leviathan
/
openssl
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Reduce the security bits for MD5 and SHA1 based signatures in TLS

Browse Source 
This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer supported at the
default security level of 1, and that you need to set the security
level to 0 to use TLS < 1.2.

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787
master
Kurt Roeckx 3 years ago
parent 526f1f1aca
commit aba03ae571
21 changed files with 1915 additions and 1822 deletions
Show Stats Download Patch File Download Diff File

8
CHANGES.md
Unescape View File

@ -119,6 +119,14 @@ OpenSSL 3.0
*Paul Dale*
* The security strength of SHA1 and MD5 based signatures in TLS has been
reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requires security
level 0. The security level can be changed either using the cipher string
with @SECLEVEL, or calling SSL_CTX_set_security_level().
*Kurt Roeckx*
* EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
internal keys, if they correspond to one of those built in types.

1
NEWS.md
Unescape View File

@ -63,6 +63,7 @@ OpenSSL 3.0
RC4, RC5 and SEED cipher functions have been deprecated.
* All of the low level DH, DSA, ECDH, ECDSA and RSA public key functions
have been deprecated.
* SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
OpenSSL 1.1.1
-------------

18
ssl/t1_lib.c
Unescape View File

@ -1413,8 +1413,26 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
return 0;
if (md != NULL)
{
int md_type = EVP_MD_type(md);
/* Security bits: half digest bits */
secbits = EVP_MD_size(md) * 4;
/*
* SHA1 and MD5 are known to be broken. Reduce security bits so that
* they're no longer accepted at security level 1. The real values don't
* really matter as long as they're lower than 80, which is our
* security level 1.
* https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for
* SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2
* https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
* puts a chosen-prefix attack for MD5 at 2^39.
*/
if (md_type == NID_sha1)
secbits = 64;
else if (md_type == NID_md5_sha1)
secbits = 67;
else if (md_type == NID_md5)
secbits = 39;
} else {
/* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
if (lu->sigalg == TLSEXT_SIGALG_ed25519)

3
test/recipes/70-test_renegotiation.t
Unescape View File

@ -56,7 +56,8 @@ SKIP: {
# handshake
$proxy->clear();
$proxy->filter(undef);
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("DEFAULT:\@SECLEVEL=0");
$proxy->clientflags("-no_tls1_3 -cipher AES128-SHA:\@SECLEVEL=0");
$proxy->serverflags("-no_tls1_3 -no_tls1_2");
$proxy->reneg(1);
$proxy->start();

1
test/recipes/70-test_sslextension.t
Unescape View File

@ -206,6 +206,7 @@ SKIP: {
#Test 3: Sending a zero length extension block should pass
$proxy->clear();
$proxy->filter(\&extension_filter);
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success, "Zero extension length test");

13
test/recipes/70-test_sslrecords.t
Unescape View File

@ -82,11 +82,17 @@ use constant {
FRAGMENTED_IN_SSLV2 => 3,
ALERT_BEFORE_SSLV2 => 4
};
# The TLSv1.2 in SSLv2 ClientHello need to run at security level 0
# because in a SSLv2 ClientHello we can't send extentions to indicate
# which signature algorithm we want to use, and the default is SHA1.
#Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
@ -96,6 +102,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
@ -105,6 +112,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
@ -113,6 +121,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
@ -121,6 +130,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
@ -140,7 +150,8 @@ SKIP: {
#Test 11: Sending an unrecognised record type in TLS1.1 should fail
$fatal_alert = 0;
$proxy->clear();
$proxy->clientflags("-tls1_1");
$proxy->clientflags("-tls1_1 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok($fatal_alert, "Unrecognised record type in TLS1.1");
}

