11-client-auth-TLSv1-noroot-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1 -MinProtocol = TLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Require - -[11-client-auth-TLSv1-noroot-client] +[11-client-auth-TLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1 
@@ -376,123 +375,6 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] -ExpectedResult = ServerFail -ExpectedServerAlert = UnknownCA - - -# =========================================================== - -[12-server-auth-TLSv1.1] -ssl_conf = 12-server-auth-TLSv1.1-ssl - -[12-server-auth-TLSv1.1-ssl] -server = 12-server-auth-TLSv1.1-server -client = 12-server-auth-TLSv1.1-client - -[12-server-auth-TLSv1.1-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[12-server-auth-TLSv1.1-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-12] -ExpectedResult = Success - - -# =========================================================== - -[13-client-auth-TLSv1.1-request] -ssl_conf = 13-client-auth-TLSv1.1-request-ssl - -[13-client-auth-TLSv1.1-request-ssl] -server = 13-client-auth-TLSv1.1-request-server -client = 13-client-auth-TLSv1.1-request-client - -[13-client-auth-TLSv1.1-request-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Request - -[13-client-auth-TLSv1.1-request-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-13] -ExpectedResult = Success - - -# =========================================================== - -[14-client-auth-TLSv1.1-require-fail] -ssl_conf = 14-client-auth-TLSv1.1-require-fail-ssl - -[14-client-auth-TLSv1.1-require-fail-ssl] -server = 14-client-auth-TLSv1.1-require-fail-server -client = 14-client-auth-TLSv1.1-require-fail-client - -[14-client-auth-TLSv1.1-require-fail-server] 
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require - -[14-client-auth-TLSv1.1-require-fail-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-14] -ExpectedResult = ServerFail -ExpectedServerAlert = HandshakeFailure - - -# =========================================================== - -[15-client-auth-TLSv1.1-require] -ssl_conf = 15-client-auth-TLSv1.1-require-ssl - -[15-client-auth-TLSv1.1-require-ssl] -server = 15-client-auth-TLSv1.1-require-server -client = 15-client-auth-TLSv1.1-require-client - -[15-client-auth-TLSv1.1-require-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Request - -[15-client-auth-TLSv1.1-require-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-15] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -500,33 +382,33 @@ ExpectedResult = Success # =========================================================== -[16-client-auth-TLSv1.1-require-non-empty-names] -ssl_conf = 16-client-auth-TLSv1.1-require-non-empty-names-ssl +[12-client-auth-TLSv1-require-non-empty-names] +ssl_conf = 12-client-auth-TLSv1-require-non-empty-names-ssl -[16-client-auth-TLSv1.1-require-non-empty-names-ssl] -server = 16-client-auth-TLSv1.1-require-non-empty-names-server -client = 16-client-auth-TLSv1.1-require-non-empty-names-client +[12-client-auth-TLSv1-require-non-empty-names-ssl] +server = 12-client-auth-TLSv1-require-non-empty-names-server +client = 12-client-auth-TLSv1-require-non-empty-names-client -[16-client-auth-TLSv1.1-require-non-empty-names-server] +[12-client-auth-TLSv1-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[16-client-auth-TLSv1.1-require-non-empty-names-client] +[12-client-auth-TLSv1-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.1 -MinProtocol = TLSv1.1 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-12] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -534,22 +416,139 @@ ExpectedResult = Success # =========================================================== -[17-client-auth-TLSv1.1-noroot] -ssl_conf = 17-client-auth-TLSv1.1-noroot-ssl +[13-client-auth-TLSv1-noroot] +ssl_conf = 13-client-auth-TLSv1-noroot-ssl -[17-client-auth-TLSv1.1-noroot-ssl] -server = 17-client-auth-TLSv1.1-noroot-server -client = 17-client-auth-TLSv1.1-noroot-client +[13-client-auth-TLSv1-noroot-ssl] +server = 13-client-auth-TLSv1-noroot-server +client = 13-client-auth-TLSv1-noroot-client -[17-client-auth-TLSv1.1-noroot-server] +[13-client-auth-TLSv1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[13-client-auth-TLSv1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-13] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA + + +# =========================================================== + +[14-server-auth-TLSv1.1] +ssl_conf = 14-server-auth-TLSv1.1-ssl + +[14-server-auth-TLSv1.1-ssl] +server = 14-server-auth-TLSv1.1-server +client = 14-server-auth-TLSv1.1-client + +[14-server-auth-TLSv1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 MinProtocol = TLSv1.1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[14-server-auth-TLSv1.1-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-14] +ExpectedResult = Success + + +# =========================================================== + +[15-client-auth-TLSv1.1-request] +ssl_conf = 
15-client-auth-TLSv1.1-request-ssl + +[15-client-auth-TLSv1.1-request-ssl] +server = 15-client-auth-TLSv1.1-request-server +client = 15-client-auth-TLSv1.1-request-client + +[15-client-auth-TLSv1.1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[15-client-auth-TLSv1.1-request-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-15] +ExpectedResult = Success + + +# =========================================================== + +[16-client-auth-TLSv1.1-require-fail] +ssl_conf = 16-client-auth-TLSv1.1-require-fail-ssl + +[16-client-auth-TLSv1.1-require-fail-ssl] +server = 16-client-auth-TLSv1.1-require-fail-server +client = 16-client-auth-TLSv1.1-require-fail-client + +[16-client-auth-TLSv1.1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[17-client-auth-TLSv1.1-noroot-client] +[16-client-auth-TLSv1.1-require-fail-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure + + +# =========================================================== + +[17-client-auth-TLSv1.1-require] +ssl_conf = 17-client-auth-TLSv1.1-require-ssl + +[17-client-auth-TLSv1.1-require-ssl] +server = 17-client-auth-TLSv1.1-require-server +client = 17-client-auth-TLSv1.1-require-client + +[17-client-auth-TLSv1.1-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = 
DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[17-client-auth-TLSv1.1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 
@@ -559,84 +558,93 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-17] +ExpectedClientCANames = empty +ExpectedClientCertType = RSA +ExpectedResult = Success + + +# =========================================================== + +[18-client-auth-TLSv1.1-require-non-empty-names] +ssl_conf = 18-client-auth-TLSv1.1-require-non-empty-names-ssl + +[18-client-auth-TLSv1.1-require-non-empty-names-ssl] +server = 18-client-auth-TLSv1.1-require-non-empty-names-server +client = 18-client-auth-TLSv1.1-require-non-empty-names-client + +[18-client-auth-TLSv1.1-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[18-client-auth-TLSv1.1-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-18] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedResult = Success + + +# =========================================================== + +[19-client-auth-TLSv1.1-noroot] +ssl_conf = 19-client-auth-TLSv1.1-noroot-ssl + +[19-client-auth-TLSv1.1-noroot-ssl] +server = 19-client-auth-TLSv1.1-noroot-server +client = 19-client-auth-TLSv1.1-noroot-client + +[19-client-auth-TLSv1.1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[19-client-auth-TLSv1.1-noroot-client] +Certificate = 
${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-19] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA # =========================================================== -[18-server-auth-TLSv1.2] -ssl_conf = 18-server-auth-TLSv1.2-ssl +[20-server-auth-TLSv1.2] +ssl_conf = 20-server-auth-TLSv1.2-ssl -[18-server-auth-TLSv1.2-ssl] -server = 18-server-auth-TLSv1.2-server -client = 18-server-auth-TLSv1.2-client +[20-server-auth-TLSv1.2-ssl] +server = 20-server-auth-TLSv1.2-server +client = 20-server-auth-TLSv1.2-client -[18-server-auth-TLSv1.2-server] +[20-server-auth-TLSv1.2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-server-auth-TLSv1.2-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-18] -ExpectedResult = Success - - -# =========================================================== - -[19-client-auth-TLSv1.2-request] -ssl_conf = 19-client-auth-TLSv1.2-request-ssl - -[19-client-auth-TLSv1.2-request-ssl] -server = 19-client-auth-TLSv1.2-request-server -client = 19-client-auth-TLSv1.2-request-client - -[19-client-auth-TLSv1.2-request-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Request - -[19-client-auth-TLSv1.2-request-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-19] -ExpectedResult = Success - - -# 
