wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update client authentication tests

Browse source 
Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper 2016-05-31 16:42:58 +02:00
parent 66bceb5f19
commit 63936115e8
5 changed files with 778 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
test/certs/ee-client-chain.pem Normal file
View file

@ -0,0 +1,37 @@
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
Fw0xNjAxMTUwODE5NTBaGA8yMTE2MDExNjA4MTk1MFowGTEXMBUGA1UEAwwOc2Vy
dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl
MA0GCSqGSIb3DQEBCwUAA4IBAQB+x23yjviJ9/n0G65xjntoPCLpsZtqId+WvN/9
sXGqRZyAnBWPFpWrf9qXdxXZpTw7KRfywnEVsUQP12XKCc9JH4tG4l/wCDaHi9qO
pLstQskcXk40gWaU83ojjchdtDFBaxR5KxC83SR669Rw9mn66bWz/6zpK9VYohVh
A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF
VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws
n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
-----END CERTIFICATE-----

2
test/recipes/80-test_ssl_new.t
View file

@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 3; # = scalar @conf_srcs
plan tests => 4; # = scalar @conf_srcs
sub test_conf {
plan tests => 3;

89
test/recipes/80-test_ssl_old.t
View file

@ -311,11 +311,8 @@ sub testss {
}
sub testssl {
my $key = shift || bldtop_file("apps","server.pem");
my $cert = shift || bldtop_file("apps","server.pem");
my $CAtmp = shift;
my ($key, $cert, $CAtmp) = @_;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
my @extra = @_;
my @ssltest = ("ssltest_old",
"-s_key", $key, "-s_cert", $cert,
@ -334,47 +331,19 @@ sub testssl {
subtest 'standard SSL tests' => sub {
######################################################################
plan tests => 29;
plan tests => 21;
SKIP: {
skip "SSLv3 is not supported by this OpenSSL build", 4
if disabled("ssl3");
ok(run(test([@ssltest, "-ssl3", @extra])),
'test sslv3');
ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
'test sslv3 with server authentication');
ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
'test sslv3 with client authentication');
ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
'test sslv3 with both server and client authentication');
}
SKIP: {
skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
if $no_anytls;
ok(run(test([@ssltest, @extra])),
'test sslv2/sslv3');
ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with client authentication');
ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with both server and client authentication');
}
SKIP: {
skip "SSLv3 is not supported by this OpenSSL build", 4
if disabled("ssl3");
ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
'test sslv3 via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
'test sslv3 with server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
'test sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
'test sslv3 with both server and client authentication via BIO pair');
}
@ -382,7 +351,7 @@ sub testssl {
skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
if $no_anytls;
ok(run(test([@ssltest, "-bio_pair", @extra])),
ok(run(test([@ssltest, "-bio_pair"])),
'test sslv2/sslv3 via BIO pair');
}
@ -390,13 +359,13 @@ sub testssl {
skip "DTLSv1 is not supported by this OpenSSL build", 4
if disabled("dtls1");
ok(run(test([@ssltest, "-dtls1", @extra])),
ok(run(test([@ssltest, "-dtls1"])),
'test dtlsv1');
ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
'test dtlsv1 with server authentication');
ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
'test dtlsv1 with client authentication');
ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
'test dtlsv1 with both server and client authentication');
}
@ -404,13 +373,13 @@ sub testssl {
skip "DTLSv1.2 is not supported by this OpenSSL build", 4
if disabled("dtls1_2");
ok(run(test([@ssltest, "-dtls12", @extra])),
ok(run(test([@ssltest, "-dtls12"])),
'test dtlsv1.2');
ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
'test dtlsv1.2 with server authentication');
ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
'test dtlsv1.2 with client authentication');
ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
'test dtlsv1.2 with both server and client authentication');
}
@ -421,32 +390,32 @@ sub testssl {
SKIP: {
skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
}
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
'test sslv2/sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
SKIP: {
skip "No IPv4 available on this machine", 1
unless !disabled("sock") && have_IPv4();
ok(run(test([@ssltest, "-ipv4", @extra])),
ok(run(test([@ssltest, "-ipv4"])),
'test TLS via IPv4');
}
SKIP: {
skip "No IPv6 available on this machine", 1
unless !disabled("sock") && have_IPv6();
ok(run(test([@ssltest, "-ipv6", @extra])),
ok(run(test([@ssltest, "-ipv6"])),
'test TLS via IPv6');
}
}
@ -525,7 +494,7 @@ sub testssl {
skip "skipping anonymous DH tests", 1
if ($no_dh);
ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
}
@ -533,13 +502,13 @@ sub testssl {
skip "skipping RSA tests", 2
if $no_rsa;
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
skip "skipping RSA+DHE tests", 1
if $no_dh;
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
}
@ -547,10 +516,10 @@ sub testssl {
skip "skipping PSK tests", 2
if ($no_psk);
ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK via BIO pair');
}
}
@ -702,7 +671,7 @@ sub testssl {
if $no_anytls;
skip "skipping multi-buffer tests", 2
if @extra || (POSIX::uname())[4] ne "x86_64";
if (POSIX::uname())[4] ne "x86_64";
ok(run(test([@ssltest, "-cipher", "AES128-SHA", "-bytes", "8m"])));

