1 files changed, 104 insertions, 32 deletions
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index da744f7368..ed4bd86665 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -226,6 +226,17 @@ run_client(Opts) ->
 		    ct:log("~p:~p~nClient faild several times: connection failed: ~p ~n", [?MODULE,?LINE, Reason]),
 		    Pid ! {self(), {error, Reason}}
 	    end;
+	{error, econnreset = Reason} ->
+	      case get(retries) of
+		N when N < 5 ->
+		    ct:log("~p:~p~neconnreset retries=~p sleep ~p",[?MODULE,?LINE, N,?SLEEP]),
+		    put(retries, N+1),
+		    ct:sleep(?SLEEP),
+		    run_client(Opts);
+	       _ ->
+		    ct:log("~p:~p~nClient faild several times: connection failed: ~p ~n", [?MODULE,?LINE, Reason]),
+		    Pid ! {self(), {error, Reason}}
+	    end;
 	{error, Reason} ->
 	    ct:log("~p:~p~nClient: connection failed: ~p ~n", [?MODULE,?LINE, Reason]),
 	    Pid ! {connect_failed, Reason};
@@ -241,7 +252,21 @@ close(Pid) ->
     receive
 	{'DOWN', Monitor, process, Pid, Reason} ->
 	    erlang:demonitor(Monitor),
-	    ct:log("~p:~p~nPid: ~p down due to:~p ~n", [?MODULE,?LINE, Pid, Reason])
+	    ct:log("~p:~p~nPid: ~p down due to:~p ~n", [?MODULE,?LINE, Pid, Reason]) 
+		
+    end.
+
+close(Pid, Timeout) ->
+    ct:log("~p:~p~n Close ~p ~n", [?MODULE,?LINE, Pid]),
+    Monitor = erlang:monitor(process, Pid),
+    Pid ! close,
+    receive
+	{'DOWN', Monitor, process, Pid, Reason} ->
+	    erlang:demonitor(Monitor),
+	    ct:log("~p:~p~nPid: ~p down due to:~p ~n", [?MODULE,?LINE, Pid, Reason]) 
+    after 
+	Timeout ->
+	    exit(Pid, kill)
     end.
 
 check_result(Server, ServerMsg, Client, ClientMsg) -> 
@@ -360,7 +385,7 @@ cert_options(Config) ->
     SNIServerAKeyFile = filename:join([?config(priv_dir, Config), "a.server", "key.pem"]),
     SNIServerBCertFile = filename:join([?config(priv_dir, Config), "b.server", "cert.pem"]),
     SNIServerBKeyFile = filename:join([?config(priv_dir, Config), "b.server", "key.pem"]),
-    [{client_opts, [{ssl_imp, new},{reuseaddr, true}]}, 
+    [{client_opts, []}, 
      {client_verification_opts, [{cacertfile, ClientCaCertFile}, 
 				{certfile, ClientCertFile},  
 				{keyfile, ClientKeyFile},
@@ -793,7 +818,17 @@ rsa_suites(CounterPart) ->
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+                 common_ciphers(CounterPart)).
+
+common_ciphers(crypto) ->
+    ssl:cipher_suites();
+common_ciphers(openssl) ->
+    OpenSslSuites =
+        string:tokens(string:strip(os:cmd("openssl ciphers"), right, $\n), ":"),
+    [ssl_cipher:erl_suite_definition(S)
+     || S <- ssl_cipher:suites(tls_record:highest_protocol_version([])),
+        lists:member(ssl_cipher:openssl_suite_name(S), OpenSslSuites)
+    ].
 
 rsa_non_signed_suites() ->
     lists:filter(fun({rsa, _, _}) ->
@@ -870,8 +905,8 @@ anonymous_suites() ->
 	 {dh_anon, '3des_ede_cbc', sha},
 	 {dh_anon, aes_128_cbc, sha},
 	 {dh_anon, aes_256_cbc, sha},
-	 {dh_anon, aes_128_gcm, null},
-	 {dh_anon, aes_256_gcm, null},
+	 {dh_anon, aes_128_gcm, null, sha256},
+	 {dh_anon, aes_256_gcm, null, sha384},
 	 {ecdh_anon,rc4_128,sha},
 	 {ecdh_anon,'3des_ede_cbc',sha},
 	 {ecdh_anon,aes_128_cbc,sha},
@@ -898,12 +933,12 @@ psk_suites() ->
 	 {rsa_psk, aes_256_cbc, sha},
 	 {rsa_psk, aes_128_cbc, sha256},
 	 {rsa_psk, aes_256_cbc, sha384},
-	 {psk, aes_128_gcm, null},
-	 {psk, aes_256_gcm, null},
-	 {dhe_psk, aes_128_gcm, null},
-	 {dhe_psk, aes_256_gcm, null},
-	 {rsa_psk, aes_128_gcm, null},
-	 {rsa_psk, aes_256_gcm, null}],
+	 {psk, aes_128_gcm, null, sha256},
+	 {psk, aes_256_gcm, null, sha384},
+	 {dhe_psk, aes_128_gcm, null, sha256},
+	 {dhe_psk, aes_256_gcm, null, sha384},
+	 {rsa_psk, aes_128_gcm, null, sha256},
+	 {rsa_psk, aes_256_gcm, null, sha384}],
     ssl_cipher:filter_suites(Suites).
 
