[continued from previous message]
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%09 -cert pkcs11:type=cert;object=ed2Cert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MIGDAgEBAgIDBAQCEwIEIACXZtgAN2G37UwZe/4DNojzoYp0DjT/vb9VdG9FOYmn BDCB9cQiCoE6Dp95ocIdqltiWGBnAxi0Oy5WqyYLYk/nWjwmNNjCgoDR8arI0uNR 3lahBgIEZ/o7O6IEAgIcIKQGBAQBAAAArgYCBBrara6zBAICEew=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_
sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_
pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
Shared groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run test with TLS 1.2
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My Test Cert
i:CN=Issuer
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjAxMRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMcui28zjpBTCQCCyxI2Su9brj5yxKb/ccI3 u9ipO7YCde7wVVPpjCZzXIzUmqpQ3tke+2YyBHjqcIeBJnvB+xKt6Oq6sHQ6IKL4 5dt3Vhj8Lvc/nyOFWOjJmeQLJGJvYn+ohqWIQ4Bk/3H9RDsLuam22mJ3LlHPZWcZ 2JAGyOvpZ94mrVcFXbwezCkK8kEoBCR/IZmCT7gWOFrWFEJ21JuWkyr7WZ0xaaNR 9O8EdMZBIZJ4scADmIiDn/rZ7UGQ98fC6RcCJUfZr9SG0JrGzv2ovGECF+Gd1ohT k2QV9xZ/HtV30iVD5slTfapS07ia281Q0f82YNQpgQrgvCuF+vECAwEAAaOBgTB/ MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBT0OHyt6wRKSITgknAIlOweeCNYGzAf BgNVHSMEGDAWgBQsoPImCu3nowAZzMgdv4Nr73ioDzANBgkqhkiG9w0BAQsFAAOC AQEAFzMqwcTSQ5mo130cP1oP16oECeUzEDkLJipwEg3aj+3XzagczgGjdgoNqkdH 9swEEivllD3Icrm1/cdqxWeAo8ys0PdFTMfZOqu0eHdIZmW7pV8gGXsIj+V4BWoT CKOsjfJ/rFU1emy8e+ct79VyUI2BxRJPoTKdM9qaYn5c9joC6znKi1tXN5OUho5A ae+VMWvq3crGQEDN2slPPyo56YDl1rhGFY4/pZPy0X7O2EWJzzpSJbq4M0kiXdqA YS+n/1WOx57LgfCl4VDfeZpr8VngfTC+UqCBhKCEASfshkxl9wZ0XlNEn3DxA2c/ rX/Xw3YYk1eMaw1wZ1FuP3hKXw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 1476 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4DCD1E3A0106790AD252D40AB1E4C94E233EDFAEA7C76A25F18B784776C07CB8
Session-ID-ctx:
Master-Key: 8439AD4A6B616C36FE75A17A5AC331D6D1371E329B06C31795757A9DD3F36EAC64578CC0D3A66978D270AC5EDD98281B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 11 8f b1 d5 e4 6e 26 e0-bc fb e6 51 31 0b 08 02 .....n&....Q1...
0010 - 5f 77 fe dd f7 64 d0 c1-a4 08 c7 fb 93 6d 51 e8 _w...d.......mQ.
0020 - e7 05 39 2a 61 14 c2 83-61 a1 93 08 de 70 3b 29 ..9*a...a....p;)
0030 - 89 5a db 36 23 ef 7b fe-ad 06 2c fb 9d d9 6a 14 .Z.6#.{...,...j.
0040 - d6 87 a0 4d 73 cf 46 04-10 03 68 d9 16 5c e8 ff ...Ms.F...h..\..
0050 - 73 8e 92 c8 98 b9 63 1f-df e6 a3 e5 98 f0 44 4e s.....c.......DN
0060 - f6 6c 63 20 d3 42 3d fe-79 96 d6 28 00 11 ac 13 .lc .B=.y..(....
0070 - a3 25 3a 90 c7 a6 ac fc-3a 74 9b db 4d 4e 71 c3 .%:.....:t..MNq.
