Home | History | Annotate | only in /src/crypto/external/bsd/openssl.old/dist/test
Up to higher level directory
NameDateSize
aborttest.c18-Apr-2023464
afalgtest.c18-Apr-20234.2K
asn1_decode_test.c18-Apr-20236.3K
asn1_encode_test.c18-Apr-202329.7K
asn1_internal_test.c18-Apr-20233.7K
asn1_string_table_test.c18-Apr-20231.9K
asn1_time_test.c18-Apr-202315.9K
asynciotest.c18-Apr-202312.1K
asynctest.c18-Apr-20238.7K
bad_dtls_test.c18-Apr-202319.4K
bftest.c18-Apr-202315.4K
bio_callback_test.c18-Apr-20236.4K
bio_enc_test.c18-Apr-20236.7K
bio_memleak_test.c18-Apr-20237.5K
bioprinttest.c18-Apr-202311.3K
bntest.c18-Apr-202392K
bntests.pl18-Apr-20234.5K
build.info18-Apr-202320.4K
CAss.cnf18-Apr-20232.2K
CAssdh.cnf03-Feb-2018728
CAssdsa.cnf03-Feb-2018729
CAssrsa.cnf03-Feb-2018708
casttest.c18-Apr-20233.1K
CAtsa.cnf18-Apr-20234.9K
certs/25-Feb-2026
chacha_internal_test.c18-Apr-20238K
cipher_overhead_test.c18-Apr-20231.1K
cipherbytes_test.c18-Apr-20234.4K
cipherlist_test.c18-Apr-20237.1K
ciphername_test.c18-Apr-202320.6K
clienthellotest.c18-Apr-20238.3K
cmactest.c18-Apr-20235.9K
cms-examples.pl18-Apr-20238.7K
cmsapitest.c18-Apr-20232.2K
conf_include_test.c18-Apr-20235.4K
constant_time_test.c18-Apr-202312.3K
crltest.c18-Apr-202314.7K
ct/25-Feb-2026
ct_test.c18-Apr-202315.9K
ctype_internal_test.c18-Apr-20232.6K
curve448_internal_test.c18-Apr-202334.8K
d2i-tests/25-Feb-2026
d2i_test.c18-Apr-20234K
dane-cross.in18-Apr-20236.9K
danetest.c18-Apr-202311.1K
danetest.in18-Apr-202387.6K
danetest.pem18-Apr-2023652
data.bin18-Apr-2023128
destest.c18-Apr-202325.5K
dhtest.c18-Apr-202327.5K
drbg_cavs_data.c18-Apr-20237.9M
drbg_cavs_data.h18-Apr-20231.8K
drbg_cavs_test.c18-Apr-20237.5K
drbgtest.c18-Apr-202330K
drbgtest.h18-Apr-202325.9K
dsa_no_digest_size_test.c18-Apr-20238.4K
dsatest.c18-Apr-20233.7K
dtls_mtu_test.c18-Apr-20237.1K
dtlstest.c18-Apr-202313.5K
dtlsv1listentest.c18-Apr-202312.3K
ec_internal_test.c18-Apr-202312.2K
ecdsatest.c18-Apr-202311.2K
ecdsatest.h18-Apr-2023673.6K
ecstresstest.c18-Apr-20233.9K
ectest.c18-Apr-202390.8K
enginetest.c18-Apr-202310.7K
errtest.c18-Apr-2023941
evp_extra_test.c18-Apr-202370.7K
evp_test.c18-Apr-202372.6K
evp_test.h18-Apr-2023413
exdatatest.c18-Apr-20236.7K
exptest.c18-Apr-20236.1K
fatalerrtest.c18-Apr-20232.7K
generate_buildtest.pl18-Apr-2023793
generate_ssl_tests.pl18-Apr-20234.4K
gmdifftest.c18-Apr-20231.8K
gosttest.c18-Apr-20233.1K
handshake_helper.c18-Apr-202359.5K
handshake_helper.h18-Apr-20232.9K
hmactest.c18-Apr-20237.2K
ideatest.c18-Apr-20233.7K
igetest.c18-Apr-202316.2K
lhash_test.c18-Apr-20235.5K
md2test.c18-Apr-20231.6K
mdc2_internal_test.c18-Apr-20231.6K
mdc2test.c18-Apr-20232K
memleaktest.c18-Apr-20231.6K
modes_internal_test.c18-Apr-202329K
ocsp-tests/25-Feb-2026
ocspapitest.c18-Apr-20235.9K
ossl_shim/25-Feb-2026
P1ss.cnf18-Apr-20231,000
P2ss.cnf18-Apr-20231.1K
packettest.c18-Apr-202315K
pbelutest.c18-Apr-20231.4K
pemtest.c18-Apr-20233.4K
pkcs7-1.pem03-Feb-2018851
pkcs7.pem03-Feb-20183.7K
