Merge branch 'ingela/ssl/test-enhancment' into maint

* ingela/ssl/test-enhancment: ssl: Extend tests ssl: Fix better OpenSSL support in test framework ssl: Avoid broken ALPN/NPN renegotiation in OpenSSL
author: Ingela Anderton Andin <[email protected]> 2019-07-31 10:56:15 +0200
committer: Ingela Anderton Andin <[email protected]> 2019-07-31 10:56:15 +0200
commit: ddaf348ba205842e4f2735bf7f62da342a60a894 (patch)
tree: 611f6e0ba91d24d718cbfa4844db287bf69e39ec
parent: b3244adc38777adbb4474a1e34e098eecda370af (diff)
parent: 674e88190b5b47ca04e179ecb314f21a707f25a0 (diff)
download: otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.gz
otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.bz2
otp-ddaf348ba205842e4f2735bf7f62da342a60a894.zip
7 files changed, 205 insertions, 65 deletions
diff --git a/lib/ssl/test/openssl_alpn_SUITE.erl b/lib/ssl/test/openssl_alpn_SUITE.erl
index 1e8912be7d..5008dba922 100644
--- a/lib/ssl/test/openssl_alpn_SUITE.erl
+++ b/lib/ssl/test/openssl_alpn_SUITE.erl
@@ -36,7 +36,7 @@
 
 all() ->
     %% Note: ALPN not supported in sslv3
-    case ssl_test_lib:openssl_sane_dtls() of 
+    case ssl_test_lib:openssl_sane_dtls_alpn() of 
         true ->
             [
              {group, 'tlsv1.3'},
@@ -52,7 +52,7 @@ all() ->
     end.
 
 groups() ->
-    case ssl_test_lib:openssl_sane_dtls() of 
+    case ssl_test_lib:openssl_sane_dtls_alpn() of 
         true ->             
             [
              {'tlsv1.3', [], alpn_tests()},
@@ -85,9 +85,13 @@ alpn_npn_coexist() ->
      erlang_server_alpn_npn_openssl_client_alpn_npn  
     ].
 rengotiation_tests() ->
-     [erlang_client_alpn_openssl_server_alpn_renegotiate,
-      erlang_server_alpn_openssl_client_alpn_renegotiate].
-
+    case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+        true ->
+            [erlang_client_alpn_openssl_server_alpn_renegotiate,
+             erlang_server_alpn_openssl_client_alpn_renegotiate];
+        false ->
+            []
+    end.
 init_per_suite(Config0) ->
     case os:find_executable("openssl") of
         false ->
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 4844f06672..b327988744 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -47,7 +47,8 @@ groups() ->
      {rsa, [], all_version_tests()},
      {ecdsa, [], all_version_tests()},
      {dsa, [], all_version_tests()},
-     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth,
+                                                              unsupported_sign_algo_cert_client_auth]},
      {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
     ].
 
@@ -225,7 +226,21 @@ end_per_group(GroupName, Config) ->
         false ->
             Config
     end.
-
+init_per_testcase(TestCase, Config) when 
+      TestCase == client_auth_empty_cert_accepted;
+      TestCase == client_auth_empty_cert_rejected ->
+    Version = proplists:get_value(version,Config),
+    case Version of
+        sslv3 ->
+            %% Openssl client sends "No Certificate Reserved" warning ALERT
+            %% instead of sending EMPTY cert message in SSL-3.0 so empty cert test are not
+            %% relevant
+            {skip, openssl_behaves_differently};
+        _ -> 
+            ssl_test_lib:ct_log_supported_protocol_versions(Config),
+            ct:timetrap({seconds, 10}),
+            Config
+    end;
 init_per_testcase(_TestCase, Config) ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
     ct:timetrap({seconds, 10}),
@@ -314,6 +329,10 @@ unsupported_sign_algo_cert_client_auth() ->
  ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
 unsupported_sign_algo_cert_client_auth(Config) ->
     ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config).
+unsupported_sign_algo_client_auth() ->
+ ssl_cert_tests:unsupported_sign_algo_client_auth().
+unsupported_sign_algo_client_auth(Config) ->
+    ssl_cert_tests:unsupported_sign_algo_client_auth(Config).
 %%--------------------------------------------------------------------
 hello_retry_client_auth() ->
  ssl_cert_tests:hello_retry_client_auth().
diff --git a/lib/ssl/test/openssl_npn_SUITE.erl b/lib/ssl/test/openssl_npn_SUITE.erl
index f249ba47c2..0294f4997f 100644
--- a/lib/ssl/test/openssl_npn_SUITE.erl
+++ b/lib/ssl/test/openssl_npn_SUITE.erl
@@ -41,21 +41,28 @@ all() ->
      {group, 'tlsv1'}].
 
