GnuTLS in compat.sh: server-side
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ff6a2a9..5f031e2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1050,6 +1050,9 @@
         char error_buf[100];
         polarssl_strerror( ret, error_buf, 100 );
         printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
+
+        if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
+            ret = 0;
     }
 #endif
 
diff --git a/tests/compat.sh b/tests/compat.sh
index 1107b71..286eec4 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -90,11 +90,25 @@
   echo "$NEW_LIST" | sed -e 's/[[:space:]]\+/ /g' -e 's/^ //' -e 's/ $//'
 }
 
-setup_ciphersuites()
+filter_ciphersuites()
+{
+    if [ "X" != "X$FILTER" ];
+    then
+        P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
+        O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
+        G_CIPHERS=$( filter "$G_CIPHERS" "$FILTER" )
+    fi
+}
+
+reset_ciphersuites()
 {
     P_CIPHERS=""
     O_CIPHERS=""
+    G_CIPHERS=""
+}
 
+add_openssl_ciphersuites()
+{
     case $TYPE in
 
         "ECDSA")
@@ -254,54 +268,31 @@
                 "
             ;;
     esac
-
-    # Filter ciphersuites
-    if [ "X" != "X$FILTER" ];
-    then
-        O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
-        P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
-    fi
-
 }
 
-add_polarssl_ciphersuites()
+add_gnutls_ciphersuites()
 {
-    ADD_CIPHERS=""
-
+    # TODO: add to G_CIPHERS too
     case $TYPE in
 
         "ECDSA")
-            if [ "$MODE" != "ssl3" ];
-            then
-                ADD_CIPHERS="$ADD_CIPHERS                           \
-                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256    \
-                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
-                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
-                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
-                    "
-            fi
             if [ "$MODE" = "tls1_2" ];
             then
-                ADD_CIPHERS="$ADD_CIPHERS                           \
+                P_CIPHERS="$P_CIPHERS                               \
+                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256    \
+                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
                     TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256    \
                     TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384    \
-                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
-                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
                     "
             fi
             ;;
 
         "RSA")
-            if [ "$MODE" != "ssl3" ];
-            then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
-                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
-                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
-                    "
-            fi
             if [ "$MODE" = "tls1_2" ];
             then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                P_CIPHERS="$P_CIPHERS                           \
+                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
+                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
                     TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256        \
                     TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256        \
                     TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256    \
@@ -317,57 +308,50 @@
             ;;
 
