Commit | Line | Data |
---|---|---|
0bfe166b | 1 | #! /usr/bin/env perl |
33388b44 | 2 | # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. |
0bfe166b | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
0bfe166b MC |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
f50306c2 | 10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; |
0bfe166b MC |
11 | use OpenSSL::Test::Utils; |
12 | use File::Temp qw(tempfile); | |
13 | use TLSProxy::Proxy; | |
1e566129 | 14 | use checkhandshake qw(checkhandshake @handmessages @extensions); |
f50306c2 | 15 | |
1e566129 MC |
16 | my $test_name = "test_sslmessages"; |
17 | setup($test_name); | |
f50306c2 | 18 | |
0bfe166b | 19 | plan skip_all => "TLSProxy isn't usable on $^O" |
c5856878 | 20 | if $^O =~ /^(VMS)$/; |
0bfe166b MC |
21 | |
22 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
23 | if disabled("engine") || disabled("dynamic-engine"); | |
24 | ||
25 | plan skip_all => "$test_name needs the sock feature enabled" | |
26 | if disabled("sock"); | |
27 | ||
#Skipped when no TLS protocol version is available, and also when TLSv1.3 is
#enabled but TLSv1.2 is not: every client in this file is started with -no_tls1_3.
28 | plan skip_all => "$test_name needs TLS enabled" | |
c423ecaa MC |
29 | if alldisabled(available_protocols("tls")) |
30 | || (!disabled("tls1_3") && disabled("tls1_2")); | |
0bfe166b MC |
31 | |
#OPENSSL_ia32cap: the leading '~' clears the listed capability bits; this mask
#has bits 33 and 57 set (PCLMULQDQ and AES-NI in the OPENSSL_ia32cap
#documentation), so those accelerated code paths are switched off in processes
#that inherit this environment.
#NOTE(review): the reason is not stated here - presumably the ciphers supplied
#by the test engine must be used instead; confirm against TLSProxy.
#CTLOG_FILE points at the CT log list kept in the source tree.
32 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; | |
433deaff | 33 | $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf"); |
6ca94f10 | 34 | |
#Proxy arguments as passed: undef, the openssl command string, the server.pem
#from apps/, and a flag that is true when not running under the harness or
#when HARNESS_VERBOSE is set (presumably filter, command, certificate and
#debug output - confirm against TLSProxy::Proxy->new).
0bfe166b MC |
35 | my $proxy = TLSProxy::Proxy->new( |
36 | undef, | |
37 | cmdstr(app(["openssl"]), display => 1), | |
38 | srctop_file("apps", "server.pem"), | |
39 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
40 | ); | |
41 | ||
#Each entry is [handshake message type, mask of checkhandshake::*_HANDSHAKE
#kinds]; the list is terminated by [0, 0]. Presumably checkhandshake() expects
#a message only in handshakes whose kind is in its mask - confirm in
#checkhandshake.pm.
f50306c2 MC |
42 | @handmessages = (
43 | [TLSProxy::Message::MT_CLIENT_HELLO, | |
1e566129 | 44 | checkhandshake::ALL_HANDSHAKES],
f50306c2 | 45 | [TLSProxy::Message::MT_SERVER_HELLO,
1e566129 | 46 | checkhandshake::ALL_HANDSHAKES],
f50306c2 | 47 | [TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC |
48 | checkhandshake::ALL_HANDSHAKES
49 | & ~checkhandshake::RESUME_HANDSHAKE], | |
397f4f78 MC |
50 | (disabled("ec") ? () :
51 | [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE, | |
52 | checkhandshake::EC_HANDSHAKE]), | |
f50306c2 | 53 | [TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129 | 54 | checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC |
55 | #ServerKeyExchange handshakes not currently supported by TLSProxy (NOTE(review): an EC ServerKeyExchange entry is listed just above, so this may now apply only to the non-EC case - confirm)
56 | [TLSProxy::Message::MT_CERTIFICATE_REQUEST, | |
1e566129 | 57 | checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2 | 58 | [TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC |
59 | checkhandshake::ALL_HANDSHAKES
60 | & ~checkhandshake::RESUME_HANDSHAKE], | |
f50306c2 | 61 | [TLSProxy::Message::MT_CERTIFICATE,
1e566129 | 62 | checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2 | 63 | [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC |
