Add -B option and clean up usage statement for cmds; add bypass testing NSS_PERFORMANCE_HACKS_BRANCH
authorsaul.edwards%sun.com
Fri, 26 Aug 2005 03:00:46 +0000
branchNSS_PERFORMANCE_HACKS_BRANCH
changeset 6056 f923c49d615968cb77b21cad6a19794a49500a0f
parent 6051 74f981777766e543e5a8027409597884f48af5ee
child 6057 4520878f7e3ee72c82f9e11d8269deaf27cdf3cc
push idunknown
push userunknown
push dateunknown
Add -B option and clean up usage statement for cmds; add bypass testing with -B option in ssl.sh. Output is probably too long - eliminate some testing later.
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/tests/ssl/ssl.sh
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -196,26 +196,27 @@ ownPasswd(PK11SlotInfo *info, PRBool ret
 #define FLUSH	if (verbose) { fflush(stdout); fflush(stderr); }
 #define VLOG(arg) PR_LOG(lm,PR_LOG_DEBUG,arg)
 
 static void
 Usage(const char *progName)
 {
     fprintf(stderr, 
 
-"Usage: %s -n rsa_nickname -p port [-3DNRSTbmrvx] [-w password] [-t threads]\n"
+"Usage: %s -n rsa_nickname -p port [-3BDENRSTblmrvx] [-w password] [-t threads]\n"
 #ifdef NSS_ENABLE_ECC
 "         [-i pid_file] [-c ciphers] [-d dbdir] [-e ec_nickname] \n"
-"         [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+"         [-f fortezza_nickname] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 #else
 "         [-i pid_file] [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
-"         [-L [seconds]] [-M maxProcs] [-l] [-P dbprefix]\n"
+"         [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 #endif /* NSS_ENABLE_ECC */
 "-S means disable SSL v2\n"
 "-3 means disable SSL v3\n"
+"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
 "-D means disable Nagle delays in TCP\n"
 "-E means disable export ciphersuites and SSL step down key gen\n"
 "-T means disable TLS\n"
 "-R means disable detection of rollback from TLS to SSL3\n"
 "-b means try binding to the port and exit\n"
 "-m means test the model-socket feature of SSL_ImportFD.\n"
 "-r flag is interepreted as follows:\n"
 "    1 -r  means request, not require, cert on initial handshake.\n"
@@ -687,16 +688,17 @@ logger(void *arg)
 PRBool useModelSocket  = PR_FALSE;
 PRBool disableSSL2     = PR_FALSE;
 PRBool disableSSL3     = PR_FALSE;
 PRBool disableTLS      = PR_FALSE;
 PRBool disableRollBack = PR_FALSE;
 PRBool NoReuse         = PR_FALSE;
 PRBool hasSidCache     = PR_FALSE;
 PRBool disableStepDown = PR_FALSE;
+PRBool bypassPKCS11    = PR_FALSE;
 
 static const char stopCmd[] = { "GET /stop " };
 static const char getCmd[]  = { "GET " };
 static const char EOFmsg[]  = { "EOF\r\n\r\n\r\n" };
 static const char outHeader[] = {
     "HTTP/1.0 200 OK\r\n"
     "Server: Generic Web Server\r\n"
     "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
@@ -1405,16 +1407,22 @@ server_main(
 	errExit("error enabling RollBack detection ");
     }
     if (disableStepDown) {
 	rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE);
 	if (rv != SECSuccess) {
 	    errExit("error disabling SSL StepDown ");
 	}
     }
+    if (bypassPKCS11) {
+       rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error enabling PKCS11 bypass ");
+	}
+    } 
 
     for (kea = kt_rsa; kea < kt_kea_size; kea++) {
 	if (cert[kea] != NULL) {
 	    secStatus = SSL_ConfigSecureServer(model_sock, 
 	    		cert[kea], privKey[kea], kea);
 	    if (secStatus != SECSuccess)
 		errExit("SSL_ConfigSecureServer");
 	}
@@ -1647,24 +1655,26 @@ main(int argc, char **argv)
     progName = progName ? progName + 1 : tmp;
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     /* please keep this list of options in ASCII collating sequence.
     ** numbers, then capital letters, then lower case, alphabetical. 
     */
     optstate = PL_CreateOptState(argc, argv, 
-    	"2:3DEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
+    	"2:3BDEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	++optionsFound;
 	switch(optstate->option) {
 	case '2': fileName = optstate->value; break;
 
 	case '3': disableSSL3 = PR_TRUE; break;
 
