Merge pull request #5817 from xkqian/tls13_add_server_name
Tls13 add server name
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 9912d6c..b1f0c90 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2270,4 +2270,14 @@
int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
const unsigned char *end, size_t *out_len );
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end );
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
+ mbedtls_pk_context *own_key,
+ uint16_t *algorithm );
+
#endif /* ssl_misc.h */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5331865..8332461 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8210,4 +8210,79 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/*
+ * mbedtls_ssl_parse_server_name_ext
+ *
+ * Structure of server_name extension:
+ *
+ * enum {
+ * host_name(0), (255)
+ * } NameType;
+ * opaque HostName<1..2^16-1>;
+ *
+ * struct {
+ * NameType name_type;
+ * select (name_type) {
+ * case host_name: HostName;
+ * } name;
+ * } ServerName;
+ * struct {
+ * ServerName server_name_list<1..2^16-1>
+ * } ServerNameList;
+ */
+int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ size_t server_name_list_len, hostname_len;
+ const unsigned char *server_name_list_end;
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ server_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, server_name_list_len );
+ server_name_list_end = p + server_name_list_len;
+ while( p < server_name_list_end )
+ {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, server_name_list_end, 3 );
+ hostname_len = MBEDTLS_GET_UINT16_BE( p, 1 );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, server_name_list_end,
+ hostname_len + 3 );
+
+ if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
+ {
+ /* sni_name is intended to be used only during the parsing of the
+ * ClientHello message (it is reset to NULL before the end of
+ * the message parsing). Thus it is ok to just point to the
+ * reception buffer and not make a copy of it.
+ */
+ ssl->handshake->sni_name = p + 3;
+ ssl->handshake->sni_name_len = hostname_len;
+ if( ssl->conf->f_sni == NULL )
+ return( 0 );
+ ret = ssl->conf->f_sni( ssl->conf->p_sni,
+ ssl, p + 3, hostname_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
+ MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
+ return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
+ }
+ return( 0 );
+ }
+
+ p += hostname_len + 3;
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1c9e5cd..e92014c 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -77,80 +77,6 @@
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t servername_list_size, hostname_len;
- const unsigned char *p;
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
-
- if( len < 2 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
- servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
- if( servername_list_size + 2 != len )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- p = buf + 2;
- while( servername_list_size > 2 )
- {
- hostname_len = ( ( p[1] << 8 ) | p[2] );
- if( hostname_len + 3 > servername_list_size )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
- {
- ssl->handshake->sni_name = p + 3;
- ssl->handshake->sni_name_len = hostname_len;
- if( ssl->conf->f_sni == NULL )
- return( 0 );
-
- ret = ssl->conf->f_sni( ssl->conf->p_sni,
- ssl, p + 3, hostname_len );
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
- return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
- }
- return( 0 );
- }
-
- servername_list_size -= hostname_len + 3;
- p += hostname_len + 3;
- }
-
- if( servername_list_size != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- return( 0 );
-}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
{
@@ -1483,7 +1409,8 @@
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
case MBEDTLS_TLS_EXT_SERVERNAME:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
- ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
+ ret = mbedtls_ssl_parse_server_name_ext( ssl, ext + 4,
+ ext + 4 + ext_size );
if( ret != 0 )
return( ret );
break;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index e9250fc..b498fd4 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1687,7 +1687,7 @@
}
else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
ret = 0;
}
else
@@ -1793,7 +1793,7 @@
}
else
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
}
#endif
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 3b49ec5..f508bca 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -548,7 +548,14 @@
* from the configuration. */
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
- authmode = ssl->conf->authmode;
+ {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+ authmode = ssl->handshake->sni_authmode;
+ else
+#endif
+ authmode = ssl->conf->authmode;
+ }
#endif
/*
@@ -847,9 +854,9 @@
/*
* STATE HANDLING: Output Certificate Verify
*/
-static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm )
+int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
+ mbedtls_pk_context *own_key,
+ uint16_t *algorithm )
{
mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
/* Determine the size of the key */
@@ -1017,7 +1024,7 @@
* opaque signature<0..2^16-1>;
* } CertificateVerify;
*/
- ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
+ ret = mbedtls_ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 6502307..5be338d 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -335,6 +335,75 @@
return( 1 );
}
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/*
+ * Pick best ( private key, certificate chain ) pair based on the signature
+ * algorithms supported by the client.
