1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
30 // zeroSource is an io.Reader that returns an unlimited number of zero bytes.
31 type zeroSource struct{}
33 func (zeroSource) Read(b []byte) (n int, err error) {
41 var testConfig *Config
43 func allCipherSuites() []uint16 {
44 ids := make([]uint16, len(cipherSuites))
45 for i, suite := range cipherSuites {
54 Time: func() time.Time { return time.Unix(0, 0) },
56 Certificates: make([]Certificate, 2),
57 InsecureSkipVerify: true,
58 MinVersion: VersionSSL30,
59 MaxVersion: VersionTLS13,
60 CipherSuites: allCipherSuites(),
62 testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
63 testConfig.Certificates[0].PrivateKey = testRSAPrivateKey
64 testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate}
65 testConfig.Certificates[1].PrivateKey = testRSAPrivateKey
66 testConfig.BuildNameToCertificate()
67 if keyFile := os.Getenv("SSLKEYLOGFILE"); keyFile != "" {
68 f, err := os.OpenFile(keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
70 panic("failed to open SSLKEYLOGFILE: " + err.Error())
72 testConfig.KeyLogWriter = f
76 func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
77 testClientHelloFailure(t, serverConfig, m, "")
80 func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
83 cli := Client(c, testConfig)
84 if ch, ok := m.(*clientHelloMsg); ok {
87 cli.writeRecord(recordTypeHandshake, m.marshal())
90 conn := Server(s, serverConfig)
91 ch, err := conn.readClientHello()
92 hs := serverHandshakeState{
97 err = hs.processClientHello()
100 err = hs.pickCipherSuite()
103 if len(expectedSubStr) == 0 {
104 if err != nil && err != io.EOF {
105 t.Errorf("Got error: %s; expected to succeed", err)
107 } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
108 t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
112 func TestSimpleError(t *testing.T) {
113 testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
116 var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205}
118 func TestRejectBadProtocolVersion(t *testing.T) {
119 for _, v := range badProtocolVersions {
120 testClientHelloFailure(t, testConfig, &clientHelloMsg{
122 random: make([]byte, 32),
123 }, "unsupported versions")
125 testClientHelloFailure(t, testConfig, &clientHelloMsg{
127 supportedVersions: badProtocolVersions,
128 random: make([]byte, 32),
129 }, "unsupported versions")
132 func TestNoSuiteOverlap(t *testing.T) {
133 clientHello := &clientHelloMsg{
135 random: make([]byte, 32),
136 cipherSuites: []uint16{0xff00},
137 compressionMethods: []uint8{compressionNone},
139 testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
142 func TestNoCompressionOverlap(t *testing.T) {
143 clientHello := &clientHelloMsg{
145 random: make([]byte, 32),
146 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
147 compressionMethods: []uint8{0xff},
149 testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
152 func TestNoRC4ByDefault(t *testing.T) {
153 clientHello := &clientHelloMsg{
155 random: make([]byte, 32),
156 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
157 compressionMethods: []uint8{compressionNone},
159 serverConfig := testConfig.Clone()
160 // Reset the enabled cipher suites to nil in order to test the
162 serverConfig.CipherSuites = nil
163 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
166 func TestRejectSNIWithTrailingDot(t *testing.T) {
167 testClientHelloFailure(t, testConfig, &clientHelloMsg{
169 random: make([]byte, 32),
170 serverName: "foo.com.",
171 }, "unexpected message")
174 func TestDontSelectECDSAWithRSAKey(t *testing.T) {
175 // Test that, even when both sides support an ECDSA cipher suite, it
176 // won't be selected if the server's private key doesn't support it.
177 clientHello := &clientHelloMsg{
179 random: make([]byte, 32),
180 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
181 compressionMethods: []uint8{compressionNone},
182 supportedCurves: []CurveID{CurveP256},
183 supportedPoints: []uint8{pointFormatUncompressed},
185 serverConfig := testConfig.Clone()
186 serverConfig.CipherSuites = clientHello.cipherSuites
187 serverConfig.Certificates = make([]Certificate, 1)
188 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
189 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
190 serverConfig.BuildNameToCertificate()
191 // First test that it *does* work when the server's key is ECDSA.
192 testClientHello(t, serverConfig, clientHello)
194 // Now test that switching to an RSA key causes the expected error (and
195 // not an internal error about a signing failure).
196 serverConfig.Certificates = testConfig.Certificates
197 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
200 func TestDontSelectRSAWithECDSAKey(t *testing.T) {
201 // Test that, even when both sides support an RSA cipher suite, it
202 // won't be selected if the server's private key doesn't support it.
203 clientHello := &clientHelloMsg{
205 random: make([]byte, 32),
206 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
207 compressionMethods: []uint8{compressionNone},
208 supportedCurves: []CurveID{CurveP256},
209 supportedPoints: []uint8{pointFormatUncompressed},
211 serverConfig := testConfig.Clone()
212 serverConfig.CipherSuites = clientHello.cipherSuites
213 // First test that it *does* work when the server's key is RSA.
214 testClientHello(t, serverConfig, clientHello)
216 // Now test that switching to an ECDSA key causes the expected error
217 // (and not an internal error about a signing failure).
218 serverConfig.Certificates = make([]Certificate, 1)
219 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
220 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
221 serverConfig.BuildNameToCertificate()
222 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
225 func TestRenegotiationExtension(t *testing.T) {
226 clientHello := &clientHelloMsg{
228 compressionMethods: []uint8{compressionNone},
229 random: make([]byte, 32),
230 secureRenegotiationSupported: true,
231 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
234 bufChan := make(chan []byte)
238 cli := Client(c, testConfig)
239 cli.vers = clientHello.vers
240 cli.writeRecord(recordTypeHandshake, clientHello.marshal())
242 buf := make([]byte, 1024)
243 n, err := c.Read(buf)
245 t.Errorf("Server read returned error: %s", err)
252 Server(s, testConfig).Handshake()
256 t.Fatalf("Server returned short message of length %d", len(buf))
258 // buf contains a TLS record, with a 5 byte record header and a 4 byte
259 // handshake header. The length of the ServerHello is taken from the
261 serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8])
263 var serverHello serverHelloMsg
264 // unmarshal expects to be given the handshake header, but
265 // serverHelloLen doesn't include it.