=========================================================== - -[20-client-auth-TLSv1.2-require-fail] -ssl_conf = 20-client-auth-TLSv1.2-require-fail-ssl - -[20-client-auth-TLSv1.2-require-fail-ssl] -server = 20-client-auth-TLSv1.2-require-fail-server -client = 20-client-auth-TLSv1.2-require-fail-client - -[20-client-auth-TLSv1.2-require-fail-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require - -[20-client-auth-TLSv1.2-require-fail-client] +[20-server-auth-TLSv1.2-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 
@@ -644,20 +652,77 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-20] +ExpectedResult = Success + + +# =========================================================== + +[21-client-auth-TLSv1.2-request] +ssl_conf = 21-client-auth-TLSv1.2-request-ssl + +[21-client-auth-TLSv1.2-request-ssl] +server = 21-client-auth-TLSv1.2-request-server +client = 21-client-auth-TLSv1.2-request-client + +[21-client-auth-TLSv1.2-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[21-client-auth-TLSv1.2-request-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-21] +ExpectedResult = Success + + +# =========================================================== + +[22-client-auth-TLSv1.2-require-fail] +ssl_conf = 22-client-auth-TLSv1.2-require-fail-ssl + +[22-client-auth-TLSv1.2-require-fail-ssl] +server = 22-client-auth-TLSv1.2-require-fail-server +client = 22-client-auth-TLSv1.2-require-fail-client + +[22-client-auth-TLSv1.2-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[22-client-auth-TLSv1.2-require-fail-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure # =========================================================== -[21-client-auth-TLSv1.2-require] -ssl_conf = 21-client-auth-TLSv1.2-require-ssl +[23-client-auth-TLSv1.2-require] +ssl_conf = 
23-client-auth-TLSv1.2-require-ssl -[21-client-auth-TLSv1.2-require-ssl] -server = 21-client-auth-TLSv1.2-require-server -client = 21-client-auth-TLSv1.2-require-client +[23-client-auth-TLSv1.2-require-ssl] +server = 23-client-auth-TLSv1.2-require-server +client = 23-client-auth-TLSv1.2-require-client -[21-client-auth-TLSv1.2-require-server] +[23-client-auth-TLSv1.2-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientSignatureAlgorithms = SHA256+RSA 
@@ -667,78 +732,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[21-client-auth-TLSv1.2-require-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-21] -ExpectedClientCANames = empty -ExpectedClientCertType = RSA -ExpectedClientSignHash = SHA256 -ExpectedClientSignType = RSA -ExpectedResult = Success - - -# =========================================================== - -[22-client-auth-TLSv1.2-require-non-empty-names] -ssl_conf = 22-client-auth-TLSv1.2-require-non-empty-names-ssl - -[22-client-auth-TLSv1.2-require-non-empty-names-ssl] -server = 22-client-auth-TLSv1.2-require-non-empty-names-server -client = 22-client-auth-TLSv1.2-require-non-empty-names-client - -[22-client-auth-TLSv1.2-require-non-empty-names-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -ClientSignatureAlgorithms = SHA256+RSA -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Request - -[22-client-auth-TLSv1.2-require-non-empty-names-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-22] -ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem -ExpectedClientCertType = RSA -ExpectedClientSignHash = SHA256 -ExpectedClientSignType = RSA -ExpectedResult = Success - - -# =========================================================== - -[23-client-auth-TLSv1.2-noroot] 
