[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed Feb 7 21:41:49 UTC 2018


The branch master has been updated
       via  4af26979480a42e267ff686210bb63b1ebdd0eab (commit)
       via  04e3bb045f9b407d1ec681cfbeab4da8e53d750a (commit)
       via  0f41dc0e9e9e6a8c2a43fa6af5fdf5359283e2ba (commit)
       via  f518cef40c431188b4910ca9bd8ef3778f599bb5 (commit)
      from  c517ac4c3f6d48cf35b75f148515ce7f3677a03b (commit)


- Log -----------------------------------------------------------------
commit 4af26979480a42e267ff686210bb63b1ebdd0eab
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 7 14:53:31 2018 +0000

    Don't run tls13encryptiontest on a shared Windows build
    
    tls13encryptiontest is an "internal" test. As with all the other internal
    tests it should not be run on a shared native Windows build.
    
    [extended tests]
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5266)

commit 04e3bb045f9b407d1ec681cfbeab4da8e53d750a
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 7 14:20:31 2018 +0000

    Fix some undefined behaviour in ossltest engine
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5266)

commit 0f41dc0e9e9e6a8c2a43fa6af5fdf5359283e2ba
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 7 10:55:02 2018 +0000

    Fix clienthellotest with TLSv1.3
    
    If TLSv1.3 is enabled and combined with other options that extend the
    size of the ClientHello, then the clienthello test can sometimes fail
    because the ClientHello has grown too large. Part of the purpose of the
    test is to check that the padding extension works properly. This requires
    the ClientHello size to be kept within certain bounds.
    
    By restricting the number of ciphersuites sent we can reduce the size of
    the ClientHello.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5266)

commit f518cef40c431188b4910ca9bd8ef3778f599bb5
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 6 17:27:25 2018 +0000

    Enable TLSv1.3 by default
    
    [extended tests]
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5266)

-----------------------------------------------------------------------

Summary of changes:
 .travis.yml                             |    2 +-
 CHANGES                                 |   20 +
 Configure                               |    2 -
 INSTALL                                 |   27 +-
 NEWS                                    |    1 +
 engines/e_ossltest.c                    |   16 +-
 test/clienthellotest.c                  |    9 +
 test/recipes/80-test_ssl_new.t          |    2 +-
 test/recipes/90-test_tls13encryption.t  |    3 +
 test/ssl-tests/02-protocol-version.conf |  478 ++++++----
 test/ssl-tests/10-resumption.conf       | 1473 ++++++++++++++++++++++++++-----
 test/ssl-tests/20-cert-select.conf      |  543 +++++++++++-
 test/ssl-tests/22-compression.conf      |  178 +++-
 13 files changed, 2290 insertions(+), 464 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index b361059..cfc11b6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,7 +43,7 @@ matrix:
                   sources:
                       - ubuntu-toolchain-r-test
           compiler: gcc-5
-          env: CONFIG_OPTS="--strict-warnings enable-tls1_3" TESTS="-test_fuzz" COMMENT="Move to the BORINGTEST build when interoperable"
+          env: CONFIG_OPTS="--strict-warnings" TESTS="-test_fuzz" COMMENT="Move to the BORINGTEST build when interoperable"
         - os: linux
           compiler: clang-3.9
           env: CONFIG_OPTS="--strict-warnings no-deprecated" BUILDONLY="yes"
diff --git a/CHANGES b/CHANGES
index f0807c6..178c6c4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,26 @@
 
  Changes between 1.1.0f and 1.1.1 [xx XXX xxxx]
 
+  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
+     version of OpenSSL should review their configuration settings to ensure
+     that they are still appropriate for TLSv1.3. In particular if no TLSv1.3
+     ciphersuites are enabled then OpenSSL will refuse to make a connection
+     unless (1) TLSv1.3 is explicitly disabled or (2) the ciphersuite
+     configuration is updated to include suitable ciphersuites. The DEFAULT
+     ciphersuite configuration does include TLSv1.3 ciphersuites. For further
+     information on this and other related issues please see:
+     https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
+
+     NOTE: In this pre-release of OpenSSL a draft version of the
+     TLSv1.3 standard has been implemented. Implementations of different draft
+     versions of the standard do not inter-operate, and this version will not
+     inter-operate with an implementation of the final standard when it is
+     eventually published. Different pre-release versions may implement
+     different versions of the draft. The final version of OpenSSL 1.1.1 will
+     implement the final version of the standard.
+     TODO(TLS1.3): Remove the above note before final release
+     [Matt Caswell]
+
   *) Changed Configure so it only says what it does and doesn't dump
      so much data.  Instead, ./configdata.pm should be used as a script
      to display all sorts of configuration data.
diff --git a/Configure b/Configure
index a6f5a31..c90a66c 100755
--- a/Configure
+++ b/Configure
@@ -435,8 +435,6 @@ our %disabled = ( # "what"         => "comment"
 		  "ssl3"                => "default",
 		  "ssl3-method"         => "default",
                   "ubsan"		=> "default",
-          #TODO(TLS1.3): Temporarily disabled while this is a WIP
-		  "tls1_3"              => "default",
 		  "tls13downgrade"      => "default",
 		  "unit-test"           => "default",
 		  "weak-ssl-ciphers"    => "default",
diff --git a/INSTALL b/INSTALL
index 48c25e6..9d1f90d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -482,27 +482,24 @@
                    likely to complement configuration command line with
                    suitable compiler-specific option.
 
-  enable-tls1_3
-                   TODO(TLS1.3): Make this enabled by default
-                   Build support for TLS1.3. Note: This is a WIP feature and
-                   only a single draft version is supported.  Implementations
-                   of different draft versions will negotiate TLS 1.2 instead
-                   of (draft) TLS 1.3.  Use with caution!!
-
   no-<prot>
                    Don't build support for negotiating the specified SSL/TLS
-                   protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
-                   dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
-                   tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
-                   disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
-                   with "no-ssl3". Note this only affects version negotiation.
-                   OpenSSL will still provide the methods for applications to
-                   explicitly select the individual protocol versions.
+                   protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2,
+                   tls1_3, dtls, dtls1 or dtls1_2). If "no-tls" is selected then
+                   all of tls1, tls1_1, tls1_2 and tls1_3 are disabled.
+                   Similarly "no-dtls" will disable dtls1 and dtls1_2. The
+                   "no-ssl" option is synonymous with "no-ssl3". Note this only
+                   affects version negotiation. OpenSSL will still provide the
+                   methods for applications to explicitly select the individual
+                   protocol versions.
 