+	case 'B': bypassPKCS11 = PR_TRUE; break;
+
 	case 'D': noDelay = PR_TRUE; break;
 	case 'E': disableStepDown = PR_TRUE; break;
 
         case 'L':
             logStats = PR_TRUE;
 	    if (optstate->value == NULL) {
 	    	logPeriod = 30;
 	    } else {
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -154,16 +154,17 @@ static PRInt32 globalconid = 0;
 static PRBool NoDelay;
 static PRBool QuitOnTimeout = PR_FALSE;
 
 static SSL3Statistics * ssl3stats;
 
 static int failed_already = 0;
 static PRBool disableSSL3     = PR_FALSE;
 static PRBool disableTLS      = PR_FALSE;
+static PRBool bypassPKCS11    = PR_FALSE;
 
 
 char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
 {
         char *passwd = NULL;
 
         if ( (!retry) && arg ) {
                 passwd = PL_strdup((char *)arg);
@@ -179,26 +180,29 @@ SECItem	bigBuf;
 #define PRINTF  if (verbose)  printf
 #define FPRINTF if (verbose) fprintf
 
 static void
 Usage(const char *progName)
 {
     fprintf(stderr, 
     	"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
-	"          [-3DNTovq] [-2 filename] [-P fullhandshakespercentage]\n"
+	"          [-3BDNTovq] [-2 filename] [-P fullhandshakespercentage]\n"
 	"          [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
 	" where -v means verbose\n"
 	"       -o flag is interpreted as follows:\n"
    	"          1 -o   means override the result of server certificate validation.\n"
    	"          2 -o's mean skip server certificate validation altogether.\n"
 	"       -D means no TCP delays\n"
 	"       -q means quit when server gone (timeout rather than retry forever)\n"
 	"       -N means no session reuse\n"
-	"       -P means do a specified percentage of full handshakes\n",
+	"       -P means do a specified percentage of full handshakes\n"
+	"       -3 disables SSL v3\n"
+	"       -T disables TLS\n"
+	"       -B bypasses the PKCS11 layer for SSL encryption and MACing\n",
 	progName);
     exit(1);
 }
 
 
 static void
 errWarn(char * funcString)
 {
@@ -1128,16 +1132,23 @@ client_main(
 
     if (NoReuse) {
 	rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
 	if (rv < 0) {
 	    errExit("SSL_OptionSet SSL_NO_CACHE");
 	}
     }
 
+    if (bypassPKCS11) {
+	rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
+	}
+    }
+
     SSL_SetURL(model_sock, hostName);
 
     SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
 			(void *)CERT_GetDefaultCertDB());
     SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
 
     SSL_GetClientAuthDataHook(model_sock, StressClient_GetClientAuthData, (void*)Cert_And_Key);
 
@@ -1231,24 +1242,26 @@ main(int argc, char **argv)
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     tmp      = strrchr(argv[0], '/');
     tmp      = tmp ? tmp + 1 : argv[0];
     progName = strrchr(tmp, '\\');
     progName = progName ? progName + 1 : tmp;
  
 
-    optstate = PL_CreateOptState(argc, argv, "2:3C:DNP:Tc:d:n:op:qt:vw:");
+    optstate = PL_CreateOptState(argc, argv, "2:3BC:DNP:Tc:d:n:op:qt:vw:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch(optstate->option) {
 
 	case '2': fileName = optstate->value; break;
 
 	case '3': disableSSL3 = PR_TRUE; break;
 
+	case 'B': bypassPKCS11 = PR_TRUE; break;
+
 	case 'C': cipherString = optstate->value; break;
 
 	case 'D': NoDelay = PR_TRUE; break;
 
 	case 'N': NoReuse = 1; break;
 
 	case 'T': disableTLS = PR_TRUE; break;
 
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -209,25 +209,27 @@ void
 handshakeCallback(PRFileDesc *fd, void *client_data)
 {
     printSecurityInfo(fd);
 }
 
 static void Usage(const char *progName)
 {
     fprintf(stderr, 
-"Usage:  %s -h host [-p port] [-d certdir] [-n nickname] [-23Tfovx] \n"
+"Usage:  %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfovx] \n"
 "                   [-c ciphers] [-w passwd] [-q]\n", progName);
     fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
     fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
     fprintf(stderr, 
             "%-20s Directory with cert database (default is ~/.netscape)\n",
 	    "-d certdir");
     fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", 
                     "-n nickname");
+    fprintf(stderr, 
+            "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
     fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
     fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
     fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
     fprintf(stderr, "%-20s Client speaks first. \n", "-f");
     fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
     fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
     fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
@@ -441,16 +443,17 @@ int main(int argc, char **argv)
     SECStatus          rv;
     PRStatus           status;
     PRInt32            filesReady;
     int                npds;
     int                override = 0;
     int                disableSSL2 = 0;
     int                disableSSL3 = 0;
     int                disableTLS  = 0;
+    int                bypassPKCS11 = 0;
     int                useExportPolicy = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRHostEnt          hp;
     PRPollDesc         pollset[2];
     PRBool             useCommandLinePassword = PR_FALSE;
     PRBool             pingServerFirst = PR_FALSE;
     PRBool             clientSpeaksFirst = PR_FALSE;
@@ -459,26 +462,28 @@ int main(int argc, char **argv)
     PLOptStatus optstatus;
     PRStatus prStatus;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
-    optstate = PL_CreateOptState(argc, argv, "23Tfc:h:p:d:m:n:oqvw:x");
+    optstate = PL_CreateOptState(argc, argv, "23BTfc:h:p:d:m:n:oqvw:x");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '2': disableSSL2 = 1; 			break;
 
           case '3': disableSSL3 = 1; 			break;
 
