1
0

ocsp-stapling.test 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530
  1. #!/usr/bin/env bash
  2. # ocsp-stapling.test
  3. # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
  4. # Note, this script makes connection(s) to the public Internet.
  5. SCRIPT_DIR="$(dirname "$0")"
  6. if [[ -z "${RETRIES_REMAINING-}" ]]; then
  7. export RETRIES_REMAINING=2
  8. fi
  9. if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then
  10. echo 'skipping oscp-stapling.test because WOLFSSL_EXTERNAL_TEST is \
  11. defined to the value 0.'
  12. exit 77
  13. fi
  14. if ! ./examples/client/client -V | grep -q 3; then
  15. echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
  16. exit 77
  17. fi
  18. if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
  19. echo 'skipping oscp-stapling.test because WOLFSSL_SNIFFER defined.'
  20. exit 77
  21. fi
  22. if ./examples/client/client -V | grep -q 4; then
  23. tls13=yes
  24. fi
  25. if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
  26. dtls13=yes
  27. fi
  28. ./examples/client/client '-?' 2>&1 | grep -- 'Perform multi OCSP stapling for TLS13'
  29. if [ $? -eq 0 ]; then
  30. tls13multi=yes
  31. else
  32. tls13multi=no
  33. fi
  34. if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
  35. IPV6_SUPPORTED=yes
  36. else
  37. IPV6_SUPPORTED=no
  38. fi
  39. if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
  40. if [[ "$IPV6_SUPPORTED" == "no" ]]; then
  41. echo 'Skipping IPV6 test in environment lacking IPV6 support.'
  42. exit 77
  43. fi
  44. LOCALHOST='[::1]'
  45. LOCALHOST_FOR_NC='::1'
  46. V4V6=6
  47. V4V6_FLAG=-6
  48. else
  49. LOCALHOST='127.0.0.1'
  50. LOCALHOST_FOR_NC='127.0.0.1'
  51. if [[ "$IPV6_SUPPORTED" == "yes" ]]; then
  52. V4V6_FLAG=-4
  53. else
  54. V4V6_FLAG=
  55. fi
  56. V4V6=4
  57. fi
  58. PARENTDIR="$PWD"
  59. # create a unique workspace directory ending in PID for the script instance ($$)
  60. # to make this instance orthogonal to any others running, even on same repo.
  61. # TCP ports are also carefully formed below from the PID, to minimize conflicts.
  62. WORKSPACE="${PARENTDIR}/workspace.pid$$"
  63. mkdir "${WORKSPACE}" || exit $?
  64. cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
  65. cd "$WORKSPACE" || exit $?
  66. ln -s ../examples
  67. CERT_DIR="./certs/ocsp"
  68. ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$
  69. ready_file2="$WORKSPACE"/wolf_ocsp_s1_readyF2$$
  70. printf '%s\n' "ready file: \"$ready_file\""
  71. test_cnf="ocsp_s1.cnf"
  72. wait_for_readyFile(){
  73. counter=0
  74. while [ ! -s "$1" -a "$counter" -lt 20 ]; do
  75. if [[ -n "${2-}" ]]; then
  76. if ! kill -0 $2 2>&-; then
  77. echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
  78. exit 1
  79. fi
  80. fi
  81. echo -e "waiting for ready file..."
  82. sleep 0.1
  83. counter=$((counter+ 1))
  84. done
  85. if test -e "$1"; then
  86. echo -e "found ready file, starting client..."
  87. else
  88. echo -e "NO ready file at \"$1\" -- ending test..."
