Update client authentication tests

Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: N Rich Salz <rsalz@openssl.org>

Update client authentication tests
Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: N Rich Salz <rsalz@openssl.org>
63936115 · Emilia Kasper · 66bceb5f · 63936115 · 63936115 · 63936115
5 changed file
--- a/test/certs/ee-client-chain.pem
+++ b/test/certs/ee-client-chain.pem
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0xNjAxMTUwODE5NTBaGA8yMTE2MDExNjA4MTk1MFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl
+MA0GCSqGSIb3DQEBCwUAA4IBAQB+x23yjviJ9/n0G65xjntoPCLpsZtqId+WvN/9
+sXGqRZyAnBWPFpWrf9qXdxXZpTw7KRfywnEVsUQP12XKCc9JH4tG4l/wCDaHi9qO
+pLstQskcXk40gWaU83ojjchdtDFBaxR5KxC83SR669Rw9mn66bWz/6zpK9VYohVh
+A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF
+VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws
+n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
+CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
+IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
+AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
+8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
+uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
+5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
+-----END CERTIFICATE-----
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {

 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 3;  # = scalar @conf_srcs
+plan tests => 4;  # = scalar @conf_srcs

 sub test_conf {
    plan tests => 3;

--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -311,11 +311,8 @@ sub testss {
 }

 sub testssl {
-    my $key = shift || bldtop_file("apps","server.pem");
-    my $cert = shift || bldtop_file("apps","server.pem");
-    my $CAtmp = shift;
+    my ($key, $cert, $CAtmp) = @_;
    my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
-    my @extra = @_;

    my @ssltest = ("ssltest_old",
 		   "-s_key", $key, "-s_cert", $cert,
@@ -334,47 +331,19 @@ sub testssl {

    subtest 'standard SSL tests' => sub {
 	######################################################################
-	plan tests => 29;
+        plan tests => 21;

      SKIP: {
 	  skip "SSLv3 is not supported by this OpenSSL build", 4
 	      if disabled("ssl3");

-	  ok(run(test([@ssltest, "-ssl3", @extra])),
-	     'test sslv3');
-	  ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
-	     'test sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
-	     'test sslv3 with client authentication');
-	  ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
-	     'test sslv3 with both server and client authentication');
-	}
-
-      SKIP: {
-	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
-	      if $no_anytls;
-
-	  ok(run(test([@ssltest, @extra])),
-	     'test sslv2/sslv3');
-	  ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with client authentication');
-	  ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with both server and client authentication');
-	}
-
-      SKIP: {
-	  skip "SSLv3 is not supported by this OpenSSL build", 4
-	      if disabled("ssl3");
-
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
 	     'test sslv3 via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
 	     'test sslv3 with server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
 	     'test sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
 	     'test sslv3 with both server and client authentication via BIO pair');
 	}

@@ -382,7 +351,7 @@ sub testssl {
 	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
 	      if $no_anytls;

-	  ok(run(test([@ssltest, "-bio_pair", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair"])),
 	     'test sslv2/sslv3 via BIO pair');
 	}

@@ -390,13 +359,13 @@ sub testssl {
 	  skip "DTLSv1 is not supported by this OpenSSL build", 4
 	      if disabled("dtls1");

-	  ok(run(test([@ssltest, "-dtls1", @extra])),
+	  ok(run(test([@ssltest, "-dtls1"])),
 	     'test dtlsv1');
-	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
 	   'test dtlsv1 with server authentication');
-	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
 	     'test dtlsv1 with client authentication');
-	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
 	     'test dtlsv1 with both server and client authentication');
 	}

@@ -404,13 +373,13 @@ sub testssl {
 	  skip "DTLSv1.2 is not supported by this OpenSSL build", 4
 	      if disabled("dtls1_2");

-	  ok(run(test([@ssltest, "-dtls12", @extra])),
+	  ok(run(test([@ssltest, "-dtls12"])),
 	     'test dtlsv1.2');
-	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
 	     'test dtlsv1.2 with server authentication');
-	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
 	     'test dtlsv1.2 with client authentication');
-	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
 	     'test dtlsv1.2 with both server and client authentication');
 	}

