Netscape SSL Test Suite

Newsgroup: mozilla.dev.tech.crypto
Technical contact: Bob Relyea
Yell at the manager: Bob Lord

Purpose

The SSL test suite uses the regress framework to run a series of test programs (up to 8000). Each test opens a client and a server SSL socket and transfers data between the two. By default, the suite runs on Communicator's internal crypto library, but it can be configured to run over any PKCS #11 cryptographic provider.

Setting Up the Suite

To set up the environment for the suite, put regress, sslt, ssl.reg, cert7.db, key3.db, secmod.db into a directory.

Running the Suite

The test suite is run like this:
regress specfile=ssl.reg progress
This command will read the specfile, then start running the test program (sslt).

The test suite uses Netscape's PKCS#11 implementation to locate a certificate with the nickname 'SSLServer' to use as the SSL server certificate, and a certificate with the nickname 'SSLClient' to use as the SSL client certificate.

sslt takes at least one argument, the test ID number. This is automatically provided by regress. However, to facilitate running the suite on other cryptographic providers, other arguments may be required. You can run individual tests by simply running sslt with the appropriate test-id. sslt allows you to specify the nickname to be used for the SSL server and client certificates with the '-n' and '-c' options, and the password/pin protecting the key with the '-p' option. It's recommended to put these options as the 'globalArgs' parameter in the [General] section of the ssl.reg file.

We have provided you with keys and certificates in cert7.db and key3.db, so you can try out the suite on the internal Cryptographic Service Provider. The nicknames of the certificates are 'SSLServer' and 'SSLClient', and the password is 'netscape'.

Output is provided in a file named according to the date. In the event of any failures, we recommend running the same test combination with the internal cryptographic provider.

Please note that the listing of variables in each test in ssl.reg (the 'testname' line) is for information only. For example, changing SSLVersion3 to NoSSLVersion3 will not actually change the test at all. The 'testname' information is not transferred to the test. The variables are transferred to the test by way of the testid number.

Generating Your Keys and Certificates on Your Card

To use the suite with a hardware PKCS #11 solution, you will first need to use modutil and certutil (see Tools Information) to make two key pairs and two certificates on your card. You need to make one certificate that is valid for an SSL server and one for SSL client authentication. Please refer to the documentation for these tools. The following is an example of the commands that should be performed:

modutil -dbdir . -create
modutil -dbdir . -add "modulename" -libfile "c:\windows\driver.dll"
modutil -dbdir . -changepw "tokenname"
#create server key
certutil -d . -G -n SSLServer -k rsa -g 512 -y 65537 -h "tokenname"
#create client key
certutil -d . -G -n SSLClient -k rsa -g 512 -y 65537 -h "tokenname"
#create self-signed server certificate
certutil -d . -S -s "CN=www.domain.com" -x -t "Pu,Pu,Pu" -m 1 -n SSLServer -h "tokenname"
#create self-signed client certificate
certutil -d . -S -s "CN=xyz" -x -t "Pu,Pu,Pu" -m 2 -n SSLClient -h "tokenname"
The DN of the certificates (the -s parameter to certutil) is ignored by the suite. The secmod.db, cert7.db and key3.db should be placed into the same directory as the sslt executable. Edit 'globalArgs' at the start of ssl.reg to point the suite at your new hardware-based certificates. To indicate that the certs are on a hardware token, you must specify the token name in the nickname argument.

For example:

[General]
.
.
globalArgs= -n "Hardware Token Name:SSLServer" -c "Hardware Token Name:SSLClient" -p password
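The card preparation above and the globalArgs edit, combined into one script. This is an added example, not code from the original Netscape page; the script name run-sslt.sh, the assumption that modutil, certutil and regress are on PATH, and the assumption that ssl.reg is in the current directory are all mine.

```shell
#!/bin/sh
# Added example, not code from the original Netscape page: script the
# hardware-token preparation and point ssl.reg at the new certificates.
# Assumes modutil, certutil and regress are on PATH and that ssl.reg is in
# the current directory (both assumptions).

# Create the databases, register the PKCS #11 module and generate one RSA
# key pair plus self-signed certificate each for server and client.
# $1 = module name, $2 = path to the vendor PKCS #11 library, $3 = token name
setup_token_certs() {
    mod=$1; lib=$2; tok=$3
    modutil -dbdir . -create || return 1
    modutil -dbdir . -add "$mod" -libfile "$lib" || return 1
    modutil -dbdir . -changepw "$tok" || return 1
    # 512-bit RSA is the page's example size, not a size to use today.
    certutil -d . -G -n SSLServer -k rsa -g 512 -y 65537 -h "$tok" || return 1
    certutil -d . -G -n SSLClient -k rsa -g 512 -y 65537 -h "$tok" || return 1
    # The subject (-s) is ignored by the suite; only the nicknames matter.
    certutil -d . -S -s "CN=www.domain.com" -x -t "Pu,Pu,Pu" -m 1 \
        -n SSLServer -h "$tok" || return 1
    certutil -d . -S -s "CN=xyz" -x -t "Pu,Pu,Pu" -m 2 -n SSLClient -h "$tok"
}

# Build the globalArgs value for the [General] section of ssl.reg. The
# "token name:nickname" form tells sslt to look for the certs on the token.
global_args() {
    printf '%s "%s:SSLServer" -c "%s:SSLClient" -p "%s"' -n "$1" "$1" "$2"
}

# Replace the globalArgs= line of an ssl.reg file in place, keeping a copy
# of the original as <file>.orig. Fails if the file has no such line.
set_global_args() {
    reg=$1; args=$2
    grep -q '^globalArgs=' "$reg" || return 1
    cp "$reg" "$reg.orig" || return 1
    awk -v a="$args" '/^globalArgs=/ { print "globalArgs= " a; next } { print }' \
        "$reg.orig" > "$reg"
}

# usage: sh run-sslt.sh "modulename" /path/to/pkcs11.so "tokenname" pin
if [ $# -eq 4 ]; then
    setup_token_certs "$1" "$2" "$3" || exit 1
    set_global_args ssl.reg "$(global_args "$3" "$4")" || exit 1
    regress specfile=ssl.reg progress
fi
```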

Error Codes

Error Code Description
0 SUCCESS
1 reserved
2 Couldn't initialize address for server socket
3 Couldn't bind server socket to address.
4 Couldn't listen
5 Couldn't find out which port server socket is sitting at
6 Couldn't create client thread
7 PR_Accept returned NULL
9 Join Thread failed
10 Couldn't enable security on this socket
11 Couldn't enable client auth on this socket
12 Couldn't find server certificate
13 Couldn't find private key for this certificate
14 Couldn't configure server with this certificate/key pair
15 Couldn't configure server session ID cache
16 Found non-existent certificate in database
20 Couldn't create new NSPR20 TCP socket for server
21 Couldn't create SSL socket from NSPR20 socket for server
30 Couldn't allocate memory for CertDBHandle
31 Couldn't open Certificate Database 'cert7.db' in current directory
40 Couldn't Enable SSL2 in SSL2-only case
41 Couldn't Disable SSL3 in SSL2-only case
42 Couldn't Disable SSL2 in SSL3-only case
43 Couldn't Enable SSL3 in SSL3-only case
44 Couldn't Enable SSL2 in Both SSL2 and 3 case
45 Couldn't Enable SSL3 in Both SSL2 and 3 case
50 Got an exception on the socket
51 Got an error while SSL Reading data
52 Didn't SSL Write any bytes
53 Got an Error while SSL Writing
54 We didn't write the right number of bytes
71 Data got corrupted
73 Error inside verify code
101 Couldn't make Client point back to 127.0.0.1
102 Client couldn't connect to Server
120 Couldn't create new NSPR20 TCP socket for Client
121 Couldn't create SSL socket from NSPR20 socket for Client
130 Could not enable security on Client Socket
131 Couldn't find client's certificate