From ff7a9d9f78efa8e6063f727560f4ea27f90a63f7 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 8 Feb 2016 14:52:56 -0700 Subject: [PATCH 1/7] option for fail on no peer cert except PSK suites --- examples/server/server.c | 28 ++++++++++++++++++---------- src/internal.c | 17 +++++++++++++---- src/ssl.c | 13 +++++++++++++ wolfssl/internal.h | 2 ++ wolfssl/ssl.h | 1 + 5 files changed, 47 insertions(+), 14 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index d899dacb3..0bea91863 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -257,6 +257,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int useAnyAddr = 0; word16 port = wolfSSLPort; int usePsk = 0; + int usePskPlus = 0; int useAnon = 0; int doDTLS = 0; int needDH = 0; @@ -329,7 +330,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else - while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:")) + while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j")) != -1) { switch (ch) { case '?' : @@ -348,6 +349,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) usePsk = 1; break; + case 'j' : + usePskPlus = 1; + break; + case 't' : #ifdef USE_WOLFSSL_MEMORY trackMemory = 1; @@ -609,7 +614,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - if (!usePsk && !useAnon) { + if ((!usePsk || usePskPlus) && !useAnon) { if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load server cert file, check file and run from" 
@@ -630,7 +635,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - if (!useNtruKey && !usePsk && !useAnon) { + if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) { if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) err_sys("can't load server private key file, check file and run " @@ -638,14 +643,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif - if (usePsk) { + if (usePsk || usePskPlus) { #ifndef NO_PSK SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); if (sendPskIdentityHint == 1) SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); - if (cipherList == NULL) { + if (cipherList == NULL && !usePskPlus) { const char *defaultCipherList; #if defined(HAVE_AESGCM) && !defined(NO_DH) defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; @@ -672,13 +677,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - /* if not using PSK, verify peer with certs */ - if (doCliCertCheck && usePsk == 0 && useAnon == 0) { + /* if not using PSK, verify peer with certs + if using PSK Plus then verify peer certs except PSK suites */ + if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) { SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | - SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); + ((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK : + SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0); if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); - } + } #endif #if defined(CYASSL_SNIFFER) 
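Review bot: The rewritten comment above the `SSL_CTX_set_verify` call in the `@@ -672` hunk does not say what `-j` actually relaxes: with `usePskPlus` set, a client on a certificate suite must still present a certificate, while a client that negotiates a PSK suite is accepted on the pre-shared key alone. I would state that directly, e.g. `/* -j (PSK plus): require a client cert on certificate suites, accept PSK suites without one */`. The same `(!usePsk || usePskPlus)` test is repeated in the `@@ -609`, `@@ -630` and `@@ -795` hunks; a single named local such as `int loadCerts = !usePsk || usePskPlus;` would keep the sites from drifting apart. `server_test` starts and ends outside these hunks, so whether `Usage()` documents the new `-j` flag cannot be seen here.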
@@ -795,7 +802,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) wolfSSL_dtls_set_peer(ssl, &cliaddr, len); } #endif - if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) { + if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL + || needDH == 1) { #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM); #elif !defined(NO_DH) diff --git a/src/internal.c b/src/internal.c index f1cbab102..809011de4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1835,10 +1835,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.sessionCacheOff = ctx->sessionCacheOff; ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; - ssl->options.verifyPeer = ctx->verifyPeer; - ssl->options.verifyNone = ctx->verifyNone; - ssl->options.failNoCert = ctx->failNoCert; - ssl->options.sendVerify = ctx->sendVerify; + ssl->options.verifyPeer = ctx->verifyPeer; + ssl->options.verifyNone = ctx->verifyNone; + ssl->options.failNoCert = ctx->failNoCert; + ssl->options.failNoCertxPSK = ctx->failNoCertxPSK; + ssl->options.sendVerify = ctx->sendVerify; ssl->heap = ctx->heap; /* defaults to self */ ssl->options.partialWrite = ctx->partialWrite; @@ -16936,6 +16937,14 @@ int DoSessionTicket(WOLFSSL* ssl, return NO_PEER_CERT; } } + + if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) { + if (!ssl->options.havePeerCert && + !ssl->options.usingPSK_cipher){ + WOLFSSL_MSG("client didn't present peer cert"); + return NO_PEER_CERT; + } + } #endif #ifdef WOLFSSL_CALLBACKS diff --git a/src/ssl.c b/src/ssl.c index c9ec2c951..8f6f7fd20 100644 --- a/src/ssl.c +++ b/src/ssl.c 
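Review bot: The new `failNoCertxPSK` branch in the `@@ -16936` hunk logs exactly the same string as the `failNoCert` branch just above it, so a debug trace cannot tell which policy rejected the handshake; a distinct message such as `WOLFSSL_MSG("no peer cert on non-PSK suite");` would help. The exemption rests entirely on `ssl->options.usingPSK_cipher` reflecting the suite that was actually negotiated by the time this check runs, which the visible lines do not establish. A short comment recording that assumption is worth adding: `/* PSK suites authenticate the client with the shared key; only non-PSK suites need a cert here */`. The enclosing function begins and ends outside the hunk.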
@@ -4608,6 +4608,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ctx->failNoCert = 1; + if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) { + ctx->failNoCert = 0; /* fail on all is set to fail on PSK */ + ctx->failNoCertxPSK = 1; + } + ctx->verifyCallback = vc; } @@ -4628,6 +4633,11 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ssl->options.failNoCert = 1; + if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) { + ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */ + ssl->options.failNoCertxPSK = 1; + } + ssl->verifyCallback = vc; } @@ -17074,6 +17084,9 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) if (ctx->failNoCert) mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + if (ctx->failNoCertxPSK) + mode |= SSL_VERIFY_FAIL_EXCEPT_PSK; + WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode); return mode; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 5ecfd6858..4c4edb962 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1818,6 +1818,7 @@ struct WOLFSSL_CTX { byte verifyPeer; byte verifyNone; byte failNoCert; + byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/ byte sessionCacheOff; byte sessionCacheFlushOff; byte sendVerify; /* for client side */ @@ -2216,6 +2217,7 @@ typedef struct Options { word16 verifyPeer:1; word16 verifyNone:1; word16 failNoCert:1; + word16 failNoCertxPSK:1; /* fail for no cert except with PSK */ word16 downgrade:1; /* allow downgrade of versions */ word16 resuming:1; word16 haveSessionId:1; /* server may not send */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index f92e3cd5a..6e965561e 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -698,6 +698,7 @@ enum { /* ssl Constants */ SSL_VERIFY_PEER = 1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2, SSL_VERIFY_CLIENT_ONCE = 4, + SSL_VERIFY_FAIL_EXCEPT_PSK = 8, SSL_SESS_CACHE_OFF = 30, SSL_SESS_CACHE_CLIENT = 31, 
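Review bot: Passing `SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_EXCEPT_PSK` ends up with the weaker policy, because the new block in `wolfSSL_CTX_set_verify` (and the identical one in `wolfSSL_set_verify`, hunk `@@ -4628`) clears `failNoCert` right after the preceding `if` has set it. If that precedence is intended it belongs in the API documentation; otherwise leave the strict flag untouched and only set `failNoCertxPSK = 1`. The inline comment `/* fail on all is set to fail on PSK */` reads as the opposite of what the code does; `/* PSK exception replaces the unconditional fail-if-no-cert */` would match it. Neither function is fully visible, so whether `failNoCertxPSK` is reset when a later call omits the flag cannot be confirmed from the hunk.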
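Review bot: `SSL_VERIFY_FAIL_EXCEPT_PSK = 8` in the `wolfssl/ssl.h` hunk takes the next free bit among the OpenSSL-compatible `SSL_VERIFY_*` values, and later OpenSSL releases define `SSL_VERIFY_POST_HANDSHAKE` as 0x08. Code ported from OpenSSL that passes that flag would then silently enable the PSK exemption, which is a weaker client-certificate policy than the caller asked for. Since this constant is a wolfSSL extension, consider a `WOLFSSL_`-prefixed name and a value outside the range OpenSSL uses, with a comment on the enum entry such as `/* wolfSSL extension, not an OpenSSL verify flag */`.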
From 2f747063671fa95ef365360c822b53e1e41e772a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 10 Feb 2016 11:02:09 -0700 Subject: [PATCH 2/7] allow use of RSA signed ECC key certs --- certs/renewcerts.sh | 21 ++++++++ certs/rsa-ecc-key.pem | 5 ++ certs/rsa-signed-ecc-ca.pem | 28 +++++++++++ certs/rsa-signed-ecc-cert.pem | 20 ++++++++ src/internal.c | 93 ++++++++++++++++++----------------- src/ssl.c | 38 ++++++++++---- wolfssl/internal.h | 4 +- 7 files changed, 154 insertions(+), 55 deletions(-) create mode 100644 certs/rsa-ecc-key.pem create mode 100644 certs/rsa-signed-ecc-ca.pem create mode 100644 certs/rsa-signed-ecc-cert.pem diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index da7fbe49a..081e63c70 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -94,6 +94,16 @@ function run_renewcerts(){ openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem mv \1024/tmp.pem \1024/ca-cert.pem + ############################################################ + ########## update the self-signed rsa-signed-ecc-ca.pem #### + ############################################################ + echo "Updating rsa-signed-ecc-ca.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-rsa-ecc-cert.csr + + openssl x509 -req -in ca-rsa-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out rsa-signed-ecc-ca.pem + rm ca-rsa-ecc-cert.csr ########################################################### ########## update and sign server-cert.pem ################ ########################################################### 
@@ -202,6 +212,17 @@ function run_renewcerts(){ openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem + ############################################################ + ###### update rsa-signed-ecc-cert.pem ########## + ############################################################ + echo "Updating rsa-signed-ecc-cert.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key rsa-ecc-key.pem -out server-rsa-signed-ecc.csr + + + openssl req -x509 -in server-rsa-signed-ecc.csr -days 1000 -key ca-key.pem -out rsa-signed-ecc-cert.pem + rm server-rsa-signed-ecc.csr ############################################################ ########## make .der files from .pem files ################# ############################################################ diff --git a/certs/rsa-ecc-key.pem b/certs/rsa-ecc-key.pem new file mode 100644 index 000000000..38052fc0d --- /dev/null +++ b/certs/rsa-ecc-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIdLUY+7ywLvHw3hXcRh3Yjk2isYn3xRzNzh8PL8c++doAoGCCqGSM49 +AwEHoUQDQgAE5N/MA+vrmu1j6+9L9x53MwRlxQVYreEo6GbI08kMZg7Xcdo9wJ06 +6EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9A== +-----END EC PRIVATE KEY----- diff --git a/certs/rsa-signed-ecc-ca.pem b/certs/rsa-signed-ecc-ca.pem new file mode 100644 index 000000000..439c6f74e --- /dev/null +++ b/certs/rsa-signed-ecc-ca.pem 
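Review bot: As far as I can tell, `openssl req -x509 -in server-rsa-signed-ecc.csr ... -key ca-key.pem` in the `@@ -202` hunk writes a self-signed-style certificate (issuer copied from the subject, default `req` extensions) rather than one issued by `rsa-signed-ecc-ca.pem`. It validates against that CA only because both certificates carry the same distinguished name and the signing key happens to be `ca-key.pem`. Signing the CSR with the CA certificate is closer to what the fixture is meant to represent: `openssl x509 -req -in server-rsa-signed-ecc.csr -days 1000 -CA rsa-signed-ecc-ca.pem -CAkey ca-key.pem -CAcreateserial -out rsa-signed-ecc-cert.pem`. `run_renewcerts` starts and ends outside the hunk.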
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEwTCCA6mgAwIBAgIJANSPE5wECQHCMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G +A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV +BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804 +H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy +6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqN +OCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnl +wtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1 +Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNL +ve02eQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejV +MIHQBgNVHSMEgcgwgcWAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGhpIGeMIGbMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQ +MA4GA1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgw +FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb22CCQDUjxOcBAkBwjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQCInkcGU17ednsQj9aUge/19pr8hTvIyOgSjo6jeyNFYR3dwtSCyiNp+3xy +0751Qr3bsZFypZ6KYdq262592jS1FCA8PPT0lj2b+rs7ltt0+SWwNa5gd53i6bqL +F2eGuJxB8+eaYCNtvHb+vVt4wE+xc4arEXohNOK98Ue8a1z4t5GJgld2qIO596fC +5AF51wT2W+nmkPD8Uc57qbT0dGcYMrbV1CEzRznKlEM7/lwQzosanq2WAej/LuoK +E7fFK/HsKmGNo5h9xmp8Mffrhv/FtNY8goOzGgGVLIBEJhhAXdxMD7StDJ/wO4Yn +YVhUYNYXHRfLqlfrOKTlpom0tSTm +-----END CERTIFICATE----- diff --git a/certs/rsa-signed-ecc-cert.pem b/certs/rsa-signed-ecc-cert.pem new file mode 100644 index 000000000..95740b6c4 --- /dev/null +++ b/certs/rsa-signed-ecc-cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIJAIsWzJR4pzZ8MA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G +A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV +BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5N/MA+vrmu1j6+9L9x53MwRl +xQVYreEo6GbI08kMZg7Xcdo9wJ066EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9KNQ +ME4wHQYDVR0OBBYEFJG5qzs7kKdpUhrSzNazXAYADDbDMB8GA1UdIwQYMBaAFJG5 +qzs7kKdpUhrSzNazXAYADDbDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggEBAE6wOs43QszCln/y1KlG6AQz2KhnW+qWLhc7tfjHxAzH3OjgSPZ2nbVfE0w9 +PKakWrbOYfDpMAPH4HHwbQpwJ6glHYb/ARqcRDobj8Myx4OKG7UsIRjwnyQl0BhR +sx1V1ATnNeJ/LEKm3PdO3OvfnyHUwSeH2iA8bXfpIE1jUirsbA/pAA88vJ04u4fC +uCFWQqpoCZSxqDqT4kBqKjbcfPR/2jP5XxbTbfboSdyZ6Zx2P7/AuoWgW/Nxej2P +up0rgYptHMbN+UPvjg6z2WPadC1gmJ81HEag5Mx9kl1HyDavUN/pgX+9eGYuKR5J +wJ9nFJSlBHlndOp+CSUHtI0cw1M= +-----END CERTIFICATE----- diff --git a/src/internal.c b/src/internal.c index 809011de4..babe2118f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -524,6 +524,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method) #ifdef HAVE_ECC if (method->side == WOLFSSL_CLIENT_END) { ctx->haveECDSAsig = 1; /* always on cliet side */ + ctx->haveECC = 1; /* server turns on with ECC key cert */ ctx->haveStaticECC = 1; /* server can turn on by loading key */ } #endif 
@@ -801,7 +802,8 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveNTRU, - word16 haveECDSAsig, word16 haveStaticECC, int side) + word16 haveECDSAsig, word16 haveECC, + word16 haveStaticECC, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; @@ -889,14 +891,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } @@ -945,14 +947,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; } @@ -1001,7 +1003,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; } 
@@ -1029,7 +1031,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; } @@ -1043,7 +1045,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; } @@ -1057,7 +1059,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; } 
@@ -1071,63 +1073,63 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECDSAsig) { + if (!dtls && tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECDSAsig && haveStaticECC) { + if (!dtls && tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && 
haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; } @@ -1190,14 +1192,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; } @@ -1274,7 +1276,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256; @@ -1296,7 +1298,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; } @@ -1817,6 +1819,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveECDSAsig = ctx->haveECDSAsig; + ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC; #ifndef NO_PSK 
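Review bot: Switching the `tls && haveECDSAsig` guards to `tls && haveECC` in the `@@ -1071` hunk means the ECDHE-ECDSA and ECDH-ECDSA suites are now offered below TLS 1.2 whenever the key is ECC, even when the certificate itself is RSA-signed. RFC 4492 expects an ECDSA-signed certificate for these suites, and only TLS 1.2 with the signature_algorithms extension relaxes that, so a TLS 1.0/1.1 peer may be handed a chain it did not agree to verify. Consider keeping the signature requirement on the pre-1.2 guards, e.g. `if (tls && haveECC && (tls1_2 || haveECDSAsig)) {`, or state at the top of `InitSuites` that `WC_STRICT_SIG` is the build option that restores the old behaviour. `InitSuites` starts and ends outside this hunk.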
@@ -1880,12 +1883,13 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) if (ssl->options.side == WOLFSSL_SERVER_END) InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); else InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); #ifndef NO_CERTS /* make sure server has cert and key unless using PSK or Anon @@ -3786,7 +3790,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) enum { REQUIRES_RSA, REQUIRES_DHE, - REQUIRES_ECC_DSA, + REQUIRES_ECC, REQUIRES_ECC_STATIC, REQUIRES_PSK, REQUIRES_NTRU, @@ -3811,7 +3815,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3828,7 +3832,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3908,7 +3912,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #ifndef NO_DES3 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3919,7 +3923,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif #ifndef NO_RC4 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; 
@@ -3943,7 +3947,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3953,7 +3957,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3963,12 +3967,12 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -4034,19 +4038,19 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; if (requirement == REQUIRES_ECC_STATIC) return 1; @@ -4069,7 +4073,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; 
@@ -15724,9 +15728,9 @@ int DoSessionTicket(WOLFSSL* ssl, } } - if (CipherRequires(first, second, REQUIRES_ECC_DSA)) { + if (CipherRequires(first, second, REQUIRES_ECC)) { WOLFSSL_MSG("Requires ECCDSA"); - if (ssl->options.haveECDSAsig == 0) { + if (ssl->options.haveECC == 0) { WOLFSSL_MSG("Don't have ECCDSA"); return 0; } @@ -15808,6 +15812,7 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->suites->suites[i] == peerSuites->suites[j] && ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { + WOLFSSL_MSG("found one suite match"); if (VerifyServerSuite(ssl, i)) { int result; WOLFSSL_MSG("Verified suite validity"); @@ -15913,8 +15918,8 @@ int DoSessionTicket(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } /* suite size */ @@ -16121,8 +16126,8 @@ int DoSessionTicket(WOLFSSL* ssl, #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } /* random */ diff --git a/src/ssl.c b/src/ssl.c index 8f6f7fd20..4973ac80a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -515,7 +515,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); return SSL_SUCCESS; 
@@ -2059,7 +2060,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); return SSL_SUCCESS; } @@ -3182,10 +3184,26 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #ifdef HAVE_ECC - if (ctx) + if (ctx) { ctx->pkCurveOID = cert->pkCurveOID; - if (ssl) + #ifndef WC_STRICT_SIG + if (cert->keyOID == ECDSAk) { + ctx->haveECC = 1; + } + #else + ctx->haveECC = ctx->haveECDSAsig; + #endif + } + if (ssl) { ssl->pkCurveOID = cert->pkCurveOID; + #ifndef WC_STRICT_SIG + if (cert->keyOID == ECDSAk) { + ssl->options.haveECC = 1; + } + #else + ssl->options.haveECC = ssl->options.haveECDSAsig; + #endif + } #endif FreeDecodedCert(cert); @@ -7180,8 +7198,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } @@ -7207,8 +7225,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } @@ -7613,8 +7631,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } #endif 
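Review bot: In the `ProcessBuffer` hunk (`@@ -3182`) `haveECC` is only ever raised when `WC_STRICT_SIG` is undefined; nothing in the visible lines clears it, so a server context that loads an ECC-key certificate and later an RSA one would keep advertising ECDSA suites it can no longer serve. On the server side the flag should follow the most recently loaded key, while the client must keep the default set in `InitSSL_Ctx`, so a plain assignment is not a drop-in fix. `WC_STRICT_SIG` is introduced without any description; a comment next to the `#ifndef` would do, e.g. `/* WC_STRICT_SIG: only offer ECDSA suites when the cert is also ECDSA-signed */`. The start of `ProcessBuffer` is outside the hunk, so it is not clear whether this block also runs for CA certificates, in which case the flag would be taken from the wrong certificate.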
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 4c4edb962..bb835db98 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1302,7 +1302,7 @@ typedef struct Suites { WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, - word16, word16, int); + word16, word16, word16, int); WOLFSSL_LOCAL int SetCipherList(Suites*, const char* list); @@ -1823,6 +1823,7 @@ struct WOLFSSL_CTX { byte sessionCacheFlushOff; byte sendVerify; /* for client side */ byte haveRSA; /* RSA available */ + byte haveECC; /* ECC available */ byte haveDH; /* server DH parms set by user */ byte haveNTRU; /* server private NTRU key loaded */ byte haveECDSAsig; /* server cert signed w/ ECDSA */ @@ -2230,6 +2231,7 @@ typedef struct Options { word16 sentNotify:1; /* we've sent a close notify */ word16 usingCompression:1; /* are we using compression */ word16 haveRSA:1; /* RSA available */ + word16 haveECC:1; /* ECC available */ word16 haveDH:1; /* server DH parms set by user */ word16 haveNTRU:1; /* server NTRU private key loaded */ word16 haveQSH:1; /* have QSH ability */ From 69fc400d2832f8b5ff1b13db47c1f42a76719a1e Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 10 Feb 2016 11:47:16 -0700 Subject: [PATCH 3/7] add new certs to EXTRA_DIST --- certs/include.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/certs/include.am b/certs/include.am index 53bb31e27..037859726 100644 --- a/certs/include.am +++ b/certs/include.am @@ -27,7 +27,10 @@ EXTRA_DIST += \ certs/server-keyPkcs8.pem \ certs/server-revoked-cert.pem \ certs/server-revoked-key.pem \ - certs/wolfssl-website-ca.pem + certs/wolfssl-website-ca.pem \ + certs/rsa-ecc-key.pem \ + certs/rsa-signed-ecc-cert.pem \ + certs/rsa-signed-ecc-ca.pem EXTRA_DIST += \ certs/ca-key.der \ certs/ca-cert.der \ From 9defe9b42b5f51e1e6839f068363e55e8dd9421b Mon Sep 17 00:00:00 2001 
From: Jacob Barthelmeh Date: Wed, 10 Feb 2016 13:15:06 -0700 Subject: [PATCH 4/7] fix warning of unused variable and adjust debug statements --- src/internal.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index babe2118f..0dca6aaec 100644 --- a/src/internal.c +++ b/src/internal.c @@ -818,6 +818,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, (void)havePSK; (void)haveNTRU; (void)haveStaticECC; + (void)haveECC; if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); @@ -15729,9 +15730,9 @@ int DoSessionTicket(WOLFSSL* ssl, } if (CipherRequires(first, second, REQUIRES_ECC)) { - WOLFSSL_MSG("Requires ECCDSA"); + WOLFSSL_MSG("Requires ECC"); if (ssl->options.haveECC == 0) { - WOLFSSL_MSG("Don't have ECCDSA"); + WOLFSSL_MSG("Don't have ECC"); return 0; } } @@ -15812,7 +15813,6 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->suites->suites[i] == peerSuites->suites[j] && ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { - WOLFSSL_MSG("found one suite match"); if (VerifyServerSuite(ssl, i)) { int result; WOLFSSL_MSG("Verified suite validity"); From 1197f88c4fffdd1cbd4ab57882d2330e100a7db0 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 11 Feb 2016 00:12:48 -0700 Subject: [PATCH 5/7] add psk.test script for testing --- configure.ac | 3 + scripts/include.am | 3 + scripts/psk.test | 152 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 158 insertions(+) create mode 100755 scripts/psk.test diff --git a/configure.ac b/configure.ac index c93569ed6..fc37082c6 100644 --- a/configure.ac +++ b/configure.ac @@ -2495,6 +2495,9 @@ fi AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"]) +# check if PSK was enabled for conditionally running psk.test script +AM_CONDITIONAL([BUILD_PSK], [test "x$ENABLED_PSK" = "xyes"]) + # Check for build-type conflicts AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ test "x$ENABLED_LEANPSK" = "xyes"], 
diff --git a/scripts/include.am b/scripts/include.am index 5b9d38448..5866a554e 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -47,6 +47,9 @@ endif endif +if BUILD_PSK +dist_noinst_SCRIPTS+= scripts/psk.test +endif EXTRA_DIST += scripts/testsuite.pcap # leave openssl.test as extra until non bash works diff --git a/scripts/psk.test b/scripts/psk.test new file mode 100755 index 000000000..01313b91b --- /dev/null +++ b/scripts/psk.test 
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+# psk.test
+# copyright wolfSSL 2016
+
+# getting unique port is modeled after resume.test script
+# need a unique port since may run the same time as testsuite
+# use server port zero hack to get one
+port=0
+no_pid=-1
+server_pid=$no_pid
+counter=0
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_psk_ready$$
+
+echo "ready file $ready_file"
+
+create_port() {
+ while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+ echo -e "waiting for ready file..."
+ sleep 0.1
+ counter=$((counter+ 1))
+ done
+
+ if test -e $ready_file; then
+ echo -e "found ready file, starting client..."
+
+ # get created port 0 ephemeral port
+ port=`cat $ready_file`
+ else
+ echo -e "NO ready file ending test..."
+ do_cleanup
+ fi
+}
+
+remove_ready_file() {
+ if test -e $ready_file; then
+ echo -e "removing existing ready file"
+ rm $ready_file
+ fi
+}
+
+do_cleanup() {
+ echo "in cleanup"
+
+ if [ $server_pid != $no_pid ]
+ then
+ echo "killing server"
+ kill -9 $server_pid
+ fi
+ remove_ready_file
+}
+
+do_trap() {
+ echo "got trap"
+ do_cleanup
+ exit -1
+}
+
+trap do_trap INT TERM
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# Usual psk server / psk client. This use case is tested in
+# tests/unit.test and is used here for just checking if PSK is enabled
+port=0
+./examples/server/server -s -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -s -p $port
+RESULT=$?
+remove_ready_file
+# if fail here then is a settings issue so return 0
+if [ $RESULT -ne 0 ]; then
+ echo -e "\n\nPSK not enabled"
+ do_cleanup
+ exit 0
+fi
+echo ""
+
+# client test against the server
+###############################
+
+# usual psk server / psk client
+port=0
+./examples/server/server -j -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -s -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+ echo -e "\n\nClient connection failed"
+ do_cleanup
+ exit 1
+fi
+echo ""
+
+# Usual server / client. This use case is tested in
+# tests/unit.test and is used here for just checking if cipher suite
+# is available (one case for example is with disable-asn)
+port=0
+./examples/server/server -R $ready_file -p $port -l DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+# if fail here then is a settings issue so return 0
+if [ $RESULT -ne 0 ]; then
+ echo -e "\n\nIssue with choosen non PSK suites"
+ do_cleanup
+ exit 0
+fi
+echo ""
+
+# psk server with non psk client
+port=0
+./examples/server/server -j -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+ echo -e "\n\nClient connection failed"
+ do_cleanup
+ exit 1
+fi
+echo ""
+
+# check fail if no auth, psk server with non psk client
+echo "Checking fail when not sending peer cert"
+port=0
+./examples/server/server -j -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -x -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+ echo -e "\n\nClient connected when supposed to fail"
+ do_cleanup
+ exit 1
+fi
+
+echo -e "\nALL Tests Passed"
+
+exit 0
+
From 3e860107f355bdcc3677747423af45a590c2b1e8 Mon Sep 17 00:00:00 2001
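Review bot: The last case in scripts/psk.test ("Checking fail when not sending peer cert") passes on any client failure, so it can succeed without the server ever rejecting a handshake. `create_port` calls `do_cleanup` when the ready file is missing but does not exit, leaving `port` at 0, and `counter` is set once at the top of the script and never reset, so the 20-iteration wait budget is shared across all five server starts. Resetting it with `counter=0` as the first line of `create_port` and adding `exit 1` after its `do_cleanup` call would turn a server that failed to start into a test failure rather than a pass of the negative case. Separately, the script is `#!/bin/sh` but relies on `echo -e`, `sleep 0.1` and `exit -1`, which are not portable across sh implementations.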
From: Jacob Barthelmeh Date: Thu, 11 Feb 2016 13:49:07 -0700 Subject: [PATCH 6/7] remove extra cert and key, plus add new test --- certs/include.am | 5 +- certs/renewcerts.sh | 21 ---- certs/rsa-ecc-key.pem | 5 - certs/rsa-signed-ecc-ca.pem | 28 ----- certs/rsa-signed-ecc-cert.pem | 20 ---- tests/include.am | 3 +- tests/suites.c | 12 +- tests/test-sig.conf | 199 ++++++++++++++++++++++++++++++++++ 8 files changed, 213 insertions(+), 80 deletions(-) delete mode 100644 certs/rsa-ecc-key.pem delete mode 100644 certs/rsa-signed-ecc-ca.pem delete mode 100644 certs/rsa-signed-ecc-cert.pem create mode 100644 tests/test-sig.conf diff --git a/certs/include.am b/certs/include.am index 037859726..53bb31e27 100644 --- a/certs/include.am +++ b/certs/include.am @@ -27,10 +27,7 @@ EXTRA_DIST += \ certs/server-keyPkcs8.pem \ certs/server-revoked-cert.pem \ certs/server-revoked-key.pem \ - certs/wolfssl-website-ca.pem \ - certs/rsa-ecc-key.pem \ - certs/rsa-signed-ecc-cert.pem \ - certs/rsa-signed-ecc-ca.pem + certs/wolfssl-website-ca.pem EXTRA_DIST += \ certs/ca-key.der \ certs/ca-cert.der \ diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 081e63c70..da7fbe49a 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh 
@@ -94,16 +94,6 @@ function run_renewcerts(){ openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem mv \1024/tmp.pem \1024/ca-cert.pem - ############################################################ - ########## update the self-signed rsa-signed-ecc-ca.pem #### - ############################################################ - echo "Updating rsa-signed-ecc-ca.pem" - echo "" - #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-rsa-ecc-cert.csr - - openssl x509 -req -in ca-rsa-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out rsa-signed-ecc-ca.pem - rm ca-rsa-ecc-cert.csr ########################################################### ########## update and sign server-cert.pem ################ ########################################################### @@ -212,17 +202,6 @@ function run_renewcerts(){ openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem - ############################################################ - ###### update rsa-signed-ecc-cert.pem ########## - ############################################################ - echo "Updating rsa-signed-ecc-cert.pem" - echo "" - #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key rsa-ecc-key.pem -out server-rsa-signed-ecc.csr - - - openssl req -x509 -in server-rsa-signed-ecc.csr -days 1000 -key ca-key.pem -out rsa-signed-ecc-cert.pem - rm server-rsa-signed-ecc.csr ############################################################ ########## make .der files from .pem files ################# ############################################################ diff --git a/certs/rsa-ecc-key.pem b/certs/rsa-ecc-key.pem deleted file mode 100644 index 38052fc0d..000000000 
--- a/certs/rsa-ecc-key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIIdLUY+7ywLvHw3hXcRh3Yjk2isYn3xRzNzh8PL8c++doAoGCCqGSM49 -AwEHoUQDQgAE5N/MA+vrmu1j6+9L9x53MwRlxQVYreEo6GbI08kMZg7Xcdo9wJ06 -6EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9A== ------END EC PRIVATE KEY----- diff --git a/certs/rsa-signed-ecc-ca.pem b/certs/rsa-signed-ecc-ca.pem deleted file mode 100644 index 439c6f74e..000000000 --- a/certs/rsa-signed-ecc-ca.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEwTCCA6mgAwIBAgIJANSPE5wECQHCMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD -VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G -A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD -VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz -bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE -BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV -BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE -AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804 -H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy -6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqN -OCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnl -wtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1 -Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNL -ve02eQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejV -MIHQBgNVHSMEgcgwgcWAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGhpIGeMIGbMQsw -CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQ -MA4GA1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgw -FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb22CCQDUjxOcBAkBwjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA -A4IBAQCInkcGU17ednsQj9aUge/19pr8hTvIyOgSjo6jeyNFYR3dwtSCyiNp+3xy -0751Qr3bsZFypZ6KYdq262592jS1FCA8PPT0lj2b+rs7ltt0+SWwNa5gd53i6bqL -F2eGuJxB8+eaYCNtvHb+vVt4wE+xc4arEXohNOK98Ue8a1z4t5GJgld2qIO596fC -5AF51wT2W+nmkPD8Uc57qbT0dGcYMrbV1CEzRznKlEM7/lwQzosanq2WAej/LuoK -E7fFK/HsKmGNo5h9xmp8Mffrhv/FtNY8goOzGgGVLIBEJhhAXdxMD7StDJ/wO4Yn -YVhUYNYXHRfLqlfrOKTlpom0tSTm ------END CERTIFICATE----- diff --git a/certs/rsa-signed-ecc-cert.pem b/certs/rsa-signed-ecc-cert.pem deleted file mode 100644 index 95740b6c4..000000000 --- a/certs/rsa-signed-ecc-cert.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDQDCCAiigAwIBAgIJAIsWzJR4pzZ8MA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD -VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G -A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD -VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz -bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE -BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV -BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE -AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5N/MA+vrmu1j6+9L9x53MwRl -xQVYreEo6GbI08kMZg7Xcdo9wJ066EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9KNQ -ME4wHQYDVR0OBBYEFJG5qzs7kKdpUhrSzNazXAYADDbDMB8GA1UdIwQYMBaAFJG5 -qzs7kKdpUhrSzNazXAYADDbDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD -ggEBAE6wOs43QszCln/y1KlG6AQz2KhnW+qWLhc7tfjHxAzH3OjgSPZ2nbVfE0w9 -PKakWrbOYfDpMAPH4HHwbQpwJ6glHYb/ARqcRDobj8Myx4OKG7UsIRjwnyQl0BhR -sx1V1ATnNeJ/LEKm3PdO3OvfnyHUwSeH2iA8bXfpIE1jUirsbA/pAA88vJ04u4fC -uCFWQqpoCZSxqDqT4kBqKjbcfPR/2jP5XxbTbfboSdyZ6Zx2P7/AuoWgW/Nxej2P -up0rgYptHMbN+UPvjg6z2WPadC1gmJ81HEag5Mx9kl1HyDavUN/pgX+9eGYuKR5J -wJ9nFJSlBHlndOp+CSUHtI0cw1M= ------END CERTIFICATE----- diff --git a/tests/include.am b/tests/include.am index 2a3f9baf0..e0a82a405 100644 --- a/tests/include.am +++ b/tests/include.am @@ -22,5 +22,6 @@ EXTRA_DIST += tests/unit.h EXTRA_DIST += tests/test.conf \ tests/test-qsh.conf \ tests/test-psk-no-id.conf \ - tests/test-dtls.conf + tests/test-dtls.conf \ + tests/test-sig.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index ebd2dae98..4a16770e6 100644 --- a/tests/suites.c +++ b/tests/suites.c 
@@ -498,8 +498,18 @@ int SuiteTest(void) exit(EXIT_FAILURE); } #endif +#ifndef WC_STRICT_SIG + /* add extra signature test suites */ + strcpy(argv0[1], "tests/test-sig.conf"); + printf("starting sig extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + exit(EXIT_FAILURE); + } +#endif #ifdef HAVE_QSH - /* add dtls extra suites */ + /* add QSH extra suites */ strcpy(argv0[1], "tests/test-qsh.conf"); printf("starting qsh extra cipher suite tests\n"); test_harness(&args); diff --git a/tests/test-sig.conf b/tests/test-sig.conf new file mode 100644 index 000000000..02c2fcb3b --- /dev/null +++ b/tests/test-sig.conf 
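Review bot: The new `#ifndef WC_STRICT_SIG` block runs tests/test-sig.conf only in non-strict builds, so nothing in this hunk checks what a strict build does with the same certificate pairings. If WC_STRICT_SIG is meant to reject the `server-ecc-rsa.pem` / `ca-cert.pem` combinations that test-sig.conf uses with ECDSA suites (an inference from the names, not shown here), a negative case under `#ifdef WC_STRICT_SIG` would pin that behaviour. The comment could also say why the block is gated, e.g. `/* ECDSA suites using certs from test-sig.conf; skipped when WC_STRICT_SIG is set */`. SuiteTest starts and ends outside the hunk.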
@@ -0,0 +1,199 @@ +# server TLSv1 ECDHE-ECDSA-DES3 + -v 1 + -l ECDHE-ECDSA-DES-CBC3-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-DES3 + -v 1 + -l ECDHE-ECDSA-DES-CBC3-SHA + -A ./certs/ca-cert.pem + +# server TLSv1 ECDHE-ECDSA-AES128 + -v 1 + -l ECDHE-ECDSA-AES128-SHA + -c ./certs/server-ecc.pem + -k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-AES128 + -v 1 + -l ECDHE-ECDSA-AES128-SHA + -A ./certs/server-ecc.pem + +# server TLSv1 ECDHE-ECDSA-AES128 + -v 1 + -l ECDHE-ECDSA-AES128-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-AES128 + -v 1 + -l ECDHE-ECDSA-AES128-SHA + -A ./certs/ca-cert.pem + +# server TLSv1 ECDHE-ECDSA-AES256 + -v 1 + -l ECDHE-ECDSA-AES256-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-AES256 + -v 1 + -l ECDHE-ECDSA-AES256-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.1 ECDHE-ECDSA-DES3 + -v 2 + -l ECDHE-ECDSA-DES-CBC3-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.1 ECDHE-ECDSA-DES3 + -v 2 + -l ECDHE-ECDSA-DES-CBC3-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.1 ECDHE-ECDSA-AES128 + -v 2 + -l ECDHE-ECDSA-AES128-SHA + -c ./certs/server-ecc.pem + -k ./certs/ecc-key.pem + +# client TLSv1.1 ECDHE-ECDSA-AES128 + -v 2 + -l ECDHE-ECDSA-AES128-SHA + -A ./certs/server-ecc.pem + +# server TLSv1.1 ECDHE-ECDSA-AES128 + -v 2 + -l ECDHE-ECDSA-AES128-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.1 ECDHE-ECDSA-AES128 + -v 2 + -l ECDHE-ECDSA-AES128-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.1 ECDHE-ECDSA-AES256 + -v 2 + -l ECDHE-ECDSA-AES256-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.1 ECDHE-ECDSA-AES256 + -v 2 + -l ECDHE-ECDSA-AES256-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-DES3 + -v 3 + -l ECDHE-ECDSA-DES-CBC3-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.2 
ECDHE-ECDSA-DES3 + -v 3 + -l ECDHE-ECDSA-DES-CBC3-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128 + -v 3 + -l ECDHE-ECDSA-AES128-SHA + -c ./certs/server-ecc.pem + -k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128 + -v 3 + -l ECDHE-ECDSA-AES128-SHA + -A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 + -v 3 + -l ECDHE-ECDSA-AES128-SHA256 + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-SHA256 + -v 3 + -l ECDHE-ECDSA-AES128-SHA256 + -A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES256 + -v 3 + -l ECDHE-ECDSA-AES256-SHA + -c ./certs/server-ecc-rsa.pem + -k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256 + -v 3 + -l ECDHE-ECDSA-AES256-SHA + -A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305 +-v 3 +-l ECDHE-ECDSA-CHACHA20-POLY1305 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 +-v 3 +-l ECDHE-ECDSA-CHACHA20-POLY1305 +-A ./certs/ca-cert.pem + +# server TLSv1.2 ECDH-ECDSA-AES128-SHA256 +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES128-SHA256 +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-A ./certs/ca-cert.pem + +# server TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 
+-A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 +-v 3 +-l ECDHE-ECDSA-AES128-CCM-8 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 +-v 3 +-l ECDHE-ECDSA-AES128-CCM-8 +-A ./certs/ca-cert.pem + + From 8073024ee71ef60af937e2c966a668a1bffc21e7 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 12 Feb 2016 13:41:30 -0700 Subject: [PATCH 7/7] fix formatting of .conf file so ephemeral port is used --- tests/test-sig.conf | 169 ++++++++++++++++++++++---------------------- 1 file changed, 84 insertions(+), 85 deletions(-) diff --git a/tests/test-sig.conf b/tests/test-sig.conf index 02c2fcb3b..db643c5c2 100644 --- a/tests/test-sig.conf +++ b/tests/test-sig.conf 
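Review bot: The comment `# server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305` in tests/test-sig.conf misspells ECDSA, and several entries carry identical comments although they load different certificates, for example the two `# server TLSv1 ECDHE-ECDSA-AES128` blocks, one with `server-ecc.pem` and one with `server-ecc-rsa.pem`. Naming the certificate in the comment, e.g. `# server TLSv1 ECDHE-ECDSA-AES128 (server-ecc-rsa.pem)`, would make a failing case identifiable from the test log.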
@@ -1,134 +1,134 @@ # server TLSv1 ECDHE-ECDSA-DES3 - -v 1 - -l ECDHE-ECDSA-DES-CBC3-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 1 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1 ECDHE-ECDSA-DES3 - -v 1 - -l ECDHE-ECDSA-DES-CBC3-SHA - -A ./certs/ca-cert.pem +-v 1 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/ca-cert.pem # server TLSv1 ECDHE-ECDSA-AES128 - -v 1 - -l ECDHE-ECDSA-AES128-SHA - -c ./certs/server-ecc.pem - -k ./certs/ecc-key.pem +-v 1 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem # client TLSv1 ECDHE-ECDSA-AES128 - -v 1 - -l ECDHE-ECDSA-AES128-SHA - -A ./certs/server-ecc.pem +-v 1 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem # server TLSv1 ECDHE-ECDSA-AES128 - -v 1 - -l ECDHE-ECDSA-AES128-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 1 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1 ECDHE-ECDSA-AES128 - -v 1 - -l ECDHE-ECDSA-AES128-SHA - -A ./certs/ca-cert.pem +-v 1 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/ca-cert.pem # server TLSv1 ECDHE-ECDSA-AES256 - -v 1 - -l ECDHE-ECDSA-AES256-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 1 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1 ECDHE-ECDSA-AES256 - -v 1 - -l ECDHE-ECDSA-AES256-SHA - -A ./certs/ca-cert.pem +-v 1 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/ca-cert.pem # server TLSv1.1 ECDHE-ECDSA-DES3 - -v 2 - -l ECDHE-ECDSA-DES-CBC3-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 2 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.1 ECDHE-ECDSA-DES3 - -v 2 - -l ECDHE-ECDSA-DES-CBC3-SHA - -A ./certs/ca-cert.pem +-v 2 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/ca-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES128 - -v 2 - -l ECDHE-ECDSA-AES128-SHA - -c ./certs/server-ecc.pem - -k ./certs/ecc-key.pem +-v 2 +-l 
ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem # client TLSv1.1 ECDHE-ECDSA-AES128 - -v 2 - -l ECDHE-ECDSA-AES128-SHA - -A ./certs/server-ecc.pem +-v 2 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem # server TLSv1.1 ECDHE-ECDSA-AES128 - -v 2 - -l ECDHE-ECDSA-AES128-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 2 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.1 ECDHE-ECDSA-AES128 - -v 2 - -l ECDHE-ECDSA-AES128-SHA - -A ./certs/ca-cert.pem +-v 2 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/ca-cert.pem # server TLSv1.1 ECDHE-ECDSA-AES256 - -v 2 - -l ECDHE-ECDSA-AES256-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 2 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.1 ECDHE-ECDSA-AES256 - -v 2 - -l ECDHE-ECDSA-AES256-SHA - -A ./certs/ca-cert.pem +-v 2 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/ca-cert.pem # server TLSv1.2 ECDHE-ECDSA-DES3 - -v 3 - -l ECDHE-ECDSA-DES-CBC3-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.2 ECDHE-ECDSA-DES3 - -v 3 - -l ECDHE-ECDSA-DES-CBC3-SHA - -A ./certs/ca-cert.pem +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/ca-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES128 - -v 3 - -l ECDHE-ECDSA-AES128-SHA - -c ./certs/server-ecc.pem - -k ./certs/ecc-key.pem +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem # client TLSv1.2 ECDHE-ECDSA-AES128 - -v 3 - -l ECDHE-ECDSA-AES128-SHA - -A ./certs/server-ecc.pem +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 - -v 3 - -l ECDHE-ECDSA-AES128-SHA256 - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256 - -v 3 - -l 
ECDHE-ECDSA-AES128-SHA256 - -A ./certs/ca-cert.pem +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-A ./certs/ca-cert.pem # server TLSv1.2 ECDHE-ECDSA-AES256 - -v 3 - -l ECDHE-ECDSA-AES256-SHA - -c ./certs/server-ecc-rsa.pem - -k ./certs/ecc-key.pem +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem # client TLSv1.2 ECDHE-ECDSA-AES256 - -v 3 - -l ECDHE-ECDSA-AES256-SHA - -A ./certs/ca-cert.pem +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/ca-cert.pem # server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305 -v 3 @@ -196,4 +196,3 @@ -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/ca-cert.pem -