   no-<prot>-method
                    As for no-<prot> but in addition do not build the methods for
                    applications to explicitly select individual protocol
-                   versions.
+                   versions. Note that there is no "no-tls1_3-method" option
+                   because there is no application method for TLSv1.3. Using
+                   invidivial protocol methods directly is deprecated.
+                   Applications should use TLS_method() instead.
 
   enable-<alg>
                    Build with support for the specified algorithm, where <alg>
diff --git a/NEWS b/NEWS
index 0fb5314..425fbd5 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
 
   Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.1 [under development]
 
+      o Support for TLSv1.3 added
       o Move the display of configuration data to configdata.pm.
       o Allow GNU style "make variables" to be used with Configure.
       o Add a STORE module (OSSL_STORE)
diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
index d3d6998..8fc056a 100644
--- a/engines/e_ossltest.c
+++ b/engines/e_ossltest.c
@@ -593,17 +593,21 @@ int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     int ret;
 
     tmpbuf = OPENSSL_malloc(inl);
-    if (tmpbuf == NULL)
+
+    /* OPENSSL_malloc will return NULL if inl == 0 */
+    if (tmpbuf == NULL && inl > 0)
         return -1;
 
     /* Remember what we were asked to encrypt */
-    memcpy(tmpbuf, in, inl);
+    if (tmpbuf != NULL)
+        memcpy(tmpbuf, in, inl);
 
     /* Go through the motions of encrypting it */
     ret = EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_cbc())(ctx, out, in, inl);
 
     /* Throw it all away and just use the plaintext as the output */
-    memcpy(out, tmpbuf, inl);
+    if (tmpbuf != NULL)
+        memcpy(out, tmpbuf, inl);
     OPENSSL_free(tmpbuf);
 
     return ret;
@@ -626,13 +630,15 @@ int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         return -1;
 
     /* Remember what we were asked to encrypt */
-    memcpy(tmpbuf, in, inl);
+    if (tmpbuf != NULL)
+        memcpy(tmpbuf, in, inl);
 
     /* Go through the motions of encrypting it */
     EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_gcm())(ctx, out, in, inl);
 
     /* Throw it all away and just use the plaintext as the output */
-    memcpy(out, tmpbuf, inl);
+    if (tmpbuf != NULL)
+        memcpy(out, tmpbuf, inl);
     OPENSSL_free(tmpbuf);
 
     return inl;
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index 88e0a1c..f3e9588 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -87,6 +87,15 @@ static int test_client_hello(int currtest)
         break;
 
     case TEST_ADD_PADDING_AND_PSK:
+        /*
+         * In this case we're doing TLSv1.3 and we're sending a PSK so the
+         * ClientHello is already going to be quite long. To avoid getting one
+         * that is too long for this test we use a restricted ciphersuite list
+         */
+        if (!TEST_true(SSL_CTX_set_cipher_list(ctx,
+                                               "TLS13-AES-128-GCM-SHA256")))
+            goto end;
+         /* Fall through */
     case TEST_ADD_PADDING:
     case TEST_PADDING_NOT_NEEDED:
         SSL_CTX_set_options(ctx, SSL_OP_TLSEXT_PADDING);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index be03388..26bcb39 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -34,7 +34,7 @@ plan tests => 26;  # = scalar @conf_srcs
 # verify generated sources in the default configuration.
 my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
                       !disabled("tls1_1") && !disabled("tls1_2") &&
-                      disabled("tls1_3"));
+                      !disabled("tls1_3"));
 
 my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
 
diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t
index 63e62db..3fb4810 100644
--- a/test/recipes/90-test_tls13encryption.t
+++ b/test/recipes/90-test_tls13encryption.t
@@ -15,6 +15,9 @@ setup($test_name);
 plan skip_all => "$test_name is not supported in this build"
     if disabled("tls1_3");
 
+plan skip_all => "This test is unsupported in a shared library build on Windows"
+    if $^O eq 'MSWin32' && !disabled("shared");
+
 plan tests => 1;
 
 ok(run(test(["tls13encryptiontest"])), "running tls13encryptiontest");
diff --git a/test/ssl-tests/02-protocol-version.conf b/test/ssl-tests/02-protocol-version.conf
index f18d6a3..d0a64cd 100644
--- a/test/ssl-tests/02-protocol-version.conf
+++ b/test/ssl-tests/02-protocol-version.conf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 676
+num_tests = 678
 
 test-0 = 0-version-negotiation
 test-1 = 1-version-negotiation
@@ -678,6 +678,8 @@ test-672 = 672-version-negotiation
 test-673 = 673-version-negotiation
 test-674 = 674-version-negotiation
 test-675 = 675-version-negotiation
+test-676 = 676-ciphersuite-sanity-check-client
+test-677 = 677-ciphersuite-sanity-check-server
 # ===========================================================
 
