Reorganize SSL test structures

Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: N Richard Levitte <levitte@openssl.org>

Reorganize SSL test structures
Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: N Richard Levitte <levitte@openssl.org>
9f48bbac · Emilia Kasper · a4a18b2f · 9f48bbac · 9f48bbac · 9f48bbac
28 changed file
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -45,7 +45,22 @@ An example test input looks like this:
    }
 ```
-The test section supports the following options:
+The test section supports the following options
+### Test mode
+* Method - the method to test. One of DTLS or TLS.
+* HandshakeMode - which handshake flavour to test:
+  - Simple - plain handshake (default)
+  - Resume - test resumption
+  - (Renegotiate - test renegotiation, not yet implemented)
+When HandshakeMode is Resume or Renegotiate, the original handshake is expected
+to succeed. All configured test expectations are verified against the second
+handshake.
+### Test expectations
 * ExpectedResult - expected handshake outcome. One of
  - Success - handshake success
@@ -53,54 +68,22 @@ The test section supports the following options:
  - ClientFail - clientside handshake failure
  - InternalError - some other error
-* ClientAlert, ServerAlert - expected alert. See `ssl_test_ctx.c` for known
+* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
-  values.
+  `ssl_test_ctx.c` for known values.
-* Protocol - expected negotiated protocol. One of
+* ExpectedProtocol - expected negotiated protocol. One of
  SSLv3, TLSv1, TLSv1.1, TLSv1.2.
-* ClientVerifyCallback - the client's custom certificate verify callback.
-  Used to test callback behaviour. One of
-  - None - no custom callback (default)
-  - AcceptAll - accepts all certificates.
-  - RejectAll - rejects all certificates.
-* Method - the method to test. One of DTLS or TLS.
-* ServerName - the server the client should attempt to connect to. One of
-  - None - do not use SNI (default)
-  - server1 - the initial context
-  - server2 - the secondary context
-  - invalid - an unknown context
-* ServerNameCallback - the SNI switching callback to use
-  - None - no callback (default)
-  - IgnoreMismatch - continue the handshake on SNI mismatch
-  - RejectMismatch - abort the handshake on SNI mismatch
 * SessionTicketExpected - whether or not a session ticket is expected
  - Ignore - do not check for a session ticket (default)
  - Yes - a session ticket is expected
  - No - a session ticket is not expected
-  - Broken - a special test case where the session ticket callback does not
-    initialize crypto
-* HandshakeMode - which handshake flavour to test:
-  - Simple - plain handshake (default)
-  - Resume - test resumption
-  - (Renegotiate - test renegotiation, not yet implemented)
 * ResumptionExpected - whether or not resumption is expected (Resume mode only)
  - Yes - resumed handshake
  - No - full handshake (default)
-When HandshakeMode is Resume or Renegotiate, the original handshake is expected
+* ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
-to succeed. All configured test expectations are verified against the second handshake.
-* ServerNPNProtocols, Server2NPNProtocols, ClientNPNProtocols, ExpectedNPNProtocol,
-  ServerALPNProtocols, Server2ALPNProtocols, ClientALPNProtocols, ExpectedALPNProtocol -
-  NPN and ALPN settings. Server and client protocols can be specified as a comma-separated list,
-  and a callback with the recommended behaviour will be installed automatically.
 ## Configuring the client and server
@@ -132,6 +115,52 @@ The following sections may optionally be defined:
  whenever HandshakeMode is Resume. If the resume_client section is not present,
  then the configuration matches client.
+### Configuring callbacks and additional options
+Additional handshake settings can be configured in the `extra` section of each
+client and server:
+```
+client => {
+    "CipherString" => "DEFAULT",
+    extra => {
+        "ServerName" => "server2",
+    }
+}
+```
+#### Supported client-side options
+* ClientVerifyCallback - the client's custom certificate verify callback.
+  Used to test callback behaviour. One of
+  - None - no custom callback (default)
+  - AcceptAll - accepts all certificates.
+  - RejectAll - rejects all certificates.
+* ServerName - the server the client should attempt to connect to. One of
+  - None - do not use SNI (default)
+  - server1 - the initial context
+  - server2 - the secondary context
+  - invalid - an unknown context
+#### Supported server-side options
+* ServerNameCallback - the SNI switching callback to use
+  - None - no callback (default)
+  - IgnoreMismatch - continue the handshake on SNI mismatch
+  - RejectMismatch - abort the handshake on SNI mismatch
+* BrokenSessionTicket - a special test case where the session ticket callback
+  does not initialize crypto.
+  - No (default)
+  - Yes
+#### Mutually supported options
+* NPNProtocols, ALPNProtocols - NPN and ALPN settings. Server and client
+  protocols can be specified as a comma-separated list, and a callback with the
+  recommended behaviour will be installed automatically.
 ### Default server and client configurations
 The default server certificate and CA files are added to the configurations

--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -46,7 +46,8 @@ sub print_templates {
        if (defined $test->{"server2"}) {
            $test->{"server2"} = { (%ssltests::base_server, %{$test->{"server2"}}) };
        } else {
-            if (defined $test->{"test"}->{"ServerNameCallback"}) {
+            if ($test->{"server"}->{"extra"} &&
+                defined $test->{"server"}->{"extra"}->{"ServerNameCallback"}) {
                # Default is the same as server.
                $test->{"reuse_server2"} = 1;
            }

--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -269,7 +269,7 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
 */
 static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
                                    SSL_CTX *client_ctx,
-                                    const SSL_TEST_CTX *test_ctx,
+                                    const SSL_TEST_EXTRA_CONF *extra,
                                    CTX_DATA *server_ctx_data,
                                    CTX_DATA *server2_ctx_data,
                                    CTX_DATA *client_ctx_data)
@@ -277,7 +277,7 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
    unsigned char *ticket_keys;
    size_t ticket_key_len;
-    switch (test_ctx->client_verify_callback) {
+    switch (extra->client.verify_callback) {
    case SSL_TEST_VERIFY_ACCEPT_ALL:
        SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb,
                                         NULL);
@@ -291,7 +291,7 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
    }
    /* link the two contexts for SNI purposes */
-    switch (test_ctx->servername_callback) {
+    switch (extra->server.servername_callback) {
    case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
        SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb);
        SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
@@ -313,49 +313,49 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
        SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx,
                                         do_not_call_session_ticket_cb);
-    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) {
+    if (extra->server.broken_session_ticket) {
        SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb);
    }
 #ifndef OPENSSL_NO_NEXTPROTONEG
-    if (test_ctx->server_npn_protocols != NULL) {
+    if (extra->server.npn_protocols != NULL) {
-        parse_protos(test_ctx->server_npn_protocols,
+        parse_protos(extra->server.npn_protocols,
                     &server_ctx_data->npn_protocols,
                     &server_ctx_data->npn_protocols_len);
        SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
                                              server_ctx_data);
    }
-    if (test_ctx->server2_npn_protocols != NULL) {
+    if (extra->server2.npn_protocols != NULL) {
