From eb087e0861f207858a4e08c72836a86f26d9701c Mon Sep 17 00:00:00 2001

From: Quanah Gibson-Mount <quanah@openldap.org>

Date: Thu, 14 Jun 2018 16:12:59 +0100

Subject: [PATCH] ITS#8573 TLS option test suite

---

 configure                                     |   4 +

 configure.in                                  |   4 +

 tests/data/slapd-tls-sasl.conf                |  65 ++

 tests/data/slapd-tls.conf                     |  61 ++

 tests/data/tls/ca/certs/testsuiteCA.crt       |  16 +

 tests/data/tls/ca/private/testsuiteCA.key     |  16 +

 .../tls/certs/bjensen@mailgw.example.com.crt  |  16 +

 tests/data/tls/certs/localhost.crt            |  16 +

 tests/data/tls/conf/openssl.cnf               | 129 ++++

 tests/data/tls/create-crt.sh                  |  78 +++

 .../private/bjensen@mailgw.example.com.key    |  16 +

 tests/data/tls/private/localhost.key          |  16 +

 tests/run.in                                  |   3 +-

 tests/scripts/defines.sh                      |  21 +-

 tests/scripts/test067-tls                     | 140 +++++

 tests/scripts/test068-sasl-tls-external       | 102 ++++

 .../test069-delta-multimaster-starttls        | 574 ++++++++++++++++++

 tests/scripts/test070-delta-multimaster-ldaps | 571 +++++++++++++++++

 18 files changed, 1846 insertions(+), 2 deletions(-)

 create mode 100644 tests/data/slapd-tls-sasl.conf

 create mode 100644 tests/data/slapd-tls.conf

 create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt

 create mode 100644 tests/data/tls/ca/private/testsuiteCA.key

 create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt

 create mode 100644 tests/data/tls/certs/localhost.crt

 create mode 100644 tests/data/tls/conf/openssl.cnf

 create mode 100755 tests/data/tls/create-crt.sh

 create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key

 create mode 100644 tests/data/tls/private/localhost.key

 create mode 100755 tests/scripts/test067-tls

 create mode 100755 tests/scripts/test068-sasl-tls-external

 create mode 100755 tests/scripts/test069-delta-multimaster-starttls

 create mode 100755 tests/scripts/test070-delta-multimaster-ldaps

diff --git a/configure b/configure

index e87850ec2..e8a720961 100755

--- a/configure

+++ b/configure

@@ -758,6 +758,7 @@ AUTH_LIBS

 LIBSLAPI

 SLAPI_LIBS

 MODULES_LIBS

+WITH_TLS_TYPE

 TLS_LIBS

 SASL_LIBS

 KRB5_LIBS

@@ -5133,6 +5134,7 @@ KRB4_LIBS=

 KRB5_LIBS=

 SASL_LIBS=

 TLS_LIBS=

+WITH_TLS_TYPE=

 MODULES_LIBS=

 SLAPI_LIBS=

 LIBSLAPI=

@@ -15582,6 +15584,7 @@ fi

 		if test $have_openssl = yes ; then

 			ol_with_tls=openssl

 			ol_link_tls=yes

+			WITH_TLS_TYPE=openssl

 $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h

@@ -15716,6 +15719,7 @@ fi

 			if test $have_gnutls = yes ; then

 				ol_with_tls=gnutls

 				ol_link_tls=yes

+				WITH_TLS_TYPE=gnutls

 				TLS_LIBS="-lgnutls"

diff --git a/configure.in b/configure.in

index 0c7c0a9ee..cf143d9bf 100644

--- a/configure.in

+++ b/configure.in

@@ -592,6 +592,7 @@ KRB4_LIBS=

 KRB5_LIBS=

 SASL_LIBS=

 TLS_LIBS=

+WITH_TLS_TYPE=

 MODULES_LIBS=

 SLAPI_LIBS=

 LIBSLAPI=

@@ -1186,6 +1187,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then

 		if test $have_openssl = yes ; then

 			ol_with_tls=openssl

 			ol_link_tls=yes

+			WITH_TLS_TYPE=openssl

 			AC_DEFINE(HAVE_OPENSSL, 1, 

 				[define if you have OpenSSL])