 [0-version-negotiation]
@@ -3515,7 +3517,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-108]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3540,7 +3542,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-109]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3674,7 +3676,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-114]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3700,7 +3702,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-115]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3808,7 +3810,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-119]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3834,7 +3836,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-120]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3915,7 +3917,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-123]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3941,7 +3943,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-124]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -3995,7 +3997,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-126]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4021,7 +4023,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-127]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4048,7 +4050,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-128]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -4073,7 +4076,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-129]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -4196,7 +4200,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-134]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4220,7 +4224,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-135]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4349,7 +4353,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-140]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4374,7 +4378,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-141]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4478,7 +4482,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-145]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4503,7 +4507,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-146]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4581,7 +4585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-149]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4606,7 +4610,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-150]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4658,7 +4662,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-152]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4683,7 +4687,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-153]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -4709,7 +4713,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-154]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -4733,7 +4738,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-155]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -7682,7 +7688,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-264]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -7708,7 +7714,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-265]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -7847,7 +7853,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-270]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -7874,7 +7880,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-271]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -7986,7 +7992,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-275]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8013,7 +8019,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-276]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8097,7 +8103,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-279]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8124,7 +8130,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-280]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8180,7 +8186,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-282]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8207,7 +8213,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-283]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8235,7 +8241,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-284]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -8261,7 +8268,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-285]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -8389,7 +8397,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-290]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8414,7 +8422,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-291]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8548,7 +8556,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-296]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8574,7 +8582,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-297]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8682,7 +8690,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-301]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8708,7 +8716,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-302]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8789,7 +8797,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-305]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8815,7 +8823,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-306]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8869,7 +8877,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-308]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8895,7 +8903,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-309]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -8922,7 +8930,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-310]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -8947,7 +8956,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-311]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -11206,7 +11216,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-394]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11232,7 +11242,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-395]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11371,7 +11381,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-400]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11398,7 +11408,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-401]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11510,7 +11520,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-405]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11537,7 +11547,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-406]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11621,7 +11631,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-409]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11648,7 +11658,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-410]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11704,7 +11714,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-412]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11731,7 +11741,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-413]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11759,7 +11769,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-414]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -11785,7 +11796,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-415]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -11913,7 +11925,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-420]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -11938,7 +11950,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-421]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12072,7 +12084,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-426]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12098,7 +12110,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-427]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12206,7 +12218,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-431]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12232,7 +12244,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-432]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12313,7 +12325,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-435]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12339,7 +12351,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-436]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12393,7 +12405,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-438]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12419,7 +12431,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-439]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -12446,7 +12458,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-440]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -12471,7 +12484,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-441]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -13938,7 +13952,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-495]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -14018,7 +14032,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-498]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14044,7 +14058,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-499]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14099,7 +14113,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-501]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -14182,7 +14196,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-504]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14209,7 +14223,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-505]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14237,7 +14251,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-506]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -14320,7 +14334,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-509]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14347,7 +14361,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-510]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14431,7 +14445,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-513]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14458,7 +14472,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-514]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14514,7 +14528,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-516]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14541,7 +14555,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-517]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14569,7 +14583,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-518]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -14595,7 +14610,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-519]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -14645,7 +14661,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-521]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -14722,7 +14738,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-524]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14747,7 +14763,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-525]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14800,7 +14816,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-527]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -14880,7 +14896,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-530]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14906,7 +14922,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-531]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -14933,7 +14949,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-532]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -15013,7 +15029,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-535]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15039,7 +15055,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-536]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15120,7 +15136,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-539]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15146,7 +15162,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-540]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15200,7 +15216,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-542]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15226,7 +15242,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-543]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -15253,7 +15269,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-544]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -15278,7 +15295,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-545]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -16035,7 +16053,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-573]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16061,7 +16079,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-574]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16114,7 +16132,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-576]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16140,7 +16158,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-577]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16195,7 +16213,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-579]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16222,7 +16240,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-580]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16277,7 +16295,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-582]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16304,7 +16322,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-583]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16332,7 +16350,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-584]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16359,7 +16377,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-585]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16414,7 +16432,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-587]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16441,7 +16459,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-588]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16469,7 +16487,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-589]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16524,7 +16542,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-591]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16551,7 +16569,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-592]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16607,7 +16625,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-594]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16634,7 +16652,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-595]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16662,7 +16680,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-596]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -16688,7 +16707,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-597]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -16738,7 +16758,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-599]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16763,7 +16783,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-600]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16814,7 +16834,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-602]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16839,7 +16859,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-603]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16892,7 +16912,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-605]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16918,7 +16938,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-606]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -16971,7 +16991,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-608]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -16997,7 +17017,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-609]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17024,7 +17044,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-610]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17050,7 +17070,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-611]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17103,7 +17123,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-613]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17129,7 +17149,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-614]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17156,7 +17176,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-615]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17209,7 +17229,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-617]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17235,7 +17255,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-618]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17289,7 +17309,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-620]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17315,7 +17335,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-621]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 ExpectedResult = Success
 
 
@@ -17342,7 +17362,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-622]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17367,7 +17388,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-623]
-ExpectedResult = ServerFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17393,7 +17415,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-624]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17419,7 +17441,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-625]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17445,7 +17467,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-626]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17471,7 +17493,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-627]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17497,7 +17519,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-628]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17522,7 +17545,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-629]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17549,7 +17573,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-630]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17576,7 +17600,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-631]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17603,7 +17627,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-632]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17630,7 +17654,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-633]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17657,7 +17681,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-634]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17683,7 +17708,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-635]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17710,7 +17736,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-636]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17737,7 +17763,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-637]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17764,7 +17790,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-638]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17791,7 +17817,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-639]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17817,7 +17844,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-640]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17844,7 +17872,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-641]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17871,7 +17899,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-642]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17898,7 +17926,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-643]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17924,7 +17953,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-644]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -17951,7 +17981,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-645]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -17978,7 +18008,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-646]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18004,7 +18035,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-647]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18031,7 +18063,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-648]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18057,7 +18090,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-649]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18082,7 +18116,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-650]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18107,7 +18141,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-651]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18132,7 +18166,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-652]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18157,7 +18191,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-653]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18182,7 +18216,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-654]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18206,7 +18241,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-655]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18232,7 +18268,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-656]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18258,7 +18294,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-657]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18284,7 +18320,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-658]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18310,7 +18346,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-659]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18336,7 +18372,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-660]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18361,7 +18398,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-661]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18387,7 +18425,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-662]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18413,7 +18451,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-663]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18439,7 +18477,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-664]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18465,7 +18503,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-665]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18490,7 +18529,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-666]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18516,7 +18556,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-667]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18542,7 +18582,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-668]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18568,7 +18608,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-669]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18593,7 +18634,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-670]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18619,7 +18661,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-671]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -18645,7 +18687,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-672]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18670,7 +18713,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-673]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18696,7 +18740,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-674]
-ExpectedResult = ClientFail
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
 
 
 # ===========================================================
@@ -18721,6 +18766,55 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-675]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[676-ciphersuite-sanity-check-client]
+ssl_conf = 676-ciphersuite-sanity-check-client-ssl
+
+[676-ciphersuite-sanity-check-client-ssl]
+server = 676-ciphersuite-sanity-check-client-server
+client = 676-ciphersuite-sanity-check-client-client
+
+[676-ciphersuite-sanity-check-client-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[676-ciphersuite-sanity-check-client-client]
+CipherString = AES128-SHA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-676]
 ExpectedResult = ClientFail
 