266 if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) {
267 t.Fatalf("Failed to parse ServerHello")
270 if !serverHello.secureRenegotiationSupported {
271 t.Errorf("Secure renegotiation extension was not echoed.")
275 func TestTLS12OnlyCipherSuites(t *testing.T) {
276 // Test that a Server doesn't select a TLS 1.2-only cipher suite when
277 // the client negotiates TLS 1.1.
278 clientHello := &clientHelloMsg{
280 random: make([]byte, 32),
281 cipherSuites: []uint16{
282 // The Server, by default, will use the client's
283 // preference order. So the GCM cipher suite
284 // will be selected unless it's excluded because
285 // of the version in this ClientHello.
286 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
287 TLS_RSA_WITH_RC4_128_SHA,
289 compressionMethods: []uint8{compressionNone},
290 supportedCurves: []CurveID{CurveP256, CurveP384, CurveP521},
291 supportedPoints: []uint8{pointFormatUncompressed},
295 replyChan := make(chan interface{})
297 cli := Client(c, testConfig)
298 cli.vers = clientHello.vers
299 cli.writeRecord(recordTypeHandshake, clientHello.marshal())
300 reply, err := cli.readHandshake()
308 config := testConfig.Clone()
309 config.CipherSuites = clientHello.cipherSuites
310 Server(s, config).Handshake()
313 if err, ok := reply.(error); ok {
316 serverHello, ok := reply.(*serverHelloMsg)
318 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
320 if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
321 t.Fatalf("bad cipher suite from server: %x", s)
325 func TestAlertForwarding(t *testing.T) {
328 Client(c, testConfig).sendAlert(alertUnknownCA)
332 err := Server(s, testConfig).Handshake()
334 if e, ok := err.(*net.OpError); !ok || e.Err != error(alertUnknownCA) {
335 t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
339 func TestClose(t *testing.T) {
343 err := Server(s, testConfig).Handshake()
346 t.Errorf("Got error: %s; expected: %s", err, io.EOF)
350 func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) {
352 errChan := make(chan error)
354 cli := Client(c, clientConfig)
355 err := cli.Handshake()
357 errChan <- fmt.Errorf("client: %v", err)
362 clientState = cli.ConnectionState()
363 buf, err := ioutil.ReadAll(cli)
365 t.Errorf("failed to call cli.Read: %v", err)
367 if got := string(buf); got != opensslSentinel {
368 t.Errorf("read %q from TLS connection, but expected %q", got, opensslSentinel)
372 server := Server(s, serverConfig)
373 err = server.Handshake()
375 serverState = server.ConnectionState()
376 if _, err := io.WriteString(server, opensslSentinel); err != nil {
377 t.Errorf("failed to call server.Write: %v", err)
379 if err := server.Close(); err != nil {
380 t.Errorf("failed to call server.Close: %v", err)
390 func TestVersion(t *testing.T) {
391 serverConfig := &Config{
392 Certificates: testConfig.Certificates,
393 MaxVersion: VersionTLS11,
395 clientConfig := &Config{
396 InsecureSkipVerify: true,
398 state, _, err := testHandshake(t, clientConfig, serverConfig)
400 t.Fatalf("handshake failed: %s", err)
402 if state.Version != VersionTLS11 {
403 t.Fatalf("Incorrect version %x, should be %x", state.Version, VersionTLS11)
407 func TestCipherSuitePreference(t *testing.T) {
408 serverConfig := &Config{
409 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
410 Certificates: testConfig.Certificates,
411 MaxVersion: VersionTLS11,
413 clientConfig := &Config{
414 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA},
415 InsecureSkipVerify: true,
417 state, _, err := testHandshake(t, clientConfig, serverConfig)
419 t.Fatalf("handshake failed: %s", err)
421 if state.CipherSuite != TLS_RSA_WITH_AES_128_CBC_SHA {
422 // By default the server should use the client's preference.
423 t.Fatalf("Client's preference was not used, got %x", state.CipherSuite)
426 serverConfig.PreferServerCipherSuites = true
427 state, _, err = testHandshake(t, clientConfig, serverConfig)
429 t.Fatalf("handshake failed: %s", err)
431 if state.CipherSuite != TLS_RSA_WITH_RC4_128_SHA {
432 t.Fatalf("Server's preference was not used, got %x", state.CipherSuite)
436 func TestSCTHandshake(t *testing.T) {
437 t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) })
438 t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) })
441 func testSCTHandshake(t *testing.T, version uint16) {
442 expected := [][]byte{[]byte("certificate"), []byte("transparency")}
443 serverConfig := &Config{
444 Certificates: []Certificate{{
445 Certificate: [][]byte{testRSACertificate},
446 PrivateKey: testRSAPrivateKey,
447 SignedCertificateTimestamps: expected,
451 clientConfig := &Config{
452 InsecureSkipVerify: true,
454 _, state, err := testHandshake(t, clientConfig, serverConfig)
456 t.Fatalf("handshake failed: %s", err)
458 actual := state.SignedCertificateTimestamps
459 if len(actual) != len(expected) {
460 t.Fatalf("got %d scts, want %d", len(actual), len(expected))
462 for i, sct := range expected {
463 if !bytes.Equal(sct, actual[i]) {
464 t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct)
469 func TestCrossVersionResume(t *testing.T) {
470 t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) })
471 t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) })
474 func testCrossVersionResume(t *testing.T, version uint16) {
475 serverConfig := &Config{
476 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
477 Certificates: testConfig.Certificates,
479 clientConfig := &Config{
480 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
481 InsecureSkipVerify: true,
482 ClientSessionCache: NewLRUClientSessionCache(1),
483 ServerName: "servername",
486 // Establish a session at TLS 1.1.