-        parse_protos(test_ctx->server2_npn_protocols,
+        parse_protos(extra->server2.npn_protocols,
                     &server2_ctx_data->npn_protocols,
                     &server2_ctx_data->npn_protocols_len);
        OPENSSL_assert(server2_ctx != NULL);
        SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
                                              server2_ctx_data);
    }
-    if (test_ctx->client_npn_protocols != NULL) {
+    if (extra->client.npn_protocols != NULL) {
-        parse_protos(test_ctx->client_npn_protocols,
+        parse_protos(extra->client.npn_protocols,
                     &client_ctx_data->npn_protocols,
                     &client_ctx_data->npn_protocols_len);
        SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb,
                                         client_ctx_data);
    }
-    if (test_ctx->server_alpn_protocols != NULL) {
+    if (extra->server.alpn_protocols != NULL) {
-        parse_protos(test_ctx->server_alpn_protocols,
+        parse_protos(extra->server.alpn_protocols,
                     &server_ctx_data->alpn_protocols,
                     &server_ctx_data->alpn_protocols_len);
        SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data);
    }
-    if (test_ctx->server2_alpn_protocols != NULL) {
+    if (extra->server2.alpn_protocols != NULL) {
        OPENSSL_assert(server2_ctx != NULL);
-        parse_protos(test_ctx->server2_alpn_protocols,
+        parse_protos(extra->server2.alpn_protocols,
                     &server2_ctx_data->alpn_protocols,
                     &server2_ctx_data->alpn_protocols_len);
        SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data);
    }
-    if (test_ctx->client_alpn_protocols != NULL) {
+    if (extra->client.alpn_protocols != NULL) {
        unsigned char *alpn_protos = NULL;
        size_t alpn_protos_len;
-        parse_protos(test_ctx->client_alpn_protocols,
+        parse_protos(extra->client.alpn_protocols,
                     &alpn_protos, &alpn_protos_len);
        /* Reversed return value convention... */
        OPENSSL_assert(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos,
@@ -377,11 +377,11 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
 /* Configure per-SSL callbacks and other properties. */
 static void configure_handshake_ssl(SSL *server, SSL *client,
-                                    const SSL_TEST_CTX *test_ctx)
+                                    const SSL_TEST_EXTRA_CONF *extra)
 {
-    if (test_ctx->servername != SSL_TEST_SERVERNAME_NONE)
+    if (extra->client.servername != SSL_TEST_SERVERNAME_NONE)
        SSL_set_tlsext_host_name(client,
-                                 ssl_servername_name(test_ctx->servername));
+                                 ssl_servername_name(extra->client.servername));
 }
@@ -518,7 +518,7 @@ static char *dup_str(const unsigned char *in, size_t len)
 static HANDSHAKE_RESULT *do_handshake_internal(
    SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
-    const SSL_TEST_CTX *test_ctx, SSL_SESSION *session_in,
+    const SSL_TEST_EXTRA_CONF *extra, SSL_SESSION *session_in,
    SSL_SESSION **session_out)
 {
    SSL *server, *client;
@@ -542,14 +542,14 @@ static HANDSHAKE_RESULT *do_handshake_internal(
    memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
    memset(&client_ctx_data, 0, sizeof(client_ctx_data));
-    configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx,
+    configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, extra,
                            &server_ctx_data, &server2_ctx_data, &client_ctx_data);
    server = SSL_new(server_ctx);
    client = SSL_new(client_ctx);
    OPENSSL_assert(server != NULL && client != NULL);
-    configure_handshake_ssl(server, client, test_ctx);
+    configure_handshake_ssl(server, client, extra);
    if (session_in != NULL) {
        /* In case we're testing resumption without tickets. */
        OPENSSL_assert(SSL_CTX_add_session(server_ctx, session_in));
@@ -689,7 +689,7 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
    SSL_SESSION *session = NULL;
    result = do_handshake_internal(server_ctx, server2_ctx, client_ctx,
-                                   test_ctx, NULL, &session);
+                                   &test_ctx->extra, NULL, &session);
    if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_SIMPLE)
        goto end;
@@ -703,7 +703,7 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
    HANDSHAKE_RESULT_free(result);
    /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */
    result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx,
-                                   test_ctx, session, NULL);
+                                   &test_ctx->resume_extra, session, NULL);
 end:
    SSL_SESSION_free(session);
    return result;

--- a/test/ssl-tests/01-simple.conf
+++ b/test/ssl-tests/01-simple.conf
@@ -46,7 +46,7 @@ CipherString = DEFAULT
 VerifyMode = Peer
 [test-1]
-ClientAlert = UnknownCA
+ExpectedClientAlert = UnknownCA
 ExpectedResult = ClientFail
--- a/test/ssl-tests/01-simple.conf.in
+++ b/test/ssl-tests/01-simple.conf.in
@@ -28,7 +28,7 @@ our @tests = (
        },
        test   => {
          "ExpectedResult" => "ClientFail",
-          "ClientAlert" => "UnknownCA",
+          "ExpectedClientAlert" => "UnknownCA",
        },
    },
 );
--- a/test/ssl-tests/02-protocol-version.conf
+++ b/test/ssl-tests/02-protocol-version.conf
--- a/test/ssl-tests/03-custom_verify.conf
+++ b/test/ssl-tests/03-custom_verify.conf
@@ -54,9 +54,12 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-1]
-ClientAlert = HandshakeFailure
+ExpectedClientAlert = HandshakeFailure
-ClientVerifyCallback = RejectAll
 ExpectedResult = ClientFail
+client = 1-verify-custom-reject-client-extra
+[1-verify-custom-reject-client-extra]
+VerifyCallback = RejectAll
 # ===========================================================
@@ -79,8 +82,11 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-2]
-ClientVerifyCallback = AcceptAll
 ExpectedResult = Success
+client = 2-verify-custom-allow-client-extra
+[2-verify-custom-allow-client-extra]
+VerifyCallback = AcceptAll
 # ===========================================================
@@ -122,8 +128,11 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 CipherString = DEFAULT
 [test-4]
-ClientVerifyCallback = RejectAll
 ExpectedResult = Success
+client = 4-noverify-ignore-custom-reject-client-extra
+[4-noverify-ignore-custom-reject-client-extra]
+VerifyCallback = RejectAll
 # ===========================================================
@@ -144,8 +153,11 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 CipherString = DEFAULT
 [test-5]
-ClientVerifyCallback = AcceptAll
 ExpectedResult = Success
+client = 5-noverify-accept-custom-allow-client-extra
+[5-noverify-accept-custom-allow-client-extra]
+VerifyCallback = AcceptAll
 # ===========================================================
@@ -167,7 +179,7 @@ CipherString = DEFAULT
 VerifyMode = Peer
 [test-6]
-ClientAlert = UnknownCA
+ExpectedClientAlert = UnknownCA
 ExpectedResult = ClientFail
@@ -190,8 +202,11 @@ CipherString = DEFAULT
 VerifyMode = Peer
 [test-7]
-ClientVerifyCallback = AcceptAll
 ExpectedResult = Success
+client = 7-verify-custom-success-no-root-client-extra
+[7-verify-custom-success-no-root-client-extra]
+VerifyCallback = AcceptAll
 # ===========================================================
@@ -213,8 +228,11 @@ CipherString = DEFAULT
 VerifyMode = Peer
 [test-8]
-ClientAlert = HandshakeFailure
+ExpectedClientAlert = HandshakeFailure
-ClientVerifyCallback = RejectAll
 ExpectedResult = ClientFail
+client = 8-verify-custom-fail-no-root-client-extra
+[8-verify-custom-fail-no-root-client-extra]
+VerifyCallback = RejectAll
--- a/test/ssl-tests/03-custom_verify.conf.in
+++ b/test/ssl-tests/03-custom_verify.conf.in
@@ -26,11 +26,14 @@ our @tests = (
    {
        name => "verify-custom-reject",
        server => { },
-        client => { },
+        client => {
+            extra => {
+                "VerifyCallback" => "RejectAll",
+            },
+        },
        test   => {
-            "ClientVerifyCallback" => "RejectAll",