 
+# ===========================================================
+
+[677-ciphersuite-sanity-check-server]
+ssl_conf = 677-ciphersuite-sanity-check-server-ssl
+
+[677-ciphersuite-sanity-check-server-ssl]
+server = 677-ciphersuite-sanity-check-server-server
+client = 677-ciphersuite-sanity-check-server-client
+
+[677-ciphersuite-sanity-check-server-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = AES128-SHA
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[677-ciphersuite-sanity-check-server-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-677]
+ExpectedResult = ServerFail
+
+
diff --git a/test/ssl-tests/10-resumption.conf b/test/ssl-tests/10-resumption.conf
index b2deee4..73955de 100644
--- a/test/ssl-tests/10-resumption.conf
+++ b/test/ssl-tests/10-resumption.conf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 36
+num_tests = 65
 
 test-0 = 0-resumption
 test-1 = 1-resumption
@@ -38,6 +38,35 @@ test-32 = 32-resumption
 test-33 = 33-resumption
 test-34 = 34-resumption
 test-35 = 35-resumption
+test-36 = 36-resumption
+test-37 = 37-resumption
+test-38 = 38-resumption
+test-39 = 39-resumption
+test-40 = 40-resumption
+test-41 = 41-resumption
+test-42 = 42-resumption
+test-43 = 43-resumption
+test-44 = 44-resumption
+test-45 = 45-resumption
+test-46 = 46-resumption
+test-47 = 47-resumption
+test-48 = 48-resumption
+test-49 = 49-resumption
+test-50 = 50-resumption
+test-51 = 51-resumption
+test-52 = 52-resumption
+test-53 = 53-resumption
+test-54 = 54-resumption
+test-55 = 55-resumption
+test-56 = 56-resumption
+test-57 = 57-resumption
+test-58 = 58-resumption
+test-59 = 59-resumption
+test-60 = 60-resumption
+test-61 = 61-resumption
+test-62 = 62-resumption
+test-63 = 63-resumption
+test-64 = 64-resumption-with-hrr
 # ===========================================================
 
 [0-resumption]
@@ -268,15 +297,15 @@ resume-client = 6-resumption-client
 [6-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [6-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
+MaxProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [6-resumption-client]
@@ -285,7 +314,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-6]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -304,15 +333,15 @@ resume-client = 7-resumption-client
 [7-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [7-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
+MaxProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [7-resumption-client]
@@ -321,7 +350,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-7]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -348,7 +377,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [8-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [8-resumption-client]
@@ -357,9 +386,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-8]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -384,7 +413,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [9-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [9-resumption-client]
@@ -393,9 +422,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-9]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -420,7 +449,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [10-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [10-resumption-client]
@@ -429,9 +458,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -456,7 +485,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [11-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [11-resumption-client]
@@ -465,9 +494,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -484,15 +513,15 @@ resume-client = 12-resumption-client
 [12-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [12-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [12-resumption-client]
@@ -501,7 +530,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.2
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -520,15 +549,15 @@ resume-client = 13-resumption-client
 [13-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [13-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [13-resumption-client]
@@ -537,7 +566,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.2
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -556,15 +585,15 @@ resume-client = 14-resumption-client
 [14-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [14-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [14-resumption-client]
@@ -573,7 +602,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-14]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -592,15 +621,15 @@ resume-client = 15-resumption-client
 [15-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [15-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [15-resumption-client]
@@ -609,7 +638,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-15]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -636,7 +665,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [16-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [16-resumption-client]
@@ -645,9 +674,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -672,7 +701,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [17-resumption-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [17-resumption-client]
@@ -681,9 +710,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-17]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -694,32 +723,32 @@ ssl_conf = 18-resumption-ssl
 [18-resumption-ssl]
 server = 18-resumption-server
 client = 18-resumption-client
-resume-server = 18-resumption-server
-resume-client = 18-resumption-resume-client
+resume-server = 18-resumption-resume-server
+resume-client = 18-resumption-client
 
 [18-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[18-resumption-client]
+[18-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[18-resumption-resume-client]
+[18-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-18]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -730,32 +759,32 @@ ssl_conf = 19-resumption-ssl
 [19-resumption-ssl]
 server = 19-resumption-server
 client = 19-resumption-client
-resume-server = 19-resumption-server
-resume-client = 19-resumption-resume-client
+resume-server = 19-resumption-resume-server
+resume-client = 19-resumption-client
 
 [19-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-resumption-client]
+[19-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-resumption-resume-client]
+[19-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-19]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -766,32 +795,32 @@ ssl_conf = 20-resumption-ssl
 [20-resumption-ssl]
 server = 20-resumption-server
 client = 20-resumption-client
-resume-server = 20-resumption-server
-resume-client = 20-resumption-resume-client
+resume-server = 20-resumption-resume-server
+resume-client = 20-resumption-client
 
 [20-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-resumption-client]
+[20-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-resumption-resume-client]
+[20-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-20]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1.2
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -802,32 +831,32 @@ ssl_conf = 21-resumption-ssl
 [21-resumption-ssl]
 server = 21-resumption-server
 client = 21-resumption-client
-resume-server = 21-resumption-server
-resume-client = 21-resumption-resume-client
+resume-server = 21-resumption-resume-server
+resume-client = 21-resumption-client
 
 [21-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[21-resumption-client]
+[21-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[21-resumption-resume-client]
+[21-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-21]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1.2
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -838,30 +867,30 @@ ssl_conf = 22-resumption-ssl
 [22-resumption-ssl]
 server = 22-resumption-server
 client = 22-resumption-client
-resume-server = 22-resumption-server
-resume-client = 22-resumption-resume-client
+resume-server = 22-resumption-resume-server
+resume-client = 22-resumption-client
 
 [22-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[22-resumption-client]
+[22-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[22-resumption-resume-client]
+[22-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-22]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -874,30 +903,30 @@ ssl_conf = 23-resumption-ssl
 [23-resumption-ssl]
 server = 23-resumption-server
 client = 23-resumption-client
-resume-server = 23-resumption-server
-resume-client = 23-resumption-resume-client
+resume-server = 23-resumption-resume-server
+resume-client = 23-resumption-client
 
 [23-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[23-resumption-client]
+[23-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1
-MinProtocol = TLSv1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[23-resumption-resume-client]
+[23-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-23]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
 ResumptionExpected = No
 
@@ -910,25 +939,25 @@ ssl_conf = 24-resumption-ssl
 [24-resumption-ssl]
 server = 24-resumption-server
 client = 24-resumption-client
-resume-server = 24-resumption-server
-resume-client = 24-resumption-resume-client
+resume-server = 24-resumption-resume-server
+resume-client = 24-resumption-client
 
 [24-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[24-resumption-client]
+[24-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[24-resumption-resume-client]
+[24-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -946,25 +975,25 @@ ssl_conf = 25-resumption-ssl
 [25-resumption-ssl]
 server = 25-resumption-server
 client = 25-resumption-client
-resume-server = 25-resumption-server
-resume-client = 25-resumption-resume-client
+resume-server = 25-resumption-resume-server
+resume-client = 25-resumption-client
 
 [25-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-resumption-client]
+[25-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-resumption-resume-client]
+[25-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -982,32 +1011,32 @@ ssl_conf = 26-resumption-ssl
 [26-resumption-ssl]
 server = 26-resumption-server
 client = 26-resumption-client
-resume-server = 26-resumption-server
-resume-client = 26-resumption-resume-client
+resume-server = 26-resumption-resume-server
+resume-client = 26-resumption-client
 