487 clientConfig.MaxVersion = VersionTLS11
488 _, _, err := testHandshake(t, clientConfig, serverConfig)
490 t.Fatalf("handshake failed: %s", err)
493 // The client session cache now contains a TLS 1.1 session.
494 state, _, err := testHandshake(t, clientConfig, serverConfig)
496 t.Fatalf("handshake failed: %s", err)
498 if !state.DidResume {
499 t.Fatalf("handshake did not resume at the same version")
502 // Test that the server will decline to resume at a lower version.
503 clientConfig.MaxVersion = VersionTLS10
504 state, _, err = testHandshake(t, clientConfig, serverConfig)
506 t.Fatalf("handshake failed: %s", err)
509 t.Fatalf("handshake resumed at a lower version")
512 // The client session cache now contains a TLS 1.0 session.
513 state, _, err = testHandshake(t, clientConfig, serverConfig)
515 t.Fatalf("handshake failed: %s", err)
517 if !state.DidResume {
518 t.Fatalf("handshake did not resume at the same version")
521 // Test that the server will decline to resume at a higher version.
522 clientConfig.MaxVersion = VersionTLS11
523 state, _, err = testHandshake(t, clientConfig, serverConfig)
525 t.Fatalf("handshake failed: %s", err)
528 t.Fatalf("handshake resumed at a higher version")
532 // Note: see comment in handshake_test.go for details of how the reference
535 // serverTest represents a test of the TLS server handshake against a reference
537 type serverTest struct {
538 // name is a freeform string identifying the test and the file in which
539 // the expected results will be stored.
541 // command, if not empty, contains a series of arguments for the
542 // command to run for the reference server.
544 // expectedPeerCerts contains a list of PEM blocks of expected
545 // certificates from the client.
546 expectedPeerCerts []string
547 // config, if not nil, contains a custom Config to use for this test.
549 // expectHandshakeErrorIncluding, when not empty, contains a string
550 // that must be a substring of the error resulting from the handshake.
551 expectHandshakeErrorIncluding string
552 // validate, if not nil, is a function that will be called with the
553 // ConnectionState of the resulting connection. It returns false if the
554 // ConnectionState is unacceptable.
555 validate func(ConnectionState) error
556 // wait, if true, prevents this subtest from calling t.Parallel.
557 // If false, runServerTest* returns immediately.
561 var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
563 // connFromCommand starts opens a listening socket and starts the reference
564 // client to connect to it. It returns a recordingConn that wraps the resulting
566 func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
567 l, err := net.ListenTCP("tcp", &net.TCPAddr{
568 IP: net.IPv4(127, 0, 0, 1),
576 port := l.Addr().(*net.TCPAddr).Port
579 command = append(command, test.command...)
580 if len(command) == 0 {
581 command = defaultClientCommand
583 command = append(command, "-connect")
584 command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
585 cmd := exec.Command(command[0], command[1:]...)
587 var output bytes.Buffer
590 if err := cmd.Start(); err != nil {
594 connChan := make(chan interface{})
596 tcpConn, err := l.Accept()
605 case connOrError := <-connChan:
606 if err, ok := connOrError.(error); ok {
609 tcpConn = connOrError.(net.Conn)
610 case <-time.After(2 * time.Second):
611 return nil, nil, errors.New("timed out waiting for connection from child process")
614 record := &recordingConn{
618 return record, cmd, nil
621 func (test *serverTest) dataPath() string {
622 return filepath.Join("testdata", "Server-"+test.name)
625 func (test *serverTest) loadData() (flows [][]byte, err error) {
626 in, err := os.Open(test.dataPath())
631 return parseTestData(in)
634 func (test *serverTest) run(t *testing.T, write bool) {
635 checkOpenSSLVersion(t)
637 var clientConn, serverConn net.Conn
638 var recordingConn *recordingConn
639 var childProcess *exec.Cmd
643 recordingConn, childProcess, err = test.connFromCommand()
645 t.Fatalf("Failed to start subcommand: %s", err)
647 serverConn = recordingConn
650 t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout)
654 clientConn, serverConn = localPipe(t)
656 config := test.config
660 server := Server(serverConn, config)
661 connStateChan := make(chan ConnectionState, 1)
663 _, err := server.Write([]byte("hello, world\n"))
664 if len(test.expectHandshakeErrorIncluding) > 0 {
666 t.Errorf("Error expected, but no error returned")
667 } else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {
668 t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)
672 t.Logf("Error from Server.Write: '%s'", err)
677 connStateChan <- server.ConnectionState()
681 flows, err := test.loadData()
683 t.Fatalf("%s: failed to load data from %s", test.name, test.dataPath())
685 for i, b := range flows {
687 clientConn.SetWriteDeadline(time.Now().Add(1 * time.Minute))
691 bb := make([]byte, len(b))
692 clientConn.SetReadDeadline(time.Now().Add(1 * time.Minute))
693 n, err := io.ReadFull(clientConn, bb)
695 t.Fatalf("%s #%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", test.name, i+1, err, n, len(bb), bb[:n], b)
697 if !bytes.Equal(b, bb) {
698 t.Fatalf("%s #%d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b)
704 connState := <-connStateChan
705 peerCerts := connState.PeerCertificates
706 if len(peerCerts) == len(test.expectedPeerCerts) {
707 for i, peerCert := range peerCerts {
708 block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
709 if !bytes.Equal(block.Bytes, peerCert.Raw) {
710 t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
714 t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
717 if test.validate != nil {
718 if err := test.validate(connState); err != nil {
719 t.Fatalf("validate callback returned error: %s", err)
724 path := test.dataPath()
725 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
727 t.Fatalf("Failed to create output file: %s", err)
730 recordingConn.Close()
731 if len(recordingConn.flows) < 3 {
732 if len(test.expectHandshakeErrorIncluding) == 0 {
733 t.Fatalf("Handshake failed")
736 recordingConn.WriteTo(out)
737 t.Logf("Wrote %s\n", path)
742 func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
743 t.Run(version, func(t *testing.T) {
744 // Make a deep copy of the template before going parallel.