         "PSK")
-            ADD_CIPHERS="$ADD_CIPHERS                    \
-                TLS-DHE-PSK-WITH-RC4-128-SHA             \
-                TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA        \
-                TLS-DHE-PSK-WITH-AES-128-CBC-SHA         \
-                TLS-DHE-PSK-WITH-AES-256-CBC-SHA         \
-                TLS-DHE-PSK-WITH-NULL-SHA                \
-                TLS-PSK-WITH-NULL-SHA                    \
-                TLS-RSA-PSK-WITH-RC4-128-SHA             \
-                TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA        \
-                TLS-RSA-PSK-WITH-AES-256-CBC-SHA         \
-                TLS-RSA-PSK-WITH-AES-128-CBC-SHA         \
-                TLS-RSA-WITH-NULL-SHA                    \
-                TLS-RSA-WITH-NULL-MD5                    \
-                TLS-PSK-WITH-AES-128-CBC-SHA256          \
-                TLS-PSK-WITH-AES-256-CBC-SHA384          \
-                TLS-DHE-PSK-WITH-AES-128-CBC-SHA256      \
-                TLS-DHE-PSK-WITH-AES-256-CBC-SHA384      \
-                TLS-PSK-WITH-NULL-SHA256                 \
-                TLS-PSK-WITH-NULL-SHA384                 \
-                TLS-DHE-PSK-WITH-NULL-SHA256             \
-                TLS-DHE-PSK-WITH-NULL-SHA384             \
-                TLS-RSA-PSK-WITH-AES-256-CBC-SHA384      \
-                TLS-RSA-PSK-WITH-AES-128-CBC-SHA256      \
-                TLS-RSA-PSK-WITH-NULL-SHA256             \
-                TLS-RSA-PSK-WITH-NULL-SHA384             \
-                TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
-                TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
-                TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256     \
-                TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384     \
-                TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
-                TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
-                "
+            # GnuTLS 3.2.11 (2014-02-13) requires TLS 1.x for most *PSK suites
             if [ "$MODE" != "ssl3" ];
             then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                P_CIPHERS="$P_CIPHERS                           \
                     TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA          \
                     TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA          \
                     TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA         \
-                    TLS-ECDHE-PSK-WITH-RC4-128-SHA              \
-                    TLS-ECDHE-PSK-WITH-NULL-SHA                 \
+                    TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA           \
+                    TLS-DHE-PSK-WITH-AES-128-CBC-SHA            \
+                    TLS-DHE-PSK-WITH-AES-256-CBC-SHA            \
+                    TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA           \
+                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA            \
+                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA            \
+                    TLS-RSA-WITH-NULL-SHA                       \
+                    TLS-RSA-WITH-NULL-MD5                       \
+                    "
+            fi
+            if [ "$MODE" = "tls1_2" ];
+            then
+                P_CIPHERS="$P_CIPHERS                           \
                     TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384       \
                     TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384  \
                     TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256       \
                     TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256  \
                     TLS-ECDHE-PSK-WITH-NULL-SHA384              \
                     TLS-ECDHE-PSK-WITH-NULL-SHA256              \
-                    "
-            fi
-            if [ "$MODE" = "tls1_2" ];
-            then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                    TLS-PSK-WITH-AES-128-CBC-SHA256             \
+                    TLS-PSK-WITH-AES-256-CBC-SHA384             \
+                    TLS-DHE-PSK-WITH-AES-128-CBC-SHA256         \
+                    TLS-DHE-PSK-WITH-AES-256-CBC-SHA384         \
+                    TLS-PSK-WITH-NULL-SHA256                    \
+                    TLS-PSK-WITH-NULL-SHA384                    \
+                    TLS-DHE-PSK-WITH-NULL-SHA256                \
+                    TLS-DHE-PSK-WITH-NULL-SHA384                \
+                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA384         \
+                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA256         \
+                    TLS-RSA-PSK-WITH-NULL-SHA256                \
+                    TLS-RSA-PSK-WITH-NULL-SHA384                \
+                    TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
+                    TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
+                    TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256        \
+                    TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384        \
+                    TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
+                    TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
                     TLS-PSK-WITH-AES-128-GCM-SHA256             \
                     TLS-PSK-WITH-AES-256-GCM-SHA384             \
                     TLS-DHE-PSK-WITH-AES-128-GCM-SHA256         \
@@ -385,24 +369,64 @@
             fi
             ;;
     esac
+}
 
-    # Filter new ciphersuites and add them
-    if [ "X" != "X$FILTER" ]; then
-        ADD_CIPHERS=$( filter "$ADD_CIPHERS" "$FILTER" )
-    fi
-    # avoid P_CIPHERS being only ' '
-    if [ "X" != "X$P_CIPHERS" ]; then
-        P_CIPHERS="$P_CIPHERS $ADD_CIPHERS"
-    else
-        P_CIPHERS="$ADD_CIPHERS"
-    fi
+add_polarssl_ciphersuites()
+{
+    case $TYPE in
+
+        "ECDSA")
+            if [ "$MODE" != "ssl3" ];
+            then
+                P_CIPHERS="$P_CIPHERS                               \
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
+                    "
+            fi
+            if [ "$MODE" = "tls1_2" ];
+            then
+                P_CIPHERS="$P_CIPHERS                               \
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
+                    "
+            fi
+            ;;
+
+        "RSA")
+            ;;
+
+        "PSK")
+            P_CIPHERS="$P_CIPHERS                        \
+                TLS-PSK-WITH-NULL-SHA                    \
+                TLS-DHE-PSK-WITH-RC4-128-SHA             \
+                TLS-DHE-PSK-WITH-NULL-SHA                \
+                TLS-RSA-PSK-WITH-RC4-128-SHA             \
+                "
+            if [ "$MODE" != "ssl3" ];
+            then
+                P_CIPHERS="$P_CIPHERS                    \
+                    TLS-ECDHE-PSK-WITH-RC4-128-SHA       \
+                    TLS-ECDHE-PSK-WITH-NULL-SHA          \
+                    "
+            fi
+            ;;
+    esac
 }
 
 setup_arguments()
 {
-    # avoid an avalanche of errors due to typos
     case $MODE in
-        ssl3|tls1|tls1_1|tls1_2)
+        "ssl3")
+            G_PRIO_MODE="+VERS-SSL3.0"
+            ;;
+        "tls1")
+            G_PRIO_MODE="+VERS-TLS1.0"
+            ;;
+        "tls1_1")
+            G_PRIO_MODE="+VERS-TLS1.1"
+            ;;
+        "tls1_2")
+            G_PRIO_MODE="+VERS-TLS1.2"
             ;;
         *)
             echo "error: invalid mode: $MODE" >&2
@@ -410,20 +434,26 @@
     esac
 