+          case 'B': bypassPKCS11 = 1; 			break;
+
           case 'T': disableTLS  = 1; 			break;
 
           case 'c': cipherString = strdup(optstate->value); break;
 
           case 'h': host = strdup(optstate->value);	break;
 
           case 'f':  clientSpeaksFirst = PR_TRUE;       break;
 
@@ -696,16 +701,23 @@ int main(int argc, char **argv)
 
     /* disable ssl2 and ssl2-compatible client hellos. */
     rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "error disabling v2 compatibility");
 	return 1;
     }
 
+    /* enable PKCS11 bypass */
+    rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling PKCS11 bypass");
+	return 1;
+    }
+
     if (useCommandLinePassword) {
 	SSL_SetPKCS11PinArg(s, password);
     }
 
     SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -130,25 +130,27 @@ is_selfserv_alive()
   #fi
 }
 
 ########################### wait_for_selfserv ##########################
 # local shell function to wait until selfserver is running and initialized
 ########################################################################
 wait_for_selfserv()
 {
-  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
+  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_BYPASS} -q \\"
   echo "        -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
   #echo "tstclnt -q started at `date`"
-  tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+  tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_BYPASS} -q \
+          -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
   if [ $? -ne 0 ]; then
       html_failed "<TR><TD> Wait for Server "
-      echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
+      echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_BYPASS} -q \\"
       echo "               -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
-      tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+      tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_BYPASS} -q \
+              -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
   elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then
       html_passed "<TR><TD> Wait for Server"
   fi
   is_selfserv_alive
 }
 
 ########################### kill_selfserv ##############################
 # local shell function to kill the selfserver after the tests are done
@@ -181,25 +183,25 @@ kill_selfserv()
 # also: wait until the server is up and running
 ########################################################################
 start_selfserv()
 {
   if [ -n "$testname" ] ; then
       echo "$SCRIPTNAME: $testname ----"
   fi
   sparam=`echo $sparam | sed -e 's;_; ;g'`
-  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\"
+  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_BYPASS} \\"
   echo "         -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
   echo "selfserv started at `date`"
   if [ ${fileout} -eq 1 ]; then
-      selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
+      selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_BYPASS} \
                -w nss ${sparam} -i ${R_SERVERPID} $verbose \
                > ${SERVEROUTFILE} 2>&1 &
   else
-      selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
+      selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_BYPASS} \
                -w nss ${sparam} -i ${R_SERVERPID} $verbose &
   fi
   # The PID $! returned by the MKS or Cygwin shell is not the PID of
   # the real background process, but rather the PID of a helper
   # process (sh.exe).  MKS's kill command has a bug: invoking kill
   # on the helper process does not terminate the real background
   # process.  Our workaround has been to have selfserv save its PID
   # in the ${SERVERPID} file and "kill" that PID instead.  But this
@@ -213,43 +215,43 @@ start_selfserv()
   wait_for_selfserv
 }
 
 ############################## ssl_cov #################################
 # local shell function to perform SSL Cipher Coverage tests
 ########################################################################
 ssl_cov()
 {
-  html_head "SSL Cipher Coverage $NORM_EXT"
+  html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING"
 
   testname=""
   sparam="-c ABCDEFabcdefghijklmnvyz"
   start_selfserv # Launch the server
                
   p=""
 
   while read tls param testname
   do
       p=`echo "$testname" | sed -e "s/ .*//"`   #sonmi, only run extended test on SSL3 and TLS
       
-      if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
+      if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       elif [ "$tls" != "#" ] ; then
           echo "$SCRIPTNAME: running $testname ----------------------------"
           TLS_FLAG=-T
           if [ $tls = "TLS" ]; then
               TLS_FLAG=""
           fi
 
           is_selfserv_alive
-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
+          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_BYPASS} \\"
           echo "        -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
 
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
+          tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_BYPASS} -f \
                   -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
                   >${TMP}/$HOST.tmp.$$  2>&1
           ret=$?
           cat ${TMP}/$HOST.tmp.$$ 
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
           html_msg $ret 0 "${testname}"
       fi
   done < ${SSLCOV}
@@ -258,28 +260,28 @@ ssl_cov()
   html "</TABLE><BR>"
 }
 
