ssltest.sh revision 160814
1139747Simp#! /bin/sh 2131952Smarcel# Tests ECC cipher suites using ssltest. Requires one argument which could 3131952Smarcel# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. 4131952Smarcel# A second optional argument can be one of ssl2 ssl3 or tls1 5131952Smarcel 6131952Smarcelif [ "$1" = "" ]; then 7131952Smarcel (echo "Usage: $0 test [ protocol ]" 8131952Smarcel echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" 9131952Smarcel echo " and protocol (optional) is one of ssl2, ssl3, tls1" 10131952Smarcel echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." 11131952Smarcel ) >&2 12131952Smarcel exit 1 13131952Smarcelfi 14131952Smarcel 15131952Smarcel 16131952SmarcelOPENSSL_DIR=../.. 17131952SmarcelCERTS_DIR=./Certs 18131952SmarcelSSLTEST=$OPENSSL_DIR/test/ssltest 19131952Smarcel# SSL protocol version to test (one of ssl2 ssl3 or tls1)" 20131952SmarcelSSLVERSION= 21131952Smarcel 22131952Smarcel# These don't really require any certificates 23131952SmarcelAECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA" 24131952Smarcel 25131952Smarcel# These require ECC certificates signed with ECDSA 26131952Smarcel# The EC public key must be authorized for key agreement. 27131952SmarcelECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" 28131952Smarcel 29131952Smarcel# These require ECC certificates. 30131952Smarcel# The EC public key must be authorized for digital signature. 31131952SmarcelECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA" 32131952Smarcel 33131952Smarcel# These require ECC certificates signed with RSA. 34131952Smarcel# The EC public key must be authorized for key agreement. 35131952SmarcelECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" 36131952Smarcel 37131952Smarcel# These require RSA certificates. 38131952Smarcel# The RSA public key must be authorized for digital signature. 39174910SrwatsonECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA" 40131952Smarcel 41131952Smarcel# List of Elliptic curves over which we wish to test generation of 42131952Smarcel# ephemeral ECDH keys when using AECDH or ECDHE ciphers 43131952Smarcel# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 44131952Smarcel#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" 45131952SmarcelELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" 46131952Smarcel 47131952SmarcelDEFAULT_CURVE="sect163r2" 48131952Smarcel 49174910Srwatsonif [ "$2" = "" ]; then 50174910Srwatson if [ "$SSL_VERSION" = "" ]; then 51131952Smarcel SSL_VERSION="" 52131952Smarcel else 53164029Skib SSL_VERSION="-$SSL_VERSION" 54131952Smarcel fi 55164029Skibelse 56131952Smarcel SSL_VERSION="-$2" 57131952Smarcelfi 58131952Smarcel 59131952Smarcel#============================================================== 60131952Smarcel# Anonymous cipher suites do not require key or certificate files 61131952Smarcel# but ssltest expects a cert file and complains if it can't 62131952Smarcel# open the default one. 63131952SmarcelSERVER_PEM=$OPENSSL_DIR/apps/server.pem 64131952Smarcel 65131952Smarcelif [ "$1" = "aecdh" ]; then 66131952Smarcelfor cipher in $AECDH_CIPHER_LIST 67131952Smarceldo 68131952Smarcel echo "Testing $cipher" 69131952Smarcel $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 70131952Smarceldone 71131952Smarcel#-------------------------------------------------------------- 72131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST 73131952Smarceldo 74131952Smarcel echo "Testing AECDH-NULL-SHA (with $curve)" 75131952Smarcel $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 76131952Smarcel -named_curve $curve -cipher AECDH-NULL-SHA 77131952Smarceldone 78131952Smarcel 79131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST 80131952Smarceldo 81131952Smarcel echo "Testing AECDH-RC4-SHA (with $curve)" 82131952Smarcel $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 83131952Smarcel -named_curve $curve -cipher AECDH-RC4-SHA 84131952Smarceldone 85131952Smarcelfi 86131952Smarcel 87131952Smarcel#============================================================== 88131952Smarcel# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 89131952Smarcel# the server to have an ECC certificate signed with ECDSA. 