@@ -1226,6 +1228,7 @@ if test $ol_link_tls = no ; then

 			if test $have_gnutls = yes ; then

 				ol_with_tls=gnutls

 				ol_link_tls=yes

+				WITH_TLS_TYPE=gnutls

 				TLS_LIBS="-lgnutls"

@@ -3163,6 +3166,7 @@ AC_SUBST(KRB4_LIBS)

 AC_SUBST(KRB5_LIBS)

 AC_SUBST(SASL_LIBS)

 AC_SUBST(TLS_LIBS)

+AC_SUBST(WITH_TLS_TYPE)

 AC_SUBST(MODULES_LIBS)

 AC_SUBST(SLAPI_LIBS)

 AC_SUBST(LIBSLAPI)

diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf

new file mode 100644

index 000000000..f4bb0773e

--- /dev/null

+++ b/tests/data/slapd-tls-sasl.conf

@@ -0,0 +1,65 @@

+# stand-alone slapd config -- for testing (with indexing)

+# $OpenLDAP$

+## This work is part of OpenLDAP Software <http://www.openldap.org/>.

+##

+## Copyright 1998-2017 The OpenLDAP Foundation.

+## All rights reserved.

+##

+## Redistribution and use in source and binary forms, with or without

+## modification, are permitted only as authorized by the OpenLDAP

+## Public License.

+##

+## A copy of this license is available in the file LICENSE in the

+## top-level directory of the distribution or, alternatively, at

+## <http://www.OpenLDAP.org/license.html>.

+

+#

+include		@SCHEMADIR@/core.schema

+include		@SCHEMADIR@/cosine.schema

+#

+include		@SCHEMADIR@/corba.schema

+include		@SCHEMADIR@/java.schema

+include		@SCHEMADIR@/inetorgperson.schema

+include		@SCHEMADIR@/misc.schema

+include		@SCHEMADIR@/nis.schema

+include		@SCHEMADIR@/openldap.schema

+#

+include		@SCHEMADIR@/duaconf.schema

+include		@SCHEMADIR@/dyngroup.schema

+include		@SCHEMADIR@/ppolicy.schema

+

+#

+pidfile		@TESTDIR@/slapd.1.pid

+argsfile	@TESTDIR@/slapd.1.args

+

+# SSL configuration

+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt

+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key

+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt

+TLSVerifyClient hard

+

+#

+rootdse 	@DATADIR@/rootdse.ldif

+

+#mod#modulepath	../servers/slapd/back-@BACKEND@/

+#mod#moduleload	back_@BACKEND@.la

+#monitormod#modulepath ../servers/slapd/back-monitor/

+#monitormod#moduleload back_monitor.la

+

+authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)

+

+#######################################################################

+# database definitions

+#######################################################################

+

+database	@BACKEND@

+suffix          "dc=example,dc=com"

+rootdn          "cn=Manager,dc=example,dc=com"

+rootpw          secret

+#~null~#directory	@TESTDIR@/db.1.a

+#indexdb#index		objectClass eq

+#indexdb#index		mail eq

+#ndb#dbname db_1_a

+#ndb#include @DATADIR@/ndb.conf

+

+#monitor#database	monitor

diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf

new file mode 100644

index 000000000..6a7785557

--- /dev/null

+++ b/tests/data/slapd-tls.conf

@@ -0,0 +1,61 @@

+# stand-alone slapd config -- for testing (with indexing)

+# $OpenLDAP$

+## This work is part of OpenLDAP Software <http://www.openldap.org/>.

+##

+## Copyright 1998-2017 The OpenLDAP Foundation.

+## All rights reserved.

+##

+## Redistribution and use in source and binary forms, with or without

+## modification, are permitted only as authorized by the OpenLDAP

+## Public License.

+##

+## A copy of this license is available in the file LICENSE in the

+## top-level directory of the distribution or, alternatively, at

+## <http://www.OpenLDAP.org/license.html>.

