diff options
Diffstat (limited to 'lib/ssl/test/ssl_cert_SUITE.erl')
-rw-r--r-- | lib/ssl/test/ssl_cert_SUITE.erl | 183 |
1 files changed, 99 insertions, 84 deletions
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl index 315c0e20b1..28f8d06aa7 100644 --- a/lib/ssl/test/ssl_cert_SUITE.erl +++ b/lib/ssl/test/ssl_cert_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2019-2022. All Rights Reserved. +%% Copyright Ericsson AB 2019-2023. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. @@ -25,6 +25,7 @@ -include_lib("common_test/include/ct.hrl"). -include_lib("public_key/include/public_key.hrl"). +-include("ssl_record.hrl"). %% Common test -export([all/0, @@ -66,6 +67,8 @@ missing_root_cert_auth_user_verify_fun_accept/1, missing_root_cert_auth_user_verify_fun_reject/0, missing_root_cert_auth_user_verify_fun_reject/1, + missing_root_cert_auth_user_old_verify_fun_accept/0, + missing_root_cert_auth_user_old_verify_fun_accept/1, verify_fun_always_run_client/0, verify_fun_always_run_client/1, verify_fun_always_run_server/0, @@ -235,6 +238,7 @@ all_version_tests() -> missing_root_cert_auth, missing_root_cert_auth_user_verify_fun_accept, missing_root_cert_auth_user_verify_fun_reject, + missing_root_cert_auth_user_old_verify_fun_accept, verify_fun_always_run_client, verify_fun_always_run_server, incomplete_chain_auth, @@ -270,11 +274,11 @@ init_per_group(GroupName, Config) -> case ssl_test_lib:is_protocol_version(GroupName) of true -> ssl_test_lib:clean_start(), - ssl_test_lib:init_per_group(GroupName, + ssl_test_lib:init_per_group(GroupName, [{client_type, erlang}, {server_type, erlang}, {version, GroupName} | Config]); - false -> + false -> do_init_per_group(GroupName, Config) end. @@ -282,18 +286,22 @@ do_init_per_group(Group, Config0) when Group == rsa; Group == rsa_1_3 -> Config1 = ssl_test_lib:make_rsa_cert(Config0), Config = ssl_test_lib:make_rsa_1024_cert(Config1), - COpts = proplists:get_value(client_rsa_opts, Config), + COpts = proplists:get_value(client_rsa_verify_opts, Config), SOpts = proplists:get_value(server_rsa_opts, Config), - [{cert_key_alg, rsa} | - lists:delete(cert_key_alg, - [{client_cert_opts, COpts}, - {server_cert_opts, SOpts} | - lists:delete(server_cert_opts, + Version = proplists:get_value(version, Config), + [{cert_key_alg, rsa}, + {extra_client, ssl_test_lib:sig_algs(rsa, Version)}, + {extra_server, ssl_test_lib:sig_algs(rsa, Version)} | + lists:delete(cert_key_alg, + [{client_cert_opts, COpts}, + {server_cert_opts, SOpts} | + lists:delete(server_cert_opts, lists:delete(client_cert_opts, Config))])]; do_init_per_group(Alg, Config) when Alg == rsa_pss_rsae; Alg == rsa_pss_pss -> Supports = crypto:supports(), RSAOpts = proplists:get_value(rsa_opts, Supports), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), case lists:member(rsa_pkcs1_pss_padding, RSAOpts) andalso lists:member(rsa_pss_saltlen, RSAOpts) @@ -302,8 +310,8 @@ do_init_per_group(Alg, Config) when Alg == rsa_pss_rsae; #{client_config := COpts, server_config := SOpts} = ssl_test_lib:make_rsa_pss_pem(rsa_alg(Alg), [], Config, ""), [{cert_key_alg, Alg}, - {extra_client, sig_algs(Alg)}, - {extra_server, sig_algs(Alg)} | + {extra_client, ssl_test_lib:sig_algs(Alg, Version)}, + {extra_server, ssl_test_lib:sig_algs(Alg, Version)} | lists:delete(cert_key_alg, [{client_cert_opts, COpts}, {server_cert_opts, SOpts} | @@ -340,13 +348,13 @@ do_init_per_group(Group, Config0) when Group == ecdsa; case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse lists:member(dh, PKAlg)) of true -> Config = ssl_test_lib:make_ecdsa_cert(Config0), - COpts = proplists:get_value(client_ecdsa_opts, Config), + COpts = proplists:get_value(client_ecdsa_verify_opts, Config), SOpts = proplists:get_value(server_ecdsa_opts, Config), [{cert_key_alg, ecdsa} | lists:delete(cert_key_alg, - [{client_cert_opts, COpts}, - {server_cert_opts, SOpts} | - lists:delete(server_cert_opts, + [{client_cert_opts, COpts}, + {server_cert_opts, SOpts} | + lists:delete(server_cert_opts, lists:delete(client_cert_opts, Config))] )]; false -> @@ -377,18 +385,23 @@ do_init_per_group(eddsa_1_3, Config0) -> false -> {skip, "Missing EC crypto support"} end; -do_init_per_group(dsa, Config0) -> +do_init_per_group(dsa = Alg, Config0) -> PKAlg = crypto:supports(public_keys), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config0)), case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) of true -> Config = ssl_test_lib:make_dsa_cert(Config0), COpts = proplists:get_value(client_dsa_opts, Config), SOpts = proplists:get_value(server_dsa_opts, Config), - [{cert_key_alg, dsa} | + [{cert_key_alg, dsa}, + {extra_client, ssl_test_lib:sig_algs(Alg, Version) ++ + [{ciphers, ssl_test_lib:dsa_suites(Version)}]}, + {extra_server, ssl_test_lib:sig_algs(Alg, Version) ++ + [{ciphers, ssl_test_lib:dsa_suites(Version)}]} | lists:delete(cert_key_alg, - [{client_cert_opts, COpts}, - {server_cert_opts, SOpts} | - lists:delete(server_cert_opts, + [{client_cert_opts, COpts}, + {server_cert_opts, SOpts} | + lists:delete(server_cert_opts, lists:delete(client_cert_opts, Config))])]; false -> {skip, "Missing DSS crypto support"} @@ -400,11 +413,11 @@ end_per_group(GroupName, Config) -> ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(signature_algorithms_bad_curve_secp256r1, Config) -> - init_rsa_ecdsa_opts(Config, secp256r1); + init_ecdsa_opts(Config, secp256r1); init_per_testcase(signature_algorithms_bad_curve_secp384r1, Config) -> - init_rsa_ecdsa_opts(Config, secp384r1); + init_ecdsa_opts(Config, secp384r1); init_per_testcase(signature_algorithms_bad_curve_secp521r1, Config) -> - init_rsa_ecdsa_opts(Config, secp521r1); + init_ecdsa_opts(Config, secp521r1); init_per_testcase(_TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), ct:timetrap({seconds, 10}), @@ -413,17 +426,18 @@ init_per_testcase(_TestCase, Config) -> end_per_testcase(_TestCase, Config) -> Config. -init_rsa_ecdsa_opts(Config0, Curve) -> +init_ecdsa_opts(Config0, Curve) -> + Version = ssl_test_lib:n_version(proplists:get_value(version, Config0)), PKAlg = crypto:supports(public_keys), case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse lists:member(dh, PKAlg)) of true -> Config = ssl_test_lib:make_rsa_ecdsa_cert(Config0, Curve), - COpts = proplists:get_value(client_rsa_ecdsa_opts, Config), - SOpts = proplists:get_value(server_rsa_ecdsa_opts, Config), + COpts = proplists:get_value(client_ecdsa_verify_opts, Config), + SOpts = proplists:get_value(server_ecdsa_opts, Config), [{cert_key_alg, ecdsa} | lists:delete(cert_key_alg, - [{client_cert_opts, COpts}, - {server_cert_opts, SOpts} | + [{client_cert_opts, ssl_test_lib:sig_algs(ecdsa, Version) ++ COpts}, + {server_cert_opts, ssl_test_lib:sig_algs(ecdsa, Version) ++ SOpts} | lists:delete(server_cert_opts, lists:delete(client_cert_opts, Config))] )]; @@ -500,13 +514,15 @@ missing_root_cert_auth() -> missing_root_cert_auth(Config) when is_list(Config) -> ServerOpts = proplists:delete(cacertfile, ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)), {ClientNode, ServerNode, _} = ssl_test_lib:run_where(Config), - Version = proplists:get_value(version, Config), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, {from, self()}, - {options, no_reuse(n_version(Version)) ++ [{verify, verify_peer} + {options, no_reuse(Version) ++ [{verify, verify_peer} | ServerOpts]}]), - ssl_test_lib:check_result(Server, {error, {options, {cacertfile, ""}}}), + Error = {error, {options, incompatible, + [{verify,verify_peer},{cacerts,undefined}]}}, + ssl_test_lib:check_result(Server, Error), ClientOpts = proplists:delete(cacertfile, ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config)), Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0}, @@ -514,7 +530,7 @@ missing_root_cert_auth(Config) when is_list(Config) -> {options, [{verify, verify_peer} | ClientOpts]}]), - ssl_test_lib:check_result(Client, {error, {options, {cacertfile, ""}}}). + ssl_test_lib:check_result(Client, Error). %%-------------------------------------------------------------------- missing_root_cert_auth_user_verify_fun_accept() -> @@ -523,6 +539,7 @@ missing_root_cert_auth_user_verify_fun_accept() -> missing_root_cert_auth_user_verify_fun_accept(Config) -> ServerOpts = ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config), + ClientCaCerts = public_key:cacerts_get(), FunAndState = {fun(_,{bad_cert, unknown_ca}, UserState) -> {valid, UserState}; (_,{bad_cert, _} = Reason, _) -> @@ -534,16 +551,19 @@ missing_root_cert_auth_user_verify_fun_accept(Config) -> (_, valid_peer, UserState) -> {valid, UserState} end, []}, - ClientOpts = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, - {verify_fun, FunAndState}], Config), + ClientOpts = ssl_test_lib:ssl_options(extra_client, + [{verify, verify_peer}, {verify_fun, FunAndState}, + {cacerts, ClientCaCerts}], + Config), ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- -missing_root_cert_auth_user_backwardscompatibility_verify_fun_accept() -> +missing_root_cert_auth_user_old_verify_fun_accept() -> [{doc, "Test old style verify fun"}]. -missing_root_cert_auth_user_backwardscompatibility_verify_fun_accept(Config) -> +missing_root_cert_auth_user_old_verify_fun_accept(Config) -> ServerOpts = ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config), + ClientCaCerts = public_key:cacerts_get(), AcceptBadCa = fun({bad_cert,unknown_ca}, Acc) -> Acc; (Other, Acc) -> [Other | Acc] end, @@ -554,8 +574,10 @@ missing_root_cert_auth_user_backwardscompatibility_verify_fun_accept(Config) -> [_|_] -> false end end, - ClientOpts = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, - {verify_fun, VerifyFun}], Config), + ClientOpts = ssl_test_lib:ssl_options(extra_client, + [{verify, verify_peer}, + {verify_fun, VerifyFun}, + {cacerts, ClientCaCerts}], Config), ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- @@ -565,6 +587,7 @@ missing_root_cert_auth_user_verify_fun_reject() -> missing_root_cert_auth_user_verify_fun_reject(Config) -> ServerOpts = ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config), + ClientCaCerts = public_key:cacerts_get(), FunAndState = {fun(_,{bad_cert, unknown_ca} = Reason, _UserState) -> {fail, Reason}; (_,{bad_cert, _} = Reason, _) -> @@ -576,8 +599,11 @@ missing_root_cert_auth_user_verify_fun_reject(Config) -> (_, valid_peer, UserState) -> {valid, UserState} end, []}, - ClientOpts = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, - {verify_fun, FunAndState}], Config), + ClientOpts = ssl_test_lib:ssl_options(extra_client, + [{verify, verify_peer}, + {verify_fun, FunAndState}, + {cacerts, ClientCaCerts}], + Config), ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, unknown_ca). @@ -641,7 +667,7 @@ verify_fun_always_run_client(Config) when is_list(Config) -> {from, self()}, {mfa, {ssl_test_lib, no_result, []}}, - {options, no_reuse(n_version(Version)) ++ ServerOpts}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ ServerOpts}]), Port = ssl_test_lib:inet_port(Server), %% If user verify fun is called correctly we fail the connection. @@ -705,7 +731,7 @@ verify_fun_always_run_server(Config) when is_list(Config) -> {mfa, {ssl_test_lib, no_result, []}}, {options, - no_reuse(n_version(Version)) ++ [{verify, verify_peer}, + no_reuse(ssl_test_lib:n_version(Version)) ++ [{verify, verify_peer}, {verify_fun, FunAndState} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), @@ -754,7 +780,7 @@ critical_extension_auth(Config) when is_list(Config) -> [{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, no_result, []}}, - {options, no_reuse(n_version(Version)) ++ [{verify, verify_none} | ServerOpts]}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ [{verify, verify_none} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client_error( [{node, ClientNode}, {port, Port}, @@ -786,7 +812,7 @@ critical_extension_client_auth(Config) when is_list(Config) -> [{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, no_result, []}}, - {options, no_reuse(n_version(Version)) ++ [{verify, verify_peer} | ServerOpts]}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ [{verify, verify_peer} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client_error( [{node, ClientNode}, {port, Port}, @@ -841,7 +867,7 @@ extended_key_usage_auth(Config) when is_list(Config) -> Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, no_reuse(n_version(Version)) ++ [{verify, verify_none} | ServerOpts]}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ [{verify, verify_none} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, {host, Hostname}, @@ -876,7 +902,7 @@ extended_key_usage_client_auth(Config) when is_list(Config) -> Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, no_reuse(n_version(Version)) ++ [{verify, verify_peer} | ServerOpts]}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ [{verify, verify_peer} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, {host, Hostname}, @@ -913,7 +939,7 @@ cert_expired(Config) when is_list(Config) -> Version = proplists:get_value(version, Config), Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, {from, self()}, - {options, no_reuse(n_version(Version)) ++ ServerOpts}]), + {options, no_reuse(ssl_test_lib:n_version(Version)) ++ ServerOpts}]), Port = ssl_test_lib:inet_port(Server), Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, {host, Hostname}, @@ -975,34 +1001,35 @@ key_auth_ext_sign_only(Config) when is_list(Config) -> Version = proplists:get_value(version, Config), ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(extra_client, ClientOpts0, Config)], ServerOpts = [{verify, verify_peer}, {ciphers, - ssl_test_lib:rsa_non_signed_suites(n_version(Version))} - | ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)], + ssl_test_lib:rsa_non_signed_suites(ssl_test_lib:n_version(Version))} + | ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)], ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- longer_chain() -> [{doc,"Test depth option"}]. -longer_chain(Config) when is_list(Config) -> +longer_chain(Config) when is_list(Config) -> #{server_config := ServerOpts0, - client_config := ClientOpts0} = + client_config := ClientOpts0} = public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}], - intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}], + intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}], [{key, ssl_test_lib:hardcode_rsa_key(3)}], [{key, ssl_test_lib:hardcode_rsa_key(4)}]], peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]}, - client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}], + client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}], intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}]], - peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}), + peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}), [ServerRoot| _] = ServerCas = proplists:get_value(cacerts, ServerOpts0), ClientCas = proplists:get_value(cacerts, ClientOpts0), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), ServerOpts = ssl_test_lib:ssl_options(extra_server, [{verify, verify_peer}, {cacerts, [ServerRoot]} | - proplists:delete(cacerts, ServerOpts0)], Config), + proplists:delete(cacerts, ServerOpts0)] ++ ssl_test_lib:sig_algs(rsa, Version), Config), ClientOpts = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer}, {depth, 5}, - {cacerts, ServerCas ++ ClientCas} | - proplists:delete(cacerts, ClientOpts0)], Config), + {cacerts, ServerCas ++ ClientCas} | + proplists:delete(cacerts, ClientOpts0)]++ ssl_test_lib:sig_algs(rsa, Version) , Config), ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). cross_signed_chain() -> @@ -1031,26 +1058,28 @@ cross_signed_chain(Config) ServerCas0 = proplists:get_value(cacerts, ServerOpts0), ClientCas0 = proplists:get_value(cacerts, ClientOpts0), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), {[Peer,CI1,CI2,CROld], CROld} = chain_and_root(ClientOpts0), {[_Peer,CI1New,CI2New,CRNew], CRNew} = chain_and_root(ClientOptsNew), ServerCas = [CRNew|ServerCas0 -- [CROld]], ServerOpts = ssl_test_lib:ssl_options(extra_server, [{verify, verify_peer} | - lists:keyreplace(cacerts, 