10e6d23549
In TLS during ClientAuth if the CA is not recognised you should get an UnknownCA alert. In SSLv3 this does not exist and you should get a BadCertificate alert. Reviewed-by: Emilia Käsper <emilia@openssl.org>
125 lines
4.3 KiB
Perl
125 lines
4.3 KiB
Perl
# -*- mode: perl; -*-
|
|
|
|
## SSL test configurations
|
|
|
|
package ssltests;
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use OpenSSL::Test;
|
|
use OpenSSL::Test::Utils qw(anydisabled);
|
|
setup("no_test_here");
|
|
|
|
# We test version-flexible negotiation (undef) and each protocol version.
|
|
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
|
|
|
|
my @is_disabled = (0);
|
|
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
|
|
|
|
our @tests = ();
|
|
|
|
my $dir_sep = $^O ne "VMS" ? "/" : "";
|
|
|
|
sub generate_tests() {
|
|
|
|
foreach (0..$#protocols) {
|
|
my $protocol = $protocols[$_];
|
|
my $protocol_name = $protocol || "flex";
|
|
my $caalert;
|
|
if (!$is_disabled[$_]) {
|
|
if ($protocol_name eq "SSLv3") {
|
|
$caalert = "BadCertificate";
|
|
} else {
|
|
$caalert = "UnknownCA";
|
|
}
|
|
# Sanity-check simple handshake.
|
|
push @tests, {
|
|
name => "server-auth-${protocol_name}",
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => { "ExpectedResult" => "Success" },
|
|
};
|
|
|
|
# Handshake with client cert requested but not required or received.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-request",
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyMode" => "Request"
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => { "ExpectedResult" => "Success" },
|
|
};
|
|
|
|
# Handshake with client cert required but not present.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-require-fail",
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
|
|
"VerifyMode" => "Require",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "ServerFail",
|
|
"ServerAlert" => "HandshakeFailure",
|
|
},
|
|
};
|
|
|
|
# Successful handshake with client authentication.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-require",
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
|
|
"VerifyMode" => "Request",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
|
|
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
|
|
},
|
|
test => { "ExpectedResult" => "Success" },
|
|
};
|
|
|
|
# Handshake with client authentication but without the root certificate.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-noroot",
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyMode" => "Require",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
|
|
"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "ServerFail",
|
|
"ServerAlert" => $caalert,
|
|
},
|
|
};
|
|
}
|
|
}
|
|
}
|
|
|
|
generate_tests();
|