  89. exit 1
  90. fi
  91. }
  92. remove_single_rF(){
  93. if test -e "$1"; then
  94. printf '%s\n' "removing ready file: \"$1\""
  95. rm "$1"
  96. fi
  97. }
  98. #create a configure file for cert generation with the port 0 solution
  99. create_new_cnf() {
  100. printf '%s\n' "Random Port Selected: $1"
  101. printf '%s\n' "#" > $test_cnf
  102. printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
  103. printf '%s\n' "#" >> $test_cnf
  104. printf '%s\n' "" >> $test_cnf
  105. printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
  106. printf '%s\n' "[ v3_req1 ]" >> $test_cnf
  107. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  108. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  109. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  110. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  111. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
  112. printf '%s\n' "" >> $test_cnf
  113. printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
  114. printf '%s\n' "[ v3_req2 ]" >> $test_cnf
  115. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  116. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  117. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  118. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  119. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
  120. printf '%s\n' "" >> $test_cnf
  121. printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
  122. printf '%s\n' "[ v3_req3 ]" >> $test_cnf
  123. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  124. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  125. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  126. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  127. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
  128. printf '%s\n' "" >> $test_cnf
  129. printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
  130. printf '%s\n' "[ v3_ca ]" >> $test_cnf
  131. printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
  132. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  133. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  134. printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
  135. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
  136. printf '%s\n' "" >> $test_cnf
  137. printf '%s\n' "# OCSP extensions." >> $test_cnf
  138. printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
  139. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  140. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  141. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  142. printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
  143. mv $test_cnf $CERT_DIR/$test_cnf
  144. cd $CERT_DIR
  145. CURR_LOC="$PWD"
  146. printf '%s\n' "echo now in $CURR_LOC"
  147. ./renewcerts-for-test.sh $test_cnf
  148. cd "$WORKSPACE"
  149. }
  150. remove_ready_file() {
  151. if test -e "$ready_file"; then
  152. printf '%s\n' "removing ready file"
  153. rm "$ready_file"
  154. fi
  155. if test -e "$ready_file2"; then
  156. printf '%s\n' "removing ready file: \"$ready_file2\""
  157. rm "$ready_file2"
  158. fi
  159. }
  160. cleanup()
  161. {
  162. exit_status=$?
  163. for i in $(jobs -pr)
  164. do
  165. kill -s KILL "$i"
  166. done
  167. remove_ready_file
  168. rm $CERT_DIR/$test_cnf
  169. cd "$PARENTDIR" || return 1
  170. rm -r "$WORKSPACE" || return 1
  171. if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
  172. echo "retrying..."
  173. RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
  174. exec $0 "$@"
  175. fi
  176. }
  177. trap cleanup EXIT INT TERM HUP
  178. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  179. ./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
  180. if [ $? -eq 0 ]; then
  181. exit 0
  182. fi
  183. # check if supported key size is large enough to handle 4096 bit RSA
  184. size="$(./examples/client/client '-?' | grep "Max RSA key")"
  185. size="${size//[^0-9]/}"
  186. if [ ! -z "$size" ]; then
  187. printf 'check on max key size of %d ...' $size
  188. if [ $size -lt 4096 ]; then
  189. printf '%s\n' "4096 bit RSA keys not supported"
  190. exit 0
  191. fi
  192. printf 'OK\n'
  193. fi
  194. # choose consecutive ports based on the PID, skipping any that are
  195. # already bound, to avoid the birthday problem in case other
  196. # instances are sharing this host.
  197. get_first_free_port() {
  198. local ret="$1"
  199. while :; do
  200. if [[ "$ret" -ge 65536 ]]; then
  201. ret=1024
  202. fi
  203. if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then
  204. break
  205. fi
  206. ret=$((ret+1))
  207. done
  208. echo "$ret"
  209. return 0
  210. }
  211. base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
  212. port1=$(get_first_free_port $base_port)
  213. port2=$(get_first_free_port $((port1 + 1)))
  214. port3=$(get_first_free_port $((port2 + 1)))
  215. # test interop fail case
  216. ready_file=$PWD/wolf_ocsp_readyF$$
  217. printf '%s\n' "ready file: \"$ready_file\""
  218. ./examples/server/server -b -p $port1 -o -R "$ready_file" &
  219. wolf_pid=$!
  220. wait_for_readyFile "$ready_file" $wolf_pid $port1
  221. if [ ! -f "$ready_file" ]; then
  222. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  223. exit 1
  224. else
  225. # should fail if ocspstapling is also enabled
  226. OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1)
  227. OPENSSL_RESULT=$?
  228. echo "$OPENSSL_OUTPUT"
  229. fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
  230. FGREP1_RESULT=$?
  231. fgrep -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
  232. FGREP2_RESULT=$?
  233. if [ $OPENSSL_RESULT -eq 0 -a $FGREP1_RESULT -ne 0 -a $FGREP2_RESULT -ne 0 ]; then
  234. printf '%s\n' "Expected verification error from s_client is missing."