pkey_meth_kdf_test.c18-Apr-20235.2K
pkey_meth_test.c18-Apr-20232.2K
pkits-test.pl18-Apr-202331.2K
poly1305_internal_test.c18-Apr-202356.2K
rc2test.c18-Apr-20232K
rc4test.c18-Apr-20233.9K
rc5test.c18-Apr-20238.8K
rdrand_sanitytest.c18-Apr-20233.4K
README18-Apr-20234.4K
README.external18-Apr-20234.6K
README.ssltest.md18-Apr-202310.1K
recipes/25-Feb-2026
recordlentest.c18-Apr-20235.1K
rsa_complex.c18-Apr-2023787
rsa_mp_test.c18-Apr-20239.5K
rsa_test.c18-Apr-202312.7K
run_tests.pl18-Apr-20234K
sanitytest.c18-Apr-20233K
secmemtest.c18-Apr-20235.9K
serverinfo.pem03-Feb-2018740
serverinfo2.pem18-Apr-2023412
servername_test.c18-Apr-20236.7K
session.pem18-Apr-20231.9K
shibboleth.pfx18-Apr-20232.5K
shlibloadtest.c18-Apr-20239.1K
siphash_internal_test.c18-Apr-202317K
sm2_internal_test.c18-Apr-202313.2K
sm4_internal_test.c18-Apr-20232.3K
smcont.txt18-Apr-202383
smime-certs/25-Feb-2026
srptest.c18-Apr-20238K
ssl-tests/25-Feb-2026
ssl_cert_table_internal_test.c18-Apr-20232.3K
ssl_ctx_test.c18-Apr-20232.2K
ssl_test.c18-Apr-202318.3K
ssl_test.tmpl18-Apr-20234.3K
ssl_test_ctx.c18-Apr-202328.6K
ssl_test_ctx.h18-Apr-20238.5K
ssl_test_ctx_test.c18-Apr-20239K
ssl_test_ctx_test.conf18-Apr-20232K
sslapitest.c18-Apr-2023249.3K
sslbuffertest.c18-Apr-20235.2K
sslcorrupttest.c18-Apr-20237K
ssltest_old.c18-Apr-2023102.9K
ssltestlib.c18-Apr-202328.9K
ssltestlib.h18-Apr-20232K
Sssdsa.cnf03-Feb-2018821
Sssrsa.cnf03-Feb-2018798
stack_test.c18-Apr-20239.2K
sysdefault.cnf18-Apr-2023241
sysdefaulttest.c18-Apr-20231.1K
test.cnf18-Apr-20232.6K
test_test.c18-Apr-202317.8K
testcrl.pem03-Feb-2018938
testdsa.pem18-Apr-2023672
testdsapub.pem18-Apr-2023654
testec-p256.pem18-Apr-2023227
testecpub-p256.pem18-Apr-2023178
tested25519.pem18-Apr-2023119
tested25519pub.pem18-Apr-2023113
tested448.pem18-Apr-2023156
tested448pub.pem18-Apr-2023146
testp7.pem03-Feb-20182.8K
testreq2.pem03-Feb-2018371
testrsa.pem03-Feb-2018497
testrsa_withattrs.der18-Apr-20231.2K
testrsa_withattrs.pem18-Apr-20231.7K
testrsapub.pem18-Apr-2023182
testsid.pem18-Apr-20232.3K
testutil/25-Feb-2026
testutil.h18-Apr-202319.4K
testx509.pem03-Feb-2018530
threadstest.c18-Apr-20233.9K
time_offset_test.c18-Apr-20233.2K
tls13ccstest.c18-Apr-202314.9K
tls13encryptiontest.c18-Apr-202313.9K
tls13secretstest.c18-Apr-202311.3K
uitest.c18-Apr-20232.3K
Uss.cnf18-Apr-20231,018
v3-cert1.pem03-Feb-2018944
v3-cert2.pem03-Feb-2018940
v3ext.c18-Apr-202311.3K
v3nametest.c18-Apr-202319.8K
verify_extra_test.c18-Apr-20238.6K
versions.c18-Apr-2023645
wpackettest.c18-Apr-202314.8K
x509_check_cert_pkey_test.c18-Apr-20233K
x509_dup_cert_test.c18-Apr-20231.3K
x509_internal_test.c18-Apr-20233.1K
x509_time_test.c18-Apr-202313.6K
x509aux.c18-Apr-20235.1K

README

      1 How to add recipes
      2 ==================
      3 
      4 For any test that you want to perform, you write a script located in
      5 test/recipes/, named {nn}-test_{name}.t, where {nn} is a two digit number and
      6 {name} is a unique name of your choice.
