[openssl] master update

Matt Caswell matt at openssl.org
Mon Apr 20 10:37:51 UTC 2020


The branch master has been updated
       via  73d391ad139b6744fa16fb8be1813b2f7ec8f6c0 (commit)
       via  682bc861a92d09fb5155cd1aceee7b1ce298ddb9 (commit)
       via  ab5a02f70726e28b3c39391aac29a4aedb080ea3 (commit)
       via  fea4e2bd36584cebb79f45680c6da0c14fde3d1e (commit)
      from  0aa87e86832ebad4042e2f6298549d598c35b610 (commit)


- Log -----------------------------------------------------------------
commit 73d391ad139b6744fa16fb8be1813b2f7ec8f6c0
Author: Matt Caswell <matt at openssl.org>
Date:   Sat Apr 18 11:54:23 2020 +0100

    Use a fetched MD if appropriate in ssl3_cbc_digest_record
    
    HMACs used via the legacy EVP_DigestSign interface are strange in
    that they use legacy codepath's which eventually (under the covers)
    transform the operation into a new style EVP_MAC. This can mean the
    digest in use can be a legacy one, so we need to be careful with any
    digest we extract from the ctx.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/11511)

commit 682bc861a92d09fb5155cd1aceee7b1ce298ddb9
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Apr 7 17:03:19 2020 +0100

    Teach ssl_test_new how to test the FIPS module
    
    We load the FIPS module and make sure it is configured before running
    the ssl_test_new tests.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/11511)

commit ab5a02f70726e28b3c39391aac29a4aedb080ea3
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Apr 7 16:22:49 2020 +0100

    Teach ssl_test_new to have different tests for different loaded providers
    
    We now run the tests twice: Once with no specific providers loaded and
    just using the default libctx, and a second time with a non-default libctx
    and the default provider.
    
    In the second run we disable tests which use a PSS cert/key because we
    don't yet have support for that.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/11511)

commit fea4e2bd36584cebb79f45680c6da0c14fde3d1e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Apr 3 15:40:00 2020 +0100

    Run ssl_test_new with a non-default library context
    
    We also prepare the way for a future commit to run ssl_test_new with
    just the FIPS provider loaded.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/11511)

-----------------------------------------------------------------------

Summary of changes:
 ssl/record/ssl3_record.c                       |    4 +-
 ssl/s3_cbc.c                                   |   18 +-
 ssl/ssl_local.h                                |    3 +-
 test/generate_ssl_tests.pl                     |    8 +-
 test/recipes/80-test_ssl_new.t                 |   54 +-
 test/ssl-tests/02-protocol-version.cnf.in      |    4 +-
 test/ssl-tests/04-client_auth.cnf.in           |   11 +-
 test/ssl-tests/05-sni.cnf.in                   |    4 +-
 test/ssl-tests/07-dtls-protocol-version.cnf.in |    4 +-
 test/ssl-tests/10-resumption.cnf.in            |    4 +-
 test/ssl-tests/11-dtls_resumption.cnf.in       |    4 +-
 test/ssl-tests/14-curves.cnf                   |  638 ++++++-------
 test/ssl-tests/14-curves.cnf.in                |   20 +-
 test/ssl-tests/20-cert-select.cnf              | 1202 ++++++++++++------------
 test/ssl-tests/20-cert-select.cnf.in           |  599 ++++++------
 test/ssl-tests/25-cipher.cnf.in                |    5 +-
 test/ssl-tests/28-seclevel.cnf.in              |    7 +-
 test/ssl-tests/protocol_version.pm             |  110 ++-
 test/ssl-tests/ssltests_base.pm                |    3 +
 test/ssl_test.c                                |   57 +-
 20 files changed, 1482 insertions(+), 1277 deletions(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index a5ef78dec9..23bbc952ee 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1270,7 +1270,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
         header[j++] = (unsigned char)(rec->length & 0xff);
 
         /* Final param == is SSLv3 */
-        if (ssl3_cbc_digest_record(hash,
+        if (ssl3_cbc_digest_record(ssl, hash,
                                    md, &md_size,
                                    header, rec->input,
                                    rec->length + md_size, rec->orig_len,
@@ -1374,7 +1374,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
          * are hashing because that gives an attacker a timing-oracle.
          */
         /* Final param == not SSLv3 */
-        if (ssl3_cbc_digest_record(mac_ctx,
+        if (ssl3_cbc_digest_record(ssl, mac_ctx,
                                    md, &md_size,
                                    header, rec->input,
                                    rec->length + md_size, rec->orig_len,
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 888ff3c2f6..bbc24cc6d1 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -131,7 +131,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  * padding too. )
  * Returns 1 on success or 0 on error
  */
-int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+int ssl3_cbc_digest_record(SSL *s,
+                           const EVP_MD_CTX *ctx,
                            unsigned char *md_out,
                            size_t *md_out_size,
                            const unsigned char header[13],
@@ -166,7 +167,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
      */
     size_t md_length_size = 8;
     char length_is_big_endian = 1;
-    int ret;
+    int ret = 0;
+    const EVP_MD *md = NULL;
 
     /*
      * This is a, hopefully redundant, check that allows us to forget about
@@ -461,7 +463,11 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     md_ctx = EVP_MD_CTX_new();
     if (md_ctx == NULL)
         goto err;
-    if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
+    md = ssl_evp_md_fetch(s->ctx->libctx, EVP_MD_type(EVP_MD_CTX_md(ctx)),
+                          s->ctx->propq);
+    if (md == NULL)
+        goto err;
+    if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
         goto err;
     if (is_sslv3) {
         /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
@@ -484,10 +490,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
     if (ret && md_out_size)
         *md_out_size = md_out_size_u;
-    EVP_MD_CTX_free(md_ctx);
 
-    return 1;
+    ret = 1;
  err:
     EVP_MD_CTX_free(md_ctx);
-    return 0;
+    ssl_evp_md_free(md);
+    return ret;
 }
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index d8b25bb4e8..22cae481e1 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2713,7 +2713,8 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
 
 /* s3_cbc.c */
 __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-__owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+__owur int ssl3_cbc_digest_record(SSL *s,
+                                  const EVP_MD_CTX *ctx,
                                   unsigned char *md_out,
                                   size_t *md_out_size,
                                   const unsigned char header[13],
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 8cfc451fbb..21515b7a20 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -127,6 +127,11 @@ sub print_templates {
 # Shamelessly copied from Configure.
 sub read_config {
     my $fname = shift;
+    my $provider = shift;
+    local $ssltests::fips_mode = $provider eq "fips";
+    local $ssltests::no_deflt_libctx =
+        $provider eq "default" || $provider eq "fips";
+
     open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
     local $/ = undef;
     my $content = <INPUT>;
@@ -136,8 +141,9 @@ sub read_config {
 }
 
 my $input_file = shift;
+my $provider = shift;
 # Reads the tests into ssltests::tests.
-read_config($input_file);
+read_config($input_file, $provider);
 print_templates();
 
 1;
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 3b1857cc79..aa57d1565d 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -13,11 +13,21 @@ use warnings;
 use File::Basename;
 use File::Compare qw/compare_text/;
 use OpenSSL::Glob;
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
 use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
 
+BEGIN {
 setup("test_ssl_new");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
 
@@ -28,7 +38,8 @@ map { s/\^// } @conf_files if $^O eq "VMS";
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 30;  # = scalar @conf_srcs
+plan tests => 30 # = scalar @conf_srcs
+              + ($no_fips ? 0 : 1); # fipsinstall
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
@@ -106,28 +117,46 @@ my %skip = (
   "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
 );
 
+unless ($no_fips) {
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-module', bldtop_file('providers', platform->dso('fips')),
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                '-section_name', 'fips_sect'])),
+       "fipsinstall");
+}
+
 foreach my $conf (@conf_files) {
     subtest "Test configuration $conf" => sub {
+        plan tests => 6 + ($no_fips ? 0 : 3);
         test_conf($conf,
                   $conf_dependent_tests{$conf} || $^O eq "VMS" ?  0 : 1,
-                  defined($skip{$conf}) ? $skip{$conf} : $no_tls);
+                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+                  "none");
+        test_conf($conf,
+                  0,
+                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+                  "default");
+        test_conf($conf,
+                  0,
+                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+                  "fips") unless $no_fips;
     }
 }
 
 sub test_conf {
-    plan tests => 3;
-
-    my ($conf, $check_source, $skip) = @_;
+    my ($conf, $check_source, $skip, $provider) = @_;
 
     my $conf_file = srctop_file("test", "ssl-tests", $conf);
     my $input_file = $conf_file . ".in";
-    my $output_file = $conf;
+    my $output_file = $conf . "." . $provider;
     my $run_test = 1;
 
   SKIP: {
       # "Test" 1. Generate the source.
       skip 'failure', 2 unless
-        ok(run(perltest(["generate_ssl_tests.pl", $input_file],
+        ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
                         interpreter_args => [ "-I", srctop_dir("util", "perl")],
                         stdout => $output_file)),
            "Getting output from generate_ssl_tests.pl.");
@@ -145,7 +174,14 @@ sub test_conf {
       skip "No tests available; skipping tests", 1 if $skip;
       skip "Stale sources; skipping tests", 1 if !$run_test;
 
-      ok(run(test(["ssl_test", $output_file])), "running ssl_test $conf");
+      if ($provider eq "fips") {
+          ok(run(test(["ssl_test", $output_file, $provider,
+                       srctop_file("test", "fips.cnf")])),
+             "running ssl_test $conf");
+      } else {
+          ok(run(test(["ssl_test", $output_file, $provider])),
+             "running ssl_test $conf");
+      }
     }
 }
 
diff --git a/test/ssl-tests/02-protocol-version.cnf.in b/test/ssl-tests/02-protocol-version.cnf.in
index a6799df0ac..70bad4cf6c 100644
--- a/test/ssl-tests/02-protocol-version.cnf.in
+++ b/test/ssl-tests/02-protocol-version.cnf.in
@@ -16,4 +16,6 @@ use warnings;
 
 use protocol_version;
 
-our @tests = generate_version_tests("TLS");
+our $fips_mode;
+
+our @tests = generate_version_tests("TLS", $fips_mode);
diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in
index b9c014d2c0..f90f7eb79d 100644
--- a/test/ssl-tests/04-client_auth.cnf.in
+++ b/test/ssl-tests/04-client_auth.cnf.in
@@ -11,12 +11,19 @@ use OpenSSL::Test;
 use OpenSSL::Test::Utils qw(anydisabled disabled);
 setup("no_test_here");
 
-# We test version-flexible negotiation (undef) and each protocol version.
-my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
+our $fips_mode;
 
+my @protocols;
 my @is_disabled = (0);
 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
 
+# We test version-flexible negotiation (undef) and each protocol version.
+if ($fips_mode) {
+    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
+} else {
+    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
+}
+
 our @tests = ();
 
 sub generate_tests() {
diff --git a/test/ssl-tests/05-sni.cnf.in b/test/ssl-tests/05-sni.cnf.in
index 6651899618..b34a55c7d2 100644
--- a/test/ssl-tests/05-sni.cnf.in
+++ b/test/ssl-tests/05-sni.cnf.in
@@ -15,6 +15,8 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
+our $fips_mode;
+
 our @tests = (
     {
         name => "SNI-switch-context",
@@ -166,4 +168,4 @@ our @tests_tls_1_1 = (
     },
 );
 
-push @tests, @tests_tls_1_1 unless disabled("tls1_1");
+push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode;
diff --git a/test/ssl-tests/07-dtls-protocol-version.cnf.in b/test/ssl-tests/07-dtls-protocol-version.cnf.in
index 2a53433b68..9f9ab6e72f 100644
--- a/test/ssl-tests/07-dtls-protocol-version.cnf.in
+++ b/test/ssl-tests/07-dtls-protocol-version.cnf.in
@@ -16,4 +16,6 @@ use warnings;
 
 use protocol_version;
 
-our @tests = generate_version_tests("DTLS");
+our $fips_mode;
+
+our @tests = generate_version_tests("DTLS", $fips_mode);
diff --git a/test/ssl-tests/10-resumption.cnf.in b/test/ssl-tests/10-resumption.cnf.in
index 39c69395bf..ace714a8b5 100644
--- a/test/ssl-tests/10-resumption.cnf.in
+++ b/test/ssl-tests/10-resumption.cnf.in
@@ -16,4 +16,6 @@ package ssltests;
 
 use protocol_version;
 
-our @tests = generate_resumption_tests("TLS");
+our $fips_mode;
+
+our @tests = generate_resumption_tests("TLS", $fips_mode);
diff --git a/test/ssl-tests/11-dtls_resumption.cnf.in b/test/ssl-tests/11-dtls_resumption.cnf.in
index 9f600e6625..4cee1e2022 100644
--- a/test/ssl-tests/11-dtls_resumption.cnf.in
+++ b/test/ssl-tests/11-dtls_resumption.cnf.in
@@ -16,4 +16,6 @@ package ssltests;
 
 use protocol_version;
 
