26-tls13_client_auth.cnf 15 KB

  1. # Generated with generate_ssl_tests.pl
  # NOTE(review): this file is generator output; change the generator's input
  # and regenerate rather than hand-editing, or the edit is lost on the next run.
  # Index of the 14 TLSv1.3 test cases defined below. test-0 is a server-auth-only
  # baseline, test-1..test-5 cover certificate requests made during the handshake,
  # and test-6..test-13 cover post-handshake authentication (HandshakeMode =
  # PostHandshakeAuth in their [test-N] sections).
  2. num_tests = 14
  3. test-0 = 0-server-auth-TLSv1.3
  4. test-1 = 1-client-auth-TLSv1.3-request
  5. test-2 = 2-client-auth-TLSv1.3-require-fail
  6. test-3 = 3-client-auth-TLSv1.3-require
  7. test-4 = 4-client-auth-TLSv1.3-require-non-empty-names
  8. test-5 = 5-client-auth-TLSv1.3-noroot
  9. test-6 = 6-client-auth-TLSv1.3-request-post-handshake
  10. test-7 = 7-client-auth-TLSv1.3-require-fail-post-handshake
  11. test-8 = 8-client-auth-TLSv1.3-require-post-handshake
  12. test-9 = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake
  13. test-10 = 10-client-auth-TLSv1.3-noroot-post-handshake
  14. test-11 = 11-client-auth-TLSv1.3-request-force-client-post-handshake
  15. test-12 = 12-client-auth-TLSv1.3-request-force-server-post-handshake
  16. test-13 = 13-client-auth-TLSv1.3-request-force-both-post-handshake
  17. # ===========================================================
  # Baseline: the server sets no VerifyMode, so this case involves no client
  # certificate. The client verifies the server against rootcert.pem
  # (VerifyMode = Peer). Both sides pin MinProtocol = MaxProtocol = TLSv1.3,
  # so the connection cannot succeed at any other protocol version.
  18. [0-server-auth-TLSv1.3]
  19. ssl_conf = 0-server-auth-TLSv1.3-ssl
  20. [0-server-auth-TLSv1.3-ssl]
  21. server = 0-server-auth-TLSv1.3-server
  22. client = 0-server-auth-TLSv1.3-client
  23. [0-server-auth-TLSv1.3-server]
  24. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  25. CipherString = DEFAULT
  26. MaxProtocol = TLSv1.3
  27. MinProtocol = TLSv1.3
  28. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  29. [0-server-auth-TLSv1.3-client]
  30. CipherString = DEFAULT
  31. MaxProtocol = TLSv1.3
  32. MinProtocol = TLSv1.3
  33. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  34. VerifyMode = Peer
  35. [test-0]
  36. ExpectedResult = Success
  37. # ===========================================================
  # Server VerifyMode = Request; the client section configures no Certificate or
  # PrivateKey. ExpectedResult = Success pins that a request-only server completes
  # the handshake with a client that presents no certificate.
  # NOTE(review): Request on its own therefore authenticates nobody. A deployment
  # that depends on client identity needs Require (see test-2) or an explicit
  # application check that a peer certificate was actually received.
  38. [1-client-auth-TLSv1.3-request]
  39. ssl_conf = 1-client-auth-TLSv1.3-request-ssl
  40. [1-client-auth-TLSv1.3-request-ssl]
  41. server = 1-client-auth-TLSv1.3-request-server
  42. client = 1-client-auth-TLSv1.3-request-client
  43. [1-client-auth-TLSv1.3-request-server]
  44. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  45. CipherString = DEFAULT
  46. MaxProtocol = TLSv1.3
  47. MinProtocol = TLSv1.3
  48. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  49. VerifyMode = Request
  50. [1-client-auth-TLSv1.3-request-client]
  51. CipherString = DEFAULT
  52. MaxProtocol = TLSv1.3
  53. MinProtocol = TLSv1.3
  54. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  55. VerifyMode = Peer
  56. [test-1]