      7 
      8 Please note that if a test involves a new testing executable, you will need to
      9 do some additions in test/Makefile.  More on this later.
     10 
     11 
     12 Naming conventions
     13 =================
     14 
     15 A test executable is named test/{name}test.c
     16 
     17 A test recipe is named test/recipes/{nn}-test_{name}.t, where {nn} is a two
     18 digit number and {name} is a unique name of your choice.
     19 
     20 The number {nn} is (somewhat loosely) grouped as follows:
     21 
     22 00-04  sanity, internal and essential API tests
     23 05-09  individual symmetric cipher algorithms
     24 10-14  math (bignum)
     25 15-19  individual asymmetric cipher algorithms
     26 20-24  openssl commands (some otherwise not tested)
     27 25-29  certificate forms, generation and verification
     28 30-35  engine and evp
     29 60-79  APIs
     30    70  PACKET layer
     31 80-89  "larger" protocols (CA, CMS, OCSP, SSL, TSA)
     32 90-98  misc
     33 99     most time consuming tests [such as test_fuzz]
     34 
     35 
     36 A recipe that just runs a test executable
     37 =========================================
     38 
     39 A script that just runs a program looks like this:
     40 
     41     #! /usr/bin/perl
     42 
     43     use OpenSSL::Test::Simple;
     44 
     45     simple_test("test_{name}", "{name}test", "{name}");
     46 
     47 {name} is the unique name you have chosen for your test.
     48 
     49 The second argument to `simple_test' is the test executable, and `simple_test'
     50 expects it to be located in test/
     51 
     52 For documentation on OpenSSL::Test::Simple, do
     53 `perldoc util/perl/OpenSSL/Test/Simple.pm'.
     54 
     55 
     56 A recipe that runs a more complex test
     57 ======================================
     58 
     59 For more complex tests, you will need to read up on Test::More and
     60 OpenSSL::Test.  Test::More is normally preinstalled, do `man Test::More' for
     61 documentation.  For OpenSSL::Test, do `perldoc util/perl/OpenSSL/Test.pm'.
     62 
     63 A script to start from could be this:
     64 
     65     #! /usr/bin/perl
     66 
     67     use strict;
     68     use warnings;
     69     use OpenSSL::Test;
     70 
     71     setup("test_{name}");
     72 
     73     plan tests => 2;                # The number of tests being performed
     74 
     75     ok(test1, "test1");
     76     ok(test2, "test1");
     77 
     78     sub test1
     79     {
     80         # test feature 1
     81     }
     82 
     83     sub test2
     84     {
     85         # test feature 2
     86     }
     87 
     88 
     89 Changes to test/build.info
     90 ==========================
     91 
     92 Whenever a new test involves a new test executable you need to do the
     93 following (at all times, replace {NAME} and {name} with the name of your
     94 test):
     95 
     96 * add {name} to the list of programs under PROGRAMS_NO_INST
     97 
     98 * create a three line description of how to build the test, you will have
     99 to modify the include paths and source files if you don't want to use the
    100 basic test framework:
    101 
    102     SOURCE[{name}]={name}.c
    103     INCLUDE[{name}]=.. ../include
    104     DEPEND[{name}]=../libcrypto libtestutil.a
    105 
    106 Generic form of C test executables
    107 ==================================
    108 
    109     #include "testutil.h"
    110 
    111     static int my_test(void)
    112     {
    113         int testresult = 0;                 /* Assume the test will fail    */
    114         int observed;
    115 
    116         observed = function();              /* Call the code under test     */
    117         if (!TEST_int_eq(observed, 2))      /* Check the result is correct  */
    118             goto end;                       /* Exit on failure - optional   */
    119 
    120         testresult = 1;                     /* Mark the test case a success */
    121     end:
    122         cleanup();                          /* Any cleanup you require      */
    123         return testresult;
    124     }
    125 
    126     int setup_tests(void)
    127     {
    128         ADD_TEST(my_test);                  /* Add each test separately     */
    129         return 1;                           /* Indicate success             */
    130     }
    131 
    132 You should use the TEST_xxx macros provided by testutil.h to test all failure
    133 conditions.  These macros produce an error message in a standard format if the
    134 condition is not met (and nothing if the condition is met).  Additional
    135 information can be presented with the TEST_info macro that takes a printf
    136 format string and arguments.  TEST_error is useful for complicated conditions,
    137 it also takes a printf format string and argument.  In all cases the TEST_xxx
    138 macros are guaranteed to evaluate their arguments exactly once.  This means
    139 that expressions with side effects are allowed as parameters.  Thus,
    140 
    141     if (!TEST_ptr(ptr = OPENSSL_malloc(..)))