-our @tests = generate_resumption_tests("DTLS");
+our $fips_mode;
+
+our @tests = generate_resumption_tests("DTLS", $fips_mode);
diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf
index f76f08fd7d..26d0949f0d 100644
--- a/test/ssl-tests/14-curves.cnf
+++ b/test/ssl-tests/14-curves.cnf
@@ -3,35 +3,35 @@
 num_tests = 30
 
 test-0 = 0-curve-sect163k1
-test-1 = 1-curve-sect163r1
-test-2 = 2-curve-sect163r2
-test-3 = 3-curve-sect193r1
-test-4 = 4-curve-sect193r2
-test-5 = 5-curve-sect233k1
-test-6 = 6-curve-sect233r1
-test-7 = 7-curve-sect239k1
-test-8 = 8-curve-sect283k1
-test-9 = 9-curve-sect283r1
-test-10 = 10-curve-sect409k1
-test-11 = 11-curve-sect409r1
-test-12 = 12-curve-sect571k1
-test-13 = 13-curve-sect571r1
-test-14 = 14-curve-secp160k1
-test-15 = 15-curve-secp160r1
-test-16 = 16-curve-secp160r2
-test-17 = 17-curve-secp192k1
-test-18 = 18-curve-prime192v1
-test-19 = 19-curve-secp224k1
-test-20 = 20-curve-secp224r1
-test-21 = 21-curve-secp256k1
-test-22 = 22-curve-prime256v1
-test-23 = 23-curve-secp384r1
-test-24 = 24-curve-secp521r1
-test-25 = 25-curve-brainpoolP256r1
-test-26 = 26-curve-brainpoolP384r1
-test-27 = 27-curve-brainpoolP512r1
-test-28 = 28-curve-X25519
-test-29 = 29-curve-X448
+test-1 = 1-curve-sect163r2
+test-2 = 2-curve-sect233k1
+test-3 = 3-curve-sect233r1
+test-4 = 4-curve-sect283k1
+test-5 = 5-curve-sect283r1
+test-6 = 6-curve-sect409k1
+test-7 = 7-curve-sect409r1
+test-8 = 8-curve-sect571k1
+test-9 = 9-curve-sect571r1
+test-10 = 10-curve-prime192v1
+test-11 = 11-curve-secp224r1
+test-12 = 12-curve-prime256v1
+test-13 = 13-curve-secp384r1
+test-14 = 14-curve-secp521r1
+test-15 = 15-curve-X25519
+test-16 = 16-curve-X448
+test-17 = 17-curve-sect163r1
+test-18 = 18-curve-sect193r1
+test-19 = 19-curve-sect193r2
+test-20 = 20-curve-sect239k1
+test-21 = 21-curve-secp160k1
+test-22 = 22-curve-secp160r1
+test-23 = 23-curve-secp160r2
+test-24 = 24-curve-secp192k1
+test-25 = 25-curve-secp224k1
+test-26 = 26-curve-secp256k1
+test-27 = 27-curve-brainpoolP256r1
+test-28 = 28-curve-brainpoolP384r1
+test-29 = 29-curve-brainpoolP512r1
 # ===========================================================
 
 [0-curve-sect163k1]
@@ -62,813 +62,813 @@ ExpectedTmpKeyType = sect163k1
 
 # ===========================================================
 
-[1-curve-sect163r1]
-ssl_conf = 1-curve-sect163r1-ssl
+[1-curve-sect163r2]
+ssl_conf = 1-curve-sect163r2-ssl
 
-[1-curve-sect163r1-ssl]
-server = 1-curve-sect163r1-server
-client = 1-curve-sect163r1-client
+[1-curve-sect163r2-ssl]
+server = 1-curve-sect163r2-server
+client = 1-curve-sect163r2-client
 
-[1-curve-sect163r1-server]
+[1-curve-sect163r2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163r1
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[1-curve-sect163r1-client]
+[1-curve-sect163r2-client]
 CipherString = ECDHE
-Curves = sect163r1
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-1]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163r1
+ExpectedTmpKeyType = sect163r2
 
 
 # ===========================================================
 
-[2-curve-sect163r2]
-ssl_conf = 2-curve-sect163r2-ssl
+[2-curve-sect233k1]
+ssl_conf = 2-curve-sect233k1-ssl
 
-[2-curve-sect163r2-ssl]
-server = 2-curve-sect163r2-server
-client = 2-curve-sect163r2-client
+[2-curve-sect233k1-ssl]
+server = 2-curve-sect233k1-server
+client = 2-curve-sect233k1-client
 
-[2-curve-sect163r2-server]
+[2-curve-sect233k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163r2
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[2-curve-sect163r2-client]
+[2-curve-sect233k1-client]
 CipherString = ECDHE
-Curves = sect163r2
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-2]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163r2
+ExpectedTmpKeyType = sect233k1
 
 
 # ===========================================================
 
-[3-curve-sect193r1]
-ssl_conf = 3-curve-sect193r1-ssl
+[3-curve-sect233r1]
+ssl_conf = 3-curve-sect233r1-ssl
 
-[3-curve-sect193r1-ssl]
-server = 3-curve-sect193r1-server
-client = 3-curve-sect193r1-client
+[3-curve-sect233r1-ssl]
+server = 3-curve-sect233r1-server
+client = 3-curve-sect233r1-client
 
-[3-curve-sect193r1-server]
+[3-curve-sect233r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect193r1
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[3-curve-sect193r1-client]
+[3-curve-sect233r1-client]
 CipherString = ECDHE
-Curves = sect193r1
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect193r1
+ExpectedTmpKeyType = sect233r1
 
 
 # ===========================================================
 
-[4-curve-sect193r2]
-ssl_conf = 4-curve-sect193r2-ssl
+[4-curve-sect283k1]
+ssl_conf = 4-curve-sect283k1-ssl
 
-[4-curve-sect193r2-ssl]
-server = 4-curve-sect193r2-server
-client = 4-curve-sect193r2-client
+[4-curve-sect283k1-ssl]
+server = 4-curve-sect283k1-server
+client = 4-curve-sect283k1-client
 
-[4-curve-sect193r2-server]
+[4-curve-sect283k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect193r2
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[4-curve-sect193r2-client]
+[4-curve-sect283k1-client]
 CipherString = ECDHE
-Curves = sect193r2
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-4]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect193r2
+ExpectedTmpKeyType = sect283k1
 
 
 # ===========================================================
 
-[5-curve-sect233k1]
-ssl_conf = 5-curve-sect233k1-ssl
+[5-curve-sect283r1]
+ssl_conf = 5-curve-sect283r1-ssl
 
-[5-curve-sect233k1-ssl]
-server = 5-curve-sect233k1-server
-client = 5-curve-sect233k1-client
+[5-curve-sect283r1-ssl]
+server = 5-curve-sect283r1-server
+client = 5-curve-sect283r1-client
 
-[5-curve-sect233k1-server]
+[5-curve-sect283r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233k1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[5-curve-sect233k1-client]
+[5-curve-sect283r1-client]
 CipherString = ECDHE
-Curves = sect233k1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-5]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233k1
+ExpectedTmpKeyType = sect283r1
 
 
 # ===========================================================
 
-[6-curve-sect233r1]
-ssl_conf = 6-curve-sect233r1-ssl
+[6-curve-sect409k1]
+ssl_conf = 6-curve-sect409k1-ssl
 
-[6-curve-sect233r1-ssl]
-server = 6-curve-sect233r1-server
-client = 6-curve-sect233r1-client
+[6-curve-sect409k1-ssl]
+server = 6-curve-sect409k1-server
+client = 6-curve-sect409k1-client
 
-[6-curve-sect233r1-server]
+[6-curve-sect409k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233r1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[6-curve-sect233r1-client]
+[6-curve-sect409k1-client]
 CipherString = ECDHE
-Curves = sect233r1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-6]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233r1
+ExpectedTmpKeyType = sect409k1
 
 
 # ===========================================================
 
-[7-curve-sect239k1]
-ssl_conf = 7-curve-sect239k1-ssl
+[7-curve-sect409r1]
+ssl_conf = 7-curve-sect409r1-ssl
 
-[7-curve-sect239k1-ssl]
-server = 7-curve-sect239k1-server
-client = 7-curve-sect239k1-client
+[7-curve-sect409r1-ssl]
+server = 7-curve-sect409r1-server
+client = 7-curve-sect409r1-client
 
-[7-curve-sect239k1-server]
+[7-curve-sect409r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect239k1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[7-curve-sect239k1-client]
+[7-curve-sect409r1-client]
 CipherString = ECDHE
-Curves = sect239k1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-7]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect239k1
+ExpectedTmpKeyType = sect409r1
 
 
 # ===========================================================
 
-[8-curve-sect283k1]
-ssl_conf = 8-curve-sect283k1-ssl
+[8-curve-sect571k1]
+ssl_conf = 8-curve-sect571k1-ssl
 
-[8-curve-sect283k1-ssl]
-server = 8-curve-sect283k1-server
-client = 8-curve-sect283k1-client
+[8-curve-sect571k1-ssl]
+server = 8-curve-sect571k1-server
+client = 8-curve-sect571k1-client
 
-[8-curve-sect283k1-server]
+[8-curve-sect571k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[8-curve-sect283k1-client]
+[8-curve-sect571k1-client]
 CipherString = ECDHE
-Curves = sect283k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-8]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283k1
+ExpectedTmpKeyType = sect571k1
 
 
 # ===========================================================
 
-[9-curve-sect283r1]
-ssl_conf = 9-curve-sect283r1-ssl
+[9-curve-sect571r1]
+ssl_conf = 9-curve-sect571r1-ssl
 
-[9-curve-sect283r1-ssl]
-server = 9-curve-sect283r1-server
-client = 9-curve-sect283r1-client
+[9-curve-sect571r1-ssl]
+server = 9-curve-sect571r1-server
+client = 9-curve-sect571r1-client
 
-[9-curve-sect283r1-server]
+[9-curve-sect571r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[9-curve-sect283r1-client]
+[9-curve-sect571r1-client]
 CipherString = ECDHE
-Curves = sect283r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-9]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283r1
+ExpectedTmpKeyType = sect571r1
 
 
 # ===========================================================
 
-[10-curve-sect409k1]
-ssl_conf = 10-curve-sect409k1-ssl
+[10-curve-prime192v1]
+ssl_conf = 10-curve-prime192v1-ssl
 
-[10-curve-sect409k1-ssl]
-server = 10-curve-sect409k1-server
-client = 10-curve-sect409k1-client
+[10-curve-prime192v1-ssl]
+server = 10-curve-prime192v1-server
+client = 10-curve-prime192v1-client
 
-[10-curve-sect409k1-server]
+[10-curve-prime192v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409k1
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-curve-sect409k1-client]
+[10-curve-prime192v1-client]
 CipherString = ECDHE
-Curves = sect409k1
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409k1
+ExpectedTmpKeyType = prime192v1
 
 
 # ===========================================================
 
-[11-curve-sect409r1]
-ssl_conf = 11-curve-sect409r1-ssl
+[11-curve-secp224r1]
+ssl_conf = 11-curve-secp224r1-ssl
 
-[11-curve-sect409r1-ssl]
-server = 11-curve-sect409r1-server
-client = 11-curve-sect409r1-client
+[11-curve-secp224r1-ssl]
+server = 11-curve-secp224r1-server
+client = 11-curve-secp224r1-client
 
-[11-curve-sect409r1-server]
+[11-curve-secp224r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409r1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[11-curve-sect409r1-client]
+[11-curve-secp224r1-client]
 CipherString = ECDHE
-Curves = sect409r1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409r1
+ExpectedTmpKeyType = secp224r1
 
 
 # ===========================================================
 
-[12-curve-sect571k1]
-ssl_conf = 12-curve-sect571k1-ssl
+[12-curve-prime256v1]
+ssl_conf = 12-curve-prime256v1-ssl
 
-[12-curve-sect571k1-ssl]
-server = 12-curve-sect571k1-server
-client = 12-curve-sect571k1-client
+[12-curve-prime256v1-ssl]
+server = 12-curve-prime256v1-server
+client = 12-curve-prime256v1-client
 
-[12-curve-sect571k1-server]
+[12-curve-prime256v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571k1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[12-curve-sect571k1-client]
+[12-curve-prime256v1-client]
 CipherString = ECDHE
-Curves = sect571k1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571k1
+ExpectedTmpKeyType = prime256v1
 
 
 # ===========================================================
 
-[13-curve-sect571r1]
-ssl_conf = 13-curve-sect571r1-ssl
+[13-curve-secp384r1]
+ssl_conf = 13-curve-secp384r1-ssl
 
-[13-curve-sect571r1-ssl]
-server = 13-curve-sect571r1-server
-client = 13-curve-sect571r1-client
+[13-curve-secp384r1-ssl]
+server = 13-curve-secp384r1-server
+client = 13-curve-secp384r1-client
 
-[13-curve-sect571r1-server]
+[13-curve-secp384r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571r1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[13-curve-sect571r1-client]
+[13-curve-secp384r1-client]
 CipherString = ECDHE
-Curves = sect571r1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571r1
+ExpectedTmpKeyType = secp384r1
 
 
 # ===========================================================
 
-[14-curve-secp160k1]
-ssl_conf = 14-curve-secp160k1-ssl
+[14-curve-secp521r1]
+ssl_conf = 14-curve-secp521r1-ssl
 
-[14-curve-secp160k1-ssl]
-server = 14-curve-secp160k1-server
-client = 14-curve-secp160k1-client
+[14-curve-secp521r1-ssl]
+server = 14-curve-secp521r1-server
+client = 14-curve-secp521r1-client
 