602
test/ssl-tests/04-client_auth.conf Normal file
View file

@ -0,0 +1,602 @@
# Generated with generate_ssl_tests.pl
num_tests = 20
test-0 = 0-server-auth-flex
test-1 = 1-client-auth-flex-request
test-2 = 2-client-auth-flex-require-fail
test-3 = 3-client-auth-flex-require
test-4 = 4-client-auth-flex-noroot
test-5 = 5-server-auth-TLSv1
test-6 = 6-client-auth-TLSv1-request
test-7 = 7-client-auth-TLSv1-require-fail
test-8 = 8-client-auth-TLSv1-require
test-9 = 9-client-auth-TLSv1-noroot
test-10 = 10-server-auth-TLSv1.1
test-11 = 11-client-auth-TLSv1.1-request
test-12 = 12-client-auth-TLSv1.1-require-fail
test-13 = 13-client-auth-TLSv1.1-require
test-14 = 14-client-auth-TLSv1.1-noroot
test-15 = 15-server-auth-TLSv1.2
test-16 = 16-client-auth-TLSv1.2-request
test-17 = 17-client-auth-TLSv1.2-require-fail
test-18 = 18-client-auth-TLSv1.2-require
test-19 = 19-client-auth-TLSv1.2-noroot
# ===========================================================
[0-server-auth-flex]
ssl_conf = 0-server-auth-flex-ssl
[0-server-auth-flex-ssl]
server = 0-server-auth-flex-server
client = 0-server-auth-flex-client
[0-server-auth-flex-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-server-auth-flex-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedResult = Success
# ===========================================================
[1-client-auth-flex-request]
ssl_conf = 1-client-auth-flex-request-ssl
[1-client-auth-flex-request-ssl]
server = 1-client-auth-flex-request-server
client = 1-client-auth-flex-request-client
[1-client-auth-flex-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[1-client-auth-flex-request-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedResult = Success
# ===========================================================
[2-client-auth-flex-require-fail]
ssl_conf = 2-client-auth-flex-require-fail-ssl
[2-client-auth-flex-require-fail-ssl]
server = 2-client-auth-flex-require-fail-server
client = 2-client-auth-flex-require-fail-client
[2-client-auth-flex-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[2-client-auth-flex-require-fail-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
# ===========================================================
[3-client-auth-flex-require]
ssl_conf = 3-client-auth-flex-require-ssl
[3-client-auth-flex-require-ssl]
server = 3-client-auth-flex-require-server
client = 3-client-auth-flex-require-client
[3-client-auth-flex-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[3-client-auth-flex-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedResult = Success
# ===========================================================
[4-client-auth-flex-noroot]
ssl_conf = 4-client-auth-flex-noroot-ssl
[4-client-auth-flex-noroot-ssl]
server = 4-client-auth-flex-noroot-server
client = 4-client-auth-flex-noroot-client
[4-client-auth-flex-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
[4-client-auth-flex-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
# ===========================================================
[5-server-auth-TLSv1]
ssl_conf = 5-server-auth-TLSv1-ssl
[5-server-auth-TLSv1-ssl]
server = 5-server-auth-TLSv1-server
client = 5-server-auth-TLSv1-client
[5-server-auth-TLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1
[5-server-auth-TLSv1-client]
CipherString = DEFAULT
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ExpectedResult = Success
# ===========================================================
[6-client-auth-TLSv1-request]
ssl_conf = 6-client-auth-TLSv1-request-ssl
[6-client-auth-TLSv1-request-ssl]
server = 6-client-auth-TLSv1-request-server
client = 6-client-auth-TLSv1-request-client
[6-client-auth-TLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1
VerifyMode = Request
[6-client-auth-TLSv1-request-client]
CipherString = DEFAULT
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ExpectedResult = Success
# ===========================================================
[7-client-auth-TLSv1-require-fail]
ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
[7-client-auth-TLSv1-require-fail-ssl]
server = 7-client-auth-TLSv1-require-fail-server
client = 7-client-auth-TLSv1-require-fail-client
[7-client-auth-TLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[7-client-auth-TLSv1-require-fail-client]
CipherString = DEFAULT
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
# ===========================================================
[8-client-auth-TLSv1-require]
ssl_conf = 8-client-auth-TLSv1-require-ssl
[8-client-auth-TLSv1-require-ssl]
server = 8-client-auth-TLSv1-require-server
client = 8-client-auth-TLSv1-require-client
[8-client-auth-TLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[8-client-auth-TLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedResult = Success
# ===========================================================
[9-client-auth-TLSv1-noroot]
ssl_conf = 9-client-auth-TLSv1-noroot-ssl
[9-client-auth-TLSv1-noroot-ssl]
server = 9-client-auth-TLSv1-noroot-server
client = 9-client-auth-TLSv1-noroot-client
[9-client-auth-TLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1
