/*
 * Cipher negotiation: a server started with "show=ciphers" reports the
 * negotiated protocol/cipher string, and that string must reflect the key
 * exchange permitted by the server's key type and the client's cipher list.
 * Where several expected strings are listed they differ only in the ECDH
 * curve suffix, which is not fixed by this test.  All expectations are
 * TLSv1.2 results.
 */
static void test_cipher_nego(void *z)
{
	struct Worker *srv = NULL;
	struct Worker *cli = NULL;

	tt_assert(tls_init() == 0);

	/* SERVER1 has an EC (secp384r1) key; an AES-GCM client lands on ECDHE-ECDSA */
	str_check(create_worker(&srv, true, "show=ciphers", SERVER1, NULL), "OK");
	str_check(create_worker(&cli, false, CA1, "ciphers=AESGCM", "host=server1.com", NULL), "OK");
	str_any3(run_case(cli, srv),
		 "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1",
		 "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519",
		 "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384");

	/* SERVER2 has an RSA key; the same client cipher list gives ECDHE-RSA */
	str_check(create_worker(&srv, true, "show=ciphers", SERVER2, NULL), "OK");
	str_check(create_worker(&cli, false, CA2, "ciphers=AESGCM", "host=server2.com", NULL), "OK");
	str_any3(run_case(cli, srv),
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");

	/*
	 * RSA key plus "dheparams=auto" on the server and an EDH-only client
	 * list: the handshake must pick finite-field DHE with a 2048-bit group.
	 */
	str_check(create_worker(&srv, true, SERVER2, "show=ciphers", "dheparams=auto", NULL), "OK");
	str_check(create_worker(&cli, false, CA2, "ciphers=EDH+AESGCM", "host=server2.com", NULL), "OK");
	str_check(run_case(cli, srv), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048");

	/* RSA key, client restricted to EECDH+AES: back to ECDHE-RSA */
	str_check(create_worker(&srv, true, SERVER2, "show=ciphers", NULL), "OK");
	str_check(create_worker(&cli, false, CA2, "ciphers=EECDH+AES", "host=server2.com", NULL), "OK");
	str_any3(run_case(cli, srv),
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
		 "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");

end:;	/* jump target for the tt_assert/str_check failure path */
}
/*
 * Client certificate handling on the server side.  Each case pairs a server
 * configured with one CA and a verification mode against a client that
 * either presents CLIENT2 or presents no certificate at all, and checks the
 * handshake outcome reported by run_case().  Alternative failure strings are
 * accepted where the alert/shutdown wording is not fixed.
 */
static void test_clientcert(void *z)
{
	struct Worker *srv = NULL;
	struct Worker *cli = NULL;

	tt_assert(tls_init() == 0);

	/* accept: server trusts CA2 and CLIENT2 chains to it */
	str_check(create_worker(&srv, true, SERVER1, CA2, "verify-client=1", NULL), "OK");
	str_check(create_worker(&cli, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
	str_check(run_case(cli, srv), "OK");

	/* reject: server trusts only CA1, so CLIENT2 is an unknown-CA certificate */
	str_check(create_worker(&srv, true, SERVER1, CA1, "verify-client=1", NULL), "OK");
	str_check(create_worker(&cli, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
	str_any3(run_case(cli, srv),
		 "C:tlsv1 alert unknown ca - S:no certificate returned",
		 "C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed",
		 "C:tlsv1 alert unknown ca - S:certificate verify failed");

	/*
	 * "noverifycert=1" switches off certificate validation on the server:
	 * the same CLIENT2 certificate that was just rejected as unknown-CA is
	 * now accepted.  This pins the option's (deliberately insecure)
	 * behaviour; it is not a configuration to copy into real deployments.
	 */
	str_check(create_worker(&srv, true, SERVER1, CA1, "noverifycert=1", NULL), "OK");
	str_check(create_worker(&cli, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
	str_check(run_case(cli, srv), "OK");

	/* "verify-client=1" is mandatory: a client with no certificate must fail */
	str_check(create_worker(&srv, true, SERVER1, CA2, "verify-client=1", NULL), "OK");
	str_check(create_worker(&cli, false, CA1, "host=server1.com", NULL), "OK");
	str_any2(run_case(cli, srv),
		 "C:sslv3 alert handshake failure - S:peer did not return a certificate",
		 "C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");

	/* "verify-client-optional=1": a client with no certificate is still admitted */
	str_check(create_worker(&srv, true, SERVER1, CA2, "verify-client-optional=1", NULL), "OK");
	str_check(create_worker(&cli, false, CA1, "host=server1.com", NULL), "OK");
	str_check(run_case(cli, srv), "OK");

end:;	/* jump target for the tt_assert/str_check failure path */
}