-[14-curve-secp160k1-server]
+[14-curve-secp521r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp160k1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[14-curve-secp160k1-client]
+[14-curve-secp521r1-client]
 CipherString = ECDHE
-Curves = secp160k1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-14]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp160k1
+ExpectedTmpKeyType = secp521r1
 
 
 # ===========================================================
 
-[15-curve-secp160r1]
-ssl_conf = 15-curve-secp160r1-ssl
+[15-curve-X25519]
+ssl_conf = 15-curve-X25519-ssl
 
-[15-curve-secp160r1-ssl]
-server = 15-curve-secp160r1-server
-client = 15-curve-secp160r1-client
+[15-curve-X25519-ssl]
+server = 15-curve-X25519-server
+client = 15-curve-X25519-client
 
-[15-curve-secp160r1-server]
+[15-curve-X25519-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp160r1
+Curves = X25519
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-curve-secp160r1-client]
+[15-curve-X25519-client]
 CipherString = ECDHE
-Curves = secp160r1
+Curves = X25519
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-15]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp160r1
+ExpectedTmpKeyType = X25519
 
 
 # ===========================================================
 
-[16-curve-secp160r2]
-ssl_conf = 16-curve-secp160r2-ssl
+[16-curve-X448]
+ssl_conf = 16-curve-X448-ssl
 
-[16-curve-secp160r2-ssl]
-server = 16-curve-secp160r2-server
-client = 16-curve-secp160r2-client
+[16-curve-X448-ssl]
+server = 16-curve-X448-server
+client = 16-curve-X448-client
 
-[16-curve-secp160r2-server]
+[16-curve-X448-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp160r2
+Curves = X448
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[16-curve-secp160r2-client]
+[16-curve-X448-client]
 CipherString = ECDHE
-Curves = secp160r2
+Curves = X448
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp160r2
+ExpectedTmpKeyType = X448
 
 
 # ===========================================================
 
-[17-curve-secp192k1]
-ssl_conf = 17-curve-secp192k1-ssl
+[17-curve-sect163r1]
+ssl_conf = 17-curve-sect163r1-ssl
 
-[17-curve-secp192k1-ssl]
-server = 17-curve-secp192k1-server
-client = 17-curve-secp192k1-client
+[17-curve-sect163r1-ssl]
+server = 17-curve-sect163r1-server
+client = 17-curve-sect163r1-client
 
-[17-curve-secp192k1-server]
+[17-curve-sect163r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp192k1
+Curves = sect163r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[17-curve-secp192k1-client]
+[17-curve-sect163r1-client]
 CipherString = ECDHE
-Curves = secp192k1
+Curves = sect163r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-17]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp192k1
+ExpectedTmpKeyType = sect163r1
 
 
 # ===========================================================
 
-[18-curve-prime192v1]
-ssl_conf = 18-curve-prime192v1-ssl
+[18-curve-sect193r1]
+ssl_conf = 18-curve-sect193r1-ssl
 
-[18-curve-prime192v1-ssl]
-server = 18-curve-prime192v1-server
-client = 18-curve-prime192v1-client
+[18-curve-sect193r1-ssl]
+server = 18-curve-sect193r1-server
+client = 18-curve-sect193r1-client
 
-[18-curve-prime192v1-server]
+[18-curve-sect193r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime192v1
+Curves = sect193r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[18-curve-prime192v1-client]
+[18-curve-sect193r1-client]
 CipherString = ECDHE
-Curves = prime192v1
+Curves = sect193r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-18]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime192v1
+ExpectedTmpKeyType = sect193r1
 
 
 # ===========================================================
 
-[19-curve-secp224k1]
-ssl_conf = 19-curve-secp224k1-ssl
+[19-curve-sect193r2]
+ssl_conf = 19-curve-sect193r2-ssl
 
-[19-curve-secp224k1-ssl]
-server = 19-curve-secp224k1-server
-client = 19-curve-secp224k1-client
+[19-curve-sect193r2-ssl]
+server = 19-curve-sect193r2-server
+client = 19-curve-sect193r2-client
 
-[19-curve-secp224k1-server]
+[19-curve-sect193r2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp224k1
+Curves = sect193r2
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-curve-secp224k1-client]
+[19-curve-sect193r2-client]
 CipherString = ECDHE
-Curves = secp224k1
+Curves = sect193r2
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-19]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp224k1
+ExpectedTmpKeyType = sect193r2
 
 
 # ===========================================================
 
-[20-curve-secp224r1]
-ssl_conf = 20-curve-secp224r1-ssl
+[20-curve-sect239k1]
+ssl_conf = 20-curve-sect239k1-ssl
 
-[20-curve-secp224r1-ssl]
-server = 20-curve-secp224r1-server
-client = 20-curve-secp224r1-client
+[20-curve-sect239k1-ssl]
+server = 20-curve-sect239k1-server
+client = 20-curve-sect239k1-client
 
-[20-curve-secp224r1-server]
+[20-curve-sect239k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp224r1
+Curves = sect239k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-curve-secp224r1-client]
+[20-curve-sect239k1-client]
 CipherString = ECDHE
-Curves = secp224r1
+Curves = sect239k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-20]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp224r1
+ExpectedTmpKeyType = sect239k1
 
 
 # ===========================================================
 
-[21-curve-secp256k1]
-ssl_conf = 21-curve-secp256k1-ssl
+[21-curve-secp160k1]
+ssl_conf = 21-curve-secp160k1-ssl
 
-[21-curve-secp256k1-ssl]
-server = 21-curve-secp256k1-server
-client = 21-curve-secp256k1-client
+[21-curve-secp160k1-ssl]
+server = 21-curve-secp160k1-server
+client = 21-curve-secp160k1-client
 
-[21-curve-secp256k1-server]
+[21-curve-secp160k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp256k1
+Curves = secp160k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[21-curve-secp256k1-client]
+[21-curve-secp160k1-client]
 CipherString = ECDHE
-Curves = secp256k1
+Curves = secp160k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-21]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp256k1
+ExpectedTmpKeyType = secp160k1
 
 
 # ===========================================================
 
-[22-curve-prime256v1]
-ssl_conf = 22-curve-prime256v1-ssl
+[22-curve-secp160r1]
+ssl_conf = 22-curve-secp160r1-ssl
 
-[22-curve-prime256v1-ssl]
-server = 22-curve-prime256v1-server
-client = 22-curve-prime256v1-client
+[22-curve-secp160r1-ssl]
+server = 22-curve-secp160r1-server
+client = 22-curve-secp160r1-client
 
-[22-curve-prime256v1-server]
+[22-curve-secp160r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime256v1
+Curves = secp160r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[22-curve-prime256v1-client]
+[22-curve-secp160r1-client]
 CipherString = ECDHE
-Curves = prime256v1
+Curves = secp160r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-22]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime256v1
+ExpectedTmpKeyType = secp160r1
 
 
 # ===========================================================
 
-[23-curve-secp384r1]
-ssl_conf = 23-curve-secp384r1-ssl
+[23-curve-secp160r2]
+ssl_conf = 23-curve-secp160r2-ssl
 
-[23-curve-secp384r1-ssl]
-server = 23-curve-secp384r1-server
-client = 23-curve-secp384r1-client
+[23-curve-secp160r2-ssl]
+server = 23-curve-secp160r2-server
+client = 23-curve-secp160r2-client
 
-[23-curve-secp384r1-server]
+[23-curve-secp160r2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp384r1
+Curves = secp160r2
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[23-curve-secp384r1-client]
+[23-curve-secp160r2-client]
 CipherString = ECDHE
-Curves = secp384r1
+Curves = secp160r2
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-23]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp384r1
+ExpectedTmpKeyType = secp160r2
 
 
 # ===========================================================
 
-[24-curve-secp521r1]
-ssl_conf = 24-curve-secp521r1-ssl
+[24-curve-secp192k1]
+ssl_conf = 24-curve-secp192k1-ssl
 
-[24-curve-secp521r1-ssl]
-server = 24-curve-secp521r1-server
-client = 24-curve-secp521r1-client
+[24-curve-secp192k1-ssl]
+server = 24-curve-secp192k1-server
+client = 24-curve-secp192k1-client
 
-[24-curve-secp521r1-server]
+[24-curve-secp192k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp521r1
+Curves = secp192k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[24-curve-secp521r1-client]
+[24-curve-secp192k1-client]
 CipherString = ECDHE
-Curves = secp521r1
+Curves = secp192k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-24]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp521r1
+ExpectedTmpKeyType = secp192k1
 
 
 # ===========================================================
 
-[25-curve-brainpoolP256r1]
-ssl_conf = 25-curve-brainpoolP256r1-ssl
+[25-curve-secp224k1]
+ssl_conf = 25-curve-secp224k1-ssl
 
-[25-curve-brainpoolP256r1-ssl]
-server = 25-curve-brainpoolP256r1-server
-client = 25-curve-brainpoolP256r1-client
+[25-curve-secp224k1-ssl]
+server = 25-curve-secp224k1-server
+client = 25-curve-secp224k1-client
 
-[25-curve-brainpoolP256r1-server]
+[25-curve-secp224k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = brainpoolP256r1
+Curves = secp224k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-curve-brainpoolP256r1-client]
+[25-curve-secp224k1-client]
 CipherString = ECDHE
-Curves = brainpoolP256r1
+Curves = secp224k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-25]
 ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP256r1
+ExpectedTmpKeyType = secp224k1
 
 
 # ===========================================================
 
-[26-curve-brainpoolP384r1]
-ssl_conf = 26-curve-brainpoolP384r1-ssl
+[26-curve-secp256k1]
+ssl_conf = 26-curve-secp256k1-ssl
 
-[26-curve-brainpoolP384r1-ssl]
-server = 26-curve-brainpoolP384r1-server
-client = 26-curve-brainpoolP384r1-client
+[26-curve-secp256k1-ssl]
+server = 26-curve-secp256k1-server
+client = 26-curve-secp256k1-client
 
-[26-curve-brainpoolP384r1-server]
+[26-curve-secp256k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = brainpoolP384r1
+Curves = secp256k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[26-curve-brainpoolP384r1-client]
+[26-curve-secp256k1-client]
 CipherString = ECDHE
-Curves = brainpoolP384r1
+Curves = secp256k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-26]
 ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP384r1
+ExpectedTmpKeyType = secp256k1
 
 
 # ===========================================================
 
-[27-curve-brainpoolP512r1]
-ssl_conf = 27-curve-brainpoolP512r1-ssl
+[27-curve-brainpoolP256r1]
+ssl_conf = 27-curve-brainpoolP256r1-ssl
 
-[27-curve-brainpoolP512r1-ssl]
-server = 27-curve-brainpoolP512r1-server
-client = 27-curve-brainpoolP512r1-client
+[27-curve-brainpoolP256r1-ssl]
+server = 27-curve-brainpoolP256r1-server
+client = 27-curve-brainpoolP256r1-client
 
-[27-curve-brainpoolP512r1-server]
+[27-curve-brainpoolP256r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = brainpoolP512r1
+Curves = brainpoolP256r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[27-curve-brainpoolP512r1-client]
+[27-curve-brainpoolP256r1-client]
 CipherString = ECDHE
-Curves = brainpoolP512r1
+Curves = brainpoolP256r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-27]
 ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP512r1
+ExpectedTmpKeyType = brainpoolP256r1
 
 
 # ===========================================================
 
-[28-curve-X25519]
-ssl_conf = 28-curve-X25519-ssl
+[28-curve-brainpoolP384r1]
+ssl_conf = 28-curve-brainpoolP384r1-ssl
 
-[28-curve-X25519-ssl]
-server = 28-curve-X25519-server
-client = 28-curve-X25519-client
+[28-curve-brainpoolP384r1-ssl]
+server = 28-curve-brainpoolP384r1-server
+client = 28-curve-brainpoolP384r1-client
 
-[28-curve-X25519-server]
+[28-curve-brainpoolP384r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X25519
+Curves = brainpoolP384r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[28-curve-X25519-client]
+[28-curve-brainpoolP384r1-client]
 CipherString = ECDHE
-Curves = X25519
+Curves = brainpoolP384r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-28]
 ExpectedResult = Success
-ExpectedTmpKeyType = X25519
+ExpectedTmpKeyType = brainpoolP384r1
 
 
 # ===========================================================
 
-[29-curve-X448]
-ssl_conf = 29-curve-X448-ssl
+[29-curve-brainpoolP512r1]
+ssl_conf = 29-curve-brainpoolP512r1-ssl
 
-[29-curve-X448-ssl]
-server = 29-curve-X448-server
-client = 29-curve-X448-client
+[29-curve-brainpoolP512r1-ssl]
+server = 29-curve-brainpoolP512r1-server
+client = 29-curve-brainpoolP512r1-client
 
-[29-curve-X448-server]
+[29-curve-brainpoolP512r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X448
+Curves = brainpoolP512r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[29-curve-X448-client]
+[29-curve-brainpoolP512r1-client]
 CipherString = ECDHE
-Curves = X448
+Curves = brainpoolP512r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-29]
 ExpectedResult = Success
-ExpectedTmpKeyType = X448
+ExpectedTmpKeyType = brainpoolP512r1
 
 
diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in
index 2f8077c44a..d074e561c9 100644
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
@@ -10,14 +10,20 @@ use warnings;
 use OpenSSL::Test;
 use OpenSSL::Test::Utils qw(anydisabled);
 