  57. ExpectedResult = Success
  58. # ===========================================================
  # Negative test: server VerifyMode = Require, client configures no certificate.
  # Expected outcome is a server-side failure with the CertificateRequired alert.
  # Of the handshake-time cases in this file, this is the only one that sets
  # Require against a certificate-less client, so it is the one that guards the
  # "missing client certificate must be rejected" behaviour.
  # The server trusts root-cert.pem for client certificates while the client
  # trusts rootcert.pem for the server; the two file names differ
  # (presumably distinct test CAs - confirm in TEST_CERTS_DIR).
  59. [2-client-auth-TLSv1.3-require-fail]
  60. ssl_conf = 2-client-auth-TLSv1.3-require-fail-ssl
  61. [2-client-auth-TLSv1.3-require-fail-ssl]
  62. server = 2-client-auth-TLSv1.3-require-fail-server
  63. client = 2-client-auth-TLSv1.3-require-fail-client
  64. [2-client-auth-TLSv1.3-require-fail-server]
  65. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  66. CipherString = DEFAULT
  67. MaxProtocol = TLSv1.3
  68. MinProtocol = TLSv1.3
  69. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  70. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  71. VerifyMode = Require
  72. [2-client-auth-TLSv1.3-require-fail-client]
  73. CipherString = DEFAULT
  74. MaxProtocol = TLSv1.3
  75. MinProtocol = TLSv1.3
  76. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  77. VerifyMode = Peer
  78. [test-2]
  79. ExpectedResult = ServerFail
  80. ExpectedServerAlert = CertificateRequired
  81. # ===========================================================
  # Positive test: the client presents ee-client-chain.pem / ee-key.pem and the
  # server verifies it against root-cert.pem. The server limits
  # ClientSignatureAlgorithms to PSS+SHA256, and [test-3] checks that the client
  # used an RSA certificate signed with RSA-PSS and SHA256. No ClientCAFile is set
  # and ExpectedClientCANames = empty.
  # NOTE(review): the section is named "require" but the server VerifyMode is
  # Request. Success here shows that a valid client certificate is accepted; it
  # does not show that a missing one is rejected (test-2 covers that).
  82. [3-client-auth-TLSv1.3-require]
  83. ssl_conf = 3-client-auth-TLSv1.3-require-ssl
  84. [3-client-auth-TLSv1.3-require-ssl]
  85. server = 3-client-auth-TLSv1.3-require-server
  86. client = 3-client-auth-TLSv1.3-require-client
  87. [3-client-auth-TLSv1.3-require-server]
  88. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  89. CipherString = DEFAULT
  90. ClientSignatureAlgorithms = PSS+SHA256
  91. MaxProtocol = TLSv1.3
  92. MinProtocol = TLSv1.3
  93. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  94. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  95. VerifyMode = Request
  96. [3-client-auth-TLSv1.3-require-client]
  97. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  98. CipherString = DEFAULT
  99. MaxProtocol = TLSv1.3
  100. MinProtocol = TLSv1.3
  101. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  102. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  103. VerifyMode = Peer
  104. [test-3]
