#! /usr/bin/env perl
# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
# NOTE(review): tempfile is not referenced anywhere in the visible script.
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

# Exercises TLSv1.3 certificate compression (the compress_certificate
# extension and the CompressedCertificate handshake message) between a client
# and a server driven through TLSProxy.  For each combination of the
# -no_tx_cert_comp / -no_rx_cert_comp / -cert_comp flags the test states which
# handshake messages and which extensions are expected on the wire.
#
# The property of interest to a reviewer: a compressed certificate should only
# travel towards a peer that advertised compress_certificate, and a peer that
# declined to receive compressed certificates should not advertise it.

my $test_name = "test_tls13certcomp";
setup($test_name);

# Build-configuration gates.  Each one ends the script with a skip message.
if ($^O =~ /^(VMS)$/) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}

# NOTE(review): nothing in this file touches an engine directly; presumably
# this gate is a TLSProxy requirement -- confirm.
if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}

if (disabled("sock")) {
    plan skip_all => "$test_name needs the sock feature enabled";
}

if (disabled("tls1_3")) {
    plan skip_all => "$test_name needs TLSv1.3 enabled";
}

if (disabled("ec")) {
    plan skip_all => "$test_name needs EC enabled";
}

# Compression support as a whole plus at least one of the three algorithms.
if (disabled("comp")
    || (disabled("brotli") && disabled("zlib") && disabled("zstd"))) {
    plan skip_all => "$test_name needs compression and algorithms enabled";
}

# Handshake messages in the order they are expected.  Every row is
# [message type, mask of handshake kinds]; the mask is interpreted by the
# checkhandshake module (not shown here).  [0, 0] ends the list.
#
# Server side: a plain Certificate is listed for every handshake kind except
# CERT_COMP_SRV/CERT_COMP_BOTH, where CompressedCertificate is listed instead.
# Client side: CompressedCertificate and its CertificateVerify are listed only
# for CERT_COMP_CLI/CERT_COMP_BOTH, the same kinds that list a
# CertificateRequest.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CERT_COMP_CLI_HANDSHAKE | checkhandshake::CERT_COMP_BOTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::CERT_COMP_SRV_HANDSHAKE | checkhandshake::CERT_COMP_BOTH_HANDSHAKE)],
    [TLSProxy::Message::MT_COMPRESSED_CERTIFICATE,
        checkhandshake::CERT_COMP_SRV_HANDSHAKE | checkhandshake::CERT_COMP_BOTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_COMPRESSED_CERTIFICATE,
        checkhandshake::CERT_COMP_CLI_HANDSHAKE | checkhandshake::CERT_COMP_BOTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CERT_COMP_CLI_HANDSHAKE | checkhandshake::CERT_COMP_BOTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Extensions that may appear in each message.  Every row is
# [message type, extension type, sender, mask]; [0,0,0,0] ends the list.
# compress_certificate is listed for the client in ClientHello
# (CERT_COMP_CLI_EXTENSION) and for the server in CertificateRequest
# (CERT_COMP_SRV_EXTENSION).
@extensions = (
    # First ClientHello.
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_COMPRESS_CERTIFICATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::CERT_COMP_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],

    # ServerHello carrying the HRR key_share mask (presumably the
    # HelloRetryRequest form -- confirm against checkhandshake).
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    # Second ClientHello.
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_COMPRESS_CERTIFICATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::CERT_COMP_CLI_EXTENSION],

    # ServerHello.
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    # EncryptedExtensions.
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    # CertificateRequest: where the server advertises compress_certificate.
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_COMPRESS_CERTIFICATE,
        TLSProxy::Message::SERVER,
        checkhandshake::CERT_COMP_SRV_EXTENSION],

    # Certificate.
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

# No message filter (undef), the openssl command line, the server
# certificate, and a debug switch that is on outside the harness or when the
# harness runs verbosely.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