 groups() ->
-    [{'tlsv1.2', [], npn_tests()},
-     {'tlsv1.1', [], npn_tests()},
-     {'tlsv1', [], npn_tests()}
+    [{'tlsv1.2', [], npn_tests() ++ npn_renegotiate_tests()},
+     {'tlsv1.1', [], npn_tests() ++ npn_renegotiate_tests()},
+     {'tlsv1', [], npn_tests() ++ npn_renegotiate_tests()}
     ].
  
 npn_tests() ->
     [erlang_client_openssl_server_npn,
      erlang_server_openssl_client_npn,
-     erlang_server_openssl_client_npn_renegotiate,
-     erlang_client_openssl_server_npn_renegotiate,
      erlang_server_openssl_client_npn_only_client,
      erlang_server_openssl_client_npn_only_server,
      erlang_client_openssl_server_npn_only_client,
      erlang_client_openssl_server_npn_only_server].
 
+npn_renegotiate_tests() ->
+   case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+        true ->
+           [erlang_server_openssl_client_npn_renegotiate,
+            erlang_client_openssl_server_npn_renegotiate];
+        false ->
+            []
+    end.
+
 init_per_suite(Config0) ->
     case os:find_executable("openssl") of
         false ->
diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl
index 83b0884f66..c2af864a92 100644
--- a/lib/ssl/test/openssl_server_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_server_cert_SUITE.erl
@@ -46,7 +46,10 @@ groups() ->
      {rsa, [], all_version_tests()},
      {ecdsa, [], all_version_tests()},
      {dsa, [], all_version_tests()},
-     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests()},
+      %% TODO: Create proper conf of openssl server
+      %%++ [unsupported_sign_algo_client_auth,
+      %% unsupported_sign_algo_cert_client_auth]},
      {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
     ].
 
@@ -342,18 +345,22 @@ hello_retry_request(Config) ->
     ssl_cert_tests:hello_retry_request(Config).
 %%--------------------------------------------------------------------
 custom_groups() ->
- ssl_cert_tests:custom_groups().
+    ssl_cert_tests:custom_groups().
 custom_groups(Config) ->
-  ssl_cert_tests:custom_groups(Config).
+    ssl_cert_tests:custom_groups(Config).
 unsupported_sign_algo_cert_client_auth() ->
- ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
+    ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
 unsupported_sign_algo_cert_client_auth(Config) ->
     ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config).
+unsupported_sign_algo_client_auth() ->
+    ssl_cert_tests:unsupported_sign_algo_client_auth().
+unsupported_sign_algo_client_auth(Config) ->
+    ssl_cert_tests:unsupported_sign_algo_client_auth(Config).
 %%--------------------------------------------------------------------
 hello_retry_client_auth() ->
- ssl_cert_tests:hello_retry_client_auth().
+    ssl_cert_tests:hello_retry_client_auth().
 hello_retry_client_auth(Config) ->
-  ssl_cert_tests:hello_retry_client_auth(Config).
+    ssl_cert_tests:hello_retry_client_auth(Config).
 %%--------------------------------------------------------------------
 hello_retry_client_auth_empty_cert_accepted() ->
     ssl_cert_tests:hello_retry_client_auth_empty_cert_accepted().
@@ -363,4 +370,4 @@ hello_retry_client_auth_empty_cert_accepted(Config) ->
 hello_retry_client_auth_empty_cert_rejected() ->
     ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected().
 hello_retry_client_auth_empty_cert_rejected(Config) ->
-   ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config).
+    ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config).
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index 571e7428ea..fb1695f38a 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -53,7 +53,8 @@ groups() ->
      {rsa, [], all_version_tests()},
      {ecdsa, [], all_version_tests()},
      {dsa, [], all_version_tests()},
-     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+     {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth,
+                                                              unsupported_sign_algo_cert_client_auth]},
      {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
     ].
 
