test_ssl_new: X448, X25519, and EdDSA are supported with fips

Removed the related TODOs. Also adjusted the DH parameters used for the DH test to be acceptable for FIPS as that now allows only known safe prime parameters. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14367)
2025-04-06 20:20:50 +08:00 · 2021-02-26 14:42:57 +01:00 · 2021-02-26 14:42:57 +01:00 · 5e2f580d4a
commit 5e2f580d4a
parent 21b7dfa8ad
4 changed files with 185 additions and 199 deletions
--- a/test/certs/dhp2048.pem
+++ b/test/certs/dhp2048.pem
@ -1,8 +1,8 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAoI0V5HKAcsG4LlAnVJhYnnl2ErOcdvz7WN4n+LoSkZVkfPcPExAF
-uXnT6v16rYfxCgZDPB/tSYaRhOxpJgaAHGA9PrfwprM4xQm9HLIWtidyIGtkgynQ
-rrtxaCculbPOMxc1od7V0jw8/Sj4pdKjijmdvY3VsvuQPu6Lo7qV94u3pYN+WSP9
-ESPcY0lvIV0s0eYxzU5LOU7FZRv6gpe658yxnpaQf13M3sFBqcQEnw+vIjNyaBBK
-Nm4jVFeKCN3aIz+yJL8y14HEnV/tnhtIrr33MAJvsG1qFBY7iFvbvlx/gKDW7qyk
-V0/iN2uElrJZIGxD2uPMZNXO+dci+EriMwIBAg==
+MIIBDAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAgICB/8=
 -----END DH PARAMETERS-----
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
@ -17,14 +17,14 @@ test-11 = 11-RSA-PSS Signature Algorithm Selection
 test-12 = 12-RSA key exchange with all RSA certificate types
 test-13 = 13-Suite B P-256 Hash Algorithm Selection
 test-14 = 14-Suite B P-384 Hash Algorithm Selection
-test-15 = 15-ECDSA Signature Algorithm Selection SHA1
-test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
-test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
-test-18 = 18-ECDSA with brainpool
-test-19 = 19-Ed25519 CipherString and Curves Selection
-test-20 = 20-Ed448 CipherString and Curves Selection
-test-21 = 21-TLS 1.2 Ed25519 Client Auth
-test-22 = 22-TLS 1.2 Ed448 Client Auth
+test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection
+test-16 = 16-Ed448 CipherString and Signature Algorithm Selection
+test-17 = 17-Ed25519 CipherString and Curves Selection
+test-18 = 18-Ed448 CipherString and Curves Selection
+test-19 = 19-TLS 1.2 Ed25519 Client Auth
+test-20 = 20-TLS 1.2 Ed448 Client Auth
+test-21 = 21-ECDSA Signature Algorithm Selection SHA1
+test-22 = 22-ECDSA with brainpool
 test-23 = 23-RSA-PSS Certificate CipherString Selection
 test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection
 test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection
@ -529,48 +529,14 @@ ExpectedServerSignType = EC

 # ===========================================================

-[15-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl
+[15-Ed25519 CipherString and Signature Algorithm Selection]
+ssl_conf = 15-Ed25519 CipherString and Signature Algorithm Selection-ssl

-[15-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 15-ECDSA Signature Algorithm Selection SHA1-server
-client = 15-ECDSA Signature Algorithm Selection SHA1-client
+[15-Ed25519 CipherString and Signature Algorithm Selection-ssl]
+server = 15-Ed25519 CipherString and Signature Algorithm Selection-server
+client = 15-Ed25519 CipherString and Signature Algorithm Selection-client