# Test 1: the client advertises certificate compression, the server neither
# sends nor accepts it, and there is no client authentication.  Only the
# client's extension is expected; the handshake itself stays the default one.
# NOTE(review): serverconnects(2) is set immediately before clear(); confirm
# that clear() does not simply reset it.
$proxy->serverconnects(2);
$proxy->clear();
$proxy->serverflags("-no_tx_cert_comp -no_rx_cert_comp");
# Last chance to skip: the plan is only declared once the proxy has started.
unless ($proxy->start()) {
    plan skip_all => "Unable to start up Proxy for tests";
}
plan tests => 8;
checkhandshake(
    $proxy,
    checkhandshake::DEFAULT_HANDSHAKE,
    checkhandshake::DEFAULT_EXTENSIONS
        | checkhandshake::CERT_COMP_CLI_EXTENSION,
    "Client supports certificate compression"
);

# Tests 2-8 share one shape: reset the proxy, apply the flags, run the
# handshake and compare it with the expected handshake kind and extension
# mask.  A case without a "client" entry leaves the client flags untouched
# after clear().
my @cases = (
    # Test 2: the client disables both directions, so no client extension is
    # expected and the handshake stays the default one even though the server
    # has -cert_comp.  The server extension bit is in the mask although no
    # CertificateRequest is listed for DEFAULT_HANDSHAKE above.
    {
        client     => "-no_tx_cert_comp -no_rx_cert_comp",
        server     => "-cert_comp",
        handshake  => checkhandshake::DEFAULT_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_SRV_EXTENSION,
        name       => "Server supports certificate compression, but no client auth",
    },
    # Test 3: both sides support compression, no client authentication: the
    # server's certificate is expected in compressed form.
    {
        server     => "-cert_comp",
        handshake  => checkhandshake::CERT_COMP_SRV_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_CLI_EXTENSION
                        | checkhandshake::CERT_COMP_SRV_EXTENSION,
        name       => "Both support certificate compression, but no client auth",
    },
    # Test 4: both sides support compression and the server asks for a client
    # certificate (-Verify): compressed certificates in both directions.
    {
        client     => "-cert ".srctop_file("apps", "server.pem"),
        server     => "-Verify 5 -cert_comp",
        handshake  => checkhandshake::CERT_COMP_BOTH_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_CLI_EXTENSION
                        | checkhandshake::CERT_COMP_SRV_EXTENSION,
        name       => "Both support certificate compression, with client auth",
    },
    # Test 5: the client will not receive and the server will not send, so
    # only the client's certificate is expected compressed and only the
    # server's extension is expected.
    {
        client     => "-no_rx_cert_comp -cert ".srctop_file("apps", "server.pem"),
        server     => "-no_tx_cert_comp -Verify 5 -cert_comp",
        handshake  => checkhandshake::CERT_COMP_CLI_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_SRV_EXTENSION,
        name       => "Client-to-server-only certificate compression, with client auth",
    },
    # Test 6: the mirror image: the client will not send and the server will
    # not receive, so only the server's certificate is expected compressed.
    {
        client     => "-no_tx_cert_comp",
        server     => "-no_rx_cert_comp -cert_comp",
        handshake  => checkhandshake::CERT_COMP_SRV_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_CLI_EXTENSION,
        name       => "Server-to-client-only certificate compression",
    },
    # Test 7: both sides accept but neither sends: both extensions are
    # expected, yet the handshake must stay the default (uncompressed) one.
    {
        client     => "-no_tx_cert_comp",
        server     => "-no_tx_cert_comp -cert_comp",
        handshake  => checkhandshake::DEFAULT_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS
                        | checkhandshake::CERT_COMP_CLI_EXTENSION
                        | checkhandshake::CERT_COMP_SRV_EXTENSION,
        name       => "Accept but not send compressed certificates",
    },
    # Test 8: both sides would send but neither accepts: no
    # compress_certificate extension is expected from either side and the
    # handshake must stay the default one.  This is the negative case showing
    # that willingness to send alone does not produce a compressed
    # certificate.
    {
        client     => "-no_rx_cert_comp",
        server     => "-no_rx_cert_comp -cert_comp",
        handshake  => checkhandshake::DEFAULT_HANDSHAKE,
        extensions => checkhandshake::DEFAULT_EXTENSIONS,
        name       => "Send but not accept compressed certificates",
    },
);

for my $case (@cases) {
    $proxy->clear();
    $proxy->clientflags($case->{client}) if defined $case->{client};
    $proxy->serverflags($case->{server});
    $proxy->start();
    checkhandshake($proxy, $case->{handshake}, $case->{extensions},
                   $case->{name});
}