+

+#

+include		@SCHEMADIR@/core.schema

+include		@SCHEMADIR@/cosine.schema

+#

+include		@SCHEMADIR@/corba.schema

+include		@SCHEMADIR@/java.schema

+include		@SCHEMADIR@/inetorgperson.schema

+include		@SCHEMADIR@/misc.schema

+include		@SCHEMADIR@/nis.schema

+include		@SCHEMADIR@/openldap.schema

+#

+include		@SCHEMADIR@/duaconf.schema

+include		@SCHEMADIR@/dyngroup.schema

+include		@SCHEMADIR@/ppolicy.schema

+

+#

+pidfile		@TESTDIR@/slapd.1.pid

+argsfile	@TESTDIR@/slapd.1.args

+

+# SSL configuration

+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key

+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt

+

+#

+rootdse 	@DATADIR@/rootdse.ldif

+

+#mod#modulepath	../servers/slapd/back-@BACKEND@/

+#mod#moduleload	back_@BACKEND@.la

+#monitormod#modulepath ../servers/slapd/back-monitor/

+#monitormod#moduleload back_monitor.la

+

+#######################################################################

+# database definitions

+#######################################################################

+

+database	@BACKEND@

+suffix          "dc=example,dc=com"

+rootdn          "cn=Manager,dc=example,dc=com"

+rootpw          secret

+#~null~#directory	@TESTDIR@/db.1.a

+#indexdb#index		objectClass eq

+#indexdb#index		mail eq

+#ndb#dbname db_1_a

+#ndb#include @DATADIR@/ndb.conf

+

+#monitor#database	monitor

diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt

new file mode 100644

index 000000000..7458e7461

--- /dev/null

+++ b/tests/data/tls/ca/certs/testsuiteCA.crt

@@ -0,0 +1,16 @@

+-----BEGIN CERTIFICATE-----

+MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV

+BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv

+bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0

+NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB

+MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB

+UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd

+rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb

+lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL

+6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU

+7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB

+SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/

+wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws

+ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q

+aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==

+-----END CERTIFICATE-----

diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key

new file mode 100644

index 000000000..2e14d7033

--- /dev/null

+++ b/tests/data/tls/ca/private/testsuiteCA.key

@@ -0,0 +1,16 @@

+-----BEGIN PRIVATE KEY-----

+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ

+WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc

+338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/

+dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg

+O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf

+7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn

+rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f

+wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk

+AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l

+vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9

+27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X

+KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N

+I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL

++b2qljWeZbGH

+-----END PRIVATE KEY-----

diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt

new file mode 100644

index 000000000..93e3a0d39

--- /dev/null

+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt

@@ -0,0 +1,16 @@

+-----BEGIN CERTIFICATE-----

+MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL

+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV

+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx

+ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV

+BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD

+VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa

+YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A

+MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg

+QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU

+U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL

+MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn

+wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f

+7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo

+4DnnYQBDnq48VORVX94=

+-----END CERTIFICATE-----

diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt

new file mode 100644

index 000000000..194cb119d

--- /dev/null

+++ b/tests/data/tls/certs/localhost.crt

@@ -0,0 +1,16 @@

+-----BEGIN CERTIFICATE-----

+MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL

+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV

+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx

+ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE

+CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT

+dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB

+iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4

+7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv

+8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ

+BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A

+AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG

+8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl

+0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR

+GjeZB1FxqDGHjxBq2O828iejw28bSz4=

+-----END CERTIFICATE-----

diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf

new file mode 100644

index 000000000..a3c8ad9f6

--- /dev/null

+++ b/tests/data/tls/conf/openssl.cnf

@@ -0,0 +1,129 @@

+HOME                    = .

+RANDFILE                = $ENV::HOME/.rnd

+

+oid_section             = new_oids

+

+[ new_oids ]

+tsa_policy1 = 1.2.3.4.1

+tsa_policy2 = 1.2.3.4.5.6

+tsa_policy3 = 1.2.3.4.5.7

+

+[ ca ]

+default_ca      = CA_default            # The default ca section

+

+[ CA_default ]

+

+dir             = ./cruft		# Where everything is kept

+certs           = $dir/certs            # Where the issued certs are kept

+crl_dir         = $dir/crl              # Where the issued crl are kept

+database        = $dir/index.txt        # database index file.