VerifyMode = Require
[9-client-auth-TLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
# ===========================================================
[10-server-auth-TLSv1.1]
ssl_conf = 10-server-auth-TLSv1.1-ssl
[10-server-auth-TLSv1.1-ssl]
server = 10-server-auth-TLSv1.1-server
client = 10-server-auth-TLSv1.1-client
[10-server-auth-TLSv1.1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.1
[10-server-auth-TLSv1.1-client]
CipherString = DEFAULT
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ExpectedResult = Success
# ===========================================================
[11-client-auth-TLSv1.1-request]
ssl_conf = 11-client-auth-TLSv1.1-request-ssl
[11-client-auth-TLSv1.1-request-ssl]
server = 11-client-auth-TLSv1.1-request-server
client = 11-client-auth-TLSv1.1-request-client
[11-client-auth-TLSv1.1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.1
VerifyMode = Request
[11-client-auth-TLSv1.1-request-client]
CipherString = DEFAULT
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedResult = Success
# ===========================================================
[12-client-auth-TLSv1.1-require-fail]
ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
[12-client-auth-TLSv1.1-require-fail-ssl]
server = 12-client-auth-TLSv1.1-require-fail-server
client = 12-client-auth-TLSv1.1-require-fail-client
[12-client-auth-TLSv1.1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[12-client-auth-TLSv1.1-require-fail-client]
CipherString = DEFAULT
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
# ===========================================================
[13-client-auth-TLSv1.1-require]
ssl_conf = 13-client-auth-TLSv1.1-require-ssl
[13-client-auth-TLSv1.1-require-ssl]
server = 13-client-auth-TLSv1.1-require-server
client = 13-client-auth-TLSv1.1-require-client
[13-client-auth-TLSv1.1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[13-client-auth-TLSv1.1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedResult = Success
# ===========================================================
[14-client-auth-TLSv1.1-noroot]
ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
[14-client-auth-TLSv1.1-noroot-ssl]
server = 14-client-auth-TLSv1.1-noroot-server
client = 14-client-auth-TLSv1.1-noroot-client
[14-client-auth-TLSv1.1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.1
VerifyMode = Require
[14-client-auth-TLSv1.1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-14]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
# ===========================================================
[15-server-auth-TLSv1.2]
ssl_conf = 15-server-auth-TLSv1.2-ssl
[15-server-auth-TLSv1.2-ssl]
server = 15-server-auth-TLSv1.2-server
client = 15-server-auth-TLSv1.2-client
[15-server-auth-TLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.2
[15-server-auth-TLSv1.2-client]
CipherString = DEFAULT
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-15]
ExpectedResult = Success
# ===========================================================
[16-client-auth-TLSv1.2-request]
ssl_conf = 16-client-auth-TLSv1.2-request-ssl
[16-client-auth-TLSv1.2-request-ssl]
server = 16-client-auth-TLSv1.2-request-server
client = 16-client-auth-TLSv1.2-request-client
[16-client-auth-TLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.2
VerifyMode = Request
[16-client-auth-TLSv1.2-request-client]
CipherString = DEFAULT
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-16]
ExpectedResult = Success
# ===========================================================
[17-client-auth-TLSv1.2-require-fail]
ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
[17-client-auth-TLSv1.2-require-fail-ssl]
server = 17-client-auth-TLSv1.2-require-fail-server
client = 17-client-auth-TLSv1.2-require-fail-client
[17-client-auth-TLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[17-client-auth-TLSv1.2-require-fail-client]
CipherString = DEFAULT
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-17]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
# ===========================================================
[18-client-auth-TLSv1.2-require]
ssl_conf = 18-client-auth-TLSv1.2-require-ssl
[18-client-auth-TLSv1.2-require-ssl]
server = 18-client-auth-TLSv1.2-require-server
client = 18-client-auth-TLSv1.2-require-client
[18-client-auth-TLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[18-client-auth-TLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
ExpectedResult = Success
# ===========================================================
[19-client-auth-TLSv1.2-noroot]
ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
[19-client-auth-TLSv1.2-noroot-ssl]
server = 19-client-auth-TLSv1.2-noroot-server
client = 19-client-auth-TLSv1.2-noroot-client
[19-client-auth-TLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
Protocol = TLSv1.2
VerifyMode = Require
[19-client-auth-TLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
Protocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-19]
ExpectedResult = ServerFail
ServerAlert = UnknownCA