    142 
    143 works fine and can be used in place of:
    144 
    145     ptr = OPENSSL_malloc(..);
    146     if (!TEST_ptr(ptr))
    147 
    148 The former produces a more meaningful message on failure than the latter.
    149 
    150 

README.external

      1 Running external test suites with OpenSSL
      2 =========================================
      3 
      4 It is possible to integrate external test suites into OpenSSL's "make test".
      5 This capability is considered a developer option and does not work on all
      6 platforms.
      7 
      8 
      9 
     10 The BoringSSL test suite
     11 ========================
     12 
     13 In order to run the BoringSSL tests with OpenSSL, first checkout the BoringSSL
     14 source code into an appropriate directory. This can be done in two ways:
     15 
     16 1) Separately from the OpenSSL checkout using:
     17 
     18   $ git clone https://boringssl.googlesource.com/boringssl boringssl
     19 
     20   The BoringSSL tests are only confirmed to work at a specific commit in the
     21   BoringSSL repository. Later commits may or may not pass the test suite:
     22 
     23   $ cd boringssl
     24   $ git checkout 490469f850e
     25 
     26 2) Using the already configured submodule settings in OpenSSL:
     27 
     28   $ git submodule update --init
     29 
     30 Configure the OpenSSL source code to enable the external tests:
     31 
     32 $ cd ../openssl
     33 $ ./config enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers \
     34   enable-external-tests
     35 
     36 Note that using other config options than those given above may cause the tests
     37 to fail.
     38 
     39 Run the OpenSSL tests by providing the path to the BoringSSL test runner in the
     40 BORING_RUNNER_DIR environment variable:
     41 
     42 $ BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make test
     43 
     44 Note that the test suite may change directory while running so the path provided
     45 should be absolute and not relative to the current working directory.
     46 
     47 To see more detailed output you can run just the BoringSSL tests with the
     48 verbose option:
     49 
     50 $ VERBOSE=1 BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make \
     51   TESTS="test_external_boringssl" test
     52 
     53 
     54 Test failures and suppressions
     55 ------------------------------
     56 
     57 A large number of the BoringSSL tests are known to fail. A test could fail
     58 because of many possible reasons. For example:
     59 
     60 - A bug in OpenSSL
     61 - Different interpretations of standards
     62 - Assumptions about the way BoringSSL works that do not apply to OpenSSL
     63 - The test uses APIs added to BoringSSL that are not present in OpenSSL
     64 - etc
     65 
     66 In order to provide a "clean" baseline run with all the tests passing a config
     67 file has been provided that suppresses the running of tests that are known to
     68 fail. These suppressions are held in the file "test/ossl_shim/ossl_config.json"
     69 within the OpenSSL source code.
     70 
     71 The community is encouraged to contribute patches which reduce the number of
     72 suppressions that are currently present.
     73 
     74 
     75 Python PYCA/Cryptography test suite
     76 ===================================
     77 
     78 This python test suite runs cryptographic tests with a local OpenSSL build as
     79 the implementation.
     80 
     81 First checkout the PYCA/Cryptography module into ./pyca-cryptography using:
     82 
     83 $ git submodule update --init
     84 
     85 Then configure/build OpenSSL compatible with the python module:
     86 
     87 $ ./config shared enable-external-tests
     88 $ make
     89 
     90 The tests will run in a python virtual environment which requires virtualenv
     91 to be installed.
