[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Thu Mar 16 18:12:57 UTC 2017
The branch master has been updated
via 2c1b0f1e06759052eec749fadb790fa13a9a4eaf (commit)
via 2e21539b2b57df9926d165243efb60480f546ba7 (commit)
via f8f16d8ea48fd331d384dad3027a925e7dc90f0b (commit)
from 07518cfb3883d1b6ad1d5a413c78a848b6e51177 (commit)
- Log -----------------------------------------------------------------
commit 2c1b0f1e06759052eec749fadb790fa13a9a4eaf
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Mar 15 17:26:05 2017 +0000
Add Client CA names tests
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)
commit 2e21539b2b57df9926d165243efb60480f546ba7
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Mar 15 16:07:07 2017 +0000
Add ExpectedClientCANames
Add ExpectedClientCANames: for client auth this checks to see if the
list of certificate authorities supplied by the server matches the
expected value.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)
commit f8f16d8ea48fd331d384dad3027a925e7dc90f0b
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Mar 16 15:28:07 2017 +0000
Remove obsolete version test when returning CA names.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_cert.c | 10 +-
test/README.ssltest.md | 4 +
test/build.info | 2 +-
test/handshake_helper.c | 8 +
test/handshake_helper.h | 2 +
test/ssl-tests/04-client_auth.conf | 687 ++++++++++++++++++++++------------
test/ssl-tests/04-client_auth.conf.in | 28 ++
test/ssl-tests/20-cert-select.conf.in | 18 +
test/ssl_test.c | 57 +++
test/ssl_test_ctx.c | 18 +
test/ssl_test_ctx.h | 2 +
11 files changed, 595 insertions(+), 241 deletions(-)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 70aa697..50b2e64 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -506,15 +506,15 @@ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
if (!s->server) { /* we are in the client */
- if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL))
- return (s->s3->tmp.ca_names);
+ if (s->s3 != NULL)
+ return s->s3->tmp.ca_names;
else
- return (NULL);
+ return NULL;
} else {
if (s->client_CA != NULL)
- return (s->client_CA);
+ return s->client_CA;
else
- return (s->ctx->client_CA);
+ return s->ctx->client_CA;
}
}
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index a326967..0d6f466 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -98,6 +98,10 @@ handshake.
* ExpectedServerSignType, ExpectedClientSignType - the expected
signature type used by server or client when signing messages
+* ExpectedClientCANames - for client auth list of CA names the server must
+ send. If this is "empty" the list is expected to be empty otherwise it
+ is a file of certificates whose subject names form the list.
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/build.info b/test/build.info
index 104d3a5..9f2f950 100644
--- a/test/build.info
+++ b/test/build.info
@@ -236,7 +236,7 @@ IF[{- !$disabled{tests} -}]
SOURCE[ssl_test_ctx_test]=ssl_test_ctx_test.c ssl_test_ctx.c testutil.c test_main_custom.c
INCLUDE[ssl_test_ctx_test]=.. ../include
- DEPEND[ssl_test_ctx_test]=../libcrypto
+ DEPEND[ssl_test_ctx_test]=../libcrypto ../libssl
SOURCE[ssl_test]=ssl_test.c ssl_test_ctx.c testutil.c handshake_helper.c test_main_custom.c
INCLUDE[ssl_test]=.. ../include
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 30fd479..4bccac1 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -34,6 +34,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result)
OPENSSL_free(result->server_npn_negotiated);
OPENSSL_free(result->client_alpn_negotiated);
OPENSSL_free(result->server_alpn_negotiated);
+ sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free);
OPENSSL_free(result);
}
@@ -1122,6 +1123,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
/* API dictates unsigned int rather than size_t. */
unsigned int proto_len = 0;
EVP_PKEY *tmp_key;
+ STACK_OF(X509_NAME) *names;
memset(&server_ctx_data, 0, sizeof(server_ctx_data));
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
@@ -1295,6 +1297,12 @@ static HANDSHAKE_RESULT *do_handshake_internal(
SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type);
SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type);
+ names = SSL_get_client_CA_list(client.ssl);
+ if (names == NULL)
+ ret->client_ca_names = NULL;
+ else
+ ret->client_ca_names = SSL_dup_CA_list(names);
+
ret->server_cert_type = peer_pkey_type(client.ssl);
ret->client_cert_type = peer_pkey_type(server.ssl);
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 1f079c9..a7df584 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -58,6 +58,8 @@ typedef struct handshake_result {
int client_sign_hash;
/* client signature type */
int client_sign_type;
+ /* Client CA names */
+ STACK_OF(X509_NAME) *client_ca_names;
} HANDSHAKE_RESULT;