0080 - 8a 10 e0 2e 7a 1f a2 e6-2d 2c 0f 00 c6 5d 64 67 ....z...-,...]dg
0090 - 57 d7 4b 5d 08 37 fc 98-26 be fc b1 81 5c 8f 65 W.K].7..&....\.e
00a0 - ed 63 87 df ed 49 fc be-5b 96 9c 07 e7 a6 6a 8d .c...I..[.....j.
Start Time: 1744452411
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
TLS SUCCESSFUL
406784AEBE7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALAMAQABDCEOa1Ka2FsNv51oXpawzHW0TceMpsGwxeVdXqd0/Nu rGRXjMDTpml40nCsXt2YKBuhBgIEZ/o7O6IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
HQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-
AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+
SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:
DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: x25519:secp256r1:x448:secp384r1:secp521r1
Shared groups: x25519:secp256r1:x448:secp384r1:secp521r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run test with explicit TLS 1.3
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My Test Cert
i:CN=Issuer
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjAxMRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMcui28zjpBTCQCCyxI2Su9brj5yxKb/ccI3 u9ipO7YCde7wVVPpjCZzXIzUmqpQ3tke+2YyBHjqcIeBJnvB+xKt6Oq6sHQ6IKL4 5dt3Vhj8Lvc/nyOFWOjJmeQLJGJvYn+ohqWIQ4Bk/3H9RDsLuam22mJ3LlHPZWcZ 2JAGyOvpZ94mrVcFXbwezCkK8kEoBCR/IZmCT7gWOFrWFEJ21JuWkyr7WZ0xaaNR 9O8EdMZBIZJ4scADmIiDn/rZ7UGQ98fC6RcCJUfZr9SG0JrGzv2ovGECF+Gd1ohT k2QV9xZ/HtV30iVD5slTfapS07ia281Q0f82YNQpgQrgvCuF+vECAwEAAaOBgTB/ MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBT0OHyt6wRKSITgknAIlOweeCNYGzAf BgNVHSMEGDAWgBQsoPImCu3nowAZzMgdv4Nr73ioDzANBgkqhkiG9w0BAQsFAAOC AQEAFzMqwcTSQ5mo130cP1oP16oECeUzEDkLJipwEg3aj+3XzagczgGjdgoNqkdH 9swEEivllD3Icrm1/cdqxWeAo8ys0PdFTMfZOqu0eHdIZmW7pV8gGXsIj+V4BWoT CKOsjfJ/rFU1emy8e+ct79VyUI2BxRJPoTKdM9qaYn5c9joC6znKi1tXN5OUho5A ae+VMWvq3crGQEDN2slPPyo56YDl1rhGFY4/pZPy0X7O2EWJzzpSJbq4M0kiXdqA YS+n/1WOx57LgfCl4VDfeZpr8VngfTC+UqCBhKCEASfshkxl9wZ0XlNEn3DxA2c/ rX/Xw3YYk1eMaw1wZ1FuP3hKXw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 2479 bytes and written 1540 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 552F3B883F30C08C805B92889E8C49C2C6031FE5C29A01DA6066D02970DE59E2
Session-ID-ctx:
Resumption PSK: B98CE8112FDE5D31072F5ED60BBF2069C83EF745C122522DF88F00C946D8D4A9A38F935D303561F7A92ACB2F48C70955
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 52 25 8b e2 4b ea 84-06 db 1e 4c bd 26 73 0e .R%..K.....L.&s.
0010 - 48 20 f6 ff 00 ed 8b 1f-ac d5 d8 37 fa c1 a1 29 H .........7...)
0020 - e1 bd 69 5a f7 cb 43 f1-96 12 66 ad 83 e4 dd 10 ..iZ..C...f.....
0030 - f1 3a ea 1d 01 ff c8 4e-d5 37 91 bf b6 56 e0 ca .:.....N.7...V..
0040 - ba aa 2d 95 f8 59 b7 57-3b 5a d7 54 9c 04 c5 3c ..-..Y.W;Z.T...<
0050 - 95 78 33 9e e3 ab 5a 67-76 88 b5 07 89 32 bd 20 .x3...Zgv....2.