64 | checkhandshake::ALL_HANDSHAKES
65 | & ~checkhandshake::RESUME_HANDSHAKE], | |
f50306c2 | 66 | [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129 | 67 | checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034 | 68 | [TLSProxy::Message::MT_NEXT_PROTO,
1e566129 | 69 | checkhandshake::NPN_HANDSHAKE],
f50306c2 | 70 | [TLSProxy::Message::MT_FINISHED,
1e566129 | 71 | checkhandshake::ALL_HANDSHAKES],
f50306c2 | 72 | [TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC |
73 | checkhandshake::ALL_HANDSHAKES
74 | & ~checkhandshake::RESUME_HANDSHAKE], | |
f50306c2 | 75 | [TLSProxy::Message::MT_FINISHED,
1e566129 | 76 | checkhandshake::ALL_HANDSHAKES],
f50306c2 | 77 | [TLSProxy::Message::MT_CLIENT_HELLO,
1e566129 | 78 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 79 | [TLSProxy::Message::MT_SERVER_HELLO,
1e566129 | 80 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 81 | [TLSProxy::Message::MT_CERTIFICATE,
1e566129 | 82 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 83 | [TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 | 84 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 85 | [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 | 86 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 87 | [TLSProxy::Message::MT_FINISHED,
1e566129 | 88 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 89 | [TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 | 90 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 | 91 | [TLSProxy::Message::MT_FINISHED,
1e566129 | 92 | checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC |
93 | [0, 0]
94 | ); | |
95 | ||
#Each entry is [handshake message type, extension type, CLIENT or SERVER
#constant, checkhandshake extension flag]; the list is terminated by
#[0,0,0,0]. Entries for EC and for signature algorithms are left out when
#"ec" or "tls1_2" is disabled. Presumably an extension is expected only when
#its flag is in the mask passed to checkhandshake() - confirm in
#checkhandshake.pm.
96 | @extensions = ( | |
97 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, | |
dc5bcb88 | 98 | TLSProxy::Message::CLIENT,
1e566129 | 99 | checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2 | 100 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88 | 101 | TLSProxy::Message::CLIENT,
1e566129 | 102 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC |
103 | (disabled("ec") ? () :
104 | [TLSProxy::Message::MT_CLIENT_HELLO, | |
105 | TLSProxy::Message::EXT_SUPPORTED_GROUPS, | |
dc5bcb88 | 106 | TLSProxy::Message::CLIENT,
397f4f78 MC |
107 | checkhandshake::DEFAULT_EXTENSIONS]),
108 | (disabled("ec") ? () : | |
109 | [TLSProxy::Message::MT_CLIENT_HELLO, | |
110 | TLSProxy::Message::EXT_EC_POINT_FORMATS, | |
dc5bcb88 | 111 | TLSProxy::Message::CLIENT,
397f4f78 | 112 | checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL |
113 | (disabled("tls1_2") ? () :
114 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, | |
dc5bcb88 | 115 | TLSProxy::Message::CLIENT,
f6e752c0 | 116 | checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2 | 117 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88 | 118 | TLSProxy::Message::CLIENT,
1e566129 | 119 | checkhandshake::ALPN_CLI_EXTENSION],
f50306c2 | 120 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88 | 121 | TLSProxy::Message::CLIENT,
1e566129 | 122 | checkhandshake::SCT_CLI_EXTENSION],
f50306c2 | 123 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88 | 124 | TLSProxy::Message::CLIENT,
1e566129 | 125 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 126 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88 | 127 | TLSProxy::Message::CLIENT,
1e566129 | 128 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 129 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88 | 130 | TLSProxy::Message::CLIENT,
1e566129 | 131 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 132 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
dc5bcb88 | 133 | TLSProxy::Message::CLIENT,
1e566129 | 134 | checkhandshake::RENEGOTIATE_CLI_EXTENSION],