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index ef65d71..5696394 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -1,37 +1,43 @@
# Generated with generate_ssl_tests.pl
-num_tests = 30
+num_tests = 36
test-0 = 0-server-auth-flex
test-1 = 1-client-auth-flex-request
test-2 = 2-client-auth-flex-require-fail
test-3 = 3-client-auth-flex-require
-test-4 = 4-client-auth-flex-noroot
-test-5 = 5-server-auth-TLSv1
-test-6 = 6-client-auth-TLSv1-request
-test-7 = 7-client-auth-TLSv1-require-fail
-test-8 = 8-client-auth-TLSv1-require
-test-9 = 9-client-auth-TLSv1-noroot
-test-10 = 10-server-auth-TLSv1.1
-test-11 = 11-client-auth-TLSv1.1-request
-test-12 = 12-client-auth-TLSv1.1-require-fail
-test-13 = 13-client-auth-TLSv1.1-require
-test-14 = 14-client-auth-TLSv1.1-noroot
-test-15 = 15-server-auth-TLSv1.2
-test-16 = 16-client-auth-TLSv1.2-request
-test-17 = 17-client-auth-TLSv1.2-require-fail
-test-18 = 18-client-auth-TLSv1.2-require
-test-19 = 19-client-auth-TLSv1.2-noroot
-test-20 = 20-server-auth-DTLSv1
-test-21 = 21-client-auth-DTLSv1-request
-test-22 = 22-client-auth-DTLSv1-require-fail
-test-23 = 23-client-auth-DTLSv1-require
-test-24 = 24-client-auth-DTLSv1-noroot
-test-25 = 25-server-auth-DTLSv1.2
-test-26 = 26-client-auth-DTLSv1.2-request
-test-27 = 27-client-auth-DTLSv1.2-require-fail
-test-28 = 28-client-auth-DTLSv1.2-require
-test-29 = 29-client-auth-DTLSv1.2-noroot
+test-4 = 4-client-auth-flex-require-non-empty-names
+test-5 = 5-client-auth-flex-noroot
+test-6 = 6-server-auth-TLSv1
+test-7 = 7-client-auth-TLSv1-request
+test-8 = 8-client-auth-TLSv1-require-fail
+test-9 = 9-client-auth-TLSv1-require
+test-10 = 10-client-auth-TLSv1-require-non-empty-names
+test-11 = 11-client-auth-TLSv1-noroot
+test-12 = 12-server-auth-TLSv1.1
+test-13 = 13-client-auth-TLSv1.1-request
+test-14 = 14-client-auth-TLSv1.1-require-fail
+test-15 = 15-client-auth-TLSv1.1-require
+test-16 = 16-client-auth-TLSv1.1-require-non-empty-names
+test-17 = 17-client-auth-TLSv1.1-noroot
+test-18 = 18-server-auth-TLSv1.2
+test-19 = 19-client-auth-TLSv1.2-request
+test-20 = 20-client-auth-TLSv1.2-require-fail
+test-21 = 21-client-auth-TLSv1.2-require
+test-22 = 22-client-auth-TLSv1.2-require-non-empty-names
+test-23 = 23-client-auth-TLSv1.2-noroot
+test-24 = 24-server-auth-DTLSv1
+test-25 = 25-client-auth-DTLSv1-request
+test-26 = 26-client-auth-DTLSv1-require-fail
+test-27 = 27-client-auth-DTLSv1-require
+test-28 = 28-client-auth-DTLSv1-require-non-empty-names
+test-29 = 29-client-auth-DTLSv1-noroot
+test-30 = 30-server-auth-DTLSv1.2
+test-31 = 31-client-auth-DTLSv1.2-request
+test-32 = 32-client-auth-DTLSv1.2-require-fail
+test-33 = 33-client-auth-DTLSv1.2-require
+test-34 = 34-client-auth-DTLSv1.2-require-non-empty-names
+test-35 = 35-client-auth-DTLSv1.2-noroot
# ===========================================================
[0-server-auth-flex]
@@ -129,26 +135,29 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
+ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedResult = Success
# ===========================================================
-[4-client-auth-flex-noroot]
-ssl_conf = 4-client-auth-flex-noroot-ssl
+[4-client-auth-flex-require-non-empty-names]
+ssl_conf = 4-client-auth-flex-require-non-empty-names-ssl
-[4-client-auth-flex-noroot-ssl]
-server = 4-client-auth-flex-noroot-server
-client = 4-client-auth-flex-noroot-client
+[4-client-auth-flex-require-non-empty-names-ssl]
+server = 4-client-auth-flex-require-non-empty-names-server
+client = 4-client-auth-flex-require-non-empty-names-client
-[4-client-auth-flex-noroot-server]
+[4-client-auth-flex-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyMode = Require
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
-[4-client-auth-flex-noroot-client]
+[4-client-auth-flex-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@@ -156,47 +165,75 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[5-client-auth-flex-noroot]
+ssl_conf = 5-client-auth-flex-noroot-ssl
+
+[5-client-auth-flex-noroot-ssl]
+server = 5-client-auth-flex-noroot-server
+client = 5-client-auth-flex-noroot-client
+
+[5-client-auth-flex-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+[5-client-auth-flex-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
# ===========================================================
-[5-server-auth-TLSv1]
-ssl_conf = 5-server-auth-TLSv1-ssl
+[6-server-auth-TLSv1]
+ssl_conf = 6-server-auth-TLSv1-ssl
-[5-server-auth-TLSv1-ssl]
-server = 5-server-auth-TLSv1-server
-client = 5-server-auth-TLSv1-client
+[6-server-auth-TLSv1-ssl]
+server = 6-server-auth-TLSv1-server
+client = 6-server-auth-TLSv1-client
-[5-server-auth-TLSv1-server]
+[6-server-auth-TLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-server-auth-TLSv1-client]
+[6-server-auth-TLSv1-client]
CipherString = DEFAULT
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-5]
+[test-6]