  105. ExpectedClientCANames = empty
  106. ExpectedClientCertType = RSA
  107. ExpectedClientSignHash = SHA256
  108. ExpectedClientSignType = RSA-PSS
  109. ExpectedResult = Success
  110. # ===========================================================
  # Same shape as test-3, with ClientCAFile = root-cert.pem added on the server.
  # [test-4] expects ExpectedClientCANames to match that same file (presumably the
  # CA names the server advertises in its certificate request - confirm against
  # the test harness).
  # NOTE(review): as in test-3, the section name says "require" but the server
  # VerifyMode is Request.
  111. [4-client-auth-TLSv1.3-require-non-empty-names]
  112. ssl_conf = 4-client-auth-TLSv1.3-require-non-empty-names-ssl
  113. [4-client-auth-TLSv1.3-require-non-empty-names-ssl]
  114. server = 4-client-auth-TLSv1.3-require-non-empty-names-server
  115. client = 4-client-auth-TLSv1.3-require-non-empty-names-client
  116. [4-client-auth-TLSv1.3-require-non-empty-names-server]
  117. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  118. CipherString = DEFAULT
  119. ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  120. ClientSignatureAlgorithms = PSS+SHA256
  121. MaxProtocol = TLSv1.3
  122. MinProtocol = TLSv1.3
  123. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  124. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  125. VerifyMode = Request
  126. [4-client-auth-TLSv1.3-require-non-empty-names-client]
  127. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  128. CipherString = DEFAULT
  129. MaxProtocol = TLSv1.3
  130. MinProtocol = TLSv1.3
  131. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  132. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  133. VerifyMode = Peer
  134. [test-4]
  135. ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  136. ExpectedClientCertType = RSA
  137. ExpectedClientSignHash = SHA256
  138. ExpectedClientSignType = RSA-PSS
  139. ExpectedResult = Success
  140. # ===========================================================
  # Negative test: the server sets VerifyMode = Require but configures no
  # VerifyCAFile, and the client does present ee-client-chain.pem. Expected outcome
  # is a server-side failure with the UnknownCA alert. This guards against a
  # server accepting a client certificate it has no trust anchor for.
  141. [5-client-auth-TLSv1.3-noroot]
  142. ssl_conf = 5-client-auth-TLSv1.3-noroot-ssl
  143. [5-client-auth-TLSv1.3-noroot-ssl]
  144. server = 5-client-auth-TLSv1.3-noroot-server
  145. client = 5-client-auth-TLSv1.3-noroot-client
  146. [5-client-auth-TLSv1.3-noroot-server]
  147. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  148. CipherString = DEFAULT
  149. MaxProtocol = TLSv1.3
  150. MinProtocol = TLSv1.3
  151. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  152. VerifyMode = Require
  153. [5-client-auth-TLSv1.3-noroot-client]
  154. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  155. CipherString = DEFAULT
  156. MaxProtocol = TLSv1.3
  157. MinProtocol = TLSv1.3
  158. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  159. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  160. VerifyMode = Peer
  161. [test-5]
  162. ExpectedResult = ServerFail
  163. ExpectedServerAlert = UnknownCA
  164. # ===========================================================
  # Post-handshake variant of test-1: server VerifyMode = RequestPostHandshake and
  # [test-6] sets HandshakeMode = PostHandshakeAuth. Unlike test-11, [test-6] has
  # no client "-extra" section, so EnablePHA is not set on the client.
  # Expected outcome is ServerFail (presumably because the client never opted in
  # to post-handshake authentication - confirm against the test harness).
  # No ExpectedServerAlert is pinned for this case.
  165. [6-client-auth-TLSv1.3-request-post-handshake]
  166. ssl_conf = 6-client-auth-TLSv1.3-request-post-handshake-ssl
  167. [6-client-auth-TLSv1.3-request-post-handshake-ssl]
  168. server = 6-client-auth-TLSv1.3-request-post-handshake-server
  169. client = 6-client-auth-TLSv1.3-request-post-handshake-client
  170. [6-client-auth-TLSv1.3-request-post-handshake-server]
  171. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  172. CipherString = DEFAULT
  173. MaxProtocol = TLSv1.3
  174. MinProtocol = TLSv1.3
  175. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  176. VerifyMode = RequestPostHandshake
  177. [6-client-auth-TLSv1.3-request-post-handshake-client]
  178. CipherString = DEFAULT
  179. MaxProtocol = TLSv1.3
  180. MinProtocol = TLSv1.3
  181. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  182. VerifyMode = Peer
  183. [test-6]
