static void test_cipher_nego(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* server key is EC:secp384r1 - ECDHE-ECDSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1,
"ciphers=AESGCM",
"host=server1.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER2, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=AESGCM",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
/* server key is RSA - DHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
"dheparams=auto",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EDH+AESGCM",
"host=server2.com",
NULL), "OK");
str_check(run_case(client, server), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EECDH+AES",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
end:;
}
static void test_clientcert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* ok: server checks client cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* fail: server rejects invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_any3(run_case(client, server),
"C:tlsv1 alert unknown ca - S:no certificate returned",
"C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed",
"C:tlsv1 alert unknown ca - S:certificate verify failed");
/* noverifycert: server allow invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"noverifycert=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* verify-client: don't allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_any2(run_case(client, server),
"C:sslv3 alert handshake failure - S:peer did not return a certificate",
"C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
/* verify-client-optional: allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client-optional=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