ExpectedResult = Success
# ===========================================================
-[6-client-auth-TLSv1-request]
-ssl_conf = 6-client-auth-TLSv1-request-ssl
+[7-client-auth-TLSv1-request]
+ssl_conf = 7-client-auth-TLSv1-request-ssl
-[6-client-auth-TLSv1-request-ssl]
-server = 6-client-auth-TLSv1-request-server
-client = 6-client-auth-TLSv1-request-client
+[7-client-auth-TLSv1-request-ssl]
+server = 7-client-auth-TLSv1-request-server
+client = 7-client-auth-TLSv1-request-client
-[6-client-auth-TLSv1-request-server]
+[7-client-auth-TLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -204,27 +241,27 @@ MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
-[6-client-auth-TLSv1-request-client]
+[7-client-auth-TLSv1-request-client]
CipherString = DEFAULT
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-6]
+[test-7]
ExpectedResult = Success
# ===========================================================
-[7-client-auth-TLSv1-require-fail]
-ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
+[8-client-auth-TLSv1-require-fail]
+ssl_conf = 8-client-auth-TLSv1-require-fail-ssl
-[7-client-auth-TLSv1-require-fail-ssl]
-server = 7-client-auth-TLSv1-require-fail-server
-client = 7-client-auth-TLSv1-require-fail-client
+[8-client-auth-TLSv1-require-fail-ssl]
+server = 8-client-auth-TLSv1-require-fail-server
+client = 8-client-auth-TLSv1-require-fail-client
-[7-client-auth-TLSv1-require-fail-server]
+[8-client-auth-TLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -233,28 +270,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[7-client-auth-TLSv1-require-fail-client]
+[8-client-auth-TLSv1-require-fail-client]
CipherString = DEFAULT
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-7]
+[test-8]
ExpectedResult = ServerFail
ExpectedServerAlert = HandshakeFailure
# ===========================================================
-[8-client-auth-TLSv1-require]
-ssl_conf = 8-client-auth-TLSv1-require-ssl
+[9-client-auth-TLSv1-require]
+ssl_conf = 9-client-auth-TLSv1-require-ssl
-[8-client-auth-TLSv1-require-ssl]
-server = 8-client-auth-TLSv1-require-server
-client = 8-client-auth-TLSv1-require-client
+[9-client-auth-TLSv1-require-ssl]
+server = 9-client-auth-TLSv1-require-server
+client = 9-client-auth-TLSv1-require-client
-[8-client-auth-TLSv1-require-server]
+[9-client-auth-TLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -263,7 +300,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[8-client-auth-TLSv1-require-client]
+[9-client-auth-TLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -272,21 +309,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-8]
+[test-9]
+ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedResult = Success
# ===========================================================
-[9-client-auth-TLSv1-noroot]
-ssl_conf = 9-client-auth-TLSv1-noroot-ssl
+[10-client-auth-TLSv1-require-non-empty-names]
+ssl_conf = 10-client-auth-TLSv1-require-non-empty-names-ssl
-[9-client-auth-TLSv1-noroot-ssl]
-server = 9-client-auth-TLSv1-noroot-server
-client = 9-client-auth-TLSv1-noroot-client
+[10-client-auth-TLSv1-require-non-empty-names-ssl]
+server = 10-client-auth-TLSv1-require-non-empty-names-server
+client = 10-client-auth-TLSv1-require-non-empty-names-client
-[9-client-auth-TLSv1-noroot-server]
+[10-client-auth-TLSv1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[10-client-auth-TLSv1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-10]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[11-client-auth-TLSv1-noroot]
+ssl_conf = 11-client-auth-TLSv1-noroot-ssl
+
+[11-client-auth-TLSv1-noroot-ssl]
+server = 11-client-auth-TLSv1-noroot-server
+client = 11-client-auth-TLSv1-noroot-client
+
+[11-client-auth-TLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -294,7 +366,7 @@ MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
-[9-client-auth-TLSv1-noroot-client]
+[11-client-auth-TLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
@@ -303,48 +375,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-9]
+[test-11]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
# ===========================================================
-[10-server-auth-TLSv1.1]
-ssl_conf = 10-server-auth-TLSv1.1-ssl
+[12-server-auth-TLSv1.1]
+ssl_conf = 12-server-auth-TLSv1.1-ssl
-[10-server-auth-TLSv1.1-ssl]
-server = 10-server-auth-TLSv1.1-server
-client = 10-server-auth-TLSv1.1-client
+[12-server-auth-TLSv1.1-ssl]
+server = 12-server-auth-TLSv1.1-server
+client = 12-server-auth-TLSv1.1-client
-[10-server-auth-TLSv1.1-server]
+[12-server-auth-TLSv1.1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-server-auth-TLSv1.1-client]
+[12-server-auth-TLSv1.1-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-10]
+[test-12]
ExpectedResult = Success
# ===========================================================
-[11-client-auth-TLSv1.1-request]