-ssl_conf = 23-client-auth-TLSv1.2-noroot-ssl - -[23-client-auth-TLSv1.2-noroot-ssl] -server = 23-client-auth-TLSv1.2-noroot-server -client = 23-client-auth-TLSv1.2-noroot-client - -[23-client-auth-TLSv1.2-noroot-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Require - -[23-client-auth-TLSv1.2-noroot-client] +[23-client-auth-TLSv1.2-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.2 
@@ -748,282 +742,233 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] -ExpectedResult = ServerFail -ExpectedServerAlert = UnknownCA +ExpectedClientCANames = empty +ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = RSA +ExpectedResult = Success # =========================================================== -[24-server-auth-DTLSv1] -ssl_conf = 24-server-auth-DTLSv1-ssl +[24-client-auth-TLSv1.2-rsa-pss] +ssl_conf = 24-client-auth-TLSv1.2-rsa-pss-ssl -[24-server-auth-DTLSv1-ssl] -server = 24-server-auth-DTLSv1-server -client = 24-server-auth-DTLSv1-client +[24-client-auth-TLSv1.2-rsa-pss-ssl] +server = 24-client-auth-TLSv1.2-rsa-pss-server +client = 24-client-auth-TLSv1.2-rsa-pss-client -[24-server-auth-DTLSv1-server] +[24-client-auth-TLSv1.2-rsa-pss-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Require -[24-server-auth-DTLSv1-client] +[24-client-auth-TLSv1.2-rsa-pss-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/rootcert.pem +ExpectedClientCertType = RSA-PSS ExpectedResult = Success -Method = DTLS # =========================================================== -[25-client-auth-DTLSv1-request] -ssl_conf = 25-client-auth-DTLSv1-request-ssl +[25-client-auth-TLSv1.2-rsa-pss-bad] +ssl_conf = 25-client-auth-TLSv1.2-rsa-pss-bad-ssl 
-[25-client-auth-DTLSv1-request-ssl] -server = 25-client-auth-DTLSv1-request-server -client = 25-client-auth-DTLSv1-request-client +[25-client-auth-TLSv1.2-rsa-pss-bad-ssl] +server = 25-client-auth-TLSv1.2-rsa-pss-bad-server +client = 25-client-auth-TLSv1.2-rsa-pss-bad-client -[25-client-auth-DTLSv1-request-server] +[25-client-auth-TLSv1.2-rsa-pss-bad-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Request +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootCA.pem +VerifyMode = Require -[25-client-auth-DTLSv1-request-client] +[25-client-auth-TLSv1.2-rsa-pss-bad-client] +Certificate = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-cert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +Options = StrictCertCheck +PrivateKey = ${ENV::TEST_CERTS_DIR}/client-pss-restrict-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-25] -ExpectedResult = Success -Method = DTLS - - -# =========================================================== - -[26-client-auth-DTLSv1-require-fail] -ssl_conf = 26-client-auth-DTLSv1-require-fail-ssl - -[26-client-auth-DTLSv1-require-fail-ssl] -server = 26-client-auth-DTLSv1-require-fail-server -client = 26-client-auth-DTLSv1-require-fail-client - -[26-client-auth-DTLSv1-require-fail-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require - -[26-client-auth-DTLSv1-require-fail-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-26] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure -Method = DTLS # =========================================================== -[27-client-auth-DTLSv1-require] -ssl_conf = 27-client-auth-DTLSv1-require-ssl +[26-client-auth-TLSv1.2-require-non-empty-names] +ssl_conf = 26-client-auth-TLSv1.2-require-non-empty-names-ssl -[27-client-auth-DTLSv1-require-ssl] -server = 27-client-auth-DTLSv1-require-server -client = 27-client-auth-DTLSv1-require-client +[26-client-auth-TLSv1.2-require-non-empty-names-ssl] +server = 26-client-auth-TLSv1.2-require-non-empty-names-server +client = 26-client-auth-TLSv1.2-require-non-empty-names-client -[27-client-auth-DTLSv1-require-server] +[26-client-auth-TLSv1.2-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ClientSignatureAlgorithms = SHA256+RSA +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[27-client-auth-DTLSv1-require-client] +[26-client-auth-TLSv1.2-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = RSA +ExpectedResult = Success + + +# =========================================================== + +[27-client-auth-TLSv1.2-noroot] +ssl_conf = 27-client-auth-TLSv1.2-noroot-ssl + +[27-client-auth-TLSv1.2-noroot-ssl] +server = 