     92 
     93 $ make test VERBOSE=1 TESTS=test_external_pyca
     94 
     95 Test failures and suppressions
     96 ------------------------------
     97 
     98 Some tests target older (<=1.0.2) versions so will not run. Other tests target
     99 other crypto implementations so are not relevant. Currently no tests fail.
    100 
    101 
    102 krb5 test suite
    103 ===============
    104 
    105 Much like the PYCA/Cryptography test suite, this builds and runs the krb5
    106 tests against the local OpenSSL build.
    107 
    108 You will need a git checkout of krb5 at the top level:
    109 
    110 $ git clone https://github.com/krb5/krb5
    111 
    112 krb5's master has to pass this same CI, but a known-good version is
    113 krb5-1.15.1-final if you want to be sure.
    114 
    115 $ cd krb5
    116 $ git checkout krb5-1.15.1-final
    117 $ cd ..
    118 
    119 OpenSSL must be built with external tests enabled:
    120 
    121 $ ./config enable-external-tests
    122 $ make
    123 
    124 krb5's tests will then be run as part of the rest of the suite, or can be
    125 explicitly run (with more debugging):
    126 
    127 $ VERBOSE=1 make TESTS=test_external_krb5 test
    128 
    129 Test-failures suppressions
    130 --------------------------
    131 
    132 krb5 will automatically adapt its test suite to account for the configuration
    133 of your system.  Certain tests may require more installed packages to run.  No
    134 tests are expected to fail.
    135 
    136 
    137 Updating test suites
    138 ====================
    139 
    140 To update the commit for any of the above test suites:
    141 
    142 - Make sure the submodules are cloned locally:
    143 
    144   $ git submodule update --init --recursive
    145 
    146 - Enter subdirectory and pull from the repository (use a specific branch/tag if required):
    147 
    148   $ cd <submodule-dir>
    149   $ git pull origin master
    150 
    151 - Go to root directory, there should be a new git status:
    152 
    153   $ cd ../
    154   $ git status
    155   ...
    156   #       modified:   <submodule-dir> (new commits)
    157   ...
    158 
    159 - Add/commit/push the update
    160 
    161   git add <submodule-dir>
    162   git commit -m "Updated <submodule> to latest commit"
    163   git push
    164 
    165 

README.ssltest.md

      1 # SSL tests
      2 
      3 SSL testcases are configured in the `ssl-tests` directory.
      4 
      5 Each `ssl_*.conf.in` file contains a number of test configurations. These files
      6 are used to generate testcases in the OpenSSL CONF format.
      7 
      8 The precise test output can be dependent on the library configuration. The test
      9 harness generates the output files on the fly.
     10 
     11 However, for verification, we also include checked-in configuration outputs
     12 corresponding to the default configuration. These testcases live in
     13 `test/ssl-tests/*.conf` files.
     14 
     15 For more details, see `ssl-tests/01-simple.conf.in` for an example.
     16 
     17 ## Configuring the test
     18 
     19 First, give your test a name. The names do not have to be unique.
     20 
     21 An example test input looks like this:
     22 
     23 ```
     24     {
     25         name => "test-default",
     26         server => { "CipherString" => "DEFAULT" },
     27         client => { "CipherString" => "DEFAULT" },
     28         test   => { "ExpectedResult" => "Success" },
     29     }
     30 ```
     31 
     32 The test section supports the following options
     33 
     34 ### Test mode
     35 
     36 * Method - the method to test. One of DTLS or TLS.
     37 
     38 * HandshakeMode - which handshake flavour to test:
     39   - Simple - plain handshake (default)
     40   - Resume - test resumption
     41   - RenegotiateServer - test server initiated renegotiation
     42   - RenegotiateClient - test client initiated renegotiation
     43 
     44 When HandshakeMode is Resume or Renegotiate, the original handshake is expected
     45 to succeed. All configured test expectations are verified against the second
     46 handshake.
     47 
     48 * ApplicationData - amount of application data bytes to send (integer, defaults
     49   to 256 bytes). Applies to both client and server. Application data is sent in
     50   64kB chunks (but limited by MaxFragmentSize and available parallelization, see
     51   below).
     52 
     53 * MaxFragmentSize - maximum send fragment size (integer, defaults to 512 in
     54   tests - see `SSL_CTX_set_max_send_fragment` for documentation). Applies to
     55   both client and server. Lowering the fragment size will split handshake and
     56   application data up between more `SSL_write` calls, thus allowing to exercise
     57   different code paths. In particular, if the buffer size (64kB) is at least
     58   four times as large as the maximum fragment, interleaved multi-buffer crypto
     59   implementations may be used on some platforms.