40
test/recipes/70-test_sslsigalgs.t
Unescape View File

@ -138,32 +138,32 @@ SKIP: {
$proxy->filter(\&sigalgs_filter);
#Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
# security level 1
#Test 10: Sending no sig algs extension in TLSv1.2 will make it use
# SHA1, which is only supported at security level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
$proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=1");
$proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0");
#Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
# level 2 since it will try to use SHA1. Testing client at level 1,
# server level 2.
# level 1 since it will try to use SHA1. Testing client at level 0,
# server level 1.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
$proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
$proxy->ciphers("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->ciphers("DEFAULT:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1");
#Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
# level 2 since it will try to use SHA1. Testing client at level 2,
# server level 1.
# level 1 since it will try to use SHA1. Testing client at level 1,
# server level 0.
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
$proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=2");
$proxy->ciphers("DEFAULT:\@SECLEVEL=1");
$proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
$proxy->ciphers("DEFAULT:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");
@ -221,15 +221,16 @@ SKIP: {
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
$proxy->filter(\&sigalgs_filter);
#Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
#Test 19: No sig algs extension, ECDSA cert, will use SHA1,
# TLSv1.2 should succeed at security level 0
$proxy->clear();
$testtype = NO_SIG_ALGS_EXT;
$proxy->clientflags("-no_tls1_3");
$proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
$proxy->serverflags("-cert " . srctop_file("test", "certs",
"server-ecdsa-cert.pem") .
" -key " . srctop_file("test", "certs",
"server-ecdsa-key.pem")),
$proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
$proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
}
@ -245,7 +246,7 @@ SKIP: {
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA/SHA2 sigalg sent for 1.3-only ClientHello");
"DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
#Test 21: signature_algorithms with backwards compatible ClientHello
SKIP: {
@ -253,10 +254,11 @@ SKIP: {
$testtype = COMPAT_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA sigalg not sent for compat ClientHello");
"backwards compatible sigalg sent for compat ClientHello");
}
}

2
test/recipes/70-test_sslversions.t
Unescape View File

@ -95,6 +95,8 @@ ok(TLSProxy::Message->success()
#Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but
#TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed
$proxy->clear();
$proxy->clientflags("-cipher DEFAULT:\@SECLEVEL=0");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$testtype = TLS1_1_AND_1_0_ONLY;
$proxy->start();
$record = pop @{$proxy->record_list};

1
test/recipes/70-test_tls13downgrade.t
Unescape View File

@ -79,6 +79,7 @@ SKIP: {
$proxy->clear();
$proxy->filter(undef);
$proxy->clientflags("-no_tls1_2");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");