@@ -208,12 +209,12 @@ auth(Config) ->
     ssl_cert_tests:auth(Config).
 %%--------------------------------------------------------------------
 client_auth_empty_cert_accepted() ->
-     ssl_cert_tests:client_auth_empty_cert_accepted().
+    ssl_cert_tests:client_auth_empty_cert_accepted().
 client_auth_empty_cert_accepted(Config) ->
     ssl_cert_tests:client_auth_empty_cert_accepted(Config).
 %%--------------------------------------------------------------------
 client_auth_empty_cert_rejected() ->
-      ssl_cert_tests:client_auth_empty_cert_rejected().
+    ssl_cert_tests:client_auth_empty_cert_rejected().
 client_auth_empty_cert_rejected(Config) ->
     ssl_cert_tests:client_auth_empty_cert_rejected(Config).
 %%--------------------------------------------------------------------
@@ -239,7 +240,6 @@ client_auth_partial_chain_fun_fail() ->
 client_auth_partial_chain_fun_fail(Config) when is_list(Config) ->
     ssl_cert_tests:client_auth_partial_chain_fun_fail(Config).
 
-
 %%--------------------------------------------------------------------
 missing_root_cert_no_auth() ->
    ssl_cert_tests:missing_root_cert_no_auth().
@@ -484,11 +484,27 @@ unsupported_sign_algo_cert_client_auth(Config) ->
     ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
     ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
                   {verify, verify_peer},
+                  {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+                  %% Skip rsa_pkcs1_sha256!
+                  {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
+                  {fail_if_no_peer_cert, true}|ServerOpts0],
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
+
+%%--------------------------------------------------------------------
+unsupported_sign_algo_client_auth() ->
+     [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}].
+
+unsupported_sign_algo_client_auth(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {verify, verify_peer},
                   %% Skip rsa_pkcs1_sha256!
-                  {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+                  {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
                   {fail_if_no_peer_cert, true}|ServerOpts0],
     ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
-    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure).
+    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
 %%--------------------------------------------------------------------
 hello_retry_client_auth() ->
     [{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}].
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index 1c73dac3f9..c88daa2185 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -262,11 +262,26 @@ unsupported_sign_algo_cert_client_auth(Config) ->
     ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
     ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
                   {verify, verify_peer},
+                  {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
                   %% Skip rsa_pkcs1_sha256!
-                  {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+                  {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
                   {fail_if_no_peer_cert, true}|ServerOpts0],
     ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
-    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure).
+    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
+%%--------------------------------------------------------------------
+unsupported_sign_algo_client_auth() ->
+     [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}].
+
+unsupported_sign_algo_client_auth(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {verify, verify_peer},
+                  %% Skip rsa_pkcs1_sha256!
+                  {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
+                  {fail_if_no_peer_cert, true}|ServerOpts0],
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
 %%--------------------------------------------------------------------
 hello_retry_client_auth() ->
     [{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}].
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 7009a628f1..7dd27fb5cb 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -648,8 +648,7 @@ cert_options(Config) ->
 				   "badcert.pem"]),
     BadKeyFile = filename:join([proplists:get_value(priv_dir, Config), 
 			      "badkey.pem"]),
-    PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>,
-
+    
     [{client_opts, [{cacertfile, ClientCaCertFile}, 
 		    {certfile, ClientCertFile},  
 		    {keyfile, ClientKeyFile}]}, 
@@ -1227,6 +1226,11 @@ basic_test(COpts, SOpts, Config) ->
     stop(Server, Client).    
 
 basic_alert(ClientOpts, ServerOpts, Config, Alert) ->
+    SType = proplists:get_value(server_type, Config),
+    CType = proplists:get_value(client_type, Config),
+    run_basic_alert(SType, CType, ClientOpts, ServerOpts, Config, Alert).
+
+run_basic_alert(erlang, erlang, ClientOpts, ServerOpts, Config, Alert) ->
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     
     Server = start_server_error([{node, ServerNode}, {port, 0},
@@ -1242,7 +1246,30 @@ basic_alert(ClientOpts, ServerOpts, Config, Alert) ->
                                               {mfa, {ssl_test_lib, no_result, []}},
 					      {options, ClientOpts}]),
 