+ */
+static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
+{
+ mbedtls_ssl_key_cert *key_cert, *key_cert_list;
+ const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+ uint16_t key_sig_alg;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_key_cert != NULL )
+ key_cert_list = ssl->handshake->sni_key_cert;
+ else
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+ key_cert_list = ssl->conf->key_cert;
+
+ if( key_cert_list == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
+ return( -1 );
+ }
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ {
+ for( key_cert = key_cert_list; key_cert != NULL;
+ key_cert = key_cert->next )
+ {
+ int ret;
+ MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
+ key_cert->cert );
+
+ /*
+ * This avoids sending the client a cert it'll reject based on
+ * keyUsage or other extensions.
+ */
+ if( mbedtls_x509_crt_check_key_usage(
+ key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
+ mbedtls_x509_crt_check_extended_key_usage(
+ key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
+ MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
+ "(extended) key usage extension" ) );
+ continue;
+ }
+
+ ret = mbedtls_ssl_tls13_get_sig_alg_from_pk(
+ ssl, &key_cert->cert->pk, &key_sig_alg );
+ if( ret != 0 )
+ continue;
+ if( *sig_alg == key_sig_alg )
+ {
+ ssl->handshake->key_cert = key_cert;
+ MBEDTLS_SSL_DEBUG_CRT(
+ 3, "selected certificate (chain)",
+ ssl->handshake->key_cert->cert );
+ return( 0 );
+ }
+ }
+ }
+
+ return( -1 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C &&
+ MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
/*
*
* STATE HANDLING: ClientHello
@@ -580,6 +649,21 @@
switch( extension_type )
{
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ case MBEDTLS_TLS_EXT_SERVERNAME:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
+ ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
+ extension_data_end );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_parse_servername_ext", ret );
+ return( ret );
+ }
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
+ break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
#if defined(MBEDTLS_ECDH_C)
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
@@ -685,10 +769,18 @@
ssl_tls13_debug_print_client_hello_exts( ssl );
#endif /* MBEDTLS_DEBUG_C */
+ return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
+}
+
+/* Update the handshake state machine */
+
+static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
/*
* Here we only support the ephemeral or (EC)DHE key echange mode
*/
-
if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG(
@@ -699,14 +791,18 @@
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
- return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
-}
-
-/* Update the handshake state machine */
-
-static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /*
+ * Server certificate selection
+ */
+ if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
+ return( ret );
+ }
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ ssl->handshake->sni_name = NULL;
+ ssl->handshake->sni_name_len = 0;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
if( ret != 0 )
@@ -1337,6 +1433,11 @@
{
int authmode;
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+ authmode = ssl->handshake->sni_authmode;
+ else
+#endif
authmode = ssl->conf->authmode;
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
@@ -1450,13 +1551,17 @@
static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( mbedtls_ssl_own_cert( ssl ) == NULL )
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
+ mbedtls_ssl_own_cert( ssl ) == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
ret = mbedtls_ssl_tls13_write_certificate( ssl );
if( ret != 0 )
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9ec2ffa..f507a32 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5373,7 +5373,6 @@
# tests for SNI
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@@ -5383,7 +5382,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5395,7 +5393,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5407,7 +5404,6 @@
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5420,7 +5416,6 @@
-c "mbedtls_ssl_handshake returned" \
-c "SSL - A fatal alert message was received from our peer"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5434,7 +5429,6 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5448,7 +5442,6 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5458,11 +5451,8 @@
-s "skip write certificate request" \
-C "skip parse certificate request" \
-c "got no certificate request" \
- -c "skip write certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify"
+ -c "skip write certificate"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5481,7 +5471,6 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -5500,7 +5489,6 @@
-S "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -11408,6 +11396,46 @@
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "No certificate available."
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Server side check - openssl with sni" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
+ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
+ 0 \
+ -s "parse ServerName extension" \
+ -s "HTTP/1.0 200 OK"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Server side check - gnutls with sni" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
+ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
+ 0 \
+ -s "parse ServerName extension" \
+ -s "HTTP/1.0 200 OK"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Server side check - mbedtls with sni" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ force_version=tls13" \
+ 0 \
+ -s "parse ServerName extension" \
+ -s "HTTP/1.0 200 OK"
+
for i in opt-testcases/*.sh
do
TEST_SUITE_NAME=${i##*/}