diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -57,19 +57,23 @@ ssl_init() fi PORT=${PORT-8443} NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} nss_ssl_run="stapling cov auth stress" NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt - SSLAUTH=${QADIR}/ssl/sslauth.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt + if [ "${NSS_NO_SSL2}" = "1" ]; then + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt + else + SSLCOV=${QADIR}/ssl/sslcov.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + fi REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files SERVEROUTFILE=${TMP}/tests_server.$$ SERVERPID=${TMP}/tests_pid.$$ R_SERVERPID=../tests_pid.$$ @@ -115,17 +119,21 @@ is_selfserv_alive() if [ "${OS_ARCH}" = "WINNT" ] && \ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then PID=${SHELL_SERVERPID} else PID=`cat ${SERVERPID}` fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" + if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then + echo "No server to kill" + else kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" + fi echo "selfserv with PID ${PID} found at `date`" } ########################### wait_for_selfserv ########################## # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() @@ -138,17 +146,21 @@ wait_for_selfserv() if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} if [ $? -ne 0 ]; then + if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then + html_passed "Server never started" + else html_failed "Waiting for Server" + fi fi fi is_selfserv_alive } ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## @@ -273,16 +285,19 @@ ssl_cov() exec < ${SSLCOV} while read ectype testmax param testname do echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? echo "${testname}" | grep "SSL2" > /dev/null SSL2=$? + # skip export and ssl2 tests when build has disabled SSL2 + [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue + if [ "${SSL2}" -eq 0 ] ; then # We cannot use asynchronous cert verification with SSL2 SSL2_FLAGS=-O VMIN="ssl2" else # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by # default in libssl but it is enabled by default in tstclnt; we want # to test the libssl default whenever possible. diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt new file mode 100644 --- /dev/null +++ b/tests/ssl/sslcov.noSSL2orExport.txt @@ -0,0 +1,134 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the various SSL ciphers +# +# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We +# mix up the enable functions so we can tests boths paths. +# +# Enable Enable Cipher Test Name +# EC TLS +# +# + noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 + noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA + noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA + noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 + noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA + noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA + noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA + noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA + noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA + noECC SSL3 z SSL3_RSA_WITH_NULL_SHA +# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# + noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 + noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA + noECC TLS10 i TLS_RSA_WITH_NULL_MD5 + noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA + noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA + noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA + noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA + noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA + noECC TLS10 z TLS_RSA_WITH_NULL_SHA +# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# +# + noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 + noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA + noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 + noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA + noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA + noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA + noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA + noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA + noECC TLS11 z TLS11_RSA_WITH_NULL_SHA +# + noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 + noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA + noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 + noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA + noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA + noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA + noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA + noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA + noECC TLS12 z TLS12_RSA_WITH_NULL_SHA + noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 + noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 + noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 + noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 +# +# ECC ciphers (TLS) +# + ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA + ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA + ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA + ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA + ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA + ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA + ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt new file mode 100644 --- /dev/null +++ b/tests/ssl/sslstress.noSSL2orExport.txt @@ -0,0 +1,53 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the stress tests for SSL/TLS. +# +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) + noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) + noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) + noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) + noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) + SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) + +# +# add client auth versions here... +# + noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) + noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) + noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) + noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) + noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) + SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) + SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) + +# +# ############################ ECC ciphers ############################ +# + ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) + ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) + ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA + ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 + ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM + ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) +# +# add client auth versions here... +# + ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) + ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) + ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)