From 4adaeb858517928966cbdb116e4b2ab47ee7f739 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 15 Oct 2018 17:06:21 -0700 Subject: [PATCH 1/3] Added new 256-byte max fragment option `WOLFSSL_MFL_2_8`. --- doc/dox_comments/header_files/ssl.h | 8 +++++--- examples/client/client.c | 6 +++--- src/tls.c | 3 ++- tests/api.c | 2 ++ wolfssl/ssl.h | 7 +++++-- 5 files changed, 17 insertions(+), 9 deletions(-) diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index 8f37dfda5..72312307c 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -10259,9 +10259,11 @@ WOLFSSL_API int wolfSSL_UseMaxFragment(WOLFSSL* ssl, unsigned char mfl); \param ctx pointer to a SSL context, created with wolfSSL_CTX_new(). \param mfl indicates which is the Maximum Fragment Length requested for the session. The available options are: - enum { WOLFSSL_MFL_2_9 = 1, 512 bytes WOLFSSL_MFL_2_10 = 2, - 1024 bytes WOLFSSL_MFL_2_11 = 3, 2048 bytes WOLFSSL_MFL_2_12 = 4, - 4096 bytes WOLFSSL_MFL_2_13 = 5, 8192 bytes wolfSSL ONLY!!! }; + enum { WOLFSSL_MFL_2_9 = 1 512 bytes, WOLFSSL_MFL_2_10 = 2 1024 bytes, + WOLFSSL_MFL_2_11 = 3 2048 bytes WOLFSSL_MFL_2_12 = 4 4096 bytes, + WOLFSSL_MFL_2_13 = 5 8192 bytes wolfSSL ONLY!!!, + WOLFSSL_MFL_2_13 = 6 256 bytes wolfSSL ONLY!!! + }; _Example_ \code diff --git a/examples/client/client.c b/examples/client/client.c index b9f692363..2b4b27052 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -858,7 +858,7 @@ static void Usage(void) printf("-S Use Host Name Indication\n"); #endif #ifdef HAVE_MAX_FRAGMENT - printf("-F Use Maximum Fragment Length [1-5]\n"); + printf("-F Use Maximum Fragment Length [0-5]\n"); #endif #ifdef HAVE_TRUNCATED_HMAC printf("-T Use Truncated HMAC\n"); 
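Review bot: The `-F` usage string in `Usage()` now advertises `[0-5]`, which does not match the range the option parser accepts. The `case 'F'` hunk in this same file rejects any value below `WOLFSSL_MFL_MIN` or above `WOLFSSL_MFL_MAX`, and wolfssl/ssl.h in this patch defines those as `WOLFSSL_MFL_2_9 = 1` and `WOLFSSL_MFL_2_8 = 6`. The range in the string should read `[1-6]`. Patch 3/3 changes it to `[0-6]`, which corrects the upper bound but still lists 0, a value the parser answers with `Usage()` and exit. `Usage()` begins and ends outside the hunk.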
@@ -1341,8 +1341,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) case 'F' : #ifdef HAVE_MAX_FRAGMENT maxFragment = atoi(myoptarg); - if (maxFragment < WOLFSSL_MFL_2_9 || - maxFragment > WOLFSSL_MFL_2_13) { + if (maxFragment < WOLFSSL_MFL_MIN || + maxFragment > WOLFSSL_MFL_MAX) { Usage(); XEXIT_T(MY_EX_USAGE); } diff --git a/src/tls.c b/src/tls.c index 39a67af16..901b74383 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2464,6 +2464,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, #endif switch (*input) { + case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break; case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break; case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break; @@ -2495,7 +2496,7 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap) byte* data = NULL; int ret = 0; - if (extensions == NULL || mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) + if (extensions == NULL || mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX) return BAD_FUNC_ARG; data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX); diff --git a/tests/api.c b/tests/api.c index c565bdda6..cd44528fc 100644 --- a/tests/api.c +++ b/tests/api.c 
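Review bot: The new `case WOLFSSL_MFL_2_8` in `TLSX_MFL_Parse` accepts wire value 6 from the peer, a code point outside the four values (1 to 4) that RFC 6066 defines for max_fragment_length. The header marks it "wolfSSL ONLY", but nothing says so at the place where the peer's byte is interpreted. A comment on the case would keep that visible, for example `/* 5 and 6 are wolfSSL-only code points, not in RFC 6066; a conforming peer is expected to reject them */`. The case also lowers the smallest record size a remote peer can request from 512 to 256 bytes, so any buffer sizing or DTLS handshake fragmentation code that assumed a 512-byte floor is worth re-checking; that code is not visible here. The switch's default branch and the rest of the function lie outside the hunk.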
@@ -2875,11 +2875,13 @@ static void test_wolfSSL_UseMaxFragment(void) AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 6)); /* success case */ + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_10)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_11)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_9)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_10)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_11)); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e925dffea..d1deb8722 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2275,7 +2275,10 @@ enum { WOLFSSL_MFL_2_10 = 2, /* 1024 bytes */ WOLFSSL_MFL_2_11 = 3, /* 2048 bytes */ WOLFSSL_MFL_2_12 = 4, /* 4096 bytes */ - WOLFSSL_MFL_2_13 = 5 /* 8192 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_2_13 = 5, /* 8192 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_2_8 = 6, /* 256 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_MIN = WOLFSSL_MFL_2_9, + WOLFSSL_MFL_MAX = WOLFSSL_MFL_2_8, }; #ifndef NO_WOLFSSL_CLIENT @@ -2284,7 +2287,7 @@ WOLFSSL_API int wolfSSL_UseMaxFragment(WOLFSSL* ssl, unsigned char mfl); WOLFSSL_API int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, unsigned char mfl); #endif -#endif +#endif /* HAVE_MAX_FRAGMENT */ /* Truncated HMAC */ #ifdef HAVE_TRUNCATED_HMAC From ab61cefa58e03a0efb3bbfceb53d66de93c027ea Mon Sep 17 00:00:00 2001 
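Review bot: The enum in wolfssl/ssl.h now ends with `WOLFSSL_MFL_MAX = WOLFSSL_MFL_2_8,`, and a trailing comma in an enumerator list is not valid C89, so strict pre-C99 compilers may warn or fail on this public header; the previous last enumerator had none, and the comma should be dropped. `WOLFSSL_MFL_MIN` and `WOLFSSL_MFL_MAX` bound the wire code (1..6), not the fragment size: `MAX` names the 256-byte option and `MIN` the 512-byte one. That deserves a comment such as `/* lowest/highest valid code, not fragment size */`, because the range checks in src/tls.c and examples/client/client.c only work while the codes stay contiguous. The doxygen copy of this list in doc/dox_comments/header_files/ssl.h names the new entry `WOLFSSL_MFL_2_13 = 6`, which should be `WOLFSSL_MFL_2_8 = 6`.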
From: David Garske Date: Tue, 16 Oct 2018 08:58:46 -0700 Subject: [PATCH 2/3] Fix max frag error case tests to use min/max. --- tests/api.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index cd44528fc..f4424a22f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2869,10 +2869,10 @@ static void test_wolfSSL_UseMaxFragment(void) /* error cases */ AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9)); AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( NULL, WOLFSSL_MFL_2_9)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 0)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 6)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 0)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 6)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MIN-1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MAX+1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, WOLFSSL_MFL_MIN-1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, WOLFSSL_MFL_MAX+1)); /* success case */ AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); From d7d102d90ac88e4e738181ea5acbc524d2085f3c Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 16 Oct 2018 16:47:24 -0700 Subject: [PATCH 3/3] Added cipher suite unit tests for max fragment options 1-6 for TLS v1.2 and DTLS v1.2. Fix for client usage comment for max fragment. --- examples/client/client.c | 2 +- tests/include.am | 2 + tests/suites.c | 23 ++++ tests/test-maxfrag-dtls.conf | 215 +++++++++++++++++++++++++++++++++++ tests/test-maxfrag.conf | 179 +++++++++++++++++++++++++++++ 5 files changed, 420 insertions(+), 1 deletion(-) create mode 100644 tests/test-maxfrag-dtls.conf create mode 100644 tests/test-maxfrag.conf diff --git a/examples/client/client.c b/examples/client/client.c index 2b4b27052..ef878e6a4 100644 
--- a/examples/client/client.c +++ b/examples/client/client.c @@ -858,7 +858,7 @@ static void Usage(void) printf("-S Use Host Name Indication\n"); #endif #ifdef HAVE_MAX_FRAGMENT - printf("-F Use Maximum Fragment Length [0-5]\n"); + printf("-F Use Maximum Fragment Length [0-6]\n"); #endif #ifdef HAVE_TRUNCATED_HMAC printf("-T Use Truncated HMAC\n"); diff --git a/tests/include.am b/tests/include.am index 9c7aa09ca..2b6baf558 100644 --- a/tests/include.am +++ b/tests/include.am @@ -32,5 +32,7 @@ EXTRA_DIST += tests/test.conf \ tests/test-sig.conf \ tests/test-ed25519.conf \ tests/test-enckeys.conf \ + tests/test-maxfrag.conf \ + tests/test-maxfrag-dtls.conf \ tests/test-fails.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index cc12d5d24..e4dd93a0d 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -783,6 +783,29 @@ int SuiteTest(void) } #endif +#ifdef HAVE_MAX_FRAGMENT + /* Max fragment cipher suite tests */ + strcpy(argv0[1], "tests/test-maxfrag.conf"); + printf("starting max fragment cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + + #ifdef WOLFSSL_DTLS + strcpy(argv0[1], "tests/test-maxfrag-dtls.conf"); + printf("starting dtls max fragment cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + #endif +#endif + /* failure tests */ args.argc = 3; strcpy(argv0[1], "tests/test-fails.conf"); diff --git a/tests/test-maxfrag-dtls.conf b/tests/test-maxfrag-dtls.conf new file mode 100644 index 000000000..67aef1776 --- /dev/null +++ b/tests/test-maxfrag-dtls.conf 
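Review bot: The two new blocks in `SuiteTest` call `test_harness(&args)` without setting `args.argc`, whereas the failure-test block right after them sets `args.argc = 3;` explicitly. The new runs therefore depend on whatever value the preceding, conditionally compiled block left behind, which this hunk does not show; setting it explicitly before the first `strcpy` would make the block self-contained (presumably `args.argc = 2;`, to be confirmed against the earlier blocks). The `strcpy(argv0[1], "tests/test-maxfrag-dtls.conf")` call also relies on `argv0[1]` being large enough for this longer literal; its declaration is outside the hunk, so the size should be confirmed there. `SuiteTest` begins and ends outside the hunk.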
@@ -0,0 +1,215 @@
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 1
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 1
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 1
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 2
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 2
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 2
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 3
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 3
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 3
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 4
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 4
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 4
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 5
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 5
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 5
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 6
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 6
+
+# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 6
diff --git a/tests/test-maxfrag.conf b/tests/test-maxfrag.conf
new file mode 100644
index 000000000..2ca6cc8dd
--- /dev/null
+++ b/tests/test-maxfrag.conf 
@@ -0,0 +1,179 @@
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 1
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 1
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 1
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 2
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 2
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 2
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 3
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 3
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 3
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 4
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 4
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 4
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 5
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 5
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 5
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/ca-ecc-cert.pem
+-F 6
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+-F 6
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+-F 6