aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl.erl3
-rw-r--r--lib/ssl/test/openssl_alpn_SUITE.erl18
-rw-r--r--lib/ssl/test/openssl_client_cert_SUITE.erl31
-rw-r--r--lib/ssl/test/openssl_npn_SUITE.erl51
-rw-r--r--lib/ssl/test/openssl_server_cert_SUITE.erl79
-rw-r--r--lib/ssl/test/ssl_cert_SUITE.erl28
-rw-r--r--lib/ssl/test/ssl_cert_tests.erl54
-rw-r--r--lib/ssl/test/ssl_test_lib.erl149
8 files changed, 300 insertions, 113 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index ce639e8fde..7ff9aed8ea 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -982,7 +982,8 @@ cipher_suites(all) ->
%% Description: Returns all default and all supported cipher suites for a
%% TLS/DTLS version
%%--------------------------------------------------------------------
-cipher_suites(Base, Version) when Version == 'tlsv1.2';
+cipher_suites(Base, Version) when Version == 'tlsv1.3';
+ Version == 'tlsv1.2';
Version == 'tlsv1.1';
Version == tlsv1;
Version == sslv3 ->
diff --git a/lib/ssl/test/openssl_alpn_SUITE.erl b/lib/ssl/test/openssl_alpn_SUITE.erl
index fa095b4bdb..5008dba922 100644
--- a/lib/ssl/test/openssl_alpn_SUITE.erl
+++ b/lib/ssl/test/openssl_alpn_SUITE.erl
@@ -36,7 +36,7 @@
all() ->
%% Note: ALPN not supported in sslv3
- case ssl_test_lib:openssl_sane_dtls() of
+ case ssl_test_lib:openssl_sane_dtls_alpn() of
true ->
[
{group, 'tlsv1.3'},
@@ -52,15 +52,15 @@ all() ->
end.
groups() ->
- case ssl_test_lib:openssl_sane_dtls() of
+ case ssl_test_lib:openssl_sane_dtls_alpn() of
true ->
[
{'tlsv1.3', [], alpn_tests()},
{'tlsv1.2', [], alpn_tests() ++ alpn_npn_coexist() ++ rengotiation_tests()},
{'tlsv1.1', [], alpn_tests() ++ alpn_npn_coexist() ++ rengotiation_tests()},
{'tlsv1', [], alpn_tests() ++ alpn_npn_coexist() ++ rengotiation_tests()},
- {'dtlsv1.2', [], alpn_tests() ++ alpn_npn_coexist()},
- {'dtlsv1', [], alpn_tests() ++ alpn_npn_coexist()}
+ {'dtlsv1.2', [], alpn_tests()},
+ {'dtlsv1', [], alpn_tests()}
];
false ->
[
@@ -85,9 +85,13 @@ alpn_npn_coexist() ->
erlang_server_alpn_npn_openssl_client_alpn_npn
].
rengotiation_tests() ->
- [erlang_client_alpn_openssl_server_alpn_renegotiate,
- erlang_server_alpn_openssl_client_alpn_renegotiate].
-
+ case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+ true ->
+ [erlang_client_alpn_openssl_server_alpn_renegotiate,
+ erlang_server_alpn_openssl_client_alpn_renegotiate];
+ false ->
+ []
+ end.
init_per_suite(Config0) ->
case os:find_executable("openssl") of
false ->
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 08c1534eb0..b327988744 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -37,7 +37,7 @@ all() ->
groups() ->
[
{openssl_client, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
{'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
{'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
{'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -46,13 +46,14 @@ groups() ->
{'dtlsv1', [], pre_tls_1_3_protocol_groups()},
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth,
+ unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
].
protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
{group, 'tlsv1.2'},
{group, 'tlsv1.1'},
{group, 'tlsv1'},
@@ -225,7 +226,21 @@ end_per_group(GroupName, Config) ->
false ->
Config
end.