            "ExpectedResult" => "ClientFail",
-            "ClientAlert" => "HandshakeFailure",
+            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },
@@ -38,9 +41,12 @@ our @tests = (
    {
        name => "verify-custom-allow",
        server => { },
-        client => { },
+        client => {
+            extra => {
+                "VerifyCallback" => "AcceptAll",
+            },
+        },
        test   => {
-            "ClientVerifyCallback" => "AcceptAll",
            "ExpectedResult" => "Success",
        },
    },
@@ -65,9 +71,11 @@ our @tests = (
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
+            extra => {
+                "VerifyCallback" => "RejectAll",
+            },
        },
        test   => {
-            "ClientVerifyCallback" => "RejectAll",
            "ExpectedResult" => "Success",
        },
    },
@@ -80,9 +88,11 @@ our @tests = (
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
+            extra => {
+                "VerifyCallback" => "AcceptAll",
+            },
        },
        test   => {
-            "ClientVerifyCallback" => "AcceptAll",
            "ExpectedResult" => "Success",
        },
    },
@@ -98,7 +108,7 @@ our @tests = (
        },
        test   => {
          "ExpectedResult" => "ClientFail",
-          "ClientAlert" => "UnknownCA",
+          "ExpectedClientAlert" => "UnknownCA",
        },
    },
@@ -108,9 +118,11 @@ our @tests = (
        server => { },
        client => {
            "VerifyCAFile" => undef,
+            extra => {
+                "VerifyCallback" => "AcceptAll",
+            },
        },
        test   => {
-            "ClientVerifyCallback" => "AcceptAll",
            "ExpectedResult" => "Success"
        },
    },
@@ -121,14 +133,13 @@ our @tests = (
        server => { },
        client => {
            "VerifyCAFile" => undef,
+            extra => {
+                "VerifyCallback" => "RejectAll",
+            },
        },
        test   => {
-            "ClientVerifyCallback" => "RejectAll",
            "ExpectedResult" => "ClientFail",
-            "ClientAlert" => "HandshakeFailure",
+            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },
 );
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -92,7 +92,7 @@ VerifyMode = Peer
 [test-2]
 ExpectedResult = ServerFail
-ServerAlert = HandshakeFailure
+ExpectedServerAlert = HandshakeFailure
 # ===========================================================
@@ -146,7 +146,7 @@ VerifyMode = Peer
 [test-4]
 ExpectedResult = ServerFail
-ServerAlert = UnknownCA
+ExpectedServerAlert = UnknownCA
 # ===========================================================
@@ -231,7 +231,7 @@ VerifyMode = Peer
 [test-7]
 ExpectedResult = ServerFail
-ServerAlert = HandshakeFailure
+ExpectedServerAlert = HandshakeFailure
 # ===========================================================
@@ -293,7 +293,7 @@ VerifyMode = Peer
 [test-9]
 ExpectedResult = ServerFail
-ServerAlert = UnknownCA
+ExpectedServerAlert = UnknownCA
 # ===========================================================
@@ -378,7 +378,7 @@ VerifyMode = Peer
 [test-12]
 ExpectedResult = ServerFail
-ServerAlert = HandshakeFailure
+ExpectedServerAlert = HandshakeFailure
 # ===========================================================
@@ -440,7 +440,7 @@ VerifyMode = Peer
 [test-14]
 ExpectedResult = ServerFail
-ServerAlert = UnknownCA
+ExpectedServerAlert = UnknownCA
 # ===========================================================
@@ -525,7 +525,7 @@ VerifyMode = Peer
 [test-17]
 ExpectedResult = ServerFail
-ServerAlert = HandshakeFailure
+ExpectedServerAlert = HandshakeFailure
 # ===========================================================
@@ -587,6 +587,6 @@ VerifyMode = Peer
 [test-19]
 ExpectedResult = ServerFail
-ServerAlert = UnknownCA
+ExpectedServerAlert = UnknownCA
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -77,7 +77,7 @@ sub generate_tests() {
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => "HandshakeFailure",
+                    "ExpectedServerAlert" => "HandshakeFailure",
                },
            };
@@ -115,7 +115,7 @@ sub generate_tests() {
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => $caalert,
+                    "ExpectedServerAlert" => $caalert,
                },
            };
        }

--- a/test/ssl-tests/05-sni.conf
+++ b/test/ssl-tests/05-sni.conf
@@ -31,9 +31,16 @@ VerifyMode = Peer
 [test-0]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
+server = 0-SNI-switch-context-server-extra
+server2 = 0-SNI-switch-context-server-extra
+client = 0-SNI-switch-context-client-extra
+[0-SNI-switch-context-server-extra]
 ServerNameCallback = IgnoreMismatch
+[0-SNI-switch-context-client-extra]
+ServerName = server2
 # ===========================================================
@@ -58,9 +65,16 @@ VerifyMode = Peer
 [test-1]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
+server = 1-SNI-keep-context-server-extra
+server2 = 1-SNI-keep-context-server-extra
+client = 1-SNI-keep-context-client-extra
+[1-SNI-keep-context-server-extra]
 ServerNameCallback = IgnoreMismatch
+[1-SNI-keep-context-client-extra]
+ServerName = server1
 # ===========================================================
@@ -83,6 +97,9 @@ VerifyMode = Peer
 [test-2]
 ExpectedResult = Success
+client = 2-SNI-no-server-support-client-extra
+[2-SNI-no-server-support-client-extra]
 ServerName = server1
@@ -109,6 +126,10 @@ VerifyMode = Peer
 [test-3]
 ExpectedResult = Success
 ExpectedServerName = server1
+server = 3-SNI-no-client-support-server-extra
+server2 = 3-SNI-no-client-support-server-extra
+[3-SNI-no-client-support-server-extra]
 ServerNameCallback = IgnoreMismatch
@@ -135,9 +156,16 @@ VerifyMode = Peer
 [test-4]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = invalid
+server = 4-SNI-bad-sni-ignore-mismatch-server-extra
+server2 = 4-SNI-bad-sni-ignore-mismatch-server-extra
+client = 4-SNI-bad-sni-ignore-mismatch-client-extra
+[4-SNI-bad-sni-ignore-mismatch-server-extra]
 ServerNameCallback = IgnoreMismatch
+[4-SNI-bad-sni-ignore-mismatch-client-extra]
+ServerName = invalid
 # ===========================================================
@@ -161,8 +189,15 @@ VerifyMode = Peer
 [test-5]
 ExpectedResult = ServerFail
-ServerAlert = UnrecognizedName
+ExpectedServerAlert = UnrecognizedName
-ServerName = invalid
+server = 5-SNI-bad-sni-reject-mismatch-server-extra
+server2 = 5-SNI-bad-sni-reject-mismatch-server-extra
+client = 5-SNI-bad-sni-reject-mismatch-client-extra
+[5-SNI-bad-sni-reject-mismatch-server-extra]
 ServerNameCallback = RejectMismatch
+[5-SNI-bad-sni-reject-mismatch-client-extra]
+ServerName = invalid
--- a/test/ssl-tests/05-sni.conf.in
+++ b/test/ssl-tests/05-sni.conf.in
@@ -17,58 +17,96 @@ package ssltests;
 our @tests = (
    {
        name => "SNI-switch-context",
-        server => { },
+        server => {
-        client => { },
+            extra => {
-        test   => { "ServerName" => "server2",
+                "ServerNameCallback" => "IgnoreMismatch",
-                    "ExpectedServerName" => "server2",
+            },
-                    "ServerNameCallback" => "IgnoreMismatch",
+        },
-                    "ExpectedResult" => "Success" },
+        client => {
+            extra => {
+                "ServerName" => "server2",
+            },
+        },
+        test   => {
+            "ExpectedServerName" => "server2",
+            "ExpectedResult" => "Success"
+        },
    },
    {
        name => "SNI-keep-context",
-        server => { },
+        server => {
-        client => { },
+            extra => {
-        test   => { "ServerName" => "server1",
+                "ServerNameCallback" => "IgnoreMismatch",
-                    "ExpectedServerName" => "server1",
+            },
-                    "ServerNameCallback" => "IgnoreMismatch",
+        },
-                    "ExpectedResult" => "Success" },
+        client => {
+            extra => {
+                "ServerName" => "server1",
+            },
+        },
+        test   => {
+            "ExpectedServerName" => "server1",
+            "ExpectedResult" => "Success"
