28-seclevel.cnf.in 3.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586
  1. # -*- mode: perl; -*-
  2. # Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. ## SSL test configurations
  9. package ssltests;
  10. use OpenSSL::Test::Utils;
  11. our $fips_mode;
  12. our @tests = (
  13. {
  14. name => "SECLEVEL 3 with default key",
  15. server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
  16. client => { },
  17. test => { "ExpectedResult" => "ServerFail" },
  18. },
  19. );
  20. our @tests_ec = (
  21. {
  22. name => "SECLEVEL 4 with ED448 key",
  23. server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  24. "Certificate" => test_pem("server-ed448-cert.pem"),
  25. "PrivateKey" => test_pem("server-ed448-key.pem") },
  26. client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  27. "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  28. test => { "ExpectedResult" => "Success" },
  29. },
  30. {
  31. # The Ed488 signature algorithm will not be enabled.
  32. # Because of the config order, the certificate is first loaded, and
  33. # then the security level is chaged. If you try this with s_server
  34. # the order will be reversed and it will instead fail to load the key.
  35. name => "SECLEVEL 5 server with ED448 key",
  36. server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  37. "Certificate" => test_pem("server-ed448-cert.pem"),
  38. "PrivateKey" => test_pem("server-ed448-key.pem") },
  39. client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  40. "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  41. test => { "ExpectedResult" => "ServerFail" },
  42. },
  43. {
  44. # The client will not sent the Ed488 signature algorithm, so the server
  45. # doesn't have a useable signature algorithm for the certificate.
  46. name => "SECLEVEL 5 client with ED448 key",
  47. server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  48. "Certificate" => test_pem("server-ed448-cert.pem"),
  49. "PrivateKey" => test_pem("server-ed448-key.pem") },
  50. client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  51. "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  52. test => { "ExpectedResult" => "ServerFail" },
  53. },
  54. {
  55. name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
  56. server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  57. "Certificate" => test_pem("p384-server-cert.pem"),
  58. "PrivateKey" => test_pem("p384-server-key.pem"),
  59. "Groups" => "X25519" },
  60. client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
  61. "VerifyCAFile" => test_pem("p384-root.pem") },
  62. test => { "ExpectedResult" => "Success" },
  63. },
  64. );
  65. our @tests_tls1_2 = (
  66. {
  67. name => "SECLEVEL 3 with ED448 key, TLSv1.2",
  68. server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  69. "Certificate" => test_pem("server-ed448-cert.pem"),
  70. "PrivateKey" => test_pem("server-ed448-key.pem"),
  71. "MaxProtocol" => "TLSv1.2" },
  72. client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  73. test => { "ExpectedResult" => "Success" },
  74. },
  75. );
  76. #TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
  77. push @tests, @tests_ec unless disabled("ec") || $fips_mode;
  78. push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;