@@ -421,32 +390,32 @@ sub testssl {
 	SKIP: {
 	    skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;

-	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
+	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
 	       'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
 	  }

-	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
 	     'test sslv2/sslv3 with 1024bit DHE via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
 	     'test sslv2/sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
 	     'test sslv2/sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
 	     'test sslv2/sslv3 with both client and server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
 	     'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');

        SKIP: {
            skip "No IPv4 available on this machine", 1
                unless !disabled("sock") && have_IPv4();
-            ok(run(test([@ssltest, "-ipv4", @extra])),
+            ok(run(test([@ssltest, "-ipv4"])),
               'test TLS via IPv4');
          }

        SKIP: {
            skip "No IPv6 available on this machine", 1
                unless !disabled("sock") && have_IPv6();
-            ok(run(test([@ssltest, "-ipv6", @extra])),
+            ok(run(test([@ssltest, "-ipv6"])),
               'test TLS via IPv6');
          }
        }
@@ -525,7 +494,7 @@ sub testssl {
 	    skip "skipping anonymous DH tests", 1
 	      if ($no_dh);

-	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
 	  }

@@ -533,13 +502,13 @@ sub testssl {
 	    skip "skipping RSA tests", 2
 		if $no_rsa;

-	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');

 	    skip "skipping RSA+DHE tests", 1
 		if $no_dh;

-	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
 	  }

@@ -547,10 +516,10 @@ sub testssl {
 	    skip "skipping PSK tests", 2
 	        if ($no_psk);

-	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
 	       'test tls1 with PSK');

-	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
 	       'test tls1 with PSK via BIO pair');
 	  }
 	}
@@ -702,7 +671,7 @@ sub testssl {
 	      if $no_anytls;

 	  skip "skipping multi-buffer tests", 2
-	      if @extra || (POSIX::uname())[4] ne "x86_64";
+	      if (POSIX::uname())[4] ne "x86_64";

 	  ok(run(test([@ssltest, "-cipher", "AES128-SHA",    "-bytes", "8m"])));