109
test/ssl-tests/04-client_auth.conf.in Normal file
View file

@ -0,0 +1,109 @@
# -*- mode: perl; -*-
## SSL test configurations
package ssltests;
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
setup("no_test_here");
# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
our @tests = ();
my $dir_sep = $^O ne "VMS" ? "/" : "";
sub generate_tests() {
foreach (0..$#protocols) {
my $protocol = $protocols[$_];
my $protocol_name = $protocol || "flex";
if (!$is_disabled[$_]) {
# Sanity-check simple handshake.
push @tests, {
name => "server-auth-${protocol_name}",
server => {
"Protocol" => $protocol
},
client => {
"Protocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
# Handshake with client cert requested but not required or received.
push @tests, {
name => "client-auth-${protocol_name}-request",
server => {
"Protocol" => $protocol,
"VerifyMode" => "Request",
},
client => {
"Protocol" => $protocol
},
test => { "ExpectedResult" => "Success" },
};
# Handshake with client cert required but not present.
push @tests, {
name => "client-auth-${protocol_name}-require-fail",
server => {
"Protocol" => $protocol,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Require",
},
client => {
"Protocol" => $protocol,
},
test => {
"ExpectedResult" => "ServerFail",
"ServerAlert" => "HandshakeFailure",
},
};
# Successful handshake with client authentication.
push @tests, {
name => "client-auth-${protocol_name}-require",
server => {
"Protocol" => $protocol,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Request",
},
client => {
"Protocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
test => { "ExpectedResult" => "Success" },
};
# Handshake with client authentication but without the root certificate.
push @tests, {
name => "client-auth-${protocol_name}-noroot",
server => {
"Protocol" => $protocol,
"VerifyMode" => "Require",
},
client => {
"Protocol" => $protocol,
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
},
test => {
"ExpectedResult" => "ServerFail",
"ServerAlert" => "UnknownCA",
},
};
}
}
}
generate_tests();