60ea0034 | 135 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88 | 136 | TLSProxy::Message::CLIENT,
1e566129 | 137 | checkhandshake::NPN_CLI_EXTENSION],
60ea0034 | 138 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
dc5bcb88 | 139 | TLSProxy::Message::CLIENT,
1e566129 | 140 | checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC |
141 |
142 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, | |
dc5bcb88 | 143 | TLSProxy::Message::SERVER,
1e566129 | 144 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 145 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88 | 146 | TLSProxy::Message::SERVER,
1e566129 | 147 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 148 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88 | 149 | TLSProxy::Message::SERVER,
1e566129 | 150 | checkhandshake::DEFAULT_EXTENSIONS],
f50306c2 | 151 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88 | 152 | TLSProxy::Message::SERVER,
1e566129 | 153 | checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2 | 154 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88 | 155 | TLSProxy::Message::SERVER,
1e566129 | 156 | checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2 | 157 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88 | 158 | TLSProxy::Message::SERVER,
1e566129 | 159 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2 | 160 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88 | 161 | TLSProxy::Message::SERVER,
1e566129 | 162 | checkhandshake::ALPN_SRV_EXTENSION],
60ea0034 | 163 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88 | 164 | TLSProxy::Message::SERVER,
1e566129 | 165 | checkhandshake::SCT_SRV_EXTENSION],
60ea0034 | 166 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88 | 167 | TLSProxy::Message::SERVER,
1e566129 | 168 | checkhandshake::NPN_SRV_EXTENSION],
397f4f78 | 169 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88 | 170 | TLSProxy::Message::SERVER,
397f4f78 | 171 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
dc5bcb88 | 172 | [0,0,0,0]
f50306c2 | 173 | );
0bfe166b MC |
174 | |
175 | #Test 1: Check we get all the right messages for a default handshake. The client saves its session with -sess_out to a tempfile() path so that Test 2 can resume it | |
176 | (undef, my $session) = tempfile(); | |
177 | $proxy->serverconnects(2); | |
178 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); | |
179 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | |
397f4f78 | 180 | plan tests => 21; |
1e566129 MC |
181 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
182 | checkhandshake::DEFAULT_EXTENSIONS, | |
f50306c2 | 183 | "Default handshake test"); |
0bfe166b MC |
184 | |
185 | #Test 2: Resumption handshake, reusing the session from Test 1 via -sess_in; no new session ticket extension is expected from the server. NOTE(review): the session file is removed only by the unlink below, so it is left behind if the script exits earlier (e.g. the skip_all when the proxy cannot start) | |
186 | $proxy->clearClient(); | |
187 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); | |
188 | $proxy->clientstart(); | |
1e566129 MC |
189 | checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, |
190 | checkhandshake::DEFAULT_EXTENSIONS | |
b510b740 | 191 | & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION, |
f50306c2 | 192 | "Resumption handshake test"); |
0bfe166b MC |
193 | unlink $session; |
194 | ||
aec23ece RL |
195 | SKIP: { |
196 | skip "No OCSP support in this OpenSSL build", 3 | |
197 | if disabled("ocsp"); | |
60ea0034 | 198 | |
aec23ece RL |
199 | #Test 3: A status_request handshake (client request only): the server is given no OCSP response, so only the client's status_request extension is added to the expected set
200 | $proxy->clear(); | |
201 | $proxy->clientflags("-no_tls1_3 -status"); | |
202 | $proxy->start(); | |
203 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
204 | checkhandshake::DEFAULT_EXTENSIONS | |
205 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION, | |
206 | "status_request handshake test (client)"); | |
60ea0034 | 207 | |
aec23ece RL |