+        },
    },
    {
        name => "SNI-no-server-support",
        server => { },
-        client => { },
+        client => {
-        test   => { "ServerName" => "server1",
+            extra => {
-                    "ExpectedResult" => "Success" },
+                "ServerName" => "server1",
+            },
+        },
+        test   => { "ExpectedResult" => "Success" },
    },
    {
        name => "SNI-no-client-support",
-        server => { },
+        server => {
+            extra => {
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
        client => { },
        test   => {
            # We expect that the callback is still called
            # to let the application decide whether they tolerate
            # missing SNI (as our test callback does).
            "ExpectedServerName" => "server1",
-            "ServerNameCallback" => "IgnoreMismatch",
            "ExpectedResult" => "Success"
        },
    },
    {
        name => "SNI-bad-sni-ignore-mismatch",
-        server => { },
+        server => {
-        client => { },
+            extra => {
-        test   => { "ServerName" => "invalid",
+                "ServerNameCallback" => "IgnoreMismatch",
-                    "ExpectedServerName" => "server1",
+            },
-                    "ServerNameCallback" => "IgnoreMismatch",
+        },
-                    "ExpectedResult" => "Success" },
+        client => {
+            extra => {
+                "ServerName" => "invalid",
+            },
+        },
+        test   => {
+            "ExpectedServerName" => "server1",
+            "ExpectedResult" => "Success"
+        },
    },
    {
        name => "SNI-bad-sni-reject-mismatch",
-        server => { },
+        server => {
-        client => { },
+            extra => {
-        test   => { "ServerName" => "invalid",
+                "ServerNameCallback" => "RejectMismatch",
-                    "ServerNameCallback" => "RejectMismatch",
+            },
-                    "ExpectedResult" => "ServerFail",
+        },
-                    "ServerAlert" => "UnrecognizedName"},
+        client => {
+            extra => {
+                "ServerName" => "invalid",
+            },
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail",
+            "ExpectedServerAlert" => "UnrecognizedName"
+        },
    },
 );
--- a/test/ssl-tests/06-sni-ticket.conf
+++ b/test/ssl-tests/06-sni-ticket.conf
@@ -49,8 +49,15 @@ VerifyMode = Peer
 [test-0]
 ExpectedResult = Success
+SessionTicketExpected = No
+server = 0-sni-session-ticket-server-extra
+client = 0-sni-session-ticket-client-extra
+[0-sni-session-ticket-server-extra]
+BrokenSessionTicket = Yes
+[0-sni-session-ticket-client-extra]
 ServerName = server1
-SessionTicketExpected = Broken
 # ===========================================================
@@ -84,9 +91,15 @@ VerifyMode = Peer
 [test-1]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = Yes
+server = 1-sni-session-ticket-server-extra
+client = 1-sni-session-ticket-client-extra
+[1-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[1-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -120,9 +133,15 @@ VerifyMode = Peer
 [test-2]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = Yes
+server = 2-sni-session-ticket-server-extra
+client = 2-sni-session-ticket-client-extra
+[2-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[2-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -156,9 +175,15 @@ VerifyMode = Peer
 [test-3]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = Yes
+server = 3-sni-session-ticket-server-extra
+client = 3-sni-session-ticket-client-extra
+[3-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[3-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -192,9 +217,15 @@ VerifyMode = Peer
 [test-4]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 4-sni-session-ticket-server-extra
+client = 4-sni-session-ticket-client-extra
+[4-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[4-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -228,9 +259,15 @@ VerifyMode = Peer
 [test-5]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 5-sni-session-ticket-server-extra
+client = 5-sni-session-ticket-client-extra
+[5-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[5-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -264,9 +301,15 @@ VerifyMode = Peer
 [test-6]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 6-sni-session-ticket-server-extra
+client = 6-sni-session-ticket-client-extra
+[6-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[6-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -300,9 +343,15 @@ VerifyMode = Peer
 [test-7]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 7-sni-session-ticket-server-extra
+client = 7-sni-session-ticket-client-extra
+[7-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[7-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -336,9 +385,15 @@ VerifyMode = Peer
 [test-8]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 8-sni-session-ticket-server-extra
+client = 8-sni-session-ticket-client-extra
+[8-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[8-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -372,9 +427,15 @@ VerifyMode = Peer
 [test-9]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 9-sni-session-ticket-server-extra
+client = 9-sni-session-ticket-client-extra
+[9-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[9-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -408,9 +469,15 @@ VerifyMode = Peer
 [test-10]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 10-sni-session-ticket-server-extra
+client = 10-sni-session-ticket-client-extra
+[10-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[10-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -444,9 +511,15 @@ VerifyMode = Peer
 [test-11]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 11-sni-session-ticket-server-extra
+client = 11-sni-session-ticket-client-extra
+[11-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[11-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -480,9 +553,15 @@ VerifyMode = Peer
 [test-12]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 12-sni-session-ticket-server-extra
+client = 12-sni-session-ticket-client-extra
+[12-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[12-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -516,9 +595,15 @@ VerifyMode = Peer
 [test-13]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 13-sni-session-ticket-server-extra
+client = 13-sni-session-ticket-client-extra
+[13-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[13-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -552,9 +637,15 @@ VerifyMode = Peer
 [test-14]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 14-sni-session-ticket-server-extra
+client = 14-sni-session-ticket-client-extra
+[14-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[14-sni-session-ticket-client-extra]
+ServerName = server2
 # ===========================================================
@@ -588,9 +679,15 @@ VerifyMode = Peer
 [test-15]
 ExpectedResult = Success
 ExpectedServerName = server1
-ServerName = server1
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 15-sni-session-ticket-server-extra
+client = 15-sni-session-ticket-client-extra
+[15-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[15-sni-session-ticket-client-extra]
+ServerName = server1
 # ===========================================================
@@ -624,8 +721,14 @@ VerifyMode = Peer
 [test-16]
 ExpectedResult = Success
 ExpectedServerName = server2
-ServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = No
+server = 16-sni-session-ticket-server-extra
+client = 16-sni-session-ticket-client-extra
+[16-sni-session-ticket-server-extra]
+ServerNameCallback = IgnoreMismatch
+[16-sni-session-ticket-client-extra]
+ServerName = server2
--- a/test/ssl-tests/06-sni-ticket.conf.in
+++ b/test/ssl-tests/06-sni-ticket.conf.in
@@ -27,18 +27,22 @@ sub generate_tests() {
                        "name" => "sni-session-ticket",
                        "client" => {
                            "Options" => $c,
+                            "extra" => {
+                                "ServerName" => $n,
+                            },
                        },
                        "server" => {
                            "Options" => $s1,
+                            "extra" => {
+                                # We don't test mismatch here.