-ssl_conf = 11-client-auth-TLSv1.1-request-ssl
+[13-client-auth-TLSv1.1-request]
+ssl_conf = 13-client-auth-TLSv1.1-request-ssl
-[11-client-auth-TLSv1.1-request-ssl]
-server = 11-client-auth-TLSv1.1-request-server
-client = 11-client-auth-TLSv1.1-request-client
+[13-client-auth-TLSv1.1-request-ssl]
+server = 13-client-auth-TLSv1.1-request-server
+client = 13-client-auth-TLSv1.1-request-client
-[11-client-auth-TLSv1.1-request-server]
+[13-client-auth-TLSv1.1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -352,27 +424,27 @@ MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
-[11-client-auth-TLSv1.1-request-client]
+[13-client-auth-TLSv1.1-request-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-11]
+[test-13]
ExpectedResult = Success
# ===========================================================
-[12-client-auth-TLSv1.1-require-fail]
-ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
+[14-client-auth-TLSv1.1-require-fail]
+ssl_conf = 14-client-auth-TLSv1.1-require-fail-ssl
-[12-client-auth-TLSv1.1-require-fail-ssl]
-server = 12-client-auth-TLSv1.1-require-fail-server
-client = 12-client-auth-TLSv1.1-require-fail-client
+[14-client-auth-TLSv1.1-require-fail-ssl]
+server = 14-client-auth-TLSv1.1-require-fail-server
+client = 14-client-auth-TLSv1.1-require-fail-client
-[12-client-auth-TLSv1.1-require-fail-server]
+[14-client-auth-TLSv1.1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -381,28 +453,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[12-client-auth-TLSv1.1-require-fail-client]
+[14-client-auth-TLSv1.1-require-fail-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-12]
+[test-14]
ExpectedResult = ServerFail
ExpectedServerAlert = HandshakeFailure
# ===========================================================
-[13-client-auth-TLSv1.1-require]
-ssl_conf = 13-client-auth-TLSv1.1-require-ssl
+[15-client-auth-TLSv1.1-require]
+ssl_conf = 15-client-auth-TLSv1.1-require-ssl
-[13-client-auth-TLSv1.1-require-ssl]
-server = 13-client-auth-TLSv1.1-require-server
-client = 13-client-auth-TLSv1.1-require-client
+[15-client-auth-TLSv1.1-require-ssl]
+server = 15-client-auth-TLSv1.1-require-server
+client = 15-client-auth-TLSv1.1-require-client
-[13-client-auth-TLSv1.1-require-server]
+[15-client-auth-TLSv1.1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -411,7 +483,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[13-client-auth-TLSv1.1-require-client]
+[15-client-auth-TLSv1.1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -420,21 +492,56 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-13]
+[test-15]
+ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedResult = Success
# ===========================================================
-[14-client-auth-TLSv1.1-noroot]
-ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
+[16-client-auth-TLSv1.1-require-non-empty-names]
+ssl_conf = 16-client-auth-TLSv1.1-require-non-empty-names-ssl
-[14-client-auth-TLSv1.1-noroot-ssl]
-server = 14-client-auth-TLSv1.1-noroot-server
-client = 14-client-auth-TLSv1.1-noroot-client
+[16-client-auth-TLSv1.1-require-non-empty-names-ssl]
+server = 16-client-auth-TLSv1.1-require-non-empty-names-server
+client = 16-client-auth-TLSv1.1-require-non-empty-names-client
-[14-client-auth-TLSv1.1-noroot-server]
+[16-client-auth-TLSv1.1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[16-client-auth-TLSv1.1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[17-client-auth-TLSv1.1-noroot]
+ssl_conf = 17-client-auth-TLSv1.1-noroot-ssl
+
+[17-client-auth-TLSv1.1-noroot-ssl]
+server = 17-client-auth-TLSv1.1-noroot-server
+client = 17-client-auth-TLSv1.1-noroot-client
+
+[17-client-auth-TLSv1.1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -442,7 +549,7 @@ MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
-[14-client-auth-TLSv1.1-noroot-client]
+[17-client-auth-TLSv1.1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
@@ -451,48 +558,48 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-14]
+[test-17]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
# ===========================================================
-[15-server-auth-TLSv1.2]
-ssl_conf = 15-server-auth-TLSv1.2-ssl
+[18-server-auth-TLSv1.2]
+ssl_conf = 18-server-auth-TLSv1.2-ssl
-[15-server-auth-TLSv1.2-ssl]
-server = 15-server-auth-TLSv1.2-server
-client = 15-server-auth-TLSv1.2-client
+[18-server-auth-TLSv1.2-ssl]
+server = 18-server-auth-TLSv1.2-server
+client = 18-server-auth-TLSv1.2-client
-[15-server-auth-TLSv1.2-server]
+[18-server-auth-TLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-server-auth-TLSv1.2-client]
+[18-server-auth-TLSv1.2-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-15]
+[test-18]
ExpectedResult = Success
# ===========================================================
-[16-client-auth-TLSv1.2-request]