+new_certs_dir   = $dir/certs         # default place for new certs.

+certificate     = $dir/cacert.pem       # The CA certificate

+serial          = $dir/serial           # The current serial number

+crlnumber       = $dir/crlnumber        # the current crl number

+crl             = $dir/crl.pem          # The current CRL

+private_key     = $dir/private/cakey.pem# The private key

+RANDFILE        = $dir/private/.rand    # private random number file

+x509_extensions = usr_cert              # The extentions to add to the cert

+name_opt        = ca_default            # Subject Name options

+cert_opt        = ca_default            # Certificate field options

+default_days    = 365                   # how long to certify for

+default_crl_days= 30                    # how long before next CRL

+default_md      = default               # use public key default MD

+preserve        = no                    # keep passed DN ordering

+policy          = policy_match

+

+[ policy_match ]

+countryName             = match

+stateOrProvinceName     = match

+organizationName        = match

+organizationalUnitName  = optional

+commonName              = supplied

+emailAddress            = optional

+

+[ policy_anything ]

+countryName             = optional

+stateOrProvinceName     = optional

+localityName            = optional

+organizationName        = optional

+organizationalUnitName  = optional

+commonName              = supplied

+emailAddress            = optional

+

+[ req ]

+default_bits            = 2048

+default_keyfile         = privkey.pem

+distinguished_name      = req_distinguished_name

+attributes              = req_attributes

+x509_extensions = v3_ca # The extentions to add to the self signed cert

+

+string_mask = utf8only

+

+[ req_distinguished_name ]

+basicConstraints=CA:FALSE

+

+[ req_attributes ]

+challengePassword               = A challenge password

+challengePassword_min           = 4

+challengePassword_max           = 20

+

+unstructuredName                = An optional company name

+

+[ usr_cert ]

+

+basicConstraints=CA:FALSE

+nsComment                       = "OpenSSL Generated Certificate"

+

+subjectKeyIdentifier=hash

+authorityKeyIdentifier=keyid,issuer

+

+[ v3_req ]

+

+basicConstraints = CA:FALSE

+keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1

+

+[ v3_ca ]

+subjectKeyIdentifier=hash

+authorityKeyIdentifier=keyid:always,issuer

+basicConstraints = CA:true

+

+[ crl_ext ]

+

+authorityKeyIdentifier=keyid:always

+

+[ proxy_cert_ext ]

+basicConstraints=CA:FALSE

+nsComment                       = "OpenSSL Generated Certificate"

+

+subjectKeyIdentifier=hash

+authorityKeyIdentifier=keyid,issuer

+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

+

+[ tsa ]

+

+default_tsa = tsa_config1       # the default TSA section

+

+[ tsa_config1 ]

+

+dir             = ./demoCA              # TSA root directory

+serial          = $dir/tsaserial        # The current serial number (mandatory)

+crypto_device   = builtin               # OpenSSL engine to use for signing

+signer_cert     = $dir/tsacert.pem      # The TSA signing certificate

+                                        # (optional)

+certs           = $dir/cacert.pem       # Certificate chain to include in reply

+                                        # (optional)

+signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

+

+default_policy  = tsa_policy1           # Policy if request did not specify it

+                                        # (optional)

+other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)

+digests         = md5, sha1             # Acceptable message digests (mandatory)

+accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)

+clock_precision_digits  = 0     # number of digits after dot. (optional)

+ordering                = yes   # Is ordering defined for timestamps?

+                                # (optional, default: no)

+tsa_name                = yes   # Must the TSA name be included in the reply?

+                                # (optional, default: no)

+ess_cert_id_chain       = no    # Must the ESS cert id chain be included?

+                                # (optional, default: no)

diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh

new file mode 100755

index 000000000..8c33a24fe

--- /dev/null

+++ b/tests/data/tls/create-crt.sh

@@ -0,0 +1,78 @@

+#!/bin/sh

+openssl=$(which openssl)

+

+if [ x"$openssl" = "x" ]; then

+echo "OpenSSL command line binary not found, skipping..."