 [26-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[26-resumption-client]
+[26-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[26-resumption-resume-client]
+[26-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-26]
 ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -1018,32 +1047,32 @@ ssl_conf = 27-resumption-ssl
 [27-resumption-ssl]
 server = 27-resumption-server
 client = 27-resumption-client
-resume-server = 27-resumption-server
-resume-client = 27-resumption-resume-client
+resume-server = 27-resumption-resume-server
+resume-client = 27-resumption-client
 
 [27-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[27-resumption-client]
+[27-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[27-resumption-resume-client]
+[27-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-27]
 ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -1054,25 +1083,25 @@ ssl_conf = 28-resumption-ssl
 [28-resumption-ssl]
 server = 28-resumption-server
 client = 28-resumption-client
-resume-server = 28-resumption-server
-resume-client = 28-resumption-resume-client
+resume-server = 28-resumption-resume-server
+resume-client = 28-resumption-client
 
 [28-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[28-resumption-client]
+[28-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[28-resumption-resume-client]
+[28-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -1090,25 +1119,25 @@ ssl_conf = 29-resumption-ssl
 [29-resumption-ssl]
 server = 29-resumption-server
 client = 29-resumption-client
-resume-server = 29-resumption-server
-resume-client = 29-resumption-resume-client
+resume-server = 29-resumption-resume-server
+resume-client = 29-resumption-client
 
 [29-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[29-resumption-client]
+[29-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
-MinProtocol = TLSv1.1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[29-resumption-resume-client]
+[29-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -1126,32 +1155,32 @@ ssl_conf = 30-resumption-ssl
 [30-resumption-ssl]
 server = 30-resumption-server
 client = 30-resumption-client
-resume-server = 30-resumption-server
-resume-client = 30-resumption-resume-client
+resume-server = 30-resumption-resume-server
+resume-client = 30-resumption-client
 
 [30-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[30-resumption-client]
+[30-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[30-resumption-resume-client]
+[30-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-30]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -1162,32 +1191,32 @@ ssl_conf = 31-resumption-ssl
 [31-resumption-ssl]
 server = 31-resumption-server
 client = 31-resumption-client
-resume-server = 31-resumption-server
-resume-client = 31-resumption-resume-client
+resume-server = 31-resumption-resume-server
+resume-client = 31-resumption-client
 
 [31-resumption-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 Options = -SessionTicket
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[31-resumption-client]
+[31-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[31-resumption-resume-client]
+[31-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-31]
-ExpectedProtocol = TLSv1
+ExpectedProtocol = TLSv1.3
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -1209,21 +1238,21 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [32-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [32-resumption-resume-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-32]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -1245,21 +1274,21 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [33-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [33-resumption-resume-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.1
+MaxProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-33]
-ExpectedProtocol = TLSv1.1
+ExpectedProtocol = TLSv1
 HandshakeMode = Resume
-ResumptionExpected = No
+ResumptionExpected = Yes
 
 
 # ===========================================================
@@ -1281,21 +1310,21 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [34-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [34-resumption-resume-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-34]
-ExpectedProtocol = TLSv1.2
+ExpectedProtocol = TLSv1.1
 HandshakeMode = Resume
-ResumptionExpected = Yes
+ResumptionExpected = No
 
