test-altchains.conf 11 KB

  1. # Tests using a longer certificate chain (with intermediate CAs). Each case is a server argument set followed by the matching client argument set; -v 3 selects TLS 1.2, -v 4 selects TLS 1.3 and -l pins the cipher suite named in the case comment
  2. # The tests with chains have CRL checking disabled (-V on every server entry, -C on every client entry), so certificate revocation is not exercised by this file
  3. # CRLs are only loaded for trusted CAs; to check CRLs for a chain, both the root and the intermediate CAs must be loaded as trusted
  4. # For these tests the root CA is loaded as trusted (-A) and the intermediate and peer certs are sent to the other side (-c), with the matching private key given by -k
  5. # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
  6. -v 3
  7. -l DHE-RSA-AES128-GCM-SHA256
  8. -A ./certs/ca-cert.pem
  9. -k ./certs/server-key.pem
  10. -c ./certs/intermediate/server-chain.pem
  11. -V
  12. # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
  13. -v 3
  14. -l DHE-RSA-AES128-GCM-SHA256
  15. -A ./certs/ca-cert.pem
  16. -k ./certs/client-key.pem
  17. -c ./certs/intermediate/client-chain.pem
  18. -C
  19. # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
  20. -v 3
  21. -l ECDHE-RSA-AES128-GCM-SHA256
  22. -A ./certs/ca-cert.pem
  23. -k ./certs/server-key.pem
  24. -c ./certs/intermediate/server-chain.pem
  25. -V
  26. # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
  27. -v 3
  28. -l ECDHE-RSA-AES128-GCM-SHA256
  29. -A ./certs/ca-cert.pem
  30. -k ./certs/client-key.pem
  31. -c ./certs/intermediate/client-chain.pem
  32. -C
  33. # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
  34. -v 3
  35. -l ECDHE-ECDSA-AES128-GCM-SHA256
  36. -A ./certs/ca-ecc-cert.pem
  37. -k ./certs/ecc-key.pem
  38. -c ./certs/intermediate/server-chain-ecc.pem
  39. -V
  40. # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
  41. -v 3
  42. -l ECDHE-ECDSA-AES128-GCM-SHA256
  43. -A ./certs/ca-ecc-cert.pem
  44. -k ./certs/ecc-client-key.pem
  45. -c ./certs/intermediate/client-chain-ecc.pem
  46. -C
  47. # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
  48. -v 4
  49. -l TLS13-AES128-GCM-SHA256
  50. -A ./certs/ca-cert.pem
  51. -k ./certs/server-key.pem
  52. -c ./certs/intermediate/server-chain.pem
  53. -V
  54. # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
  55. -v 4
  56. -l TLS13-AES128-GCM-SHA256
  57. -A ./certs/ca-cert.pem
  58. -k ./certs/client-key.pem
  59. -c ./certs/intermediate/client-chain.pem
  60. -C
  61. # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
  62. -v 4
  63. -l TLS13-AES128-GCM-SHA256
  64. -A ./certs/ca-ecc-cert.pem
  65. -k ./certs/ecc-key.pem
  66. -c ./certs/intermediate/server-chain-ecc.pem
  67. -V
  68. # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
  69. -v 4
  70. -l TLS13-AES128-GCM-SHA256
  71. -A ./certs/ca-ecc-cert.pem
  72. -k ./certs/ecc-client-key.pem
  73. -c ./certs/intermediate/client-chain-ecc.pem
  74. -C
  75. # Partial chain: the intermediate CA (ca-int2-cert.pem / ca-int2-ecc-cert.pem) is the only cert passed as trusted (-A) and each side presents just its peer cert (-c); no root CA is passed in these cases, so the intermediate acts as the trust anchor. CRL checking stays disabled (-V / -C)
  76. # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
  77. -v 3
  78. -l DHE-RSA-AES128-GCM-SHA256
  79. -A ./certs/intermediate/ca-int2-cert.pem
  80. -k ./certs/server-key.pem
  81. -c ./certs/intermediate/server-int-cert.pem
  82. -V
  83. # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
  84. -v 3
  85. -l DHE-RSA-AES128-GCM-SHA256
  86. -A ./certs/intermediate/ca-int2-cert.pem