+                                "ServerNameCallback" => "IgnoreMismatch",
+                            },
                        },
 			"server2" => {
 			    "Options" => $s2,
 			},
                        "test" => {
-                            "ServerName" => $n,
                            "ExpectedServerName" => $n,
-                            # We don't test mismatch here.
-                            "ServerNameCallback" => "IgnoreMismatch",
                            "ExpectedResult" => "Success",
 			    "SessionTicketExpected" => $result,
                        }
@@ -69,17 +73,22 @@ push @tests, {
    "name" => "sni-session-ticket",
    "client" => {
 	"Options" => "SessionTicket",
+        "extra" => {
+            "ServerName" => "server1",
+        }
    },
    "server" => {
 	"Options" => "SessionTicket",
+        "extra" => {
+              "BrokenSessionTicket" => "Yes",
+        },
    },
    "server2" => {
 	"Options" => "SessionTicket",
    },
    "test" => {
-	"ServerName" => "server1",
 	"ExpectedResult" => "Success",
-	"SessionTicketExpected" => "Broken",
+	"SessionTicketExpected" => "No",
    }
 };

--- a/test/ssl-tests/07-dtls-protocol-version.conf
+++ b/test/ssl-tests/07-dtls-protocol-version.conf
@@ -88,9 +88,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-0]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -115,9 +115,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-1]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -141,9 +141,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-2]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -169,9 +169,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-3]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -197,9 +197,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-4]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -224,9 +224,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-5]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -304,9 +304,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-8]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -331,9 +331,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-9]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -357,9 +357,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-10]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -385,9 +385,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-11]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -413,9 +413,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-12]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -440,9 +440,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-13]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -468,9 +468,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-14]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -495,9 +495,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-15]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -521,9 +521,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-16]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -547,9 +547,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-17]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -572,9 +572,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-18]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -599,9 +599,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-19]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -626,9 +626,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-20]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -652,9 +652,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-21]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -679,9 +679,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-22]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -705,9 +705,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-23]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -733,9 +733,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-24]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -761,9 +761,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-25]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -788,9 +788,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-26]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -817,9 +817,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-27]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -846,9 +846,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-28]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -874,9 +874,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-29]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -957,9 +957,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-32]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -985,9 +985,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-33]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1012,9 +1012,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-34]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1041,9 +1041,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-35]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -1070,9 +1070,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-36]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1098,9 +1098,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-37]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1127,9 +1127,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-38]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1155,9 +1155,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-39]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1182,9 +1182,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-40]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -1209,9 +1209,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-41]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1235,9 +1235,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-42]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1263,9 +1263,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-43]
+ExpectedProtocol = DTLSv1
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1
 # ===========================================================
@@ -1291,9 +1291,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-44]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1318,9 +1318,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-45]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1346,9 +1346,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-46]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1373,9 +1373,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-47]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1428,9 +1428,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-49]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1455,9 +1455,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-50]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1512,9 +1512,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-52]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1540,9 +1540,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-53]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1569,9 +1569,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-54]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1597,9 +1597,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-55]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1650,9 +1650,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-57]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1676,9 +1676,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-58]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1731,9 +1731,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-60]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1758,9 +1758,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-61]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1786,9 +1786,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-62]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
 # ===========================================================
@@ -1813,8 +1813,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-63]
+ExpectedProtocol = DTLSv1.2
 ExpectedResult = Success
 Method = DTLS
-Protocol = DTLSv1.2
--- a/test/ssl-tests/08-npn.conf
+++ b/test/ssl-tests/08-npn.conf
@@ -34,9 +34,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-0]
-ClientNPNProtocols = foo
 ExpectedNPNProtocol = foo
-ServerNPNProtocols = foo
+server = 0-npn-simple-server-extra
+client = 0-npn-simple-client-extra
+[0-npn-simple-server-extra]
+NPNProtocols = foo
+[0-npn-simple-client-extra]
+NPNProtocols = foo
 # ===========================================================
@@ -59,9 +65,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-1]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = bar
-ServerNPNProtocols = baz,bar
+server = 1-npn-client-finds-match-server-extra
+client = 1-npn-client-finds-match-client-extra
+[1-npn-client-finds-match-server-extra]
+NPNProtocols = baz,bar
+[1-npn-client-finds-match-client-extra]
+NPNProtocols = foo,bar
 # ===========================================================
@@ -84,9 +96,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-2]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = bar