 ############################## ssl_auth ################################
 # local shell function to perform SSL  Client Authentication tests
 ########################################################################
 ssl_auth()
 {
-  html_head "SSL Client Authentication $NORM_EXT"
+  html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING"
 
   while read value sparam cparam testname
   do
       if [ $value != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
           start_selfserv
 
-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
+          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_BYPASS} \\"
 	  echo "        ${cparam}  < ${REQUEST_FILE}"
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+          tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_BYPASS} \
                   -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
                   >${TMP}/$HOST.tmp.$$  2>&1
           ret=$?
           cat ${TMP}/$HOST.tmp.$$ 
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 
           html_msg $ret $value "${testname}" \
                    "produced a returncode of $ret, expected is $value"
@@ -291,35 +293,35 @@ ssl_auth()
 }
 
 
 ############################## ssl_stress ##############################
 # local shell function to perform SSL stress test
 ########################################################################
 ssl_stress()
 {
-  html_head "SSL Stress Test $NORM_EXT"
+  html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING"
 
   while read value sparam cparam testname
   do
       p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"`   #sonmi, only run extended test on SSL3 and TLS
-      if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
+      if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       elif [ $value != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g'`
           start_selfserv
           if [ `uname -n` = "sjsu" ] ; then
               echo "debugging disapering selfserv... ps -ef | grep selfserv"
               ps -ef | grep selfserv
           fi
 
-          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\"
+          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_BYPASS} -w nss $cparam \\"
           echo "         $verbose ${HOSTADDR}"
           echo "strsclnt started at `date`"
-          strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \
+          strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_BYPASS} -w nss $cparam \
                    $verbose ${HOSTADDR}
           ret=$?
           echo "strsclnt completed at `date`"
           html_msg $ret $value "${testname}"
           if [ `uname -n` = "sjsu" ] ; then
               echo "debugging disapering selfserv... ps -ef | grep selfserv"
               ps -ef | grep selfserv
           fi
@@ -337,32 +339,80 @@ ssl_stress()
 ########################################################################
 ssl_cleanup()
 {
   rm $SERVERPID 2>/dev/null
   cd ${QADIR}
   . common/cleanup.sh
 }
 
-################## main #################################################
 
-#this script may be sourced from the distributed stress test - in this case do nothing...
+############################## ssl_run ### #############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run()
+{
+    ssl_init
 
-if [ -z  "$DO_REM_ST" -a -z  "$DO_DIST_ST" ] ; then
-    ssl_init
     ssl_cov
     ssl_auth
     ssl_stress
 
     SERVERDIR=$EXT_SERVERDIR
     CLIENTDIR=$EXT_CLIENTDIR
     R_SERVERDIR=$R_EXT_SERVERDIR
     R_CLIENTDIR=$R_EXT_CLIENTDIR
     P_R_SERVERDIR=$P_R_EXT_SERVERDIR
     P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
     USER_NICKNAME=ExtendedSSLUser
-    NORM_EXT="Extended test"
+    NORM_EXT="Extended Test"
     cd ${CLIENTDIR}
     ssl_cov
     ssl_auth
     ssl_stress
+
+    # the next round off ssl tests will only run if these vars are reset
+    SERVERDIR=$ORIG_SERVERDIR
+    CLIENTDIR=$ORIG_CLIENTDIR
+    R_SERVERDIR=$ORIG_R_SERVERDIR
+    R_CLIENTDIR=$ORIG_R_CLIENTDIR
+    P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+    P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+    USER_NICKNAME=TestIser
+    NORM_EXT=
+    cd ${QADIR}/ssl
     ssl_cleanup
+}
+
+################## main #################################################
+
+#this script may be sourced from the distributed stress test - in this case do nothing...
+
+if [ -z  "$DO_REM_ST" -a -z  "$DO_DIST_ST" ] ; then
+
+
+    # save the directories as setup by init.sh
+    ORIG_SERVERDIR=$SERVERDIR
+    ORIG_CLIENTDIR=$CLIENTDIR
+    ORIG_R_SERVERDIR=$R_SERVERDIR
+    ORIG_R_CLIENTDIR=$R_CLIENTDIR
+    ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+    ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+    # Test all combinations of server bypass and client bypass
+    BYPASS_STRING="No Bypass"
+    ssl_run
+    CLIENT_BYPASS="-B"
+    BYPASS_STRING="Client Bypass"
+    ssl_run
+    SERVER_BYPASS="-B"
+    CLIENT_BYPASS=""
+    BYPASS_STRING="Server Bypass"
+    ssl_run
+    CLIENT_BYPASS="-B"
+    BYPASS_STRING="Server and Client Bypass"
+    ssl_run
+
+    # clear bypass strings
+    CLIENT_BYPASS=""
+    SERVER_BYPASS=""
+
 fi