  87. -k ./certs/client-key.pem
  88. -c ./certs/intermediate/client-int-cert.pem
  89. -C
  90. # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
  91. -v 3
  92. -l ECDHE-RSA-AES128-GCM-SHA256
  93. -A ./certs/intermediate/ca-int2-cert.pem
  94. -k ./certs/server-key.pem
  95. -c ./certs/intermediate/server-int-cert.pem
  96. -V
  97. # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
  98. -v 3
  99. -l ECDHE-RSA-AES128-GCM-SHA256
  100. -A ./certs/intermediate/ca-int2-cert.pem
  101. -k ./certs/client-key.pem
  102. -c ./certs/intermediate/client-int-cert.pem
  103. -C
  104. # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
  105. -v 3
  106. -l ECDHE-ECDSA-AES128-GCM-SHA256
  107. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  108. -k ./certs/ecc-key.pem
  109. -c ./certs/intermediate/server-int-ecc-cert.pem
  110. -V
  111. # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
  112. -v 3
  113. -l ECDHE-ECDSA-AES128-GCM-SHA256
  114. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  115. -k ./certs/ecc-client-key.pem
  116. -c ./certs/intermediate/client-int-ecc-cert.pem
  117. -C
  118. # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
  119. -v 4
  120. -l TLS13-AES128-GCM-SHA256
  121. -A ./certs/intermediate/ca-int2-cert.pem
  122. -k ./certs/server-key.pem
  123. -c ./certs/intermediate/server-int-cert.pem
  124. -V
  125. # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
  126. -v 4
  127. -l TLS13-AES128-GCM-SHA256
  128. -A ./certs/intermediate/ca-int2-cert.pem
  129. -k ./certs/client-key.pem
  130. -c ./certs/intermediate/client-int-cert.pem
  131. -C
  132. # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
  133. -v 4
  134. -l TLS13-AES128-GCM-SHA256
  135. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  136. -k ./certs/ecc-key.pem
  137. -c ./certs/intermediate/server-int-ecc-cert.pem
  138. -V
  139. # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
  140. -v 4
  141. -l TLS13-AES128-GCM-SHA256
  142. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  143. -k ./certs/ecc-client-key.pem
  144. -c ./certs/intermediate/client-int-ecc-cert.pem
  145. -C
  146. # Alternate chain: the root CA is loaded as trusted (-A) and the presented chain file (*-chain-alt*.pem) contains an extra cert. NOTE(review): presumably the extra cert is not needed to build the path to the trusted root and the verifier is expected to tolerate it - confirm against the chain-alt files. CRL checking stays disabled (-V / -C)
  147. # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
  148. -v 3
  149. -l DHE-RSA-AES128-GCM-SHA256
  150. -A ./certs/ca-cert.pem
  151. -k ./certs/server-key.pem
  152. -c ./certs/intermediate/server-chain-alt.pem
  153. -V
  154. # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
  155. -v 3
  156. -l DHE-RSA-AES128-GCM-SHA256
  157. -A ./certs/ca-cert.pem
  158. -k ./certs/client-key.pem
  159. -c ./certs/intermediate/client-chain-alt.pem
  160. -C
  161. # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
  162. -v 3
  163. -l ECDHE-RSA-AES128-GCM-SHA256
  164. -A ./certs/ca-cert.pem
  165. -k ./certs/server-key.pem
  166. -c ./certs/intermediate/server-chain-alt.pem
  167. -V
  168. # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
  169. -v 3
  170. -l ECDHE-RSA-AES128-GCM-SHA256
  171. -A ./certs/ca-cert.pem
  172. -k ./certs/client-key.pem
  173. -c ./certs/intermediate/client-chain-alt.pem
  174. -C
  175. # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain
  176. -v 3
  177. -l ECDHE-ECDSA-AES128-GCM-SHA256
  178. -A ./certs/ca-ecc-cert.pem
  179. -k ./certs/ecc-key.pem
  180. -c ./certs/intermediate/server-chain-alt-ecc.pem
