tests: Run TLS tests also when forcing all server operations on token

[Jakuje]

Description

This is likely the missing bit we had when trying to reproduce the issue #395. These are changes forcing all the TLS operations on token for the s_server. The s_client fails the basic key verification, because it is likely not correctly imported to the provider (?).

With this configuration the TLS 1.3 with RSA and ECDSA host certs work ok, TLS 1.2 with RSA too, but TLS 1.2 with ECDSA fails with

00EE1FD59A7F0000:error:0A0000C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2220:^M

I was not able to figure out what OpenSSL needs at this point. I did not see any failures on the pkcs11 nor on the pkcs11 provider layer.

Checklist

• Code modified for feature
• Test suite updated with functionality tests
• Test suite updated with negative tests
• Documentation updated

Reviewer's checklist:

• Any issues marked for closing are addressed
• There is a test suite reasonably covering new functionality or modifications
• This feature/change has adequate documentation added
• Code conform to coding style that today cannot yet be enforced via the check style test
• Commits have short titles and sensible commit messages
• Coverity Scan has run if needed (code PR) and no new defects were found

[simo5]

Have you tried importing #424 to see if that improves something ?

[simo5]

If that does not help it may be some issue with the group aliases, OpenSSL is quite baroque and uses multiple names for ciphers in some places, and then insists on specific names among the aliases in other places.

[Jakuje]

Have you tried importing #424 to see if that improves something ?

Good point. Tried now, but the error is the same.

[simo5]

This has basically been done in #446, so I am going to close this PR.

[Jakuje]

This has basically been done in #446, so I am going to close this PR.

This is actually not true. The #446 added just one test forcing the operation on the token, while here I added all the existing TLS tests to be executed. But all of them seems to work now in the way how they are written.

When I add the test from #449, it fails as described in the issue, but the expect is not catching the error for some reason (which needs some more digging), even though we got the failure as described:

spawn openssl s_client -connect localhost:23456 -CAfile /home/jjelen/devel/pkcs11-provider/builddir/tests/softokn/CAcert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
80220C337F7F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:909:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
ERROR
80F22F2D037F0000:error:0A00013A:SSL routines:tls_parse_ctos_key_share:unable to find ecdh parameters:ssl/statem/extensions_srvr.c:685:
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
send: spawn id exp3 not open
    while executing
"send " NO SESSION PARAMETERS \n""
    invoked from within
"expect {
            "END SSL SESSION PARAMETERS" {};
            default {
                send " NO SESSION PARAMETERS \n";
                exit 1;
..."