-    check_server_alert(Server, Client, Alert).
+    check_server_alert(Server, Client, Alert);
+run_basic_alert(openssl = SType, erlang, ClientOpts, ServerOpts, Config, Alert) ->
+    {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+    {_Server, Port} = start_server(SType, ClientOpts, ServerOpts, Config),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
+    Client = start_client_error([{node, ClientNode}, {port, Port},
+                                 {host, Hostname},
+                                 {from, self()},
+                                 {mfa, {ssl_test_lib, no_result, []}},
+					      {options, ClientOpts}]),
+    
+    check_client_alert(Client, Alert);
+run_basic_alert(erlang, openssl = CType, ClientOpts, ServerOpts, Config, Alert) ->
+    {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = start_server_error([{node, ServerNode}, {port, 0},
+                                 {host, Hostname},
+                                 {from, self()},
+                                 {mfa, {ssl_test_lib, no_result, []}},
+                                 {options, ServerOpts}]),
+    Port  = inet_port(Server),
+    start_client(CType, Port, ClientOpts, Config),
+
+    check_server_alert(Server, Alert).
+    
 
 ecc_test(Expect, COpts, SOpts, CECCOpts, SECCOpts, Config) ->
     {Server, Port} = start_server_ecc(erlang, SOpts, Expect, SECCOpts, Config),
@@ -1285,32 +1312,23 @@ start_basic_client(openssl, Version, Port, ClientOpts) ->
     OpenSslPort.
 
 start_client(openssl, Port, ClientOpts, Config) ->
-    Cert = proplists:get_value(certfile, ClientOpts),
-    Key = proplists:get_value(keyfile, ClientOpts),
-    CA = proplists:get_value(cacertfile, ClientOpts),
     Version = ssl_test_lib:protocol_version(Config),
     Exe = "openssl",
+    Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
     Groups0 = proplists:get_value(groups, ClientOpts),
+    CertArgs = openssl_cert_options(ClientOpts, client),
     Exe = "openssl",
-    Args0 = ["s_client", "-verify", "2", "-port", integer_to_list(Port),
-	    ssl_test_lib:version_flag(Version),
-	    "-CAfile", CA, "-host", "localhost", "-msg", "-debug"],
-    Args1 =
-       case Groups0 of
-           undefined ->
-               Args0;
-           G ->
-               Args0 ++ ["-groups", G]
-       end,
-    Args2 =
-       case {Cert, Key} of
-           {C, K} when C =:= undefined orelse
-                       K =:= undefined ->
-               Args1;
-           {C, K} ->
-               Args1 ++ ["-cert", C, "-key", K]
-       end,
-    Args = maybe_force_ipv4(Args2),
+    Args0 =  case Groups0 of
+                undefined ->
+                    ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version),
+                     ciphers(Ciphers, Version),
+                     ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"];
+                Group ->
+                    ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version),
+                     ciphers(Ciphers, Version), "-groups", Group, 
+                     ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]
+            end,
+    Args = maybe_force_ipv4(Args0),
     OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args), 
     true = port_command(OpenSslPort, "Hello world"),
     OpenSslPort;
@@ -1361,11 +1379,19 @@ start_server(openssl, ClientOpts, ServerOpts, Config) ->
     Port = inet_port(node()),
     Version = protocol_version(Config),
     Exe = "openssl",
-    CertArgs = openssl_cert_options(ServerOpts),
-    [Cipher|_] = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
-    Args = ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
-            ssl_cipher_format:suite_map_to_openssl_str(Cipher),
-            ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"],
+    CertArgs = openssl_cert_options(ServerOpts, server),
+    Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
+    Groups0 = proplists:get_value(groups, ServerOpts),
+    Args =  case Groups0 of
+                undefined ->
+                    ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
+                     ciphers(Ciphers, Version),
+                     ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"];
+                Group ->
+                       ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
+                        ciphers(Ciphers, Version), "-groups", Group, 
+                        ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]
+            end,
     OpenSslPort = portable_open_port(Exe, Args),
     true = port_command(OpenSslPort, "Hello world"),
     {OpenSslPort, Port};
@@ -1380,12 +1406,28 @@ start_server(erlang, _, ServerOpts, Config) ->
                                   [KeyEx]}},
                            {options, [{verify, verify_peer}, {versions, Versions} | ServerOpts]}]),
     {Server, inet_port(Server)}.
-
+ 
 cipher_flag('tlsv1.3') ->
-    "-ciphersuites";
+     "-ciphersuites";
 cipher_flag(_) ->
     "-cipher".
 