-[15-ECDSA Signature Algorithm Selection SHA1-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT:@SECLEVEL=0
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[15-ECDSA Signature Algorithm Selection SHA1-client]
-CipherString = DEFAULT:@SECLEVEL=0
-SignatureAlgorithms = ECDSA+SHA1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-15]
-ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA1
-ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[16-Ed25519 CipherString and Signature Algorithm Selection]
-ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl
-
-[16-Ed25519 CipherString and Signature Algorithm Selection-ssl]
-server = 16-Ed25519 CipherString and Signature Algorithm Selection-server
-client = 16-Ed25519 CipherString and Signature Algorithm Selection-client
-
-[16-Ed25519 CipherString and Signature Algorithm Selection-server]
+[15-Ed25519 CipherString and Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -582,7 +548,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[16-Ed25519 CipherString and Signature Algorithm Selection-client]
+[15-Ed25519 CipherString and Signature Algorithm Selection-client]
 CipherString = aECDSA
 MaxProtocol = TLSv1.2
 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
@ -590,7 +556,7 @@ SignatureAlgorithms = ed25519:ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-16]
+[test-15]
 ExpectedResult = Success
 ExpectedServerCANames = empty
 ExpectedServerCertType = Ed25519
@ -599,14 +565,14 @@ ExpectedServerSignType = Ed25519

 # ===========================================================

-[17-Ed448 CipherString and Signature Algorithm Selection]
-ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl
+[16-Ed448 CipherString and Signature Algorithm Selection]
+ssl_conf = 16-Ed448 CipherString and Signature Algorithm Selection-ssl

-[17-Ed448 CipherString and Signature Algorithm Selection-ssl]
-server = 17-Ed448 CipherString and Signature Algorithm Selection-server
-client = 17-Ed448 CipherString and Signature Algorithm Selection-client
+[16-Ed448 CipherString and Signature Algorithm Selection-ssl]
+server = 16-Ed448 CipherString and Signature Algorithm Selection-server
+client = 16-Ed448 CipherString and Signature Algorithm Selection-client

-[17-Ed448 CipherString and Signature Algorithm Selection-server]
+[16-Ed448 CipherString and Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -618,7 +584,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[17-Ed448 CipherString and Signature Algorithm Selection-client]
+[16-Ed448 CipherString and Signature Algorithm Selection-client]
 CipherString = aECDSA
 MaxProtocol = TLSv1.2
 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
@ -626,7 +592,7 @@ SignatureAlgorithms = ed448:ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer

-[test-17]
+[test-16]
 ExpectedResult = Success
 ExpectedServerCANames = empty
 ExpectedServerCertType = Ed448
@ -635,43 +601,14 @@ ExpectedServerSignType = Ed448

 # ===========================================================

-[18-ECDSA with brainpool]
-ssl_conf = 18-ECDSA with brainpool-ssl
+[17-Ed25519 CipherString and Curves Selection]
+ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl

-[18-ECDSA with brainpool-ssl]
-server = 18-ECDSA with brainpool-server
-client = 18-ECDSA with brainpool-client
+[17-Ed25519 CipherString and Curves Selection-ssl]
+server = 17-Ed25519 CipherString and Curves Selection-server
+client = 17-Ed25519 CipherString and Curves Selection-client

-[18-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-
-[18-ECDSA with brainpool-client]
-CipherString = aECDSA
-Groups = brainpoolP256r1
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-18]
-ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[19-Ed25519 CipherString and Curves Selection]
-ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl
-
-[19-Ed25519 CipherString and Curves Selection-ssl]
-server = 19-Ed25519 CipherString and Curves Selection-server
-client = 19-Ed25519 CipherString and Curves Selection-client
-
-[19-Ed25519 CipherString and Curves Selection-server]
+[17-Ed25519 CipherString and Curves Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -683,7 +620,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[19-Ed25519 CipherString and Curves Selection-client]
+[17-Ed25519 CipherString and Curves Selection-client]
 CipherString = aECDSA
 Curves = X25519
 MaxProtocol = TLSv1.2
@ -691,7 +628,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-19]
+[test-17]
 ExpectedResult = Success
 ExpectedServerCertType = Ed25519
 ExpectedServerSignType = Ed25519
@ -699,14 +636,14 @@ ExpectedServerSignType = Ed25519

 # ===========================================================

-[20-Ed448 CipherString and Curves Selection]
-ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl
+[18-Ed448 CipherString and Curves Selection]
+ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl

-[20-Ed448 CipherString and Curves Selection-ssl]
-server = 20-Ed448 CipherString and Curves Selection-server
-client = 20-Ed448 CipherString and Curves Selection-client
+[18-Ed448 CipherString and Curves Selection-ssl]
+server = 18-Ed448 CipherString and Curves Selection-server
+client = 18-Ed448 CipherString and Curves Selection-client

-[20-Ed448 CipherString and Curves Selection-server]
+[18-Ed448 CipherString and Curves Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -718,7 +655,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[20-Ed448 CipherString and Curves Selection-client]
+[18-Ed448 CipherString and Curves Selection-client]
 CipherString = aECDSA
 Curves = X448
 MaxProtocol = TLSv1.2
@ -726,7 +663,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer

-[test-20]
+[test-18]
 ExpectedResult = Success
 ExpectedServerCertType = Ed448
 ExpectedServerSignType = Ed448
@ -734,21 +671,21 @@ ExpectedServerSignType = Ed448

 # ===========================================================

-[21-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl
+[19-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl

-[21-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 21-TLS 1.2 Ed25519 Client Auth-server
-client = 21-TLS 1.2 Ed25519 Client Auth-client
+[19-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 19-TLS 1.2 Ed25519 Client Auth-server
+client = 19-TLS 1.2 Ed25519 Client Auth-client

-[21-TLS 1.2 Ed25519 Client Auth-server]
+[19-TLS 1.2 Ed25519 Client Auth-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require

-[21-TLS 1.2 Ed25519 Client Auth-client]
+[19-TLS 1.2 Ed25519 Client Auth-client]
 CipherString = DEFAULT
 Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
 Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
@ -757,7 +694,7 @@ MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-21]
+[test-19]
 ExpectedClientCertType = Ed25519
 ExpectedClientSignType = Ed25519
 ExpectedResult = Success
@ -765,21 +702,21 @@ ExpectedResult = Success

 # ===========================================================

-[22-TLS 1.2 Ed448 Client Auth]
-ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl
+[20-TLS 1.2 Ed448 Client Auth]
+ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl

-[22-TLS 1.2 Ed448 Client Auth-ssl]
-server = 22-TLS 1.2 Ed448 Client Auth-server
-client = 22-TLS 1.2 Ed448 Client Auth-client
+[20-TLS 1.2 Ed448 Client Auth-ssl]
+server = 20-TLS 1.2 Ed448 Client Auth-server
+client = 20-TLS 1.2 Ed448 Client Auth-client

-[22-TLS 1.2 Ed448 Client Auth-server]
+[20-TLS 1.2 Ed448 Client Auth-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require

-[22-TLS 1.2 Ed448 Client Auth-client]
+[20-TLS 1.2 Ed448 Client Auth-client]
 CipherString = DEFAULT
 Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
 Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
@ -788,12 +725,75 @@ MinProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-22]
+[test-20]
 ExpectedClientCertType = Ed448
 ExpectedClientSignType = Ed448
 ExpectedResult = Success


+# ===========================================================
+
+[21-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl
+
+[21-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 21-ECDSA Signature Algorithm Selection SHA1-server
+client = 21-ECDSA Signature Algorithm Selection SHA1-client
+
+[21-ECDSA Signature Algorithm Selection SHA1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[21-ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT:@SECLEVEL=0
+SignatureAlgorithms = ECDSA+SHA1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-21]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA1
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[22-ECDSA with brainpool]
+ssl_conf = 22-ECDSA with brainpool-ssl
+
+[22-ECDSA with brainpool-ssl]
+server = 22-ECDSA with brainpool-server
+client = 22-ECDSA with brainpool-client
+
+[22-ECDSA with brainpool-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+CipherString = DEFAULT
+Groups = brainpoolP256r1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+
+[22-ECDSA with brainpool-client]
+CipherString = aECDSA
+Groups = brainpoolP256r1
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedResult = Success
+ExpectedServerCANames = empty
+ExpectedServerCertType = brainpoolP256r1
+ExpectedServerSignType = EC
+
+
 # ===========================================================