+fi

+

+USAGE="$0 [-s] [-u <user@domain.com>]"

+SERVER=0

+USER=0

+EMAIL=

+

+while test $# -gt 0 ; do

+	case "$1" in

+		-s | -server)

+			SERVER=1;

+			shift;;

+		-u | -user)

+			if [ x"$2" = "x" ]; then

+				echo "User cert requires an email address as an argument"

+				exit;

+			fi

+			USER=1;

+			EMAIL="$2";

+			shift; shift;;

+		-)

+			shift;;

+		-*)

+			echo "$USAGE"; exit 1

+			;;

+		*)

+			break;;

+	esac

+done

+

+if [ $SERVER = 0 -a $USER = 0 ]; then

+	echo "$USAGE";

+	exit 1;

+fi

+

+rm -rf ./openssl.cnf cruft

+mkdir -p private certs cruft/private cruft/certs

+

+echo "00" > cruft/serial

+touch cruft/index.txt

+touch cruft/index.txt.attr

+hn=$(hostname -f)

+sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf

+

+if [ $SERVER = 1 ]; then

+	rm -rf private/localhost.key certs/localhost.crt

+

+	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \

+		-newkey rsa:1024 -config ./openssl.cnf \

+		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \

+		-batch > /dev/null 2>&1

+

+	$openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \

+		-keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \

+		-batch >/dev/null 2>&1

+

+	rm -rf ./openssl.cnf ./localhost.csr cruft

+fi

+

+if [ $USER = 1 ]; then

+	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr

+

+	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \

+		-newkey rsa:1024 -config ./openssl.cnf \

+		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \

+		-batch >/dev/null 2>&1

+

+	$openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \

+		-keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \

+		-cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1

+

+	rm -rf ./openssl.cnf ./$EMAIL.csr cruft

+fi

diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key

new file mode 100644

index 000000000..5f4625fd7

--- /dev/null

+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key

@@ -0,0 +1,16 @@

+-----BEGIN PRIVATE KEY-----

+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2

+xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4

+9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z

+yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r

+oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e

+nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg

+xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra

+EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd

+9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/

+pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI

+tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ

+3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D

+tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg

+36Ixj3L+5H18

+-----END PRIVATE KEY-----

diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key

new file mode 100644

index 000000000..8a24f69f8

--- /dev/null

+++ b/tests/data/tls/private/localhost.key

@@ -0,0 +1,16 @@

+-----BEGIN PRIVATE KEY-----

+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg

+ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM

+w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM

+brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij

+Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf

+2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ

+bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q

+1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf

+3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U

+VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7

+TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b

+iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP

+5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3

+b61hkjQZfbEg5cg=

+-----END PRIVATE KEY-----

diff --git a/tests/run.in b/tests/run.in

index a542eedec..468c3e1f2 100644

--- a/tests/run.in

+++ b/tests/run.in

@@ -56,6 +56,7 @@ AC_valsort=valsort@BUILD_VALSORT@

 # misc

 AC_WITH_SASL=@WITH_SASL@

 AC_WITH_TLS=@WITH_TLS@

+AC_TLS_TYPE=@WITH_TLS_TYPE@

 AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@

 AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@

 AC_THREADS=threads@BUILD_THREAD@

@@ -74,7 +75,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \

 	AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \

 	AC_valsort \

 	AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \

-	AC_THREADS AC_LIBS_DYNAMIC

+	AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE

 if test ! -x ../servers/slapd/slapd ; then

 	echo "Could not locate slapd(8)"

diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh

index b374cc500..8f7c7b853 100755

--- a/tests/scripts/defines.sh

+++ b/tests/scripts/defines.sh

@@ -45,6 +45,9 @@ VALSORT=${AC_valsort-valsortno}

 # misc

 WITH_SASL=${AC_WITH_SASL-no}

 USE_SASL=${SLAPD_USE_SASL-no}

+WITH_TLS=${AC_WITH_TLS-no}

+WITH_TLS_TYPE=${AC_TLS_TYPE-no}

+

 ACI=${AC_ACI_ENABLED-acino}

 THREADS=${AC_THREADS-threadsno}

 SLEEP0=${SLEEP0-1}

@@ -103,6 +106,8 @@ P2SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist2.conf