-my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1",
-              "sect193r2", "sect233k1", "sect233r1", "sect239k1",
+our $fips_mode;
+
+my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
               "sect283k1", "sect283r1", "sect409k1", "sect409r1",
-              "sect571k1", "sect571r1", "secp160k1", "secp160r1",
-              "secp160r2", "secp192k1", "prime192v1", "secp224k1",
-              "secp224r1", "secp256k1", "prime256v1", "secp384r1",
-              "secp521r1", "brainpoolP256r1", "brainpoolP384r1",
-              "brainpoolP512r1", "X25519", "X448");
+              "sect571k1", "sect571r1", "prime192v1", "secp224r1",
+              "prime256v1", "secp384r1", "secp521r1", "X25519",
+              "X448");
+
+my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
+                       "secp160k1", "secp160r1", "secp160r2", "secp192k1",
+                       "secp224k1",  "secp256k1", "brainpoolP256r1",
+                       "brainpoolP384r1", "brainpoolP512r1");
+
+push @curves, @curves_non_fips if !$fips_mode;
 
 our @tests = ();
 
diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf
index 757b973e57..f788069f56 100644
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
@@ -5,37 +5,37 @@ num_tests = 56
 test-0 = 0-ECDSA CipherString Selection
 test-1 = 1-ECDSA CipherString Selection
 test-2 = 2-ECDSA CipherString Selection
-test-3 = 3-Ed25519 CipherString and Signature Algorithm Selection
-test-4 = 4-Ed448 CipherString and Signature Algorithm Selection
-test-5 = 5-ECDSA with brainpool
-test-6 = 6-RSA CipherString Selection
-test-7 = 7-RSA-PSS Certificate CipherString Selection
-test-8 = 8-P-256 CipherString and Signature Algorithm Selection
-test-9 = 9-Ed25519 CipherString and Curves Selection
-test-10 = 10-Ed448 CipherString and Curves Selection
-test-11 = 11-ECDSA CipherString Selection, no ECDSA certificate
-test-12 = 12-ECDSA Signature Algorithm Selection
-test-13 = 13-ECDSA Signature Algorithm Selection SHA384
-test-14 = 14-ECDSA Signature Algorithm Selection SHA1
-test-15 = 15-ECDSA Signature Algorithm Selection compressed point
-test-16 = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-17 = 17-RSA Signature Algorithm Selection
-test-18 = 18-RSA-PSS Signature Algorithm Selection
-test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection
-test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection
-test-21 = 21-Only RSA-PSS Certificate
-test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms
-test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms
-test-24 = 24-Only RSA-PSS Restricted Certificate
-test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms
-test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm
-test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms
-test-28 = 28-RSA key exchange with all RSA certificate types
-test-29 = 29-RSA key exchange with only RSA-PSS certificate
-test-30 = 30-Suite B P-256 Hash Algorithm Selection
-test-31 = 31-Suite B P-384 Hash Algorithm Selection
-test-32 = 32-TLS 1.2 Ed25519 Client Auth
-test-33 = 33-TLS 1.2 Ed448 Client Auth
+test-3 = 3-RSA CipherString Selection
+test-4 = 4-P-256 CipherString and Signature Algorithm Selection
+test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate
+test-6 = 6-ECDSA Signature Algorithm Selection
+test-7 = 7-ECDSA Signature Algorithm Selection SHA384
+test-8 = 8-ECDSA Signature Algorithm Selection SHA1
+test-9 = 9-ECDSA Signature Algorithm Selection compressed point
+test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-11 = 11-RSA Signature Algorithm Selection
+test-12 = 12-RSA-PSS Signature Algorithm Selection
+test-13 = 13-RSA key exchange with all RSA certificate types
+test-14 = 14-Suite B P-256 Hash Algorithm Selection
+test-15 = 15-Suite B P-384 Hash Algorithm Selection
+test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
+test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
+test-18 = 18-ECDSA with brainpool
+test-19 = 19-Ed25519 CipherString and Curves Selection
+test-20 = 20-Ed448 CipherString and Curves Selection
+test-21 = 21-TLS 1.2 Ed25519 Client Auth
+test-22 = 22-TLS 1.2 Ed448 Client Auth
+test-23 = 23-RSA-PSS Certificate CipherString Selection
+test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection
+test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection
+test-26 = 26-Only RSA-PSS Certificate
+test-27 = 27-Only RSA-PSS Certificate Valid Signature Algorithms
+test-28 = 28-RSA-PSS Certificate, no PSS signature algorithms
+test-29 = 29-Only RSA-PSS Restricted Certificate
+test-30 = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms
+test-31 = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm
+test-32 = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms
+test-33 = 33-RSA key exchange with only RSA-PSS certificate
 test-34 = 34-Only RSA-PSS Certificate, TLS v1.1
 test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection
 test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point
@@ -45,13 +45,13 @@ test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS
 test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate
 test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS
 test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection
-test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection
-test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection
-test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection
-test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection
-test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection
-test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
-test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection
+test-44 = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
+test-45 = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-46 = 46-TLS 1.3 Ed25519 Signature Algorithm Selection
+test-47 = 47-TLS 1.3 Ed448 Signature Algorithm Selection
+test-48 = 48-TLS 1.3 Ed25519 CipherString and Groups Selection
+test-49 = 49-TLS 1.3 Ed448 CipherString and Groups Selection
 test-50 = 50-TLS 1.3 Ed25519 Client Auth
 test-51 = 51-TLS 1.3 Ed448 Client Auth
 test-52 = 52-TLS 1.3 ECDSA with brainpool
@@ -158,14 +158,14 @@ ExpectedResult = ServerFail
 
 # ===========================================================
 
-[3-Ed25519 CipherString and Signature Algorithm Selection]
-ssl_conf = 3-Ed25519 CipherString and Signature Algorithm Selection-ssl
+[3-RSA CipherString Selection]
+ssl_conf = 3-RSA CipherString Selection-ssl
 
-[3-Ed25519 CipherString and Signature Algorithm Selection-ssl]
-server = 3-Ed25519 CipherString and Signature Algorithm Selection-server
-client = 3-Ed25519 CipherString and Signature Algorithm Selection-client
+[3-RSA CipherString Selection-ssl]
+server = 3-RSA CipherString Selection-server
+client = 3-RSA CipherString Selection-client
 
-[3-Ed25519 CipherString and Signature Algorithm Selection-server]
+[3-RSA CipherString Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -177,31 +177,28 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[3-Ed25519 CipherString and Signature Algorithm Selection-client]
-CipherString = aECDSA
+[3-RSA CipherString Selection-client]
+CipherString = aRSA
 MaxProtocol = TLSv1.2
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-SignatureAlgorithms = ed25519:ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
 ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
+ExpectedServerCertType = RSA
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[4-Ed448 CipherString and Signature Algorithm Selection]
-ssl_conf = 4-Ed448 CipherString and Signature Algorithm Selection-ssl
+[4-P-256 CipherString and Signature Algorithm Selection]
+ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl
 
-[4-Ed448 CipherString and Signature Algorithm Selection-ssl]
-server = 4-Ed448 CipherString and Signature Algorithm Selection-server
-client = 4-Ed448 CipherString and Signature Algorithm Selection-client
+[4-P-256 CipherString and Signature Algorithm Selection-ssl]
+server = 4-P-256 CipherString and Signature Algorithm Selection-server
+client = 4-P-256 CipherString and Signature Algorithm Selection-client
 
-[4-Ed448 CipherString and Signature Algorithm Selection-server]
+[4-P-256 CipherString and Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -213,60 +210,55 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[4-Ed448 CipherString and Signature Algorithm Selection-client]
+[4-P-256 CipherString and Signature Algorithm Selection-client]
 CipherString = aECDSA
 MaxProtocol = TLSv1.2
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
-SignatureAlgorithms = ed448:ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+SignatureAlgorithms = ECDSA+SHA256:ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-4]
 ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[5-ECDSA with brainpool]
-ssl_conf = 5-ECDSA with brainpool-ssl
+[5-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl
 
-[5-ECDSA with brainpool-ssl]
-server = 5-ECDSA with brainpool-server
-client = 5-ECDSA with brainpool-client
+[5-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 5-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 5-ECDSA CipherString Selection, no ECDSA certificate-client
 
-[5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+[5-ECDSA CipherString Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[5-ECDSA with brainpool-client]
+[5-ECDSA CipherString Selection, no ECDSA certificate-client]
 CipherString = aECDSA
-Groups = brainpoolP256r1
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-5]
-ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
+ExpectedResult = ServerFail
 
 
 # ===========================================================
 
-[6-RSA CipherString Selection]
-ssl_conf = 6-RSA CipherString Selection-ssl
+[6-ECDSA Signature Algorithm Selection]
+ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl
 
-[6-RSA CipherString Selection-ssl]
-server = 6-RSA CipherString Selection-server
-client = 6-RSA CipherString Selection-client
+[6-ECDSA Signature Algorithm Selection-ssl]
+server = 6-ECDSA Signature Algorithm Selection-server
+client = 6-ECDSA Signature Algorithm Selection-client
 
-[6-RSA CipherString Selection-server]
+[6-ECDSA Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -278,28 +270,29 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[6-RSA CipherString Selection-client]
-CipherString = aRSA
-MaxProtocol = TLSv1.2
+[6-ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-6]
 ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[7-RSA-PSS Certificate CipherString Selection]
-ssl_conf = 7-RSA-PSS Certificate CipherString Selection-ssl
+[7-ECDSA Signature Algorithm Selection SHA384]
+ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl
 
-[7-RSA-PSS Certificate CipherString Selection-ssl]
-server = 7-RSA-PSS Certificate CipherString Selection-server
-client = 7-RSA-PSS Certificate CipherString Selection-client
+[7-ECDSA Signature Algorithm Selection SHA384-ssl]
+server = 7-ECDSA Signature Algorithm Selection SHA384-server
+client = 7-ECDSA Signature Algorithm Selection SHA384-client
 
-[7-RSA-PSS Certificate CipherString Selection-server]
+[7-ECDSA Signature Algorithm Selection SHA384-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -309,32 +302,31 @@ Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
 Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
-PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
-PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[7-RSA-PSS Certificate CipherString Selection-client]
-CipherString = aRSA
-MaxProtocol = TLSv1.2
+[7-ECDSA Signature Algorithm Selection SHA384-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA384
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-7]
 ExpectedResult = Success
-ExpectedServerCertType = RSA-PSS
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA384
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[8-P-256 CipherString and Signature Algorithm Selection]
-ssl_conf = 8-P-256 CipherString and Signature Algorithm Selection-ssl
+[8-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl
 
-[8-P-256 CipherString and Signature Algorithm Selection-ssl]
-server = 8-P-256 CipherString and Signature Algorithm Selection-server
-client = 8-P-256 CipherString and Signature Algorithm Selection-client
+[8-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 8-ECDSA Signature Algorithm Selection SHA1-server
+client = 8-ECDSA Signature Algorithm Selection SHA1-client
 
-[8-P-256 CipherString and Signature Algorithm Selection-server]
+[8-ECDSA Signature Algorithm Selection SHA1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -346,125 +338,118 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[8-P-256 CipherString and Signature Algorithm Selection-client]
-CipherString = aECDSA
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+[8-ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA1
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-8]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA256
+ExpectedServerSignHash = SHA1
 ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[9-Ed25519 CipherString and Curves Selection]
-ssl_conf = 9-Ed25519 CipherString and Curves Selection-ssl
+[9-ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl
 
-[9-Ed25519 CipherString and Curves Selection-ssl]
-server = 9-Ed25519 CipherString and Curves Selection-server
-client = 9-Ed25519 CipherString and Curves Selection-client
+[9-ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 9-ECDSA Signature Algorithm Selection compressed point-server
+client = 9-ECDSA Signature Algorithm Selection compressed point-client
 
-[9-Ed25519 CipherString and Curves Selection-server]
+[9-ECDSA Signature Algorithm Selection compressed point-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[9-Ed25519 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X25519
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+[9-ECDSA Signature Algorithm Selection compressed point-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-9]
 ExpectedResult = Success
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[10-Ed448 CipherString and Curves Selection]
-ssl_conf = 10-Ed448 CipherString and Curves Selection-ssl
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
 
-[10-Ed448 CipherString and Curves Selection-ssl]
-server = 10-Ed448 CipherString and Curves Selection-server
-client = 10-Ed448 CipherString and Curves Selection-client
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
 
-[10-Ed448 CipherString and Curves Selection-server]
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-Ed448 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X448
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
-ExpectedResult = Success
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
+ExpectedResult = ServerFail
 
 
 # ===========================================================
 
-[11-ECDSA CipherString Selection, no ECDSA certificate]
-ssl_conf = 11-ECDSA CipherString Selection, no ECDSA certificate-ssl
+[11-RSA Signature Algorithm Selection]
+ssl_conf = 11-RSA Signature Algorithm Selection-ssl
 
-[11-ECDSA CipherString Selection, no ECDSA certificate-ssl]
-server = 11-ECDSA CipherString Selection, no ECDSA certificate-server
-client = 11-ECDSA CipherString Selection, no ECDSA certificate-client
+[11-RSA Signature Algorithm Selection-ssl]
+server = 11-RSA Signature Algorithm Selection-server
+client = 11-RSA Signature Algorithm Selection-client
 