2704
test/ssl-tests/02-protocol-version.cnf
View File

File diff suppressed because it is too large Load Diff

144
test/ssl-tests/04-client_auth.cnf
Unescape View File

@ -49,11 +49,11 @@ client = 0-server-auth-flex-client
[0-server-auth-flex-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-server-auth-flex-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -72,12 +72,12 @@ client = 1-client-auth-flex-request-client
[1-client-auth-flex-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[1-client-auth-flex-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -96,13 +96,13 @@ client = 2-client-auth-flex-require-fail-client
[2-client-auth-flex-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[2-client-auth-flex-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -122,14 +122,14 @@ client = 3-client-auth-flex-require-client
[3-client-auth-flex-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Request
[3-client-auth-flex-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -151,7 +151,7 @@ client = 4-client-auth-flex-require-non-empty-names-client
[4-client-auth-flex-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
@ -159,7 +159,7 @@ VerifyMode = Request
[4-client-auth-flex-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -181,13 +181,13 @@ client = 5-client-auth-flex-noroot-client
[5-client-auth-flex-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Require
[5-client-auth-flex-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -208,13 +208,13 @@ client = 6-server-auth-TLSv1-client
[6-server-auth-TLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-server-auth-TLSv1-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -235,14 +235,14 @@ client = 7-client-auth-TLSv1-request-client
[7-client-auth-TLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[7-client-auth-TLSv1-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -263,7 +263,7 @@ client = 8-client-auth-TLSv1-require-fail-client
[8-client-auth-TLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -271,7 +271,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[8-client-auth-TLSv1-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -293,7 +293,7 @@ client = 9-client-auth-TLSv1-require-client
[9-client-auth-TLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -302,7 +302,7 @@ VerifyMode = Request
[9-client-auth-TLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -326,7 +326,7 @@ client = 10-client-auth-TLSv1-require-non-empty-names-client
[10-client-auth-TLSv1-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
MaxProtocol = TLSv1
MinProtocol = TLSv1
@ -336,7 +336,7 @@ VerifyMode = Request
[10-client-auth-TLSv1-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -360,7 +360,7 @@ client = 11-client-auth-TLSv1-noroot-client
[11-client-auth-TLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -368,7 +368,7 @@ VerifyMode = Require
[11-client-auth-TLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1
MinProtocol = TLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -391,13 +391,13 @@ client = 12-server-auth-TLSv1.1-client
[12-server-auth-TLSv1.1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-server-auth-TLSv1.1-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -418,14 +418,14 @@ client = 13-client-auth-TLSv1.1-request-client
[13-client-auth-TLSv1.1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[13-client-auth-TLSv1.1-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -446,7 +446,7 @@ client = 14-client-auth-TLSv1.1-require-fail-client
[14-client-auth-TLSv1.1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -454,7 +454,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[14-client-auth-TLSv1.1-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -476,7 +476,7 @@ client = 15-client-auth-TLSv1.1-require-client
[15-client-auth-TLSv1.1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -485,7 +485,7 @@ VerifyMode = Request
[15-client-auth-TLSv1.1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -509,7 +509,7 @@ client = 16-client-auth-TLSv1.1-require-non-empty-names-client
[16-client-auth-TLSv1.1-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
@ -519,7 +519,7 @@ VerifyMode = Request
[16-client-auth-TLSv1.1-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -543,7 +543,7 @@ client = 17-client-auth-TLSv1.1-noroot-client
[17-client-auth-TLSv1.1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -551,7 +551,7 @@ VerifyMode = Require
[17-client-auth-TLSv1.1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.1
MinProtocol = TLSv1.1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -574,13 +574,13 @@ client = 18-server-auth-TLSv1.2-client
[18-server-auth-TLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-server-auth-TLSv1.2-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -601,14 +601,14 @@ client = 19-client-auth-TLSv1.2-request-client
[19-client-auth-TLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[19-client-auth-TLSv1.2-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -629,7 +629,7 @@ client = 20-client-auth-TLSv1.2-require-fail-client
[20-client-auth-TLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -637,7 +637,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[20-client-auth-TLSv1.2-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -659,7 +659,7 @@ client = 21-client-auth-TLSv1.2-require-client
[21-client-auth-TLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientSignatureAlgorithms = SHA256+RSA
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
@ -669,7 +669,7 @@ VerifyMode = Request
[21-client-auth-TLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -695,7 +695,7 @@ client = 22-client-auth-TLSv1.2-require-non-empty-names-client
[22-client-auth-TLSv1.2-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
ClientSignatureAlgorithms = SHA256+RSA
MaxProtocol = TLSv1.2
@ -706,7 +706,7 @@ VerifyMode = Request
[22-client-auth-TLSv1.2-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -732,7 +732,7 @@ client = 23-client-auth-TLSv1.2-noroot-client
[23-client-auth-TLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -740,7 +740,7 @@ VerifyMode = Require
[23-client-auth-TLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -763,13 +763,13 @@ client = 24-server-auth-DTLSv1-client
[24-server-auth-DTLSv1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-server-auth-DTLSv1-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -791,14 +791,14 @@ client = 25-client-auth-DTLSv1-request-client
[25-client-auth-DTLSv1-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[25-client-auth-DTLSv1-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -820,7 +820,7 @@ client = 26-client-auth-DTLSv1-require-fail-client
[26-client-auth-DTLSv1-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -828,7 +828,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[26-client-auth-DTLSv1-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -851,7 +851,7 @@ client = 27-client-auth-DTLSv1-require-client
[27-client-auth-DTLSv1-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -860,7 +860,7 @@ VerifyMode = Request
[27-client-auth-DTLSv1-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -885,7 +885,7 @@ client = 28-client-auth-DTLSv1-require-non-empty-names-client
[28-client-auth-DTLSv1-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
@ -895,7 +895,7 @@ VerifyMode = Request
[28-client-auth-DTLSv1-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -920,7 +920,7 @@ client = 29-client-auth-DTLSv1-noroot-client
[29-client-auth-DTLSv1-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -928,7 +928,7 @@ VerifyMode = Require
[29-client-auth-DTLSv1-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -952,13 +952,13 @@ client = 30-server-auth-DTLSv1.2-client
[30-server-auth-DTLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[30-server-auth-DTLSv1.2-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -980,14 +980,14 @@ client = 31-client-auth-DTLSv1.2-request-client
[31-client-auth-DTLSv1.2-request-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyMode = Request
[31-client-auth-DTLSv1.2-request-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1009,7 +1009,7 @@ client = 32-client-auth-DTLSv1.2-require-fail-client
[32-client-auth-DTLSv1.2-require-fail-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -1017,7 +1017,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[32-client-auth-DTLSv1.2-require-fail-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1040,7 +1040,7 @@ client = 33-client-auth-DTLSv1.2-require-client
[33-client-auth-DTLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -1049,7 +1049,7 @@ VerifyMode = Request
[33-client-auth-DTLSv1.2-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -1074,7 +1074,7 @@ client = 34-client-auth-DTLSv1.2-require-non-empty-names-client
[34-client-auth-DTLSv1.2-require-non-empty-names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
ClientCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
@ -1084,7 +1084,7 @@ VerifyMode = Request
[34-client-auth-DTLSv1.2-require-non-empty-names-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
@ -1109,7 +1109,7 @@ client = 35-client-auth-DTLSv1.2-noroot-client
[35-client-auth-DTLSv1.2-noroot-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@ -1117,7 +1117,7 @@ VerifyMode = Require
[35-client-auth-DTLSv1.2-noroot-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem

12
test/ssl-tests/04-client_auth.cnf.in
Unescape View File

@ -58,10 +58,12 @@ sub generate_tests() {
name => "server-auth-${protocol_name}"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
@ -77,11 +79,13 @@ sub generate_tests() {
name => "client-auth-${protocol_name}-request"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyMode" => "Request"
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
@ -97,12 +101,14 @@ sub generate_tests() {
name => "client-auth-${protocol_name}-require-fail"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require",
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol
},
@ -121,6 +127,7 @@ sub generate_tests() {
name => "client-auth-${protocol_name}-require"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"ClientSignatureAlgorithms" => $clisigalgs,
@ -128,6 +135,7 @@ sub generate_tests() {
"VerifyMode" => "Request",
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"Certificate" => test_pem("ee-client-chain.pem"),
@ -149,6 +157,7 @@ sub generate_tests() {
name => "client-auth-${protocol_name}-require-non-empty-names"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"ClientSignatureAlgorithms" => $clisigalgs,
@ -157,6 +166,7 @@ sub generate_tests() {
"VerifyMode" => "Request",
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"Certificate" => test_pem("ee-client-chain.pem"),
@ -178,11 +188,13 @@ sub generate_tests() {
name => "client-auth-${protocol_name}-noroot"
.($sctp ? "-sctp" : ""),
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"VerifyMode" => "Require",
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"Certificate" => test_pem("ee-client-chain.pem"),

4
test/ssl-tests/05-sni.cnf
Unescape View File

@ -284,11 +284,11 @@ server2 = 8-SNI-clienthello-disable-v12-server
[8-SNI-clienthello-disable-v12-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-SNI-clienthello-disable-v12-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

2
test/ssl-tests/05-sni.cnf.in
Unescape View File

@ -152,11 +152,13 @@ our @tests_tls_1_1 = (
{
name => "SNI-clienthello-disable-v12",
server => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
"ServerNameCallback" => "ClientHelloNoV12",
},
},
client => {
"CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
"ServerName" => "server2",
},

256
test/ssl-tests/07-dtls-protocol-version.cnf
Unescape View File

@ -77,12 +77,12 @@ client = 0-version-negotiation-client
[0-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -104,12 +104,12 @@ client = 1-version-negotiation-client
[1-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -131,11 +131,11 @@ client = 2-version-negotiation-client
[2-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -157,13 +157,13 @@ client = 3-version-negotiation-client
[3-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -185,13 +185,13 @@ client = 4-version-negotiation-client
[4-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -213,12 +213,12 @@ client = 5-version-negotiation-client
[5-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -240,13 +240,13 @@ client = 6-version-negotiation-client
[6-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -267,12 +267,12 @@ client = 7-version-negotiation-client
[7-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -293,12 +293,12 @@ client = 8-version-negotiation-client
[8-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -320,12 +320,12 @@ client = 9-version-negotiation-client
[9-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -347,11 +347,11 @@ client = 10-version-negotiation-client
[10-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -373,13 +373,13 @@ client = 11-version-negotiation-client
[11-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -401,13 +401,13 @@ client = 12-version-negotiation-client
[12-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -429,12 +429,12 @@ client = 13-version-negotiation-client
[13-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -456,13 +456,13 @@ client = 14-version-negotiation-client
[14-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -484,12 +484,12 @@ client = 15-version-negotiation-client
[15-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -511,12 +511,12 @@ client = 16-version-negotiation-client
[16-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[16-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -537,12 +537,12 @@ client = 17-version-negotiation-client
[17-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[17-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -563,11 +563,11 @@ client = 18-version-negotiation-client
[18-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -588,13 +588,13 @@ client = 19-version-negotiation-client
[19-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[19-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -615,13 +615,13 @@ client = 20-version-negotiation-client
[20-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[20-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -642,12 +642,12 @@ client = 21-version-negotiation-client
[21-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[21-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -668,13 +668,13 @@ client = 22-version-negotiation-client
[22-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[22-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -695,12 +695,12 @@ client = 23-version-negotiation-client
[23-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MinProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[23-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -721,12 +721,12 @@ client = 24-version-negotiation-client
[24-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -749,12 +749,12 @@ client = 25-version-negotiation-client
[25-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[25-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -777,11 +777,11 @@ client = 26-version-negotiation-client
[26-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[26-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -804,13 +804,13 @@ client = 27-version-negotiation-client
[27-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[27-version-negotiation-client]
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1
MinProtocol = DTLSv1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -833,13 +833,13 @@ client = 28-version-negotiation-client
[28-version-negotiation-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT:@SECLEVEL=0
MaxProtocol = DTLSv1.2
MinProtocol = DTLSv1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[28-version-negotiation-client]
CipherString = DEFAULT