 [23-RSA-PSS Certificate CipherString Selection]
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@ -12,26 +12,15 @@ use OpenSSL::Test::Utils;
 our $fips_mode;
 our $no_deflt_libctx;

-my $server;
-
-if ($fips_mode) {
-    #TODO(3.0): No EdDSA support in FIPS mode at the moment
-    $server = {
-        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-        "MaxProtocol" => "TLSv1.2"
-    };
-} else {
-    $server = {
-        "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-        "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-        "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-        "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-        "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-        "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
-        "MaxProtocol" => "TLSv1.2"
-    };
-}
+my $server = {
+    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+    "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+    "MaxProtocol" => "TLSv1.2"
+};

 my $server_pss = {
    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
@ -304,33 +293,6 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
-);
-
-my @tests_non_fips = (
-    {
-        name => "ECDSA Signature Algorithm Selection SHA1",
-        server => {
-            "CipherString" => "DEFAULT:\@SECLEVEL=0",
-            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-            "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-            "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-            "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-            "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
-            "MaxProtocol" => "TLSv1.2"
-        },
-        client => {
-            "CipherString" => "DEFAULT:\@SECLEVEL=0",
-            "SignatureAlgorithms" => "ECDSA+SHA1",
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA1",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
-    # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
    {
        name => "Ed25519 CipherString and Signature Algorithm Selection",
        server => $server,
@ -366,28 +328,6 @@ my @tests_non_fips = (
            "ExpectedResult" => "Success"
        },
    },
-    {
-        name => "ECDSA with brainpool",
-        server =>  {
-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
-            "Groups" => "brainpoolP256r1",
-        },
-        client => {
-            #We don't restrict this to TLSv1.2, although use of brainpool
-            #should force this anyway so that this should succeed
-            "CipherString" => "aECDSA",
-            "RequestCAFile" => test_pem("root-cert.pem"),
-            "Groups" => "brainpoolP256r1",
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "brainpoolP256r1",
-            "ExpectedServerSignType" =>, "EC",
-            # Note: certificate_authorities not sent for TLS < 1.3
-            "ExpectedServerCANames" =>, "empty",
-            "ExpectedResult" => "Success"
-        },
-    },
    {
        name => "Ed25519 CipherString and Curves Selection",
        server => $server,
@ -461,6 +401,54 @@ my @tests_non_fips = (
    },
 );

+my @tests_non_fips = (
+    {
+        name => "ECDSA Signature Algorithm Selection SHA1",
+        server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+            "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+            "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+            "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+            "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+            "MaxProtocol" => "TLSv1.2"
+        },
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+            "SignatureAlgorithms" => "ECDSA+SHA1",
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA1",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "ECDSA with brainpool",
+        server =>  {
+            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+            "Groups" => "brainpoolP256r1",
+        },
+        client => {
+            #We don't restrict this to TLSv1.2, although use of brainpool
+            #should force this anyway so that this should succeed
+            "CipherString" => "aECDSA",
+            "RequestCAFile" => test_pem("root-cert.pem"),
+            "Groups" => "brainpoolP256r1",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "brainpoolP256r1",
+            "ExpectedServerSignType" =>, "EC",
+            # Note: certificate_authorities not sent for TLS < 1.3
+            "ExpectedServerCANames" =>, "empty",
+            "ExpectedResult" => "Success"
+        },
+    },
+);
+
 my @tests_pss = (
    {
        name => "RSA-PSS Certificate CipherString Selection",
@ -980,7 +968,6 @@ my @tests_dsa_tls_1_3 = (
 );

 if (!disabled("dsa")) {
-    #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
-    push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
+    push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
    push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 }
--- a/test/ssl-tests/28-seclevel.cnf.in
+++ b/test/ssl-tests/28-seclevel.cnf.in
@ -81,6 +81,5 @@ our @tests_tls1_2 = (
    },
 );

-#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
-push @tests, @tests_ec unless disabled("ec") || $fips_mode;
-push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");