-
+init_per_testcase(TestCase, Config) when
+ TestCase == client_auth_empty_cert_accepted;
+ TestCase == client_auth_empty_cert_rejected ->
+ Version = proplists:get_value(version,Config),
+ case Version of
+ sslv3 ->
+ %% Openssl client sends "No Certificate Reserved" warning ALERT
+ %% instead of sending EMPTY cert message in SSL-3.0 so empty cert test are not
+ %% relevant
+ {skip, openssl_behaves_differently};
+ _ ->
+ ssl_test_lib:ct_log_supported_protocol_versions(Config),
+ ct:timetrap({seconds, 10}),
+ Config
+ end;
init_per_testcase(_TestCase, Config) ->
ssl_test_lib:ct_log_supported_protocol_versions(Config),
ct:timetrap({seconds, 10}),
@@ -314,6 +329,10 @@ unsupported_sign_algo_cert_client_auth() ->
ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
unsupported_sign_algo_cert_client_auth(Config) ->
ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config).
+unsupported_sign_algo_client_auth() ->
+ ssl_cert_tests:unsupported_sign_algo_client_auth().
+unsupported_sign_algo_client_auth(Config) ->
+ ssl_cert_tests:unsupported_sign_algo_client_auth(Config).
%%--------------------------------------------------------------------
hello_retry_client_auth() ->
ssl_cert_tests:hello_retry_client_auth().
diff --git a/lib/ssl/test/openssl_npn_SUITE.erl b/lib/ssl/test/openssl_npn_SUITE.erl
index 9bd11f05d6..0294f4997f 100644
--- a/lib/ssl/test/openssl_npn_SUITE.erl
+++ b/lib/ssl/test/openssl_npn_SUITE.erl
@@ -33,51 +33,36 @@
%%--------------------------------------------------------------------
%% Common Test interface functions -----------------------------------
%%--------------------------------------------------------------------
-
all() ->
- %% Note: NPN not supported in sslv3
- case ssl_test_lib:openssl_sane_dtls() of
- true ->
- [{group, 'tlsv1.2'},
- {group, 'tlsv1.1'},
- {group, 'tlsv1'},
- {group, 'dtlsv1.2'},
- {group, 'dtlsv1'}];
- false ->
- [{group, 'tlsv1.2'},
- {group, 'tlsv1.1'},
- {group, 'tlsv1'}]
- end.
+ %% NPN is not supported in TLS-1.3 (replaced by ALPN and deprecated in TLS 1.2)
+ %% OpenSSL DTLS support for NPN is either not there or broken.
+ [{group, 'tlsv1.2'},
+ {group, 'tlsv1.1'},
+ {group, 'tlsv1'}].
groups() ->
- case ssl_test_lib:openssl_sane_dtls() of
- true ->
- [{'tlsv1.2', [], npn_tests()},
- {'tlsv1.1', [], npn_tests()},
- {'tlsv1', [], npn_tests()},
- {'dtlsv1.2', [], npn_tests() -- [erlang_server_openssl_client_npn_renegotiate,
- erlang_client_openssl_server_npn_renegotiate]},
- {'dtlsv1', [], npn_tests() -- [erlang_server_openssl_client_npn_renegotiate,
- erlang_client_openssl_server_npn_renegotiate]
- }
- ];
- false ->
- [{'tlsv1.2', [], npn_tests()},
- {'tlsv1.1', [], npn_tests()},
- {'tlsv1', [], npn_tests()}
- ]
- end.
+ [{'tlsv1.2', [], npn_tests() ++ npn_renegotiate_tests()},
+ {'tlsv1.1', [], npn_tests() ++ npn_renegotiate_tests()},
+ {'tlsv1', [], npn_tests() ++ npn_renegotiate_tests()}
+ ].
npn_tests() ->
[erlang_client_openssl_server_npn,
erlang_server_openssl_client_npn,
- erlang_server_openssl_client_npn_renegotiate,
- erlang_client_openssl_server_npn_renegotiate,
erlang_server_openssl_client_npn_only_client,
erlang_server_openssl_client_npn_only_server,
erlang_client_openssl_server_npn_only_client,
erlang_client_openssl_server_npn_only_server].