  181. -V
  182. # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain
  183. -v 3
  184. -l ECDHE-ECDSA-AES128-GCM-SHA256
  185. -A ./certs/ca-ecc-cert.pem
  186. -k ./certs/ecc-client-key.pem
  187. -c ./certs/intermediate/client-chain-alt-ecc.pem
  188. -C
  189. # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain
  190. -v 4
  191. -l TLS13-AES128-GCM-SHA256
  192. -A ./certs/ca-cert.pem
  193. -k ./certs/server-key.pem
  194. -c ./certs/intermediate/server-chain-alt.pem
  195. -V
  196. # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain
  197. -v 4
  198. -l TLS13-AES128-GCM-SHA256
  199. -A ./certs/ca-cert.pem
  200. -k ./certs/client-key.pem
  201. -c ./certs/intermediate/client-chain-alt.pem
  202. -C
  203. # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain
  204. -v 4
  205. -l TLS13-AES128-GCM-SHA256
  206. -A ./certs/ca-ecc-cert.pem
  207. -k ./certs/ecc-key.pem
  208. -c ./certs/intermediate/server-chain-alt-ecc.pem
  209. -V
  210. # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain
  211. -v 4
  212. -l TLS13-AES128-GCM-SHA256
  213. -A ./certs/ca-ecc-cert.pem
  214. -k ./certs/ecc-client-key.pem
  215. -c ./certs/intermediate/client-chain-alt-ecc.pem
  216. -C
  217. # Partial trusted chain: only the intermediate2 CA is loaded as trusted (-A) while the full chain file is presented (-c), so the presented chain also carries an intermediate CA cert that is not trusted. Revocation is not checked for any cert in the chain (-V / -C). NOTE(review): presumably these cases only apply to builds with alternate certificate chain support, going by the file name - confirm in the test harness
  218. # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  219. -v 3
  220. -l DHE-RSA-AES128-GCM-SHA256
  221. -A ./certs/intermediate/ca-int2-cert.pem
  222. -k ./certs/server-key.pem
  223. -c ./certs/intermediate/server-chain.pem
  224. -V
  225. # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  226. -v 3
  227. -l DHE-RSA-AES128-GCM-SHA256
  228. -A ./certs/intermediate/ca-int2-cert.pem
  229. -k ./certs/client-key.pem
  230. -c ./certs/intermediate/client-chain.pem
  231. -C
  232. # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  233. -v 3
  234. -l ECDHE-RSA-AES128-GCM-SHA256
  235. -A ./certs/intermediate/ca-int2-cert.pem
  236. -k ./certs/server-key.pem
  237. -c ./certs/intermediate/server-chain.pem
  238. -V
  239. # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  240. -v 3
  241. -l ECDHE-RSA-AES128-GCM-SHA256
  242. -A ./certs/intermediate/ca-int2-cert.pem
  243. -k ./certs/client-key.pem
  244. -c ./certs/intermediate/client-chain.pem
  245. -C
  246. # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
  247. -v 3
  248. -l ECDHE-ECDSA-AES128-GCM-SHA256
  249. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  250. -k ./certs/ecc-key.pem
  251. -c ./certs/intermediate/server-chain-ecc.pem
  252. -V
  253. # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
  254. -v 3
  255. -l ECDHE-ECDSA-AES128-GCM-SHA256
  256. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  257. -k ./certs/ecc-client-key.pem
  258. -c ./certs/intermediate/client-chain-ecc.pem
  259. -C
  260. # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
  261. -v 4
  262. -l TLS13-AES128-GCM-SHA256
  263. -A ./certs/intermediate/ca-int2-cert.pem
  264. -k ./certs/server-key.pem
  265. -c ./certs/intermediate/server-chain.pem
  266. -V
  267. # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
  268. -v 4
  269. -l TLS13-AES128-GCM-SHA256
  270. -A ./certs/intermediate/ca-int2-cert.pem
  271. -k ./certs/client-key.pem
  272. -c ./certs/intermediate/client-chain.pem
  273. -C
