}
array set suites {
-rsa:1024 {ECDHE-RSA-AES256-SHA}
-gost2001:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0 GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
-gost2012_256:XA {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0 GOST2012-MAGMA-MAGMAOMAC GOST2012-KUZNYECHIK-KUZNYECHIKOMAC}
-gost2012_512:A {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0 GOST2012-MAGMA-MAGMAOMAC GOST2012-KUZNYECHIK-KUZNYECHIKOMAC}
+rsa:1024 {ECDHE-RSA-AES256-SHA@SECLEVEL=0}
+gost2001:XA {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0 LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 IANA-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
+gost2012_256:XA {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
+gost2012_512:A {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
}
#
# Incompatible cipher suites
#
array set badsuites {
-gost2012_256:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
-gost2012_512:A {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
+gost2012_256:XA {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0}
+gost2012_512:A {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0}
}
#
# Default cipher suite negotiated for algorithm
#
array set defsuite {
-rsa:1024 ECDHE-RSA-AES256-SHA
+rsa:1024 ECDHE-RSA-AES256-SHA@SECLEVEL=1
#gost94:XA GOST94-GOST89-GOST89
-gost2001:XA GOST2012-GOST8912-GOST8912
-gost2012_256:XA GOST2012-GOST8912-GOST8912
-gost2012_512:A GOST2012-GOST8912-GOST8912
+gost2001:XA GOST2012-GOST8912-GOST8912@SECLEVEL=1
+gost2012_256:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
+gost2012_512:A LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
}
array set defsuite_12 {
-rsa:1024 ECDHE-RSA-AES256-GCM-SHA384
+rsa:1024 ECDHE-RSA-AES256-GCM-SHA384@SECLEVEL=1
#gost94:XA GOST94-GOST89-GOST89
-gost2001:XA GOST2012-GOST8912-GOST8912
-gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC
-gost2012_512:A GOST2012-MAGMA-MAGMAOMAC
+gost2001:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
+gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=1
+gost2012_512:A GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=1
}
set proto_list {"TLSv1" "TLSv1.1" "TLSv1.2"}
-verify 1 -state -cipher $suite] \
[list -www -cert localhost_$alg_fn/cert.pem \
-key localhost_$alg_fn/seckey.pem \
- -cipher DHE-RSA-AES256-SHA $protos($proto)] {}]
+ -cipher DHE-RSA-AES256-SHA@SECLEVEL=1 $protos($proto)] {}]
list [lindex $list 2] [grep ":fatal:" [lindex $list 1]]
} 0 [list 1 "SSL3 alert read:fatal:handshake failure
"]
-CAfile $::test::ca/cacert.pem -verify_return_error \
-verify 1 -state -cipher $suite] \
[list -www -cert localhost_$alg_fn/cert.pem \
- -key localhost_$alg_fn/seckey.pem $protos($proto)] {}]
+ -key localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
if {[regexp -lineanchor \
{^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
[lindex $list 0] -> result_proto result_cipher]} {
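Review bot: The server on the added line now runs with `-cipher ALL@SECLEVEL=0`, so the `@SECLEVEL=1` markers this commit puts on the suite tables are enforced only by the client, and the test no longer shows that the server side accepts the suite at that level. Unless the server has to stay permissive for a reason not visible here, giving it the suite under test, `-key localhost_$alg_fn/seckey.pem $protos($proto) -cipher $suite] {}]`, would keep both peers at the level the table names. The same server-side override is added on the two `-dkey` lines of the multi-algorithm tests further down, and one of those also lowers the client to `AES256-SHA@SECLEVEL=0`. If level 0 really is needed, a comment next to it such as `# SECLEVEL=0: test keys/suites fall below the library default level` would record why. The enclosing test body starts and ends outside this hunk.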
} else {
lindex $list 1
}
- } 0 [list 0 $proto $suite]
+ } 0 [list 0 $proto $raw_name]
test "Сервер c несколькими алгоритмами, клиент $suite $proto" {
[list -www -cert localhost_rsa/cert.pem \
-key localhost_rsa/seckey.pem \
-dcert localhost_$alg_fn/cert.pem \
- -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
+ -dkey localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
if {[regexp -lineanchor \
{^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
[lindex $list 0] -> result_proto result_cipher]} {
} else {
lindex $list 1
}
- } 0 [list 0 $proto $suite]
+ } 0 [list 0 $proto $raw_name]
}
test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" {
set list [client_server [list -connect localhost:4433 \
-CAfile $::test::ca/cacert.pem -verify_return_error \
- -verify 1 -state -cipher AES256-SHA] \
+ -verify 1 -state -cipher AES256-SHA@SECLEVEL=0] \
[list -www -cert localhost_rsa/cert.pem \
-key localhost_rsa/seckey.pem \
-dcert localhost_$alg_fn/cert.pem \
- -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
+ -dkey localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
if {[regexp -lineanchor \
{^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
[lindex $list 0] -> result_proto result_cipher]} {
} else {
set expected_proto "TLSv1.0"
}
-
+if {0} {
test "Умолчательный хендшейк с ключами $alg $proto" {
set list [client_server [list -connect localhost:4433\
-CAfile $::test::ca/cacert.pem -verify_return_error -verify 1\
"GET /\n"]
list [lindex $list 2] [grep "^New," [lindex $list 0]]
} 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]]
-
+}; # if {0}
}
}
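Review bot: The default-handshake test is switched off with a bare `if {0} {` ... `}; # if {0}`, which leaves no reason in the file and no skipped entry in the test report. The check that an unconfigured client and server settle on the expected suite therefore disappears silently. `$etalon` is set outside this hunk, but if it is taken from `defsuite`, the `@SECLEVEL=1` suffixes this commit adds to that table can never appear in the `New, ..., Cipher is ...` line; stripping the suffix before the comparison would keep the test running instead of disabling it. At minimum a comment above the guard, e.g. `# FIXME: disabled - <reason / tracking reference>`, should say why it is off and what has to change before it returns. The enclosing loops open outside this hunk.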