-ServerNPNProtocols = bar,foo
+server = 2-npn-client-honours-server-pref-server-extra
+client = 2-npn-client-honours-server-pref-client-extra
+[2-npn-client-honours-server-pref-server-extra]
+NPNProtocols = bar,foo
+[2-npn-client-honours-server-pref-client-extra]
+NPNProtocols = foo,bar
 # ===========================================================
@@ -109,9 +127,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-3]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = foo
-ServerNPNProtocols = baz
+server = 3-npn-client-first-pref-on-mismatch-server-extra
+client = 3-npn-client-first-pref-on-mismatch-client-extra
+[3-npn-client-first-pref-on-mismatch-server-extra]
+NPNProtocols = baz
+[3-npn-client-first-pref-on-mismatch-client-extra]
+NPNProtocols = foo,bar
 # ===========================================================
@@ -134,7 +158,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-4]
-ClientNPNProtocols = foo
+client = 4-npn-no-server-support-client-extra
+[4-npn-no-server-support-client-extra]
+NPNProtocols = foo
 # ===========================================================
@@ -157,7 +184,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-5]
-ServerNPNProtocols = foo
+server = 5-npn-no-client-support-server-extra
+[5-npn-no-client-support-server-extra]
+NPNProtocols = foo
 # ===========================================================
@@ -186,14 +216,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-6]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = foo
 ExpectedServerName = server1
-Server2NPNProtocols = bar
+server = 6-npn-with-sni-no-context-switch-server-extra
-ServerNPNProtocols = foo
+server2 = 6-npn-with-sni-no-context-switch-server2-extra
-ServerName = server1
+client = 6-npn-with-sni-no-context-switch-client-extra
+[6-npn-with-sni-no-context-switch-server-extra]
+NPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
+[6-npn-with-sni-no-context-switch-server2-extra]
+NPNProtocols = bar
+[6-npn-with-sni-no-context-switch-client-extra]
+NPNProtocols = foo,bar
+ServerName = server1
 # ===========================================================
@@ -221,14 +260,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-7]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-Server2NPNProtocols = bar
+server = 7-npn-with-sni-context-switch-server-extra
-ServerNPNProtocols = foo
+server2 = 7-npn-with-sni-context-switch-server2-extra
-ServerName = server2
+client = 7-npn-with-sni-context-switch-client-extra
+[7-npn-with-sni-context-switch-server-extra]
+NPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
+[7-npn-with-sni-context-switch-server2-extra]
+NPNProtocols = bar
+[7-npn-with-sni-context-switch-client-extra]
+NPNProtocols = foo,bar
+ServerName = server2
 # ===========================================================
@@ -256,13 +304,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-8]
-ClientNPNProtocols = foo,bar
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-Server2NPNProtocols = bar
+server = 8-npn-selected-sni-server-supports-npn-server-extra
-ServerName = server2
+server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
+client = 8-npn-selected-sni-server-supports-npn-client-extra
+[8-npn-selected-sni-server-supports-npn-server-extra]
 ServerNameCallback = IgnoreMismatch
+[8-npn-selected-sni-server-supports-npn-server2-extra]
+NPNProtocols = bar
+[8-npn-selected-sni-server-supports-npn-client-extra]
+NPNProtocols = foo,bar
+ServerName = server2
 # ===========================================================
@@ -290,12 +347,18 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-9]
-ClientNPNProtocols = foo,bar
 ExpectedServerName = server2
-ServerNPNProtocols = foo
+server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
-ServerName = server2
+client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
+[9-npn-selected-sni-server-does-not-support-npn-server-extra]
+NPNProtocols = bar
 ServerNameCallback = IgnoreMismatch
+[9-npn-selected-sni-server-does-not-support-npn-client-extra]
+NPNProtocols = foo,bar
+ServerName = server2
 # ===========================================================
@@ -317,11 +380,17 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-10]
-ClientALPNProtocols = foo
-ClientNPNProtocols = bar
 ExpectedALPNProtocol = foo
-ServerALPNProtocols = foo
+server = 10-alpn-preferred-over-npn-server-extra
-ServerNPNProtocols = bar
+client = 10-alpn-preferred-over-npn-client-extra
+[10-alpn-preferred-over-npn-server-extra]
+ALPNProtocols = foo
+NPNProtocols = bar
+[10-alpn-preferred-over-npn-client-extra]
+ALPNProtocols = foo
+NPNProtocols = bar
 # ===========================================================
@@ -350,13 +419,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-11]
-ClientALPNProtocols = foo
-ClientNPNProtocols = bar
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-Server2NPNProtocols = bar
+server = 11-sni-npn-preferred-over-alpn-server-extra
-ServerALPNProtocols = foo
+server2 = 11-sni-npn-preferred-over-alpn-server2-extra
-ServerName = server2
+client = 11-sni-npn-preferred-over-alpn-client-extra
+[11-sni-npn-preferred-over-alpn-server-extra]
+ALPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
+[11-sni-npn-preferred-over-alpn-server2-extra]
+NPNProtocols = bar
+[11-sni-npn-preferred-over-alpn-client-extra]
+ALPNProtocols = foo
+NPNProtocols = bar
+ServerName = server2
--- a/test/ssl-tests/08-npn.conf.in
+++ b/test/ssl-tests/08-npn.conf.in
@@ -18,148 +18,226 @@ package ssltests;
 our @tests = (
    {
        name => "npn-simple",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "NPNProtocols" => "foo",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo",
-             "ServerNPNProtocols" => "foo",
             "ExpectedNPNProtocol" => "foo",
        },
    },
    {
        name => "npn-client-finds-match",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "NPNProtocols" => "baz,bar",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "baz,bar",
             "ExpectedNPNProtocol" => "bar",
        },
    },
    {
        name => "npn-client-honours-server-pref",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "NPNProtocols" => "bar,foo",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "bar,foo",
             "ExpectedNPNProtocol" => "bar",
        },
    },
    {
        name => "npn-client-first-pref-on-mismatch",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "NPNProtocols" => "baz",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "baz",
             "ExpectedNPNProtocol" => "foo",
        },
    },
    {
        name => "npn-no-server-support",
        server => { },
-        client => { },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo",
             "ExpectedNPNProtocol" => undef,
        },
    },
    {
        name => "npn-no-client-support",
-        server => { },
+        server => {
+            extra => {
+                "NPNProtocols" => "foo",
+            },
+        },
        client => { },
        test => {
-             "ServerNPNProtocols" => "foo",
             "ExpectedNPNProtocol" => undef,
        },
    },
    {
        name => "npn-with-sni-no-context-switch",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "NPNProtocols" => "foo",
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "NPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+                "ServerName" => "server1",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "foo",
-             "Server2NPNProtocols" => "bar",
-             "ServerName" => "server1",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server1",
             "ExpectedNPNProtocol" => "foo",
        },
    },
    {
        name => "npn-with-sni-context-switch",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "NPNProtocols" => "foo",
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "NPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "foo",
-             "Server2NPNProtocols" => "bar",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedNPNProtocol" => "bar",
        },
    },
    {
        name => "npn-selected-sni-server-supports-npn",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "NPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "Server2NPNProtocols" => "bar",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedNPNProtocol" => "bar",
        },
    },
    {
        name => "npn-selected-sni-server-does-not-support-npn",
-        server => { },
+        server => {
+            extra => {
+                "NPNProtocols" => "bar",
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
        server2 => { },
-        client => { },
+        client => {
+            extra => {
+                "NPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientNPNProtocols" => "foo,bar",
-             "ServerNPNProtocols" => "foo",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedNPNProtocol" => undef,
        },
    },
    {
        name => "alpn-preferred-over-npn",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "ALPNProtocols" => "foo",
+                "NPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo",
+                "NPNProtocols" => "bar",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo",
-             "ClientNPNProtocols" => "bar",
-             "ServerALPNProtocols" => "foo",
