authorDaiki Ueno <ueno@gnu.org>2021-02-04 14:03:25 +0000
committerDaiki Ueno <ueno@gnu.org>2021-02-04 14:03:25 +0000
commitf9d956b293a88eaca674b5c9095c2f4c190a2cd0 (patch)
treedb67488ed7723514e323326b78a56899d16b53c7
parent0295456d9e3149d4b55f013cd681df8b93093d09 (diff)
parent51a344010a629e6439dd05f8aa07576404387f73 (diff)
downloadgnutls-f9d956b293a88eaca674b5c9095c2f4c190a2cd0.tar.gz
Merge branch 'wip/dueno/parallel-openssl' into 'master'
tests: remove hand-written parallelism. Closes #1099. See merge request gnutls/gnutls!1372
-rw-r--r--tests/suite/Makefile.am18
-rwxr-xr-xtests/suite/testcompat-main-openssl970
-rwxr-xr-xtests/suite/testcompat-main-polarssl449
-rwxr-xr-xtests/suite/testcompat-openssl-cli-common.sh512
-rwxr-xr-xtests/suite/testcompat-openssl-cli-compat.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-cli-no-etm.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-cli.sh (renamed from tests/suite/testcompat-openssl.sh)3
-rwxr-xr-xtests/suite/testcompat-openssl-serv-common.sh567
-rwxr-xr-xtests/suite/testcompat-openssl-serv-compat.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-etm.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-tickets.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-safe-renegotiation.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-tls13-cli.sh299
-rwxr-xr-xtests/suite/testcompat-openssl-tls13-serv.sh371
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-common.sh432
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-compat.sh59
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-no-etm.sh59
-rwxr-xr-xtests/suite/testcompat-polarssl-serv.sh (renamed from tests/suite/testcompat-polarssl.sh)3
-rwxr-xr-xtests/suite/testcompat-tls13-openssl.sh608
21 files changed, 2839 insertions, 2031 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index d6f6ff135b..8cfb087eda 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -39,7 +39,19 @@ LDADD = ../../lib/libgnutls.la \
prime_check_LDADD = $(LDADD) -lhogweed -lgmp
scripts_to_test = chain.sh \
- testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \
+ testrng.sh \
+ testcompat-polarssl-serv.sh \
+ testcompat-polarssl-serv-compat.sh \
+ testcompat-polarssl-serv-no-etm.sh \
+ testcompat-openssl-cli.sh \
+ testcompat-openssl-cli-compat.sh \
+ testcompat-openssl-cli-no-etm.sh \
+ testcompat-openssl-serv.sh \
+ testcompat-openssl-serv-compat.sh \
+ testcompat-openssl-serv-no-etm.sh \
+ testcompat-openssl-serv-no-tickets.sh \
+ testcompat-openssl-serv-no-safe-renegotiation.sh \
+ testcompat-openssl-serv-safe-renegotiation.sh \
testrandom.sh tls-fuzzer/tls-fuzzer-nocert.sh \
tls-fuzzer/tls-fuzzer-cert.sh tls-fuzzer/tls-fuzzer-alpn.sh \
tls-fuzzer/tls-fuzzer-nocert-tls13.sh tls-fuzzer/tls-fuzzer-psk.sh \
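Review bot: The three new `*-common.sh` files from the diffstat (testcompat-openssl-cli-common.sh, testcompat-openssl-serv-common.sh, testcompat-polarssl-serv-common.sh) are not added anywhere in this hunk, and per the diffstat this hunk plus the TLS 1.3 one below are the only Makefile.am changes in the commit. They are presumably sourced by the per-variant scripts listed here rather than run directly, so they correctly stay out of `scripts_to_test`, but unless some list outside this hunk already distributes them they will be absent from `make dist` tarballs and every new test will fail at source time in a distcheck or downstream build. If no such list exists, add something like `EXTRA_DIST += testcompat-openssl-cli-common.sh testcompat-openssl-serv-common.sh testcompat-polarssl-serv-common.sh` next to this block; please confirm against the rest of Makefile.am, which is outside the hunk.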
@@ -67,7 +79,9 @@ TESTS_ENVIRONMENT += ENABLE_SSL3=1
endif
if ENABLE_TLS13_INTEROP
-scripts_to_test += testcompat-tls13-openssl.sh
+scripts_to_test += \
+ testcompat-openssl-tls13-cli.sh \
+ testcompat-openssl-tls13-serv.sh
endif
if ENABLE_OLDGNUTLS_INTEROP
diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
deleted file mode 100755
index bc5a602d17..0000000000
--- a/tests/suite/testcompat-main-openssl
+++ /dev/null
@@ -1,970 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2010-2016, Free Software Foundation, Inc.
-# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${SERV=../../src/gnutls-serv${EXEEXT}}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-: ${PORT=${RPORT}}
-
-: ${OPENSSL=openssl}
-SIGALGS=RSA+SHA1:RSA+SHA256
-
-echo "Compatibility checks using "`${OPENSSL} version`
-${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
-if test $? != 0; then
- echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
- exit 77
-fi
-
-. "${srcdir}/testcompat-common"
-
-${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
-HAVE_X25519=$?
-
-test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
-
-${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
-NO_TLS1_2=$?
-
-test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
-
-${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
-if test $? = 0;then
- NO_DH_PARAMS=0
-else
- NO_DH_PARAMS=1
-fi
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
-NO_DSS=$?
-
-if test $NO_DSS != 0;then
- echo "Disabling interop tests for DSS ciphersuites"
-else
- DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
- SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
-fi
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
-NO_CAMELLIA=$?
-
-test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
-NO_RC4=$?
-
-test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
-NO_3DES=$?
-
-test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
-NO_NULL=$?
-
-test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
-
-${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
-NO_PRIME192v1=$?
-
-test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
-
-if test "${NO_DH_PARAMS}" = 0;then
- OPENSSL_DH_PARAMS_OPT=""
-else
- OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
-fi
-
-${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
-HAVE_NOT_SSL3=$?
-
-if test $HAVE_NOT_SSL3 = 0;then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
- HAVE_NOT_SSL3=1
- kill ${PID}
- wait
-fi
-
-test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
-
-
-echo "#################################################"
-echo "# Client mode tests (gnutls cli-openssl server) #"
-echo "#################################################"
-
-run_client_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
- # It seems debian disabled SSL 3.0 completely on openssl
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test SSL 3.0 with RSA ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- # Test SSL 3.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_DSS}" = 0; then
- # Test SSL 3.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- if test "${NO_RC4}" != 1; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-SHA >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking SSL 3.0 with RSA-RC4-SHA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
- fi
-
- if test "${NO_NULL}" = 0; then
- #-cipher RSA-NULL
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with RSA-NULL ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with RSA-NULL..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with RSA ciphersuite
- if test "${NO_3DES}" != 1; then
- echo "${PREFIX}Checking TLS 1.0 with RSA and 3DES-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_CAMELLIA}" != 1; then
- echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- if test "${NO_DSS}" = 0; then
- # Test TLS 1.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- # Test TLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- # Test TLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.2 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA (SECP192R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-SECP192R1${ADD}" --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.0 with PSK..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${NO_TLS1_2} = 0; then
- # Tests requiring openssl 1.0.1 - TLS 1.2
- #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-GCM..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-GCM..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA..."
- "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${HAVE_X25519}" = 0; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA (X25519)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --insecure --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- if test "${FIPS_CURVES}" != 1; then
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi #FIPS_CURVES
- fi #NO_TLS1_2
-
- #-cipher PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with PSK..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- echo "${PREFIX}Checking DTLS 1.2 with AES-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.2 with RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.2 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- echo "${PREFIX}Checking DTLS 1.2 with ECDHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+GROUP-ALL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
- run_client_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-echo "${PREFIX}Client mode tests were successfully completed"
-echo "${PREFIX}"
-echo "${PREFIX}###############################################"
-echo "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
-echo "${PREFIX}###############################################"
-SERV="${SERV} -q"
-
-# Note that openssl s_client does not return error code on failure
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
-
- echo "${PREFIX}Check SSL 3.0 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+SHA1:+ARCFOUR-128:+3DES-CBC:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- if test "${NO_RC4}" != 1; then
- echo "${PREFIX}Check SSL 3.0 with RSA-RC4-SHA ciphersuite"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-SHA </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check SSL 3.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check SSL 3.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
- fi
-
- #TLS 1.0
-
- # This test was disabled because it doesn't work as expected with openssl 1.0.0d
- #echo "${PREFIX}Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
- #
- #${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- # fail ${PID} "Failed"
- #
- #kill ${PID}
- #wait
-
- if test "${NO_NULL}" = 0; then
- echo "${PREFIX}Check TLS 1.0 with RSA-NULL ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -sigalgs "$SIGALGS" -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${NO_TLS1_2} = 0; then
- # test resumption
- echo "${PREFIX}Check TLS 1.2 with resumption"
- eval "${GETPORT}"
- launch_server --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -reconnect -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${HAVE_X22519}" = 0; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite (X25519)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- fi #NO_TLS1_2
-
- # DTLS
- echo "${PREFIX}Check DTLS 1.0 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- echo "${PREFIX}Check DTLS 1.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check DTLS 1.2 with AES-CBC"
- eval "${GETPORT}"
- launch_server --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check DTLS 1.2 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- echo "${PREFIX}Check DTLS 1.2 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check DTLS 1.2 with ECDHE-RSA"
- eval "${GETPORT}"
- launch_server --priority "NONE:+GROUP-ALL:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher ECDHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" ":%SAFE_RENEGOTIATION"; do
- run_server_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-exit 0
diff --git a/tests/suite/testcompat-main-polarssl b/tests/suite/testcompat-main-polarssl
deleted file mode 100755
index ba8b7bbb6c..0000000000
--- a/tests/suite/testcompat-main-polarssl
+++ /dev/null
@@ -1,449 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2010-2015, Free Software Foundation, Inc.
-# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-LOGFILE=polarssl.log
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-
-TXT=`"${CLI}" --priority NORMAL --list|grep SECP224`
-if test -z "${TXT}"; then
- ALL_CURVES=0
-else
- ALL_CURVES=1
-fi
-
-
-echo "Compatibility checks using polarssl"
-
-for POLARSSL_CLI in \
- /usr/bin/polarssl_ssl_client2 \
- /usr/bin/mbedtls_ssl_client2 \
- /usr/libexec/mbedtls/ssl_client2 \
- ""; do
- test -x "${POLARSSL_CLI}" && break
-done
-
-if test -z "${POLARSSL_CLI}"; then
- echo "PolarSSL is required for this test to run"
- exit 77
-fi
-
-"${POLARSSL_CLI}" >/dev/null 2>&1
-if test $? = 0; then
- echo "PolarSSL 1.3.x is required for the tests to run"
- exit 77
-fi
-
-
-. "${srcdir}/testcompat-common"
-
-echo ""
-echo "##################################################"
-echo "# Server mode tests (gnutls server-polarssl cli) #"
-echo "##################################################"
-SERV="../../src/gnutls-serv${EXEEXT} -q"
-
-rm -f "${LOGFILE}"
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- eval "${GETPORT}"
-
- #TLS 1.0
-
- echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
-
- #"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- # fail ${PID} "Failed"
-
- #kill ${PID}
- #wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with DHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with RSA-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher RSA-PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${ALL_CURVES} = 1; then
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
- #
- #"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- # fail ${PID} "Failed"
- #
- #kill ${PID}
- #wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${ALL_CURVES} = 1; then
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with DHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with RSA-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher RSA-PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
- run_server_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-rm -f "${LOGFILE}"
-
-exit 0
diff --git a/tests/suite/testcompat-openssl-cli-common.sh b/tests/suite/testcompat-openssl-cli-common.sh
new file mode 100755
index 0000000000..8f0418647d
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-common.sh
@@ -0,0 +1,512 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+SIGALGS=RSA+SHA1:RSA+SHA256
+
+echo "Compatibility checks using "`${OPENSSL} version`
+${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
+if test $? != 0; then
+ echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
+ exit 77
+fi
+
+. "${srcdir}/testcompat-common"
+
+${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
+HAVE_X25519=$?
+
+test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
+
+${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
+NO_TLS1_2=$?
+
+test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+
+${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+if test $? = 0;then
+ NO_DH_PARAMS=0
+else
+ NO_DH_PARAMS=1
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+NO_DSS=$?
+
+if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+else
+ DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
+ SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
+NO_CAMELLIA=$?
+
+test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
+NO_RC4=$?
+
+test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
+NO_3DES=$?
+
+test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
+NO_NULL=$?
+
+test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+
+${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
+NO_PRIME192v1=$?
+
+test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+
+if test "${NO_DH_PARAMS}" = 0;then
+ OPENSSL_DH_PARAMS_OPT=""
+else
+ OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
+fi
+
+${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
+HAVE_NOT_SSL3=$?
+
+if test $HAVE_NOT_SSL3 = 0;then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
+ HAVE_NOT_SSL3=1
+ kill ${PID}
+ wait
+fi
+
+test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
+
+
+echo "#################################################"
+echo "# Client mode tests (gnutls cli-openssl server) #"
+echo "#################################################"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
+ # It seems debian disabled SSL 3.0 completely on openssl
+
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test SSL 3.0 with RSA ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ # Test SSL 3.0 with DHE-RSA ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with DHE-RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ if test "${NO_DSS}" = 0; then
+ # Test SSL 3.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+ fi
+
+ kill ${PID}
+ wait
+
+ if test "${NO_RC4}" != 1; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-SHA >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking SSL 3.0 with RSA-RC4-SHA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+fi
+
+if test "${NO_NULL}" = 0; then
+ #-cipher RSA-NULL
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.0 with RSA-NULL ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with RSA-NULL..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with RSA ciphersuite
+if test "${NO_3DES}" != 1; then
+ echo "${PREFIX}Checking TLS 1.0 with RSA and 3DES-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+if test "${NO_CAMELLIA}" != 1; then
+ echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+if test "${NO_DSS}" = 0; then
+ # Test TLS 1.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+# Test TLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+# Test TLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.2 with ECDHE-ECDSA ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA (SECP192R1)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-SECP192R1${ADD}" --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#-cipher PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+PID=$!
+wait_server ${PID}
+
+echo "${PREFIX}Checking TLS 1.0 with PSK..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${NO_TLS1_2} = 0; then
+ # Tests requiring openssl 1.0.1 - TLS 1.2
+ #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-GCM..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-GCM..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+ fi
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA..."
+ "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${HAVE_X25519}" = 0; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA (X25519)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --insecure --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ if test "${FIPS_CURVES}" != 1; then
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${FIPS_CURVES}" != 1; then
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi #FIPS_CURVES
+fi #NO_TLS1_2
+
+#-cipher PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+PID=$!
+wait_server ${PID}
+
+echo "${PREFIX}Checking TLS 1.2 with PSK..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.0 with RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.0 with RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.0 with DHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_udp_server ${PID}
+
+ # Test DTLS 1.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking DTLS 1.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+echo "${PREFIX}Checking DTLS 1.2 with AES-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.2 with RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.2 with RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+echo "${PREFIX}Checking DTLS 1.2 with ECDHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+GROUP-ALL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
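Review bot: The TLS 1.2 ECDHE-RSA check near the middle of this file invokes `"${CLI}"` without the `${VALGRIND}` prefix that every other client invocation carries, so that one handshake escapes the memory checker whenever VALGRIND is set; `${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" ...` restores consistency. Two section comments are copy-paste leftovers: the one above the TLS 1.0 ECDHE-RSA check reads "Test TLS 1.0 with DHE-RSA ciphersuite", and the one above the SECP192R1 check reads "Test TLS 1.2 with ECDHE-ECDSA ciphersuite" for what is a TLS 1.0 ECDHE-RSA test. The fallback `OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""` embeds literal quote characters that survive the later unquoted expansion, so on the pre-1.1 OpenSSL builds that take this branch s_server would be handed a file name wrapped in `"`; unless launch_bare_server re-evaluates its arguments (its definition is not visible here), `OPENSSL_DH_PARAMS_OPT="-dhparam ${DH_PARAMS}"` is what is wanted. A one-line header comment stating that every client run passes `--insecure` and therefore exercises ciphersuite interoperability rather than certificate validation would help readers who come to this file for the priority strings.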
diff --git a/tests/suite/testcompat-openssl-cli-compat.sh b/tests/suite/testcompat-openssl-cli-compat.sh
new file mode 100755
index 0000000000..f3513acb55
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-compat.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
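Review bot: The FIPS_CURVES decision is taken by probing the hard-coded `/usr/bin/openssl`, while the common script this wrapper launches runs `${OPENSSL:-openssl}` from PATH, so the curve gating can be derived from a different binary than the one actually exercised; testcompat-openssl-cli-no-etm.sh has the same pattern. Resolving the binary once, e.g. `: ${OPENSSL=openssl}` followed by `command -v "${OPENSSL}" >/dev/null || exit 77` and `"${OPENSSL}" version|grep fips`, and exporting OPENSSL keeps both scripts looking at the same executable. The grep for "fips" in the version banner is a heuristic rather than a capability query; a comment such as `# Heuristic: FIPS-capable builds usually report "fips" in the version banner` would stop a later reader from treating it as authoritative.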
diff --git a/tests/suite/testcompat-openssl-cli-no-etm.sh b/tests/suite/testcompat-openssl-cli-no-etm.sh
new file mode 100755
index 0000000000..aa941d7092
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-no-etm.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl-cli.sh
index 847eded621..3e1b67018e 100755
--- a/tests/suite/testcompat-openssl.sh
+++ b/tests/suite/testcompat-openssl-cli.sh
@@ -56,7 +56,8 @@ export TZ="UTC"
skip_if_no_datefudge
-timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl"
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh"
ret=$?
test $ret = 124 && exit 77
diff --git a/tests/suite/testcompat-openssl-serv-common.sh b/tests/suite/testcompat-openssl-serv-common.sh
new file mode 100755
index 0000000000..ae18358521
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-common.sh
@@ -0,0 +1,567 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+SIGALGS=RSA+SHA1:RSA+SHA256
+
+echo "Compatibility checks using "`${OPENSSL} version`
+${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
+if test $? != 0; then
+ echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
+ exit 77
+fi
+
+. "${srcdir}/testcompat-common"
+
+${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
+HAVE_X25519=$?
+
+test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
+
+${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
+NO_TLS1_2=$?
+
+test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+
+${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+if test $? = 0;then
+ NO_DH_PARAMS=0
+else
+ NO_DH_PARAMS=1
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+NO_DSS=$?
+
+if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+else
+ DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
+ SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
+NO_CAMELLIA=$?
+
+test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
+NO_RC4=$?
+
+test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
+NO_3DES=$?
+
+test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
+NO_NULL=$?
+
+test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+
+${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
+NO_PRIME192v1=$?
+
+test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+
+if test "${NO_DH_PARAMS}" = 0;then
+ OPENSSL_DH_PARAMS_OPT=""
+else
+ OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
+fi
+
+${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
+HAVE_NOT_SSL3=$?
+
+if test $HAVE_NOT_SSL3 = 0;then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
+ HAVE_NOT_SSL3=1
+ kill ${PID}
+ wait
+fi
+
+test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
+
+
+echo "${PREFIX}###############################################"
+echo "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
+echo "${PREFIX}###############################################"
+SERV="${SERV} -q"
+
+# Note that openssl s_client does not return error code on failure
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
+
+ echo "${PREFIX}Check SSL 3.0 with RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+SHA1:+ARCFOUR-128:+3DES-CBC:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ if test "${NO_RC4}" != 1; then
+ echo "${PREFIX}Check SSL 3.0 with RSA-RC4-SHA ciphersuite"
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-SHA </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ fi
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check SSL 3.0 with DHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check SSL 3.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+fi
+
+#TLS 1.0
+
+# This test was disabled because it doesn't work as expected with openssl 1.0.0d
+#echo "${PREFIX}Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+#
+#${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+# fail ${PID} "Failed"
+#
+#kill ${PID}
+#wait
+
+if test "${NO_NULL}" = 0; then
+ echo "${PREFIX}Check TLS 1.0 with RSA-NULL ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -sigalgs "$SIGALGS" -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${NO_TLS1_2} = 0; then
+ # test resumption
+ echo "${PREFIX}Check TLS 1.2 with resumption"
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -reconnect -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-RSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${HAVE_X22519}" = 0; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite (X25519)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher PSK-AES128-SHA
+ ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+fi #NO_TLS1_2
+
+# DTLS
+echo "${PREFIX}Check DTLS 1.0 with RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+echo "${PREFIX}Check DTLS 1.0 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_udp_server ${PID}
+
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check DTLS 1.2 with AES-CBC"
+eval "${GETPORT}"
+launch_server --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check DTLS 1.2 with RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+echo "${PREFIX}Check DTLS 1.2 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check DTLS 1.2 with ECDHE-RSA"
+eval "${GETPORT}"
+launch_server --priority "NONE:+GROUP-ALL:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher ECDHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
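Review bot: The X25519 interop check at `if test "${HAVE_X22519}" = 0; then` tests a misspelled variable; the detection earlier in the file assigns `HAVE_X25519`, so under `sh` the unset name expands to empty, the comparison is never true and the "TLS 1.2 with ECDHE-RSA ciphersuite (X25519)" test never runs. It should read `if test "${HAVE_X25519}" = 0; then`. In both PSK checks (TLS 1.0 and TLS 1.2) the client certificate is passed as `crt_file="${CLI_CERT}"` rather than `-cert "${CLI_CERT}"`, which looks like a typo; since failures are only detected by grepping for `:error:` (s_client does not return an error code, as the comment above the server-mode tests notes), it is worth confirming what s_client does with that stray positional argument. `OPENSSL_DH_PARAMS_OPT` is computed from `NO_DH_PARAMS` but never referenced anywhere in this file.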
diff --git a/tests/suite/testcompat-openssl-serv-compat.sh b/tests/suite/testcompat-openssl-serv-compat.sh
new file mode 100755
index 0000000000..79a2b458e5
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-compat.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
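Review bot: The availability and FIPS probes at `if ! test -x /usr/bin/openssl; then` and `/usr/bin/openssl version|grep fips` hardcode `/usr/bin/openssl`, while the common script this wrapper launches resolves the binary through `: ${OPENSSL=openssl}`, so when `OPENSSL` or `PATH` selects a different build the wrapper skips the test or sets `FIPS_CURVES` based on a binary other than the one actually exercised. Using the same variable here, e.g. `: ${OPENSSL=openssl}` followed by `command -v "${OPENSSL}" >/dev/null || exit 77` and `"${OPENSSL}" version|grep fips >/dev/null 2>&1`, keeps the two consistent. The same pattern appears in testcompat-openssl-serv-no-etm.sh, testcompat-openssl-serv-no-safe-renegotiation.sh and testcompat-openssl-serv-no-tickets.sh in this commit. Separately, `test $ret = 124 && exit 77` reports a run killed by the 1800 s timeout as a skip rather than a failure, which can hide a hung handshake in CI; if that is intentional, a comment saying so would help.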
diff --git a/tests/suite/testcompat-openssl-serv-no-etm.sh b/tests/suite/testcompat-openssl-serv-no-etm.sh
new file mode 100755
index 0000000000..68c540f67f
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-etm.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh b/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh
new file mode 100755
index 0000000000..4e71716c54
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%DISABLE_SAFE_RENEGOTIATION"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv-no-tickets.sh b/tests/suite/testcompat-openssl-serv-no-tickets.sh
new file mode 100755
index 0000000000..137b697b20
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-tickets.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_TICKETS"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
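Review bot: The `test -x /usr/bin/openssl` guard at L3003 and the FIPS probe at L3008 hard-code `/usr/bin/openssl`, while the other scripts added by this commit resolve the binary through `${OPENSSL}` with a PATH default (L3234, L3539); if `testcompat-openssl-serv-common.sh` does the same, this wrapper may skip, or set `FIPS_CURVES`, based on a different `openssl` than the one the tests actually run, and it skips entirely on systems where openssl lives outside `/usr/bin`. Using the same variable keeps the two in step: `: ${OPENSSL=openssl}`, `if ! command -v "${OPENSSL}" >/dev/null 2>&1; then` and `"${OPENSSL}" version | grep fips >/dev/null 2>&1`. The same pattern appears in the hunks ending at L3099 and L3170.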
diff --git a/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh b/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh
new file mode 100755
index 0000000000..dd866af888
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%SAFE_RENEGOTIATION"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv.sh b/tests/suite/testcompat-openssl-serv.sh
new file mode 100755
index 0000000000..788e2abea2
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-tls13-cli.sh b/tests/suite/testcompat-openssl-tls13-cli.sh
new file mode 100755
index 0000000000..e57b59cb13
--- /dev/null
+++ b/tests/suite/testcompat-openssl-tls13-cli.sh
@@ -0,0 +1,299 @@
+#!/bin/bash
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+. "${srcdir}/testcompat-common"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+
+if test -z "$OUTPUT";then
+OUTPUT=/dev/null
+fi
+
+>${OUTPUT}
+
+echo_cmd() {
+ tee -a ${OUTPUT} <<<$(echo $1)
+}
+
+echo_cmd "Compatibility checks using "`${OPENSSL} version`
+
+echo_cmd "#################################################"
+echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
+echo_cmd "#################################################"
+
+OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#AES-128-CCM
+for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+# Try hello retry request
+echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+#test PSK ciphersuites
+# disabled as I do not seem to be able to connect to openssl s_server with PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert
+PID=$!
+wait_server ${PID}
+
+# by default only SHA256 is supported under PSK as PRF, so we cannot try all
+# ciphers; only the ones which use SHA256 PRF.
+for i in AES-128-GCM;do
+# plain PSK with (EC)DHE not supported by openssl
+# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..."
+# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \
+# fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+kill ${PID}
+wait
+
+#test client certificates
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+for i in GROUP-SECP256R1;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with HRR
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -groups 'X25519:P-256' -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1${ADD}" --single-key-share --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with early data
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with early data with small limit
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data -max_early_data 1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'|& tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+grep '^\*\*\* Received alert \[10\]: Unexpected message' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try exporting keying material
+echo_cmd "${PREFIX}Checking TLS 1.3 to export keying material..."
+testdir=`create_testdir tls13-openssl-keymatexport`
+eval "${GETPORT}"
+LOGFILE="${testdir}/server.out"
+launch_bare_server "$OPENSSL" s_server -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -keymatexport label -keymatexportlen 20
+unset LOGFILE
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --keymatexport label --keymatexportsize 20| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^- Key material: ' "${testdir}/client.out" | \
+sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/client.key" || \
+ fail ${PID} "Failed"
+grep '^ Keying material: ' "${testdir}/server.out" | \
+sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/server.key" || \
+ fail ${PID} "Failed"
+diff "${testdir}/client.key" "${testdir}/server.key" || \
+ fail ${PID} "Failed"
+kill ${PID}
+wait
+
+rm -rf "${testdir}"
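Review bot: `testdir` is reassigned by a fresh `create_testdir` call at L3392, L3421, L3437 and L3455, but only the last directory is removed by the `rm -rf "${testdir}"` at L3475, so the earlier three are left behind after every run (and none is removed when `fail` exits early). Either reuse the directory created at L3392 for the later resumption and keymatexport cases or add `rm -rf "${testdir}"` before each reassignment; `create_testdir` is defined outside this hunk, so whether it registers its own cleanup cannot be confirmed here. Separately, the log line at L3436 repeats the L3420 text although it drives the `-max_early_data 1` case, which makes the two failures indistinguishable in `${OUTPUT}`; the server-side counterpart at L3835 already distinguishes them, so use `echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data with small limit..."` here.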
diff --git a/tests/suite/testcompat-openssl-tls13-serv.sh b/tests/suite/testcompat-openssl-tls13-serv.sh
new file mode 100755
index 0000000000..fdabc4e515
--- /dev/null
+++ b/tests/suite/testcompat-openssl-tls13-serv.sh
@@ -0,0 +1,371 @@
+#!/bin/bash
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+. "${srcdir}/testcompat-common"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+
+if test -z "$OUTPUT";then
+OUTPUT=/dev/null
+fi
+
+>${OUTPUT}
+
+echo_cmd() {
+ tee -a ${OUTPUT} <<<$(echo $1)
+}
+
+echo_cmd "Compatibility checks using "`${OPENSSL} version`
+
+echo_cmd "#################################################"
+echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
+echo_cmd "#################################################"
+
+OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
+
+echo_cmd "${PREFIX}###############################################"
+echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
+echo_cmd "${PREFIX}###############################################"
+SERV="${SERV} -q"
+
+# Note that openssl s_client does not return error code on failure
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+#AES-128-CCM
+for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"
+for i in $GROUPS;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
+expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "K\n"} timeout {exit 1}
+expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+if test $? != 0;then
+ fail ${PID} "Failed"
+fi
+
+kill ${PID}
+wait
+
+# client certificates
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "**REAUTH**\n"}
+}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "HELLO\n"}
+}
+
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+if test $? != 0;then
+ fail ${PID} "Failed"
+fi
+
+kill ${PID}
+wait
+
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+# openssl doesn't support PSK
+for i in DHE-PSK;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+# Try resumption
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-hrr.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-hrr.pem" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1 >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
+grep "^Early data was rejected" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+rm -rf "${testdir}"
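Review bot: `GROUPS` at L3588 is a bash dynamic variable holding the current user's group IDs, and bash documents that assignments to it have no effect unless it is first `unset`, so under the `#!/bin/bash` shebang at L3482 the loop at L3589 most likely iterates over numeric group IDs rather than the intended `GROUP-*` names; renaming it, e.g. `TLS_GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"` and `for i in $TLS_GROUPS;do`, avoids the clash (the client-side script in this commit inlines the list at L3273 and is unaffected). Also, the banner at L3559–L3561 expands `${PREFIX}` before the `ADD`/`PREFIX` block at L3566–L3570 assigns it, so the variant prefix never appears in the banner; move that block above L3559. The banner at L3553–L3555 still announces client mode tests in a server-mode script and looks like a leftover from the split.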
diff --git a/tests/suite/testcompat-polarssl-serv-common.sh b/tests/suite/testcompat-polarssl-serv-common.sh
new file mode 100755
index 0000000000..f16882b22d
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-common.sh
@@ -0,0 +1,432 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+LOGFILE=polarssl.log
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+
+TXT=`"${CLI}" --priority NORMAL --list|grep SECP224`
+if test -z "${TXT}"; then
+ ALL_CURVES=0
+else
+ ALL_CURVES=1
+fi
+
+
+echo "Compatibility checks using polarssl"
+
+for POLARSSL_CLI in \
+ /usr/bin/polarssl_ssl_client2 \
+ /usr/bin/mbedtls_ssl_client2 \
+ /usr/libexec/mbedtls/ssl_client2 \
+ ""; do
+ test -x "${POLARSSL_CLI}" && break
+done
+
+if test -z "${POLARSSL_CLI}"; then
+ echo "PolarSSL is required for this test to run"
+ exit 77
+fi
+
+"${POLARSSL_CLI}" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL 1.3.x is required for the tests to run"
+ exit 77
+fi
+
+
+. "${srcdir}/testcompat-common"
+
+echo ""
+echo "##################################################"
+echo "# Server mode tests (gnutls server-polarssl cli) #"
+echo "##################################################"
+SERV="../../src/gnutls-serv${EXEEXT} -q"
+
+rm -f "${LOGFILE}"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+eval "${GETPORT}"
+
+#TLS 1.0
+
+echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+
+#"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+# fail ${PID} "Failed"
+
+#kill ${PID}
+#wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with DHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with RSA-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher RSA-PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${ALL_CURVES} = 1; then
+ eval "${GETPORT}"
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+#
+#"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+# fail ${PID} "Failed"
+#
+#kill ${PID}
+#wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${ALL_CURVES} = 1; then
+ eval "${GETPORT}"
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with DHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with RSA-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher RSA-PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
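Review bot: `LOGFILE=polarssl.log` near the top of this script is a fixed name in the working directory that the script first `rm -f`s and then appends to with `>>` from every client run; since testcompat-polarssl-serv.sh, -compat.sh and -no-etm.sh all exec this same script, a parallel test run (which this merge appears to be enabling) would have three instances deleting and interleaving the same log, so the output of a failing run can be lost. Consider deriving the name from the priority suffix, e.g. `LOGFILE=polarssl$(echo "${1}" | sed 's/[^A-Za-z0-9]//g').log`, or creating it with mktemp and removing it from a trap. Separately, the literal `psk=9e32cf7786321a828ef7668f09fb35db` repeated in each PSK check is presumably the key stored for identity `jas` in `${SERV_PSK}`; a one-line comment at the first use, `# must match the entry for identity "jas" in ${SERV_PSK}`, would keep the two from silently drifting apart.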
diff --git a/tests/suite/testcompat-polarssl-serv-compat.sh b/tests/suite/testcompat-polarssl-serv-compat.sh
new file mode 100755
index 0000000000..841c3c61ce
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-compat.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+export TZ="UTC"
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL is broken on VIA processors"
+ exit 77
+fi
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
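Review bot: The VIA check `cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1` followed by `test $? = 0` is a useless use of cat plus a re-test of `$?`; `if grep "model name" /proc/cpuinfo 2>/dev/null | grep -q "VIA Esther"; then` expresses the same skip in one readable conditional. The whole preamble is repeated verbatim in testcompat-polarssl-serv-no-etm.sh (the next file in this diff), differing only in the `":%NO_ETM"` argument, so a single wrapper taking the priority suffix as its argument, or a sourced helper for the FIPS/datefudge/VIA skips, would keep the skip logic from diverging between the two. If `timeout` is not installed the script exits 127 instead of skipping with 77 like the other preconditions do; a `command -v timeout >/dev/null || exit 77` before the datefudge line would make that explicit, unless the build already guarantees its presence.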
diff --git a/tests/suite/testcompat-polarssl-serv-no-etm.sh b/tests/suite/testcompat-polarssl-serv-no-etm.sh
new file mode 100755
index 0000000000..d64dbaad28
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-no-etm.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+export TZ="UTC"
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL is broken on VIA processors"
+ exit 77
+fi
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl-serv.sh
index 7a9f67c27c..f4ed2ba6d1 100755
--- a/tests/suite/testcompat-polarssl.sh
+++ b/tests/suite/testcompat-polarssl-serv.sh
@@ -50,7 +50,8 @@ if test $? = 0; then
exit 77
fi
-timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-polarssl"
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh"
ret=$?
test $ret = 124 && exit 77
diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh
deleted file mode 100755
index 7abbb5d7bc..0000000000
--- a/tests/suite/testcompat-tls13-openssl.sh
+++ /dev/null
@@ -1,608 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2010-2016, Free Software Foundation, Inc.
-# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${SERV=../../src/gnutls-serv${EXEEXT}}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-skip_if_no_datefudge
-
-. "${srcdir}/testcompat-common"
-
-: ${PORT=${RPORT}}
-
-: ${OPENSSL=openssl}
-
-if test -z "$OUTPUT";then
-OUTPUT=/dev/null
-fi
-
->${OUTPUT}
-
-echo_cmd() {
- tee -a ${OUTPUT} <<<$(echo $1)
-}
-
-echo_cmd "Compatibility checks using "`${OPENSSL} version`
-
-echo_cmd "#################################################"
-echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
-echo_cmd "#################################################"
-
-OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
-
-run_client_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #AES-128-CCM
- for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- # Try hello retry request
- echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- #test PSK ciphersuites
- # disabled as I do not seem to be able to connect to openssl s_server with PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert
- PID=$!
- wait_server ${PID}
-
-# by default only SHA256 is supported under PSK as PRF, so we cannot try all
-# ciphers; only the ones which use SHA256 PRF.
- for i in AES-128-GCM;do
-# plain PSK with (EC)DHE not supported by openssl
-# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..."
-# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \
-# fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- kill ${PID}
- wait
-
- #test client certificates
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- for i in GROUP-SECP256R1;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with HRR
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -groups 'X25519:P-256' -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1${ADD}" --single-key-share --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with early data
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with early data with small limit
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data -max_early_data 1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'|& tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
- grep '^\*\*\* Received alert \[10\]: Unexpected message' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try exporting keying material
- echo_cmd "${PREFIX}Checking TLS 1.3 to export keying material..."
- testdir=`create_testdir tls13-openssl-keymatexport`
- eval "${GETPORT}"
- LOGFILE="${testdir}/server.out"
- launch_bare_server "$OPENSSL" s_server -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -keymatexport label -keymatexportlen 20
- unset LOGFILE
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --keymatexport label --keymatexportsize 20| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^- Key material: ' "${testdir}/client.out" | \
- sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/client.key" || \
- fail ${PID} "Failed"
- grep '^ Keying material: ' "${testdir}/server.out" | \
- sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/server.key" || \
- fail ${PID} "Failed"
- diff "${testdir}/client.key" "${testdir}/server.key" || \
- fail ${PID} "Failed"
- kill ${PID}
- wait
-
- rm -rf "${testdir}"
-
-}
-
-run_client_suite
-
-echo_cmd "${PREFIX}Client mode tests were successfully completed"
-echo_cmd "${PREFIX}"
-echo_cmd "${PREFIX}###############################################"
-echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
-echo_cmd "${PREFIX}###############################################"
-SERV="${SERV} -q"
-
-# Note that openssl s_client does not return error code on failure
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- #AES-128-CCM
- for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"
- for i in $GROUPS;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
- eval "${GETPORT}"
- launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
- expect - >/dev/null <<_EOF_
-set timeout 10
-set os_error_flag 1
-spawn ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
-
-expect "SSL-Session" {send "K\n"} timeout {exit 1}
-expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
-expect "HELLO" {close} timeout {exit 1}
-
-lassign [wait] pid spawnid os_error_flag value
-if {\$os_error_flag == 0} {
- exit $value
-} else {
- exit 1
-}
-_EOF_
- if test $? != 0;then
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- # client certificates
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
-
- eval "${GETPORT}"
- launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- expect - >/dev/null <<_EOF_
-set timeout 10
-set os_error_flag 1
-spawn ${OPENSSL} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
-
-expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
-expect {
- timeout {exit 1}
- "error*" {exit 1}
- "Successfully executed command" {send "**REAUTH**\n"}
-}
-expect {
- timeout {exit 1}
- "error*" {exit 1}
- "Successfully executed command" {send "HELLO\n"}
-}
-
-expect "HELLO" {close} timeout {exit 1}
-
-lassign [wait] pid spawnid os_error_flag value
-if {\$os_error_flag == 0} {
- exit $value
-} else {
- exit 1
-}
-_EOF_
- if test $? != 0;then
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- # openssl doesn't support PSK
- for i in DHE-PSK;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- # Try resumption
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-hrr.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-hrr.pem" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1 >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
- grep "^Early data was rejected" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- rm -rf "${testdir}"
-
-}
-
-run_server_suite
-
-exit 0