70 lines
2.9 KiB
Diff
70 lines
2.9 KiB
Diff
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
|
|
index ca16600130..c85d8789df 100644
|
|
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
|
|
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
|
|
@@ -247,45 +247,52 @@ typedef struct test_st {
|
|
} test_st;
|
|
|
|
static const test_st tests[] = {
|
|
- {.name = "ecc key",
|
|
+ {.name = "tls1.2: ecc key",
|
|
.pk = GNUTLS_PK_ECDSA,
|
|
- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
|
|
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
|
.cert = &server_ca3_localhost_ecc_cert,
|
|
.key = &server_ca3_ecc_key,
|
|
.exp_kx = GNUTLS_KX_ECDHE_ECDSA
|
|
},
|
|
- {.name = "rsa-sign key",
|
|
+ {.name = "tls1.2: rsa-sign key",
|
|
.pk = GNUTLS_PK_RSA,
|
|
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
|
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
|
.cert = &server_ca3_localhost_cert,
|
|
.key = &server_ca3_key,
|
|
.exp_kx = GNUTLS_KX_ECDHE_RSA
|
|
},
|
|
- {.name = "rsa-sign key with rsa-pss sigs prioritized",
|
|
+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
|
|
.pk = GNUTLS_PK_RSA,
|
|
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
|
|
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
|
|
.cert = &server_ca3_localhost_cert,
|
|
.key = &server_ca3_key,
|
|
.exp_kx = GNUTLS_KX_ECDHE_RSA
|
|
},
|
|
- {.name = "rsa-pss-sign key",
|
|
+ {.name = "tls1.2: rsa-pss-sign key",
|
|
.pk = GNUTLS_PK_RSA_PSS,
|
|
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
|
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
|
.cert = &server_ca3_rsa_pss2_cert,
|
|
.key = &server_ca3_rsa_pss2_key,
|
|
.exp_kx = GNUTLS_KX_ECDHE_RSA,
|
|
.requires_pkcs11_pss = 1,
|
|
- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
|
|
},
|
|
- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
|
|
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
|
|
.pk = GNUTLS_PK_RSA,
|
|
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
|
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
|
+ .cert = &server_ca3_rsa_pss_cert,
|
|
+ .key = &server_ca3_rsa_pss_key,
|
|
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
|
|
+ .requires_pkcs11_pss = 1,
|
|
+ },
|
|
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
|
|
+ .pk = GNUTLS_PK_RSA,
|
|
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
|
|
.cert = &server_ca3_rsa_pss_cert,
|
|
.key = &server_ca3_rsa_pss_key,
|
|
.exp_kx = GNUTLS_KX_ECDHE_RSA,
|
|
.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
|
|
},
|
|
- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
|
|
+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
|
|
.pk = GNUTLS_PK_EDDSA_ED25519,
|
|
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
|
.cert = &server_ca3_eddsa_cert,
|