     P_SERVER_ARGS="server_addr=0.0.0.0 force_version=$MODE"
-    P_CLIENT_ARGS="server_name=localhost force_version=$MODE"
-    O_SERVER_ARGS="-www -quiet -cipher NULL,ALL -$MODE"
+    O_SERVER_ARGS="-www -cipher NULL,ALL -$MODE"
+    G_SERVER_ARGS="-p 4433 --http"
+    G_PRIO_BASE="EXPORT:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL"
+
+    P_CLIENT_ARGS="force_version=$MODE"
     O_CLIENT_ARGS="-$MODE"
 
     if [ "X$VERIFY" = "XYES" ];
     then
         P_SERVER_ARGS="$P_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
-        P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
         O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
+        G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
+
+        P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
         O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
     else
-        # ssl_server2 defaults to optional, but we want to test handshakes
-        # that don't exchange client certificate at all too
+        # don't request a client cert at all
         P_SERVER_ARGS="$P_SERVER_ARGS ca_file=none auth_mode=none"
+        G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
+
         # give dummy CA to clients
         P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/cli2.crt"
         O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/cli2.crt"
@@ -433,6 +463,8 @@
         "ECDSA")
             P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
             O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
+            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+
             if [ "X$VERIFY" = "XYES" ]; then
                 P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
                 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
@@ -444,6 +476,8 @@
         "RSA")
             P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
             O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
+            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
+
             if [ "X$VERIFY" = "XYES" ]; then
                 P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
                 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
@@ -453,11 +487,13 @@
             ;;
 
         "PSK")
-            # give our server a certificate for RSA-PSK
+            # give RSA-PSK-capable server a RSA cert
             # (should be a separate type, but harder to close with openssl)
             P_SERVER_ARGS="$P_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
-            P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
             O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
+            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
+
+            P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
             O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
             ;;
     esac
@@ -486,6 +522,9 @@
         [Oo]pen*)
             SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
             ;;
+        [Gg]nu*)
+            SERVER_CMD="gnutls-serv $G_SERVER_ARGS --priority $G_PRIO_BASE:$G_PRIO_MODE"
+            ;;
         [Pp]olar*)
             SERVER_CMD="$P_SRV $P_SERVER_ARGS"
             if [ "$MEMCHECK" -gt 0 ]; then
@@ -642,7 +681,7 @@
 
 get_options "$@"
 
-killall -q openssl ssl_server ssl_server2
+killall -q gnutls-serv openssl ssl_server ssl_server2
 trap cleanup INT TERM HUP
 
 for VERIFY in $VERIFIES; do
@@ -650,7 +689,10 @@
         for TYPE in $TYPES; do
 
             setup_arguments
-            setup_ciphersuites
+
+            reset_ciphersuites
+            add_openssl_ciphersuites
+            filter_ciphersuites
 
             if [ "X" != "X$P_CIPHERS" ]; then
                 start_server "OpenSSL"
@@ -668,7 +710,31 @@
                 stop_server
             fi
 
+            reset_ciphersuites
+            add_gnutls_ciphersuites
+            filter_ciphersuites
+
+            if [ "X" != "X$P_CIPHERS" ]; then
+                start_server "GnuTLS"
+                for i in $P_CIPHERS; do
+                    run_client PolarSSL $i
+                done
+                stop_server
+            fi
+
+            if [ "X" != "X$G_CIPHERS" ]; then
+                start_server "PolarSSL"
+                for i in $G_CIPHERS; do
+                    run_client GnuTLS $i
+                done
+                stop_server
+            fi
+
+            reset_ciphersuites
+            add_openssl_ciphersuites
+            add_gnutls_ciphersuites
             add_polarssl_ciphersuites
+            filter_ciphersuites
 
             if [ "X" != "X$P_CIPHERS" ]; then
                 start_server "PolarSSL"
diff --git a/tests/data_files/passwd.psk b/tests/data_files/passwd.psk
new file mode 100644
index 0000000..17fee37
--- /dev/null
+++ b/tests/data_files/passwd.psk
@@ -0,0 +1 @@
+Client_identity:6162636465666768696a6b6c6d6e6f70