 
 # ===========================================================
@@ -1317,20 +1346,1062 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [35-resumption-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [35-resumption-resume-client]
 CipherString = DEFAULT
-MaxProtocol = TLSv1.2
+MaxProtocol = TLSv1.1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-35]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[36-resumption]
+ssl_conf = 36-resumption-ssl
+
+[36-resumption-ssl]
+server = 36-resumption-server
+client = 36-resumption-client
+resume-server = 36-resumption-server
+resume-client = 36-resumption-resume-client
+
+[36-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[36-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[36-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-36]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[37-resumption]
+ssl_conf = 37-resumption-ssl
+
+[37-resumption-ssl]
+server = 37-resumption-server
+client = 37-resumption-client
+resume-server = 37-resumption-server
+resume-client = 37-resumption-resume-client
+
+[37-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[37-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[37-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-37]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[38-resumption]
+ssl_conf = 38-resumption-ssl
+
+[38-resumption-ssl]
+server = 38-resumption-server
+client = 38-resumption-client
+resume-server = 38-resumption-server
+resume-client = 38-resumption-resume-client
+
+[38-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[38-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[38-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-38]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[39-resumption]
+ssl_conf = 39-resumption-ssl
+
+[39-resumption-ssl]
+server = 39-resumption-server
+client = 39-resumption-client
+resume-server = 39-resumption-server
+resume-client = 39-resumption-resume-client
+
+[39-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[39-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[39-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-39]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[40-resumption]
+ssl_conf = 40-resumption-ssl
+
+[40-resumption-ssl]
+server = 40-resumption-server
+client = 40-resumption-client
+resume-server = 40-resumption-server
+resume-client = 40-resumption-resume-client
+
+[40-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[40-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[40-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-40]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[41-resumption]
+ssl_conf = 41-resumption-ssl
+
+[41-resumption-ssl]
+server = 41-resumption-server
+client = 41-resumption-client
+resume-server = 41-resumption-server
+resume-client = 41-resumption-resume-client
+
+[41-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[41-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[41-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-41]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[42-resumption]
+ssl_conf = 42-resumption-ssl
+
+[42-resumption-ssl]
+server = 42-resumption-server
+client = 42-resumption-client
+resume-server = 42-resumption-server
+resume-client = 42-resumption-resume-client
+
+[42-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[42-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[42-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-42]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[43-resumption]
+ssl_conf = 43-resumption-ssl
+
+[43-resumption-ssl]
+server = 43-resumption-server
+client = 43-resumption-client
+resume-server = 43-resumption-server
+resume-client = 43-resumption-resume-client
+
+[43-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[43-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[43-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-43]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[44-resumption]
+ssl_conf = 44-resumption-ssl
+
+[44-resumption-ssl]
+server = 44-resumption-server
+client = 44-resumption-client
+resume-server = 44-resumption-server
+resume-client = 44-resumption-resume-client
+
+[44-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[44-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[44-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-44]
 ExpectedProtocol = TLSv1.2
 HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[45-resumption]
+ssl_conf = 45-resumption-ssl
+
+[45-resumption-ssl]
+server = 45-resumption-server
+client = 45-resumption-client
+resume-server = 45-resumption-server
+resume-client = 45-resumption-resume-client
+
+[45-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[45-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[45-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-45]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[46-resumption]
+ssl_conf = 46-resumption-ssl
+
+[46-resumption-ssl]
+server = 46-resumption-server
+client = 46-resumption-client
+resume-server = 46-resumption-server
+resume-client = 46-resumption-resume-client
+
+[46-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[46-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[46-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-46]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[47-resumption]
+ssl_conf = 47-resumption-ssl
+
+[47-resumption-ssl]
+server = 47-resumption-server
+client = 47-resumption-client
+resume-server = 47-resumption-server
+resume-client = 47-resumption-resume-client
+
+[47-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[47-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+MinProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[47-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-47]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[48-resumption]
+ssl_conf = 48-resumption-ssl
+
+[48-resumption-ssl]
+server = 48-resumption-server
+client = 48-resumption-client
+resume-server = 48-resumption-server
+resume-client = 48-resumption-resume-client
+
+[48-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[48-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[48-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-48]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[49-resumption]
+ssl_conf = 49-resumption-ssl
+
+[49-resumption-ssl]
+server = 49-resumption-server
+client = 49-resumption-client
+resume-server = 49-resumption-server
+resume-client = 49-resumption-resume-client
+
+[49-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[49-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[49-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-49]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[50-resumption]
+ssl_conf = 50-resumption-ssl
+
+[50-resumption-ssl]
+server = 50-resumption-server
+client = 50-resumption-client
+resume-server = 50-resumption-server
+resume-client = 50-resumption-resume-client
+
+[50-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[50-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[50-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-50]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[51-resumption]
+ssl_conf = 51-resumption-ssl
+
+[51-resumption-ssl]
+server = 51-resumption-server
+client = 51-resumption-client
+resume-server = 51-resumption-server
+resume-client = 51-resumption-resume-client
+
+[51-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[51-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[51-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-51]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[52-resumption]
+ssl_conf = 52-resumption-ssl
+
+[52-resumption-ssl]
+server = 52-resumption-server
+client = 52-resumption-client
+resume-server = 52-resumption-server
+resume-client = 52-resumption-resume-client
+
+[52-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[52-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[52-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-52]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[53-resumption]
+ssl_conf = 53-resumption-ssl
+
+[53-resumption-ssl]
+server = 53-resumption-server
+client = 53-resumption-client
+resume-server = 53-resumption-server
+resume-client = 53-resumption-resume-client
+
+[53-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[53-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[53-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-53]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[54-resumption]
+ssl_conf = 54-resumption-ssl
+
+[54-resumption-ssl]
+server = 54-resumption-server
+client = 54-resumption-client
+resume-server = 54-resumption-server
+resume-client = 54-resumption-resume-client
+
+[54-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[54-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[54-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-54]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[55-resumption]
+ssl_conf = 55-resumption-ssl
+
+[55-resumption-ssl]
+server = 55-resumption-server
+client = 55-resumption-client
+resume-server = 55-resumption-server
+resume-client = 55-resumption-resume-client
+
+[55-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[55-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[55-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-55]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[56-resumption]
+ssl_conf = 56-resumption-ssl
+
+[56-resumption-ssl]
+server = 56-resumption-server
+client = 56-resumption-client
+resume-server = 56-resumption-server
+resume-client = 56-resumption-resume-client
+
+[56-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[56-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[56-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-56]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[57-resumption]
+ssl_conf = 57-resumption-ssl
+
+[57-resumption-ssl]
+server = 57-resumption-server
+client = 57-resumption-client
+resume-server = 57-resumption-server
+resume-client = 57-resumption-resume-client
+
+[57-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[57-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[57-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-57]
+ExpectedProtocol = TLSv1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[58-resumption]
+ssl_conf = 58-resumption-ssl
+
+[58-resumption-ssl]
+server = 58-resumption-server
+client = 58-resumption-client
+resume-server = 58-resumption-server
+resume-client = 58-resumption-resume-client
+
+[58-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[58-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[58-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-58]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[59-resumption]
+ssl_conf = 59-resumption-ssl
+
+[59-resumption-ssl]
+server = 59-resumption-server
+client = 59-resumption-client
+resume-server = 59-resumption-server
+resume-client = 59-resumption-resume-client
+
+[59-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[59-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[59-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-59]
+ExpectedProtocol = TLSv1.1
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[60-resumption]
+ssl_conf = 60-resumption-ssl
+
+[60-resumption-ssl]
+server = 60-resumption-server
+client = 60-resumption-client
+resume-server = 60-resumption-server
+resume-client = 60-resumption-resume-client
+
+[60-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[60-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[60-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-60]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[61-resumption]
+ssl_conf = 61-resumption-ssl
+
+[61-resumption-ssl]
+server = 61-resumption-server
+client = 61-resumption-client
+resume-server = 61-resumption-server
+resume-client = 61-resumption-resume-client
+
+[61-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[61-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[61-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-61]
+ExpectedProtocol = TLSv1.2
+HandshakeMode = Resume
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[62-resumption]
+ssl_conf = 62-resumption-ssl
+
+[62-resumption-ssl]
+server = 62-resumption-server
+client = 62-resumption-client
+resume-server = 62-resumption-server
+resume-client = 62-resumption-resume-client
+
+[62-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[62-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[62-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-62]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[63-resumption]
+ssl_conf = 63-resumption-ssl
+
+[63-resumption-ssl]
+server = 63-resumption-server
+client = 63-resumption-client
+resume-server = 63-resumption-server
+resume-client = 63-resumption-resume-client
+
+[63-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -SessionTicket
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[63-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[63-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-63]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[64-resumption-with-hrr]
+ssl_conf = 64-resumption-with-hrr-ssl
+
+[64-resumption-with-hrr-ssl]
+server = 64-resumption-with-hrr-server
+client = 64-resumption-with-hrr-client
+resume-server = 64-resumption-with-hrr-server
+resume-client = 64-resumption-with-hrr-resume-client
+
+[64-resumption-with-hrr-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = P-256
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[64-resumption-with-hrr-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[64-resumption-with-hrr-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-64]
+ExpectedProtocol = TLSv1.3
+HandshakeMode = Resume
+Method = TLS
 ResumptionExpected = Yes
 