-ssl_conf = 16-client-auth-TLSv1.2-request-ssl
+[19-client-auth-TLSv1.2-request]
+ssl_conf = 19-client-auth-TLSv1.2-request-ssl
-[16-client-auth-TLSv1.2-request-ssl]
-server = 16-client-auth-TLSv1.2-request-server
-client = 16-client-auth-TLSv1.2-request-client
+[19-client-auth-TLSv1.2-request-ssl]
+server = 19-client-auth-TLSv1.2-request-server
+client = 19-client-auth-TLSv1.2-request-client
-[16-client-auth-TLSv1.2-request-server]
+[19-client-auth-TLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
@@ -500,27 +607,27 @@ MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
-[16-client-auth-TLSv1.2-request-client]
+[19-client-auth-TLSv1.2-request-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-16]
+[test-19]
ExpectedResult = Success
# ===========================================================
-[17-client-auth-TLSv1.2-require-fail]
-ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
+[20-client-auth-TLSv1.2-require-fail]
+ssl_conf = 20-client-auth-TLSv1.2-require-fail-ssl
-[17-client-auth-TLSv1.2-require-fail-ssl]
-server = 17-client-auth-TLSv1.2-require-fail-server
-client = 17-client-auth-TLSv1.2-require-fail-client
+[20-client-auth-TLSv1.2-require-fail-ssl]
+server = 20-client-auth-TLSv1.2-require-fail-server
+client = 20-client-auth-TLSv1.2-require-fail-client
-[17-client-auth-TLSv1.2-require-fail-server]
+[20-client-auth-TLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
@@ -529,28 +636,28 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[17-client-auth-TLSv1.2-require-fail-client]
+[20-client-auth-TLSv1.2-require-fail-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-17]
+[test-20]
ExpectedResult = ServerFail
ExpectedServerAlert = HandshakeFailure
# ===========================================================
-[18-client-auth-TLSv1.2-require]
-ssl_conf = 18-client-auth-TLSv1.2-require-ssl
+[21-client-auth-TLSv1.2-require]
+ssl_conf = 21-client-auth-TLSv1.2-require-ssl
-[18-client-auth-TLSv1.2-require-ssl]
-server = 18-client-auth-TLSv1.2-require-server
-client = 18-client-auth-TLSv1.2-require-client
+[21-client-auth-TLSv1.2-require-ssl]
+server = 21-client-auth-TLSv1.2-require-server
+client = 21-client-auth-TLSv1.2-require-client
-[18-client-auth-TLSv1.2-require-server]
+[21-client-auth-TLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ClientSignatureAlgorithms = SHA256+RSA
@@ -560,7 +667,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[18-client-auth-TLSv1.2-require-client]
+[21-client-auth-TLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
@@ -569,7 +676,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-18]
+[test-21]
+ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedClientSignHash = SHA256
ExpectedClientSignType = RSA
@@ -578,14 +686,51 @@ ExpectedResult = Success
# ===========================================================
-[19-client-auth-TLSv1.2-noroot]
-ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
+[22-client-auth-TLSv1.2-require-non-empty-names]
+ssl_conf = 22-client-auth-TLSv1.2-require-non-empty-names-ssl
-[19-client-auth-TLSv1.2-noroot-ssl]
-server = 19-client-auth-TLSv1.2-noroot-server
-client = 19-client-auth-TLSv1.2-noroot-client
+[22-client-auth-TLSv1.2-require-non-empty-names-ssl]
+server = 22-client-auth-TLSv1.2-require-non-empty-names-server
+client = 22-client-auth-TLSv1.2-require-non-empty-names-client
-[19-client-auth-TLSv1.2-noroot-server]
+[22-client-auth-TLSv1.2-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ClientSignatureAlgorithms = SHA256+RSA
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[22-client-auth-TLSv1.2-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[23-client-auth-TLSv1.2-noroot]
+ssl_conf = 23-client-auth-TLSv1.2-noroot-ssl
+
+[23-client-auth-TLSv1.2-noroot-ssl]
+server = 23-client-auth-TLSv1.2-noroot-server
+client = 23-client-auth-TLSv1.2-noroot-client
+
+[23-client-auth-TLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
@@ -593,7 +738,7 @@ MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
-[19-client-auth-TLSv1.2-noroot-client]
+[23-client-auth-TLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
@@ -602,49 +747,49 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-19]
+[test-23]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
# ===========================================================
-[20-server-auth-DTLSv1]
-ssl_conf = 20-server-auth-DTLSv1-ssl
+[24-server-auth-DTLSv1]
+ssl_conf = 24-server-auth-DTLSv1-ssl
-[20-server-auth-DTLSv1-ssl]
-server = 20-server-auth-DTLSv1-server
-client = 20-server-auth-DTLSv1-client
+[24-server-auth-DTLSv1-ssl]
+server = 24-server-auth-DTLSv1-server
+client = 24-server-auth-DTLSv1-client
-[20-server-auth-DTLSv1-server]
+[24-server-auth-DTLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[20-server-auth-DTLSv1-client]