  184. ExpectedResult = ServerFail
  185. HandshakeMode = PostHandshakeAuth
  186. # ===========================================================
  # Post-handshake variant of test-2: server VerifyMode = RequirePostHandshake,
  # client configures no certificate, and EnablePHA is not set on the client.
  # Expected outcome is ServerFail.
  # NOTE(review): unlike test-2, no ExpectedServerAlert is pinned, so this case
  # passes on any server-side failure and does not identify which check rejected
  # the client.
  187. [7-client-auth-TLSv1.3-require-fail-post-handshake]
  188. ssl_conf = 7-client-auth-TLSv1.3-require-fail-post-handshake-ssl
  189. [7-client-auth-TLSv1.3-require-fail-post-handshake-ssl]
  190. server = 7-client-auth-TLSv1.3-require-fail-post-handshake-server
  191. client = 7-client-auth-TLSv1.3-require-fail-post-handshake-client
  192. [7-client-auth-TLSv1.3-require-fail-post-handshake-server]
  193. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  194. CipherString = DEFAULT
  195. MaxProtocol = TLSv1.3
  196. MinProtocol = TLSv1.3
  197. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  198. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  199. VerifyMode = RequirePostHandshake
  200. [7-client-auth-TLSv1.3-require-fail-post-handshake-client]
  201. CipherString = DEFAULT
  202. MaxProtocol = TLSv1.3
  203. MinProtocol = TLSv1.3
  204. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  205. VerifyMode = Peer
  206. [test-7]
  207. ExpectedResult = ServerFail
  208. HandshakeMode = PostHandshakeAuth
  209. # ===========================================================
  # Post-handshake variant of test-3: the client presents ee-client-chain.pem and
  # opts in through EnablePHA = Yes in the "-client-extra" section referenced from
  # [test-8]. The server restricts ClientSignatureAlgorithms to PSS+SHA256, and the
  # test checks for an RSA certificate signed with RSA-PSS and SHA256.
  # NOTE(review): the section is named "require" but the server VerifyMode is
  # RequestPostHandshake, so rejection of a missing certificate is not exercised
  # here.
  210. [8-client-auth-TLSv1.3-require-post-handshake]
  211. ssl_conf = 8-client-auth-TLSv1.3-require-post-handshake-ssl
  212. [8-client-auth-TLSv1.3-require-post-handshake-ssl]
  213. server = 8-client-auth-TLSv1.3-require-post-handshake-server
  214. client = 8-client-auth-TLSv1.3-require-post-handshake-client
  215. [8-client-auth-TLSv1.3-require-post-handshake-server]
  216. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  217. CipherString = DEFAULT
  218. ClientSignatureAlgorithms = PSS+SHA256
  219. MaxProtocol = TLSv1.3
  220. MinProtocol = TLSv1.3
  221. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  222. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  223. VerifyMode = RequestPostHandshake
  224. [8-client-auth-TLSv1.3-require-post-handshake-client]
  225. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  226. CipherString = DEFAULT
  227. MaxProtocol = TLSv1.3
  228. MinProtocol = TLSv1.3
  229. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  230. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  231. VerifyMode = Peer
  232. [test-8]
  233. ExpectedClientCANames = empty
  234. ExpectedClientCertType = RSA
  235. ExpectedClientSignHash = SHA256
  236. ExpectedClientSignType = RSA-PSS
  237. ExpectedResult = Success
  238. HandshakeMode = PostHandshakeAuth
  239. client = 8-client-auth-TLSv1.3-require-post-handshake-client-extra
  240. [8-client-auth-TLSv1.3-require-post-handshake-client-extra]