--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
+# Generated with generate_ssl_tests.pl
+
+num_tests = 20
+
+test-0 = 0-server-auth-flex
+test-1 = 1-client-auth-flex-request
+test-2 = 2-client-auth-flex-require-fail
+test-3 = 3-client-auth-flex-require
+test-4 = 4-client-auth-flex-noroot
+test-5 = 5-server-auth-TLSv1
+test-6 = 6-client-auth-TLSv1-request
+test-7 = 7-client-auth-TLSv1-require-fail
+test-8 = 8-client-auth-TLSv1-require
+test-9 = 9-client-auth-TLSv1-noroot
+test-10 = 10-server-auth-TLSv1.1
+test-11 = 11-client-auth-TLSv1.1-request
+test-12 = 12-client-auth-TLSv1.1-require-fail
+test-13 = 13-client-auth-TLSv1.1-require
+test-14 = 14-client-auth-TLSv1.1-noroot
+test-15 = 15-server-auth-TLSv1.2
+test-16 = 16-client-auth-TLSv1.2-request
+test-17 = 17-client-auth-TLSv1.2-require-fail
+test-18 = 18-client-auth-TLSv1.2-require
+test-19 = 19-client-auth-TLSv1.2-noroot
+# ===========================================================
+
+[0-server-auth-flex]
+ssl_conf = 0-server-auth-flex-ssl
+
+[0-server-auth-flex-ssl]
+server = 0-server-auth-flex-server
+client = 0-server-auth-flex-client
+
+[0-server-auth-flex-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-server-auth-flex-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-client-auth-flex-request]
+ssl_conf = 1-client-auth-flex-request-ssl
+
+[1-client-auth-flex-request-ssl]
+server = 1-client-auth-flex-request-server
+client = 1-client-auth-flex-request-client
+
+[1-client-auth-flex-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+
+[1-client-auth-flex-request-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-client-auth-flex-require-fail]
+ssl_conf = 2-client-auth-flex-require-fail-ssl
+
+[2-client-auth-flex-require-fail-ssl]
+server = 2-client-auth-flex-require-fail-server
+client = 2-client-auth-flex-require-fail-client
+
+[2-client-auth-flex-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[2-client-auth-flex-require-fail-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-2]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[3-client-auth-flex-require]
+ssl_conf = 3-client-auth-flex-require-ssl
+
+[3-client-auth-flex-require-ssl]
+server = 3-client-auth-flex-require-server
+client = 3-client-auth-flex-require-client
+
+[3-client-auth-flex-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[3-client-auth-flex-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-3]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[4-client-auth-flex-noroot]
+ssl_conf = 4-client-auth-flex-noroot-ssl
+
+[4-client-auth-flex-noroot-ssl]
+server = 4-client-auth-flex-noroot-server
+client = 4-client-auth-flex-noroot-client
+
+[4-client-auth-flex-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+
+[4-client-auth-flex-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-4]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[5-server-auth-TLSv1]
+ssl_conf = 5-server-auth-TLSv1-ssl
+
+[5-server-auth-TLSv1-ssl]
+server = 5-server-auth-TLSv1-server
+client = 5-server-auth-TLSv1-client
+
+[5-server-auth-TLSv1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+
+
+[5-server-auth-TLSv1-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-5]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[6-client-auth-TLSv1-request]
+ssl_conf = 6-client-auth-TLSv1-request-ssl
+
+[6-client-auth-TLSv1-request-ssl]
+server = 6-client-auth-TLSv1-request-server
+client = 6-client-auth-TLSv1-request-client
+
+[6-client-auth-TLSv1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Request
+
+
+[6-client-auth-TLSv1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-6]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[7-client-auth-TLSv1-require-fail]
+ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
+
+[7-client-auth-TLSv1-require-fail-ssl]
+server = 7-client-auth-TLSv1-require-fail-server
+client = 7-client-auth-TLSv1-require-fail-client
+
+[7-client-auth-TLSv1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[7-client-auth-TLSv1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-7]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[8-client-auth-TLSv1-require]
+ssl_conf = 8-client-auth-TLSv1-require-ssl
+
+[8-client-auth-TLSv1-require-ssl]
+server = 8-client-auth-TLSv1-require-server
+client = 8-client-auth-TLSv1-require-client
+
+[8-client-auth-TLSv1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[8-client-auth-TLSv1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-8]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[9-client-auth-TLSv1-noroot]
+ssl_conf = 9-client-auth-TLSv1-noroot-ssl
+
+[9-client-auth-TLSv1-noroot-ssl]
+server = 9-client-auth-TLSv1-noroot-server
+client = 9-client-auth-TLSv1-noroot-client
+
+[9-client-auth-TLSv1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Require
+
+
+[9-client-auth-TLSv1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-9]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[10-server-auth-TLSv1.1]
+ssl_conf = 10-server-auth-TLSv1.1-ssl
+
+[10-server-auth-TLSv1.1-ssl]
+server = 10-server-auth-TLSv1.1-server
+client = 10-server-auth-TLSv1.1-client
+
+[10-server-auth-TLSv1.1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+
+
+[10-server-auth-TLSv1.1-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-10]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[11-client-auth-TLSv1.1-request]
+ssl_conf = 11-client-auth-TLSv1.1-request-ssl
+
+[11-client-auth-TLSv1.1-request-ssl]
+server = 11-client-auth-TLSv1.1-request-server
+client = 11-client-auth-TLSv1.1-request-client
+
+[11-client-auth-TLSv1.1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Request
+
+
+[11-client-auth-TLSv1.1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-11]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[12-client-auth-TLSv1.1-require-fail]
+ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
+
+[12-client-auth-TLSv1.1-require-fail-ssl]