 P3SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist3.conf

 REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf

 SCHEMACONF=$DATADIR/slapd-schema.conf

+TLSCONF=$DATADIR/slapd-tls.conf

+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf

 GLUECONF=$DATADIR/slapd-glue.conf

 REFINTCONF=$DATADIR/slapd-refint.conf

 RETCODECONF=$DATADIR/slapd-retcode.conf

@@ -163,6 +168,7 @@ SLURPLOG=$TESTDIR/slurp.log

 CONFIGPWF=$TESTDIR/configpw

 # args

+SASLARGS="-Q"

 TOOLARGS="-x $LDAP_TOOLARGS"

 TOOLPROTO="-P 3"

@@ -184,7 +190,8 @@ BCMP="diff -iB"

 CMPOUT=/dev/null

 SLAPD="$TESTWD/../servers/slapd/slapd -s0"

 LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"

-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"

+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL"

+LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS"

 LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"

 LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"

 LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"

@@ -199,6 +206,7 @@ LDIFFILTER=$PROGDIR/ldif-filter

 SLAPDMTREAD=$PROGDIR/slapd-mtread

 LVL=${SLAPD_DEBUG-0x4105}

 LOCALHOST=localhost

+LOCALIP=127.0.0.1

 BASEPORT=${SLAPD_BASEPORT-9010}

 PORT1=`expr $BASEPORT + 1`

 PORT2=`expr $BASEPORT + 2`

@@ -207,11 +215,22 @@ PORT4=`expr $BASEPORT + 4`

 PORT5=`expr $BASEPORT + 5`

 PORT6=`expr $BASEPORT + 6`

 URI1="ldap://${LOCALHOST}:$PORT1/"

+URIP1="ldap://${LOCALIP}:$PORT1/"

 URI2="ldap://${LOCALHOST}:$PORT2/"

+URIP2="ldap://${LOCALIP}:$PORT2/"

 URI3="ldap://${LOCALHOST}:$PORT3/"

+URIP3="ldap://${LOCALIP}:$PORT3/"

 URI4="ldap://${LOCALHOST}:$PORT4/"

 URI5="ldap://${LOCALHOST}:$PORT5/"

 URI6="ldap://${LOCALHOST}:$PORT6/"

+SURI1="ldaps://${LOCALHOST}:$PORT1/"

+SURIP1="ldaps://${LOCALIP}:$PORT1/"

+SURI2="ldaps://${LOCALHOST}:$PORT2/"

+SURIP2="ldaps://${LOCALIP}:$PORT2/"

+SURI3="ldaps://${LOCALHOST}:$PORT3/"

+SURI4="ldaps://${LOCALHOST}:$PORT4/"

+SURI5="ldaps://${LOCALHOST}:$PORT5/"

+SURI6="ldaps://${LOCALHOST}:$PORT6/"

 # LDIF

 LDIF=$DATADIR/test.ldif

diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls

new file mode 100755

index 000000000..2b245f5f5

--- /dev/null

+++ b/tests/scripts/test067-tls

@@ -0,0 +1,140 @@

+#! /bin/sh

+# $OpenLDAP$

+## This work is part of OpenLDAP Software <http://www.openldap.org/>.

+##

+## Copyright 1998-2017 The OpenLDAP Foundation.

+## All rights reserved.

+##

+## Redistribution and use in source and binary forms, with or without

+## modification, are permitted only as authorized by the OpenLDAP

+## Public License.

+##

+## A copy of this license is available in the file LICENSE in the

+## top-level directory of the distribution or, alternatively, at

+## <http://www.OpenLDAP.org/license.html>.

+

+echo "running defines.sh"

+. $SRCDIR/scripts/defines.sh

+

+if test $WITH_TLS = no ; then