 
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index 47ff667..609e216 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 23
+num_tests = 39
 
 test-0 = 0-ECDSA CipherString Selection
 test-1 = 1-Ed25519 CipherString and Signature Algorithm Selection
@@ -24,7 +24,23 @@ test-18 = 18-Suite B P-256 Hash Algorithm Selection
 test-19 = 19-Suite B P-384 Hash Algorithm Selection
 test-20 = 20-TLS 1.2 Ed25519 Client Auth
 test-21 = 21-Only RSA-PSS Certificate, TLS v1.1
-test-22 = 22-TLS 1.2 DSA Certificate Test
+test-22 = 22-TLS 1.3 ECDSA Signature Algorithm Selection
+test-23 = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point
+test-24 = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1
+test-25 = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS
+test-26 = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS
+test-27 = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-28 = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS
+test-29 = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection
+test-30 = 30-TLS 1.3 Ed25519 Signature Algorithm Selection
+test-31 = 31-TLS 1.3 Ed25519 CipherString and Groups Selection
+test-32 = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection
+test-33 = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
+test-34 = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-35 = 35-TLS 1.3 Ed25519 Client Auth
+test-36 = 36-TLS 1.2 DSA Certificate Test
+test-37 = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms
+test-38 = 38-TLS 1.3 DSA Certificate Test
 # ===========================================================
 
 [0-ECDSA CipherString Selection]
@@ -697,14 +713,467 @@ ExpectedResult = ServerFail
 
 # ===========================================================
 
-[22-TLS 1.2 DSA Certificate Test]
-ssl_conf = 22-TLS 1.2 DSA Certificate Test-ssl
+[22-TLS 1.3 ECDSA Signature Algorithm Selection]
+ssl_conf = 22-TLS 1.3 ECDSA Signature Algorithm Selection-ssl
 
-[22-TLS 1.2 DSA Certificate Test-ssl]
-server = 22-TLS 1.2 DSA Certificate Test-server
-client = 22-TLS 1.2 DSA Certificate Test-client
+[22-TLS 1.3 ECDSA Signature Algorithm Selection-ssl]
+server = 22-TLS 1.3 ECDSA Signature Algorithm Selection-server
+client = 22-TLS 1.3 ECDSA Signature Algorithm Selection-client
 
-[22-TLS 1.2 DSA Certificate Test-server]
+[22-TLS 1.3 ECDSA Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[22-TLS 1.3 ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedResult = Success
+ExpectedServerCANames = empty
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl
+
+[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server
+client = 23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client
+
+[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[23-TLS 1.3 ECDSA Signature Algorithm Selection compressed point-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-23]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl
+
+[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server
+client = 24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client
+
+[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[24-TLS 1.3 ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-24]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS]
+ssl_conf = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl
+
+[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-ssl]
+server = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server
+client = 25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client
+
+[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[25-TLS 1.3 ECDSA Signature Algorithm Selection with PSS-client]
+CipherString = DEFAULT
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-25]
+ExpectedResult = Success
+ExpectedServerCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS]
+ssl_conf = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl
+
+[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-ssl]
+server = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server
+client = 26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client
+
+[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[26-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA384:RSA-PSS+SHA384
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-26]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA384
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+
+[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+
+[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[27-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-27]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS]
+ssl_conf = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl
+
+[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-ssl]
+server = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server
+client = 28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client
+
+[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[28-TLS 1.3 RSA Signature Algorithm Selection, no PSS-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-28]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[29-TLS 1.3 RSA-PSS Signature Algorithm Selection]
+ssl_conf = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl
+
+[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-ssl]
+server = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-server
+client = 29-TLS 1.3 RSA-PSS Signature Algorithm Selection-client
+
+[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[29-TLS 1.3 RSA-PSS Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA-PSS+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-29]
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
+
+
+# ===========================================================
+
+[30-TLS 1.3 Ed25519 Signature Algorithm Selection]
+ssl_conf = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
+
+[30-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
+server = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-server
+client = 30-TLS 1.3 Ed25519 Signature Algorithm Selection-client
+
+[30-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[30-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-30]
+ExpectedResult = Success
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
+
+
+# ===========================================================
+
+[31-TLS 1.3 Ed25519 CipherString and Groups Selection]
+ssl_conf = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
+
+[31-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
+server = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-server
+client = 31-TLS 1.3 Ed25519 CipherString and Groups Selection-client
+
+[31-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[31-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
+CipherString = DEFAULT
+Groups = X25519
+SignatureAlgorithms = ECDSA+SHA256:ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-31]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
+ssl_conf = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
+
+[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
+server = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
+client = 32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
+
+[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientSignatureAlgorithms = PSS+SHA256
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[32-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-32]
+ExpectedClientCANames = empty
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
+ssl_conf = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
+
+[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
+server = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
+client = 33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
+
+[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientSignatureAlgorithms = PSS+SHA256
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[33-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-33]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
+ssl_conf = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
+
+[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
+server = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
+client = 34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
+
+[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientSignatureAlgorithms = ECDSA+SHA256
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[34-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-34]
+ExpectedClientCertType = P-256
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = EC
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[35-TLS 1.3 Ed25519 Client Auth]
+ssl_conf = 35-TLS 1.3 Ed25519 Client Auth-ssl
+
+[35-TLS 1.3 Ed25519 Client Auth-ssl]
+server = 35-TLS 1.3 Ed25519 Client Auth-server
+client = 35-TLS 1.3 Ed25519 Client Auth-client
+
+[35-TLS 1.3 Ed25519 Client Auth-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[35-TLS 1.3 Ed25519 Client Auth-client]
+CipherString = DEFAULT
+EdDSA.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
+EdDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-35]
+ExpectedClientCertType = Ed25519
+ExpectedClientSignType = Ed25519
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[36-TLS 1.2 DSA Certificate Test]
+ssl_conf = 36-TLS 1.2 DSA Certificate Test-ssl
+
+[36-TLS 1.2 DSA Certificate Test-ssl]
+server = 36-TLS 1.2 DSA Certificate Test-server
+client = 36-TLS 1.2 DSA Certificate Test-client
+
+[36-TLS 1.2 DSA Certificate Test-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = ALL
 DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem
@@ -714,13 +1183,67 @@ MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[22-TLS 1.2 DSA Certificate Test-client]
+[36-TLS 1.2 DSA Certificate Test-client]
 CipherString = ALL
 SignatureAlgorithms = DSA+SHA256:DSA+SHA1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-22]
+[test-36]
 ExpectedResult = Success
 
