diff options
author | Ingela Anderton Andin <[email protected]> | 2019-07-31 10:56:15 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2019-07-31 10:56:15 +0200 |
commit | ddaf348ba205842e4f2735bf7f62da342a60a894 (patch) | |
tree | 611f6e0ba91d24d718cbfa4844db287bf69e39ec | |
parent | b3244adc38777adbb4474a1e34e098eecda370af (diff) | |
parent | 674e88190b5b47ca04e179ecb314f21a707f25a0 (diff) | |
download | otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.gz otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.bz2 otp-ddaf348ba205842e4f2735bf7f62da342a60a894.zip |
Merge branch 'ingela/ssl/test-enhancment' into maint
* ingela/ssl/test-enhancment:
ssl: Extend tests
ssl: Fix better OpenSSL support in test framework
ssl: Avoid broken ALPN/NPN renegotiation in OpenSSL
-rw-r--r-- | lib/ssl/test/openssl_alpn_SUITE.erl | 14 | ||||
-rw-r--r-- | lib/ssl/test/openssl_client_cert_SUITE.erl | 23 | ||||
-rw-r--r-- | lib/ssl/test/openssl_npn_SUITE.erl | 17 | ||||
-rw-r--r-- | lib/ssl/test/openssl_server_cert_SUITE.erl | 21 | ||||
-rw-r--r-- | lib/ssl/test/ssl_cert_SUITE.erl | 28 | ||||
-rw-r--r-- | lib/ssl/test/ssl_cert_tests.erl | 19 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 148 |
7 files changed, 205 insertions, 65 deletions
diff --git a/lib/ssl/test/openssl_alpn_SUITE.erl b/lib/ssl/test/openssl_alpn_SUITE.erl index 1e8912be7d..5008dba922 100644 --- a/lib/ssl/test/openssl_alpn_SUITE.erl +++ b/lib/ssl/test/openssl_alpn_SUITE.erl @@ -36,7 +36,7 @@ all() -> %% Note: ALPN not supported in sslv3 - case ssl_test_lib:openssl_sane_dtls() of + case ssl_test_lib:openssl_sane_dtls_alpn() of true -> [ {group, 'tlsv1.3'}, @@ -52,7 +52,7 @@ all() -> end. groups() -> - case ssl_test_lib:openssl_sane_dtls() of + case ssl_test_lib:openssl_sane_dtls_alpn() of true -> [ {'tlsv1.3', [], alpn_tests()}, @@ -85,9 +85,13 @@ alpn_npn_coexist() -> erlang_server_alpn_npn_openssl_client_alpn_npn ]. rengotiation_tests() -> - [erlang_client_alpn_openssl_server_alpn_renegotiate, - erlang_server_alpn_openssl_client_alpn_renegotiate]. - + case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of + true -> + [erlang_client_alpn_openssl_server_alpn_renegotiate, + erlang_server_alpn_openssl_client_alpn_renegotiate]; + false -> + [] + end. init_per_suite(Config0) -> case os:find_executable("openssl") of false -> diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl index 4844f06672..b327988744 100644 --- a/lib/ssl/test/openssl_client_cert_SUITE.erl +++ b/lib/ssl/test/openssl_client_cert_SUITE.erl @@ -47,7 +47,8 @@ groups() -> {rsa, [], all_version_tests()}, {ecdsa, [], all_version_tests()}, {dsa, [], all_version_tests()}, - {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]}, + {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth, + unsupported_sign_algo_cert_client_auth]}, {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()} ]. @@ -225,7 +226,21 @@ end_per_group(GroupName, Config) -> false -> Config end. - +init_per_testcase(TestCase, Config) when + TestCase == client_auth_empty_cert_accepted; + TestCase == client_auth_empty_cert_rejected -> + Version = proplists:get_value(version,Config), + case Version of + sslv3 -> + %% Openssl client sends "No Certificate Reserved" warning ALERT + %% instead of sending EMPTY cert message in SSL-3.0 so empty cert test are not + %% relevant + {skip, openssl_behaves_differently}; + _ -> + ssl_test_lib:ct_log_supported_protocol_versions(Config), + ct:timetrap({seconds, 10}), + Config + end; init_per_testcase(_TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), ct:timetrap({seconds, 10}), @@ -314,6 +329,10 @@ unsupported_sign_algo_cert_client_auth() -> ssl_cert_tests:unsupported_sign_algo_cert_client_auth(). unsupported_sign_algo_cert_client_auth(Config) -> ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config). +unsupported_sign_algo_client_auth() -> + ssl_cert_tests:unsupported_sign_algo_client_auth(). +unsupported_sign_algo_client_auth(Config) -> + ssl_cert_tests:unsupported_sign_algo_client_auth(Config). %%-------------------------------------------------------------------- hello_retry_client_auth() -> ssl_cert_tests:hello_retry_client_auth(). diff --git a/lib/ssl/test/openssl_npn_SUITE.erl b/lib/ssl/test/openssl_npn_SUITE.erl index f249ba47c2..0294f4997f 100644 --- a/lib/ssl/test/openssl_npn_SUITE.erl +++ b/lib/ssl/test/openssl_npn_SUITE.erl @@ -41,21 +41,28 @@ all() -> {group, 'tlsv1'}]. groups() -> - [{'tlsv1.2', [], npn_tests()}, - {'tlsv1.1', [], npn_tests()}, - {'tlsv1', [], npn_tests()} + [{'tlsv1.2', [], npn_tests() ++ npn_renegotiate_tests()}, + {'tlsv1.1', [], npn_tests() ++ npn_renegotiate_tests()}, + {'tlsv1', [], npn_tests() ++ npn_renegotiate_tests()} ]. npn_tests() -> [erlang_client_openssl_server_npn, erlang_server_openssl_client_npn, - erlang_server_openssl_client_npn_renegotiate, - erlang_client_openssl_server_npn_renegotiate, erlang_server_openssl_client_npn_only_client, erlang_server_openssl_client_npn_only_server, erlang_client_openssl_server_npn_only_client, erlang_client_openssl_server_npn_only_server]. +npn_renegotiate_tests() -> + case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of + true -> + [erlang_server_openssl_client_npn_renegotiate, + erlang_client_openssl_server_npn_renegotiate]; + false -> + [] + end. + init_per_suite(Config0) -> case os:find_executable("openssl") of false -> diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl index 83b0884f66..c2af864a92 100644 --- a/lib/ssl/test/openssl_server_cert_SUITE.erl +++ b/lib/ssl/test/openssl_server_cert_SUITE.erl @@ -46,7 +46,10 @@ groups() -> {rsa, [], all_version_tests()}, {ecdsa, [], all_version_tests()}, {dsa, [], all_version_tests()}, - {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]}, + {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}, + %% TODO: Create proper conf of openssl server + %%++ [unsupported_sign_algo_client_auth, + %% unsupported_sign_algo_cert_client_auth]}, {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()} ]. @@ -342,18 +345,22 @@ hello_retry_request(Config) -> ssl_cert_tests:hello_retry_request(Config). %%-------------------------------------------------------------------- custom_groups() -> - ssl_cert_tests:custom_groups(). + ssl_cert_tests:custom_groups(). custom_groups(Config) -> - ssl_cert_tests:custom_groups(Config). + ssl_cert_tests:custom_groups(Config). unsupported_sign_algo_cert_client_auth() -> - ssl_cert_tests:unsupported_sign_algo_cert_client_auth(). + ssl_cert_tests:unsupported_sign_algo_cert_client_auth(). unsupported_sign_algo_cert_client_auth(Config) -> ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config). +unsupported_sign_algo_client_auth() -> + ssl_cert_tests:unsupported_sign_algo_client_auth(). +unsupported_sign_algo_client_auth(Config) -> + ssl_cert_tests:unsupported_sign_algo_client_auth(Config). %%-------------------------------------------------------------------- hello_retry_client_auth() -> - ssl_cert_tests:hello_retry_client_auth(). + ssl_cert_tests:hello_retry_client_auth(). hello_retry_client_auth(Config) -> - ssl_cert_tests:hello_retry_client_auth(Config). + ssl_cert_tests:hello_retry_client_auth(Config). %%-------------------------------------------------------------------- hello_retry_client_auth_empty_cert_accepted() -> ssl_cert_tests:hello_retry_client_auth_empty_cert_accepted(). @@ -363,4 +370,4 @@ hello_retry_client_auth_empty_cert_accepted(Config) -> hello_retry_client_auth_empty_cert_rejected() -> ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(). hello_retry_client_auth_empty_cert_rejected(Config) -> - ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config). + ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config). diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl index 571e7428ea..fb1695f38a 100644 --- a/lib/ssl/test/ssl_cert_SUITE.erl +++ b/lib/ssl/test/ssl_cert_SUITE.erl @@ -53,7 +53,8 @@ groups() -> {rsa, [], all_version_tests()}, {ecdsa, [], all_version_tests()}, {dsa, [], all_version_tests()}, - {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]}, + {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth, + unsupported_sign_algo_cert_client_auth]}, {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()} ]. @@ -208,12 +209,12 @@ auth(Config) -> ssl_cert_tests:auth(Config). %%-------------------------------------------------------------------- client_auth_empty_cert_accepted() -> - ssl_cert_tests:client_auth_empty_cert_accepted(). + ssl_cert_tests:client_auth_empty_cert_accepted(). client_auth_empty_cert_accepted(Config) -> ssl_cert_tests:client_auth_empty_cert_accepted(Config). %%-------------------------------------------------------------------- client_auth_empty_cert_rejected() -> - ssl_cert_tests:client_auth_empty_cert_rejected(). + ssl_cert_tests:client_auth_empty_cert_rejected(). client_auth_empty_cert_rejected(Config) -> ssl_cert_tests:client_auth_empty_cert_rejected(Config). %%-------------------------------------------------------------------- @@ -239,7 +240,6 @@ client_auth_partial_chain_fun_fail() -> client_auth_partial_chain_fun_fail(Config) when is_list(Config) -> ssl_cert_tests:client_auth_partial_chain_fun_fail(Config). - %%-------------------------------------------------------------------- missing_root_cert_no_auth() -> ssl_cert_tests:missing_root_cert_no_auth(). @@ -484,11 +484,27 @@ unsupported_sign_algo_cert_client_auth(Config) -> ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config), ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer}, + {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]}, + %% Skip rsa_pkcs1_sha256! + {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]}, + {fail_if_no_peer_cert, true}|ServerOpts0], + ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required). + +%%-------------------------------------------------------------------- +unsupported_sign_algo_client_auth() -> + [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}]. + +unsupported_sign_algo_client_auth(Config) -> + ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config), + ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config), + ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, + {verify, verify_peer}, %% Skip rsa_pkcs1_sha256! - {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]}, + {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]}, {fail_if_no_peer_cert, true}|ServerOpts0], ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], - ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure). + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security). %%-------------------------------------------------------------------- hello_retry_client_auth() -> [{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}]. diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl index 1c73dac3f9..c88daa2185 100644 --- a/lib/ssl/test/ssl_cert_tests.erl +++ b/lib/ssl/test/ssl_cert_tests.erl @@ -262,11 +262,26 @@ unsupported_sign_algo_cert_client_auth(Config) -> ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config), ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer}, + {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]}, %% Skip rsa_pkcs1_sha256! - {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]}, + {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]}, {fail_if_no_peer_cert, true}|ServerOpts0], ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], - ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure). + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required). +%%-------------------------------------------------------------------- +unsupported_sign_algo_client_auth() -> + [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}]. + +unsupported_sign_algo_client_auth(Config) -> + ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config), + ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config), + ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, + {verify, verify_peer}, + %% Skip rsa_pkcs1_sha256! + {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]}, + {fail_if_no_peer_cert, true}|ServerOpts0], + ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security). %%-------------------------------------------------------------------- hello_retry_client_auth() -> [{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}]. diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 7009a628f1..7dd27fb5cb 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -648,8 +648,7 @@ cert_options(Config) -> "badcert.pem"]), BadKeyFile = filename:join([proplists:get_value(priv_dir, Config), "badkey.pem"]), - PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>, - + [{client_opts, [{cacertfile, ClientCaCertFile}, {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}, @@ -1227,6 +1226,11 @@ basic_test(COpts, SOpts, Config) -> stop(Server, Client). basic_alert(ClientOpts, ServerOpts, Config, Alert) -> + SType = proplists:get_value(server_type, Config), + CType = proplists:get_value(client_type, Config), + run_basic_alert(SType, CType, ClientOpts, ServerOpts, Config, Alert). + +run_basic_alert(erlang, erlang, ClientOpts, ServerOpts, Config, Alert) -> {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), Server = start_server_error([{node, ServerNode}, {port, 0}, @@ -1242,7 +1246,30 @@ basic_alert(ClientOpts, ServerOpts, Config, Alert) -> {mfa, {ssl_test_lib, no_result, []}}, {options, ClientOpts}]), - check_server_alert(Server, Client, Alert). + check_server_alert(Server, Client, Alert); +run_basic_alert(openssl = SType, erlang, ClientOpts, ServerOpts, Config, Alert) -> + {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), + {_Server, Port} = start_server(SType, ClientOpts, ServerOpts, Config), + ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), + Client = start_client_error([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, ClientOpts}]), + + check_client_alert(Client, Alert); +run_basic_alert(erlang, openssl = CType, ClientOpts, ServerOpts, Config, Alert) -> + {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Server = start_server_error([{node, ServerNode}, {port, 0}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, ServerOpts}]), + Port = inet_port(Server), + start_client(CType, Port, ClientOpts, Config), + + check_server_alert(Server, Alert). + ecc_test(Expect, COpts, SOpts, CECCOpts, SECCOpts, Config) -> {Server, Port} = start_server_ecc(erlang, SOpts, Expect, SECCOpts, Config), @@ -1285,32 +1312,23 @@ start_basic_client(openssl, Version, Port, ClientOpts) -> OpenSslPort. start_client(openssl, Port, ClientOpts, Config) -> - Cert = proplists:get_value(certfile, ClientOpts), - Key = proplists:get_value(keyfile, ClientOpts), - CA = proplists:get_value(cacertfile, ClientOpts), Version = ssl_test_lib:protocol_version(Config), Exe = "openssl", + Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)), Groups0 = proplists:get_value(groups, ClientOpts), + CertArgs = openssl_cert_options(ClientOpts, client), Exe = "openssl", - Args0 = ["s_client", "-verify", "2", "-port", integer_to_list(Port), - ssl_test_lib:version_flag(Version), - "-CAfile", CA, "-host", "localhost", "-msg", "-debug"], - Args1 = - case Groups0 of - undefined -> - Args0; - G -> - Args0 ++ ["-groups", G] - end, - Args2 = - case {Cert, Key} of - {C, K} when C =:= undefined orelse - K =:= undefined -> - Args1; - {C, K} -> - Args1 ++ ["-cert", C, "-key", K] - end, - Args = maybe_force_ipv4(Args2), + Args0 = case Groups0 of + undefined -> + ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version), + ciphers(Ciphers, Version), + ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]; + Group -> + ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version), + ciphers(Ciphers, Version), "-groups", Group, + ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"] + end, + Args = maybe_force_ipv4(Args0), OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args), true = port_command(OpenSslPort, "Hello world"), OpenSslPort; @@ -1361,11 +1379,19 @@ start_server(openssl, ClientOpts, ServerOpts, Config) -> Port = inet_port(node()), Version = protocol_version(Config), Exe = "openssl", - CertArgs = openssl_cert_options(ServerOpts), - [Cipher|_] = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)), - Args = ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version), - ssl_cipher_format:suite_map_to_openssl_str(Cipher), - ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"], + CertArgs = openssl_cert_options(ServerOpts, server), + Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)), + Groups0 = proplists:get_value(groups, ServerOpts), + Args = case Groups0 of + undefined -> + ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version), + ciphers(Ciphers, Version), + ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]; + Group -> + ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version), + ciphers(Ciphers, Version), "-groups", Group, + ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"] + end, OpenSslPort = portable_open_port(Exe, Args), true = port_command(OpenSslPort, "Hello world"), {OpenSslPort, Port}; @@ -1380,12 +1406,28 @@ start_server(erlang, _, ServerOpts, Config) -> [KeyEx]}}, {options, [{verify, verify_peer}, {versions, Versions} | ServerOpts]}]), {Server, inet_port(Server)}. - + cipher_flag('tlsv1.3') -> - "-ciphersuites"; + "-ciphersuites"; cipher_flag(_) -> "-cipher". +ciphers(Ciphers, Version) -> + Strs = [ssl_cipher_format:suite_map_to_openssl_str(Cipher) || Cipher <- Ciphers], + ciphers_concat(Version, Strs, ""). + +ciphers_concat(_, [], [":" | Acc]) -> + lists:append(lists:reverse(Acc)); +ciphers_concat('tlsv1.3' = Version, [Head| Tail], Acc) -> + case Head of + "TLS" ++ _ -> + ciphers_concat(Version, Tail, [":", Head | Acc]); + _ -> + ciphers_concat(Version, Tail, Acc) + end; +ciphers_concat(Version, [Head| Tail], Acc) -> + ciphers_concat(Version, Tail, [":", Head | Acc]). + start_server_with_raw_key(erlang, ServerOpts, Config) -> {_, ServerNode, _} = ssl_test_lib:run_where(Config), Server = start_server([{node, ServerNode}, {port, 0}, @@ -1439,23 +1481,31 @@ stop(Client, Server) -> close(Client). -openssl_cert_options(ServerOpts) -> - Cert = proplists:get_value(certfile, ServerOpts, undefined), - Key = proplists:get_value(keyfile, ServerOpts, undefined), - CA = proplists:get_value(cacertfile, ServerOpts, undefined), +openssl_cert_options(Opts, Role) -> + Cert = proplists:get_value(certfile, Opts, undefined), + Key = proplists:get_value(keyfile, Opts, undefined), + CA = proplists:get_value(cacertfile, Opts, undefined), case CA of undefined -> case cert_option("-cert", Cert) ++ cert_option("-key", Key) of - [] -> + [] when Role == server -> ["-nocert"]; Other -> Other end; _ -> cert_option("-cert", Cert) ++ cert_option("-CAfile", CA) ++ - cert_option("-key", Key) ++ ["-verify", "2"] + cert_option("-key", Key) ++ openssl_verify(Opts) ++ ["2"] end. +openssl_verify(Opts) -> + case proplists:get_value(fail_if_no_peer_cert, Opts, undefined) of + true -> + ["-Verify"]; + _ -> + ["-verify"] + end. + cert_option(_, undefined) -> []; cert_option(Opt, Value) -> @@ -2716,3 +2766,25 @@ new_config(PrivDir, ServerOpts0) -> [{cacertfile, NewCaCertFile}, {certfile, NewCertFile}, {keyfile, NewKeyFile} | ServerOpts]. + +sane_openssl_alpn_npn_renegotiate() -> + case os:cmd("openssl version") of + "LibreSSL 2.9.1" ++ _ -> + false; + "LibreSSL 2.6.4" ++ _ -> + false; + "OpenSSL 1.1.1a-freebsd" ++ _ -> + false; + _ -> + true + end. + +openssl_sane_dtls_alpn() -> + case os:cmd("openssl version") of + "OpenSSL 1.1.0g" ++ _ -> + false; + "OpenSSL 1.1.1a" ++ _ -> + false; + _-> + openssl_sane_dtls() + end. |