0060 - 47 21 a4 84 ea 84 da 1b-3b a0 97 9b 2b 8e a5 9e G!......;...+...
0070 - c9 a9 66 2f bc 49 53 8a-89 fd 92 40 73 53 bc 6f ..f/.IS....@sS.o
0080 - 9f 74 a5 1a 1c 69 d2 92-20 47 90 b9 50 95 b3 b4 .t...i.. G..P...
0090 - 75 b8 4c 29 41 e2 b7 6c-9c 3b 07 ab dc f2 ea f7 u.L)A..l.;......
00a0 - 35 e2 f3 a8 ef a7 db 71-a8 19 9b 7c eb 2b cb c5 5......q...|.+..
00b0 - d8 c9 36 99 93 5c 51 10-0e ee 97 bc db d8 4d 2f ..6..\Q.......M/
00c0 - 54 70 9c 20 58 be bc 17-74 6c 63 18 ba 71 f4 2f Tp. X...tlc..q./
Start Time: 1744452411
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 491CD7B29344A48E49F5C3C7DA4F447F7ADB47F387118F45E2000ECDF28AB93A
Session-ID-ctx:
Resumption PSK: 853B9578AFBD3D3E02378A6E3E3567E221A1DCC49A5BBB7DDD3D377309C3D6B73B2B69E7276394734A94DEADB57B17AE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 52 25 8b e2 4b ea 84-06 db 1e 4c bd 26 73 0e .R%..K.....L.&s.
0010 - 58 d1 d5 05 9a 62 e1 8e-bf 13 f2 2c d1 45 42 4e X....b.....,.EBN
0020 - 64 07 a7 84 d1 ed 9b 9a-2c a3 2e 41 75 85 c1 89 d.......,..Au...
0030 - 71 e6 ad 4c 1f e7 6c af-7f 20 d6 50 76 65 86 09 q..L..l.. .Pve..
0040 - 4e 62 b3 83 f5 9c 63 65-94 23 82 af 3b 51 35 e4 Nb....ce.#..;Q5.
0050 - 78 df 75 36 5f d0 12 97-14 f9 5a 29 90 dd ae b7 x.u6_.....Z)....
0060 - 56 17 cf 18 ca 88 de c5-61 7e 01 79 19 98 b9 84 V.......a~.y....
0070 - f9 df 2a 8f cd bc 59 52-48 e6 9b de a5 7e 74 4c ..*...YRH....~tL
0080 - 00 33 cd 25 f3 80 30 d5-19 25 c2 8c ca c6 3b 71 .3.%..0..%....;q
0090 - b4 3f ff 3f 88 c5 43 a3-75 8b f0 a6 ac 99 21 52 .?.?..C.u.....!R
00a0 - 0f 4c 3a b6 55 33 a0 d7-ed 6f 64 f6 3d 4c 54 66 .L:.U3...od.=LTf
00b0 - ab d6 fd 59 7d 8d 50 38-a5 19 d8 93 57 b9 5e 77 ...Y}.P8....W.^w
00c0 - be 5f e1 25 18 0a 78 fc-6e c6 31 a4 74 87 4f 49 ._.%..x.n.1.t.OI
Start Time: 1744452411
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
TLS SUCCESSFUL
409764793A7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MIGEAgEBAgIDBAQCEwIEIGsyfSQYI3tnO5XD6ihTL5haS86YBaFTfp/Xg5uYvI2U BDCFO5V4r709PgI3im4+NWfiIaHcxJpbu33dPTdzCcPWtzsraecnY5RzSpTerbV7 F66hBgIEZ/o7O6IEAgIcIKQGBAQBAAAArgcCBQD1FqZWswQCAhHs
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_
sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_
pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
Shared groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My EC Cert
i:CN=Issuer
a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjAvMRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB BggqhkjOPQMBBwNCAATBhC6Bskae48wDIXJQXRNVcx3n7y90X+kO5StIXCuMPHy1 KKX00cXF6UXUHszjlvS2SMrVZQvJc2WTOiDTiv27o4GBMH8wDAYDVR0TAQH/BAIw ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC B4AwHQYDVR0OBBYEFL+L0nMF/mpdNL6bGu74hnxx2622MB8GA1UdIwQYMBaAFCyg 8iYK7eejABnMyB2/g2vveKgPMA0GCSqGSIb3DQEBCwUAA4IBAQA50M5wbeBoxn/E X6VGW6QqIvM6rSi+/1e4bPpF3QAWDQDe1dktyIuV+S845UEW0+evWQzNIvPuahXJ gqOHJyTVYJNK2UZHd1P0GMCbnNwAFPuJtbikTG0XXj5mCmDDGfjMDe7f4iB7yoho eXijLDEYcSu9EBSHTKMFl1KHYI59fKsFaG1/vblPeRiXYwGpynuWnS9hiRpM5Bng FVSuHPZaD/CsVje/tqIzp7dx+EVwAmCEbWSLuzM8SvOf7LPU8NJOfUHTKPnq9ul7 UbgGKwA4ITGLF6tuviJ+AXVkF6k/mlEGBU2AeEVrYxsJfIpZ9iUGLRw0DYHX9pXy
B4KikiF9
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 1086 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: 5D41B177F2AE1B93023712C86BDB48478064673D2799FE44991C9A5D81A44864
Session-ID-ctx:
Master-Key: 00049725C42086050BEDEB6E2BE3828C424A63EA12CB579B7850393074F444BE25A6A348677D2B80BA4A0EFF13CE89D3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 5f b8 ca 85 6b 5d d9 fa-7f 65 97 00 7e ff 7c 52 _...k]...e..~.|R
0010 - df 1d f7 c9 cc 29 7c e5-ec bc 54 8a a7 14 40 48 .....)|...T...@H
0020 - bd 52 90 d4 d9 aa d5 6a-64 5c 06 cd 07 75 06 d1 .R.....jd\...u..
0030 - 94 87 20 10 20 f0 03 bb-78 a9 c1 df b7 c4 ee da .. . ...x.......
0040 - 19 22 1b 77 e4 54 60 59-6f 1c 76 39 85 13 10 0f .".w.T`Yo.v9....
0050 - e0 dc 4c 0c 47 e1 42 a0-34 24 26 12 a3 9a d5 bb ..L.G.B.4$&.....
0060 - 33 bd 17 c8 a8 ba 8a 2d-bd f6 b2 ad 9a b4 2b 60 3......-......+`
0070 - 06 73 bd eb 15 a8 8f eb-09 d9 89 17 4a ef 0f d1 .s..........J...
0080 - d1 b6 8a bd 33 ce 1f ac-01 ea 38 6f 25 39 14 5a ....3.....8o%9.Z
0090 - f4 dd 10 a9 84 a3 50 a7-0f 8f ab 79 de 3f c1 c5 ......P....y.?..
00a0 - 66 c0 f1 62 d6 b5 88 60-0c f8 81 78 ea 8d 8a d5 f..b...`...x....