746 if template.config != nil {
747 test.config = template.config.Clone()
750 if !*update && !template.wait {
754 test.name = version + "-" + test.name
755 if len(test.command) == 0 {
756 test.command = defaultClientCommand
758 test.command = append([]string(nil), test.command...)
759 test.command = append(test.command, option)
764 func runServerTestSSLv3(t *testing.T, template *serverTest) {
765 runServerTestForVersion(t, template, "SSLv3", "-ssl3")
768 func runServerTestTLS10(t *testing.T, template *serverTest) {
769 runServerTestForVersion(t, template, "TLSv10", "-tls1")
772 func runServerTestTLS11(t *testing.T, template *serverTest) {
773 runServerTestForVersion(t, template, "TLSv11", "-tls1_1")
776 func runServerTestTLS12(t *testing.T, template *serverTest) {
777 runServerTestForVersion(t, template, "TLSv12", "-tls1_2")
780 func runServerTestTLS13(t *testing.T, template *serverTest) {
781 runServerTestForVersion(t, template, "TLSv13", "-tls1_3")
784 func TestHandshakeServerRSARC4(t *testing.T) {
787 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
789 runServerTestSSLv3(t, test)
790 runServerTestTLS10(t, test)
791 runServerTestTLS11(t, test)
792 runServerTestTLS12(t, test)
795 func TestHandshakeServerRSA3DES(t *testing.T) {
798 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
800 runServerTestSSLv3(t, test)
801 runServerTestTLS10(t, test)
802 runServerTestTLS12(t, test)
805 func TestHandshakeServerRSAAES(t *testing.T) {
808 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
810 runServerTestSSLv3(t, test)
811 runServerTestTLS10(t, test)
812 runServerTestTLS12(t, test)
815 func TestHandshakeServerAESGCM(t *testing.T) {
818 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
820 runServerTestTLS12(t, test)
823 func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
825 name: "RSA-AES256-GCM-SHA384",
826 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"},
828 runServerTestTLS12(t, test)
831 func TestHandshakeServerAES128SHA256(t *testing.T) {
833 name: "AES128-SHA256",
834 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
836 runServerTestTLS13(t, test)
838 func TestHandshakeServerAES256SHA384(t *testing.T) {
840 name: "AES256-SHA384",
841 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
843 runServerTestTLS13(t, test)
845 func TestHandshakeServerCHACHA20SHA256(t *testing.T) {
847 name: "CHACHA20-SHA256",
848 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
850 runServerTestTLS13(t, test)
853 func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
854 config := testConfig.Clone()
855 config.Certificates = make([]Certificate, 1)
856 config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
857 config.Certificates[0].PrivateKey = testECDSAPrivateKey
858 config.BuildNameToCertificate()
861 name: "ECDHE-ECDSA-AES",
862 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
865 runServerTestTLS10(t, test)
866 runServerTestTLS12(t, test)
867 runServerTestTLS13(t, test)
870 func TestHandshakeServerX25519(t *testing.T) {
871 config := testConfig.Clone()
872 config.CurvePreferences = []CurveID{X25519}
876 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"},
879 runServerTestTLS12(t, test)
880 runServerTestTLS13(t, test)
883 func TestHandshakeServerP256(t *testing.T) {
884 config := testConfig.Clone()
885 config.CurvePreferences = []CurveID{CurveP256}
889 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
892 runServerTestTLS12(t, test)
893 runServerTestTLS13(t, test)
896 func TestHandshakeServerHelloRetryRequest(t *testing.T) {
897 config := testConfig.Clone()
898 config.CurvePreferences = []CurveID{CurveP256}
901 name: "HelloRetryRequest",
902 command: []string{"openssl", "s_client", "-no_ticket", "-curves", "X25519:P-256"},
905 runServerTestTLS13(t, test)
908 func TestHandshakeServerALPN(t *testing.T) {
909 config := testConfig.Clone()
910 config.NextProtos = []string{"proto1", "proto2"}
914 // Note that this needs OpenSSL 1.0.2 because that is the first
915 // version that supports the -alpn flag.
916 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},
918 validate: func(state ConnectionState) error {
919 // The server's preferences should override the client.
920 if state.NegotiatedProtocol != "proto1" {
921 return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
926 runServerTestTLS12(t, test)
927 runServerTestTLS13(t, test)
930 func TestHandshakeServerALPNNoMatch(t *testing.T) {
931 config := testConfig.Clone()
932 config.NextProtos = []string{"proto3"}
935 name: "ALPN-NoMatch",
936 // Note that this needs OpenSSL 1.0.2 because that is the first
937 // version that supports the -alpn flag.
938 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},
940 validate: func(state ConnectionState) error {
941 // Rather than reject the connection, Go doesn't select
942 // a protocol when there is no overlap.
943 if state.NegotiatedProtocol != "" {
944 return fmt.Errorf("Got protocol %q, wanted ''", state.NegotiatedProtocol)
949 runServerTestTLS12(t, test)
950 runServerTestTLS13(t, test)
953 // TestHandshakeServerSNI involves a client sending an SNI extension of
954 // "snitest.com", which happens to match the CN of testSNICertificate. The test
955 // verifies that the server correctly selects that certificate.