  274. # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
  275. -v 4
  276. -l TLS13-AES128-GCM-SHA256
  277. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  278. -k ./certs/ecc-key.pem
  279. -c ./certs/intermediate/server-chain-ecc.pem
  280. -V
  281. # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
  282. -v 4
  283. -l TLS13-AES128-GCM-SHA256
  284. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  285. -k ./certs/ecc-client-key.pem
  286. -c ./certs/intermediate/client-chain-ecc.pem
  287. -C
  288. # Partial trusted chain with verify callback: only the intermediate2 CA is loaded as trusted (-A) and the full chain is presented (-c), so the presented chain also carries an intermediate CA cert that is not trusted. CRL checking stays disabled (-V / -C)
  289. # The client entries add -H verifyInfo: these tests use the verify callback (myVerify), which passes the preverify value through as its result, so the callback itself does not turn a failed verification into a success. The server entries carry no -H option
  290. # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  291. -v 3
  292. -l DHE-RSA-AES128-GCM-SHA256
  293. -A ./certs/intermediate/ca-int2-cert.pem
  294. -k ./certs/server-key.pem
  295. -c ./certs/intermediate/server-chain.pem
  296. -V
  297. # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  298. -v 3
  299. -l DHE-RSA-AES128-GCM-SHA256
  300. -A ./certs/intermediate/ca-int2-cert.pem
  301. -k ./certs/client-key.pem
  302. -c ./certs/intermediate/client-chain.pem
  303. -C
  304. -H verifyInfo
  305. # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  306. -v 3
  307. -l ECDHE-RSA-AES128-GCM-SHA256
  308. -A ./certs/intermediate/ca-int2-cert.pem
  309. -k ./certs/server-key.pem
  310. -c ./certs/intermediate/server-chain.pem
  311. -V
  312. # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
  313. -v 3
  314. -l ECDHE-RSA-AES128-GCM-SHA256
  315. -A ./certs/intermediate/ca-int2-cert.pem
  316. -k ./certs/client-key.pem
  317. -c ./certs/intermediate/client-chain.pem
  318. -C
  319. -H verifyInfo
  320. # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
  321. -v 3
  322. -l ECDHE-ECDSA-AES128-GCM-SHA256
  323. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  324. -k ./certs/ecc-key.pem
  325. -c ./certs/intermediate/server-chain-ecc.pem
  326. -V
  327. # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
  328. -v 3
  329. -l ECDHE-ECDSA-AES128-GCM-SHA256
  330. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  331. -k ./certs/ecc-client-key.pem
  332. -c ./certs/intermediate/client-chain-ecc.pem
  333. -C
  334. -H verifyInfo
  335. # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
  336. -v 4
  337. -l TLS13-AES128-GCM-SHA256
  338. -A ./certs/intermediate/ca-int2-cert.pem
  339. -k ./certs/server-key.pem
  340. -c ./certs/intermediate/server-chain.pem
  341. -V
  342. # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
  343. -v 4
  344. -l TLS13-AES128-GCM-SHA256
  345. -A ./certs/intermediate/ca-int2-cert.pem
  346. -k ./certs/client-key.pem
  347. -c ./certs/intermediate/client-chain.pem
  348. -C
  349. -H verifyInfo
  350. # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
  351. -v 4
  352. -l TLS13-AES128-GCM-SHA256
  353. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  354. -k ./certs/ecc-key.pem
  355. -c ./certs/intermediate/server-chain-ecc.pem
  356. -V
  357. # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
  358. -v 4
  359. -l TLS13-AES128-GCM-SHA256
  360. -A ./certs/intermediate/ca-int2-ecc-cert.pem
  361. -k ./certs/ecc-client-key.pem
  362. -c ./certs/intermediate/client-chain-ecc.pem
  363. -C
  364. -H verifyInfo