-[11-ECDSA CipherString Selection, no ECDSA certificate-server]
+[11-RSA Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[11-ECDSA CipherString Selection, no ECDSA certificate-client]
-CipherString = aECDSA
-MaxProtocol = TLSv1.2
+[11-RSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA
 
 
 # ===========================================================
 
-[12-ECDSA Signature Algorithm Selection]
-ssl_conf = 12-ECDSA Signature Algorithm Selection-ssl
+[12-RSA-PSS Signature Algorithm Selection]
+ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl
 
-[12-ECDSA Signature Algorithm Selection-ssl]
-server = 12-ECDSA Signature Algorithm Selection-server
-client = 12-ECDSA Signature Algorithm Selection-client
+[12-RSA-PSS Signature Algorithm Selection-ssl]
+server = 12-RSA-PSS Signature Algorithm Selection-server
+client = 12-RSA-PSS Signature Algorithm Selection-client
 
-[12-ECDSA Signature Algorithm Selection-server]
+[12-RSA-PSS Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -476,152 +461,152 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[12-ECDSA Signature Algorithm Selection-client]
+[12-RSA-PSS Signature Algorithm Selection-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
+SignatureAlgorithms = RSA-PSS+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
 ExpectedResult = Success
-ExpectedServerCertType = P-256
+ExpectedServerCertType = RSA
 ExpectedServerSignHash = SHA256
-ExpectedServerSignType = EC
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[13-ECDSA Signature Algorithm Selection SHA384]
-ssl_conf = 13-ECDSA Signature Algorithm Selection SHA384-ssl
+[13-RSA key exchange with all RSA certificate types]
+ssl_conf = 13-RSA key exchange with all RSA certificate types-ssl
 
-[13-ECDSA Signature Algorithm Selection SHA384-ssl]
-server = 13-ECDSA Signature Algorithm Selection SHA384-server
-client = 13-ECDSA Signature Algorithm Selection SHA384-client
+[13-RSA key exchange with all RSA certificate types-ssl]
+server = 13-RSA key exchange with all RSA certificate types-server
+client = 13-RSA key exchange with all RSA certificate types-client
 
-[13-ECDSA Signature Algorithm Selection SHA384-server]
+[13-RSA key exchange with all RSA certificate types-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[13-ECDSA Signature Algorithm Selection SHA384-client]
-CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA384
+[13-RSA key exchange with all RSA certificate types-client]
+CipherString = kRSA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
 ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA384
-ExpectedServerSignType = EC
+ExpectedServerCertType = RSA
 
 
 # ===========================================================
 
-[14-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 14-ECDSA Signature Algorithm Selection SHA1-ssl
+[14-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 14-Suite B P-256 Hash Algorithm Selection-ssl
 
-[14-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 14-ECDSA Signature Algorithm Selection SHA1-server
-client = 14-ECDSA Signature Algorithm Selection SHA1-client
+[14-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 14-Suite B P-256 Hash Algorithm Selection-server
+client = 14-Suite B P-256 Hash Algorithm Selection-client
 
-[14-ECDSA Signature Algorithm Selection SHA1-server]
+[14-Suite B P-256 Hash Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+CipherString = SUITEB128
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[14-ECDSA Signature Algorithm Selection SHA1-client]
+[14-Suite B P-256 Hash Algorithm Selection-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer
 
 [test-14]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA1
+ExpectedServerSignHash = SHA256
 ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[15-ECDSA Signature Algorithm Selection compressed point]
-ssl_conf = 15-ECDSA Signature Algorithm Selection compressed point-ssl
+[15-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 15-Suite B P-384 Hash Algorithm Selection-ssl
 
-[15-ECDSA Signature Algorithm Selection compressed point-ssl]
-server = 15-ECDSA Signature Algorithm Selection compressed point-server
-client = 15-ECDSA Signature Algorithm Selection compressed point-client
+[15-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 15-Suite B P-384 Hash Algorithm Selection-server
+client = 15-Suite B P-384 Hash Algorithm Selection-client
 
-[15-ECDSA Signature Algorithm Selection compressed point-server]
+[15-Suite B P-384 Hash Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
+CipherString = SUITEB128
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-ECDSA Signature Algorithm Selection compressed point-client]
+[15-Suite B P-384 Hash Algorithm Selection-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer
 
 [test-15]
 ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA256
+ExpectedServerCertType = P-384
+ExpectedServerSignHash = SHA384
 ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[16-ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[16-Ed25519 CipherString and Signature Algorithm Selection]
+ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl
 
-[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[16-Ed25519 CipherString and Signature Algorithm Selection-ssl]
+server = 16-Ed25519 CipherString and Signature Algorithm Selection-server
+client = 16-Ed25519 CipherString and Signature Algorithm Selection-client
 
-[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[16-Ed25519 CipherString and Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
-CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
+[16-Ed25519 CipherString and Signature Algorithm Selection-client]
+CipherString = aECDSA
+MaxProtocol = TLSv1.2
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+SignatureAlgorithms = ed25519:ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCANames = empty
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
 
 
 # ===========================================================
 
-[17-RSA Signature Algorithm Selection]
-ssl_conf = 17-RSA Signature Algorithm Selection-ssl
+[17-Ed448 CipherString and Signature Algorithm Selection]
+ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl
 
-[17-RSA Signature Algorithm Selection-ssl]
-server = 17-RSA Signature Algorithm Selection-server
-client = 17-RSA Signature Algorithm Selection-client
+[17-Ed448 CipherString and Signature Algorithm Selection-ssl]
+server = 17-Ed448 CipherString and Signature Algorithm Selection-server
+client = 17-Ed448 CipherString and Signature Algorithm Selection-client
 
-[17-RSA Signature Algorithm Selection-server]
+[17-Ed448 CipherString and Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -633,63 +618,60 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[17-RSA Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[17-Ed448 CipherString and Signature Algorithm Selection-client]
+CipherString = aECDSA
+MaxProtocol = TLSv1.2
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+SignatureAlgorithms = ed448:ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-17]
 ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA
+ExpectedServerCANames = empty
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
 
 
 # ===========================================================
 
-[18-RSA-PSS Signature Algorithm Selection]
-ssl_conf = 18-RSA-PSS Signature Algorithm Selection-ssl
+[18-ECDSA with brainpool]
+ssl_conf = 18-ECDSA with brainpool-ssl
 
-[18-RSA-PSS Signature Algorithm Selection-ssl]
-server = 18-RSA-PSS Signature Algorithm Selection-server
-client = 18-RSA-PSS Signature Algorithm Selection-client
+[18-ECDSA with brainpool-ssl]
+server = 18-ECDSA with brainpool-server
+client = 18-ECDSA with brainpool-client
 
-[18-RSA-PSS Signature Algorithm Selection-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[18-ECDSA with brainpool-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Groups = brainpoolP256r1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
 
-[18-RSA-PSS Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA-PSS+SHA256
+[18-ECDSA with brainpool-client]
+CipherString = aECDSA
+Groups = brainpoolP256r1
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-18]
 ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCANames = empty
+ExpectedServerCertType = brainpoolP256r1
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[19-RSA-PSS Certificate Legacy Signature Algorithm Selection]
-ssl_conf = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl
+[19-Ed25519 CipherString and Curves Selection]
+ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl
 
-[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl]
-server = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server
-client = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client
+[19-Ed25519 CipherString and Curves Selection-ssl]
+server = 19-Ed25519 CipherString and Curves Selection-server
+client = 19-Ed25519 CipherString and Curves Selection-client
 
-[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server]
+[19-Ed25519 CipherString and Curves Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -699,33 +681,32 @@ Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
 Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
-PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
-PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA-PSS+SHA256
+[19-Ed25519 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X25519
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed25519
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-19]
 ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
 
 
 # ===========================================================
 
-[20-RSA-PSS Certificate Unified Signature Algorithm Selection]
-ssl_conf = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl
+[20-Ed448 CipherString and Curves Selection]
+ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl
 
-[20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl]
-server = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-server
-client = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-client
+[20-Ed448 CipherString and Curves Selection-ssl]
+server = 20-Ed448 CipherString and Curves Selection-server
+client = 20-Ed448 CipherString and Curves Selection-client
 
-[20-RSA-PSS Certificate Unified Signature Algorithm Selection-server]
+[20-Ed448 CipherString and Curves Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -735,143 +716,181 @@ Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
 Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
-PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
-PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-RSA-PSS Certificate Unified Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = rsa_pss_pss_sha256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[20-Ed448 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X448
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed448
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-20]
 ExpectedResult = Success
-ExpectedServerCertType = RSA-PSS
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
 
 
 # ===========================================================
 
-[21-Only RSA-PSS Certificate]
-ssl_conf = 21-Only RSA-PSS Certificate-ssl
+[21-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl
 
-[21-Only RSA-PSS Certificate-ssl]
-server = 21-Only RSA-PSS Certificate-server
-client = 21-Only RSA-PSS Certificate-client
+[21-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 21-TLS 1.2 Ed25519 Client Auth-server
+client = 21-TLS 1.2 Ed25519 Client Auth-client
 
-[21-Only RSA-PSS Certificate-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+[21-TLS 1.2 Ed25519 Client Auth-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
 
-[21-Only RSA-PSS Certificate-client]
+[21-TLS 1.2 Ed25519 Client Auth-client]
 CipherString = DEFAULT
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-21]
+ExpectedClientCertType = Ed25519
+ExpectedClientSignType = Ed25519
 ExpectedResult = Success
-ExpectedServerCertType = RSA-PSS
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[22-Only RSA-PSS Certificate Valid Signature Algorithms]
-ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl
+[22-TLS 1.2 Ed448 Client Auth]
+ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl
 
-[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl]
-server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server
-client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client
+[22-TLS 1.2 Ed448 Client Auth-ssl]
+server = 22-TLS 1.2 Ed448 Client Auth-server
+client = 22-TLS 1.2 Ed448 Client Auth-client
 
-[22-Only RSA-PSS Certificate Valid Signature Algorithms-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+[22-TLS 1.2 Ed448 Client Auth-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
 
-[22-Only RSA-PSS Certificate Valid Signature Algorithms-client]
+[22-TLS 1.2 Ed448 Client Auth-client]
 CipherString = DEFAULT
-SignatureAlgorithms = rsa_pss_pss_sha512
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-22]
+ExpectedClientCertType = Ed448
+ExpectedClientSignType = Ed448
 ExpectedResult = Success
-ExpectedServerCertType = RSA-PSS
-ExpectedServerSignHash = SHA512
-ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[23-RSA-PSS Certificate, no PSS signature algorithms]
-ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl
+[23-RSA-PSS Certificate CipherString Selection]
+ssl_conf = 23-RSA-PSS Certificate CipherString Selection-ssl
 
-[23-RSA-PSS Certificate, no PSS signature algorithms-ssl]
-server = 23-RSA-PSS Certificate, no PSS signature algorithms-server
-client = 23-RSA-PSS Certificate, no PSS signature algorithms-client
+[23-RSA-PSS Certificate CipherString Selection-ssl]
+server = 23-RSA-PSS Certificate CipherString Selection-server
+client = 23-RSA-PSS Certificate CipherString Selection-client
 
-[23-RSA-PSS Certificate, no PSS signature algorithms-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+[23-RSA-PSS Certificate CipherString Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[23-RSA-PSS Certificate, no PSS signature algorithms-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA+SHA256
+[23-RSA-PSS Certificate CipherString Selection-client]
+CipherString = aRSA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-23]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[24-Only RSA-PSS Restricted Certificate]
-ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl
+[24-RSA-PSS Certificate Legacy Signature Algorithm Selection]
+ssl_conf = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl
 
-[24-Only RSA-PSS Restricted Certificate-ssl]
-server = 24-Only RSA-PSS Restricted Certificate-server
-client = 24-Only RSA-PSS Restricted Certificate-client
+[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl]
+server = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server
+client = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-client
 
-[24-Only RSA-PSS Restricted Certificate-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[24-Only RSA-PSS Restricted Certificate-client]
+[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-client]
 CipherString = DEFAULT
+SignatureAlgorithms = RSA-PSS+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-24]
 ExpectedResult = Success
-ExpectedServerCertType = RSA-PSS
+ExpectedServerCertType = RSA
 ExpectedServerSignHash = SHA256
 ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[25-RSA-PSS Restricted Certificate Valid Signature Algorithms]
-ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl
+[25-RSA-PSS Certificate Unified Signature Algorithm Selection]
+ssl_conf = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl
 
-[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl]
-server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server
-client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client
+[25-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl]
+server = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-server
+client = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-client
 
-[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+[25-RSA-PSS Certificate Unified Signature Algorithm Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client]
+[25-RSA-PSS Certificate Unified Signature Algorithm Selection-client]
 CipherString = DEFAULT
-SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512
+SignatureAlgorithms = rsa_pss_pss_sha256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -884,21 +903,20 @@ ExpectedServerSignType = RSA-PSS
 
 # ===========================================================
 
-[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm]
-ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl
+[26-Only RSA-PSS Certificate]
+ssl_conf = 26-Only RSA-PSS Certificate-ssl
 
-[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl]
-server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server
-client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client
+[26-Only RSA-PSS Certificate-ssl]
+server = 26-Only RSA-PSS Certificate-server
+client = 26-Only RSA-PSS Certificate-client
 
-[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+[26-Only RSA-PSS Certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 
-[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client]
+[26-Only RSA-PSS Certificate-client]
 CipherString = DEFAULT
-SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -911,199 +929,181 @@ ExpectedServerSignType = RSA-PSS
 
