authorJack Lloyd <[email protected]>2016-12-30 21:46:04 -0500
committerJack Lloyd <[email protected]>2016-12-30 21:46:04 -0500
commit122754bf3dd27ffb81262affc16c78b5a513ed9e (patch)
treeb13f1efcb2a1b99e88e6b10c53b6e1d597b00337 /src/tests/data
parent0012c59f23ff0d99dc3fd91594040255cd2924bd (diff)
Increase default TLS DH min to 2048 bits, and add BSI policy class.
Moves BSI policy file to test data dir where it can be compared with what the hardcoded class outputs.
Diffstat (limited to 'src/tests/data')
-rw-r--r--src/tests/data/tls-policy/bsi.txt22
-rw-r--r--src/tests/data/tls-policy/datagram.txt2
-rw-r--r--src/tests/data/tls-policy/default.txt2
-rw-r--r--src/tests/data/tls-policy/strict.txt2
-rw-r--r--src/tests/data/tls-policy/suiteb.txt2
5 files changed, 26 insertions, 4 deletions
diff --git a/src/tests/data/tls-policy/bsi.txt b/src/tests/data/tls-policy/bsi.txt
new file mode 100644
index 000000000..763c05219
--- /dev/null
+++ b/src/tests/data/tls-policy/bsi.txt
@@ -0,0 +1,22 @@
+allow_tls10=false
+allow_tls11=false
+allow_tls12=true
+allow_dtls10=false
+allow_dtls12=false
+
+ciphers=AES-256/GCM AES-128/GCM AES-256 AES-128
+signature_hashes=SHA-384 SHA-256
+macs=AEAD SHA-384 SHA-256
+key_exchange_methods=ECDH DH PSK ECDHE_PSK DHE_PSK
+signature_methods=ECDSA RSA DSA
+ecc_curves=brainpool512r1 brainpool384r1 brainpool256r1 secp384r1 secp256r1
+minimum_dh_group_size=2000
+minimum_dsa_group_size=2000
+minimum_ecdh_group_size=250
+minimum_ecdsa_group_size=250
+minimum_rsa_bits=2000
+
+allow_insecure_renegotiation=false
+allow_server_initiated_renegotiation=true
+server_uses_own_ciphersuite_preferences=true
+negotiate_encrypt_then_mac=true
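Review bot: bsi.txt leaves out `dh_group`, `session_ticket_lifetime` and `minimum_signature_strength`, all of which the four sibling fixtures in this commit set explicitly. If the policy loader fills missing keys from its defaults (the loader is not visible here), a comparison against the hardcoded BSI class cannot catch a divergence on those settings, and the DH group a BSI-configured server would offer is not pinned by this file. I would add the three keys with the values the BSI class is meant to return. Separately, `ciphers` still admits the non-AEAD `AES-256 AES-128` entries and `key_exchange_methods` admits plain `PSK`, which gives no forward secrecy; if the format allows comments, a line naming the BSI guideline revision these lists follow would make later tightening easier to review.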
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt
index e78429238..6a9819aff 100644
--- a/src/tests/data/tls-policy/datagram.txt
+++ b/src/tests/data/tls-policy/datagram.txt
@@ -17,7 +17,7 @@ server_uses_own_ciphersuite_preferences = true
negotiate_encrypt_then_mac = true
session_ticket_lifetime = 86400
dh_group = modp/ietf/2048
-minimum_dh_group_size = 1024
+minimum_dh_group_size = 2048
minimum_ecdh_group_size = 255
minimum_rsa_bits = 2048
minimum_signature_strength = 110
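Review bot: Nothing in this directory exercises the new floor: the changed line `minimum_dh_group_size = 2048` only pins the serialized default, and the same holds for the identical hunks in default.txt, strict.txt and suiteb.txt. The diff shown is limited to src/tests/data, so a handshake test may exist elsewhere; if it does not, a test in which the peer's DH group is below 2048 bits and the handshake is refused would cover the behaviour the commit title promises. The configured `dh_group = modp/ietf/2048` sits exactly at the new minimum, so the same test should confirm that a 2048-bit group is still accepted.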
diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt
index eb4ee245c..c96f91d96 100644
--- a/src/tests/data/tls-policy/default.txt
+++ b/src/tests/data/tls-policy/default.txt
@@ -17,7 +17,7 @@ server_uses_own_ciphersuite_preferences = true
negotiate_encrypt_then_mac = true
session_ticket_lifetime = 86400
dh_group = modp/ietf/2048
-minimum_dh_group_size = 1024
+minimum_dh_group_size = 2048
minimum_ecdh_group_size = 255
minimum_rsa_bits = 2048
minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/strict.txt b/src/tests/data/tls-policy/strict.txt
index 2f8dfbb3d..f59aaf271 100644
--- a/src/tests/data/tls-policy/strict.txt
+++ b/src/tests/data/tls-policy/strict.txt
@@ -17,7 +17,7 @@ server_uses_own_ciphersuite_preferences = true
negotiate_encrypt_then_mac = true
session_ticket_lifetime = 86400
dh_group = modp/ietf/2048
-minimum_dh_group_size = 1024
+minimum_dh_group_size = 2048
minimum_ecdh_group_size = 255
minimum_rsa_bits = 2048
minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/suiteb.txt b/src/tests/data/tls-policy/suiteb.txt
index 77e7ce5a0..51d8fec12 100644
--- a/src/tests/data/tls-policy/suiteb.txt
+++ b/src/tests/data/tls-policy/suiteb.txt
@@ -17,7 +17,7 @@ server_uses_own_ciphersuite_preferences = true
negotiate_encrypt_then_mac = true
session_ticket_lifetime = 86400
dh_group = modp/ietf/2048
-minimum_dh_group_size = 1024
+minimum_dh_group_size = 2048
minimum_ecdh_group_size = 255
minimum_rsa_bits = 2048
minimum_signature_strength = 128