#!/bin/sh # Copyright (c) 2010-2016, Free Software Foundation, Inc. # Copyright (c) 2012-2016, Nikos Mavrogiannopoulos # All rights reserved. # # Author: Nikos Mavrogiannopoulos # # This file is part of GnuTLS. # # Redistribution and use in source and binary forms, with or without modification, # are permitted provided that the following conditions are met: # # 1. Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation and/or # other materials provided with the distribution. # 3. Neither the name of the copyright holder nor the names of its contributors may # be used to endorse or promote products derived from this software without specific # prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT # SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. srcdir="${srcdir:-.}" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE if ! test -x "${CLI}"; then exit 77 fi if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi if test "${WINDIR}" != ""; then exit 77 fi . "${srcdir}/../scripts/common.sh" PORT="${PORT:-${RPORT}}" SERV=openssl OPENSSL_CLI="$SERV" echo "Compatibility checks using "`${SERV} version` ${SERV} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1 SV=$? if test ${SV} != 0; then echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests" exit 77 fi ${SERV} ecparam -list_curves|grep X25519 >/dev/null 2>&1 NO_X25519=$? ${SERV} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1 NO_TLS1_2=$? ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1 NO_DH_PARAMS=$? ${SERV} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1 HAVE_SSL3=$? ${SERV} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1 NO_CAMELLIA=$? ${SERV} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1 NO_3DES=$? ${SERV} ciphers -v ALL 2>&1|grep -e DSS >/dev/null 2>&1 NO_DSS=$? ${SERV} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1 NO_NULL=$? . "${srcdir}/testcompat-common" if test "${NO_DH_PARAMS}" = 0;then OPENSSL_DH_PARAMS_OPT="" else OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\"" fi echo "#################################################" echo "# Client mode tests (gnutls cli-openssl server) #" echo "#################################################" run_client_suite() { ADD=$1 PREFIX="" if ! test -z "${ADD}"; then PREFIX="$(echo $ADD|sed 's/://g'): " fi if test "${HAVE_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then # It seems debian disabled SSL 3.0 completely on openssl eval "${GETPORT}" launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} # Test SSL 3.0 with RSA ciphersuite echo "${PREFIX}Checking SSL 3.0 with RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" # Test SSL 3.0 with DHE-RSA ciphersuite echo "${PREFIX}Checking SSL 3.0 with DHE-RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" # Test SSL 3.0 with DHE-DSS ciphersuite echo "${PREFIX}Checking SSL 3.0 with DHE-DSS..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 PID=$! wait_server ${PID} echo "${PREFIX}Checking SSL 3.0 with RSA-RC4-MD5..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi if test "${NO_NULL}" = 0; then #-cipher RSA-NULL eval "${GETPORT}" launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} # Test TLS 1.0 with RSA-NULL ciphersuite echo "${PREFIX}Checking TLS 1.0 with RSA-NULL..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} # Test TLS 1.0 with RSA ciphersuite if test "${NO_3DES}" != 1; then echo "${PREFIX}Checking TLS 1.0 with RSA and 3DES-CBC..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" fi echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" if test "${NO_CAMELLIA}" != 1; then echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" fi if test "${NO_DSS}" != 1; then # Test TLS 1.0 with DHE-DSS ciphersuite echo "${PREFIX}Checking TLS 1.0 with DHE-DSS..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" fi # Test TLS 1.0 with DHE-RSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" # Test TLS 1.0 with DHE-RSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait if test "${FIPS}" != 1; then eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} # Test TLS 1.2 with ECDHE-ECDSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA (SECP192R1)..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-SECP192R1${ADD}" --insecure /dev/null || \ fail ${PID} "Failed" kill ${PID} wait #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} # Test TLS 1.0 with ECDHE-ECDSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} # Test TLS 1.0 with ECDHE-ECDSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} # Test TLS 1.0 with ECDHE-ECDSA ciphersuite echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait #-cipher PSK eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.0 with PSK..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure /dev/null || \ fail ${PID} "Failed" kill ${PID} wait if test ${NO_TLS1_2} = 0; then # Tests requiring openssl 1.0.1 - TLS 1.2 #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-GCM..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-GCM..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" if test "${NO_DSS}" != 1; then echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" fi echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA..." "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait if test "${NO_X25519}" = 0 && test "${FIPS}" != 1; then eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve X25519 -CAfile "${CA_CERT}" PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA (X25519)..