-             "ServerNPNProtocols" => "bar",
             "ExpectedALPNProtocol" => "foo",
             "ExpectedNPNProtocol" => undef,
        },
    },
    {
        name => "sni-npn-preferred-over-alpn",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "ServerNameCallback" => "IgnoreMismatch",
+                "ALPNProtocols" => "foo",
+            },
+        },
+        server2 => {
+            extra => {
+                "NPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "ServerName" => "server2",
+                "ALPNProtocols" => "foo",
+                "NPNProtocols" => "bar",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo",
-             "ClientNPNProtocols" => "bar",
-             "ServerALPNProtocols" => "foo",
-             "Server2NPNProtocols" => "bar",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
-             "ExpectedServerName" => "server2",
             "ExpectedALPNProtocol" => undef,
             "ExpectedNPNProtocol" => "bar",
+             "ExpectedServerName" => "server2",  
        },
    },
 );
--- a/test/ssl-tests/09-alpn.conf
+++ b/test/ssl-tests/09-alpn.conf
@@ -3,8 +3,8 @@
 num_tests = 10
 test-0 = 0-alpn-simple
-test-1 = 1-alpn-client-finds-match
+test-1 = 1-alpn-server-finds-match
-test-2 = 2-alpn-client-honours-server-pref
+test-2 = 2-alpn-server-honours-server-pref
 test-3 = 3-alpn-alert-on-mismatch
 test-4 = 4-alpn-no-server-support
 test-5 = 5-alpn-no-client-support
@@ -32,59 +32,77 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-0]
-ClientALPNProtocols = foo
 ExpectedALPNProtocol = foo
-ServerALPNProtocols = foo
+server = 0-alpn-simple-server-extra
+client = 0-alpn-simple-client-extra
+[0-alpn-simple-server-extra]
+ALPNProtocols = foo
+[0-alpn-simple-client-extra]
+ALPNProtocols = foo
 # ===========================================================
-[1-alpn-client-finds-match]
+[1-alpn-server-finds-match]
-ssl_conf = 1-alpn-client-finds-match-ssl
+ssl_conf = 1-alpn-server-finds-match-ssl
-[1-alpn-client-finds-match-ssl]
+[1-alpn-server-finds-match-ssl]
-server = 1-alpn-client-finds-match-server
+server = 1-alpn-server-finds-match-server
-client = 1-alpn-client-finds-match-client
+client = 1-alpn-server-finds-match-client
-[1-alpn-client-finds-match-server]
+[1-alpn-server-finds-match-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[1-alpn-client-finds-match-client]
+[1-alpn-server-finds-match-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-1]
-ClientALPNProtocols = foo,bar
 ExpectedALPNProtocol = bar
-ServerALPNProtocols = baz,bar
+server = 1-alpn-server-finds-match-server-extra
+client = 1-alpn-server-finds-match-client-extra
+[1-alpn-server-finds-match-server-extra]
+ALPNProtocols = baz,bar
+[1-alpn-server-finds-match-client-extra]
+ALPNProtocols = foo,bar
 # ===========================================================
-[2-alpn-client-honours-server-pref]
+[2-alpn-server-honours-server-pref]
-ssl_conf = 2-alpn-client-honours-server-pref-ssl
+ssl_conf = 2-alpn-server-honours-server-pref-ssl
-[2-alpn-client-honours-server-pref-ssl]
+[2-alpn-server-honours-server-pref-ssl]
-server = 2-alpn-client-honours-server-pref-server
+server = 2-alpn-server-honours-server-pref-server
-client = 2-alpn-client-honours-server-pref-client
+client = 2-alpn-server-honours-server-pref-client
-[2-alpn-client-honours-server-pref-server]
+[2-alpn-server-honours-server-pref-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[2-alpn-client-honours-server-pref-client]
+[2-alpn-server-honours-server-pref-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-2]
-ClientALPNProtocols = foo,bar
 ExpectedALPNProtocol = bar
-ServerALPNProtocols = bar,foo
+server = 2-alpn-server-honours-server-pref-server-extra
+client = 2-alpn-server-honours-server-pref-client-extra
+[2-alpn-server-honours-server-pref-server-extra]
+ALPNProtocols = bar,foo
+[2-alpn-server-honours-server-pref-client-extra]
+ALPNProtocols = foo,bar
 # ===========================================================
@@ -107,10 +125,16 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-3]
-ClientALPNProtocols = foo,bar
 ExpectedResult = ServerFail
-ServerALPNProtocols = baz
+ExpectedServerAlert = NoApplicationProtocol
-ServerAlert = NoApplicationProtocol
+server = 3-alpn-alert-on-mismatch-server-extra
+client = 3-alpn-alert-on-mismatch-client-extra
+[3-alpn-alert-on-mismatch-server-extra]
+ALPNProtocols = baz
+[3-alpn-alert-on-mismatch-client-extra]
+ALPNProtocols = foo,bar
 # ===========================================================
@@ -133,7 +157,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-4]
-ClientALPNProtocols = foo
+client = 4-alpn-no-server-support-client-extra
+[4-alpn-no-server-support-client-extra]
+ALPNProtocols = foo
 # ===========================================================
@@ -156,7 +183,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-5]
-ServerALPNProtocols = foo
+server = 5-alpn-no-client-support-server-extra
+[5-alpn-no-client-support-server-extra]
+ALPNProtocols = foo
 # ===========================================================
@@ -185,14 +215,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-6]
-ClientALPNProtocols = foo,bar
 ExpectedALPNProtocol = foo
 ExpectedServerName = server1
-Server2ALPNProtocols = bar
+server = 6-alpn-with-sni-no-context-switch-server-extra
-ServerALPNProtocols = foo
+server2 = 6-alpn-with-sni-no-context-switch-server2-extra
-ServerName = server1
+client = 6-alpn-with-sni-no-context-switch-client-extra
+[6-alpn-with-sni-no-context-switch-server-extra]
+ALPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
+[6-alpn-with-sni-no-context-switch-server2-extra]
+ALPNProtocols = bar
+[6-alpn-with-sni-no-context-switch-client-extra]
+ALPNProtocols = foo,bar
+ServerName = server1
 # ===========================================================
@@ -220,14 +259,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-7]
-ClientALPNProtocols = foo,bar
 ExpectedALPNProtocol = bar
 ExpectedServerName = server2
-Server2ALPNProtocols = bar
+server = 7-alpn-with-sni-context-switch-server-extra
-ServerALPNProtocols = foo
+server2 = 7-alpn-with-sni-context-switch-server2-extra
-ServerName = server2
+client = 7-alpn-with-sni-context-switch-client-extra
+[7-alpn-with-sni-context-switch-server-extra]
+ALPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
+[7-alpn-with-sni-context-switch-server2-extra]
+ALPNProtocols = bar
+[7-alpn-with-sni-context-switch-client-extra]
+ALPNProtocols = foo,bar
+ServerName = server2
 # ===========================================================
@@ -255,13 +303,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-8]
-ClientALPNProtocols = foo,bar
 ExpectedALPNProtocol = bar
 ExpectedServerName = server2
-Server2ALPNProtocols = bar
+server = 8-alpn-selected-sni-server-supports-alpn-server-extra
-ServerName = server2
+server2 = 8-alpn-selected-sni-server-supports-alpn-server2-extra
+client = 8-alpn-selected-sni-server-supports-alpn-client-extra
+[8-alpn-selected-sni-server-supports-alpn-server-extra]
 ServerNameCallback = IgnoreMismatch
+[8-alpn-selected-sni-server-supports-alpn-server2-extra]
+ALPNProtocols = bar
+[8-alpn-selected-sni-server-supports-alpn-client-extra]
+ALPNProtocols = foo,bar
+ServerName = server2
 # ===========================================================
@@ -289,10 +346,16 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-9]
-ClientALPNProtocols = foo,bar
 ExpectedServerName = server2
-ServerALPNProtocols = foo
+server = 9-alpn-selected-sni-server-does-not-support-alpn-server-extra
-ServerName = server2
+client = 9-alpn-selected-sni-server-does-not-support-alpn-client-extra
+[9-alpn-selected-sni-server-does-not-support-alpn-server-extra]
+ALPNProtocols = bar
 ServerNameCallback = IgnoreMismatch
+[9-alpn-selected-sni-server-does-not-support-alpn-client-extra]
+ALPNProtocols = foo,bar
+ServerName = server2
--- a/test/ssl-tests/09-alpn.conf.in
+++ b/test/ssl-tests/09-alpn.conf.in
@@ -18,117 +18,180 @@ package ssltests;
 our @tests = (
    {
        name => "alpn-simple",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "ALPNProtocols" => "foo",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo",
-             "ServerALPNProtocols" => "foo",
             "ExpectedALPNProtocol" => "foo",
        },
    },
    {
-        name => "alpn-client-finds-match",
+        name => "alpn-server-finds-match",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "ALPNProtocols" => "baz,bar",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "baz,bar",
             "ExpectedALPNProtocol" => "bar",
        },
    },
    {
-        name => "alpn-client-honours-server-pref",
+        name => "alpn-server-honours-server-pref",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "ALPNProtocols" => "bar,foo",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "bar,foo",
             "ExpectedALPNProtocol" => "bar",
        },
    },
    {
        name => "alpn-alert-on-mismatch",
-        server => { },
+        server => {
-        client => { },
+            extra => {
+                "ALPNProtocols" => "baz",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "baz",
             "ExpectedResult" => "ServerFail",
-             "ServerAlert" => "NoApplicationProtocol",
+             "ExpectedServerAlert" => "NoApplicationProtocol",
        },
    },
    {