     60 
     61 ### Test expectations
     62 
     63 * ExpectedResult - expected handshake outcome. One of
     64   - Success - handshake success
     65   - ServerFail - serverside handshake failure
     66   - ClientFail - clientside handshake failure
     67   - InternalError - some other error
     68 
     69 * ExpectedClientAlert, ExpectedServerAlert - expected alert. See
     70   `ssl_test_ctx.c` for known values. Note: the expected alert is currently
     71   matched against the _last_ received alert (i.e., a fatal alert or a
     72   `close_notify`). Warning alert expectations are not yet supported. (A warning
     73   alert will not be correctly matched, if followed by a `close_notify` or
     74   another alert.)
     75 
     76 * ExpectedProtocol - expected negotiated protocol. One of
     77   SSLv3, TLSv1, TLSv1.1, TLSv1.2.
     78 
     79 * SessionTicketExpected - whether or not a session ticket is expected
     80   - Ignore - do not check for a session ticket (default)
     81   - Yes - a session ticket is expected
     82   - No - a session ticket is not expected
     83 
     84 * SessionIdExpected - whether or not a session id is expected
     85   - Ignore - do not check for a session id (default)
     86   - Yes - a session id is expected
     87   - No - a session id is not expected
     88 
     89 * ResumptionExpected - whether or not resumption is expected (Resume mode only)
     90   - Yes - resumed handshake
     91   - No - full handshake (default)
     92 
     93 * ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
     94 
     95 * ExpectedTmpKeyType - the expected algorithm or curve of server temp key
     96 
     97 * ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
     98   curve of server or client certificate
     99 
    100 * ExpectedServerSignHash, ExpectedClientSignHash - the expected
    101   signing hash used by server or client certificate
    102 
    103 * ExpectedServerSignType, ExpectedClientSignType - the expected
    104   signature type used by server or client when signing messages
    105 
    106 * ExpectedClientCANames - for client auth list of CA names the server must
    107   send. If this is "empty" the list is expected to be empty otherwise it
    108   is a file of certificates whose subject names form the list.
    109 
    110 * ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only.
    111   If this is "empty" the list is expected to be empty otherwise it is a file
    112   of certificates whose subject names form the list.
    113 
    114 ## Configuring the client and server
    115 
    116 The client and server configurations can be any valid `SSL_CTX`
    117 configurations. For details, see the manpages for `SSL_CONF_cmd`.
    118 
    119 Give your configurations as a dictionary of CONF commands, e.g.
    120 
    121 ```
    122 server => {
    123     "CipherString" => "DEFAULT",
    124     "MinProtocol" => "TLSv1",
    125 }
    126 ```
    127 
    128 The following sections may optionally be defined:
    129 
    130 * server2 - this section configures a secondary context that is selected via the
    131   ServerName test option. This context is used whenever a ServerNameCallback is
    132   specified. If the server2 section is not present, then the configuration
    133   matches server.
    134 * resume_server - this section configures the client to resume its session
    135   against a different server. This context is used whenever HandshakeMode is
    136   Resume. If the resume_server section is not present, then the configuration
    137   matches server.
    138 * resume_client - this section configures the client to resume its session with
    139   a different configuration. In practice this may occur when, for example,
    140   upgraded clients reuse sessions persisted on disk.  This context is used
    141   whenever HandshakeMode is Resume. If the resume_client section is not present,
    142   then the configuration matches client.
    143 
    144 ### Configuring callbacks and additional options
    145 
    146 Additional handshake settings can be configured in the `extra` section of each
    147 client and server:
    148 
    149 ```
    150 client => {
    151     "CipherString" => "DEFAULT",
    152     extra => {
    153         "ServerName" => "server2",
    154     }
    155 }
    156 ```
    157 
    158 #### Supported client-side options
    159 
    160 * ClientVerifyCallback - the client's custom certificate verify callback.
    161   Used to test callback behaviour. One of
    162   - None - no custom callback (default)
    163   - AcceptAll - accepts all certificates.
    164   - RejectAll - rejects all certificates.