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --insecure --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi if test "${FIPS}" != 1; then #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)" ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)" ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait if test "${FIPS}" != 1; then #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi #FIPS fi #NO_TLS1_2 #-cipher PSK eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db PID=$! wait_server ${PID} echo "${PREFIX}Checking TLS 1.2 with PSK..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ fail ${PID} "Failed" kill ${PID} wait eval "${GETPORT}" launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_udp_server ${PID} # Test DTLS 1.0 with RSA ciphersuite echo "${PREFIX}Checking DTLS 1.0 with RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait eval "${GETPORT}" launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_udp_server ${PID} # Test DTLS 1.0 with DHE-RSA ciphersuite echo "${PREFIX}Checking DTLS 1.0 with DHE-RSA..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait if test "${NO_DSS}" != 1; then eval "${GETPORT}" launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" PID=$! wait_udp_server ${PID} # Test DTLS 1.0 with DHE-DSS ciphersuite echo "${PREFIX}Checking DTLS 1.0 with DHE-DSS..." ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" kill ${PID} wait fi } WAITPID="" for mod in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" run_client_suite $mod & WAITPID="$WAITPID $!" done for i in "$WAITPID";do wait $i test $? != 0 && exit 1 done echo "${PREFIX}Client mode tests were successfully completed" echo "${PREFIX}" echo "${PREFIX}###############################################" echo "${PREFIX}# Server mode tests (gnutls server-openssl cli#" echo "${PREFIX}###############################################" SERV="../../src/gnutls-serv${EXEEXT} -q" # Note that openssl s_client does not return error code on failure run_server_suite() { ADD=$1 PREFIX="" if ! test -z "${ADD}"; then PREFIX="$(echo $ADD|sed 's/://g'): " fi if test "${HAVE_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then echo "${PREFIX}Check SSL 3.0 with RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" echo "${PREFIX}Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-MD5 &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check SSL 3.0 with DHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check SSL 3.0 with DHE-DSS ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi #TLS 1.0 # This test was disabled because it doesn't work as expected with openssl 1.0.0d #echo "${PREFIX}Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)" #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" #PID=$! #wait_server ${PID} # #${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ # fail ${PID} "Failed" # #kill ${PID} #wait if test "${NO_NULL}" = 0; then echo "${PREFIX}Check TLS 1.0 with RSA-NULL ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${NO_DSS}" != 1; then echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-RSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${FIPS}" != 1; then echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${FIPS}" != 1; then echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" PID=$! wait_server ${PID} #-cipher PSK-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ fail ${PID} "Failed" kill ${PID} wait if test ${NO_TLS1_2} = 0; then echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${NO_DSS}" != 1; then echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-RSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${NO_X22519}" = 0 && test "${FIPS}" != 1; then echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite (X25519)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" PID=$! wait_server ${PID} ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi if test "${FIPS}" != 1; then echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait if test "${FIPS}" != 1; then echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" PID=$! wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait fi echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" PID=$! wait_server ${PID} #-cipher PSK-AES128-SHA ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ fail ${PID} "Failed" kill ${PID} wait fi #NO_TLS1_2 # DTLS echo "${PREFIX}Check DTLS 1.0 with RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_udp_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check DTLS 1.0 with DHE-RSA ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" PID=$! wait_udp_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite" eval "${GETPORT}" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" PID=$! wait_udp_server ${PID} ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} wait } WAITPID="" for mod in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"; do run_server_suite $mod & WAITPID="$WAITPID $!" done for i in "$WAITPID";do wait $i test $? != 0 && exit 1 done exit 0