+server = 12-client-auth-TLSv1.1-require-fail-server
+client = 12-client-auth-TLSv1.1-require-fail-client
+
+[12-client-auth-TLSv1.1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[12-client-auth-TLSv1.1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-12]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[13-client-auth-TLSv1.1-require]
+ssl_conf = 13-client-auth-TLSv1.1-require-ssl
+
+[13-client-auth-TLSv1.1-require-ssl]
+server = 13-client-auth-TLSv1.1-require-server
+client = 13-client-auth-TLSv1.1-require-client
+
+[13-client-auth-TLSv1.1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[13-client-auth-TLSv1.1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-13]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[14-client-auth-TLSv1.1-noroot]
+ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
+
+[14-client-auth-TLSv1.1-noroot-ssl]
+server = 14-client-auth-TLSv1.1-noroot-server
+client = 14-client-auth-TLSv1.1-noroot-client
+
+[14-client-auth-TLSv1.1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Require
+
+
+[14-client-auth-TLSv1.1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-14]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[15-server-auth-TLSv1.2]
+ssl_conf = 15-server-auth-TLSv1.2-ssl
+
+[15-server-auth-TLSv1.2-ssl]
+server = 15-server-auth-TLSv1.2-server
+client = 15-server-auth-TLSv1.2-client
+
+[15-server-auth-TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+
+
+[15-server-auth-TLSv1.2-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-15]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[16-client-auth-TLSv1.2-request]
+ssl_conf = 16-client-auth-TLSv1.2-request-ssl
+
+[16-client-auth-TLSv1.2-request-ssl]
+server = 16-client-auth-TLSv1.2-request-server
+client = 16-client-auth-TLSv1.2-request-client
+
+[16-client-auth-TLSv1.2-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Request
+
+
+[16-client-auth-TLSv1.2-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-16]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[17-client-auth-TLSv1.2-require-fail]
+ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
+
+[17-client-auth-TLSv1.2-require-fail-ssl]
+server = 17-client-auth-TLSv1.2-require-fail-server
+client = 17-client-auth-TLSv1.2-require-fail-client
+
+[17-client-auth-TLSv1.2-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[17-client-auth-TLSv1.2-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-17]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[18-client-auth-TLSv1.2-require]
+ssl_conf = 18-client-auth-TLSv1.2-require-ssl
+
+[18-client-auth-TLSv1.2-require-ssl]
+server = 18-client-auth-TLSv1.2-require-server
+client = 18-client-auth-TLSv1.2-require-client
+
+[18-client-auth-TLSv1.2-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[18-client-auth-TLSv1.2-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-18]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[19-client-auth-TLSv1.2-noroot]
+ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
+
+[19-client-auth-TLSv1.2-noroot-ssl]
+server = 19-client-auth-TLSv1.2-noroot-server
+client = 19-client-auth-TLSv1.2-noroot-client
+
+[19-client-auth-TLSv1.2-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Require
+
+
+[19-client-auth-TLSv1.2-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-19]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+setup("no_test_here");
+
+# We test version-flexible negotiation (undef) and each protocol version.
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+
+my @is_disabled = (0);
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+
+our @tests = ();
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+sub generate_tests() {
+
+    foreach (0..$#protocols) {
+        my $protocol = $protocols[$_];
+        my $protocol_name = $protocol || "flex";
+        if (!$is_disabled[$_]) {
+            # Sanity-check simple handshake.
+            push @tests, {
+                name => "server-auth-${protocol_name}",
+                server => {
+                    "Protocol" => $protocol
+                },
+                client => {
+                    "Protocol" => $protocol
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client cert requested but not required or received.
+            push @tests, {
+                name => "client-auth-${protocol_name}-request",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyMode" => "Request",
+                },
+                client => {
+                    "Protocol" => $protocol
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client cert required but not present.
+            push @tests, {
+                name => "client-auth-${protocol_name}-require-fail",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+                    "VerifyMode" => "Require",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                },
+                test   => {
+                    "ExpectedResult" => "ServerFail",
+                    "ServerAlert" => "HandshakeFailure",
+                },
+            };
+
+            # Successful handshake with client authentication.
+            push @tests, {
+                name => "client-auth-${protocol_name}-require",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+                    "VerifyMode" => "Request",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client authentication but without the root certificate.
+            push @tests, {
+                name => "client-auth-${protocol_name}-noroot",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyMode" => "Require",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+                },
+                test   => {
+                    "ExpectedResult" => "ServerFail",
+                    "ServerAlert" => "UnknownCA",
+                },
+            };
+        }
+    }
+}
+ 
+generate_tests();