+[24-server-auth-DTLSv1-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-20]
+[test-24]
ExpectedResult = Success
Method = DTLS
# ===========================================================
-[21-client-auth-DTLSv1-request]
-ssl_conf = 21-client-auth-DTLSv1-request-ssl
+[25-client-auth-DTLSv1-request]
+ssl_conf = 25-client-auth-DTLSv1-request-ssl
-[21-client-auth-DTLSv1-request-ssl]
-server = 21-client-auth-DTLSv1-request-server
-client = 21-client-auth-DTLSv1-request-client
+[25-client-auth-DTLSv1-request-ssl]
+server = 25-client-auth-DTLSv1-request-server
+client = 25-client-auth-DTLSv1-request-client
-[21-client-auth-DTLSv1-request-server]
+[25-client-auth-DTLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -652,28 +797,28 @@ MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
-[21-client-auth-DTLSv1-request-client]
+[25-client-auth-DTLSv1-request-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-21]
+[test-25]
ExpectedResult = Success
Method = DTLS
# ===========================================================
-[22-client-auth-DTLSv1-require-fail]
-ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl
+[26-client-auth-DTLSv1-require-fail]
+ssl_conf = 26-client-auth-DTLSv1-require-fail-ssl
-[22-client-auth-DTLSv1-require-fail-ssl]
-server = 22-client-auth-DTLSv1-require-fail-server
-client = 22-client-auth-DTLSv1-require-fail-client
+[26-client-auth-DTLSv1-require-fail-ssl]
+server = 26-client-auth-DTLSv1-require-fail-server
+client = 26-client-auth-DTLSv1-require-fail-client
-[22-client-auth-DTLSv1-require-fail-server]
+[26-client-auth-DTLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -682,14 +827,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[22-client-auth-DTLSv1-require-fail-client]
+[26-client-auth-DTLSv1-require-fail-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-22]
+[test-26]
ExpectedResult = ServerFail
ExpectedServerAlert = HandshakeFailure
Method = DTLS
@@ -697,14 +842,14 @@ Method = DTLS
# ===========================================================
-[23-client-auth-DTLSv1-require]
-ssl_conf = 23-client-auth-DTLSv1-require-ssl
+[27-client-auth-DTLSv1-require]
+ssl_conf = 27-client-auth-DTLSv1-require-ssl
-[23-client-auth-DTLSv1-require-ssl]
-server = 23-client-auth-DTLSv1-require-server
-client = 23-client-auth-DTLSv1-require-client
+[27-client-auth-DTLSv1-require-ssl]
+server = 27-client-auth-DTLSv1-require-server
+client = 27-client-auth-DTLSv1-require-client
-[23-client-auth-DTLSv1-require-server]
+[27-client-auth-DTLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -713,7 +858,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[23-client-auth-DTLSv1-require-client]
+[27-client-auth-DTLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -722,7 +867,43 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-23]
+[test-27]
+ExpectedClientCANames = empty
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[28-client-auth-DTLSv1-require-non-empty-names]
+ssl_conf = 28-client-auth-DTLSv1-require-non-empty-names-ssl
+
+[28-client-auth-DTLSv1-require-non-empty-names-ssl]
+server = 28-client-auth-DTLSv1-require-non-empty-names-server
+client = 28-client-auth-DTLSv1-require-non-empty-names-client
+
+[28-client-auth-DTLSv1-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[28-client-auth-DTLSv1-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-28]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
ExpectedClientCertType = RSA
ExpectedResult = Success
Method = DTLS
@@ -730,14 +911,14 @@ Method = DTLS
# ===========================================================
-[24-client-auth-DTLSv1-noroot]
-ssl_conf = 24-client-auth-DTLSv1-noroot-ssl
+[29-client-auth-DTLSv1-noroot]
+ssl_conf = 29-client-auth-DTLSv1-noroot-ssl
-[24-client-auth-DTLSv1-noroot-ssl]
-server = 24-client-auth-DTLSv1-noroot-server
-client = 24-client-auth-DTLSv1-noroot-client
+[29-client-auth-DTLSv1-noroot-ssl]
+server = 29-client-auth-DTLSv1-noroot-server
+client = 29-client-auth-DTLSv1-noroot-client
-[24-client-auth-DTLSv1-noroot-server]
+[29-client-auth-DTLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -745,7 +926,7 @@ MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
-[24-client-auth-DTLSv1-noroot-client]
+[29-client-auth-DTLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
@@ -754,7 +935,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-24]
+[test-29]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
Method = DTLS
@@ -762,42 +943,42 @@ Method = DTLS
# ===========================================================
-[25-server-auth-DTLSv1.2]
-ssl_conf = 25-server-auth-DTLSv1.2-ssl
+[30-server-auth-DTLSv1.2]
+ssl_conf = 30-server-auth-DTLSv1.2-ssl
-[25-server-auth-DTLSv1.2-ssl]
-server = 25-server-auth-DTLSv1.2-server
-client = 25-server-auth-DTLSv1.2-client
+[30-server-auth-DTLSv1.2-ssl]
+server = 30-server-auth-DTLSv1.2-server