  235. remove_single_rF "$ready_file"
  236. exit 1
  237. fi
  238. remove_single_rF "$ready_file"
  239. wait $wolf_pid
  240. if [ $? -ne 0 ]; then
  241. printf '%s\n' "wolfSSL server unexpected fail"
  242. exit 1
  243. fi
  244. fi
  245. # create a port to use with openssl ocsp responder
  246. ./examples/server/server -b -p $port2 -R "$ready_file" &
  247. wolf_pid2=$!
  248. wait_for_readyFile "$ready_file" $wolf_pid2 $port2
  249. if [ ! -f "$ready_file" ]; then
  250. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  251. exit 1
  252. else
  253. printf '%s\n' "Random port selected: $port2"
  254. # Use client connection to shutdown the server cleanly
  255. ./examples/client/client -p $port2
  256. create_new_cnf $port2
  257. fi
  258. sleep 0.1
  259. # is our desired server there? - login.live.com doesn't answers PING
  260. #./scripts/ping.test $server 2
  261. # client test against the server
  262. server=login.live.com
  263. #ca=certs/external/baltimore-cybertrust-root.pem
  264. ca=./certs/external/ca_collection.pem
  265. if [[ "$V4V6" == "4" ]]; then
  266. ./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
  267. RESULT=$?
  268. [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
  269. else
  270. echo "Skipping OCSP test on $server (IPv6 test client)"
  271. fi
  272. # Test with example server
  273. ./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
  274. if [ $? -eq 0 ]; then
  275. exit 0
  276. fi
  277. # setup ocsp responder
  278. # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
  279. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  280. # purposes!
  281. openssl ocsp -port $port2 -nmin 1 \
  282. -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
  283. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  284. -rkey certs/ocsp/ocsp-responder-key.pem \
  285. -CA certs/ocsp/intermediate1-ca-cert.pem \
  286. "$@" &
  287. sleep 0.1
  288. # "jobs" is not portable for posix. Must use bash interpreter!
  289. [ $(jobs -r | wc -l) -ne 1 ] && \
  290. printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
  291. printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
  292. # client test against our own server - GOOD CERT
  293. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  294. -k certs/ocsp/server1-key.pem -p $port3 &
  295. wolf_pid3=$!
  296. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  297. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
  298. RESULT=$?
  299. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
  300. printf '%s\n\n' "Test PASSED!"
  301. printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
  302. # client test against our own server - REVOKED CERT
  303. remove_single_rF "$ready_file2"
  304. ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
  305. -k certs/ocsp/server2-key.pem -p $port3 &
  306. wolf_pid3=$!
  307. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  308. sleep 0.1
  309. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
  310. RESULT=$?
  311. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
  312. && exit 1
  313. printf '%s\n\n' "Test successfully REVOKED!"
  314. if [[ ("$tls13" == "yes") && ("$tls13multi" == "no") ]]; then
  315. printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
  316. # client test against our own server - GOOD CERT
  317. remove_single_rF "$ready_file2"
  318. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  319. -k certs/ocsp/server1-key.pem -v 4 \
  320. -p $port3 &
  321. wolf_pid3=$!
  322. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  323. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
  324. -p $port3
  325. RESULT=$?
  326. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
  327. printf '%s\n\n' "Test PASSED!"
  328. printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
  329. # client test against our own server, must staple - GOOD CERT
  330. remove_single_rF "$ready_file2"
  331. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  332. -k certs/ocsp/server1-key.pem -v 4 \
  333. -p $port3 &
  334. wolf_pid3=$!
  335. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  336. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
  337. -p $port3
  338. RESULT=$?
  339. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
  340. printf '%s\n\n' "Test PASSED!"
  341. printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
  342. # client test against our own server - REVOKED CERT
  343. remove_single_rF "$ready_file2"
  344. ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
  345. -k certs/ocsp/server2-key.pem -v 4 \
  346. -p $port3 &
  347. wolf_pid3=$!