 psk_anon_suites() ->
@@ -1076,6 +1111,9 @@ is_sane_ecc(openssl) ->
 	"OpenSSL 1.0.0" ++ _ ->  % Known bug in openssl
 	    %% manifests as SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
 	    false;
+	"OpenSSL 1.0.1l" ++ _ ->  
+	    %% Breaks signature verification 
+	    false;
 	"OpenSSL 0.9.8" ++ _ -> % Does not support ECC
 	    false;
 	"OpenSSL 0.9.7" ++ _ -> % Does not support ECC
@@ -1130,23 +1168,27 @@ cipher_restriction(Config0) ->
     end.
 
 check_sane_openssl_version(Version) ->
-    case {Version, os:cmd("openssl version")} of
-	{_, "OpenSSL 1.0.2" ++ _} ->
-	    true;
-	{_, "OpenSSL 1.0.1" ++ _} ->
-	    true;
-	{'tlsv1.2', "OpenSSL 1.0" ++ _} ->
-	    false;
-	{'tlsv1.1', "OpenSSL 1.0" ++ _} ->
-	    false;
-	{'tlsv1.2', "OpenSSL 0" ++ _} ->
-	    false;
-	{'tlsv1.1', "OpenSSL 0" ++ _} ->
-	    false;
-	{_, _} ->
-	    true
+    case supports_ssl_tls_version(Version) of 
+	true ->
+	    case {Version, os:cmd("openssl version")} of
+		{_, "OpenSSL 1.0.2" ++ _} ->
+		    true;
+		{_, "OpenSSL 1.0.1" ++ _} ->
+		    true;
+		{'tlsv1.2', "OpenSSL 1.0" ++ _} ->
+		    false;
+		{'tlsv1.1', "OpenSSL 1.0" ++ _} ->
+		    false;
+		{'tlsv1.2', "OpenSSL 0" ++ _} ->
+		    false;
+		{'tlsv1.1', "OpenSSL 0" ++ _} ->
+		    false;
+		{_, _} ->
+		    true
+	    end;
+	false ->
+	    false
     end.
-
 enough_openssl_crl_support("OpenSSL 0." ++ _) -> false;
 enough_openssl_crl_support(_) -> true.
 
@@ -1164,13 +1206,15 @@ wait_for_openssl_server(Port, N) ->
     end.
 
 version_flag(tlsv1) ->
-    " -tls1 ";
+    "-tls1";
 version_flag('tlsv1.1') ->
-    " -tls1_1 ";
+    "-tls1_1";
 version_flag('tlsv1.2') ->
-    " -tls1_2 ";
+    "-tls1_2";
 version_flag(sslv3) ->
-    " -ssl3 ".
+    "-ssl3";
+version_flag(sslv2) ->
+    "-ssl2".
 
 filter_suites(Ciphers0) ->
     Version = tls_record:highest_protocol_version([]),
@@ -1180,7 +1224,7 @@ filter_suites(Ciphers0) ->
 	++ ssl_cipher:srp_suites() 
 	++ ssl_cipher:rc4_suites(Version),
     Supported1 = ssl_cipher:filter_suites(Supported0),
-    Supported2 = [ssl:suite_definition(S) || S <- Supported1],
+    Supported2 = [ssl_cipher:erl_suite_definition(S) || S <- Supported1],
     [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported2)].
 
 -define(OPENSSL_QUIT, "Q\n").
@@ -1215,3 +1259,31 @@ close_loop(Port, Time, SentClose) ->
 		    ct:log("Timeout~n",[])
 	    end
     end.
+
+portable_open_port(Exe, Args) ->
+    AbsPath = os:find_executable(Exe),
+    ct:pal("open_port({spawn_executable, ~p}, [{args, ~p}, stderr_to_stdout]).", [AbsPath, Args]),
+    open_port({spawn_executable, AbsPath}, 
+	      [{args, Args}, stderr_to_stdout]). 
+
+supports_ssl_tls_version(Version) ->
+    VersionFlag = version_flag(Version),
+    Exe = "openssl",
+    Args = ["s_client", VersionFlag],
+    Port = ssl_test_lib:portable_open_port(Exe, Args),
+    do_supports_ssl_tls_version(Port).
+
+do_supports_ssl_tls_version(Port) ->
+    receive 
+	{Port, {data, "unknown option"  ++ _}} -> 
+	    false;
+	{Port, {data, Data}} ->
+	    case lists:member("error", string:tokens(Data, ":")) of
+		true ->
+		    false;
+		false ->
+		    do_supports_ssl_tls_version(Port)
+	    end
+    after 500 ->
+	    true
+    end.