Add ECC extensions test in ssl-opts.sh
Add test to verify if an ecc based extension exists
or not if an ecc based ciphersuite is used or not.
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a8adf9b..bedbde1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -3739,106 +3739,39 @@
-c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
-# Tests for DTLS HelloVerifyRequest
+# Tests for ECC extensions (rfc 4492)
-run_test "DTLS cookie: enabled" \
- "$P_SRV dtls=1 debug_level=2" \
- "$P_CLI dtls=1 debug_level=2" \
+run_test "Force a non ECC ciphersuite in the client side" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
+ -C "client hello, adding supported_elliptic_curves extension" \
+ -C "client hello, adding supported_point_formats extension" \
+ -S "found supported elliptic curves extension" \
+ -S "found supported point formats extension"
-run_test "DTLS cookie: disabled" \
- "$P_SRV dtls=1 debug_level=2 cookies=0" \
- "$P_CLI dtls=1 debug_level=2" \
+run_test "Force a non ECC ciphersuite in the server side" \
+ "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ "$P_CLI debug_level=3" \
0 \
- -S "cookie verification failed" \
- -S "cookie verification passed" \
- -s "cookie verification skipped" \
- -C "received hello verify request" \
- -S "hello verification requested" \
- -S "SSL - The requested feature is not available"
+ -C "found supported_point_formats extension" \
+ -S "server hello, supported_point_formats extension"
-run_test "DTLS cookie: default (failing)" \
- "$P_SRV dtls=1 debug_level=2 cookies=-1" \
- "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
- 1 \
- -s "cookie verification failed" \
- -S "cookie verification passed" \
- -S "cookie verification skipped" \
- -C "received hello verify request" \
- -S "hello verification requested" \
- -s "SSL - The requested feature is not available"
-
-requires_ipv6
-run_test "DTLS cookie: enabled, IPv6" \
- "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
- "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
+run_test "Force an ECC ciphersuite in the client side" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
+ -c "client hello, adding supported_elliptic_curves extension" \
+ -c "client hello, adding supported_point_formats extension" \
+ -s "found supported elliptic curves extension" \
+ -s "found supported point formats extension"
-run_test "DTLS cookie: enabled, nbio" \
- "$P_SRV dtls=1 nbio=2 debug_level=2" \
- "$P_CLI dtls=1 nbio=2 debug_level=2" \
+run_test "Force an ECC ciphersuite in the server side" \
+ "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+ "$P_CLI debug_level=3" \
0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
-
-# Tests for client reconnecting from the same port with DTLS
-
-not_with_valgrind # spurious resend
-run_test "DTLS client reconnect from same port: reference" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
- 0 \
- -C "resend" \
- -S "The operation timed out" \
- -S "Client initiated reconnection from same port"
-
-not_with_valgrind # spurious resend
-run_test "DTLS client reconnect from same port: reconnect" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
- 0 \
- -C "resend" \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
-run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
- 0 \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
-run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
- 0 \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-run_test "DTLS client reconnect from same port: no cookies" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
- 0 \
- -s "The operation timed out" \
- -S "Client initiated reconnection from same port"
+ -c "found supported_point_formats extension" \
+ -s "server hello, supported_point_formats extension"
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)