Start Time: 1744452411
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
TLS SUCCESSFUL
4057A481027F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALALAQABDAABJclxCCGBQvt624r44KMQkpj6hLLV5t4UDkwdPRE viWmo0hnfSuAukoO/xPOidOhBgIEZ/o7O6IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
HQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-
AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+
SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:
DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: x25519:secp256r1:x448:secp384r1:secp521r1
Shared groups: x25519:secp256r1:x448:secp384r1:secp521r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run test with TLS 1.2 and ECDH
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
40370681A17F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared
object file: No such file or directory
40370681A17F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:147:
40370681A17F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:438:
40370681A17F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:475:id=rdrand
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My EC Cert
i:CN=Issuer
a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjAvMRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB BggqhkjOPQMBBwNCAATBhC6Bskae48wDIXJQXRNVcx3n7y90X+kO5StIXCuMPHy1 KKX00cXF6UXUHszjlvS2SMrVZQvJc2WTOiDTiv27o4GBMH8wDAYDVR0TAQH/BAIw ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC B4AwHQYDVR0OBBYEFL+L0nMF/mpdNL6bGu74hnxx2622MB8GA1UdIwQYMBaAFCyg 8iYK7eejABnMyB2/g2vveKgPMA0GCSqGSIb3DQEBCwUAA4IBAQA50M5wbeBoxn/E X6VGW6QqIvM6rSi+/1e4bPpF3QAWDQDe1dktyIuV+S845UEW0+evWQzNIvPuahXJ gqOHJyTVYJNK2UZHd1P0GMCbnNwAFPuJtbikTG0XXj5mCmDDGfjMDe7f4iB7yoho eXijLDEYcSu9EBSHTKMFl1KHYI59fKsFaG1/vblPeRiXYwGpynuWnS9hiRpM5Bng FVSuHPZaD/CsVje/tqIzp7dx+EVwAmCEbWSLuzM8SvOf7LPU8NJOfUHTKPnq9ul7 UbgGKwA4ITGLF6tuviJ+AXVkF6k/mlEGBU2AeEVrYxsJfIpZ9iUGLRw0DYHX9pXy
B4KikiF9
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1120 bytes and written 257 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 9F203A3EF5CA535942AD079E5A58361A11222733565495818EF8492BB6C74E40
Session-ID-ctx:
Master-Key: 4940078B6A3AC9C21EB99B388F0D3D8F13E5F05F563A93BDAD1E346238A8B92997F90B80ECA38FD5D0BA1E6DF26C25F1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b2 30 7f 4f bd 9c 97 b4-0e b9 99 c3 30 35 ec 3b .0.O........05.;
0010 - 4a bc a4 a2 6e 53 81 98-3f fd 23 e9 1b 75 fb 70 J...nS..?.#..u.p
0020 - ba bd c0 44 c9 20 6c 89-0d a3 5c 4e 53 7d 1e 17 ...D. l...\NS}..
0030 - fe eb 25 42 2f c2 f2 14-fc cb 03 44 47 60 71 8a ..%B/......DG`q.
0040 - ed f0 67 47 51 84 c8 3f-67 8f 5d 19 9e c2 e0 92 ..gGQ..?g.].....
0050 - b2 4d 81 06 26 14 15 d4-d2 2b 0d 05 da 76 7f 81 .M..&....+...v..
0060 - a4 fe 1e dd 60 c9 63 28-ea 4c a4 d6 11 58 13 91 ....`.c(.L...X..
0070 - a5 bd f1 35 7c 21 9a 08-91 a7 7d e6 06 c0 c5 43 ...5|!....}....C
0080 - 6a d8 65 06 4d b8 4f 7a-6c c1 08 98 05 4b 11 64 j.e.M.Ozl....K.d
0090 - 23 53 c4 ae 72 74 96 b8-d9 c9 4f af 08 6c 5a 2a #S..rt....O..lZ*
00a0 - 82 8b 0f ea f0 6f 19 49-f8 a7 b2 c3 75 7c 12 a5 .....o.I....u|..
Start Time: 1744452411
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
/build/reproducible-path/pkcs11-provider-1.0/tests/ttls: line 28: wait: pid 1598 is not a child of this shell
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALAKwQABDBJQAeLajrJwh65mziPDT2PE+XwX1Y6k72tHjRiOKi5 KZf5C4Dso4/V0LoebfJsJfGhBgIEZ/o7O6IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+
SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:
DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutting down SSL
TLS SUCCESSFUL
Q
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALAKwQABDBJQAeLajrJwh65mziPDT2PE+XwX1Y6k72tHjRiOKi5 KZf5C4Dso4/V0LoebfJsJfGhBgIEZ/o7O6IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+
SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:
DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutting down SSL
TLS SUCCESSFUL
Q
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed) ==============================================================================
=================================== 76/92 ====================================
test: pkcs11-provider:kryoptic / tls
start time: 10:06:51
duration: 0.01s
result: exit status 77
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)