+npn_renegotiate_tests() ->
+ case ssl_test_lib:sane_openssl_alpn_npn_renegotiate() of
+ true ->
+ [erlang_server_openssl_client_npn_renegotiate,
+ erlang_client_openssl_server_npn_renegotiate];
+ false ->
+ []
+ end.
+
init_per_suite(Config0) ->
case os:find_executable("openssl") of
false ->
diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl
index abac2647a9..c2af864a92 100644
--- a/lib/ssl/test/openssl_server_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_server_cert_SUITE.erl
@@ -36,7 +36,7 @@ all() ->
groups() ->
[
{openssl_server, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
{'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
{'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
{'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -45,13 +45,16 @@ groups() ->
{'dtlsv1', [], pre_tls_1_3_protocol_groups()},
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests()},
+ %% TODO: Create proper conf of openssl server
+ %%++ [unsupported_sign_algo_client_auth,
+ %% unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
].
protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
{group, 'tlsv1.2'},
{group, 'tlsv1.1'},
{group, 'tlsv1'},
@@ -108,8 +111,7 @@ end_per_suite(_Config) ->
init_per_group(openssl_server, Config0) ->
Config = proplists:delete(server_type, proplists:delete(client_type, Config0)),
[{client_type, erlang}, {server_type, openssl} | Config];
-init_per_group(Group, Config0) when Group == rsa;
- Group == rsa_1_3 ->
+init_per_group(rsa = Group, Config0) ->
Config = ssl_test_lib:make_rsa_cert(Config0),
COpts = proplists:get_value(client_rsa_opts, Config),
SOpts = proplists:get_value(server_rsa_opts, Config),
@@ -133,8 +135,25 @@ init_per_group(Group, Config0) when Group == rsa;
[] ->
{skip, {no_sup, Group, Version}}
end;
-init_per_group(Group, Config0) when Group == ecdsa;
- Group == ecdsa_1_3 ->
+init_per_group(rsa_1_3 = Group, Config0) ->
+ Config = ssl_test_lib:make_rsa_cert(Config0),
+ COpts = proplists:get_value(client_rsa_opts, Config),
+ SOpts = proplists:get_value(server_rsa_opts, Config),
+ %% Make sure _rsa* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, rsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))])];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+init_per_group(ecdsa = Group, Config0) ->
PKAlg = crypto:supports(public_keys),
case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
lists:member(dh, PKAlg)) of
@@ -166,6 +185,32 @@ init_per_group(Group, Config0) when Group == ecdsa;
false ->
{skip, "Missing EC crypto support"}
end;
+init_per_group(ecdsa_1_3 = Group, Config0) ->
+ PKAlg = crypto:supports(public_keys),
+ case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
+ lists:member(dh, PKAlg)) of
+ true ->
+ Config = ssl_test_lib:make_ecdsa_cert(Config0),
+ COpts = proplists:get_value(client_ecdsa_opts, Config),
+ SOpts = proplists:get_value(server_ecdsa_opts, Config),
+ %% Make sure ecdh* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, ecdsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))]
+ )];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+ false ->
+ {skip, "Missing EC crypto support"}
+ end;
init_per_group(Group, Config0) when Group == dsa ->
PKAlg = crypto:supports(public_keys),
case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) of
@@ -300,18 +345,22 @@ hello_retry_request(Config) ->
ssl_cert_tests:hello_retry_request(Config).
%%--------------------------------------------------------------------
custom_groups() ->
- ssl_cert_tests:custom_groups().
+ ssl_cert_tests:custom_groups().
custom_groups(Config) ->
- ssl_cert_tests:custom_groups(Config).
+ ssl_cert_tests:custom_groups(Config).
unsupported_sign_algo_cert_client_auth() ->
- ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
+ ssl_cert_tests:unsupported_sign_algo_cert_client_auth().
unsupported_sign_algo_cert_client_auth(Config) ->
ssl_cert_tests:unsupported_sign_algo_cert_client_auth(Config).