  241. EnablePHA = Yes
  242. # ===========================================================
  # Post-handshake variant of test-4: same as test-8 with ClientCAFile =
  # root-cert.pem added on the server, and ExpectedClientCANames expected to match
  # that file. The client opts in with EnablePHA = Yes.
  # NOTE(review): named "require", but the server VerifyMode is
  # RequestPostHandshake.
  243. [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake]
  244. ssl_conf = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-ssl
  245. [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-ssl]
  246. server = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-server
  247. client = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client
  248. [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-server]
  249. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  250. CipherString = DEFAULT
  251. ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  252. ClientSignatureAlgorithms = PSS+SHA256
  253. MaxProtocol = TLSv1.3
  254. MinProtocol = TLSv1.3
  255. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  256. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  257. VerifyMode = RequestPostHandshake
  258. [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client]
  259. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  260. CipherString = DEFAULT
  261. MaxProtocol = TLSv1.3
  262. MinProtocol = TLSv1.3
  263. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  264. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  265. VerifyMode = Peer
  266. [test-9]
  267. ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
  268. ExpectedClientCertType = RSA
  269. ExpectedClientSignHash = SHA256
  270. ExpectedClientSignType = RSA-PSS
  271. ExpectedResult = Success
  272. HandshakeMode = PostHandshakeAuth
  273. client = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra
  274. [9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra]
  275. EnablePHA = Yes
  276. # ===========================================================
  # Post-handshake variant of test-5: server VerifyMode = RequirePostHandshake with
  # no VerifyCAFile; the client presents ee-client-chain.pem and sets
  # EnablePHA = Yes. Expected outcome is ServerFail with the UnknownCA alert, i.e.
  # a client certificate with no configured trust anchor is rejected in the
  # post-handshake path as well.
  277. [10-client-auth-TLSv1.3-noroot-post-handshake]
  278. ssl_conf = 10-client-auth-TLSv1.3-noroot-post-handshake-ssl
  279. [10-client-auth-TLSv1.3-noroot-post-handshake-ssl]
  280. server = 10-client-auth-TLSv1.3-noroot-post-handshake-server
  281. client = 10-client-auth-TLSv1.3-noroot-post-handshake-client
  282. [10-client-auth-TLSv1.3-noroot-post-handshake-server]
  283. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  284. CipherString = DEFAULT
  285. MaxProtocol = TLSv1.3
  286. MinProtocol = TLSv1.3
  287. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  288. VerifyMode = RequirePostHandshake
  289. [10-client-auth-TLSv1.3-noroot-post-handshake-client]
  290. Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
  291. CipherString = DEFAULT
  292. MaxProtocol = TLSv1.3
  293. MinProtocol = TLSv1.3
  294. PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
  295. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  296. VerifyMode = Peer
  297. [test-10]
  298. ExpectedResult = ServerFail
  299. ExpectedServerAlert = UnknownCA
  300. HandshakeMode = PostHandshakeAuth
  301. client = 10-client-auth-TLSv1.3-noroot-post-handshake-client-extra
  302. [10-client-auth-TLSv1.3-noroot-post-handshake-client-extra]
  303. EnablePHA = Yes
  304. # ===========================================================
  # Same server and client sections as test-6, but [test-11] attaches a
  # "-client-extra" section with EnablePHA = Yes. The client still configures no
  # certificate; ExpectedResult = Success. Compared with test-6 (ServerFail), the
  # only difference visible in this file is the client opting in to post-handshake
  # authentication.
  305. [11-client-auth-TLSv1.3-request-force-client-post-handshake]
  306. ssl_conf = 11-client-auth-TLSv1.3-request-force-client-post-handshake-ssl
  307. [11-client-auth-TLSv1.3-request-force-client-post-handshake-ssl]
  308. server = 11-client-auth-TLSv1.3-request-force-client-post-handshake-server
  309. client = 11-client-auth-TLSv1.3-request-force-client-post-handshake-client
  310. [11-client-auth-TLSv1.3-request-force-client-post-handshake-server]
  311. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  312. CipherString = DEFAULT
  313. MaxProtocol = TLSv1.3
  314. MinProtocol = TLSv1.3
  315. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  316. VerifyMode = RequestPostHandshake
  317. [11-client-auth-TLSv1.3-request-force-client-post-handshake-client]
  318. CipherString = DEFAULT
  319. MaxProtocol = TLSv1.3
  320. MinProtocol = TLSv1.3
  321. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  322. VerifyMode = Peer
  323. [test-11]
  324. ExpectedResult = Success
  325. HandshakeMode = PostHandshakeAuth
  326. client = 11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra
  327. [11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra]