 
+# ===========================================================
+
+[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms]
+ssl_conf = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl
+
+[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-ssl]
+server = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server
+client = 37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client
+
+[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ClientSignatureAlgorithms = ECDSA+SHA1:DSA+SHA256:RSA+SHA256
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[37-TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-37]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[38-TLS 1.3 DSA Certificate Test]
+ssl_conf = 38-TLS 1.3 DSA Certificate Test-ssl
+
+[38-TLS 1.3 DSA Certificate Test-ssl]
+server = 38-TLS 1.3 DSA Certificate Test-server
+client = 38-TLS 1.3 DSA Certificate Test-client
+
+[38-TLS 1.3 DSA Certificate Test-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ALL
+DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem
+DSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-dsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[38-TLS 1.3 DSA Certificate Test-client]
+CipherString = ALL
+SignatureAlgorithms = DSA+SHA1:DSA+SHA256:ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-38]
+ExpectedResult = ServerFail
+
+
diff --git a/test/ssl-tests/22-compression.conf b/test/ssl-tests/22-compression.conf
index 999b008..c85d312 100644
--- a/test/ssl-tests/22-compression.conf
+++ b/test/ssl-tests/22-compression.conf
@@ -1,111 +1,215 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 4
+num_tests = 8
+
+test-0 = 0-tlsv1_3-both-compress
+test-1 = 1-tlsv1_3-client-compress
+test-2 = 2-tlsv1_3-server-compress
+test-3 = 3-tlsv1_3-neither-compress
+test-4 = 4-tlsv1_2-both-compress
+test-5 = 5-tlsv1_2-client-compress
+test-6 = 6-tlsv1_2-server-compress
+test-7 = 7-tlsv1_2-neither-compress
+# ===========================================================
+
+[0-tlsv1_3-both-compress]
+ssl_conf = 0-tlsv1_3-both-compress-ssl
+
+[0-tlsv1_3-both-compress-ssl]
+server = 0-tlsv1_3-both-compress-server
+client = 0-tlsv1_3-both-compress-client
+
+[0-tlsv1_3-both-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = Compression
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-tlsv1_3-both-compress-client]
+CipherString = DEFAULT
+Options = Compression
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+CompressionExpected = No
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-tlsv1_3-client-compress]
+ssl_conf = 1-tlsv1_3-client-compress-ssl
+
+[1-tlsv1_3-client-compress-ssl]
+server = 1-tlsv1_3-client-compress-server
+client = 1-tlsv1_3-client-compress-client
+
+[1-tlsv1_3-client-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-tlsv1_3-client-compress-client]
+CipherString = DEFAULT
+Options = Compression
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+CompressionExpected = No
+ExpectedResult = Success
+
 
-test-0 = 0-tlsv1_2-both-compress
-test-1 = 1-tlsv1_2-client-compress
-test-2 = 2-tlsv1_2-server-compress
-test-3 = 3-tlsv1_2-neither-compress
 # ===========================================================
 
-[0-tlsv1_2-both-compress]
-ssl_conf = 0-tlsv1_2-both-compress-ssl
+[2-tlsv1_3-server-compress]
+ssl_conf = 2-tlsv1_3-server-compress-ssl
 
-[0-tlsv1_2-both-compress-ssl]
-server = 0-tlsv1_2-both-compress-server
-client = 0-tlsv1_2-both-compress-client
+[2-tlsv1_3-server-compress-ssl]
+server = 2-tlsv1_3-server-compress-server
+client = 2-tlsv1_3-server-compress-client
 
-[0-tlsv1_2-both-compress-server]
+[2-tlsv1_3-server-compress-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Options = Compression
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[0-tlsv1_2-both-compress-client]
+[2-tlsv1_3-server-compress-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+CompressionExpected = No
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[3-tlsv1_3-neither-compress]
+ssl_conf = 3-tlsv1_3-neither-compress-ssl
+
+[3-tlsv1_3-neither-compress-ssl]
+server = 3-tlsv1_3-neither-compress-server
+client = 3-tlsv1_3-neither-compress-client
+
+[3-tlsv1_3-neither-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-tlsv1_3-neither-compress-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+CompressionExpected = No
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[4-tlsv1_2-both-compress]
+ssl_conf = 4-tlsv1_2-both-compress-ssl
+
+[4-tlsv1_2-both-compress-ssl]
+server = 4-tlsv1_2-both-compress-server
+client = 4-tlsv1_2-both-compress-client
+
+[4-tlsv1_2-both-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = Compression
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-tlsv1_2-both-compress-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 Options = Compression
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-0]
+[test-4]
 CompressionExpected = Yes
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[1-tlsv1_2-client-compress]
-ssl_conf = 1-tlsv1_2-client-compress-ssl
+[5-tlsv1_2-client-compress]
+ssl_conf = 5-tlsv1_2-client-compress-ssl
 
-[1-tlsv1_2-client-compress-ssl]
-server = 1-tlsv1_2-client-compress-server
-client = 1-tlsv1_2-client-compress-client
+[5-tlsv1_2-client-compress-ssl]
+server = 5-tlsv1_2-client-compress-server
+client = 5-tlsv1_2-client-compress-client
 
-[1-tlsv1_2-client-compress-server]
+[5-tlsv1_2-client-compress-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[1-tlsv1_2-client-compress-client]
+[5-tlsv1_2-client-compress-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 Options = Compression
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-1]
+[test-5]
 CompressionExpected = No
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[2-tlsv1_2-server-compress]
-ssl_conf = 2-tlsv1_2-server-compress-ssl
+[6-tlsv1_2-server-compress]
+ssl_conf = 6-tlsv1_2-server-compress-ssl
 
-[2-tlsv1_2-server-compress-ssl]
-server = 2-tlsv1_2-server-compress-server
-client = 2-tlsv1_2-server-compress-client
+[6-tlsv1_2-server-compress-ssl]
+server = 6-tlsv1_2-server-compress-server
+client = 6-tlsv1_2-server-compress-client
 
-[2-tlsv1_2-server-compress-server]
+[6-tlsv1_2-server-compress-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Options = Compression
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[2-tlsv1_2-server-compress-client]
+[6-tlsv1_2-server-compress-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-2]
+[test-6]
 CompressionExpected = No
 ExpectedResult = Success
 
 
 # ===========================================================
 
-[3-tlsv1_2-neither-compress]
-ssl_conf = 3-tlsv1_2-neither-compress-ssl
+[7-tlsv1_2-neither-compress]
+ssl_conf = 7-tlsv1_2-neither-compress-ssl
 
-[3-tlsv1_2-neither-compress-ssl]
-server = 3-tlsv1_2-neither-compress-server
-client = 3-tlsv1_2-neither-compress-client
+[7-tlsv1_2-neither-compress-ssl]
+server = 7-tlsv1_2-neither-compress-server
+client = 7-tlsv1_2-neither-compress-client
 
-[3-tlsv1_2-neither-compress-server]
+[7-tlsv1_2-neither-compress-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[3-tlsv1_2-neither-compress-client]
+[7-tlsv1_2-neither-compress-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[test-3]
+[test-7]
 CompressionExpected = No
 ExpectedResult = Success
 


More information about the openssl-commits mailing list