Netscape SSL Test Suite
Newsgroup: mozilla.dev.tech.crypto
Technical contact: Bob Relyea
Yell at the manager: Bob Lord
Purpose
The SSL test suite uses the regress framework to run a series of test programs (up to 8000). Each test opens a client and a server SSL socket and transfers data between the two. By default, the suite runs on Communicator's internal crypto library, but it can be configured to run over any PKCS #11 cryptographic provider.
Setting Up the Suite
To set up the environment for the suite, put regress, sslt, ssl.reg, cert7.db, key3.db and secmod.db into a single directory.
Running the Suite
The test suite is run like this:

regress specfile=ssl.reg progress

This command will read the specfile, then start running the test program (sslt).
The test suite uses Netscape's PKCS#11 implementation to locate a certificate with the nickname 'SSLServer' to use as the SSL server certificate, and a certificate with the nickname 'SSLClient' to use as the SSL client certificate.
sslt takes at least one argument, the test ID number. This is automatically provided by regress. However, to facilitate running the suite on other cryptographic providers, other arguments may be required. You can run individual tests by simply running sslt with the appropriate test-id. sslt allows you to specify the nickname to be used for the SSL server and client certificates with the '-n' and '-c' options, and the password/pin protecting the key with the '-p' option. It's recommended to put these options as the 'globalArgs' parameter in the [General] section of the ssl.reg file.
We have provided you with keys and certificates in cert7.db and key3.db, so you can try out the suite on the internal Cryptographic Service Provider. The nicknames of the certificates are 'SSLServer' and 'SSLClient', and the password is 'netscape'.
Output is provided in a file named according to the date. In the event of any failures, we recommend running the same test combination with the internal cryptographic provider.
Please note that the listing of variables in each test in ssl.reg (the 'testname' line) is for information only. For example, changing SSLVersion3 to NoSSLVersion3 will not actually change the test at all. The 'testname' information is not transferred to the test. The variables are transferred to the test by way of the testid number.
Generating Your Keys and Certificates on Your Card
To use the suite with a hardware PKCS #11 solution, you will first need to use modutil and certutil (see Tools Information) to make two key pairs and two certificates on your card. You need one certificate that is good for SSL Server and one for SSL Client auth. Please refer to the documentation for these tools. The following is an example of the commands that should be performed:
modutil -dbdir . -create
modutil -dbdir . -add "modulename" -libfile "c:\windows\driver.dll"
modutil -dbdir . -changepw "tokenname"

#create server key
certutil -d . -G -n SSLServer -k rsa -g 512 -y 65537 -h "tokenname"
#create client key
certutil -d . -G -n SSLClient -k rsa -g 512 -y 65537 -h "tokenname"

#issue the self-signed server and client certificates
certutil -d . -S -s "CN=www.domain.com" -x -t "Pu,Pu,Pu" -m 1 -n SSLServer -h tokenname
certutil -d . -S -s "CN=xyz" -x -t "Pu,Pu,Pu" -m 2 -n SSLClient -h tokenname

The DN of the certificates (the -s parameter to certutil) is ignored by the suite. The secmod.db, cert7.db and key3.db must be placed in the same directory as the sslt executable. Edit 'globalArgs' at the start of ssl.reg to point the suite at your new hardware-based certificates. To indicate that the certs are on a hardware token, you must prefix the nickname argument with the token name, separated by a colon:
[General]
. .
globalArgs= -n "Hardware Token Name:SSLServer" -c "Hardware Token Name:SSLClient" -p password
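A pre-flight script for the setup described above, added here as an example (it is not part of the Netscape suite): it checks that the required files and both certificate nicknames are present before the suite is started, and builds the globalArgs line for the token-prefixed nickname form. It assumes the NSS certutil tool is on PATH for the certificate check.

```shell
#!/bin/sh
# Pre-flight check for the sslt/regress directory described above.
# Example written for this page, not part of the Netscape suite; it assumes
# the NSS certutil tool is on PATH when check_certs is used.

# Build the -n/-c argument: a bare nickname for the internal token, or
# "Token Name:nickname" when the certificate lives on a hardware PKCS #11 token.
ssl_nick() {
  # $1 = token name (empty for the internal token), $2 = certificate nickname
  if [ -n "$1" ]; then printf '%s:%s' "$1" "$2"; else printf '%s' "$2"; fi
}

# Succeed only if every file the suite needs is present in directory $1.
check_suite_dir() {
  dir=$1
  for f in regress sslt ssl.reg cert7.db key3.db secmod.db; do
    [ -e "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  return 0
}

# Confirm both certificates resolve in the database before spending time on
# thousands of tests: certutil -L -n prints the cert, or fails when it is absent.
check_certs() {
  dir=$1; server=$2; client=$3
  for n in "$server" "$client"; do
    certutil -d "$dir" -L -n "$n" >/dev/null 2>&1 ||
      { echo "certificate '$n' not found in $dir" >&2; return 1; }
  done
  return 0
}

# Emit the globalArgs line for the [General] section of ssl.reg.
global_args() {
  # $1 = token name (may be empty), $2 = server nick, $3 = client nick, $4 = password
  printf 'globalArgs= -n "%s" -c "%s" -p %s\n' \
    "$(ssl_nick "$1" "$2")" "$(ssl_nick "$1" "$3")" "$4"
}

# Run the whole suite from directory $1 once the checks pass.
run_suite() {
  check_suite_dir "$1" && check_certs "$1" "$2" "$3" &&
    ( cd "$1" && ./regress specfile=ssl.reg progress )
}
```

For the shipped databases, `run_suite . SSLServer SSLClient` is enough; for a card, pass the token-prefixed nicknames produced by ssl_nick.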
| Code | Description |
|---|---|
| 2 | Couldn't initialize address for server socket |
| 3 | Couldn't bind server socket to address. |
| 5 | Couldn't find out which port server socket is sitting at |
| 6 | Couldn't create client thread |
| 7 | PR_Accept return NULL |
| 9 | Join Thread failed |
| 10 | Couldn't enable security on this socket |
| 11 | Couldn't enable client auth on this socket |
| 12 | Couldn't find server certificate |
| 13 | Couldn't find private key for this certificate |
| 14 | Couldn't configure server with this certificate/key pair |
| 15 | Couldn't configure server session ID cache |
| 16 | Found non-existant certificate in database |
| 20 | Couldn't create new NSPR20 TCP socket for server |
| 21 | Couldn't create SSL socket from NSPR20 socket for server |
| 30 | Couldn't allocate memory for CertDBHandle |
| 31 | Couldn't open Certificate Database 'cert7.db' in current directory |
| 40 | Couldn't Enable SSL2 in SSL2-only case |
| 41 | Couldn't Disable SSL3 in SSL2-only case |
| 42 | Couldn't Disable SSL2 in SSL3-only case |
| 43 | Couldn't Enable SSL3 in SSL3-only case |
| 44 | Couldn't Enable SSL2 in Both SSL2 and 3 case |
| 45 | Couldn't Enable SSL3 in Both SSL2 and 3 case |
| 50 | Got an exception on the socket |
| 51 | Got an error while SSL Reading data |
| 52 | Didn't SSL Write any bytes |
| 53 | Got an Error while SSL Writing |
| 54 | We didn't write the write amount of bytes |
| 71 | Data got corrupted |
| 73 | Error inside verify code |
| 101 | Couldn't make Client point back to 127.0.0.1 |
| 102 | Client couldn't connect to Server |
| 120 | Couldn't create new NSPR20 TCP socket for Client |
| 121 | Couldn't create SSL socket from NSPR20 socket for Client |
| 130 | Could not enable security on Client Socket |
| 131 | Couldn't find client's certificate |