90131952SmarcelCA_PEM=$CERTS_DIR/secp160r1TestCA.pem 91131952SmarcelSERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem 92131952SmarcelCLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem 93131952Smarcel 94131952Smarcelif [ "$1" = "ecdh-ecdsa" ]; then 95131952Smarcelfor cipher in $ECDH_ECDSA_CIPHER_LIST 96131952Smarceldo 97131952Smarcel echo "Testing $cipher (with server authentication)" 98131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 99131952Smarcel -cert $SERVER_PEM -server_auth \ 100131952Smarcel -cipher $cipher 101131952Smarcel 102131952Smarcel echo "Testing $cipher (with server and client authentication)" 103131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 104131952Smarcel -cert $SERVER_PEM -server_auth \ 105131952Smarcel -c_cert $CLIENT_PEM -client_auth \ 106131952Smarcel -cipher $cipher 107131952Smarceldone 108131952Smarcelfi 109131952Smarcel 110131952Smarcel#============================================================== 111131952Smarcelif [ "$1" = "ecdhe-ecdsa" ]; then 112131952Smarcelfor cipher in $ECDHE_ECDSA_CIPHER_LIST 113131952Smarceldo 114131952Smarcel echo "Testing $cipher (with server authentication)" 115131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 116131952Smarcel -cert $SERVER_PEM -server_auth \ 117131952Smarcel -cipher $cipher -named_curve $DEFAULT_CURVE 118131952Smarcel 119131952Smarcel echo "Testing $cipher (with server and client authentication)" 120131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 121131952Smarcel -cert $SERVER_PEM -server_auth \ 122131952Smarcel -c_cert $CLIENT_PEM -client_auth \ 123131952Smarcel -cipher $cipher -named_curve $DEFAULT_CURVE 124131952Smarceldone 125131952Smarcel 126131952Smarcel#-------------------------------------------------------------- 127131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST 128131952Smarceldo 129131952Smarcel echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" 130131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 131131952Smarcel -cert $SERVER_PEM -server_auth \ 132131952Smarcel -c_cert $CLIENT_PEM -client_auth \ 133131952Smarcel -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 134131952Smarceldone 135131952Smarcelfi 136131952Smarcel 137131952Smarcel#============================================================== 138131952Smarcel# ECDH-RSA cipher suites require the server to have an ECC 139131952Smarcel# certificate signed with RSA. 140131952SmarcelCA_PEM=$CERTS_DIR/rsa1024TestCA.pem 141131952SmarcelSERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem 142131952SmarcelCLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem 143131952Smarcel 144131952Smarcelif [ "$1" = "ecdh-rsa" ]; then 145131952Smarcelfor cipher in $ECDH_RSA_CIPHER_LIST 146131952Smarceldo 147131952Smarcel echo "Testing $cipher (with server authentication)" 148131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 149131952Smarcel -cert $SERVER_PEM -server_auth \ 150131952Smarcel -cipher $cipher 151131952Smarcel 152131952Smarcel echo "Testing $cipher (with server and client authentication)" 153131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 154131952Smarcel -cert $SERVER_PEM -server_auth \ 155131952Smarcel -c_cert $CLIENT_PEM -client_auth \ 156131952Smarcel -cipher $cipher 157131952Smarceldone 158131952Smarcelfi 159131952Smarcel 160131952Smarcel#============================================================== 161131952Smarcel# ECDHE-RSA cipher suites require the server to have an RSA cert. 162131952SmarcelCA_PEM=$CERTS_DIR/rsa1024TestCA.pem 163131952SmarcelSERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem 164131952SmarcelCLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem 165131952Smarcel 166131952Smarcelif [ "$1" = "ecdhe-rsa" ]; then 167131952Smarcelfor cipher in $ECDHE_RSA_CIPHER_LIST 168131952Smarceldo 169131952Smarcel echo "Testing $cipher (with server authentication)" 170131952Smarcel echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 171131952Smarcel -cert $SERVER_PEM -server_auth \ 172131952Smarcel -cipher $cipher -named_curve $DEFAULT_CURVE 173131952Smarcel $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 174131952Smarcel -cert $SERVER_PEM -server_auth \ 175131952Smarcel -cipher $cipher -named_curve $DEFAULT_CURVE 176131952Smarcel 177132771Skan echo "Testing $cipher (with server and client authentication)" 178132791Skan $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 179131952Smarcel -cert $SERVER_PEM -server_auth \ 180132771Skan -c_cert $CLIENT_PEM -client_auth \ 181132791Skan -cipher $cipher -named_curve $DEFAULT_CURVE 182131952Smarceldone 183131952Smarcelfi 184131952Smarcel#============================================================== 185131952Smarcel 186131952Smarcel 187131952Smarcel 188131952Smarcel 189131952Smarcel