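#! /usr/bin/env perl
# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# test_sslmessages: drives a series of handshakes through TLSProxy and uses
# checkhandshake() to verify that exactly the expected handshake messages and
# extensions appear for each scenario (default, resumption, status_request,
# client auth, renegotiation, server name, ALPN, SCT, NPN, SRP, EC).  Every
# client is started with -no_tls1_3, so the tables below describe the
# TLS 1.2 flows only.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"))
       || (!disabled("tls1_3") && disabled("tls1_2"));

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

# Client cipher string shared by every case; the security level is part of
# the string because the "openssl" app option is parsed as one value.
my $cipherc = "DEFAULT:\@SECLEVEL=2";

# Stapled OCSP response handed to the server by the status_request cases.
my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");

# Expected handshake messages.  Each entry is [message type, mask of the
# checkhandshake::*_HANDSHAKE flows in which the message must be seen].
# The list is terminated by [0, 0].
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
            checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    # Second flight seen only when the client renegotiates (Test 7).
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

# Expected extensions.  Each entry is [message type, extension type, sender
# (CLIENT/SERVER), mask of the checkhandshake::*_EXTENSION flags under which
# the extension must be present].  Terminated by [0,0,0,0].
@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO,
            TLSProxy::Message::EXT_SUPPORTED_GROUPS,
            TLSProxy::Message::CLIENT,
            checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO,
            TLSProxy::Message::EXT_EC_POINT_FORMATS,
            TLSProxy::Message::CLIENT,
            checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
            TLSProxy::Message::CLIENT,
            checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        TLSProxy::Message::CLIENT,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::SERVER,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::SERVER,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::SERVER,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0,0]
);

# Run one fresh proxied handshake and check it (exactly one test).
#
# Named arguments:
#   clientflags - full option string for the client (must include -no_tls1_3)
#   serverflags - option string for the server; setter skipped when absent
#   ciphers     - server cipher list; setter skipped when absent
#   reneg       - true to request a renegotiation after the handshake
#   handshake   - checkhandshake::*_HANDSHAKE flow to expect
#   extensions  - mask of checkhandshake::*_EXTENSION flags to expect
#   name        - test description passed to checkhandshake()
#
# Setters are only invoked when their argument is given, so the proxy state
# after clear() is otherwise left at its defaults, exactly as in the inline
# form each case used before.
sub run_handshake_test {
    my (%opt) = @_;

    $proxy->clear();
    $proxy->cipherc($cipherc);
    $proxy->clientflags($opt{clientflags});
    $proxy->serverflags($opt{serverflags}) if defined $opt{serverflags};
    $proxy->reneg(1) if $opt{reneg};
    $proxy->ciphers($opt{ciphers}) if defined $opt{ciphers};
    $proxy->start();
    checkhandshake($proxy, $opt{handshake}, $opt{extensions}, $opt{name});
    return;
}

#Test 1: Check we get all the right messages for a default handshake
# The session is written to a temp file so that Test 2 can resume it; the
# server is told to accept two connections for the same reason.
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->cipherc($cipherc);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is restarted so the server keeps the session from Test 1.
$proxy->clearClient();
$proxy->cipherc($cipherc);
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    run_handshake_test(
        clientflags => "-no_tls1_3 -status",
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
        name        => "status_request handshake test (client)",
    );

    #Test 4: A status_request handshake (server support only)
    run_handshake_test(
        clientflags => "-no_tls1_3",
        serverflags => "-status_file ".$ocsp_response,
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS,
        name        => "status_request handshake test (server)",
    );

    #Test 5: A status_request handshake (client and server)
    run_handshake_test(
        clientflags => "-no_tls1_3 -status",
        serverflags => "-status_file ".$ocsp_response,
        handshake   => checkhandshake::OCSP_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                       | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
        name        => "status_request handshake test",
    );
}

#Test 6: A client auth handshake
# The client presents the same test certificate the server uses; -Verify
# makes the server demand a client certificate.
run_handshake_test(
    clientflags => "-no_tls1_3 -cert ".srctop_file("apps", "server.pem"),
    serverflags => "-Verify 5",
    handshake   => checkhandshake::CLIENT_AUTH_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS,
    name        => "Client auth handshake test",
);

#Test 7: A handshake with a renegotiation
run_handshake_test(
    clientflags => "-no_tls1_3",
    serverflags => "-client_renegotiation",
    reneg       => 1,
    handshake   => checkhandshake::RENEG_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS,
    name        => "Renegotiation handshake test",
);

#Test 8: Server name handshake (no client request)
run_handshake_test(
    clientflags => "-no_tls1_3 -noservername",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS
                   & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
    name        => "Server name handshake test (client)",
);

#Test 9: Server name handshake (server support only)
run_handshake_test(
    clientflags => "-no_tls1_3 -noservername",
    serverflags => "-servername testhost",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS
                   & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
    name        => "Server name handshake test (server)",
);

#Test 10: Server name handshake (client and server)
run_handshake_test(
    clientflags => "-no_tls1_3 -servername testhost",
    serverflags => "-servername testhost",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SERVER_NAME_SRV_EXTENSION,
    name        => "Server name handshake test",
);

#Test 11: ALPN handshake (client request only)
run_handshake_test(
    clientflags => "-no_tls1_3 -alpn test",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::ALPN_CLI_EXTENSION,
    name        => "ALPN handshake test (client)",
);

#Test 12: ALPN handshake (server support only)
run_handshake_test(
    clientflags => "-no_tls1_3",
    serverflags => "-alpn test",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS,
    name        => "ALPN handshake test (server)",
);

#Test 13: ALPN handshake (client and server)
run_handshake_test(
    clientflags => "-no_tls1_3 -alpn test",
    serverflags => "-alpn test",
    handshake   => checkhandshake::DEFAULT_HANDSHAKE,
    extensions  => checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::ALPN_CLI_EXTENSION
                   | checkhandshake::ALPN_SRV_EXTENSION,
    name        => "ALPN handshake test",
);

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    #Note: -ct also sends status_request
    run_handshake_test(
        clientflags => "-no_tls1_3 -ct",
        serverflags => "-status_file ".$ocsp_response,
        handshake   => checkhandshake::OCSP_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::SCT_CLI_EXTENSION
                       | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                       | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
        name        => "SCT handshake test (client)",
    );
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    #Note: -ct also sends status_request
    run_handshake_test(
        clientflags => "-no_tls1_3",
        serverflags => "-status_file ".$ocsp_response,
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS,
        name        => "SCT handshake test (server)",
    );
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    #Note: -ct also sends status_request
    run_handshake_test(
        clientflags => "-no_tls1_3 -ct",
        serverflags => "-status_file ".$ocsp_response
                       ." -serverinfo ".srctop_file("test", "serverinfo.pem"),
        handshake   => checkhandshake::OCSP_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::SCT_CLI_EXTENSION
                       | checkhandshake::SCT_SRV_EXTENSION
                       | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                       | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
        name        => "SCT handshake test",
    );
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    run_handshake_test(
        clientflags => "-no_tls1_3 -nextprotoneg test",
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::NPN_CLI_EXTENSION,
        name        => "NPN handshake test (client)",
    );

    #Test 18: NPN handshake (server support only)
    run_handshake_test(
        clientflags => "-no_tls1_3",
        serverflags => "-nextprotoneg test",
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS,
        name        => "NPN handshake test (server)",
    );

    #Test 19: NPN handshake (client and server)
    run_handshake_test(
        clientflags => "-no_tls1_3 -nextprotoneg test",
        serverflags => "-nextprotoneg test",
        handshake   => checkhandshake::NPN_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::NPN_CLI_EXTENSION
                       | checkhandshake::NPN_SRV_EXTENSION,
        name        => "NPN handshake test",
    );
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    # The user/password pair is a throwaway fixture; it is never verified.
    run_handshake_test(
        clientflags => "-no_tls1_3 -srpuser user -srppass pass:pass",
        handshake   => checkhandshake::DEFAULT_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::SRP_CLI_EXTENSION,
        name        => "SRP extension test",
    );
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    # Pin an ECDHE suite on the server so a ServerKeyExchange is produced.
    run_handshake_test(
        clientflags => "-no_tls1_3",
        serverflags => "-no_tls1_3",
        ciphers     => "ECDHE-RSA-AES128-SHA",
        handshake   => checkhandshake::EC_HANDSHAKE,
        extensions  => checkhandshake::DEFAULT_EXTENSIONS
                       | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
        name        => "EC handshake test",
    );
}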