27-client-auth-TLSv1.2-noroot-server +client = 27-client-auth-TLSv1.2-noroot-client + +[27-client-auth-TLSv1.2-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[27-client-auth-TLSv1.2-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] -ExpectedClientCANames = empty -ExpectedClientCertType = RSA -ExpectedResult = Success -Method = DTLS +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA # =========================================================== -[28-client-auth-DTLSv1-require-non-empty-names] -ssl_conf = 28-client-auth-DTLSv1-require-non-empty-names-ssl +[28-server-auth-DTLSv1] +ssl_conf = 28-server-auth-DTLSv1-ssl -[28-client-auth-DTLSv1-require-non-empty-names-ssl] -server = 28-client-auth-DTLSv1-require-non-empty-names-server -client = 28-client-auth-DTLSv1-require-non-empty-names-client +[28-server-auth-DTLSv1-ssl] +server = 28-server-auth-DTLSv1-server +client = 28-server-auth-DTLSv1-client -[28-client-auth-DTLSv1-require-non-empty-names-server] +[28-server-auth-DTLSv1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Request -[28-client-auth-DTLSv1-require-non-empty-names-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +[28-server-auth-DTLSv1-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem 
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] -ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem -ExpectedClientCertType = RSA ExpectedResult = Success Method = DTLS # =========================================================== -[29-client-auth-DTLSv1-noroot] -ssl_conf = 29-client-auth-DTLSv1-noroot-ssl +[29-client-auth-DTLSv1-request] +ssl_conf = 29-client-auth-DTLSv1-request-ssl -[29-client-auth-DTLSv1-noroot-ssl] -server = 29-client-auth-DTLSv1-noroot-server -client = 29-client-auth-DTLSv1-noroot-client +[29-client-auth-DTLSv1-request-ssl] +server = 29-client-auth-DTLSv1-request-server +client = 29-client-auth-DTLSv1-request-client -[29-client-auth-DTLSv1-noroot-server] +[29-client-auth-DTLSv1-request-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Require +VerifyMode = Request -[29-client-auth-DTLSv1-noroot-client] -Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +[29-client-auth-DTLSv1-request-client] CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 MinProtocol = DTLSv1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] -ExpectedResult = ServerFail -ExpectedServerAlert = UnknownCA -Method = DTLS - - -# =========================================================== - -[30-server-auth-DTLSv1.2] -ssl_conf = 30-server-auth-DTLSv1.2-ssl - -[30-server-auth-DTLSv1.2-ssl] -server = 30-server-auth-DTLSv1.2-server -client = 30-server-auth-DTLSv1.2-client - -[30-server-auth-DTLSv1.2-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[30-server-auth-DTLSv1.2-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = 
DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-30] ExpectedResult = Success Method = DTLS # =========================================================== -[31-client-auth-DTLSv1.2-request] -ssl_conf = 31-client-auth-DTLSv1.2-request-ssl +[30-client-auth-DTLSv1-require-fail] +ssl_conf = 30-client-auth-DTLSv1-require-fail-ssl -[31-client-auth-DTLSv1.2-request-ssl] -server = 31-client-auth-DTLSv1.2-request-server -client = 31-client-auth-DTLSv1.2-request-client +[30-client-auth-DTLSv1-require-fail-ssl] +server = 30-client-auth-DTLSv1-require-fail-server +client = 30-client-auth-DTLSv1-require-fail-client -[31-client-auth-DTLSv1.2-request-server] +[30-client-auth-DTLSv1-require-fail-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyMode = Request - -[31-client-auth-DTLSv1.2-request-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-31] -ExpectedResult = Success -Method = DTLS - - -# =========================================================== - -[32-client-auth-DTLSv1.2-require-fail] -ssl_conf = 32-client-auth-DTLSv1.2-require-fail-ssl - -[32-client-auth-DTLSv1.2-require-fail-ssl] -server = 32-client-auth-DTLSv1.2-require-fail-server -client = 32-client-auth-DTLSv1.2-require-fail-client - -[32-client-auth-DTLSv1.2-require-fail-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[32-client-auth-DTLSv1.2-require-fail-client] +[30-client-auth-DTLSv1-require-fail-client] CipherString = DEFAULT:@SECLEVEL=0 
-MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-32] +[test-30] ExpectedResult = ServerFail ExpectedServerAlert = HandshakeFailure Method = DTLS @@ -1031,32 +976,32 @@ Method = DTLS # =========================================================== -[33-client-auth-DTLSv1.2-require] -ssl_conf = 33-client-auth-DTLSv1.2-require-ssl +[31-client-auth-DTLSv1-require] +ssl_conf = 31-client-auth-DTLSv1-require-ssl -[33-client-auth-DTLSv1.2-require-ssl] -server = 33-client-auth-DTLSv1.2-require-server -client = 33-client-auth-DTLSv1.2-require-client +[31-client-auth-DTLSv1-require-ssl] +server = 31-client-auth-DTLSv1-require-server +client = 31-client-auth-DTLSv1-require-client -[33-client-auth-DTLSv1.2-require-server] +[31-client-auth-DTLSv1-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[33-client-auth-DTLSv1.2-require-client] +[31-client-auth-DTLSv1-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-33] +[test-31] ExpectedClientCANames = empty ExpectedClientCertType = RSA ExpectedResult = Success 
@@ -1065,14 +1010,203 @@ Method = DTLS # =========================================================== -[34-client-auth-DTLSv1.2-require-non-empty-names] -ssl_conf = 34-client-auth-DTLSv1.2-require-non-empty-names-ssl +[32-client-auth-DTLSv1-require-non-empty-names] +ssl_conf = 32-client-auth-DTLSv1-require-non-empty-names-ssl -[34-client-auth-DTLSv1.2-require-non-empty-names-ssl] -server = 34-client-auth-DTLSv1.2-require-non-empty-names-server -client = 34-client-auth-DTLSv1.2-require-non-empty-names-client +[32-client-auth-DTLSv1-require-non-empty-names-ssl] +server = 32-client-auth-DTLSv1-require-non-empty-names-server +client = 32-client-auth-DTLSv1-require-non-empty-names-client -[34-client-auth-DTLSv1.2-require-non-empty-names-server] +[32-client-auth-DTLSv1-require-non-empty-names-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[32-client-auth-DTLSv1-require-non-empty-names-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-32] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[33-client-auth-DTLSv1-noroot] +ssl_conf = 33-client-auth-DTLSv1-noroot-ssl + +[33-client-auth-DTLSv1-noroot-ssl] +server = 33-client-auth-DTLSv1-noroot-server +client = 33-client-auth-DTLSv1-noroot-client + +[33-client-auth-DTLSv1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = 
DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[33-client-auth-DTLSv1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-33] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA +Method = DTLS + + +# =========================================================== + +[34-server-auth-DTLSv1.2] +ssl_conf = 34-server-auth-DTLSv1.2-ssl + +[34-server-auth-DTLSv1.2-ssl] +server = 34-server-auth-DTLSv1.2-server +client = 34-server-auth-DTLSv1.2-client + +[34-server-auth-DTLSv1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[34-server-auth-DTLSv1.2-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-34] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[35-client-auth-DTLSv1.2-request] +ssl_conf = 35-client-auth-DTLSv1.2-request-ssl + +[35-client-auth-DTLSv1.2-request-ssl] +server = 35-client-auth-DTLSv1.2-request-server +client = 35-client-auth-DTLSv1.2-request-client + +[35-client-auth-DTLSv1.2-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[35-client-auth-DTLSv1.2-request-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-35] +ExpectedResult = Success 
+Method = DTLS + + +# =========================================================== + +[36-client-auth-DTLSv1.2-require-fail] +ssl_conf = 36-client-auth-DTLSv1.2-require-fail-ssl + +[36-client-auth-DTLSv1.2-require-fail-ssl] +server = 36-client-auth-DTLSv1.2-require-fail-server +client = 36-client-auth-DTLSv1.2-require-fail-client + +[36-client-auth-DTLSv1.2-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[36-client-auth-DTLSv1.2-require-fail-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-36] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure +Method = DTLS + + +# =========================================================== + +[37-client-auth-DTLSv1.2-require] +ssl_conf = 37-client-auth-DTLSv1.2-require-ssl + +[37-client-auth-DTLSv1.2-require-ssl] +server = 37-client-auth-DTLSv1.2-require-server +client = 37-client-auth-DTLSv1.2-require-client + +[37-client-auth-DTLSv1.2-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[37-client-auth-DTLSv1.2-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-37] +ExpectedClientCANames = empty +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# 
