# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
# Register with OpenSSL::Test under a placeholder name.
# NOTE(review): presumably this file only generates configuration data and
# runs no tests itself - confirm against the harness that loads it.
setup("no_test_here");

# Protocol matrix: undef means version-flexible negotiation (no Min/Max pin),
# followed by every fixed protocol version.
my @protocols = (undef, qw(SSLv3 TLSv1 TLSv1.1 TLSv1.2));

# Parallel to @protocols, index for index. Slot 0 (flexible negotiation) is
# never marked disabled; the remaining slots come from anydisabled(), so the
# option names passed to it must stay in the same order as @protocols.
# Otherwise a disabled protocol's client-auth cases would be generated, or an
# enabled one's silently skipped.
my @is_disabled = (0, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"));

# Accumulates the generated test descriptions; package-scoped so code outside
# this file can read it.
our @tests = ();

# Separator placed between ${ENV::TEST_CERTS_DIR} and a file name; empty on
# VMS, "/" everywhere else.
my $dir_sep = $^O eq "VMS" ? "" : "/";

# Append the client-authentication test cases to @tests: five cases for each
# entry of @protocols that is not flagged in @is_disabled.
#
# Every case pins both peers to the same protocol (MinProtocol == MaxProtocol),
# so a result is attributable to exactly one protocol version; for the "flex"
# entry both values are undef and the version is left to negotiation.
sub generate_tests() {

    # The "${ENV::TEST_CERTS_DIR}" part is emitted literally (the "$" is
    # escaped), so Perl does not expand it here; presumably the reader of the
    # generated configuration resolves it.
    my $certs_prefix = "\${ENV::TEST_CERTS_DIR}${dir_sep}";
    my $root_ca      = "${certs_prefix}root-cert.pem";
    my $client_chain = "${certs_prefix}ee-client-chain.pem";
    my $client_key   = "${certs_prefix}ee-key.pem";

    for my $index (0 .. $#protocols) {
        # @is_disabled is indexed in parallel with @protocols.
        next if $is_disabled[$index];

        my $protocol      = $protocols[$index];
        my $protocol_name = $protocol || "flex";

        # Alert expected when the server cannot chain the client certificate
        # to a trust anchor. SSLv3 defines no unknown_ca alert, so it is
        # expected to report BadCertificate instead.
        my $caalert
            = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # Version pin shared by the client and server side of every case.
        my %pinned = (
            "MinProtocol" => $protocol,
            "MaxProtocol" => $protocol,
        );

        # Baseline: plain server-authenticated handshake, no client auth.
        push @tests, {
            name   => "server-auth-${protocol_name}",
            server => { %pinned },
            client => { %pinned },
            test   => { "ExpectedResult" => "Success" },
        };

        # The server asks for a client certificate but does not insist on
        # one; the client sends none and the handshake must still succeed.
        push @tests, {
            name   => "client-auth-${protocol_name}-request",
            server => { %pinned, "VerifyMode" => "Request" },
            client => { %pinned },
            test   => { "ExpectedResult" => "Success" },
        };

        # The server insists on a client certificate and the client has none:
        # the server must abort with a HandshakeFailure alert.
        push @tests, {
            name   => "client-auth-${protocol_name}-require-fail",
            server => {
                %pinned,
                "VerifyCAFile" => $root_ca,
                "VerifyMode"   => "Require",
            },
            client => { %pinned },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => "HandshakeFailure",
            },
        };

        # The client presents a certificate chain and key, and the server has
        # the root to verify it against: the handshake must succeed.
        # NOTE(review): despite the "-require" name, the server is configured
        # with VerifyMode "Request", so this case would presumably also pass
        # if the client certificate were never sent. Confirm whether
        # "Require" was intended before changing it, because the generated
        # configuration would change.
        push @tests, {
            name   => "client-auth-${protocol_name}-require",
            server => {
                %pinned,
                "VerifyCAFile" => $root_ca,
                "VerifyMode"   => "Request",
            },
            client => {
                %pinned,
                "Certificate" => $client_chain,
                "PrivateKey"  => $client_key,
            },
            test   => { "ExpectedResult" => "Success" },
        };

        # The client presents a certificate, but the server is given no
        # VerifyCAFile: verification must fail and the server must send the
        # protocol-specific alert chosen above.
        push @tests, {
            name   => "client-auth-${protocol_name}-noroot",
            server => { %pinned, "VerifyMode" => "Require" },
            client => {
                %pinned,
                "Certificate" => $client_chain,
                "PrivateKey"  => $client_key,
            },
            test   => {
                "ExpectedResult"      => "ServerFail",
                "ExpectedServerAlert" => $caalert,
            },
        };
    }

    return;
}

# Populate @tests as soon as the file is loaded.
generate_tests();