+ciphers(Ciphers, Version) ->
+    Strs = [ssl_cipher_format:suite_map_to_openssl_str(Cipher) || Cipher <- Ciphers],
+    ciphers_concat(Version, Strs, "").
+
+ciphers_concat(_, [], [":" | Acc]) ->
+    lists:append(lists:reverse(Acc));
+ciphers_concat('tlsv1.3' = Version, [Head| Tail], Acc) ->
+    case Head of
+        "TLS" ++ _ ->
+            ciphers_concat(Version, Tail, [":", Head | Acc]);
+        _ ->
+            ciphers_concat(Version, Tail, Acc)
+    end;
+ciphers_concat(Version,  [Head| Tail], Acc) ->
+    ciphers_concat(Version, Tail, [":", Head | Acc]).
+
 start_server_with_raw_key(erlang, ServerOpts, Config) ->
     {_, ServerNode, _} = ssl_test_lib:run_where(Config),
     Server = start_server([{node, ServerNode}, {port, 0},
@@ -1439,23 +1481,31 @@ stop(Client, Server)  ->
     close(Client).
 
 
-openssl_cert_options(ServerOpts) ->
-    Cert = proplists:get_value(certfile, ServerOpts, undefined),
-    Key = proplists:get_value(keyfile, ServerOpts, undefined),
-    CA = proplists:get_value(cacertfile, ServerOpts, undefined),
+openssl_cert_options(Opts, Role) ->
+    Cert = proplists:get_value(certfile, Opts, undefined),
+    Key = proplists:get_value(keyfile, Opts, undefined),
+    CA = proplists:get_value(cacertfile, Opts, undefined),
     case CA of
         undefined ->
             case cert_option("-cert", Cert) ++ cert_option("-key", Key) of
-                [] ->
+                [] when Role == server ->
                     ["-nocert"];
                 Other ->
                     Other
             end;
         _ ->
             cert_option("-cert", Cert) ++  cert_option("-CAfile", CA) ++
-                cert_option("-key", Key) ++ ["-verify", "2"]
+                cert_option("-key", Key) ++ openssl_verify(Opts) ++ ["2"]
     end.
 
+openssl_verify(Opts) ->
+      case proplists:get_value(fail_if_no_peer_cert, Opts, undefined) of
+          true ->
+              ["-Verify"];
+          _ ->
+              ["-verify"]
+      end.
+    
 cert_option(_, undefined) ->
     [];
 cert_option(Opt, Value) ->
@@ -2716,3 +2766,25 @@ new_config(PrivDir, ServerOpts0) ->
 
     [{cacertfile, NewCaCertFile}, {certfile, NewCertFile},
      {keyfile, NewKeyFile} | ServerOpts].
+
+sane_openssl_alpn_npn_renegotiate() ->
+     case os:cmd("openssl version") of 
+         "LibreSSL 2.9.1" ++ _ ->
+             false;
+         "LibreSSL 2.6.4" ++ _ ->
+             false;
+         "OpenSSL 1.1.1a-freebsd" ++ _ ->
+             false;
+         _  ->
+             true
+     end.
+
+openssl_sane_dtls_alpn() ->
+    case os:cmd("openssl version") of
+        "OpenSSL 1.1.0g" ++ _ ->
+            false;
+        "OpenSSL 1.1.1a" ++ _ ->
+            false;
+        _->
+            openssl_sane_dtls()
+    end.
author	Ingela Anderton Andin <[email protected]>	2019-07-31 10:56:15 +0200
committer	Ingela Anderton Andin <[email protected]>	2019-07-31 10:56:15 +0200
commit	ddaf348ba205842e4f2735bf7f62da342a60a894 (patch)
tree	611f6e0ba91d24d718cbfa4844db287bf69e39ec
parent	b3244adc38777adbb4474a1e34e098eecda370af (diff)
parent	674e88190b5b47ca04e179ecb314f21a707f25a0 (diff)
download	otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.gz otp-ddaf348ba205842e4f2735bf7f62da342a60a894.tar.bz2 otp-ddaf348ba205842e4f2735bf7f62da342a60a894.zip