1, ServerOpts0, {cacerts, ServerCas})], + lists:keyreplace(cacerts, 1, ServerOpts0, {cacerts, ServerCas})] + ++ ssl_test_lib:sig_algs(rsa, Version), Config), ClientOpts = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer} | lists:keyreplace(cacerts, 1, lists:keyreplace(cert, 1, ClientOpts0, {cert, [Peer,CI1New,CI2New,CI1,CI2,CRNew,CROld]}), - {cacerts, ClientCas0})], + {cacerts, ClientCas0})] ++ ssl_test_lib:sig_algs(rsa, Version), Config), ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config), ClientOpts2 = ssl_test_lib:ssl_options(extra_client, [{verify, verify_peer} | lists:keyreplace(cacerts, 1, lists:keyreplace(cert, 1, ClientOpts0, {cert, [Peer,CI1,CI1New,CI2,CI2New,CROld,CRNew]}), - {cacerts, ClientCas0})], + {cacerts, ClientCas0})] ++ ssl_test_lib:sig_algs(rsa, Version), Config), ssl_test_lib:basic_test(ClientOpts2, ServerOpts, Config), ok. @@ -1072,12 +1101,15 @@ expired_root_with_cross_signed_root(Config) when is_list(Config) -> #{cert := Root} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", [{key, Key1}, {validity, {{Year-2, Month, Day}, {Year-1, Month, Day}}}]), - #{server_config := ServerOpts, client_config := ClientOpts} = + #{server_config := ServerOpts0, client_config := ClientOpts0} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, intermediates => [[{key, Key2}], [{key, Key3}]], peer => [{key, Key4}]}, client_chain => #{root => [{key, Key5}], peer => [{key, Key6}]}}), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ClientOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ClientOpts0, + ServerOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ServerOpts0, SCert = proplists:get_value(cert, ServerOpts), SCerts = proplists:get_value(cacerts, ServerOpts), @@ -1190,7 +1222,7 @@ hello_retry_client_auth(Config) -> {supported_groups, [secp256r1, x25519]}|ClientOpts0], ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} | ServerOpts1], - + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). %%-------------------------------------------------------------------- hello_retry_client_auth_empty_cert_accepted() -> @@ -1277,12 +1309,14 @@ signature_algorithms_bad_curve_secp521r1(Config) -> ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config), ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config), %% Set versions - ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0], + ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}, + {signature_algs, [ecdsa_secp512r1_sha256, + {sha256,rsa}]} + | ServerOpts0], ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}, {signature_algs, [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, {sha256,rsa}]}|ClientOpts0], - ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security). %%-------------------------------------------------------------------- @@ -1337,17 +1371,6 @@ server_certificate_authorities_disabled(Config) -> %%-------------------------------------------------------------------- %% Internal functions ----------------------------------------------- %%-------------------------------------------------------------------- -n_version(Version) when - Version == 'tlsv1.3'; - Version == 'tlsv1.2'; - Version == 'tlsv1.1'; - Version == 'tlsv1'; - Version == 'sslv3' -> - tls_record:protocol_version(Version); -n_version(Version) when Version == 'dtlsv1.2'; - Version == 'dtlsv1' -> - dtls_record:protocol_version(Version). - rsa_alg(rsa_pss_rsae_1_3) -> rsa_pss_rsae; rsa_alg(rsa_pss_pss_1_3) -> @@ -1355,7 +1378,7 @@ rsa_alg(rsa_pss_pss_1_3) -> rsa_alg(Atom) -> Atom. -no_reuse({3, N}) when N >= 4 -> +no_reuse(?TLS_1_3) -> []; no_reuse(_) -> [{reuse_sessions, false}]. @@ -1366,11 +1389,3 @@ chain_and_root(Config) -> {ok, Root, Chain} = ssl_certificate:certificate_chain(OwnCert, ets:new(foo, []), ExtractedCAs, [], encoded), {Chain, Root}. -sig_algs(rsa_pss_pss) -> - [{signature_algs, [rsa_pss_pss_sha512, - rsa_pss_pss_sha384, - rsa_pss_pss_sha256]}]; -sig_algs(rsa_pss_rsae) -> - [{signature_algs, [rsa_pss_rsae_sha512, - rsa_pss_rsae_sha384, - rsa_pss_rsae_sha256]}]. |