956 func TestHandshakeServerSNI(t *testing.T) {
959 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
961 runServerTestTLS12(t, test)
964 // TestHandshakeServerSNICertForName is similar to TestHandshakeServerSNI, but
965 // tests the dynamic GetCertificate method
966 func TestHandshakeServerSNIGetCertificate(t *testing.T) {
967 config := testConfig.Clone()
969 // Replace the NameToCertificate map with a GetCertificate function
970 nameToCert := config.NameToCertificate
971 config.NameToCertificate = nil
972 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
973 cert := nameToCert[clientHello.ServerName]
977 name: "SNI-GetCertificate",
978 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
981 runServerTestTLS12(t, test)
984 // TestHandshakeServerSNICertForNameNotFound is similar to
985 // TestHandshakeServerSNICertForName, but tests to make sure that when the
986 // GetCertificate method doesn't return a cert, we fall back to what's in
987 // the NameToCertificate map.
988 func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
989 config := testConfig.Clone()
991 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
995 name: "SNI-GetCertificateNotFound",
996 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
999 runServerTestTLS12(t, test)
1002 // TestHandshakeServerSNICertForNameError tests to make sure that errors in
1003 // GetCertificate result in a tls alert.
1004 func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
1005 const errMsg = "TestHandshakeServerSNIGetCertificateError error"
1007 serverConfig := testConfig.Clone()
1008 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1009 return nil, errors.New(errMsg)
1012 clientHello := &clientHelloMsg{
1014 random: make([]byte, 32),
1015 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
1016 compressionMethods: []uint8{compressionNone},
1019 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1022 // TestHandshakeServerEmptyCertificates tests that GetCertificates is called in
1023 // the case that Certificates is empty, even without SNI.
1024 func TestHandshakeServerEmptyCertificates(t *testing.T) {
1025 const errMsg = "TestHandshakeServerEmptyCertificates error"
1027 serverConfig := testConfig.Clone()
1028 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1029 return nil, errors.New(errMsg)
1031 serverConfig.Certificates = nil
1033 clientHello := &clientHelloMsg{
1035 random: make([]byte, 32),
1036 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
1037 compressionMethods: []uint8{compressionNone},
1039 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1041 // With an empty Certificates and a nil GetCertificate, the server
1042 // should always return a “no certificates” error.
1043 serverConfig.GetCertificate = nil
1045 clientHello = &clientHelloMsg{
1047 random: make([]byte, 32),
1048 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
1049 compressionMethods: []uint8{compressionNone},
1051 testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
1054 // TestCipherSuiteCertPreferance ensures that we select an RSA ciphersuite with
1055 // an RSA certificate and an ECDSA ciphersuite with an ECDSA certificate.
1056 func TestCipherSuiteCertPreferenceECDSA(t *testing.T) {
1057 config := testConfig.Clone()
1058 config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}
1059 config.PreferServerCipherSuites = true
1061 test := &serverTest{
1062 name: "CipherSuiteCertPreferenceRSA",
1065 runServerTestTLS12(t, test)
1067 config = testConfig.Clone()
1068 config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}
1069 config.Certificates = []Certificate{
1071 Certificate: [][]byte{testECDSACertificate},
1072 PrivateKey: testECDSAPrivateKey,
1075 config.BuildNameToCertificate()
1076 config.PreferServerCipherSuites = true
1079 name: "CipherSuiteCertPreferenceECDSA",
1082 runServerTestTLS12(t, test)
1085 func TestServerResumption(t *testing.T) {
1086 sessionFilePath := tempFile("")
1087 defer os.Remove(sessionFilePath)
1089 testIssue := &serverTest{
1090 name: "IssueTicket",
1091 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath},
1094 testResume := &serverTest{
1096 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath},
1097 validate: func(state ConnectionState) error {
1098 if !state.DidResume {
1099 return errors.New("did not resume")
1105 runServerTestTLS12(t, testIssue)
1106 runServerTestTLS12(t, testResume)
1108 runServerTestTLS13(t, testIssue)
1109 runServerTestTLS13(t, testResume)
1111 config := testConfig.Clone()
1112 config.CurvePreferences = []CurveID{CurveP256}
1114 testResumeHRR := &serverTest{
1115 name: "Resume-HelloRetryRequest",
1116 command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-sess_in", sessionFilePath},
1118 validate: func(state ConnectionState) error {
1119 if !state.DidResume {
1120 return errors.New("did not resume")
1126 runServerTestTLS13(t, testResumeHRR)
1129 func TestServerResumptionDisabled(t *testing.T) {
1130 sessionFilePath := tempFile("")
1131 defer os.Remove(sessionFilePath)
1133 config := testConfig.Clone()
1135 testIssue := &serverTest{
1136 name: "IssueTicketPreDisable",
1137 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath},
1141 testResume := &serverTest{
1142 name: "ResumeDisabled",
1143 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath},
1145 validate: func(state ConnectionState) error {
1146 if state.DidResume {
1147 return errors.New("resumed with SessionTicketsDisabled")
1153 config.SessionTicketsDisabled = false
1154 runServerTestTLS12(t, testIssue)
1155 config.SessionTicketsDisabled = true
1156 runServerTestTLS12(t, testResume)
1158 config.SessionTicketsDisabled = false
1159 runServerTestTLS13(t, testIssue)
1160 config.SessionTicketsDisabled = true
1161 runServerTestTLS13(t, testResume)
1164 func TestFallbackSCSV(t *testing.T) {
1165 serverConfig := Config{
1166 Certificates: testConfig.Certificates,
1168 test := &serverTest{
1169 name: "FallbackSCSV",
1170 config: &serverConfig,
1171 // OpenSSL 1.0.1j is needed for the -fallback_scsv option.