208 | #Test 4: A status_request handshake (server support only): the client does not pass -status, so the server's -status_file must leave the default handshake and extensions unchanged
209 | $proxy->clear(); | |
210 | $proxy->clientflags("-no_tls1_3"); | |
211 | $proxy->serverflags("-status_file " | |
212 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
213 | $proxy->start(); | |
214 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
215 | checkhandshake::DEFAULT_EXTENSIONS, | |
216 | "status_request handshake test (server)"); | |
217 | ||
218 | #Test 5: A status_request handshake (client and server): expects the OCSP handshake kind (which adds CertificateStatus in @handmessages) and the status_request extension from both sides | |
219 | $proxy->clear(); | |
220 | $proxy->clientflags("-no_tls1_3 -status"); | |
221 | $proxy->serverflags("-status_file " | |
222 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
223 | $proxy->start(); | |
224 | checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE, | |
225 | checkhandshake::DEFAULT_EXTENSIONS | |
226 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION | |
227 | | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, | |
228 | "status_request handshake test"); | |
229 | } | |
0bfe166b | 230 | |
60ea0034 | 231 | #Test 6: A client auth handshake: the server is started with -Verify 5 and the client presents the test server.pem from apps/ as its own certificate |
0bfe166b MC |
232 | $proxy->clear(); |
233 | $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem")); | |
234 | $proxy->serverflags("-Verify 5"); | |
235 | $proxy->start(); | |
1e566129 MC |
236 | checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE, |
237 | checkhandshake::DEFAULT_EXTENSIONS, | |
f50306c2 | 238 | "Client auth handshake test"); |
0bfe166b | 239 | |
60ea0034 | 240 | #Test 7: A handshake with a renegotiation, requested through $proxy->reneg(1); the RENEG_HANDSHAKE entries in @handmessages list the second round of messages |
0bfe166b MC |
241 | $proxy->clear(); |
242 | $proxy->clientflags("-no_tls1_3"); | |
243 | $proxy->reneg(1); | |
244 | $proxy->start(); | |
1e566129 MC |
245 | checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE, |
246 | checkhandshake::DEFAULT_EXTENSIONS, | |
46f4e1be | 247 | "Renegotiation handshake test"); |
f50306c2 | 248 | |
11ba87f2 | 249 | #Test 8: Server name handshake (no client request): the client is started with -noservername, so SERVER_NAME_CLI_EXTENSION is masked out of the expected set |
60ea0034 | 250 | $proxy->clear(); |
11ba87f2 | 251 | $proxy->clientflags("-no_tls1_3 -noservername"); |
60ea0034 | 252 | $proxy->start(); |
1e566129 MC |
253 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
254 | checkhandshake::DEFAULT_EXTENSIONS | |
11ba87f2 | 255 | & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, |
96153874 | 256 | "Server name handshake test (client)"); |
60ea0034 MC |
257 | |
258 | #Test 9: Server name handshake (server support only): the server has -servername but the client still runs with -noservername, so the expected set is the same as in Test 8 | |
259 | $proxy->clear(); | |
11ba87f2 | 260 | $proxy->clientflags("-no_tls1_3 -noservername"); |
60ea0034 MC |
261 | $proxy->serverflags("-servername testhost"); |
262 | $proxy->start(); | |
1e566129 | 263 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
11ba87f2 MC |
264 | checkhandshake::DEFAULT_EXTENSIONS |
265 | & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, | |
96153874 | 266 | "Server name handshake test (server)"); |
60ea0034 MC |
267 | |
268 | #Test 10: Server name handshake (client and server): both sides use the name testhost, so the server's server_name extension is expected in addition to the defaults | |
269 | $proxy->clear(); | |
270 | $proxy->clientflags("-no_tls1_3 -servername testhost"); | |
271 | $proxy->serverflags("-servername testhost"); | |
272 | $proxy->start(); | |
1e566129 | 273 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
96153874 | 274 | checkhandshake::DEFAULT_EXTENSIONS |
96153874 MC |
275 | | checkhandshake::SERVER_NAME_SRV_EXTENSION, |