 # ===========================================================
 
-[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms]
-ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl
+[27-Only RSA-PSS Certificate Valid Signature Algorithms]
+ssl_conf = 27-Only RSA-PSS Certificate Valid Signature Algorithms-ssl
 
-[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl]
-server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server
-client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client
+[27-Only RSA-PSS Certificate Valid Signature Algorithms-ssl]
+server = 27-Only RSA-PSS Certificate Valid Signature Algorithms-server
+client = 27-Only RSA-PSS Certificate Valid Signature Algorithms-client
 
-[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+[27-Only RSA-PSS Certificate Valid Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 
-[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client]
+[27-Only RSA-PSS Certificate Valid Signature Algorithms-client]
 CipherString = DEFAULT
 SignatureAlgorithms = rsa_pss_pss_sha512
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-27]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA512
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[28-RSA key exchange with all RSA certificate types]
-ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl
+[28-RSA-PSS Certificate, no PSS signature algorithms]
+ssl_conf = 28-RSA-PSS Certificate, no PSS signature algorithms-ssl
 
-[28-RSA key exchange with all RSA certificate types-ssl]
-server = 28-RSA key exchange with all RSA certificate types-server
-client = 28-RSA key exchange with all RSA certificate types-client
+[28-RSA-PSS Certificate, no PSS signature algorithms-ssl]
+server = 28-RSA-PSS Certificate, no PSS signature algorithms-server
+client = 28-RSA-PSS Certificate, no PSS signature algorithms-client
 
-[28-RSA key exchange with all RSA certificate types-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[28-RSA-PSS Certificate, no PSS signature algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
 CipherString = DEFAULT
-PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
-PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 
-[28-RSA key exchange with all RSA certificate types-client]
-CipherString = kRSA
-MaxProtocol = TLSv1.2
+[28-RSA-PSS Certificate, no PSS signature algorithms-client]
+CipherString = DEFAULT
+SignatureAlgorithms = RSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-28]
-ExpectedResult = Success
-ExpectedServerCertType = RSA
+ExpectedResult = ServerFail
 
 
 # ===========================================================
 
-[29-RSA key exchange with only RSA-PSS certificate]
-ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl
+[29-Only RSA-PSS Restricted Certificate]
+ssl_conf = 29-Only RSA-PSS Restricted Certificate-ssl
 
-[29-RSA key exchange with only RSA-PSS certificate-ssl]
-server = 29-RSA key exchange with only RSA-PSS certificate-server
-client = 29-RSA key exchange with only RSA-PSS certificate-client
+[29-Only RSA-PSS Restricted Certificate-ssl]
+server = 29-Only RSA-PSS Restricted Certificate-server
+client = 29-Only RSA-PSS Restricted Certificate-client
 
-[29-RSA key exchange with only RSA-PSS certificate-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+[29-Only RSA-PSS Restricted Certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
 
-[29-RSA key exchange with only RSA-PSS certificate-client]
-CipherString = kRSA
-MaxProtocol = TLSv1.2
+[29-Only RSA-PSS Restricted Certificate-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-29]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[30-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl
+[30-RSA-PSS Restricted Certificate Valid Signature Algorithms]
+ssl_conf = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl
 
-[30-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 30-Suite B P-256 Hash Algorithm Selection-server
-client = 30-Suite B P-256 Hash Algorithm Selection-client
+[30-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl]
+server = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-server
+client = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-client
 
-[30-Suite B P-256 Hash Algorithm Selection-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = SUITEB128
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+[30-RSA-PSS Restricted Certificate Valid Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
 
-[30-Suite B P-256 Hash Algorithm Selection-client]
+[30-RSA-PSS Restricted Certificate Valid Signature Algorithms-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-30]
 ExpectedResult = Success
-ExpectedServerCertType = P-256
+ExpectedServerCertType = RSA-PSS
 ExpectedServerSignHash = SHA256
-ExpectedServerSignType = EC
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[31-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl
+[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm]
+ssl_conf = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl
 
-[31-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 31-Suite B P-384 Hash Algorithm Selection-server
-client = 31-Suite B P-384 Hash Algorithm Selection-client
+[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl]
+server = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server
+client = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client
 
-[31-Suite B P-384 Hash Algorithm Selection-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = SUITEB128
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
 
-[31-Suite B P-384 Hash Algorithm Selection-client]
+[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-31]
 ExpectedResult = Success
-ExpectedServerCertType = P-384
-ExpectedServerSignHash = SHA384
-ExpectedServerSignType = EC
+ExpectedServerCertType = RSA-PSS
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
 
 
 # ===========================================================
 
-[32-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl
+[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms]
+ssl_conf = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl
 
-[32-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 32-TLS 1.2 Ed25519 Client Auth-server
-client = 32-TLS 1.2 Ed25519 Client Auth-client
+[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl]
+server = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server
+client = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client
 
-[32-TLS 1.2 Ed25519 Client Auth-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem
 
-[32-TLS 1.2 Ed25519 Client Auth-client]
+[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client]
 CipherString = DEFAULT
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
-MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
+SignatureAlgorithms = rsa_pss_pss_sha512
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-32]
-ExpectedClientCertType = Ed25519
-ExpectedClientSignType = Ed25519
-ExpectedResult = Success
+ExpectedResult = ServerFail
 
 
 # ===========================================================
 
-[33-TLS 1.2 Ed448 Client Auth]
-ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl
+[33-RSA key exchange with only RSA-PSS certificate]
+ssl_conf = 33-RSA key exchange with only RSA-PSS certificate-ssl
 
-[33-TLS 1.2 Ed448 Client Auth-ssl]
-server = 33-TLS 1.2 Ed448 Client Auth-server
-client = 33-TLS 1.2 Ed448 Client Auth-client
+[33-RSA key exchange with only RSA-PSS certificate-ssl]
+server = 33-RSA key exchange with only RSA-PSS certificate-server
+client = 33-RSA key exchange with only RSA-PSS certificate-client
 
-[33-TLS 1.2 Ed448 Client Auth-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[33-RSA key exchange with only RSA-PSS certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
 CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 
-[33-TLS 1.2 Ed448 Client Auth-client]
-CipherString = DEFAULT
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
+[33-RSA key exchange with only RSA-PSS certificate-client]
+CipherString = kRSA
 MaxProtocol = TLSv1.2
-MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-33]
-ExpectedClientCertType = Ed448
-ExpectedClientSignType = Ed448
-ExpectedResult = Success
+ExpectedResult = ServerFail
 
 
 # ===========================================================
@@ -1397,117 +1397,122 @@ ExpectedServerSignType = RSA-PSS
 
 # ===========================================================
 
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection]
-ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
+ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
 
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
-server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server
-client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
+server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
+client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
 
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = PSS+SHA256
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
 
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ed25519
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-43]
+ExpectedClientCANames = empty
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
 ExpectedResult = Success
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
 
 
 # ===========================================================
 
-[44-TLS 1.3 Ed448 Signature Algorithm Selection]
-ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
+ssl_conf = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
 
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
-server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server
-client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
+server = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
+client = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
 
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-server]
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = PSS+SHA256
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
 
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-client]
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
 CipherString = DEFAULT
-SignatureAlgorithms = ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-44]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
 ExpectedResult = Success
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
 
 
 # ===========================================================
 
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection]
-ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
+ssl_conf = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
 
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
-server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server
-client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
+server = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
+client = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
 
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = ECDSA+SHA256
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
 
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
 CipherString = DEFAULT
-Groups = X25519
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-45]
+ExpectedClientCertType = P-256
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = EC
 ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[46-TLS 1.3 Ed448 CipherString and Groups Selection]
-ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection]
+ssl_conf = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
 
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
-server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server
-client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
+server = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-server
+client = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-client
 
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-server]
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -1520,125 +1525,120 @@ MaxProtocol = TLSv1.3
 MinProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-client]
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
 CipherString = DEFAULT
-Groups = X448
-SignatureAlgorithms = ECDSA+SHA256:ed448
+SignatureAlgorithms = ed25519
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-46]
 ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignType = EC
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
 
 
 # ===========================================================
 
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
-ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
+[47-TLS 1.3 Ed448 Signature Algorithm Selection]
+ssl_conf = 47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
 
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
-server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
-client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
+server = 47-TLS 1.3 Ed448 Signature Algorithm Selection-server
+client = 47-TLS 1.3 Ed448 Signature Algorithm Selection-client
 
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ClientSignatureAlgorithms = PSS+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
 
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-client]
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ed448
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-47]
-ExpectedClientCANames = empty
-ExpectedClientCertType = RSA
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = RSA-PSS
 ExpectedResult = Success
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
 
 
 # ===========================================================
 
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
-ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection]
+ssl_conf = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
 
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
-server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
-client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
+server = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-server
+client = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-client
 
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ClientSignatureAlgorithms = PSS+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
 
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Groups = X25519
+SignatureAlgorithms = ECDSA+SHA256:ed25519
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-48]
-ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-ExpectedClientCertType = RSA
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = RSA-PSS
 ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
 
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
-ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
+[49-TLS 1.3 Ed448 CipherString and Groups Selection]
+ssl_conf = 49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
 
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
-server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
-client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
+server = 49-TLS 1.3 Ed448 CipherString and Groups Selection-server
+client = 49-TLS 1.3 Ed448 CipherString and Groups Selection-client
 
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-ClientSignatureAlgorithms = ECDSA+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
 
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-client]
 CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Groups = X448
+SignatureAlgorithms = ECDSA+SHA256:ed448
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-49]
-ExpectedClientCertType = P-256
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = EC
 ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignType = EC
 
 
 # ===========================================================
diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
index 24093548cd..fd3f09d7fb 100644
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@@ -9,15 +9,29 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
-my $server = {
-    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
-    "MaxProtocol" => "TLSv1.2"
-};
+our $fips_mode;
+our $no_deflt_libctx;
+
+my $server;
+
+if ($fips_mode) {
+    #TODO(3.0): No EdDSA support in FIPS mode at the moment
+    $server = {
+        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+        "MaxProtocol" => "TLSv1.2"
+    };
+} else {
+    $server = {
+        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+        "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+        "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+        "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+        "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+        "MaxProtocol" => "TLSv1.2"
+    };
+}
 
 my $server_pss = {
     "PSS.Certificate" => test_pem("server-pss-cert.pem"),
@@ -41,13 +55,21 @@ my $server_pss_restrict_only = {
     "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
 };
 
+my $server_rsa_all;
 
-my $server_rsa_all = {
-    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
-    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
-    "Certificate" => test_pem("servercert.pem"),
-    "PrivateKey" => test_pem("serverkey.pem"),
-};
+if ($no_deflt_libctx) {
+    $server_rsa_all = {
+        "Certificate" => test_pem("servercert.pem"),
+        "PrivateKey" => test_pem("serverkey.pem"),
+    };
+} else {
+    $server_rsa_all = {
+        "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+        "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+        "Certificate" => test_pem("servercert.pem"),
+        "PrivateKey" => test_pem("serverkey.pem"),
+    };
+}
 