+client = 30-server-auth-DTLSv1.2-client
-[25-server-auth-DTLSv1.2-server]
+[30-server-auth-DTLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[25-server-auth-DTLSv1.2-client]
+[30-server-auth-DTLSv1.2-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-25]
+[test-30]
ExpectedResult = Success
Method = DTLS
# ===========================================================
-[26-client-auth-DTLSv1.2-request]
-ssl_conf = 26-client-auth-DTLSv1.2-request-ssl
+[31-client-auth-DTLSv1.2-request]
+ssl_conf = 31-client-auth-DTLSv1.2-request-ssl
-[26-client-auth-DTLSv1.2-request-ssl]
-server = 26-client-auth-DTLSv1.2-request-server
-client = 26-client-auth-DTLSv1.2-request-client
+[31-client-auth-DTLSv1.2-request-ssl]
+server = 31-client-auth-DTLSv1.2-request-server
+client = 31-client-auth-DTLSv1.2-request-client
-[26-client-auth-DTLSv1.2-request-server]
+[31-client-auth-DTLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -805,28 +986,28 @@ MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
-[26-client-auth-DTLSv1.2-request-client]
+[31-client-auth-DTLSv1.2-request-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-26]
+[test-31]
ExpectedResult = Success
Method = DTLS
# ===========================================================
-[27-client-auth-DTLSv1.2-require-fail]
-ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl
+[32-client-auth-DTLSv1.2-require-fail]
+ssl_conf = 32-client-auth-DTLSv1.2-require-fail-ssl
-[27-client-auth-DTLSv1.2-require-fail-ssl]
-server = 27-client-auth-DTLSv1.2-require-fail-server
-client = 27-client-auth-DTLSv1.2-require-fail-client
+[32-client-auth-DTLSv1.2-require-fail-ssl]
+server = 32-client-auth-DTLSv1.2-require-fail-server
+client = 32-client-auth-DTLSv1.2-require-fail-client
-[27-client-auth-DTLSv1.2-require-fail-server]
+[32-client-auth-DTLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -835,14 +1016,14 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[27-client-auth-DTLSv1.2-require-fail-client]
+[32-client-auth-DTLSv1.2-require-fail-client]
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-27]
+[test-32]
ExpectedResult = ServerFail
ExpectedServerAlert = HandshakeFailure
Method = DTLS
@@ -850,14 +1031,14 @@ Method = DTLS
# ===========================================================
-[28-client-auth-DTLSv1.2-require]
-ssl_conf = 28-client-auth-DTLSv1.2-require-ssl
+[33-client-auth-DTLSv1.2-require]
+ssl_conf = 33-client-auth-DTLSv1.2-require-ssl
-[28-client-auth-DTLSv1.2-require-ssl]
-server = 28-client-auth-DTLSv1.2-require-server
-client = 28-client-auth-DTLSv1.2-require-client
+[33-client-auth-DTLSv1.2-require-ssl]
+server = 33-client-auth-DTLSv1.2-require-server
+client = 33-client-auth-DTLSv1.2-require-client
-[28-client-auth-DTLSv1.2-require-server]
+[33-client-auth-DTLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -866,7 +1047,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
-[28-client-auth-DTLSv1.2-require-client]
+[33-client-auth-DTLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -875,7 +1056,8 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-28]
+[test-33]
+ExpectedClientCANames = empty
ExpectedClientCertType = RSA
ExpectedResult = Success
Method = DTLS
@@ -883,14 +1065,49 @@ Method = DTLS
# ===========================================================
-[29-client-auth-DTLSv1.2-noroot]
-ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl
+[34-client-auth-DTLSv1.2-require-non-empty-names]
+ssl_conf = 34-client-auth-DTLSv1.2-require-non-empty-names-ssl
-[29-client-auth-DTLSv1.2-noroot-ssl]
-server = 29-client-auth-DTLSv1.2-noroot-server
-client = 29-client-auth-DTLSv1.2-noroot-client
+[34-client-auth-DTLSv1.2-require-non-empty-names-ssl]
+server = 34-client-auth-DTLSv1.2-require-non-empty-names-server
+client = 34-client-auth-DTLSv1.2-require-non-empty-names-client
-[29-client-auth-DTLSv1.2-noroot-server]
+[34-client-auth-DTLSv1.2-require-non-empty-names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[34-client-auth-DTLSv1.2-require-non-empty-names-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-34]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[35-client-auth-DTLSv1.2-noroot]
+ssl_conf = 35-client-auth-DTLSv1.2-noroot-ssl
+
+[35-client-auth-DTLSv1.2-noroot-ssl]
+server = 35-client-auth-DTLSv1.2-noroot-server
+client = 35-client-auth-DTLSv1.2-noroot-client
+
+[35-client-auth-DTLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -898,7 +1115,7 @@ MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
-[29-client-auth-DTLSv1.2-noroot-client]
+[35-client-auth-DTLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
@@ -907,7 +1124,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-29]
+[test-35]
ExpectedResult = ServerFail
ExpectedServerAlert = UnknownCA
Method = DTLS