+unsupported_sign_algo_client_auth() ->
+ ssl_cert_tests:unsupported_sign_algo_client_auth().
+unsupported_sign_algo_client_auth(Config) ->
+ ssl_cert_tests:unsupported_sign_algo_client_auth(Config).
%%--------------------------------------------------------------------
hello_retry_client_auth() ->
- ssl_cert_tests:hello_retry_client_auth().
+ ssl_cert_tests:hello_retry_client_auth().
hello_retry_client_auth(Config) ->
- ssl_cert_tests:hello_retry_client_auth(Config).
+ ssl_cert_tests:hello_retry_client_auth(Config).
%%--------------------------------------------------------------------
hello_retry_client_auth_empty_cert_accepted() ->
ssl_cert_tests:hello_retry_client_auth_empty_cert_accepted().
@@ -321,4 +370,4 @@ hello_retry_client_auth_empty_cert_accepted(Config) ->
hello_retry_client_auth_empty_cert_rejected() ->
ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected().
hello_retry_client_auth_empty_cert_rejected(Config) ->
- ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config).
+ ssl_cert_tests:hello_retry_client_auth_empty_cert_rejected(Config).
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index 571e7428ea..fb1695f38a 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -53,7 +53,8 @@ groups() ->
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
{dsa, [], all_version_tests()},
- {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth,
+ unsupported_sign_algo_cert_client_auth]},
{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
].
@@ -208,12 +209,12 @@ auth(Config) ->
ssl_cert_tests:auth(Config).
%%--------------------------------------------------------------------
client_auth_empty_cert_accepted() ->
- ssl_cert_tests:client_auth_empty_cert_accepted().
+ ssl_cert_tests:client_auth_empty_cert_accepted().
client_auth_empty_cert_accepted(Config) ->
ssl_cert_tests:client_auth_empty_cert_accepted(Config).
%%--------------------------------------------------------------------
client_auth_empty_cert_rejected() ->
- ssl_cert_tests:client_auth_empty_cert_rejected().
+ ssl_cert_tests:client_auth_empty_cert_rejected().
client_auth_empty_cert_rejected(Config) ->
ssl_cert_tests:client_auth_empty_cert_rejected(Config).
%%--------------------------------------------------------------------
@@ -239,7 +240,6 @@ client_auth_partial_chain_fun_fail() ->
client_auth_partial_chain_fun_fail(Config) when is_list(Config) ->
ssl_cert_tests:client_auth_partial_chain_fun_fail(Config).
-
%%--------------------------------------------------------------------
missing_root_cert_no_auth() ->
ssl_cert_tests:missing_root_cert_no_auth().
@@ -484,11 +484,27 @@ unsupported_sign_algo_cert_client_auth(Config) ->
ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
+ {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+ %% Skip rsa_pkcs1_sha256!
+ {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
+ {fail_if_no_peer_cert, true}|ServerOpts0],
+ ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
+
+%%--------------------------------------------------------------------
+unsupported_sign_algo_client_auth() ->
+ [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}].
+
+unsupported_sign_algo_client_auth(Config) ->
+ ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
+ ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
+ ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+ {verify, verify_peer},
%% Skip rsa_pkcs1_sha256!
- {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+ {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
{fail_if_no_peer_cert, true}|ServerOpts0],
ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
- ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure).
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
%%--------------------------------------------------------------------
hello_retry_client_auth() ->
[{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}].
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index f330c716bc..c88daa2185 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -243,9 +243,9 @@ custom_groups(Config) ->
ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
- {ServerOpts, ClientOpts} = group_config(Config,
- [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
- [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
+ {ServerOpts, ClientOpts} = group_config_custom(Config,
+ [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
+ [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
@@ -262,11 +262,26 @@ unsupported_sign_algo_cert_client_auth(Config) ->
ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
+ {signature_algs, [rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+ %% Skip rsa_pkcs1_sha256!
+ {signature_algs_cert, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
+ {fail_if_no_peer_cert, true}|ServerOpts0],
+ ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
+%%--------------------------------------------------------------------
+unsupported_sign_algo_client_auth() ->
+ [{doc,"TLS 1.3: Test client authentication with unsupported signature_algorithm"}].