 our @tests = (
     {
@@ -111,95 +133,94 @@ our @tests = (
         },
     },
     {
-        name => "Ed25519 CipherString and Signature Algorithm Selection",
+        name => "RSA CipherString Selection",
         server => $server,
         client => {
-            "CipherString" => "aECDSA",
+            "CipherString" => "aRSA",
             "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
-            "RequestCAFile" => test_pem("root-cert.pem"),
         },
         test   => {
-            "ExpectedServerCertType" =>, "Ed25519",
-            "ExpectedServerSignType" =>, "Ed25519",
-            # Note: certificate_authorities not sent for TLS < 1.3
-            "ExpectedServerCANames" =>, "empty",
+            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedServerSignType" =>, "RSA-PSS",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "Ed448 CipherString and Signature Algorithm Selection",
+        name => "P-256 CipherString and Signature Algorithm Selection",
         server => $server,
         client => {
             "CipherString" => "aECDSA",
             "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
-            "RequestCAFile" => test_pem("root-ed448-cert.pem"),
-            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
         },
         test   => {
-            "ExpectedServerCertType" =>, "Ed448",
-            "ExpectedServerSignType" =>, "Ed448",
-            # Note: certificate_authorities not sent for TLS < 1.3
-            "ExpectedServerCANames" =>, "empty",
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "ECDSA with brainpool",
-        server =>  {
-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
-            "Groups" => "brainpoolP256r1",
+        name => "ECDSA CipherString Selection, no ECDSA certificate",
+        server => {
+            "MaxProtocol" => "TLSv1.2"
         },
         client => {
-            #We don't restrict this to TLSv1.2, although use of brainpool
-            #should force this anyway so that this should succeed
             "CipherString" => "aECDSA",
-            "RequestCAFile" => test_pem("root-cert.pem"),
-            "Groups" => "brainpoolP256r1",
+            "MaxProtocol" => "TLSv1.2"
         },
         test   => {
-            "ExpectedServerCertType" =>, "brainpoolP256r1",
-            "ExpectedServerSignType" =>, "EC",
-            # Note: certificate_authorities not sent for TLS < 1.3
-            "ExpectedServerCANames" =>, "empty",
-            "ExpectedResult" => "Success"
+            "ExpectedResult" => "ServerFail"
         },
     },
     {
-        name => "RSA CipherString Selection",
+        name => "ECDSA Signature Algorithm Selection",
         server => $server,
         client => {
-            "CipherString" => "aRSA",
-            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256",
         },
         test   => {
-            "ExpectedServerCertType" =>, "RSA",
-            "ExpectedServerSignType" =>, "RSA-PSS",
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "RSA-PSS Certificate CipherString Selection",
-        server => $server_pss,
+        name => "ECDSA Signature Algorithm Selection SHA384",
+        server => $server,
         client => {
-            "CipherString" => "aRSA",
-            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA384",
         },
         test   => {
-            "ExpectedServerCertType" =>, "RSA-PSS",
-            "ExpectedServerSignType" =>, "RSA-PSS",
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA384",
+            "ExpectedServerSignType" => "EC",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "P-256 CipherString and Signature Algorithm Selection",
+        name => "ECDSA Signature Algorithm Selection SHA1",
         server => $server,
         client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            "SignatureAlgorithms" => "ECDSA+SHA1",
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA1",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "ECDSA Signature Algorithm Selection compressed point",
+        server => {
+            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+            "MaxProtocol" => "TLSv1.2"
+        },
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256",
         },
         test   => {
             "ExpectedServerCertType" => "P-256",
@@ -209,58 +230,66 @@ our @tests = (
         },
     },
     {
-        name => "Ed25519 CipherString and Curves Selection",
+        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+        server => {
+             "MaxProtocol" => "TLSv1.2"
+        },
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256",
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail"
+        },
+    },
+    {
+        name => "RSA Signature Algorithm Selection",
         server => $server,
         client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
-            # Excluding P-256 from the supported curves list means server
-            # certificate should be Ed25519 and not P-256
-            "Curves" => "X25519"
+            "SignatureAlgorithms" => "RSA+SHA256",
         },
         test   => {
-            "ExpectedServerCertType" =>, "Ed25519",
-            "ExpectedServerSignType" =>, "Ed25519",
+            "ExpectedServerCertType" => "RSA",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "RSA",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "Ed448 CipherString and Curves Selection",
+        name => "RSA-PSS Signature Algorithm Selection",
         server => $server,
         client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
-            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
-            # Excluding P-256 from the supported curves list means server
-            # certificate should be Ed25519 and not P-256
-            "Curves" => "X448"
+            "SignatureAlgorithms" => "RSA-PSS+SHA256",
         },
         test   => {
-            "ExpectedServerCertType" =>, "Ed448",
-            "ExpectedServerSignType" =>, "Ed448",
+            "ExpectedServerCertType" => "RSA",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "RSA-PSS",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "ECDSA CipherString Selection, no ECDSA certificate",
-        server => {
-            "MaxProtocol" => "TLSv1.2"
-        },
+        name => "RSA key exchange with all RSA certificate types",
+        server => $server_rsa_all,
         client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2"
+            "CipherString" => "kRSA",
+            "MaxProtocol" => "TLSv1.2",
         },
         test   => {
-            "ExpectedResult" => "ServerFail"
+            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedResult" => "Success"
         },
     },
     {
-        name => "ECDSA Signature Algorithm Selection",
-        server => $server,
+        name => "Suite B P-256 Hash Algorithm Selection",
+        server =>  {
+            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
+            "MaxProtocol" => "TLSv1.2",
+            "CipherString" => "SUITEB128"
+        },
         client => {
-            "SignatureAlgorithms" => "ECDSA+SHA256",
+            "VerifyCAFile" => test_pem("p384-root.pem"),
+            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
         },
         test   => {
             "ExpectedServerCertType" => "P-256",
@@ -270,83 +299,169 @@ our @tests = (
         },
     },
     {
-        name => "ECDSA Signature Algorithm Selection SHA384",
-        server => $server,
+        name => "Suite B P-384 Hash Algorithm Selection",
+        server =>  {
+            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
+            "MaxProtocol" => "TLSv1.2",
+            "CipherString" => "SUITEB128"
+        },
         client => {
-            "SignatureAlgorithms" => "ECDSA+SHA384",
+            "VerifyCAFile" => test_pem("p384-root.pem"),
+            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
         },
         test   => {
-            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerCertType" => "P-384",
             "ExpectedServerSignHash" => "SHA384",
             "ExpectedServerSignType" => "EC",
             "ExpectedResult" => "Success"
         },
     },
+);
+
+my @tests_non_fips = (
+    # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
     {
-        name => "ECDSA Signature Algorithm Selection SHA1",
+        name => "Ed25519 CipherString and Signature Algorithm Selection",
         server => $server,
         client => {
-            "SignatureAlgorithms" => "ECDSA+SHA1",
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
+            "RequestCAFile" => test_pem("root-cert.pem"),
         },
         test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA1",
-            "ExpectedServerSignType" => "EC",
+            "ExpectedServerCertType" =>, "Ed25519",
+            "ExpectedServerSignType" =>, "Ed25519",
+            # Note: certificate_authorities not sent for TLS < 1.3
+            "ExpectedServerCANames" =>, "empty",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "ECDSA Signature Algorithm Selection compressed point",
-        server => {
-            "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
-            "MaxProtocol" => "TLSv1.2"
+        name => "Ed448 CipherString and Signature Algorithm Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
+            "RequestCAFile" => test_pem("root-ed448-cert.pem"),
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed448",
+            "ExpectedServerSignType" =>, "Ed448",
+            # Note: certificate_authorities not sent for TLS < 1.3
+            "ExpectedServerCANames" =>, "empty",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "ECDSA with brainpool",
+        server =>  {
+            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+            "Groups" => "brainpoolP256r1",
         },
         client => {
-            "SignatureAlgorithms" => "ECDSA+SHA256",
+            #We don't restrict this to TLSv1.2, although use of brainpool
+            #should force this anyway so that this should succeed
+            "CipherString" => "aECDSA",
+            "RequestCAFile" => test_pem("root-cert.pem"),
+            "Groups" => "brainpoolP256r1",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "brainpoolP256r1",
+            "ExpectedServerSignType" =>, "EC",
+            # Note: certificate_authorities not sent for TLS < 1.3
+            "ExpectedServerCANames" =>, "empty",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Ed25519 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed25519",
+            "ExpectedServerSignType" =>, "Ed25519",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Ed448 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X448"
         },
         test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA256",
-            "ExpectedServerSignType" => "EC",
+            "ExpectedServerCertType" =>, "Ed448",
+            "ExpectedServerSignType" =>, "Ed448",
             "ExpectedResult" => "Success"
         },
     },
     {
-        name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
+        name => "TLS 1.2 Ed25519 Client Auth",
         server => {
-             "MaxProtocol" => "TLSv1.2"
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
         },
         client => {
-            "SignatureAlgorithms" => "ECDSA+SHA256",
+            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
+            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
+            "MinProtocol" => "TLSv1.2",
+            "MaxProtocol" => "TLSv1.2"
         },
         test   => {
-            "ExpectedResult" => "ServerFail"
+            "ExpectedClientCertType" => "Ed25519",
+            "ExpectedClientSignType" => "Ed25519",
+            "ExpectedResult" => "Success"
         },
     },
     {
-        name => "RSA Signature Algorithm Selection",
-        server => $server,
+        name => "TLS 1.2 Ed448 Client Auth",
+        server => {
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
         client => {
-            "SignatureAlgorithms" => "RSA+SHA256",
+            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
+            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
+            "MinProtocol" => "TLSv1.2",
+            "MaxProtocol" => "TLSv1.2"
         },
         test   => {
-            "ExpectedServerCertType" => "RSA",
-            "ExpectedServerSignHash" => "SHA256",
-            "ExpectedServerSignType" => "RSA",
+            "ExpectedClientCertType" => "Ed448",
+            "ExpectedClientSignType" => "Ed448",
             "ExpectedResult" => "Success"
         },
     },
+);
+
+my @tests_pss = (
     {
-        name => "RSA-PSS Signature Algorithm Selection",
-        server => $server,
+        name => "RSA-PSS Certificate CipherString Selection",
+        server => $server_pss,
         client => {
-            "SignatureAlgorithms" => "RSA-PSS+SHA256",
+            "CipherString" => "aRSA",
+            "MaxProtocol" => "TLSv1.2",
         },
         test   => {
-            "ExpectedServerCertType" => "RSA",
-            "ExpectedServerSignHash" => "SHA256",
-            "ExpectedServerSignType" => "RSA-PSS",
+            "ExpectedServerCertType" =>, "RSA-PSS",
+            "ExpectedServerSignType" =>, "RSA-PSS",
             "ExpectedResult" => "Success"
         },
     },
@@ -457,18 +572,6 @@ our @tests = (
             "ExpectedResult" => "ServerFail"
         },
     },
-    {
-        name => "RSA key exchange with all RSA certificate types",
-        server => $server_rsa_all,
-        client => {
-            "CipherString" => "kRSA",
-            "MaxProtocol" => "TLSv1.2",
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "RSA",
-            "ExpectedResult" => "Success"
-        },
-    },
     {
         name => "RSA key exchange with only RSA-PSS certificate",
         server => $server_pss_only,
@@ -480,80 +583,6 @@ our @tests = (
             "ExpectedResult" => "ServerFail"
         },
     },
-    {
-        name => "Suite B P-256 Hash Algorithm Selection",
-        server =>  {
-            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
-            "MaxProtocol" => "TLSv1.2",
-            "CipherString" => "SUITEB128"
-        },
-        client => {
-            "VerifyCAFile" => test_pem("p384-root.pem"),
-            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA256",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "Suite B P-384 Hash Algorithm Selection",
-        server =>  {
-            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
-            "MaxProtocol" => "TLSv1.2",
-            "CipherString" => "SUITEB128"
-        },
-        client => {
-            "VerifyCAFile" => test_pem("p384-root.pem"),
-            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-384",
-            "ExpectedServerSignHash" => "SHA384",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.2 Ed25519 Client Auth",
-        server => {
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => {
-            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
-            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
-            "MinProtocol" => "TLSv1.2",
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test   => {
-            "ExpectedClientCertType" => "Ed25519",
-            "ExpectedClientSignType" => "Ed25519",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.2 Ed448 Client Auth",
-        server => {
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => {
-            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
-            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
-            "MinProtocol" => "TLSv1.2",
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test   => {
-            "ExpectedClientCertType" => "Ed448",
-            "ExpectedClientSignType" => "Ed448",
-            "ExpectedResult" => "Success"
-        },
-    },
 );
 
 my @tests_tls_1_1 = (
@@ -569,31 +598,34 @@ my @tests_tls_1_1 = (
     },
 );
 
-push @tests, @tests_tls_1_1 unless disabled("tls1_1");
+push @tests, @tests_non_fips unless $fips_mode;
 
-my $server_tls_1_3 = {
-    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
-    "MinProtocol" => "TLSv1.3",
-    "MaxProtocol" => "TLSv1.3"
-};
+#TODO(3.0): Re-enable these PSS tests in a $no_deflt_libctx build once we have
+#           support for it
+push @tests, @tests_pss unless $no_deflt_libctx;
+push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx;
 
-my $server_tls_1_3_pss = {
-    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
-    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
-    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-    "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
-    "MinProtocol" => "TLSv1.3",
-    "MaxProtocol" => "TLSv1.3"
-};
+my $server_tls_1_3;
+
+if ($fips_mode) {
+    $server_tls_1_3 = {
+        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+        "MinProtocol" => "TLSv1.3",
+        "MaxProtocol" => "TLSv1.3"
+    };
+} else {
+    $server_tls_1_3 = {
+        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+        "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+        "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+        "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+        "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+        "MinProtocol" => "TLSv1.3",
+        "MaxProtocol" => "TLSv1.3"
+    };
+}
 
 my $client_tls_1_3 = {
     "RSA.Certificate" => test_pem("ee-client-chain.pem"),
@@ -712,6 +744,57 @@ my @tests_tls_1_3 = (
             "ExpectedResult" => "Success"
         },
     },
+    {
+        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
+        server => {
+            "ClientSignatureAlgorithms" => "PSS+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => $client_tls_1_3,
+        test   => {
+            "ExpectedClientCertType" => "RSA",
+            "ExpectedClientSignHash" => "SHA256",
+            "ExpectedClientSignType" => "RSA-PSS",
+            "ExpectedClientCANames" => "empty",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+        server => {
+            "ClientSignatureAlgorithms" => "PSS+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "RequestCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => $client_tls_1_3,
+        test   => {
+            "ExpectedClientCertType" => "RSA",
+            "ExpectedClientSignHash" => "SHA256",
+            "ExpectedClientSignType" => "RSA-PSS",
+            "ExpectedClientCANames" => test_pem("root-cert.pem"),
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
+        server => {
+            "ClientSignatureAlgorithms" => "ECDSA+SHA256",
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => $client_tls_1_3,
+        test   => {
+            "ExpectedClientCertType" => "P-256",
+            "ExpectedClientSignHash" => "SHA256",
+            "ExpectedClientSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+);
+
+my @tests_tls_1_3_non_fips = (
     {
         name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
         server => $server_tls_1_3,
@@ -769,54 +852,6 @@ my @tests_tls_1_3 = (
             "ExpectedResult" => "Success"
         },
     },
-    {
-        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
-        server => {
-            "ClientSignatureAlgorithms" => "PSS+SHA256",
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => $client_tls_1_3,
-        test   => {
-            "ExpectedClientCertType" => "RSA",
-            "ExpectedClientSignHash" => "SHA256",
-            "ExpectedClientSignType" => "RSA-PSS",
-            "ExpectedClientCANames" => "empty",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
-        server => {
-            "ClientSignatureAlgorithms" => "PSS+SHA256",
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "RequestCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => $client_tls_1_3,
-        test   => {
-            "ExpectedClientCertType" => "RSA",
-            "ExpectedClientSignHash" => "SHA256",
-            "ExpectedClientSignType" => "RSA-PSS",
-            "ExpectedClientCANames" => test_pem("root-cert.pem"),
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
-        server => {
-            "ClientSignatureAlgorithms" => "ECDSA+SHA256",
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => $client_tls_1_3,
-        test   => {
-            "ExpectedClientCertType" => "P-256",
-            "ExpectedClientSignHash" => "SHA256",
-            "ExpectedClientSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
     {
         name => "TLS 1.3 Ed25519 Client Auth",
         server => {
@@ -873,6 +908,7 @@ my @tests_tls_1_3 = (
 );
 
 push @tests, @tests_tls_1_3 unless disabled("tls1_3");
+push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode;
 
 my @tests_dsa_tls_1_2 = (
     {
@@ -928,6 +964,7 @@ my @tests_dsa_tls_1_3 = (
 );
 
 if (!disabled("dsa")) {
-    push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+    #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
+    push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 }
diff --git a/test/ssl-tests/25-cipher.cnf.in b/test/ssl-tests/25-cipher.cnf.in
index c7bfc61c9e..6eb51faad7 100644
--- a/test/ssl-tests/25-cipher.cnf.in
+++ b/test/ssl-tests/25-cipher.cnf.in
@@ -15,6 +15,8 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
+our $fips_mode;
+
 our @tests = (
     {
         name => "cipher-server-1",
@@ -153,4 +155,5 @@ my @tests_poly1305 = (
     },
 );
 
