From 393d4250ad5a9b8527ace7f3194fb2e67bde216e Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Mon, 30 Jan 2017 09:48:51 +0100
Subject: [PATCH 1/5] renegotiation-with-OpenSSL: Test extension
---
.../renegotiation-with-OpenSSL/runtest.sh | 400 ++++++++++++++++--
1 file changed, 376 insertions(+), 24 deletions(-)
diff --git a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
index 3aa0b65..0258b47 100755
--- a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
+++ b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
@@ -35,36 +35,388 @@ PACKAGES="gnutls openssl" rlJournalStart rlPhaseStartSetup rlAssertRpm --all + rlRun "rlImport openssl/certgen" rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" rlRun "pushd $TmpDir" - rlRun "openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost" - rlPhaseEnd + rlRun "x509KeyGen ca" + rlRun "x509KeyGen rsa-ca" + rlRun "x509KeyGen -t dsa dsa-ca" + rlRun "x509KeyGen -t ecdsa ecdsa-ca" + rlRun "x509KeyGen rsa-server" + rlRun "x509KeyGen -t dsa dsa-server" + rlRun "x509KeyGen -t ecdsa ecdsa-server" + rlRun "x509KeyGen rsa-client" + rlRun "x509KeyGen -t dsa dsa-client" + rlRun "x509KeyGen -t ecdsa ecdsa-client" + rlRun "x509SelfSign ca" + rlRun "x509CertSign --CA ca -t ca --DN 'CN=RSA CA' rsa-ca" + rlRun "x509CertSign --CA ca -t ca --DN 'CN=DSA CA' dsa-ca" + rlRun "x509CertSign --CA ca -t ca --DN 'CN=ECDSA CA' ecdsa-ca" + rlRun "x509CertSign --CA rsa-ca rsa-server" + rlRun "x509CertSign --CA dsa-ca dsa-server" + rlRun "x509CertSign --CA ecdsa-ca ecdsa-server" + rlRun "x509CertSign --CA rsa-ca -t webclient rsa-client" + rlRun "x509CertSign --CA dsa-ca -t webclient dsa-client" + rlRun "x509CertSign --CA ecdsa-ca -t webclient ecdsa-client" + rlRun "x509DumpCert ca" 0 "Root CA" + rlRun "x509DumpCert rsa-ca" 0 "Intermediate RSA CA" + rlRun "x509DumpCert dsa-ca" 0 "Intermediate DSA CA" + rlRun "x509DumpCert ecdsa-ca" 0 "Intermediate ECDSA CA" + rlRun "x509DumpCert rsa-server" 0 "Server RSA certificate" + rlRun "x509DumpCert dsa-server" 0 "Server DSA certificate" + rlRun "x509DumpCert ecdsa-server" 0 "Server ECDSA certificate" + rlRun "x509DumpCert rsa-client" 0 "Client RSA certificate" + rlRun "x509DumpCert dsa-client" 0 "Client DSA certificate" + rlRun "x509DumpCert ecdsa-client" 0 "Client ECDSA certificate" + + # Tested combinations + + # Structure definiton: + # C_NAME IETF name of a ciphersuite + # C_OPENSSL OpenSSL ciphersuite ID + # C_GNUTLS GNUTLS ciphersuite ID (unused for now) + # 
C_TLS1_2_ONLY new ciphersuite in TLS1.2 + # C_SUBCA intermediate CA + # C_CERT EE (end-entity) certificate + # C_KEY EE key + # C_CLNT_CERT client certificate + # C_CLNT_KEY client key + i=0 + + C_NAME[$i]="TLS_RSA_WITH_AES_128_CBC_SHA" + C_OPENSSL[$i]="AES128-SHA" + C_GNUTLS[$i]="TLS_RSA_AES_128_CBC_SHA1" + C_TLS1_2_ONLY[$i]="False" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_RSA_WITH_AES_256_CBC_SHA256" + C_OPENSSL[$i]="AES256-SHA256" + C_GNUTLS[$i]="TLS_RSA_AES_256_CBC_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_RSA_WITH_AES_128_GCM_SHA256" + C_OPENSSL[$i]="AES128-GCM-SHA256" + C_GNUTLS[$i]="TLS_RSA_AES_128_GCM_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_RSA_WITH_AES_256_GCM_SHA384" + C_OPENSSL[$i]="AES256-GCM-SHA384" + C_GNUTLS[$i]="TLS_RSA_AES_256_GCM_SHA384" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + C_OPENSSL[$i]="DHE-RSA-AES128-SHA" + C_GNUTLS[$i]="TLS_DHE_RSA_AES_128_CBC_SHA1" + C_TLS1_2_ONLY[$i]="False" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + 
C_NAME[$i]="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" + C_OPENSSL[$i]="DHE-RSA-AES256-SHA256" + C_GNUTLS[$i]="TLS_DHE_RSA_AES_256_CBC_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" + C_OPENSSL[$i]="DHE-RSA-AES128-GCM-SHA256" + C_GNUTLS[$i]="TLS_DHE_RSA_AES_128_GCM_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" + C_OPENSSL[$i]="DHE-RSA-AES256-GCM-SHA384" + C_GNUTLS[$i]="TLS_DHE_RSA_AES_256_GCM_SHA384" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + C_OPENSSL[$i]="DHE-DSS-AES128-SHA" + C_GNUTLS[$i]="TLS_DHE_DSS_AES_128_CBC_SHA1" + C_TLS1_2_ONLY[$i]="False" + C_SUBCA[$i]="$(x509Cert dsa-ca)" + C_CERT[$i]="$(x509Cert dsa-server)" + C_KEY[$i]="$(x509Key dsa-server)" + C_CLNT_CERT[$i]="$(x509Cert dsa-client)" + C_CLNT_KEY[$i]="$(x509Key dsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" + C_OPENSSL[$i]="DHE-DSS-AES256-SHA256" + C_GNUTLS[$i]="TLS_DHE_DSS_AES_256_CBC_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert dsa-ca)" + C_CERT[$i]="$(x509Cert dsa-server)" + C_KEY[$i]="$(x509Key dsa-server)" + C_CLNT_CERT[$i]="$(x509Cert dsa-client)" + C_CLNT_KEY[$i]="$(x509Key dsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" + C_OPENSSL[$i]="DHE-DSS-AES128-GCM-SHA256" + 
C_GNUTLS[$i]="TLS_DHE_DSS_AES_128_GCM_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert dsa-ca)" + C_CERT[$i]="$(x509Cert dsa-server)" + C_KEY[$i]="$(x509Key dsa-server)" + C_CLNT_CERT[$i]="$(x509Cert dsa-client)" + C_CLNT_KEY[$i]="$(x509Key dsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" + C_OPENSSL[$i]="DHE-DSS-AES256-GCM-SHA384" + C_GNUTLS[$i]="TLS_DHE_DSS_AES_256_GCM_SHA384" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert dsa-ca)" + C_CERT[$i]="$(x509Cert dsa-server)" + C_KEY[$i]="$(x509Key dsa-server)" + C_CLNT_CERT[$i]="$(x509Cert dsa-client)" + C_CLNT_KEY[$i]="$(x509Key dsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" + C_OPENSSL[$i]="ECDHE-RSA-DES-CBC3-SHA" + C_GNUTLS[$i]="TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1" + C_TLS1_2_ONLY[$i]="False" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" + C_OPENSSL[$i]="ECDHE-RSA-AES256-SHA384" + C_GNUTLS[$i]="TLS_ECDHE_RSA_AES_256_CBC_SHA384" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + C_OPENSSL[$i]="ECDHE-RSA-AES128-GCM-SHA256" + C_GNUTLS[$i]="TLS_ECDHE_RSA_AES_128_GCM_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + C_OPENSSL[$i]="ECDHE-RSA-AES256-GCM-SHA384" + C_GNUTLS[$i]="TLS_ECDHE_RSA_AES_256_GCM_SHA384" + C_TLS1_2_ONLY[$i]="True" + 
C_SUBCA[$i]="$(x509Cert rsa-ca)" + C_CERT[$i]="$(x509Cert rsa-server)" + C_KEY[$i]="$(x509Key rsa-server)" + C_CLNT_CERT[$i]="$(x509Cert rsa-client)" + C_CLNT_KEY[$i]="$(x509Key rsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + C_OPENSSL[$i]="ECDHE-ECDSA-AES256-SHA" + C_GNUTLS[$i]="TLS_ECDHE_ECDSA_AES_256_CBC_SHA1" + C_TLS1_2_ONLY[$i]="False" + C_SUBCA[$i]="$(x509Cert ecdsa-ca)" + C_CERT[$i]="$(x509Cert ecdsa-server)" + C_KEY[$i]="$(x509Key ecdsa-server)" + C_CLNT_CERT[$i]="$(x509Cert ecdsa-client)" + C_CLNT_KEY[$i]="$(x509Key ecdsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" + C_OPENSSL[$i]="ECDHE-ECDSA-AES128-SHA256" + C_GNUTLS[$i]="TLS_ECDHE_ECDSA_AES_128_CBC_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert ecdsa-ca)" + C_CERT[$i]="$(x509Cert ecdsa-server)" + C_KEY[$i]="$(x509Key ecdsa-server)" + C_CLNT_CERT[$i]="$(x509Cert ecdsa-client)" + C_CLNT_KEY[$i]="$(x509Key ecdsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + C_OPENSSL[$i]="ECDHE-ECDSA-AES128-GCM-SHA256" + C_GNUTLS[$i]="TLS_ECDHE_ECDSA_AES_128_GCM_SHA256" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert ecdsa-ca)" + C_CERT[$i]="$(x509Cert ecdsa-server)" + C_KEY[$i]="$(x509Key ecdsa-server)" + C_CLNT_CERT[$i]="$(x509Cert ecdsa-client)" + C_CLNT_KEY[$i]="$(x509Key ecdsa-client)" + i=$(($i+1)) + + C_NAME[$i]="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + C_OPENSSL[$i]="ECDHE-ECDSA-AES256-GCM-SHA384" + C_GNUTLS[$i]="TLS_ECDHE_ECDSA_AES_256_GCM_SHA384" + C_TLS1_2_ONLY[$i]="True" + C_SUBCA[$i]="$(x509Cert ecdsa-ca)" + C_CERT[$i]="$(x509Cert ecdsa-server)" + C_KEY[$i]="$(x509Key ecdsa-server)" + C_CLNT_CERT[$i]="$(x509Cert ecdsa-client)" + C_CLNT_KEY[$i]="$(x509Key ecdsa-client)" + i=$(($i+1)) - rlPhaseStartTest "openssl server" - rlRun "openssl s_server -www -key localhost.key -cert localhost.crt >server.log 2>server.err &" - openssl_pid=$! 
- rlRun "rlWaitForSocket -p $openssl_pid 4433" - for sett in NORMAL "NORMAL:+VERS-TLS1.2" "NORMAL:-VERS-TLS1.2"; do - rlRun -s "gnutls-cli --priority '$sett' --rehandshake --x509cafile localhost.crt --port 4433 localhost server.log 2>server.err &" - gnutls_pid=$! - rlRun "rlWaitForSocket -p $gnutls_pid 4433" - for sett in "" "-tls1_1" "-tls1_2"; do - rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | openssl s_client -connect localhost:4433 -CAfile localhost.crt $sett" - rlAssertGrep "RENEGOTIATING" $rlRun_LOG - rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + for idx in ${!C_NAME[@]}; do + for proto in tls1_2 tls1_1; do + + # skip tests of TLSv1.2 specific ciphers when testing TLSv1.1 + if [[ $proto == "tls1_1" ]] && [[ ${C_TLS1_2_ONLY[$idx]} == "True" ]]; then + continue + fi + + rlPhaseStartTest "OpenSSL <-> GNUTLS [${C_NAME[$idx]}, $proto]" + # OpenSSL server setup + options=(openssl s_server -www -key ${C_KEY[$idx]}) + options+=(-cert ${C_CERT[$idx]}) + options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$idx]})') + options+=(-cipher ${C_OPENSSL[$idx]}) + rlRun "${options[*]} >server.log 2>server.err &" + openssl_pid=$! + rlRun "rlWaitForSocket -p $openssl_pid 4433" + + # GNUTLS client setup + options=(gnutls-cli --rehandshake --x509cafile $(x509Cert ca)) + options+=(--port 4433) + if [[ $proto == "tls1_1" ]]; then + options+=(--priority NORMAL:-VERS-TLS1.2) + else + options+=(--priority NORMAL:+VERS-TLS1.2) + fi + rlRun -s "${options[*]} localhost GNUTLS [${C_NAME[$idx]}, $proto, client auth]" + # OpenSSL server setup + options=(openssl s_server -www -key ${C_KEY[$idx]}) + options+=(-cert ${C_CERT[$idx]}) + options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$idx]})') + options+=(-cipher ${C_OPENSSL[$idx]}) + options+=(-Verify 1 -verify_return_error) + rlRun "${options[*]} >server.log 2>server.err &" + openssl_pid=$! 
+ rlRun "rlWaitForSocket -p $openssl_pid 4433" + + # GNUTLS client setup + options=(gnutls-cli --rehandshake) + options+=(--x509cafile '<(cat $(x509Cert ca) ${C_SUBCA[$idx]})') + options+=(--x509keyfile ${C_CLNT_KEY[$idx]}) + options+=(--x509certfile ${C_CLNT_CERT[$idx]}) + options+=(--port 4433) + if [[ $proto == "tls1_1" ]]; then + options+=(--priority NORMAL:-VERS-TLS1.2) + else + options+=(--priority NORMAL:+VERS-TLS1.2) + fi + rlRun -s "${options[*]} localhost OpenSSL [${C_NAME[$idx]}, $proto]" + # GNUTLS server setup + options=(gnutls-serv --x509keyfile ${C_KEY[$idx]}) + options+=(--x509certfile '<(cat ${C_CERT[$idx]} ${C_SUBCA[$idx]})') + options+=(--http --port 4433 --priority NORMAL:+VERS-TLS1.2) + rlRun "${options[*]} >server.log 2>server.err &" + gnutls_pid=$! + rlRun "rlWaitForSocket -p $gnutls_pid 4433" + + # OpenSSL client setup + options=(openssl s_client -connect localhost:4433) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$idx]}) + if [[ $proto == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlAssertGrep "RENEGOTIATING" $rlRun_LOG + rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + rlRun "kill $gnutls_pid" 0,1 + rlRun "rlWait $gnutls_pid" 1,143 + rlPhaseEnd + + rlPhaseStartTest "GNUTLS <-> OpenSSL [${C_NAME[$idx]}, $proto, client auth]" + # GNUTLS server setup + options=(gnutls-serv --x509keyfile ${C_KEY[$idx]}) + options+=(--x509cafile '<(cat $(x509Cert ca) ${C_SUBCA[$idx]})') + options+=(--x509certfile '<(cat ${C_CERT[$idx]} ${C_SUBCA[$idx]})') + options+=(--http --port 4433 --priority NORMAL:+VERS-TLS1.2) + options+=(--require-client-cert --verify-client-cert) + rlRun "${options[*]} >server.log 2>server.err &" + gnutls_pid=$! 
+ rlRun "rlWaitForSocket -p $gnutls_pid 4433" + + # OpenSSL client setup + options=(openssl s_client -connect localhost:4433) + options+=(-CAfile $(x509Cert ca)) + options+=(-cert ${C_CLNT_CERT[$idx]} -key ${C_CLNT_KEY[$idx]}) + options+=(-cipher ${C_OPENSSL[$idx]}) + if [[ $proto == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlAssertGrep "RENEGOTIATING" $rlRun_LOG + rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + rlRun "kill $gnutls_pid" 0,1 + rlRun "rlWait $gnutls_pid" 1,143 + rlPhaseEnd done - rlRun "kill $gnutls_pid" 0,1 - rlRun "rlWait $gnutls_pid" 1,143 - rlPhaseEnd + done rlPhaseStartCleanup rlRun "popd" From 5aae8de3273c36af657b74046b4a6ffe6c3aad91 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Wed, 1 Feb 2017 19:46:27 +0100 Subject: [PATCH 2/5] Dump server logs on phase fail --- .../renegotiation-with-OpenSSL/runtest.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh index 0258b47..9cbb50c 100755 --- a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh +++ b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh @@ -336,6 +336,10 @@ rlJournalStart rlAssertNotGrep "failure" $rlRun_LOG -i rlRun "kill $openssl_pid" 0,1 rlRun "rlWait $openssl_pid" 143 + if ! rlGetPhaseState; then + rlRun "cat server.log" + rlRun "cat server.err" + fi rlPhaseEnd rlPhaseStartTest "OpenSSL <-> GNUTLS [${C_NAME[$idx]}, $proto, client auth]" @@ -365,6 +369,10 @@ rlJournalStart rlAssertNotGrep "failure" $rlRun_LOG -i rlRun "kill $openssl_pid" 0,1 rlRun "rlWait $openssl_pid" 143 + if ! rlGetPhaseState; then + rlRun "cat server.log" + rlRun "cat server.err" + fi rlPhaseEnd rlPhaseStartTest "GNUTLS <-> OpenSSL [${C_NAME[$idx]}, $proto]" 
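Review bot: The `tls1_2` runs are not actually pinned to TLS 1.2. In both `GNUTLS <-> OpenSSL` phases the `s_client` options only gain `-tls1_1` for the other protocol, and `--priority NORMAL:+VERS-TLS1.2` adds a version to `NORMAL` without removing any, so the negotiated version depends on the defaults of the installed builds. Add an `else` branch with `options+=(-tls1_2)` on the OpenSSL client, use `NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2` on the GnuTLS side, and assert the `Protocol` line of the `s_client` output so the phase name matches what was negotiated. Parts of the `OpenSSL <-> GNUTLS` phases are missing from this page, so their assertions could not be checked.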
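Review bot: The four-line log dump added before `rlPhaseEnd` in the `@@ -336,6 +336,10 @@` hunk is repeated verbatim in the three later hunks of this commit. A helper defined once, e.g. `dump_server_logs() { rlGetPhaseState || { rlRun "cat server.log"; rlRun "cat server.err"; }; }`, would keep the four phases in step if the log names or the dump logic change. Because the dump goes through `rlRun`, a missing `server.err` adds another failed assertion to an already failing phase; plain `cat` or `rlFileSubmit` would record the logs without that.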
@@ -388,6 +396,10 @@ rlJournalStart rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" rlRun "kill $gnutls_pid" 0,1 rlRun "rlWait $gnutls_pid" 1,143 + if ! rlGetPhaseState; then + rlRun "cat server.log" + rlRun "cat server.err" + fi rlPhaseEnd rlPhaseStartTest "GNUTLS <-> OpenSSL [${C_NAME[$idx]}, $proto, client auth]" @@ -414,6 +426,10 @@ rlJournalStart rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" rlRun "kill $gnutls_pid" 0,1 rlRun "rlWait $gnutls_pid" 1,143 + if ! rlGetPhaseState; then + rlRun "cat server.log" + rlRun "cat server.err" + fi rlPhaseEnd done done From 741c621750d981e2b59759d64aa69edc05ed65e1 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 13 Mar 2017 17:56:27 +0100 Subject: [PATCH 3/5] Disable this test on RHEL/CentOS 6 GnuTLS on RHEL 6 has minimal TLS 1.2 implementation and most of the ciphersuites/features used in this test don't work there. --- gnutls/Interoperability/renegotiation-with-OpenSSL/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls/Interoperability/renegotiation-with-OpenSSL/Makefile b/gnutls/Interoperability/renegotiation-with-OpenSSL/Makefile index 46b73d3..e600c26 100644 --- a/gnutls/Interoperability/renegotiation-with-OpenSSL/Makefile +++ b/gnutls/Interoperability/renegotiation-with-OpenSSL/Makefile @@ -59,5 +59,5 @@ $(METADATA): Makefile @echo "License: GPLv2" >> $(METADATA) @echo "Confidential: no" >> $(METADATA) @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA) From 862d0984aee306073797b798059244278418859e Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 13 Mar 2017 18:13:05 +0100 Subject: [PATCH 4/5] Use 1024-bit DSA keys with TLS_DHE_DSS_AES_128_CBC_SHA1 --- .../renegotiation-with-OpenSSL/runtest.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
diff --git a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
index 9cbb50c..848d452 100755
--- a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
+++ b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh
@@ -44,9 +44,11 @@ rlJournalStart
 rlRun "x509KeyGen -t ecdsa ecdsa-ca"
 rlRun "x509KeyGen rsa-server"
 rlRun "x509KeyGen -t dsa dsa-server"
+ rlRun "x509KeyGen -t dsa -s 1024 dsa-server-1024"
 rlRun "x509KeyGen -t ecdsa ecdsa-server"
 rlRun "x509KeyGen rsa-client"
 rlRun "x509KeyGen -t dsa dsa-client"
+ rlRun "x509KeyGen -t dsa -s 1024 dsa-client-1024"
 rlRun "x509KeyGen -t ecdsa ecdsa-client"
 rlRun "x509SelfSign ca"
 rlRun "x509CertSign --CA ca -t ca --DN 'CN=RSA CA' rsa-ca"
@@ -54,9 +56,11 @@ rlJournalStart
 rlRun "x509CertSign --CA ca -t ca --DN 'CN=ECDSA CA' ecdsa-ca"
 rlRun "x509CertSign --CA rsa-ca rsa-server"
 rlRun "x509CertSign --CA dsa-ca dsa-server"
+ rlRun "x509CertSign --CA dsa-ca dsa-server-1024"
 rlRun "x509CertSign --CA ecdsa-ca ecdsa-server"
 rlRun "x509CertSign --CA rsa-ca -t webclient rsa-client"
 rlRun "x509CertSign --CA dsa-ca -t webclient dsa-client"
+ rlRun "x509CertSign --CA dsa-ca -t webclient dsa-client-1024"
 rlRun "x509CertSign --CA ecdsa-ca -t webclient ecdsa-client"
 rlRun "x509DumpCert ca" 0 "Root CA"
 rlRun "x509DumpCert rsa-ca" 0 "Intermediate RSA CA"
@@ -64,9 +68,11 @@ rlJournalStart rlRun "x509DumpCert ecdsa-ca" 0 "Intermediate ECDSA CA" rlRun "x509DumpCert rsa-server" 0 "Server RSA certificate" rlRun "x509DumpCert dsa-server" 0 "Server DSA certificate" + rlRun "x509DumpCert dsa-server-1024" 0 "Server DSA certificate (1024-bit)" rlRun "x509DumpCert ecdsa-server" 0 "Server ECDSA certificate" rlRun "x509DumpCert rsa-client" 0 "Client RSA certificate" rlRun "x509DumpCert dsa-client" 0 "Client DSA certificate" + rlRun "x509DumpCert dsa-client-1024" 0 "Client DSA certificate (1024-bit)" rlRun "x509DumpCert ecdsa-client" 0 "Client ECDSA certificate" # Tested combinations @@ -176,10 +182,10 @@ rlJournalStart C_GNUTLS[$i]="TLS_DHE_DSS_AES_128_CBC_SHA1" C_TLS1_2_ONLY[$i]="False" C_SUBCA[$i]="$(x509Cert dsa-ca)" - C_CERT[$i]="$(x509Cert dsa-server)" - C_KEY[$i]="$(x509Key dsa-server)" - C_CLNT_CERT[$i]="$(x509Cert dsa-client)" - C_CLNT_KEY[$i]="$(x509Key dsa-client)" + C_CERT[$i]="$(x509Cert dsa-server-1024)" + C_KEY[$i]="$(x509Key dsa-server-1024)" + C_CLNT_CERT[$i]="$(x509Cert dsa-client-1024)" + C_CLNT_KEY[$i]="$(x509Key dsa-client-1024)" i=$(($i+1)) C_NAME[$i]="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" From 3b9010ca7b7032bf382b86dc2ee9e355c35621e0 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Tue, 21 Mar 2017 15:45:40 +0100 Subject: [PATCH 5/5] Explicitly enable DHE-DSS --- .../renegotiation-with-OpenSSL/runtest.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh index 848d452..cf37c9b 100755 --- a/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh +++ b/gnutls/Interoperability/renegotiation-with-OpenSSL/runtest.sh @@ -31,6 +31,7 @@ PACKAGE="gnutls" PACKAGES="gnutls openssl" +GNUTLS_PRIO="NORMAL:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256" rlJournalStart rlPhaseStartSetup 
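Review bot: Nothing in the `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` entry (hunk `@@ -176,10 +182,10 @@` of patch 4/5) says why it alone switches to the `dsa-*-1024` credentials generated in the earlier hunks. Since 1024-bit DSA is below current key-size guidance, a later reader may either "fix" it or copy it into other entries. Add a comment above the entry such as `# 1024-bit DSA on purpose: the only DHE_DSS suite also run with TLS 1.1; larger DSA keys presumably fail there (confirm) - test-only key size`. The intermediate `dsa-ca` keeps the default key size, and it would help to state whether that is intended.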
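Review bot: `GNUTLS_PRIO` (hunk `@@ -31,6 +31,7 @@` of patch 5/5) enables `+DHE-DSS` and the three `+SIGN-DSA-*` algorithms for every table entry. The RSA and ECDSA phases therefore no longer run against the stock `NORMAL` priority, and a regression in the defaults could go unnoticed. Consider choosing the priority per entry, e.g. `prio=NORMAL; [[ ${C_NAME[$idx]} == TLS_DHE_DSS_* ]] && prio=$GNUTLS_PRIO`, and using `$prio` at the `--priority` sites changed in the later hunks. A short comment on the variable naming the DSS suites it exists for would also help. The page shows fewer changed lines than the commit's diffstat (7 insertions, 6 deletions), so some `--priority` sites are not visible here.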
@@ -333,9 +334,9 @@ rlJournalStart options=(gnutls-cli --rehandshake --x509cafile $(x509Cert ca)) options+=(--port 4433) if [[ $proto == "tls1_1" ]]; then - options+=(--priority NORMAL:-VERS-TLS1.2) + options+=(--priority ${GNUTLS_PRIO}:-VERS-TLS1.2) else - options+=(--priority NORMAL:+VERS-TLS1.2) + options+=(--priority ${GNUTLS_PRIO}:+VERS-TLS1.2) fi rlRun -s "${options[*]} localhost server.log 2>server.err &" gnutls_pid=$! rlRun "rlWaitForSocket -p $gnutls_pid 4433" @@ -413,7 +414,7 @@ rlJournalStart options=(gnutls-serv --x509keyfile ${C_KEY[$idx]}) options+=(--x509cafile '<(cat $(x509Cert ca) ${C_SUBCA[$idx]})') options+=(--x509certfile '<(cat ${C_CERT[$idx]} ${C_SUBCA[$idx]})') - options+=(--http --port 4433 --priority NORMAL:+VERS-TLS1.2) + options+=(--http --port 4433 --priority ${GNUTLS_PRIO}:+VERS-TLS1.2) options+=(--require-client-cert --verify-client-cert) rlRun "${options[*]} >server.log 2>server.err &" gnutls_pid=$!