From 843f5bb06cb921bf104e23533242ef5f374dbe13 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 23 Aug 2019 17:17:09 +0100 Subject: [PATCH] ssl-opt.sh: Configure trusted CA explicitly ssl_client2 and ssl_server2 either allow loading specific CRTs and CAs from files, or to leave them unspecified, in which case they're automatically picked from the test certificates. The test certificates should be chosen in a way that when not specifying any CRT or CA parameters, the automatically chosen ones match - but if one of them is specified but not the other, one should not expect tests to succeed. With the recent switch to Secp256r1-based test certificates, the default test certificates have changed, which breaks some ssl-opt.sh tests which specify the server CRT explicitly but not the client trusted CAs. This commit fixes this by specifying the client's trusted CA explicitly in accordance with the explicitly specified server CRT. --- tests/ssl-opt.sh | 214 +++++++++++++++++++++++++++++++---------------- 1 file changed, 142 insertions(+), 72 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5ad73d693..3fd1f3973 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1139,14 +1139,14 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 # Tests for SHA-1 support @@ -2187,7 +2187,7 @@ run_test "Fallback SCSV: enabled, max version" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: default, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \ 0 \ -C "adding FALLBACK_SCSV" \ -C "is a fatal alert message (msg 86)" @@ -2195,7 +2195,7 @@ run_test "Fallback SCSV: default, openssl server" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "adding FALLBACK_SCSV" \ -c "is a fatal alert message (msg 86)" @@ -2426,7 +2426,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ @@ -2517,7 +2517,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ @@ -2658,7 +2658,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2784,7 +2784,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2893,7 +2893,7 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ "$G_SRV" \ - "$P_CLI debug_level=3 max_frag_len=4096" \ + "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \ 0 \ -c "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ @@ -3235,7 +3235,7 @@ run_test "Renegotiation: nbio, server-initiated" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3248,7 +3248,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3261,7 +3261,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "client hello, adding renegotiation extension" \ -C "found renegotiation extension" \ @@ -3274,7 +3274,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=0" \ 1 \ -c "client hello, adding renegotiation extension" \ @@ -3288,7 +3288,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -3345,7 +3345,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ - "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3359,7 +3359,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ requires_gnutls run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found renegotiation extension" \ -C "error" \ @@ -3368,7 +3368,7 @@ run_test "Renego ext: gnutls server strict, client default" \ requires_gnutls run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found renegotiation extension" \ -C "error" \ @@ -3385,7 +3385,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ requires_gnutls run_test "Renego ext: gnutls client strict, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3393,7 +3393,7 @@ run_test "Renego ext: gnutls client strict, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3401,7 +3401,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server break legacy" \ - "$P_SRV debug_level=3 allow_legacy=-1" \ + "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 1 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3550,7 +3550,7 @@ run_test "Authentication: server badcert, client none" \ -C "X509 - Certificate verification failed" run_test "Authentication: client SHA256, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ @@ -3558,7 +3558,7 @@ run_test "Authentication: client SHA256, server required" \ -c "Supported Signature Algorithm found: 5," run_test "Authentication: client SHA384, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3692,7 +3692,7 @@ run_test "Authentication: client no cert, server optional" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Authentication: openssl client no cert, server optional" \ - "$P_SRV debug_level=3 auth_mode=optional" \ + "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ 0 \ -S "skip write certificate request" \ @@ -3703,7 +3703,7 @@ run_test "Authentication: openssl client no cert, server optional" \ run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 0 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3713,7 +3713,7 @@ run_test "Authentication: client no cert, openssl server optional" \ run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 1 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3827,14 +3827,14 @@ run_test "Authentication: client max_int chain, server required" \ # Tests for CA list in CertificateRequest messages run_test "Authentication: send CA list in CertificateRequest (default)" \ - "$P_SRV debug_level=3 auth_mode=required" \ + "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ -s "requested DN" run_test "Authentication: do not send CA list in CertificateRequest" \ - "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ + "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ @@ -3861,7 +3861,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_2" \ + "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" @@ -3872,7 +3872,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3883,7 +3883,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3894,7 +3894,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ key_file=data_files/server5.key \ crt_file2=data_files/server6.crt \ key_file2=data_files/server6.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*09" \ -c "signed using.*ECDSA with SHA256" \ @@ -3906,7 +3906,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ key_file=data_files/server6.key \ crt_file2=data_files/server5.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*0A" \ -c "signed using.*ECDSA with SHA256" \ @@ -3918,7 +3918,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -3929,7 +3929,7 @@ run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4060,7 +4060,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -4071,7 +4071,7 @@ run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4082,7 +4082,7 @@ run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=polarssl.example dtls=1" \ + "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4552,7 +4552,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ds.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" @@ -4560,14 +4560,14 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDH-" run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ke.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 \ -C "Ciphersuite is " @@ -4706,25 +4706,25 @@ run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ run_test "extKeyUsage srv: serverAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cs_any.