  348. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  349. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
  350. -p $port3
  351. RESULT=$?
  352. [ $RESULT -ne 1 ] && \
  353. printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
  354. && exit 1
  355. printf '%s\n\n' "Test successfully REVOKED!"
  356. else
  357. echo 'skipping TLS1.3 stapling tests.' 1>&2
  358. fi
  359. # DTLS 1.2 and 1.3 cases
  360. if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then
  361. printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
  362. # client test against our own server, must staple - GOOD CERT
  363. echo $ready_file2
  364. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  365. -k certs/ocsp/server1-key.pem -u -v 3 \
  366. -p $port3 &
  367. wolf_pid3=$!
  368. sleep 0.2
  369. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \
  370. -W 1 -p $port3
  371. RESULT=$?
  372. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
  373. printf '%s\n\n' "Test PASSED!"
  374. fi
  375. if [[ ("$dtls13" == "yes") && ("$tls13multi" == "no") ]]; then
  376. printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------"
  377. # client test against our own server, must staple - GOOD CERT
  378. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  379. -k certs/ocsp/server1-key.pem -u -v 4 \
  380. -p $port3 &
  381. wolf_pid3=$!
  382. sleep 0.2
  383. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \
  384. -W 1 -p $port3
  385. RESULT=$?
  386. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
  387. printf '%s\n\n' "Test PASSED!"
  388. fi
  389. # need a unique port since may run the same time as testsuite
  390. generate_port() {
  391. #-------------------------------------------------------------------------#
  392. # Generate a random port number
  393. #-------------------------------------------------------------------------#
  394. if [[ "$OSTYPE" == "linux"* ]]; then
  395. port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
  396. elif [[ "$OSTYPE" == "darwin"* ]]; then
  397. port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
  398. else
  399. echo "Unknown OS TYPE"
  400. exit 1
  401. fi
  402. }
  403. # Start OpenSSL server that has no OCSP responses to return
  404. generate_port
  405. openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
  406. openssl_pid=$!
  407. MAX_TIMEOUT=10
  408. until nc -z localhost $port # Wait for openssl to be ready
  409. do
  410. sleep 0.05
  411. if [ "$MAX_TIMEOUT" == "0" ]; then
  412. break
  413. fi
  414. ((MAX_TIMEOUT--))
  415. done
  416. printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
  417. # client asks for OCSP staple but doesn't fail when none returned
  418. ./examples/client/client -p $port -g -v 3 -W 1
  419. RESULT=$?
  420. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
  421. printf '%s\n\n' "Test PASSED!"
  422. printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
  423. # client asks for OCSP staple but doesn't fail when none returned
  424. ./examples/client/client -p $port -g -v 3 -W 1m
  425. RESULT=$?
  426. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
  427. && exit 1
  428. printf '%s\n\n' "Test PASSED!"
  429. openssl ciphers -tls1_3
  430. openssl_tls13=$?
  431. ./examples/client/client -V | grep -q 4
  432. wolfssl_tls13=$?
  433. if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then
  434. printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
  435. # client asks for OCSP staple but doesn't fail when none returned
  436. ./examples/client/client -p $port -g -v 4 -W 1
  437. RESULT=$?
  438. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
  439. printf '%s\n\n' "Test PASSED!"
  440. printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
  441. # client asks for OCSP staple but doesn't fail when none returned
  442. ./examples/client/client -p $port -g -v 4 -W 1m
  443. RESULT=$?
  444. [ $RESULT -ne 1 ] \
  445. && printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
  446. && exit 1
  447. printf '%s\n\n' "Test PASSED!"
  448. else
  449. echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2
  450. if [ "$openssl_tls13" != "0" ]; then
  451. echo -n ' OpenSSL' 1>&2
  452. fi
  453. if [ "$wolfssl_tls13" != "0" ]; then
  454. if [ "$openssl_tls13" != "0" ]; then
  455. echo -n ' and' 1>&2
  456. fi
  457. echo -n ' wolfSSL' 1>&2
  458. fi
  459. echo -n ' missing TLS1.3 support.' 1>&2
  460. fi
  461. printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
  462. exit 0