1172 command: []string{"openssl", "s_client", "-fallback_scsv"},
1173 expectHandshakeErrorIncluding: "inappropriate protocol fallback",
1175 runServerTestTLS11(t, test)
1178 func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
1179 test := &serverTest{
1180 name: "ExportKeyingMaterial",
1181 command: []string{"openssl", "s_client"},
1182 config: testConfig.Clone(),
1183 validate: func(state ConnectionState) error {
1184 if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
1185 return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
1186 } else if len(km) != 42 {
1187 return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
1192 runServerTestTLS10(t, test)
1193 runServerTestTLS12(t, test)
1194 runServerTestTLS13(t, test)
1197 func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
1198 test := &serverTest{
1199 name: "RSA-RSAPKCS1v15",
1200 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pkcs1_sha256"},
1202 runServerTestTLS12(t, test)
1205 func TestHandshakeServerRSAPSS(t *testing.T) {
1206 test := &serverTest{
1208 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
1210 runServerTestTLS12(t, test)
1211 runServerTestTLS13(t, test)
1214 func TestHandshakeServerPSSDisabled(t *testing.T) {
1215 test := &serverTest{
1216 name: "RSA-PSS-Disabled",
1217 command: []string{"openssl", "s_client", "-no_ticket"},
1221 // Restore the default signature algorithms, disabling RSA-PSS in TLS 1.2,
1222 // and check that handshakes still work.
1223 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12
1224 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }()
1225 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12
1227 runServerTestTLS12(t, test)
1228 runServerTestTLS13(t, test)
1231 name: "RSA-PSS-Disabled-Required",
1232 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
1235 expectHandshakeErrorIncluding: "peer doesn't support any common signature algorithms",
1238 runServerTestTLS12(t, test)
1241 func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
1242 config := testConfig.Clone()
1243 config.CipherSuites = []uint16{cipherSuite}
1244 config.CurvePreferences = []CurveID{curve}
1245 config.Certificates = make([]Certificate, 1)
1246 config.Certificates[0].Certificate = [][]byte{cert}
1247 config.Certificates[0].PrivateKey = key
1248 config.BuildNameToCertificate()
1250 clientConn, serverConn := localPipe(b)
1251 serverConn = &recordingConn{Conn: serverConn}
1253 config := testConfig.Clone()
1254 config.MaxVersion = version
1255 config.CurvePreferences = []CurveID{curve}
1256 client := Client(clientConn, config)
1259 server := Server(serverConn, config)
1260 if err := server.Handshake(); err != nil {
1261 b.Fatalf("handshake failed: %v", err)
1264 flows := serverConn.(*recordingConn).flows
1266 feeder := make(chan struct{})
1267 clientConn, serverConn = localPipe(b)
1271 for i, f := range flows {
1276 ff := make([]byte, len(f))
1277 n, err := io.ReadFull(clientConn, ff)
1279 b.Errorf("#%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", i+1, err, n, len(ff), ff[:n], f)
1281 if !bytes.Equal(f, ff) {
1282 b.Errorf("#%d: mismatch on read: got:%x want:%x", i+1, ff, f)
1289 for i := 0; i < b.N; i++ {
1290 feeder <- struct{}{}
1291 server := Server(serverConn, config)
1292 if err := server.Handshake(); err != nil {
1293 b.Fatalf("handshake failed: %v", err)
1299 func BenchmarkHandshakeServer(b *testing.B) {
1300 b.Run("RSA", func(b *testing.B) {
1301 benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256,
1302 0, testRSACertificate, testRSAPrivateKey)
1304 b.Run("ECDHE-P256-RSA", func(b *testing.B) {
1305 b.Run("TLSv13", func(b *testing.B) {
1306 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1307 CurveP256, testRSACertificate, testRSAPrivateKey)
1309 b.Run("TLSv12", func(b *testing.B) {
1310 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1311 CurveP256, testRSACertificate, testRSAPrivateKey)
1314 b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) {
1315 b.Run("TLSv13", func(b *testing.B) {
1316 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1317 CurveP256, testP256Certificate, testP256PrivateKey)
1319 b.Run("TLSv12", func(b *testing.B) {
1320 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1321 CurveP256, testP256Certificate, testP256PrivateKey)
1324 b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) {
1325 b.Run("TLSv13", func(b *testing.B) {
1326 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1327 X25519, testP256Certificate, testP256PrivateKey)
1329 b.Run("TLSv12", func(b *testing.B) {
1330 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1331 X25519, testP256Certificate, testP256PrivateKey)
1334 b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) {
1335 if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() {
1336 b.Fatal("test ECDSA key doesn't use curve P-521")
1338 b.Run("TLSv13", func(b *testing.B) {
1339 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1340 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1342 b.Run("TLSv12", func(b *testing.B) {
1343 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1344 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1349 const clientCertificatePEM = `
1350 -----BEGIN CERTIFICATE-----
1351 MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS
1352 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz
1353 MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
1354 gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff
1355 NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K
1356 hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD
1357 VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw
1358 DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU
1359 8ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK
1360 o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR
1361 e/oCO8HJ/+rJnahJ05XX1Q7lNQ==
1362 -----END CERTIFICATE-----`
1364 const clientKeyPEM = `
1365 -----BEGIN RSA PRIVATE KEY-----
1366 MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa
1367 YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J
1368 czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB
1369 AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc
1370 qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv
1371 PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z
1372 9TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY
1373 dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ
1374 zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w
1375 jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ
1376 rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr
1377 FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU
1378 csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6
1379 -----END RSA PRIVATE KEY-----`
1381 const clientECDSACertificatePEM = `