=========================================================== + +[38-client-auth-DTLSv1.2-require-non-empty-names] +ssl_conf = 38-client-auth-DTLSv1.2-require-non-empty-names-ssl + +[38-client-auth-DTLSv1.2-require-non-empty-names-ssl] +server = 38-client-auth-DTLSv1.2-require-non-empty-names-server +client = 38-client-auth-DTLSv1.2-require-non-empty-names-client + +[38-client-auth-DTLSv1.2-require-non-empty-names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -1082,7 +1216,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Request -[34-client-auth-DTLSv1.2-require-non-empty-names-client] +[38-client-auth-DTLSv1.2-require-non-empty-names-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1091,7 +1225,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-34] +[test-38] ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem ExpectedClientCertType = RSA ExpectedResult = Success @@ -1100,14 +1234,14 @@ Method = DTLS # =========================================================== -[35-client-auth-DTLSv1.2-noroot] -ssl_conf = 35-client-auth-DTLSv1.2-noroot-ssl +[39-client-auth-DTLSv1.2-noroot] +ssl_conf = 39-client-auth-DTLSv1.2-noroot-ssl -[35-client-auth-DTLSv1.2-noroot-ssl] -server = 35-client-auth-DTLSv1.2-noroot-server -client = 35-client-auth-DTLSv1.2-noroot-client +[39-client-auth-DTLSv1.2-noroot-ssl] +server = 39-client-auth-DTLSv1.2-noroot-server +client = 39-client-auth-DTLSv1.2-noroot-client -[35-client-auth-DTLSv1.2-noroot-server] +[39-client-auth-DTLSv1.2-noroot-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 
@@ -1115,7 +1249,7 @@ MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyMode = Require -[35-client-auth-DTLSv1.2-noroot-client] +[39-client-auth-DTLSv1.2-noroot-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 @@ -1124,7 +1258,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-35] +[test-39] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA Method = DTLS diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in index d908ad1c7d..57dd49b59d 100644 --- a/test/ssl-tests/04-client_auth.cnf.in +++ b/test/ssl-tests/04-client_auth.cnf.in 
@@ -155,6 +155,65 @@ sub generate_tests() {
};
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
+ # Successful handshake with client RSA-PSS cert, StrictCertCheck
+ push @tests, {
+ name => "client-auth-${protocol_name}-rsa-pss"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientCAFile" => test_pem("rootcert.pem"),
+ "VerifyCAFile" => test_pem("rootcert.pem"),
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("client-pss-restrict-cert.pem"),
+ "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
+ "Options" => "StrictCertCheck",
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA-PSS",
+ "ExpectedClientCANames" => test_pem("rootcert.pem"),
+ "Method" => $method,
+ },
+ } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
+
+ # Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA
+ push @tests, {
+ name => "client-auth-${protocol_name}-rsa-pss-bad"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientCAFile" => test_pem("rootCA.pem"),
+ "VerifyCAFile" => test_pem("rootCA.pem"),
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("client-pss-restrict-cert.pem"),
+ "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
+ "Options" => "StrictCertCheck",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ExpectedServerAlert" =>
+ ($protocol_name eq "flex"
+ && !disabled("tls1_3")
+ && (!disabled("ec") || !disabled("dh")))
+ ?
"CertificateRequired" : "HandshakeFailure", + "Method" => $method, + }, + } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex"; + # Successful handshake with client authentication non-empty names push @tests, { name => "client-auth-${protocol_name}-require-non-empty-names"