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cli.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 # Tests for extendedKeyUsage, part 2: client-side checking of server cert @@ -4732,7 +4732,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4741,7 +4741,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4750,7 +4750,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4759,7 +4759,7 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ @@ -4800,7 +4800,7 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -S "Processing of the Certificate handshake message failed" run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ + "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$O_CLI -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ 1 \ @@ -6166,7 +6166,7 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, default" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1" \ @@ -6178,7 +6178,7 @@ run_test "EC restart: TLS, default" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=0" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=0" \ @@ -6190,7 +6190,7 @@ run_test "EC restart: TLS, max_ops=0" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=65535" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=65535" \ @@ -6202,7 +6202,7 @@ run_test "EC restart: TLS, max_ops=65535" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000" \ @@ -6215,11 +6215,11 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "EC restart: TLS, max_ops=1000, badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000" \ 1 \ -c "x509_verify_cert.*4b00" \ @@ -6233,11 +6233,12 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ + ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000 auth_mode=optional" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -6251,10 +6252,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ + ca_file=data_files/test-ca2.crt \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=none" \ 0 \ @@ -6268,7 +6270,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: DTLS, max_ops=1000" \ - "$P_SRV auth_mode=required dtls=1" \ + "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ dtls=1 debug_level=1 ec_max_ops=1000" \ @@ -6433,7 +6435,7 @@ run_test "SSL async private: slot 0 used with key1" \ async_operations=s async_private_delay1=1 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ + "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Async sign callback: using key slot 0," \ -s "Async resume (slot 0): call 0 more times." \ @@ -6836,7 +6838,7 @@ run_test "DTLS wrong PSK: badmac alert" \ requires_gnutls run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" @@ -6844,7 +6846,7 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6852,7 +6854,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6860,7 +6862,7 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6869,7 +6871,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ @@ -6883,7 +6885,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ @@ -6895,28 +6897,28 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 2048" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 768" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6941,11 +6943,13 @@ run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -6961,11 +6965,13 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ 0 \ @@ -6985,11 +6991,13 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -7005,11 +7013,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7033,11 +7043,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7053,11 +7065,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7081,11 +7095,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7100,11 +7116,13 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=4096" \ 0 \ @@ -7119,11 +7137,13 @@ run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=3500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=3500-60000 \ mtu=1024" \ 0 \ @@ -7138,11 +7158,13 @@ run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=2048" \ 0 \ @@ -7158,11 +7180,13 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=1024" \ 0 \ @@ -7183,11 +7207,13 @@ run_test "DTLS fragmenting: both (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=2500-60000 \ mtu=512" \ @@ -7214,10 +7240,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=400-3200" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=400-3200" \ 0 \ @@ -7238,10 +7266,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000" \ 0 \ @@ -7261,11 +7291,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024" \ 0 \ @@ -7290,11 +7322,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512" \ @@ -7313,11 +7347,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ 0 \ @@ -7339,11 +7375,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ @@ -7375,11 +7413,13 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1450" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ mtu=1450 reconnect=1 reco_delay=1" \ @@ -7404,12 +7444,14 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -7436,12 +7478,14 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -7468,6 +7512,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ hs_timeout=10000-60000 \ @@ -7475,6 +7520,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7501,6 +7547,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ hs_timeout=10000-60000 \ @@ -7508,6 +7555,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7533,6 +7581,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \ hs_timeout=10000-60000 \ @@ -7540,6 +7589,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7562,10 +7612,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512" \ 0 \ @@ -7586,10 +7638,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512 nbio=2" \ 0 \ @@ -7611,6 +7665,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7626,6 +7681,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7648,6 +7704,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7664,6 +7721,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7678,6 +7736,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7692,6 +7751,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7705,6 +7765,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7718,6 +7779,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$O_CLI -dtls1" \ 0 \ @@ -7739,6 +7801,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7756,6 +7819,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7772,6 +7836,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7788,6 +7853,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7810,6 +7876,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7827,6 +7894,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7843,6 +7911,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7861,6 +7930,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$O_CLI -nbio -dtls1" \ 0 \ @@ -8364,7 +8434,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" @@ -8375,7 +8445,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" @@ -8386,7 +8456,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:"