authorEmilia Kasper <emilia@openssl.org>2016-06-20 17:20:25 +0200
committerEmilia Kasper <emilia@openssl.org>2016-06-28 17:26:24 +0200
commitd2b23cd2b077de8507c49f632e20dfcdb653a35b (patch)
tree3a8a980e199c680d7e296468439c6f53d05fa1a0 /test/ssl-tests
parent2cdce3e32f0f70470d676352410557b626bc9d01 (diff)
SSL test framework: port SNI tests
Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'test/ssl-tests')
-rw-r--r--test/ssl-tests/05-sni.conf180
-rw-r--r--test/ssl-tests/05-sni.conf.in57
-rw-r--r--test/ssl-tests/06-sni-ticket.conf32
-rw-r--r--test/ssl-tests/06-sni-ticket.conf.in3
4 files changed, 259 insertions, 13 deletions
diff --git a/test/ssl-tests/05-sni.conf b/test/ssl-tests/05-sni.conf
index be219d519c..ef6db27ca1 100644
--- a/test/ssl-tests/05-sni.conf
+++ b/test/ssl-tests/05-sni.conf
@@ -1,35 +1,193 @@
# Generated with generate_ssl_tests.pl
-num_tests = 1
+num_tests = 6
-test-0 = 0-SNI-default
+test-0 = 0-SNI-switch-context
+test-1 = 1-SNI-keep-context
+test-2 = 2-SNI-no-server-support
+test-3 = 3-SNI-no-client-support
+test-4 = 4-SNI-bad-sni-ignore-mismatch
+test-5 = 5-SNI-bad-sni-reject-mismatch
# ===========================================================
-[0-SNI-default]
-ssl_conf = 0-SNI-default-ssl
+[0-SNI-switch-context]
+ssl_conf = 0-SNI-switch-context-ssl
-[0-SNI-default-ssl]
-server = 0-SNI-default-server
-server2 = 0-SNI-default-server2
-client = 0-SNI-default-client
+[0-SNI-switch-context-ssl]
+server = 0-SNI-switch-context-server
+server2 = 0-SNI-switch-context-server2
+client = 0-SNI-switch-context-client
-[0-SNI-default-server]
+[0-SNI-switch-context-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[0-SNI-default-server2]
+[0-SNI-switch-context-server2]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[0-SNI-default-client]
+[0-SNI-switch-context-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
+
+
+# ===========================================================
+
+[1-SNI-keep-context]
+ssl_conf = 1-SNI-keep-context-ssl
+
+[1-SNI-keep-context-ssl]
+server = 1-SNI-keep-context-server
+server2 = 1-SNI-keep-context-server2
+client = 1-SNI-keep-context-client
+
+[1-SNI-keep-context-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-SNI-keep-context-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-SNI-keep-context-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+ExpectedServerName = server1
+ServerName = server1
+ServerNameCallback = IgnoreMismatch
+
+
+# ===========================================================
+
+[2-SNI-no-server-support]
+ssl_conf = 2-SNI-no-server-support-ssl
+
+[2-SNI-no-server-support-ssl]
+server = 2-SNI-no-server-support-server
+client = 2-SNI-no-server-support-client
+
+[2-SNI-no-server-support-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-SNI-no-server-support-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+ServerName = server1
+
+
+# ===========================================================
+
+[3-SNI-no-client-support]
+ssl_conf = 3-SNI-no-client-support-ssl
+
+[3-SNI-no-client-support-ssl]
+server = 3-SNI-no-client-support-server
+server2 = 3-SNI-no-client-support-server2
+client = 3-SNI-no-client-support-client
+
+[3-SNI-no-client-support-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-SNI-no-client-support-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-SNI-no-client-support-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+ExpectedServerName = server1
+ServerNameCallback = IgnoreMismatch
+
+
+# ===========================================================
+
+[4-SNI-bad-sni-ignore-mismatch]
+ssl_conf = 4-SNI-bad-sni-ignore-mismatch-ssl
+
+[4-SNI-bad-sni-ignore-mismatch-ssl]
+server = 4-SNI-bad-sni-ignore-mismatch-server
+server2 = 4-SNI-bad-sni-ignore-mismatch-server2
+client = 4-SNI-bad-sni-ignore-mismatch-client
+
+[4-SNI-bad-sni-ignore-mismatch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-SNI-bad-sni-ignore-mismatch-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-SNI-bad-sni-ignore-mismatch-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = Success
+ExpectedServerName = server1
+ServerName = invalid
+ServerNameCallback = IgnoreMismatch
+
+
+# ===========================================================
+
+[5-SNI-bad-sni-reject-mismatch]
+ssl_conf = 5-SNI-bad-sni-reject-mismatch-ssl
+
+[5-SNI-bad-sni-reject-mismatch-ssl]
+server = 5-SNI-bad-sni-reject-mismatch-server
+server2 = 5-SNI-bad-sni-reject-mismatch-server2
+client = 5-SNI-bad-sni-reject-mismatch-client
+
+[5-SNI-bad-sni-reject-mismatch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-SNI-bad-sni-reject-mismatch-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-SNI-bad-sni-reject-mismatch-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = ServerFail
+ServerAlert = UnrecognizedName
+ServerName = invalid
+ServerNameCallback = RejectMismatch
diff --git a/test/ssl-tests/05-sni.conf.in b/test/ssl-tests/05-sni.conf.in
index de8dc77863..635ce9ae47 100644
--- a/test/ssl-tests/05-sni.conf.in
+++ b/test/ssl-tests/05-sni.conf.in
@@ -16,11 +16,64 @@ package ssltests;
our @tests = (
{
- name => "SNI-default",
+ name => "SNI-switch-context",
server => { },
server2 => { },
client => { },
test => { "ServerName" => "server2",
- "ExpectedResult" => "Success" },
+ "ExpectedServerName" => "server2",
+ "ServerNameCallback" => "IgnoreMismatch",
+ "ExpectedResult" => "Success" },
+ },
+ {
+ name => "SNI-keep-context",
+ server => { },
+ server2 => { },
+ client => { },
+ test => { "ServerName" => "server1",
+ "ExpectedServerName" => "server1",
+ "ServerNameCallback" => "IgnoreMismatch",
+ "ExpectedResult" => "Success" },
+ },
+ {
+ name => "SNI-no-server-support",
+ server => { },
+ client => { },
+ test => { "ServerName" => "server1",
+ "ExpectedResult" => "Success" },
+ },
+ {
+ name => "SNI-no-client-support",
+ server => { },
+ server2 => { },
+ client => { },
+ test => {
+ # We expect that the callback is still called
+ # to let the application decide whether they tolerate
+ # missing SNI (as our test callback does).
+ "ExpectedServerName" => "server1",
+ "ServerNameCallback" => "IgnoreMismatch",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "SNI-bad-sni-ignore-mismatch",
+ server => { },
+ server2 => { },
+ client => { },
+ test => { "ServerName" => "invalid",
+ "ExpectedServerName" => "server1",
+ "ServerNameCallback" => "IgnoreMismatch",
+ "ExpectedResult" => "Success" },
+ },
+ {
+ name => "SNI-bad-sni-reject-mismatch",
+ server => { },
+ server2 => { },
+ client => { },
+ test => { "ServerName" => "invalid",
+ "ServerNameCallback" => "RejectMismatch",
+ "ExpectedResult" => "ServerFail",
+ "ServerAlert" => "UnrecognizedName"},
},
);
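Review bot: `RejectMismatch` is exercised only on the failing path (`SNI-bad-sni-reject-mismatch`), so a strict callback that answered every name with `UnrecognizedName` would still pass this list. A positive case that sends `"ServerName" => "server2"` under `RejectMismatch` and expects `"ExpectedServerName" => "server2"` would pin that the strict flavour still switches context on a match. The entry below is a sketch with a constructed test name, and 05-sni.conf would need regenerating after adding it. The missing-SNI case (`SNI-no-client-support`) is likewise covered only for `IgnoreMismatch`, so what the strict callback does for a client that sends no name is not visible from these tests.
```perl
# … unchanged: the six entries above, ending with SNI-bad-sni-reject-mismatch …
    {
        name => "SNI-reject-mismatch-switch-context",
        server => { },
        server2 => { },
        client => { },
        test => { "ServerName" => "server2",
                  "ExpectedServerName" => "server2",
                  "ServerNameCallback" => "RejectMismatch",
                  "ExpectedResult" => "Success" },
    },
```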
diff --git a/test/ssl-tests/06-sni-ticket.conf b/test/ssl-tests/06-sni-ticket.conf
index 99484ed4c8..b3bfda0b91 100644
--- a/test/ssl-tests/06-sni-ticket.conf
+++ b/test/ssl-tests/06-sni-ticket.conf
@@ -83,7 +83,9 @@ VerifyMode = Peer
[test-1]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
@@ -117,7 +119,9 @@ VerifyMode = Peer
[test-2]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
@@ -151,7 +155,9 @@ VerifyMode = Peer
[test-3]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
@@ -185,7 +191,9 @@ VerifyMode = Peer
[test-4]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -219,7 +227,9 @@ VerifyMode = Peer
[test-5]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -253,7 +263,9 @@ VerifyMode = Peer
[test-6]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -287,7 +299,9 @@ VerifyMode = Peer
[test-7]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -321,7 +335,9 @@ VerifyMode = Peer
[test-8]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -355,7 +371,9 @@ VerifyMode = Peer
[test-9]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -389,7 +407,9 @@ VerifyMode = Peer
[test-10]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -423,7 +443,9 @@ VerifyMode = Peer
[test-11]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -457,7 +479,9 @@ VerifyMode = Peer
[test-12]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -491,7 +515,9 @@ VerifyMode = Peer
[test-13]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -525,7 +551,9 @@ VerifyMode = Peer
[test-14]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -559,7 +587,9 @@ VerifyMode = Peer
[test-15]
ExpectedResult = Success
+ExpectedServerName = server1
ServerName = server1
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
@@ -593,7 +623,9 @@ VerifyMode = Peer
[test-16]
ExpectedResult = Success
+ExpectedServerName = server2
ServerName = server2
+ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
diff --git a/test/ssl-tests/06-sni-ticket.conf.in b/test/ssl-tests/06-sni-ticket.conf.in
index 6cd57b61ad..8c95827a52 100644
--- a/test/ssl-tests/06-sni-ticket.conf.in
+++ b/test/ssl-tests/06-sni-ticket.conf.in
@@ -36,6 +36,9 @@ sub generate_tests() {
},
"test" => {
"ServerName" => $n,
+ "ExpectedServerName" => $n,
+ # We don't test mismatch here.
+ "ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success",
"SessionTicketExpected" => $result,
}
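Review bot: The added comment `# We don't test mismatch here.` does not say why that is safe or where mismatch is covered. `$n` feeds both `ServerName` and `ExpectedServerName`, and in the generated 06-sni-ticket.conf it is only ever server1 or server2, so the callback mode should never be reached with an unknown name. Something like `# ServerName always matches a configured context here; mismatch handling is covered in 05-sni.conf.in.` would make that explicit. generate_tests() starts and ends outside this hunk, so how `$n` is chosen is inferred from the generated file rather than seen here.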