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index abe6ad4..3da76a3 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -119,6 +119,34 @@ sub generate_tests() {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignType" => $clisigtype,
"ExpectedClientSignHash" => $clihash,
+ "ExpectedClientCANames" => "empty",
+ "Method" => $method,
+ },
+ };
+
+ # Successful handshake with client authentication non-empty names
+ push @tests, {
+ name => "client-auth-${protocol_name}-require-non-empty-names",
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientSignatureAlgorithms" => $clisigalgs,
+ "ClientCAFile" => test_pem("root-cert.pem"),
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Request",
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignType" => $clisigtype,
+ "ExpectedClientSignHash" => $clihash,
+ "ExpectedClientCANames" => test_pem("root-cert.pem"),
"Method" => $method,
},
};
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 3d50f02..1d92e68 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -316,6 +316,24 @@ my @tests_tls_1_3 = (
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "ClientCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 948eb17..387f3a6 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -255,6 +255,62 @@ static int check_client_sign_type(HANDSHAKE_RESULT *result,
result->client_sign_type);
}
+static void print_ca_names(STACK_OF(X509_NAME) *names)
+{
+ BIO *err;
+ int i;
+
+ if (names == NULL || sk_X509_NAME_num(names) == 0) {
+ fprintf(stderr, " <empty>\n");
+ return;
+ }
+ err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ for (i = 0; i < sk_X509_NAME_num(names); i++) {
+ X509_NAME_print_ex(err, sk_X509_NAME_value(names, i), 4,
+ XN_FLAG_ONELINE);
+ BIO_puts(err, "\n");
+ }
+ BIO_free(err);
+}
+
+static int check_ca_names(const char *name,
+ STACK_OF(X509_NAME) *expected_names,
+ STACK_OF(X509_NAME) *names)
+{
+ int i;
+
+ if (expected_names == NULL)
+ return 1;
+ if (names == NULL || sk_X509_NAME_num(names) == 0) {
+ if (sk_X509_NAME_num(expected_names) == 0)
+ return 1;
+ goto err;
+ }
+ if (sk_X509_NAME_num(names) != sk_X509_NAME_num(expected_names))
+ goto err;
+ for (i = 0; i < sk_X509_NAME_num(names); i++) {
+ if (X509_NAME_cmp(sk_X509_NAME_value(names, i),
+ sk_X509_NAME_value(expected_names, i)) != 0) {
+ goto err;
+ }
+ }
+ return 1;
+ err:
+ fprintf(stderr, "%s: list mismatch\nExpected Names:\n", name);
+ print_ca_names(expected_names);
+ fprintf(stderr, "Received Names:\n");
+ print_ca_names(names);
+ return 0;
+}
+
+static int check_client_ca_names(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_ca_names("Client CA names",
+ test_ctx->expected_client_ca_names,
+ result->client_ca_names);
+}
+
/*
* This could be further simplified by constructing an expected
* HANDSHAKE_RESULT, and implementing comparison methods for
@@ -283,6 +339,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
ret &= check_client_cert_type(result, test_ctx);
ret &= check_client_sign_hash(result, test_ctx);
ret &= check_client_sign_type(result, test_ctx);
+ ret &= check_client_ca_names(result, test_ctx);
}
return ret;
}
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 3e3be9e..7189777 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -535,6 +535,22 @@ __owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx,
value);
}
+__owur static int parse_expected_ca_names(STACK_OF(X509_NAME) **pnames,
+ const char *value)
+{
+ if (value == NULL)
+ return 0;
+ if (!strcmp(value, "empty"))
+ *pnames = sk_X509_NAME_new_null();
+ else
+ *pnames = SSL_load_client_CA_file(value);
+ return *pnames != NULL;
+}
+__owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_ca_names(&test_ctx->expected_client_ca_names, value);
+}
/* Known test options and their corresponding parse methods. */
@@ -567,6 +583,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ExpectedClientCertType", &parse_expected_client_cert_type },
{ "ExpectedClientSignHash", &parse_expected_client_sign_hash },
{ "ExpectedClientSignType", &parse_expected_client_sign_type },
+ { "ExpectedClientCANames", &parse_expected_client_ca_names },
};
/* Nested client options. */
@@ -644,6 +661,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
ssl_test_ctx_free_extra_data(ctx);
OPENSSL_free(ctx->expected_npn_protocol);
OPENSSL_free(ctx->expected_alpn_protocol);
+ sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
OPENSSL_free(ctx);
}
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 3d8f72b..0b37b15 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -194,6 +194,8 @@ typedef struct {
int expected_client_sign_hash;
/* Expected client signature type */
int expected_client_sign_type;
+ /* Expected CA names for client auth */
+ STACK_OF(X509_NAME) *expected_client_ca_names;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
More information about the openssl-commits
mailing list