-push @tests, @tests_poly1305 unless disabled("poly1305") || disabled("chacha");
+push @tests, @tests_poly1305
+    unless disabled("poly1305") || disabled("chacha") || $fips_mode;
diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in
index aba5007947..2bd92533a4 100644
--- a/test/ssl-tests/28-seclevel.cnf.in
+++ b/test/ssl-tests/28-seclevel.cnf.in
@@ -12,6 +12,8 @@
 package ssltests;
 use OpenSSL::Test::Utils;
 
+our $fips_mode;
+
 our @tests = (
     {
         name => "SECLEVEL 3 with default key",
@@ -79,5 +81,6 @@ our @tests_tls1_2 = (
     },
 );
 
-push @tests, @tests_ec unless disabled("ec");
-push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
+#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
+push @tests, @tests_ec unless disabled("ec") || $fips_mode;
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 6923e2120a..36d19db76f 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -21,55 +21,82 @@ use OpenSSL::Test::Utils qw/anydisabled alldisabled disabled/;
 setup("no_test_here");
 
 my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
+my @tls_protocols_fips = ("TLSv1.2", "TLSv1.3");
 # undef stands for "no limit".
 my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
+my @min_tls_protocols_fips = (undef, "TLSv1.2", "TLSv1.3");
 my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef);
+my @max_tls_protocols_fips = ("TLSv1.2", "TLSv1.3", undef);
 
 my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
+my @is_tls_disabled_fips = anydisabled("tls1_2", "tls1_3");
 
 my $min_tls_enabled; my $max_tls_enabled;
+my $min_tls_enabled_fips; my $max_tls_enabled_fips;
 
 # Protocol configuration works in cascades, i.e.,
 # $no_tls1_1 disables TLSv1.1 and below.
 #
 # $min_enabled and $max_enabled will be correct if there is at least one
 # protocol enabled.
-foreach my $i (0..$#tls_protocols) {
-    if (!$is_tls_disabled[$i]) {
-        $min_tls_enabled = $i;
-        last;
+
+sub min_prot_enabled {
+    my $protref = shift;
+    my $disabledref = shift;
+    my @protocols = @{$protref};
+    my @is_disabled = @{$disabledref};
+    my $min_enabled;
+
+    foreach my $i (0..$#protocols) {
+        if (!$is_disabled[$i]) {
+            $min_enabled = $i;
+            last;
+        }
     }
+    return $min_enabled;
 }
 
-foreach my $i (0..$#tls_protocols) {
-    if (!$is_tls_disabled[$i]) {
-        $max_tls_enabled = $i;
+sub max_prot_enabled {
+    my $protref = shift;
+    my $disabledref = shift;
+    my @protocols = @{$protref};
+    my @is_disabled = @{$disabledref};
+    my $max_enabled;
+
+    foreach my $i (0..$#protocols) {
+        if (!$is_disabled[$i]) {
+            $max_enabled = $i;
+        }
     }
+    return $max_enabled;
 }
 
+$min_tls_enabled = min_prot_enabled(\@tls_protocols, \@is_tls_disabled);
+$max_tls_enabled = max_prot_enabled(\@tls_protocols, \@is_tls_disabled);
+$min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
+$max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
+
+
 my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
+my @dtls_protocols_fips = ("DTLSv1.2");
 # undef stands for "no limit".
 my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
+my @min_dtls_protocols_fips = (undef, "DTLSv1.2");
 my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
+my @max_dtls_protocols_fips = ("DTLSv1.2", undef);
 
 my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
+my @is_dtls_disabled_fips = anydisabled("dtls1_2");
 
 my $min_dtls_enabled; my $max_dtls_enabled;
+my $min_dtls_enabled_fips; my $max_dtls_enabled_fips;
 
 # $min_enabled and $max_enabled will be correct if there is at least one
 # protocol enabled.
-foreach my $i (0..$#dtls_protocols) {
-    if (!$is_dtls_disabled[$i]) {
-        $min_dtls_enabled = $i;
-        last;
-    }
-}
-
-foreach my $i (0..$#dtls_protocols) {
-    if (!$is_dtls_disabled[$i]) {
-        $max_dtls_enabled = $i;
-    }
-}
+$min_dtls_enabled = min_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
+$max_dtls_enabled = max_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
+$min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
+$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
 
 sub no_tests {
     my ($dtls) = @_;
@@ -78,17 +105,31 @@ sub no_tests {
 }
 
 sub generate_version_tests {
-    my ($method) = @_;
+    my $method = shift;
+    my $fips = shift;
 
     my $dtls = $method eq "DTLS";
     # Don't write the redundant "Method = TLS" into the configuration.
     undef $method if !$dtls;
 
-    my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
-    my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
-    my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
-    my $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
-    my $max_enabled  = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+    my @protocols;
+    my @min_protocols;
+    my @max_protocols;
+    my $min_enabled;
+    my $max_enabled;
+    if ($fips) {
+        @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
+        @min_protocols = $dtls ? @min_dtls_protocols_fips : @min_tls_protocols_fips;
+        @max_protocols = $dtls ? @max_dtls_protocols_fips : @max_tls_protocols_fips;
+        $min_enabled  = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
+        $max_enabled  = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
+    } else {
+        @protocols = $dtls ? @dtls_protocols : @tls_protocols;
+        @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
+        @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
+        $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+        $max_enabled  = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+    }
 
     if (no_tests($dtls)) {
         return;
@@ -166,15 +207,26 @@ sub generate_version_tests {
 }
 
 sub generate_resumption_tests {
-    my ($method) = @_;
+    my $method = shift;
+    my $fips = shift;
 
     my $dtls = $method eq "DTLS";
     # Don't write the redundant "Method = TLS" into the configuration.
     undef $method if !$dtls;
 
-    my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
-    my $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
-    my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+    my @protocols;
+    my $min_enabled;
+    my $max_enabled;
+
+    if ($fips) {
+        @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
+        $min_enabled  = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
+        $max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
+    } else {
+        @protocols = $dtls ? @dtls_protocols : @tls_protocols;
+        $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+        $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+    }
 
     if (no_tests($dtls)) {
         return;
diff --git a/test/ssl-tests/ssltests_base.pm b/test/ssl-tests/ssltests_base.pm
index c6004fa7b2..98c9a839ad 100644
--- a/test/ssl-tests/ssltests_base.pm
+++ b/test/ssl-tests/ssltests_base.pm
@@ -17,6 +17,9 @@ sub test_pem
     return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file,
 }
 
+our $fips_mode = 0;
+our $no_deflt_libctx = 0;
+
 our %base_server = (
     "Certificate" => test_pem("servercert.pem"),
     "PrivateKey"  => test_pem("serverkey.pem"),
diff --git a/test/ssl_test.c b/test/ssl_test.c
index e6ce9a6741..d7fd9c273f 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -13,12 +13,15 @@
 #include <openssl/conf.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#include <openssl/provider.h>
 
 #include "handshake_helper.h"
 #include "ssl_test_ctx.h"
 #include "testutil.h"
 
 static CONF *conf = NULL;
+static OSSL_PROVIDER *defctxnull = NULL, *thisprov = NULL;
+static OPENSSL_CTX *libctx = NULL;
 
 /* Currently the section names are of the form test-<number>, e.g. test-15. */
 #define MAX_TESTCASE_NAME_LENGTH 100
@@ -405,22 +408,26 @@ static int test_handshake(int idx)
 
 #ifndef OPENSSL_NO_DTLS
     if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
-        server_ctx = SSL_CTX_new(DTLS_server_method());
+        server_ctx = SSL_CTX_new_with_libctx(libctx, NULL, DTLS_server_method());
         if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
             goto err;
         if (test_ctx->extra.server.servername_callback !=
             SSL_TEST_SERVERNAME_CB_NONE) {
-            if (!TEST_ptr(server2_ctx = SSL_CTX_new(DTLS_server_method())))
+            if (!TEST_ptr(server2_ctx =
+                            SSL_CTX_new_with_libctx(libctx, NULL,
+                                                    DTLS_server_method())))
                 goto err;
         }
-        client_ctx = SSL_CTX_new(DTLS_client_method());
+        client_ctx = SSL_CTX_new_with_libctx(libctx, NULL, DTLS_client_method());
         if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
             goto err;
         if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
-            resume_server_ctx = SSL_CTX_new(DTLS_server_method());
+            resume_server_ctx = SSL_CTX_new_with_libctx(libctx, NULL,
+                                                        DTLS_server_method());
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
                 goto err;
-            resume_client_ctx = SSL_CTX_new(DTLS_client_method());
+            resume_client_ctx = SSL_CTX_new_with_libctx(libctx, NULL,
+                                                        DTLS_client_method());
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
                 goto err;
             if (!TEST_ptr(resume_server_ctx)
@@ -430,26 +437,30 @@ static int test_handshake(int idx)
     }
 #endif
     if (test_ctx->method == SSL_TEST_METHOD_TLS) {
-        server_ctx = SSL_CTX_new(TLS_server_method());
+        server_ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_server_method());
         if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
             goto err;
         /* SNI on resumption isn't supported/tested yet. */
         if (test_ctx->extra.server.servername_callback !=
             SSL_TEST_SERVERNAME_CB_NONE) {
-            if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
+            if (!TEST_ptr(server2_ctx =
+                            SSL_CTX_new_with_libctx(libctx, NULL,
+                                                    TLS_server_method())))
                 goto err;
             if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0)))
                 goto err;
         }
-        client_ctx = SSL_CTX_new(TLS_client_method());
+        client_ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method());
         if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
             goto err;
 
         if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
-            resume_server_ctx = SSL_CTX_new(TLS_server_method());
+            resume_server_ctx = SSL_CTX_new_with_libctx(libctx, NULL,
+                                                        TLS_server_method());
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
                 goto err;
-            resume_client_ctx = SSL_CTX_new(TLS_client_method());
+            resume_client_ctx = SSL_CTX_new_with_libctx(libctx, NULL,
+                                                        TLS_client_method());
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
                 goto err;
             if (!TEST_ptr(resume_server_ctx)
@@ -500,11 +511,12 @@ err:
     return ret;
 }
 
-OPT_TEST_DECLARE_USAGE("conf_file\n")
+OPT_TEST_DECLARE_USAGE("conf_file modulename [fips_conf_file]\n")
 
 int setup_tests(void)
 {
     long num_tests;
+    const char *modulename;
 
     if (!test_skip_common_options()) {
         TEST_error("Error parsing test options\n");
@@ -518,6 +530,26 @@ int setup_tests(void)
                                                &num_tests), 0))
         return 0;
 
+    if (!TEST_ptr(modulename = test_get_argument(1)))
+        return 0;
+
+    if (strcmp(modulename, "none") != 0) {
+        const char *configfile = test_get_argument(2);
+
+        defctxnull = OSSL_PROVIDER_load(NULL, "null");
+        libctx = OPENSSL_CTX_new();
+        if (!TEST_ptr(libctx))
+            return 0;
+
+        if (configfile != NULL
+                && !TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
+            return 0;
+
+        thisprov = OSSL_PROVIDER_load(libctx, modulename);
+        if (!TEST_ptr(thisprov))
+            return 0;
+    }
+
     ADD_ALL_TESTS(test_handshake, (int)num_tests);
     return 1;
 }
@@ -525,4 +557,7 @@ int setup_tests(void)
 void cleanup_tests(void)
 {
     NCONF_free(conf);
+    OSSL_PROVIDER_unload(defctxnull);
+    OSSL_PROVIDER_unload(thisprov);
+    OPENSSL_CTX_free(libctx);
 }


More information about the openssl-commits mailing list