1382 -----BEGIN CERTIFICATE-----
1383 MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
1384 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
1385 eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG
1386 EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK
1387 b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv
1388 ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs
1389 jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q
1390 ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg
1391 C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa
1392 2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw
1393 jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes=
1394 -----END CERTIFICATE-----`
1396 const clientECDSAKeyPEM = `
1397 -----BEGIN EC PARAMETERS-----
1399 -----END EC PARAMETERS-----
1400 -----BEGIN EC PRIVATE KEY-----
1401 MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8
1402 k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1
1403 FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd
1404 3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx
1405 +U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q==
1406 -----END EC PRIVATE KEY-----`
1408 func TestClientAuth(t *testing.T) {
1409 var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath string
1412 certPath = tempFile(clientCertificatePEM)
1413 defer os.Remove(certPath)
1414 keyPath = tempFile(clientKeyPEM)
1415 defer os.Remove(keyPath)
1416 ecdsaCertPath = tempFile(clientECDSACertificatePEM)
1417 defer os.Remove(ecdsaCertPath)
1418 ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
1419 defer os.Remove(ecdsaKeyPath)
1422 t.Run("Normal", func(t *testing.T) {
1423 config := testConfig.Clone()
1424 config.ClientAuth = RequestClientCert
1426 test := &serverTest{
1427 name: "ClientAuthRequestedNotGiven",
1428 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
1431 runServerTestTLS12(t, test)
1432 runServerTestTLS13(t, test)
1434 config.ClientAuth = RequireAnyClientCert
1437 name: "ClientAuthRequestedAndGiven",
1438 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1439 "-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pss_rsae_sha256"},
1441 expectedPeerCerts: []string{clientCertificatePEM},
1443 runServerTestTLS12(t, test)
1444 runServerTestTLS13(t, test)
1447 name: "ClientAuthRequestedAndECDSAGiven",
1448 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1449 "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
1451 expectedPeerCerts: []string{clientECDSACertificatePEM},
1453 runServerTestTLS12(t, test)
1454 runServerTestTLS13(t, test)
1457 name: "ClientAuthRequestedAndPKCS1v15Given",
1458 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1459 "-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pkcs1_sha256"},
1461 expectedPeerCerts: []string{clientCertificatePEM},
1463 runServerTestTLS12(t, test)
1466 // Restore the default signature algorithms, disabling RSA-PSS in TLS 1.2,
1467 // and check that handshakes still work.
1468 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12
1469 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }()
1470 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12
1472 t.Run("PSSDisabled", func(t *testing.T) {
1473 config := testConfig.Clone()
1474 config.ClientAuth = RequireAnyClientCert
1476 test := &serverTest{
1477 name: "ClientAuthRequestedAndGiven-PSS-Disabled",
1478 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1479 "-cert", certPath, "-key", keyPath},
1481 expectedPeerCerts: []string{clientCertificatePEM},
1483 runServerTestTLS12(t, test)
1484 runServerTestTLS13(t, test)
1487 name: "ClientAuthRequestedAndGiven-PSS-Disabled-Required",
1488 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1489 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
1492 expectHandshakeErrorIncluding: "client didn't provide a certificate",
1494 runServerTestTLS12(t, test)
1498 func TestSNIGivenOnFailure(t *testing.T) {
1499 const expectedServerName = "test.testing"
1501 clientHello := &clientHelloMsg{
1503 random: make([]byte, 32),
1504 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
1505 compressionMethods: []uint8{compressionNone},
1506 serverName: expectedServerName,
1509 serverConfig := testConfig.Clone()
1510 // Erase the server's cipher suites to ensure the handshake fails.
1511 serverConfig.CipherSuites = nil
1513 c, s := localPipe(t)
1515 cli := Client(c, testConfig)
1516 cli.vers = clientHello.vers
1517 cli.writeRecord(recordTypeHandshake, clientHello.marshal())
1520 conn := Server(s, serverConfig)
1521 ch, err := conn.readClientHello()
1522 hs := serverHandshakeState{
1527 err = hs.processClientHello()
1530 err = hs.pickCipherSuite()
1535 t.Error("No error reported from server")
1538 cs := hs.c.ConnectionState()
1539 if cs.HandshakeComplete {
1540 t.Error("Handshake registered as complete")
1543 if cs.ServerName != expectedServerName {
1544 t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName)
1548 var getConfigForClientTests = []struct {
1549 setup func(config *Config)
1550 callback func(clientHello *ClientHelloInfo) (*Config, error)
1551 errorSubstring string
1552 verify func(config *Config) error
1556 func(clientHello *ClientHelloInfo) (*Config, error) {
1564 func(clientHello *ClientHelloInfo) (*Config, error) {
1565 return nil, errors.New("should bubble up")
1572 func(clientHello *ClientHelloInfo) (*Config, error) {
1573 config := testConfig.Clone()
1574 // Setting a maximum version of TLS 1.1 should cause
1575 // the handshake to fail, as the client MinVersion is TLS 1.2.
1576 config.MaxVersion = VersionTLS11
1579 "client offered only unsupported versions",
1583 func(config *Config) {
1584 for i := range config.SessionTicketKey {
1585 config.SessionTicketKey[i] = byte(i)
1587 config.sessionTicketKeys = nil
1589 func(clientHello *ClientHelloInfo) (*Config, error) {
1590 config := testConfig.Clone()
1591 for i := range config.SessionTicketKey {
1592 config.SessionTicketKey[i] = 0
1594 config.sessionTicketKeys = nil
1598 func(config *Config) error {
1599 // The value of SessionTicketKey should have been
1600 // duplicated into the per-connection Config.
1601 for i := range config.SessionTicketKey {
1602 if b := config.SessionTicketKey[i]; b != byte(i) {
1603 return fmt.Errorf("SessionTicketKey was not duplicated from original Config: byte %d has value %d", i, b)
1610 func(config *Config) {
1611 var dummyKey [32]byte
1612 for i := range dummyKey {
1613 dummyKey[i] = byte(i)
1616 config.SetSessionTicketKeys([][32]byte{dummyKey})
1618 func(clientHello *ClientHelloInfo) (*Config, error) {
1619 config := testConfig.Clone()
1620 config.sessionTicketKeys = nil
1624 func(config *Config) error {
1625 // The session ticket keys should have been duplicated
1626 // into the per-connection Config.