+
+unsupported_sign_algo_client_auth(Config) ->
+ ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
+ ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
+ ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+ {verify, verify_peer},
%% Skip rsa_pkcs1_sha256!
- {signature_algs, [rsa_pkcs1_sha384, rsa_pss_rsae_sha256]},
+ {signature_algs, [rsa_pkcs1_sha384, rsa_pkcs1_sha512]},
{fail_if_no_peer_cert, true}|ServerOpts0],
ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
- ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, handshake_failure).
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
%%--------------------------------------------------------------------
hello_retry_client_auth() ->
[{doc, "TLS 1.3 (HelloRetryRequest): Test client authentication."}].
@@ -278,14 +293,14 @@ hello_retry_client_auth(Config) ->
{ServerOpts, ClientOpts} = group_config(Config,
[{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
[{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
%%--------------------------------------------------------------------
hello_retry_client_auth_empty_cert_accepted() ->
[{doc,"TLS 1.3 (HelloRetryRequest): Test client authentication when client sends an empty "
- "certificate and fail_if_no_peer_cert is set to true."}].
+ "certificate and fail_if_no_peer_cert is set to false."}].
hello_retry_client_auth_empty_cert_accepted(Config) ->
ClientOpts0 = proplists:delete(keyfile,
@@ -314,7 +329,7 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
{ServerOpts, ClientOpts} = group_config(Config,
[{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
[{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
@@ -324,16 +339,35 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
%% Internal functions -----------------------------------------------
%%--------------------------------------------------------------------
+group_config_custom(Config, ServerOpts, ClientOpts) ->
+ case proplists:get_value(client_type, Config) of
+ erlang ->
+ {[{groups,"X448:P-256:P-384"} | ServerOpts],
+ [{supported_groups, [secp384r1, secp256r1, x25519]} | ClientOpts]};
+ openssl ->
+ {[{supported_groups, [x448, secp256r1, secp384r1]} | ServerOpts],
+ [{groups,"P-384:P-256:X25519"} | ClientOpts]}
+ end.
+
group_config(Config, ServerOpts, ClientOpts) ->
case proplists:get_value(client_type, Config) of
erlang ->
- {[{groups,"P-256:X25519"} | ServerOpts],
+ {[{groups,"X448:X25519"} | ServerOpts],
[{supported_groups, [secp256r1, x25519]} | ClientOpts]};
openssl ->
{[{supported_groups, [x448, x25519]} | ServerOpts],
[{groups,"P-256:X25519"} | ClientOpts]}
end.
+test_ciphers(_, 'tlsv1.3' = Version) ->
+ Ciphers = ssl:cipher_suites(default, Version),
+ ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
+ OpenSSLCiphers = openssl_ciphers(),
+ ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
+ lists:filter(fun(C) ->
+ ct:log("Cipher ~p~n", [C]),
+ lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
+ end, Ciphers);
test_ciphers(Kex, Version) ->
Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
[{key_exchange, Kex}]),
@@ -345,6 +379,8 @@ test_ciphers(Kex, Version) ->
lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
end, Ciphers).
+
+
openssl_ciphers() ->
Str = os:cmd("openssl ciphers"),
string:split(string:strip(Str, right, $\n), ":", all).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 5d0d09b33a..7dd27fb5cb 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -648,8 +648,7 @@ cert_options(Config) ->
"badcert.pem"]),
BadKeyFile = filename:join([proplists:get_value(priv_dir, Config),
"badkey.pem"]),
- PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>,
-
+
[{client_opts, [{cacertfile, ClientCaCertFile},
{certfile, ClientCertFile},
{keyfile, ClientKeyFile}]},
@@ -1227,6 +1226,11 @@ basic_test(COpts, SOpts, Config) ->
stop(Server, Client).
basic_alert(ClientOpts, ServerOpts, Config, Alert) ->
+ SType = proplists:get_value(server_type, Config),
+ CType = proplists:get_value(client_type, Config),
+ run_basic_alert(SType, CType, ClientOpts, ServerOpts, Config, Alert).