        name => "alpn-no-server-support",
        server => { },
-        client => { },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo",
             "ExpectedALPNProtocol" => undef,
        },
    },
    {
        name => "alpn-no-client-support",
-        server => { },
+        server => {
+            extra => {
+                "ALPNProtocols" => "foo",
+            },
+        },
        client => { },
        test => {
-             "ServerALPNProtocols" => "foo",
             "ExpectedALPNProtocol" => undef,
        },
    },
    {
        name => "alpn-with-sni-no-context-switch",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "ALPNProtocols" => "foo",
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "ALPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+                "ServerName" => "server1",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "foo",
-             "Server2ALPNProtocols" => "bar",
-             "ServerName" => "server1",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server1",
             "ExpectedALPNProtocol" => "foo",
        },
    },
    {
        name => "alpn-with-sni-context-switch",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+                "ALPNProtocols" => "foo",
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "ALPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "foo",
-             "Server2ALPNProtocols" => "bar",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedALPNProtocol" => "bar",
        },
    },
    {
        name => "alpn-selected-sni-server-supports-alpn",
-        server => { },
+        server => {
-        server2 => { },
+            extra => {
-        client => { },
+               "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
+        server2 => {
+            extra => {
+                "ALPNProtocols" => "bar",
+            },
+        },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "Server2ALPNProtocols" => "bar",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedALPNProtocol" => "bar",
        },
    },
    {
        name => "alpn-selected-sni-server-does-not-support-alpn",
-        server => { },
+        server => {
+            extra => {
+                "ALPNProtocols" => "bar", 
+                "ServerNameCallback" => "IgnoreMismatch",
+            },
+        },
        server2 => { },
-        client => { },
+        client => {
+            extra => {
+                "ALPNProtocols" => "foo,bar",
+                "ServerName" => "server2",
+            },
+        },
        test => {
-             "ClientALPNProtocols" => "foo,bar",
-             "ServerALPNProtocols" => "foo",
-             "ServerName" => "server2",
-             "ServerNameCallback" => "IgnoreMismatch",
             "ExpectedServerName" => "server2",
             "ExpectedALPNProtocol" => undef,
        },

--- a/test/ssl-tests/10-resumption.conf
+++ b/test/ssl-tests/10-resumption.conf
--- a/test/ssl-tests/11-dtls_resumption.conf
+++ b/test/ssl-tests/11-dtls_resumption.conf
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -117,7 +117,7 @@ sub generate_version_tests {
                        },
                        "test" => {
                            "ExpectedResult" => $result,
-                            "Protocol" => $protocol,
+                            "ExpectedProtocol" => $protocol,
                            "Method" => $method,
                        }
                    };
@@ -172,7 +172,7 @@ sub generate_resumption_tests {
                        "MaxProtocol" => $protocols[$resume_protocol],
                    },
                    "test" => {
-                        "Protocol" => $protocols[$resume_protocol],
+                        "ExpectedProtocol" => $protocols[$resume_protocol],
                        "Method" => $method,
                        "HandshakeMode" => "Resume",
                        "ResumptionExpected" => $resumption_expected,
@@ -192,7 +192,7 @@ sub generate_resumption_tests {
                        "MaxProtocol" => $protocols[$resume_protocol],
                    },
                    "test" => {
-                        "Protocol" => $protocols[$resume_protocol],
+                        "ExpectedProtocol" => $protocols[$resume_protocol],
                        "Method" => $method,
                        "HandshakeMode" => "Resume",
                        "ResumptionExpected" => $resumption_expected,

--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -79,23 +79,23 @@ static int check_alerts(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
    }
    /* Tolerate an alert if one wasn't explicitly specified in the test. */
-    if (test_ctx->client_alert
+    if (test_ctx->expected_client_alert
        /*
         * The info callback alert value is computed as
         * (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]
         * where the low byte is the alert code and the high byte is other stuff.
         */
-        && (result->client_alert_sent & 0xff) != test_ctx->client_alert) {
+        && (result->client_alert_sent & 0xff) != test_ctx->expected_client_alert) {
        fprintf(stderr, "ClientAlert mismatch: expected %s, got %s.\n",
-                print_alert(test_ctx->client_alert),
+                print_alert(test_ctx->expected_client_alert),
                print_alert(result->client_alert_sent));
        return 0;
    }
-    if (test_ctx->server_alert
+    if (test_ctx->expected_server_alert
-        && (result->server_alert_sent & 0xff) != test_ctx->server_alert) {
+        && (result->server_alert_sent & 0xff) != test_ctx->expected_server_alert) {
        fprintf(stderr, "ServerAlert mismatch: expected %s, got %s.\n",
-                print_alert(test_ctx->server_alert),
+                print_alert(test_ctx->expected_server_alert),
                print_alert(result->server_alert_sent));
        return 0;
    }
@@ -112,10 +112,10 @@ static int check_protocol(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
        return 0;
    }
-    if (test_ctx->protocol) {
+    if (test_ctx->expected_protocol) {
-        if (result->client_protocol != test_ctx->protocol) {
+        if (result->client_protocol != test_ctx->expected_protocol) {
            fprintf(stderr, "Protocol mismatch: expected %s, got %s.\n",
-                    ssl_protocol_name(test_ctx->protocol),
+                    ssl_protocol_name(test_ctx->expected_protocol),
                    ssl_protocol_name(result->client_protocol));
            return 0;
        }
@@ -138,9 +138,6 @@ static int check_session_ticket(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx
 {
    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_IGNORE)
        return 1;
-    if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN &&
-        result->session_ticket == SSL_TEST_SESSION_TICKET_NO)
-        return 1;
    if (result->session_ticket != test_ctx->session_ticket_expected) {
        fprintf(stderr, "Client SessionTicketExpected mismatch, expected %s, got %s\n.",
                ssl_session_ticket_name(test_ctx->session_ticket_expected),
@@ -230,7 +227,8 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
 #ifndef OPENSSL_NO_DTLS
    if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
        server_ctx = SSL_CTX_new(DTLS_server_method());
-        if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
+        if (test_ctx->extra.server.servername_callback !=
+            SSL_TEST_SERVERNAME_CB_NONE) {
            server2_ctx = SSL_CTX_new(DTLS_server_method());
            OPENSSL_assert(server2_ctx != NULL);
        }
@@ -245,7 +243,9 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
 #endif
    if (test_ctx->method == SSL_TEST_METHOD_TLS) {
        server_ctx = SSL_CTX_new(TLS_server_method());
-        if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
+        /* SNI on resumption isn't supported/tested yet. */
+        if (test_ctx->extra.server.servername_callback !=
+            SSL_TEST_SERVERNAME_CB_NONE) {
            server2_ctx = SSL_CTX_new(TLS_server_method());
            OPENSSL_assert(server2_ctx != NULL);
        }

--- a/test/ssl_test.tmpl
+++ b/test/ssl_test.tmpl
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
--- a/test/ssl_test_ctx_test.c
+++ b/test/ssl_test_ctx_test.c
--- a/test/ssl_test_ctx_test.conf
+++ b/test/ssl_test_ctx_test.conf
 [ssltest_default]
 [ssltest_good]
+client = ssltest_good_client_extra
+server = ssltest_good_server_extra
+resume-server2 = ssltest_good_resume_server2_extra
+Method = DTLS
+HandshakeMode = Resume
 ExpectedResult = ServerFail
-ClientAlert = UnknownCA
+ExpectedClientAlert = UnknownCA
-Protocol = TLSv1.1
+ExpectedProtocol = TLSv1.1
-ClientVerifyCallback = RejectAll
-ServerName = server2
 ExpectedServerName = server2
-ServerNameCallback = IgnoreMismatch
 SessionTicketExpected = Yes
-Method = DTLS
+ResumptionExpected = Yes
-ClientNPNProtocols = foo,bar
-Server2ALPNProtocols = baz
+[ssltest_good_client_extra]
-HandshakeMode = Resume
+VerifyCallback = RejectAll
-ResumptionExpected = yes
+ServerName = server2
+NPNProtocols = foo,bar
+[ssltest_good_server_extra]
+ServerNameCallback = IgnoreMismatch
+BrokenSessionTicket = Yes
+[ssltest_good_resume_server2_extra]
+ALPNProtocols = baz
 [ssltest_unknown_option]
 UnknownOption = Foo