1627 if l := len(config.sessionTicketKeys); l != 1 {
1628 return fmt.Errorf("got len(sessionTicketKeys) == %d, wanted 1", l)
1635 func TestGetConfigForClient(t *testing.T) {
1636 serverConfig := testConfig.Clone()
1637 clientConfig := testConfig.Clone()
1638 clientConfig.MinVersion = VersionTLS12
1640 for i, test := range getConfigForClientTests {
1641 if test.setup != nil {
1642 test.setup(serverConfig)
1645 var configReturned *Config
1646 serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
1647 config, err := test.callback(clientHello)
1648 configReturned = config
1651 c, s := localPipe(t)
1652 done := make(chan error)
1656 done <- Server(s, serverConfig).Handshake()
1659 clientErr := Client(c, clientConfig).Handshake()
1664 if len(test.errorSubstring) == 0 {
1665 if serverErr != nil || clientErr != nil {
1666 t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr)
1668 if test.verify != nil {
1669 if err := test.verify(configReturned); err != nil {
1670 t.Errorf("test[%d]: verify returned error: %v", i, err)
1674 if serverErr == nil {
1675 t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring)
1676 } else if !strings.Contains(serverErr.Error(), test.errorSubstring) {
1677 t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr)
1683 func bigFromString(s string) *big.Int {
1685 ret.SetString(s, 10)
1689 func fromHex(s string) []byte {
1690 b, _ := hex.DecodeString(s)
1694 var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7")
1696 var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76")
1698 // testRSAPSSCertificate has signatureAlgorithm rsassaPss, and subjectPublicKeyInfo
1699 // algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes.
1700 // See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed.
1701 var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1")
1703 var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a")
1705 var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed")
1707 var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a")
1709 var testRSAPrivateKey = &rsa.PrivateKey{
1710 PublicKey: rsa.PublicKey{
1711 N: bigFromString("153980389784927331788354528594524332344709972855165340650588877572729725338415474372475094155672066328274535240275856844648695200875763869073572078279316458648124537905600131008790701752441155668003033945258023841165089852359980273279085783159654751552359397986180318708491098942831252291841441726305535546071"),
1714 D: bigFromString("7746362285745539358014631136245887418412633787074173796862711588221766398229333338511838891484974940633857861775630560092874987828057333663969469797013996401149696897591265769095952887917296740109742927689053276850469671231961384712725169432413343763989564437170644270643461665184965150423819594083121075825"),
1716 bigFromString("13299275414352936908236095374926261633419699590839189494995965049151460173257838079863316944311313904000258169883815802963543635820059341150014695560313417"),
1717 bigFromString("11578103692682951732111718237224894755352163854919244905974423810539077224889290605729035287537520656160688625383765857517518932447378594964220731750802463"),
1721 var testECDSAPrivateKey = &ecdsa.PrivateKey{
1722 PublicKey: ecdsa.PublicKey{
1723 Curve: elliptic.P521(),
1724 X: bigFromString("2636411247892461147287360222306590634450676461695221912739908880441342231985950069527906976759812296359387337367668045707086543273113073382714101597903639351"),
1725 Y: bigFromString("3204695818431246682253994090650952614555094516658732116404513121125038617915183037601737180082382202488628239201196033284060130040574800684774115478859677243"),
1727 D: bigFromString("5477294338614160138026852784385529180817726002953041720191098180813046231640184669647735805135001309477695746518160084669446643325196003346204701381388769751"),
1730 var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75"))
1732 func TestCloseServerConnectionOnIdleClient(t *testing.T) {
1733 clientConn, serverConn := localPipe(t)
1734 server := Server(serverConn, testConfig.Clone())
1736 clientConn.Write([]byte{'0'})
1739 server.SetReadDeadline(time.Now().Add(time.Minute))
1740 err := server.Handshake()
1742 if err, ok := err.(net.Error); ok && err.Timeout() {
1743 t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
1746 t.Errorf("Error expected, but no error returned")
1750 func TestCloneHash(t *testing.T) {
1751 h1 := crypto.SHA256.New()
1752 h1.Write([]byte("test"))
1754 h2 := cloneHash(h1, crypto.SHA256)
1756 if !bytes.Equal(s1, s2) {
1757 t.Error("cloned hash generated a different sum")
1761 func TestKeyTooSmallForRSAPSS(t *testing.T) {
1762 clientConn, serverConn := localPipe(t)
1763 client := Client(clientConn, testConfig)
1764 cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE-----
1765 MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS
1766 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy
1767 OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd
1768 ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ
1769 nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
1770 DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu
1771 Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q
1772 KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA==
1773 -----END CERTIFICATE-----`), []byte(`-----BEGIN RSA PRIVATE KEY-----
1774 MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T
1775 HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/
1776 yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z
1777 4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz
1778 nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd
1779 hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s
1780 T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
1781 -----END RSA PRIVATE KEY-----`))
1786 done := make(chan struct{})
1788 config := testConfig.Clone()
1789 config.Certificates = []Certificate{cert}
1790 config.MinVersion = VersionTLS13
1791 server := Server(serverConn, config)
1792 err := server.Handshake()
1793 if !strings.Contains(err.Error(), "key size too small for PSS signature") {
1794 t.Errorf(`expected "key size too small for PSS signature", got %q`, err)
1798 err = client.Handshake()
1799 if !strings.Contains(err.Error(), "handshake failure") {
1800 t.Errorf(`expected "handshake failure", got %q`, err)
1804 // With RSA-PSS disabled and TLS 1.2, this should work.
1806 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12
1807 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }()
1808 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12
1810 serverConfig := testConfig.Clone()
1811 serverConfig.Certificates = []Certificate{cert}
1812 serverConfig.MaxVersion = VersionTLS12
1813 testHandshake(t, testConfig, serverConfig)