+
+run_basic_alert(erlang, erlang, ClientOpts, ServerOpts, Config, Alert) ->
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
Server = start_server_error([{node, ServerNode}, {port, 0},
@@ -1242,7 +1246,30 @@ basic_alert(ClientOpts, ServerOpts, Config, Alert) ->
{mfa, {ssl_test_lib, no_result, []}},
{options, ClientOpts}]),
- check_server_alert(Server, Client, Alert).
+ check_server_alert(Server, Client, Alert);
+run_basic_alert(openssl = SType, erlang, ClientOpts, ServerOpts, Config, Alert) ->
+ {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+ {_Server, Port} = start_server(SType, ClientOpts, ServerOpts, Config),
+ ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
+ Client = start_client_error([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, no_result, []}},
+ {options, ClientOpts}]),
+
+ check_client_alert(Client, Alert);
+run_basic_alert(erlang, openssl = CType, ClientOpts, ServerOpts, Config, Alert) ->
+ {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = start_server_error([{node, ServerNode}, {port, 0},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, no_result, []}},
+ {options, ServerOpts}]),
+ Port = inet_port(Server),
+ start_client(CType, Port, ClientOpts, Config),
+
+ check_server_alert(Server, Alert).
+
ecc_test(Expect, COpts, SOpts, CECCOpts, SECCOpts, Config) ->
{Server, Port} = start_server_ecc(erlang, SOpts, Expect, SECCOpts, Config),
@@ -1285,32 +1312,23 @@ start_basic_client(openssl, Version, Port, ClientOpts) ->
OpenSslPort.
start_client(openssl, Port, ClientOpts, Config) ->
- Cert = proplists:get_value(certfile, ClientOpts),
- Key = proplists:get_value(keyfile, ClientOpts),
- CA = proplists:get_value(cacertfile, ClientOpts),
Version = ssl_test_lib:protocol_version(Config),
Exe = "openssl",
+ Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
Groups0 = proplists:get_value(groups, ClientOpts),
+ CertArgs = openssl_cert_options(ClientOpts, client),
Exe = "openssl",
- Args0 = ["s_client", "-verify", "2", "-port", integer_to_list(Port),
- ssl_test_lib:version_flag(Version),
- "-CAfile", CA, "-host", "localhost", "-msg", "-debug"],
- Args1 =
- case Groups0 of
- undefined ->
- Args0;
- G ->
- Args0 ++ ["-groups", G]
- end,
- Args2 =
- case {Cert, Key} of
- {C, K} when C =:= undefined orelse
- K =:= undefined ->
- Args1;
- {C, K} ->
- Args1 ++ ["-cert", C, "-key", K]
- end,
- Args = maybe_force_ipv4(Args2),
+ Args0 = case Groups0 of
+ undefined ->
+ ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version),
+ ciphers(Ciphers, Version),
+ ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"];
+ Group ->
+ ["s_client", "-verify", "2", "-port", integer_to_list(Port), cipher_flag(Version),
+ ciphers(Ciphers, Version), "-groups", Group,
+ ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]
+ end,
+ Args = maybe_force_ipv4(Args0),
OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),
true = port_command(OpenSslPort, "Hello world"),
OpenSslPort;
@@ -1361,11 +1379,19 @@ start_server(openssl, ClientOpts, ServerOpts, Config) ->
Port = inet_port(node()),
Version = protocol_version(Config),
Exe = "openssl",
- CertArgs = openssl_cert_options(ServerOpts),
- [Cipher|_] = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
- Args = ["s_server", "-accept", integer_to_list(Port), "-cipher",
- ssl_cipher_format:suite_map_to_openssl_str(Cipher),
- ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"],
+ CertArgs = openssl_cert_options(ServerOpts, server),
+ Ciphers = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
+ Groups0 = proplists:get_value(groups, ServerOpts),
+ Args = case Groups0 of
+ undefined ->
+ ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
+ ciphers(Ciphers, Version),
+ ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"];
+ Group ->
+ ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
+ ciphers(Ciphers, Version), "-groups", Group,
+ ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"]
+ end,
OpenSslPort = portable_open_port(Exe, Args),
true = port_command(OpenSslPort, "Hello world"),
{OpenSslPort, Port};
@@ -1380,6 +1406,27 @@ start_server(erlang, _, ServerOpts, Config) ->
[KeyEx]}},
{options, [{verify, verify_peer}, {versions, Versions} | ServerOpts]}]),
{Server, inet_port(Server)}.