276 | "Server name handshake test"); | |
60ea0034 MC |
277 | |
278 | #Test 11: ALPN handshake (client request only): only the client's ALPN extension is added to the expected set | |
279 | $proxy->clear(); | |
280 | $proxy->clientflags("-no_tls1_3 -alpn test"); | |
281 | $proxy->start(); | |
1e566129 MC |
282 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
283 | checkhandshake::DEFAULT_EXTENSIONS | |
284 | | checkhandshake::ALPN_CLI_EXTENSION, | |
96153874 | 285 | "ALPN handshake test (client)"); |
f50306c2 | 286 | |
60ea0034 MC |
287 | #Test 12: ALPN handshake (server support only): the client offers no ALPN, so the server's -alpn setting must leave the default extensions unchanged
288 | $proxy->clear(); | |
289 | $proxy->clientflags("-no_tls1_3"); | |
290 | $proxy->serverflags("-alpn test"); | |
291 | $proxy->start(); | |
1e566129 MC |
292 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
293 | checkhandshake::DEFAULT_EXTENSIONS, | |
96153874 | 294 | "ALPN handshake test (server)"); |
a1448c26 | 295 | |
60ea0034 MC |
296 | #Test 13: ALPN handshake (client and server): both sides use the protocol name "test", so the ALPN extension is expected from the client and from the server
297 | $proxy->clear(); | |
298 | $proxy->clientflags("-no_tls1_3 -alpn test"); | |
299 | $proxy->serverflags("-alpn test"); | |
300 | $proxy->start(); | |
1e566129 | 301 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
96153874 MC |
302 | checkhandshake::DEFAULT_EXTENSIONS |
303 | | checkhandshake::ALPN_CLI_EXTENSION | |
304 | | checkhandshake::ALPN_SRV_EXTENSION, | |
305 | "ALPN handshake test"); | |
60ea0034 | 306 | |
a05bed19 | 307 | SKIP: { |
aec23ece RL |
308 | skip "No CT, EC or OCSP support in this OpenSSL build", 1
309 | if disabled("ct") || disabled("ec") || disabled("ocsp"); | |
a05bed19 RL |
310 |
311 | #Test 14: SCT handshake (client request only): the server gets an OCSP response file but no -serverinfo, so the SCT extension is expected from the client only | |
312 | $proxy->clear(); | |
313 | #Note: -ct also sends status_request, which is why the OCSP handshake kind and both status_request extensions are expected below | |
314 | $proxy->clientflags("-no_tls1_3 -ct"); | |
315 | $proxy->serverflags("-status_file " | |
316 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
317 | $proxy->start(); | |
318 | checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE, | |
319 | checkhandshake::DEFAULT_EXTENSIONS | |
320 | | checkhandshake::SCT_CLI_EXTENSION | |
321 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION | |
322 | | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, | |
323 | "SCT handshake test (client)"); | |
324 | } | |
60ea0034 | 325 | |
aec23ece RL |
326 | SKIP: { |
327 | skip "No OCSP support in this OpenSSL build", 1 | |
328 | if disabled("ocsp"); | |
329 | ||
330 | #Test 15: SCT handshake (server support only): the server only gets -status_file here and the default handshake and extensions are expected | |
331 | $proxy->clear(); | |
332 | #Note: unlike Tests 14 and 16 the client is started without -ct here, so it sends neither SCT nor status_request (NOTE(review): the earlier wording "-ct also sends status_request" looks copied from those tests) | |
333 | $proxy->clientflags("-no_tls1_3"); | |
334 | $proxy->serverflags("-status_file " | |
335 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
336 | $proxy->start(); | |
337 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
338 | checkhandshake::DEFAULT_EXTENSIONS, | |
339 | "SCT handshake test (server)"); | |
340 | } | |
60ea0034 | 341 | |
a05bed19 | 342 | SKIP: { |
aec23ece RL |
343 | skip "No CT, EC or OCSP support in this OpenSSL build", 1
344 | if disabled("ct") || disabled("ec") || disabled("ocsp"); | |
a05bed19 RL |
345 |
346 | #Test 16: SCT handshake (client and server) | |
347 | #There is no built-in server side support for this, so the server's SCT data | |
348 | #comes from the -serverinfo file below and we are also testing custom extensions here | |
349 | $proxy->clear(); | |
