author | Ingela Anderton Andin <[email protected]> | 2019-08-27 15:42:20 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2019-08-27 15:42:20 +0200 |
commit | ad127c1a8478df4269bee848f8680454cc975d6d (patch) | |
tree | 8b8f592c55cfb5b574d979d49bd96e1178ca4b7e | |
parent | 689c3a5bed74bc80ae999e06983810f9543a8cd7 (diff) | |
parent | 3688631813c890c3713589c654d56b6949fb935d (diff) | |
download | otp-ad127c1a8478df4269bee848f8680454cc975d6d.tar.gz otp-ad127c1a8478df4269bee848f8680454cc975d6d.tar.bz2 otp-ad127c1a8478df4269bee848f8680454cc975d6d.zip |
Merge branch 'maint'master
-rw-r--r-- | lib/ssl/test/Makefile | 1 | ||||
-rw-r--r-- | lib/ssl/test/ssl_cert_SUITE.erl | 391 | ||||
-rw-r--r-- | lib/ssl/test/ssl_certificate_verify_SUITE.erl | 608 |
3 files changed, 375 insertions, 625 deletions
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index 0925c0facc..ec0addac59 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -60,7 +60,6 @@ MODULES = \ ssl_cert_SUITE\ openssl_server_cert_SUITE\ openssl_client_cert_SUITE\ - ssl_certificate_verify_SUITE\ ssl_crl_SUITE\ ssl_dist_SUITE \ ssl_dist_bench_SUITE \ diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl index fb1695f38a..d5ca9bcf02 100644 --- a/lib/ssl/test/ssl_cert_SUITE.erl +++ b/lib/ssl/test/ssl_cert_SUITE.erl @@ -44,17 +44,16 @@ all() -> groups() -> [ {'tlsv1.3', [], tls_1_3_protocol_groups()}, - {'tlsv1.2', [], pre_tls_1_3_protocol_groups()}, - {'tlsv1.1', [], pre_tls_1_3_protocol_groups()}, - {'tlsv1', [], pre_tls_1_3_protocol_groups()}, + {'tlsv1.2', [], tls_1_2_protocol_groups()}, + {'tlsv1.1', [], ssl_protocol_groups()}, + {'tlsv1', [], ssl_protocol_groups()}, {'sslv3', [], ssl_protocol_groups()}, - {'dtlsv1.2', [], pre_tls_1_3_protocol_groups()}, - {'dtlsv1', [], pre_tls_1_3_protocol_groups()}, - {rsa, [], all_version_tests()}, + {'dtlsv1.2', [], tls_1_2_protocol_groups()}, + {'dtlsv1', [], ssl_protocol_groups()}, + {rsa, [], all_version_tests() ++ rsa_tests() ++ pre_tls_1_3_rsa_tests()}, {ecdsa, [], all_version_tests()}, {dsa, [], all_version_tests()}, - {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth, - unsupported_sign_algo_cert_client_auth]}, + {rsa_1_3, [], all_version_tests() ++ rsa_tests() ++ tls_1_3_tests() ++ tls_1_3_rsa_tests()}, {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()} ]. @@ -62,7 +61,7 @@ ssl_protocol_groups() -> [{group, rsa}, {group, dsa}]. -pre_tls_1_3_protocol_groups() -> +tls_1_2_protocol_groups() -> [{group, rsa}, {group, ecdsa}, {group, dsa}]. 
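Review bot: Switching `{'tlsv1.1', [], ssl_protocol_groups()}`, `{'tlsv1', [], ssl_protocol_groups()}` and `{'dtlsv1', [], ssl_protocol_groups()}` away from `pre_tls_1_3_protocol_groups()` silently drops the ecdsa group for those versions, since `ssl_protocol_groups()` is `[{group, rsa}, {group, dsa}]` while the old list also held `{group, ecdsa}`. If ECDSA certificates are intentionally no longer exercised below TLS/DTLS 1.2, a comment on `ssl_protocol_groups()` such as `%% ECDSA is only exercised from TLS 1.2 upwards; earlier versions run rsa and dsa` would stop a later reader from treating this as a coverage regression; otherwise a separate group list that keeps ecdsa for those versions preserves the previous coverage. The hunk's `groups()` body continues past what is visible here, so I cannot see whether a later clause restores it.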
@@ -80,6 +79,22 @@ tls_1_3_tests() -> hello_retry_client_auth_empty_cert_rejected ]. +pre_tls_1_3_rsa_tests() -> + [ + key_auth_ext_sign_only + ]. + +rsa_tests() -> + [ + longer_chain + ]. + +tls_1_3_rsa_tests() -> + [ + unsupported_sign_algo_client_auth, + unsupported_sign_algo_cert_client_auth + ]. + all_version_tests() -> [ no_auth, @@ -96,8 +111,18 @@ all_version_tests() -> missing_root_cert_auth_user_verify_fun_reject, verify_fun_always_run_client, verify_fun_always_run_server, - incomplete_chain_auth - %%invalid_signature_client + incomplete_chain_auth, + invalid_signature_client, + invalid_signature_server, + critical_extension_auth, + critical_extension_client_auth, + critical_extension_no_auth, + extended_key_usage_auth, + extended_key_usage_client_auth, + cert_expired, + client_auth_once, + no_auth_key_identifier_ext, + no_auth_key_identifier_ext_keyEncipherment ]. init_per_suite(Config) -> @@ -352,7 +377,8 @@ incomplete_chain_auth(Config) when is_list(Config) -> %%-------------------------------------------------------------------- verify_fun_always_run_client() -> - [{doc,"Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"}]. + [{doc,"Verify that user verify_fun is always run (for valid and " + "valid_peer not only unknown_extension)"}]. verify_fun_always_run_client(Config) when is_list(Config) -> ClientOpts = ssl_test_lib:ssl_options(client_cert_opts, Config), 
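Review bot: `no_auth_key_identifier_ext_keyEncipherment` is added to `all_version_tests()`, so it also runs under the ecdsa and dsa groups, where a client certificate carrying `keyEncipherment` key usage has no meaning for the key type; its complementary case `key_auth_ext_sign_only` is correctly restricted to `pre_tls_1_3_rsa_tests()`. If the keyEncipherment case is meant to be exercised only with RSA keys it belongs in `rsa_tests()`; if running it for every algorithm is deliberate, a comment like `%% keyEncipherment is only meaningful for RSA; kept here to check it is harmless for other key types` would record that. The same question applies to `cert_expired` and `client_auth_once`, which now run under the TLS 1.3 groups as well; presumably that is intended, but nothing in the list says so.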
@@ -392,7 +418,8 @@ verify_fun_always_run_client(Config) when is_list(Config) -> %%-------------------------------------------------------------------- verify_fun_always_run_server() -> - [{doc,"Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"}]. + [{doc,"Verify that user verify_fun is always run (for valid and " + "valid_peer not only unknown_extension)"}]. verify_fun_always_run_server(Config) when is_list(Config) -> ClientOpts = ssl_test_lib:ssl_options(client_cert_opts, Config), ServerOpts = ssl_test_lib:ssl_options(server_cert_opts, Config), 
@@ -434,12 +461,318 @@ verify_fun_always_run_server(Config) when is_list(Config) -> invalid_signature_client() -> ssl_cert_tests:invalid_signature_client(). invalid_signature_client(Config) when is_list(Config) -> + ssl:clear_pem_cache(), ssl_cert_tests:invalid_signature_client(Config). %%-------------------------------------------------------------------- invalid_signature_server() -> - ssl_cert_tests:invalid_signature_client(). + ssl_cert_tests:invalid_signature_server(). invalid_signature_server(Config) when is_list(Config) -> - ssl_cert_tests:invalid_signature_client(Config). + ssl:clear_pem_cache(), + ssl_cert_tests:invalid_signature_server(Config). + +%%-------------------------------------------------------------------- +critical_extension_auth() -> + [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}]. + +critical_extension_auth(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{server_chain, + [[],[],[{extensions, Ext}]]}, + {client_chain, DefaultCertConf}]), + ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), + ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server_error( + [{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{verify, verify_none} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client_error( + [{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{verify, verify_peer} | ClientOpts]}]), + + ssl_test_lib:check_client_alert(Server, Client, unsupported_certificate). 
+ +%%-------------------------------------------------------------------- +critical_extension_client_auth() -> + [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}]. + +critical_extension_client_auth(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{client_chain, + [[],[],[{extensions, Ext}]]}, + {server_chain, DefaultCertConf}]), + ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), + ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server_error( + [{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{verify, verify_peer} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client_error( + [{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{verify, verify_none} | ClientOpts]}]), + + %% This certificate has a critical extension that we don't + %% understand. Therefore, verification should fail. + ssl_test_lib:check_server_alert(Server, Client, unsupported_certificate). + +%%-------------------------------------------------------------------- +critical_extension_no_auth() -> + [{doc,"Test cert that has a critical unknown extension in verify_none mode"}]. 
+ +critical_extension_no_auth(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{server_chain, + [[],[], [{extensions, Ext}]]}, + {client_chain, DefaultCertConf}]), + ClientOpts = [{verify, verify_none} | ssl_test_lib:ssl_options(ClientOpts0, Config)], + ServerOpts = [{verify, verify_none} | ssl_test_lib:ssl_options(ServerOpts0, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + + +%%-------------------------------------------------------------------- +extended_key_usage_auth() -> + [{doc,"Test cert that has a critical extended_key_usage extension in server cert"}]. + +extended_key_usage_auth(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + Ext = x509_test:extensions([{?'id-ce-extKeyUsage', + [?'id-kp-serverAuth'], true}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{server_chain, + [[],[], [{extensions, Ext}]]}, + {client_chain, DefaultCertConf} + ]), + ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), + ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{verify, verify_none} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{verify, verify_peer} | + ClientOpts]}]), + + ssl_test_lib:check_result(Server, 
ok, Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). + +%%-------------------------------------------------------------------- +extended_key_usage_client_auth() -> + [{doc,"Test cert that has a critical extended_key_usage extension in client and server cert"}]. + +extended_key_usage_client_auth(Config) when is_list(Config) -> + ServerExt = x509_test:extensions([{?'id-ce-extKeyUsage', + [?'id-kp-serverAuth'], true}]), + ClientExt = x509_test:extensions([{?'id-ce-extKeyUsage', + [?'id-kp-clientAuth'], true}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{client_chain, [[],[],[{extensions, ClientExt}]]}, + {server_chain, [[],[],[{extensions, ServerExt}]]}]), + ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), + ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{verify, verify_peer} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{verify, verify_peer} | ClientOpts]}]), + + ssl_test_lib:check_result(Server, ok, Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). + +%%-------------------------------------------------------------------- +cert_expired() -> + [{doc,"Test server with expired certificate"}]. 
+ +cert_expired(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + {Year, Month, Day} = date(), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{server_chain, + [[], + [{validity, {{Year-2, Month, Day}, + {Year-1, Month, Day}}}], + [] + ]}, + {client_chain, DefaultCertConf}]), + ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), + ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, + {from, self()}, + {options, ServerOpts}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {options, [{verify, verify_peer} | ClientOpts]}]), + + ssl_test_lib:check_client_alert(Server, Client, certificate_expired). + +%%-------------------------------------------------------------------- +client_auth_once() -> + [{doc,"Test server option verify_client_once"}]. + +client_auth_once(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_cert_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_cert_opts, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{verify, verify_peer}, + {verify_client_once, true} + | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, ClientOpts}]), + + ssl_test_lib:check_result(Server, ok, Client0, ok), + Server ! 
{listen, {mfa, {ssl_test_lib, send_recv_result_active, []}}}, + ssl_test_lib:close(Client0), + Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, ClientOpts}]), + + ssl_test_lib:check_result(Client1, ok, Server, ok), + ssl_test_lib:close(Server), + ssl_test_lib:close(Client1). + +%%-------------------------------------------------------------------- +no_auth_key_identifier_ext() -> + [{doc, "Test cert that does not have authorityKeyIdentifier extension"}]. + +no_auth_key_identifier_ext(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = + ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{client_chain, DefaultCertConf}, + {server_chain, DefaultCertConf}]), + ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(ClientOpts0, Config)], + ServerOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(ServerOpts0, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + +%%-------------------------------------------------------------------- +no_auth_key_identifier_ext_keyEncipherment() -> + [{doc, "Test cert with keyEncipherment key_usage an no" + " authorityKeyIdentifier extension"}]. 
+ +no_auth_key_identifier_ext_keyEncipherment(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + ClientExt = x509_test:extensions([{key_usage, [digitalSignature, keyEncipherment]}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = + ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{client_chain, + [[],[],[{extensions, ClientExt}]]}, + {server_chain, DefaultCertConf} + ]), + ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(ClientOpts0, Config)], + ServerOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(ServerOpts0, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + +%%-------------------------------------------------------------------- +key_auth_ext_sign_only() -> + [{doc, "Test that client with a certificate without keyEncipherment usage " + " extension can connect to a server with restricted cipher suites "}]. +key_auth_ext_sign_only(Config) when is_list(Config) -> + DefaultCertConf = ssl_test_lib:default_cert_chain_conf(), + ClientExt = x509_test:extensions([{key_usage, [digitalSignature]}]), + #{client_config := ClientOpts0, + server_config := ServerOpts0} = + ssl_test_lib:make_cert_chains_der(proplists:get_value(cert_key_alg, Config), + [{client_chain, + [[],[],[{extensions, ClientExt}]]}, + {server_chain, DefaultCertConf} + ]), + Version = proplists:get_value(version, Config), + ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(ClientOpts0, Config)], + ServerOpts = [{verify, verify_peer}, {ciphers, + ssl_test_lib:rsa_non_signed_suites(n_version(Version))} + | ssl_test_lib:ssl_options(ServerOpts0, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + +%%-------------------------------------------------------------------- +longer_chain() -> + [{doc,"Test depth option"}]. 
+longer_chain(Config) when is_list(Config) -> + #{server_config := ServerOpts0, + client_config := ClientOpts0} = + public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}], + intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}], + [{key, ssl_test_lib:hardcode_rsa_key(3)}], + [{key, ssl_test_lib:hardcode_rsa_key(4)}]], + peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]}, + client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}], + intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}]], + peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}), + [ServerRoot| _] = ServerCas = proplists:get_value(cacerts, ServerOpts0), + ClientCas = proplists:get_value(cacerts, ClientOpts0), + + ServerOpts = ssl_test_lib:ssl_options([{verify, verify_peer}, {cacerts, [ServerRoot]} | + proplists:delete(cacerts, ServerOpts0)], Config), + ClientOpts = ssl_test_lib:ssl_options([{verify, verify_peer}, + {depth, 5}, + {cacerts, ServerCas ++ ClientCas} | + proplists:delete(cacerts, ClientOpts0)], Config), + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- %% TLS 1.3 Test cases ----------------------------------------------- @@ -454,7 +787,7 @@ hello_retry_request(Config) -> ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, {supported_groups, [x448, x25519]}|ServerOpts0], ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}, - {supported_groups, [secp256r1, x25519]}|ClientOpts0], + {supported_groups, [secp256r1, x25519]} | ClientOpts0], ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- custom_groups() -> 
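Review bot: `cert_expired` derives its expired validity window from `date()` by subtracting years while keeping `Month` and `Day`, so on 29 February the tuples `{Year-2, Month, Day}` and `{Year-1, Month, Day}` name nonexistent dates and certificate generation would fail on that day; `date()` is also local time while certificate validity is interpreted in UTC, so near midnight the window can be off by one day (presumably harmless here, but worth knowing). Computing the bounds through day counts avoids the leap-day problem, e.g. `Days = calendar:date_to_gregorian_days(date()),` `NotBefore = calendar:gregorian_days_to_date(Days - 730),` `NotAfter = calendar:gregorian_days_to_date(Days - 365),` and using `{validity, {NotBefore, NotAfter}}`. Separately, `no_auth_key_identifier_ext` claims to test a certificate without an authorityKeyIdentifier extension but builds both chains from `ssl_test_lib:default_cert_chain_conf()` with nothing visible here that strips the extension (the `delete_authority_key_extension/2` helper added in the last hunk has no caller in this diff), so unless the default configuration already omits it the test does not exercise what its doc says. The `ssl:clear_pem_cache()` calls added to `invalid_signature_client` and `invalid_signature_server` would benefit from a short why-comment, since the reason the cache must be cleared for these two cases is not apparent from the surrounding code.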
@@ -561,3 +894,29 @@ hello_retry_client_auth_empty_cert_rejected(Config) -> {supported_groups, [secp256r1, x25519]}|ClientOpts2], ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required). + +%%-------------------------------------------------------------------- +%% Internal functions ----------------------------------------------- +%%-------------------------------------------------------------------- +two_digits_str(N) when N < 10 -> + lists:flatten(io_lib:format("0~p", [N])); +two_digits_str(N) -> + lists:flatten(io_lib:format("~p", [N])). + +delete_authority_key_extension([], Acc) -> + lists:reverse(Acc); +delete_authority_key_extension([#'Extension'{extnID = ?'id-ce-authorityKeyIdentifier'} | Rest], + Acc) -> + delete_authority_key_extension(Rest, Acc); +delete_authority_key_extension([Head | Rest], Acc) -> + delete_authority_key_extension(Rest, [Head | Acc]). + +n_version(Version) when Version == 'tlsv1.2'; + Version == 'tlsv1.1'; + Version == 'tlsv1'; + Version == 'sslv3' + -> + tls_record:protocol_version(Version); +n_version(Version) when Version == 'dtlsv1.2'; + Version == 'dtlsv1' -> + dtls_record:protocol_version(Version). diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl deleted file mode 100644 index f38858e0bf..0000000000 --- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl +++ /dev/null 
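Review bot: `two_digits_str/1` and `delete_authority_key_extension/2` are added under "Internal functions" but nothing in this diff calls them; if the suite is compiled with `-compile(export_all)` like the deleted sibling suite, the compiler will not warn about them, so they should either gain a caller or be left out. `n_version/1` compares atoms with `==`; `=:=` is the conventional exact comparison, and a guard such as `Version =:= 'tlsv1.2'; Version =:= 'tlsv1.1'; Version =:= 'tlsv1'; Version =:= 'sslv3'` reads the same. A one-line comment that `n_version/1` deliberately has no `'tlsv1.3'` clause because its only visible caller, `key_auth_ext_sign_only`, is restricted to pre-1.3 RSA groups would prevent someone adding that test to `all_version_tests()` and hitting a `function_clause`.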
@@ -1,608 +0,0 @@ -%% -%% %CopyrightBegin% -%% -%% Copyright Ericsson AB 2012-2018. All Rights Reserved. -%% -%% Licensed under the Apache License, Version 2.0 (the "License"); -%% you may not use this file except in compliance with the License. -%% You may obtain a copy of the License at -%% -%% http://www.apache.org/licenses/LICENSE-2.0 -%% -%% Unless required by applicable law or agreed to in writing, software -%% distributed under the License is distributed on an "AS IS" BASIS, -%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -%% See the License for the specific language governing permissions and -%% limitations under the License. -%% -%% %CopyrightEnd% -%% - -%% --module(ssl_certificate_verify_SUITE). - -%% Note: This directive should only be used in test suites. --compile(export_all). - --include_lib("common_test/include/ct.hrl"). --include_lib("public_key/include/public_key.hrl"). - --include("ssl_internal.hrl"). --include("ssl_alert.hrl"). --include("ssl_internal.hrl"). --include("tls_record.hrl"). --include("tls_handshake.hrl"). - --define(LONG_TIMEOUT, 600000). - -%%-------------------------------------------------------------------- -%% Common Test interface functions ----------------------------------- -%%-------------------------------------------------------------------- -all() -> - [ - {group, 'tlsv1.3'}, - {group, 'tlsv1.2'}, - {group, 'tlsv1.1'}, - {group, 'tlsv1'}, - {group, 'sslv3'}, - {group, 'dtlsv1.2'}, - {group, 'dtlsv1'} - ]. - -groups() -> - [ - {'tlsv1.3', [], all_protocol_groups()}, - {'tlsv1.2', [], all_protocol_groups()}, - {'tlsv1.1', [], all_protocol_groups()}, - {'tlsv1', [], all_protocol_groups()}, - {'sslv3', [], all_protocol_groups()}, - {'dtlsv1.2', [], all_protocol_groups()}, - {'dtlsv1', [], all_protocol_groups()}, - {active, [], tests()}, - {active_once, [], tests()}, - {passive, [], tests()}, - {error_handling, [],error_handling_tests()} - ]. 
- -all_protocol_groups() -> - [{group, active}, - {group, passive}, - {group, active_once}, - {group, error_handling}]. - -tests() -> - [cert_expired, - %invalid_signature_client, - %%invalid_signature_server, - extended_key_usage_verify_both, - extended_key_usage_verify_server, - critical_extension_verify_client, - critical_extension_verify_server, - critical_extension_verify_none, - long_chain - ]. - -error_handling_tests()-> - [client_with_cert_cipher_suites_handshake, - %%unknown_server_ca_accept_backwardscompatibility, - no_authority_key_identifier, - no_authority_key_identifier_keyEncipherment]. - -init_per_suite(Config) -> - catch crypto:stop(), - try crypto:start() of - ok -> - ssl_test_lib:clean_start(), - ssl_test_lib:make_rsa_cert(Config) - catch _:_ -> - {skip, "Crypto did not start"} - end. - -end_per_suite(_Config) -> - ssl:stop(), - application:stop(crypto). - -init_per_group(active, Config) -> - [{active, true}, {receive_function, send_recv_result_active} | Config]; -init_per_group(active_once, Config) -> - [{active, once}, {receive_function, send_recv_result_active_once} | Config]; -init_per_group(passive, Config) -> - [{active, false}, {receive_function, send_recv_result} | Config]; -init_per_group(error_handling, Config) -> - [{active, false}, {receive_function, send_recv_result} | Config]; -init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - [{version, GroupName} | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing crypto support"} - end - end. - -end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. 
- -init_per_testcase(_TestCase, Config) -> - ssl:stop(), - ssl:start(), - ssl_test_lib:ct_log_supported_protocol_versions(Config), - ct:pal(" ~p", [ dtls_record:supported_protocol_versions()]), - ct:timetrap({seconds, 10}), - Config. - -end_per_testcase(_TestCase, Config) -> - Config. - -%%-------------------------------------------------------------------- -%% Test Cases -------------------------------------------------------- -%%-------------------------------------------------------------------- -server_verify_client_once() -> - [{doc,"Test server option verify_client_once"}]. - -server_verify_client_once(Config) when is_list(Config) -> - ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, []), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), - Active = proplists:get_value(active, Config), - ReceiveFunction = proplists:get_value(receive_function, Config), - - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{active, Active}, {verify, verify_peer}, - {verify_client_once, true} - | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{active, Active} | ClientOpts]}]), - - ssl_test_lib:check_result(Server, ok, Client0, ok), - Server ! {listen, {mfa, {ssl_test_lib, no_result, []}}}, - ssl_test_lib:close(Client0), - Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {?MODULE, result_ok, []}}, - {options, [{active, Active} | ClientOpts]}]), - - ssl_test_lib:check_result(Client1, ok), - ssl_test_lib:close(Server), - ssl_test_lib:close(Client1). 
- -%%-------------------------------------------------------------------- - -cert_expired() -> - [{doc,"Test server with expired certificate"}]. - -cert_expired(Config) when is_list(Config) -> - {Year, Month, Day} = date(), - Active = proplists:get_value(active, Config), - {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain, - [[], - [{validity, {{Year-2, Month, Day}, - {Year-1, Month, Day}}}], - [] - ]}], - Config, "_expired"), - ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), - ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), - - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - - Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, - {from, self()}, - {options, [{active, Active}| ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {options, [{verify, verify_peer}, {active, Active} | ClientOpts]}]), - - ssl_test_lib:check_client_alert(Server, Client, certificate_expired). - -two_digits_str(N) when N < 10 -> - lists:flatten(io_lib:format("0~p", [N])); -two_digits_str(N) -> - lists:flatten(io_lib:format("~p", [N])). - -%%-------------------------------------------------------------------- -extended_key_usage_verify_server() -> - [{doc,"Test cert that has a critical extended_key_usage extension in server cert"}]. 
- -extended_key_usage_verify_server(Config) when is_list(Config) -> - Ext = x509_test:extensions([{?'id-ce-extKeyUsage', - [?'id-kp-serverAuth'], true}]), - {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain, - [[],[], [{extensions, Ext}]]}], Config, - "_keyusage_server"), - ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), - ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), - Active = proplists:get_value(active, Config), - ReceiveFunction = proplists:get_value(receive_function, Config), - - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{verify, verify_peer}, {active, Active} | - ClientOpts]}]), - - ssl_test_lib:check_result(Server, ok, Client, ok), - - ssl_test_lib:close(Server), - ssl_test_lib:close(Client). - -%%-------------------------------------------------------------------- -extended_key_usage_verify_both() -> - [{doc,"Test cert that has a critical extended_key_usage extension in client verify_peer mode"}]. 
- -extended_key_usage_verify_both(Config) when is_list(Config) -> - ServerExt = x509_test:extensions([{?'id-ce-extKeyUsage', - [?'id-kp-serverAuth'], true}]), - ClientExt = x509_test:extensions([{?'id-ce-extKeyUsage', - [?'id-kp-clientAuth'], true}]), - {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_chain, [[],[],[{extensions, ClientExt}]]}, - {server_chain, [[],[],[{extensions, ServerExt}]]}], - Config, "_keyusage_both"), - ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config), - ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config), - Active = proplists:get_value(active, Config), - ReceiveFunction = proplists:get_value(receive_function, Config), - - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{verify, verify_peer}, {active, Active} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, ReceiveFunction, []}}, - {options, [{verify, verify_peer}, {active, Active} | ClientOpts]}]), - - ssl_test_lib:check_result(Server, ok, Client, ok), - - ssl_test_lib:close(Server), - ssl_test_lib:close(Client). - -%%-------------------------------------------------------------------- -critical_extension_verify_server() -> - [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}]. 
-
-critical_extension_verify_server(Config) when is_list(Config) ->
- Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]),
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_chain,
- [[],[], [{extensions, Ext}]]}],
- Config, "_client_unknown_extension"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
- Active = proplists:get_value(active, Config),
- ReceiveFunction = proplists:get_value(receive_function, Config),
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server_error(
- [{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_peer}, {active, Active} | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client_error(
- [{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_none}, {active, Active} | ClientOpts]}]),
-
- %% This certificate has a critical extension that we don't
- %% understand. Therefore, verification should fail.
- ssl_test_lib:check_server_alert(Server, Client, unsupported_certificate).
-%%--------------------------------------------------------------------
-
-critical_extension_verify_client() ->
- [{doc,"Test cert that has a critical unknown extension in verify_peer mode"}].
-
-critical_extension_verify_client(Config) when is_list(Config) ->
- Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]),
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain,
- [[],[],[{extensions, Ext}]]}],
- Config, "_server_unknown_extensions"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
- Active = proplists:get_value(active, Config),
- ReceiveFunction = proplists:get_value(receive_function, Config),
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server_error(
- [{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client_error(
- [{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_peer}, {active, Active} | ClientOpts]}]),
-
- ssl_test_lib:check_client_alert(Server, Client, unsupported_certificate).
-
-%%--------------------------------------------------------------------
-critical_extension_verify_none() ->
- [{doc,"Test cert that has a critical unknown extension in verify_none mode"}].
-
-critical_extension_verify_none(Config) when is_list(Config) ->
- Ext = x509_test:extensions([{{2,16,840,1,113730,1,1}, <<3,2,6,192>>, true}]),
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain,
- [[],[], [{extensions, Ext}]]}],
- Config, "_unknown_extensions"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
- Active = proplists:get_value(active, Config),
- ReceiveFunction = proplists:get_value(receive_function, Config),
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server(
- [{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_none}, {active, Active} | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client(
- [{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{verify, verify_none}, {active, Active} | ClientOpts]}]),
-
- %% This certificate has a critical extension that we don't
- %% understand. But we're using `verify_none', so verification
- %% shouldn't fail.
- ssl_test_lib:check_result(Server, ok, Client, ok),
-
- ssl_test_lib:close(Server),
- ssl_test_lib:close(Client).
-
-%%--------------------------------------------------------------------
-no_authority_key_identifier() ->
- [{doc, "Test cert that does not have authorityKeyIdentifier extension"
- " but are present in trusted certs db."}].
-
-no_authority_key_identifier(Config) when is_list(Config) ->
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([], Config, "_peer_no_auth_key_id"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib, send_recv_result_active, []}},
- {options, ServerOpts}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib, send_recv_result_active, []}},
- {options, [{verify, verify_peer} | ClientOpts]}]),
-
- ssl_test_lib:check_result(Server, ok, Client, ok),
-
- ssl_test_lib:close(Server),
- ssl_test_lib:close(Client).
-
-delete_authority_key_extension([], Acc) ->
- lists:reverse(Acc);
-delete_authority_key_extension([#'Extension'{extnID = ?'id-ce-authorityKeyIdentifier'} | Rest],
- Acc) ->
- delete_authority_key_extension(Rest, Acc);
-delete_authority_key_extension([Head | Rest], Acc) ->
- delete_authority_key_extension(Rest, [Head | Acc]).
-
-%%--------------------------------------------------------------------
-
-no_authority_key_identifier_keyEncipherment() ->
- [{doc, "Test cert with keyEncipherment key_usage an no"
- " authorityKeyIdentifier extension, but are present in trusted certs db."}].
-
-no_authority_key_identifier_keyEncipherment(Config) when is_list(Config) ->
- ClientExt = x509_test:extensions([{key_usage, [digitalSignature, keyEncipherment]}]),
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_chain,
- [[],[],[{extensions, ClientExt}]]}],
- Config, "_peer_keyEncipherment"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib,
- send_recv_result_active, []}},
- {options, [{active, true} | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib,
- send_recv_result_active, []}},
- {options, [{verify, verify_peer} | ClientOpts]}]),
- ssl_test_lib:check_result(Server, ok, Client, ok),
- ssl_test_lib:close(Server),
- ssl_test_lib:close(Client).
-
-
-%%--------------------------------------------------------------------
-
-invalid_signature_server() ->
- [{doc,"Test client with invalid signature"}].
-
-invalid_signature_server(Config) when is_list(Config) ->
- ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
- ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
-
- KeyFile = proplists:get_value(keyfile, ServerOpts),
- [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
- Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
-
- ServerCertFile = proplists:get_value(certfile, ServerOpts),
- NewServerCertFile = filename:join(PrivDir, "server_invalid_cert.pem"),
- [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),
- ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp),
- ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate,
- NewServerDerCert = public_key:pkix_sign(ServerOTPTbsCert, Key),
- ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),
- NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)],
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
- {from, self()},
- {options, NewServerOpts}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {options, [{verify, verify_peer} | ClientOpts]}]),
- ssl_test_lib:check_server_alert(Server, Client, unknown_ca).
-
-%%--------------------------------------------------------------------
-
-invalid_signature_client() ->
- [{doc,"Test server with invalid signature"}].
-
-invalid_signature_client(Config) when is_list(Config) ->
- ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
- ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
-
- KeyFile = proplists:get_value(keyfile, ClientOpts),
- [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
- Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
-
- ClientCertFile = proplists:get_value(certfile, ClientOpts),
- NewClientCertFile = filename:join(PrivDir, "client_invalid_cert.pem"),
- [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile),
- ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp),
- ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate,
- NewClientDerCert = public_key:pkix_sign(ClientOTPTbsCert, Key),
- ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]),
- NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)],
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
- {from, self()},
- {options, [{verify, verify_peer} | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {options, NewClientOpts}]),
-
- ssl_test_lib:check_client_alert(Server, Client, unknown_ca).
-
-%%--------------------------------------------------------------------
-
-client_with_cert_cipher_suites_handshake() ->
- [{doc, "Test that client with a certificate without keyEncipherment usage "
- " extension can connect to a server with restricted cipher suites "}].
-client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
- Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),
- {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{client_chain,
- [[], [], [{extensions, Ext}]]}],
- Config, "_sign_only_extensions"),
- ClientOpts = ssl_test_lib:ssl_options(ClientOpts0, Config),
- ServerOpts = ssl_test_lib:ssl_options(ServerOpts0, Config),
- TLSVersion = ssl_test_lib:protocol_version(Config, tuple),
-
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
- Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib,
- send_recv_result_active, []}},
- {options, [{active, true},
- {ciphers,
- ssl_test_lib:rsa_non_signed_suites(TLSVersion)}
- | ServerOpts]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib,
- send_recv_result_active, []}},
- {options, [{active, true}
- | ClientOpts]}]),
-
- ssl_test_lib:check_result(Server, ok, Client, ok),
- ssl_test_lib:close(Server),
- ssl_test_lib:close(Client).
-
-%%--------------------------------------------------------------------
-
-
-long_chain() ->
- [{doc,"Test option verify_peer"}].
-long_chain(Config) when is_list(Config) ->
- #{server_config := ServerConf,
- client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}],
- intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}],
- [{key, ssl_test_lib:hardcode_rsa_key(3)}],
- [{key, ssl_test_lib:hardcode_rsa_key(4)}]],
- peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]},
- client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}],
- intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}]],
- peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}),
- [ServerRoot| _] = ServerCas = proplists:get_value(cacerts, ServerConf),
- ClientCas = proplists:get_value(cacerts, ClientConf),
-
- Active = proplists:get_value(active, Config),
- ReceiveFunction = proplists:get_value(receive_function, Config),
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
- Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{active, Active}, {verify, verify_peer},
- {cacerts, [ServerRoot]} |
- proplists:delete(cacerts, ServerConf)]}]),
- Port = ssl_test_lib:inet_port(Server),
- Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {ssl_test_lib, ReceiveFunction, []}},
- {options, [{active, Active},
- {verify, verify_peer},
- {depth, 5},
- {cacerts, ServerCas ++ ClientCas} |
- proplists:delete(cacerts, ClientConf)]}]),
- ssl_test_lib:check_result(Server, ok, Client, ok),
- ssl_test_lib:close(Server),
- ssl_test_lib:close(Client).
-
-
-%%--------------------------------------------------------------------
-%% Internal functions ------------------------------------------------
-%%--------------------------------------------------------------------
- |