+
+cipher_flag('tlsv1.3') ->
+ "-ciphersuites";
+cipher_flag(_) ->
+ "-cipher".
+
+ciphers(Ciphers, Version) ->
+ Strs = [ssl_cipher_format:suite_map_to_openssl_str(Cipher) || Cipher <- Ciphers],
+ ciphers_concat(Version, Strs, "").
+
+ciphers_concat(_, [], [":" | Acc]) ->
+ lists:append(lists:reverse(Acc));
+ciphers_concat('tlsv1.3' = Version, [Head| Tail], Acc) ->
+ case Head of
+ "TLS" ++ _ ->
+ ciphers_concat(Version, Tail, [":", Head | Acc]);
+ _ ->
+ ciphers_concat(Version, Tail, Acc)
+ end;
+ciphers_concat(Version, [Head| Tail], Acc) ->
+ ciphers_concat(Version, Tail, [":", Head | Acc]).
start_server_with_raw_key(erlang, ServerOpts, Config) ->
{_, ServerNode, _} = ssl_test_lib:run_where(Config),
@@ -1434,23 +1481,31 @@ stop(Client, Server) ->
close(Client).
-openssl_cert_options(ServerOpts) ->
- Cert = proplists:get_value(certfile, ServerOpts, undefined),
- Key = proplists:get_value(keyfile, ServerOpts, undefined),
- CA = proplists:get_value(cacertfile, ServerOpts, undefined),
+openssl_cert_options(Opts, Role) ->
+ Cert = proplists:get_value(certfile, Opts, undefined),
+ Key = proplists:get_value(keyfile, Opts, undefined),
+ CA = proplists:get_value(cacertfile, Opts, undefined),
case CA of
undefined ->
case cert_option("-cert", Cert) ++ cert_option("-key", Key) of
- [] ->
+ [] when Role == server ->
["-nocert"];
Other ->
Other
end;
_ ->
cert_option("-cert", Cert) ++ cert_option("-CAfile", CA) ++
- cert_option("-key", Key) ++ ["-verify", "2"]
+ cert_option("-key", Key) ++ openssl_verify(Opts) ++ ["2"]
end.
+openssl_verify(Opts) ->
+ case proplists:get_value(fail_if_no_peer_cert, Opts, undefined) of
+ true ->
+ ["-Verify"];
+ _ ->
+ ["-verify"]
+ end.
+
cert_option(_, undefined) ->
[];
cert_option(Opt, Value) ->
@@ -2711,3 +2766,25 @@ new_config(PrivDir, ServerOpts0) ->
[{cacertfile, NewCaCertFile}, {certfile, NewCertFile},
{keyfile, NewKeyFile} | ServerOpts].
+
+sane_openssl_alpn_npn_renegotiate() ->
+ case os:cmd("openssl version") of
+ "LibreSSL 2.9.1" ++ _ ->
+ false;
+ "LibreSSL 2.6.4" ++ _ ->
+ false;
+ "OpenSSL 1.1.1a-freebsd" ++ _ ->
+ false;
+ _ ->
+ true
+ end.
+
+openssl_sane_dtls_alpn() ->
+ case os:cmd("openssl version") of
+ "OpenSSL 1.1.0g" ++ _ ->
+ false;
+ "OpenSSL 1.1.1a" ++ _ ->
+ false;
+ _->
+ openssl_sane_dtls()
+ end.
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-10 21:14:27 +0000