openssl/test/ssl-tests/20-cert-select.conf.in
Matt Caswell aafec89c63 Add a ciphersuite config sanity check for clients
Ensure that there are ciphersuites enabled for the maximum supported
version we are claiming in the ClientHello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3316)
2017-04-26 14:31:00 +01:00

425 lines
13 KiB
Perl

# -*- mode: perl; -*-
## SSL test configurations
use strict;
use warnings;
package ssltests;
use OpenSSL::Test::Utils;
my $server = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
our @tests = (
{
name => "ECDSA CipherString Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "P-256",
"ExpectedServerSignType" =>, "EC",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "RSA CipherString Selection",
server => $server,
client => {
"CipherString" => "aRSA",
"MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "RSA",
"ExpectedServerSignType" =>, "RSA-PSS",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA CipherString Selection, no ECDSA certificate",
server => {
"MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "ECDSA Signature Algorithm Selection",
server => $server,
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA Signature Algorithm Selection SHA384",
server => $server,
client => {
"SignatureAlgorithms" => "ECDSA+SHA384",
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA384",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA Signature Algorithm Selection SHA1",
server => $server,
client => {
"SignatureAlgorithms" => "ECDSA+SHA1",
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA1",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA Signature Algorithm Selection compressed point",
server => {
"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
"MaxProtocol" => "TLSv1.2"
},
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
server => {
"MaxProtocol" => "TLSv1.2"
},
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "RSA Signature Algorithm Selection",
server => $server,
client => {
"SignatureAlgorithms" => "RSA+SHA256",
},
test => {
"ExpectedServerCertType" => "RSA",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "RSA",
"ExpectedResult" => "Success"
},
},
{
name => "RSA-PSS Signature Algorithm Selection",
server => $server,
client => {
"SignatureAlgorithms" => "RSA-PSS+SHA256",
},
test => {
"ExpectedServerCertType" => "RSA",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "RSA-PSS",
"ExpectedResult" => "Success"
},
},
{
name => "Suite B P-256 Hash Algorithm Selection",
server => {
"ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
"ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
"MaxProtocol" => "TLSv1.2",
"CipherString" => "SUITEB128"
},
client => {
"VerifyCAFile" => test_pem("p384-root.pem"),
"SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "Suite B P-384 Hash Algorithm Selection",
server => {
"ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
"ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
"MaxProtocol" => "TLSv1.2",
"CipherString" => "SUITEB128"
},
client => {
"VerifyCAFile" => test_pem("p384-root.pem"),
"SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
},
test => {
"ExpectedServerCertType" => "P-384",
"ExpectedServerSignHash" => "SHA384",
"ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
}
);
my $server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
my $client_tls_1_3 = {
"RSA.Certificate" => test_pem("ee-client-chain.pem"),
"RSA.PrivateKey" => test_pem("ee-key.pem"),
"ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
"ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
my @tests_tls_1_3 = (
{
name => "TLS 1.3 ECDSA Signature Algorithm Selection",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
"ExpectedServerCANames" => "empty",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
server => {
"ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
},
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "ECDSA+SHA1",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
"RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" => "P-256",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "EC",
"ExpectedServerCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
},
test => {
"ExpectedServerCertType" => "RSA",
"ExpectedServerSignHash" => "SHA384",
"ExpectedServerSignType" => "RSA-PSS",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
server => {
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
},
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "RSA+SHA256",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
{
name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
server => $server_tls_1_3,
client => {
"SignatureAlgorithms" => "RSA-PSS+SHA256",
},
test => {
"ExpectedServerCertType" => "RSA",
"ExpectedServerSignHash" => "SHA256",
"ExpectedServerSignType" => "RSA-PSS",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => "empty",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"RequestCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "P-256",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms",
server => {
"ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Request"
},
client => {},
test => {
"ExpectedResult" => "ServerFail"
},
},
);
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
my @tests_dsa_tls_1_2 = (
{
name => "TLS 1.2 DSA Certificate Test",
server => {
"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
"DHParameters" => test_pem("dhp2048.pem"),
"MinProtocol" => "TLSv1.2",
"MaxProtocol" => "TLSv1.2",
"CipherString" => "ALL",
},
client => {
"SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
"CipherString" => "ALL",
},
test => {
"ExpectedResult" => "Success"
},
},
);
my @tests_dsa_tls_1_3 = (
{
name => "TLS 1.3 DSA Certificate Test",
server => {
"DSA.Certificate" => test_pem("server-dsa-cert.pem"),
"DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3",
"CipherString" => "ALL",
},
client => {
"SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256",
"CipherString" => "ALL",
},
test => {
"ExpectedResult" => "ServerFail"
},
},
);
if (!disabled("dsa")) {
push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
}