  328. EnablePHA = Yes
  329. # ===========================================================
  # The server attaches a "-server-extra" section with ForcePHA = Yes while the
  # client does not set EnablePHA. Expected outcome is ClientFail (presumably the
  # client rejects a post-handshake certificate request it never offered to
  # handle - confirm against the test harness). No alert is pinned, so any
  # client-side failure satisfies this case.
  330. [12-client-auth-TLSv1.3-request-force-server-post-handshake]
  331. ssl_conf = 12-client-auth-TLSv1.3-request-force-server-post-handshake-ssl
  332. [12-client-auth-TLSv1.3-request-force-server-post-handshake-ssl]
  333. server = 12-client-auth-TLSv1.3-request-force-server-post-handshake-server
  334. client = 12-client-auth-TLSv1.3-request-force-server-post-handshake-client
  335. [12-client-auth-TLSv1.3-request-force-server-post-handshake-server]
  336. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  337. CipherString = DEFAULT
  338. MaxProtocol = TLSv1.3
  339. MinProtocol = TLSv1.3
  340. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  341. VerifyMode = RequestPostHandshake
  342. [12-client-auth-TLSv1.3-request-force-server-post-handshake-client]
  343. CipherString = DEFAULT
  344. MaxProtocol = TLSv1.3
  345. MinProtocol = TLSv1.3
  346. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  347. VerifyMode = Peer
  348. [test-12]
  349. ExpectedResult = ClientFail
  350. HandshakeMode = PostHandshakeAuth
  351. server = 12-client-auth-TLSv1.3-request-force-server-post-handshake-server-extra
  352. [12-client-auth-TLSv1.3-request-force-server-post-handshake-server-extra]
  353. ForcePHA = Yes
  354. # ===========================================================
  # Combination of test-11 and test-12: the server sets ForcePHA = Yes and the
  # client sets EnablePHA = Yes, each through its own "-extra" section. The client
  # configures no certificate and the server VerifyMode is RequestPostHandshake;
  # ExpectedResult = Success.
  # NOTE(review): this success case authenticates no client identity. It only pins
  # that a request-mode post-handshake exchange completes when both sides have
  # enabled it.
  355. [13-client-auth-TLSv1.3-request-force-both-post-handshake]
  356. ssl_conf = 13-client-auth-TLSv1.3-request-force-both-post-handshake-ssl
  357. [13-client-auth-TLSv1.3-request-force-both-post-handshake-ssl]
  358. server = 13-client-auth-TLSv1.3-request-force-both-post-handshake-server
  359. client = 13-client-auth-TLSv1.3-request-force-both-post-handshake-client
  360. [13-client-auth-TLSv1.3-request-force-both-post-handshake-server]
  361. Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
  362. CipherString = DEFAULT
  363. MaxProtocol = TLSv1.3
  364. MinProtocol = TLSv1.3
  365. PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
  366. VerifyMode = RequestPostHandshake
  367. [13-client-auth-TLSv1.3-request-force-both-post-handshake-client]
  368. CipherString = DEFAULT
  369. MaxProtocol = TLSv1.3
  370. MinProtocol = TLSv1.3
  371. VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  372. VerifyMode = Peer
  373. [test-13]
  374. ExpectedResult = Success
  375. HandshakeMode = PostHandshakeAuth
  376. server = 13-client-auth-TLSv1.3-request-force-both-post-handshake-server-extra
  377. client = 13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra
  378. [13-client-auth-TLSv1.3-request-force-both-post-handshake-server-extra]
  379. ForcePHA = Yes
  380. [13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra]
  381. EnablePHA = Yes