    165 
    166 * ServerName - the server the client should attempt to connect to. One of
    167   - None - do not use SNI (default)
    168   - server1 - the initial context
    169   - server2 - the secondary context
    170   - invalid - an unknown context
    171 
    172 * CTValidation - Certificate Transparency validation strategy. One of
    173   - None - no validation (default)
    174   - Permissive - SSL_CT_VALIDATION_PERMISSIVE
    175   - Strict - SSL_CT_VALIDATION_STRICT
    176 
    177 #### Supported server-side options
    178 
    179 * ServerNameCallback - the SNI switching callback to use
    180   - None - no callback (default)
    181   - IgnoreMismatch - continue the handshake on SNI mismatch
    182   - RejectMismatch - abort the handshake on SNI mismatch
    183 
    184 * BrokenSessionTicket - a special test case where the session ticket callback
    185   does not initialize crypto.
    186   - No (default)
    187   - Yes
    188 
    189 #### Mutually supported options
    190 
    191 * NPNProtocols, ALPNProtocols - NPN and ALPN settings. Server and client
    192   protocols can be specified as a comma-separated list, and a callback with the
    193   recommended behaviour will be installed automatically.
    194 
    195 * SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
    196   connect as; for server, this is a known SRP user.
    197 
    198 ### Default server and client configurations
    199 
    200 The default server certificate and CA files are added to the configurations
    201 automatically. Server certificate verification is requested by default.
    202 
    203 You can override these options by redefining them:
    204 
    205 ```
    206 client => {
    207     "VerifyCAFile" => "/path/to/custom/file"
    208 }
    209 ```
    210 
    211 or by deleting them
    212 
    213 ```
    214 client => {
    215     "VerifyCAFile" => undef
    216 }
    217 ```
    218 
    219 ## Adding a test to the test harness
    220 
    221 1. Add a new test configuration to `test/ssl-tests`, following the examples of
    222    existing `*.conf.in` files (for example, `01-simple.conf.in`).
    223 
    224 2. Generate the generated `*.conf` test input file. You can do so by running
    225    `generate_ssl_tests.pl`:
    226 
    227 ```
    228 $ ./config
    229 $ cd test
    230 $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/my.conf.in \
    231   > ssl-tests/my.conf
    232 ```
    233 
    234 where `my.conf.in` is your test input file.
    235 
    236 For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do
    237 
    238 ```
    239 $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf
    240 ```
    241 
    242 Alternatively (hackish but simple), you can comment out
    243 
    244 ```
    245 unlink glob $tmp_file;
    246 ```
    247 
    248 in `test/recipes/80-test_ssl_new.t` and run
    249 
    250 ```
    251 $ make TESTS=test_ssl_new test
    252 ```
    253 
    254 This will save the generated output in a `*.tmp` file in the build directory.
    255 
    256 3. Update the number of tests planned in `test/recipes/80-test_ssl_new.t`. If
    257    the test suite has any skip conditions, update those too (see
    258    `test/recipes/80-test_ssl_new.t` for details).
    259 
    260 ## Running the tests with the test harness
    261 
    262 ```
    263 HARNESS_VERBOSE=yes make TESTS=test_ssl_new test
    264 ```
    265 
    266 ## Running a test manually
    267 
    268 These steps are only needed during development. End users should run `make test`
    269 or follow the instructions above to run the SSL test suite.
    270 
    271 To run an SSL test manually from the command line, the `TEST_CERTS_DIR`
    272 environment variable to point to the location of the certs. E.g., from the root
    273 OpenSSL directory, do
    274 
    275 ```
    276 $ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs test/ssl_test \
    277   test/ssl-tests/01-simple.conf
    278 ```
    279 
    280 or for shared builds
    281 
    282 ```
    283 $ CTLOG_FILE=test/ct/log_list.conf  TEST_CERTS_DIR=test/certs \
    284   util/shlib_wrap.sh test/ssl_test test/ssl-tests/01-simple.conf
    285 ```
    286 
    287 Note that the test expectations sometimes depend on the Configure settings. For
    288 example, the negotiated protocol depends on the set of available (enabled)
    289 protocols: a build with `enable-ssl3` has different test expectations than a
    290 build with `no-ssl3`.
    291 
    292 The Perl test harness automatically generates expected outputs, so users who
    293 just run `make test` do not need any extra steps.
    294 
    295 However, when running a test manually, keep in mind that the repository version
    296 of the generated `test/ssl-tests/*.conf` correspond to expected outputs in with
    297 the default Configure options. To run `ssl_test` manually from the command line
    298 in a build with a different configuration, you may need to generate the right
    299 `*.conf` file from the `*.conf.in` input first.
    300