350 | #Note: -ct also sends status_request, so the OCSP handshake kind and both status_request extensions are expected as well | |
351 | $proxy->clientflags("-no_tls1_3 -ct"); | |
352 | $proxy->serverflags("-status_file " | |
353 | .srctop_file("test", "recipes", "ocsp-response.der") | |
354 | ." -serverinfo ".srctop_file("test", "serverinfo.pem")); | |
355 | $proxy->start(); | |
356 | checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE, | |
357 | checkhandshake::DEFAULT_EXTENSIONS | |
358 | | checkhandshake::SCT_CLI_EXTENSION | |
359 | | checkhandshake::SCT_SRV_EXTENSION | |
360 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION | |
361 | | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, | |
362 | "SCT handshake test"); | |
363 | } | |
60ea0034 MC |
364 | |
365 | ||
e0c47b2c RL |
366 | SKIP: { |
367 | skip "No NPN support in this OpenSSL build", 3 | |
368 | if disabled("nextprotoneg"); | |
60ea0034 | 369 | |
e0c47b2c RL |
370 | #Test 17: NPN handshake (client request only): only the client's NPN extension is added to the expected set
371 | $proxy->clear(); | |
372 | $proxy->clientflags("-no_tls1_3 -nextprotoneg test"); | |
373 | $proxy->start(); | |
374 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
375 | checkhandshake::DEFAULT_EXTENSIONS | |
376 | | checkhandshake::NPN_CLI_EXTENSION, | |
377 | "NPN handshake test (client)"); | |
a1448c26 | 378 | |
e0c47b2c RL |
379 | #Test 18: NPN handshake (server support only): the client does not ask for NPN, so the server's -nextprotoneg setting must leave the default extensions unchanged
380 | $proxy->clear(); | |
381 | $proxy->clientflags("-no_tls1_3"); | |
382 | $proxy->serverflags("-nextprotoneg test"); | |
383 | $proxy->start(); | |
384 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
385 | checkhandshake::DEFAULT_EXTENSIONS, | |
386 | "NPN handshake test (server)"); | |
387 | ||
388 | #Test 19: NPN handshake (client and server): expects the NPN handshake kind (which adds the NextProto message in @handmessages) and the NPN extension from both sides | |
389 | $proxy->clear(); | |
390 | $proxy->clientflags("-no_tls1_3 -nextprotoneg test"); | |
391 | $proxy->serverflags("-nextprotoneg test"); | |
392 | $proxy->start(); | |
393 | checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE, | |
394 | checkhandshake::DEFAULT_EXTENSIONS | |
395 | | checkhandshake::NPN_CLI_EXTENSION | |
396 | | checkhandshake::NPN_SRV_EXTENSION, | |
397 | "NPN handshake test"); | |
398 | } | |
60ea0034 | 399 | |
327d38d0 RL |
400 | SKIP: { |
401 | skip "No SRP support in this OpenSSL build", 1 | |
402 | if disabled("srp"); | |
403 | ||
404 | #Test 20: SRP extension | |
405 | #Note: We are not actually going to perform an SRP handshake (TLSProxy | |
406 | #does not support it). However it is sufficient for us to check that the | |
407 | #SRP extension gets added on the client side. There is no SRP extension | |
408 | #generated on the server side anyway. The user name and password passed below are fixed dummy values for this test. | |
409 | $proxy->clear(); | |
410 | $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass"); | |
411 | $proxy->start(); | |
412 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
413 | checkhandshake::DEFAULT_EXTENSIONS | |
414 | | checkhandshake::SRP_CLI_EXTENSION, | |
415 | "SRP extension test"); | |
416 | } | |
397f4f78 MC |
417 | |
418 | #Test 21: EC handshake: both sides disable TLSv1.3 and the cipher list is restricted to ECDHE-RSA-AES128-SHA; the EC handshake kind (which adds ServerKeyExchange in @handmessages) and the server's ec_point_formats extension are expected | |
419 | SKIP: { | |
420 | skip "No EC support in this OpenSSL build", 1 if disabled("ec"); | |
421 | $proxy->clear(); | |
422 | $proxy->clientflags("-no_tls1_3"); | |
38a73150 | 423 | $proxy->serverflags("-no_tls1_3"); |
397f4f78 MC |
424 | $proxy->ciphers("ECDHE-RSA-AES128-SHA"); |
425 | $proxy->start(); | |
426 | checkhandshake($proxy, checkhandshake::EC_HANDSHAKE, | |
427 | checkhandshake::DEFAULT_EXTENSIONS | |
428 | | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION, | |
429 | "EC handshake test"); | |
430 | } |