From 52142f186f29a759157a12a6cdc4bbd18661a629 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 7 Dec 2016 10:01:30 +0000 Subject: [PATCH 1/4] Add SNI with DTLS tests to ssl-opt.sh script --- tests/ssl-opt.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d33cc0f57..131dd09d4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2392,6 +2392,54 @@ run_test "SNI: CA override with CRL" \ -S "! The certificate is not correctly signed by the trusted CA" \ -s "The certificate has been revoked (is on a CRL)" +# Tests for SNI and DTLS + +run_test "SNI/DTLS: matching cert 1" \ + "$P_SRV debug_level=3 dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$P_CLI server_name=localhost dtls=1" \ + 0 \ + -s "parse ServerName extension" \ + -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ + -c "subject name *: C=NL, O=PolarSSL, CN=localhost" + +run_test "SNI/DTLS: CA override" \ + "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + ca_file=data_files/test-ca.crt \ + sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1 \ + crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + 0 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" \ + -S "x509_verify_cert() returned" \ + -S "! The certificate is not correctly signed by the trusted CA" \ + -S "The certificate has been revoked (is on a CRL)" + +run_test "SNI/DTLS: CA override with CRL" \ + "$P_SRV debug_level=3 auth_mode=optional \ + crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ + ca_file=data_files/test-ca.crt \ + sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1 \ + crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + 1 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" \ + -s "x509_verify_cert() returned" \ + -S "! The certificate is not correctly signed by the trusted CA" \ + -s "The certificate has been revoked (is on a CRL)" + # Tests for non-blocking I/O: exercise a variety of handshake flows run_test "Non-blocking I/O: basic handshake" \ From 021ad3dc38f995a5a75819b88ada6ac7562d1631 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 1 May 2018 20:26:47 +0100 Subject: [PATCH 2/4] Rename SNI/DTLS tests in ssl-opt.sh script --- tests/ssl-opt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 131dd09d4..b126d677f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2394,7 +2394,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS -run_test "SNI/DTLS: matching cert 1" \ +run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -2404,7 +2404,7 @@ run_test "SNI/DTLS: matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -run_test "SNI/DTLS: CA override" \ +run_test "SNI: DTLS, CA override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ ca_file=data_files/test-ca.crt \ @@ -2422,7 +2422,7 @@ run_test "SNI/DTLS: CA override" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" -run_test "SNI/DTLS: CA override with CRL" \ +run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ ca_file=data_files/test-ca.crt \ From 0b8eaa899d2cee80f6703834d07bae06755bb930 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 1 May 2018 20:27:37 +0100 Subject: [PATCH 3/4] Add more SNI/DTLS tests Run the normal SNI/TLS tests over DTLS in ssl-opt.sh for greater coverage. --- tests/ssl-opt.sh | 88 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b126d677f..f3b978a7c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2394,6 +2394,15 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS +run_test "SNI: DTLS, no SNI callback" \ + "$P_SRV debug_level=3 dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_CLI server_name=localhost dtls=1" \ + 0 \ + -S "parse ServerName extension" \ + -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ + -c "subject name *: C=NL, O=PolarSSL, CN=localhost" + run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -2404,6 +2413,85 @@ run_test "SNI: DTLS, matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" +run_test "SNI: DTLS, matching cert 2" \ + "$P_SRV debug_level=3 dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$P_CLI server_name=polarssl.example dtls=1" \ + 0 \ + -s "parse ServerName extension" \ + -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ + -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" + +run_test "SNI: DTLS, no matching cert" \ + "$P_SRV debug_level=3 dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$P_CLI server_name=nonesuch.example dtls=1" \ + 1 \ + -s "parse ServerName extension" \ + -s "ssl_sni_wrapper() returned" \ + -s "mbedtls_ssl_handshake returned" \ + -c "mbedtls_ssl_handshake returned" \ + -c "SSL - A fatal alert message was received from our peer" + +run_test "SNI: DTLS, client auth no override: optional" \ + "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1" \ + 0 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" + +run_test "SNI: DTLS, client auth override: none -> optional" \ + "$P_SRV debug_level=3 auth_mode=none dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1" \ + 0 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" + +run_test "SNI: DTLS, client auth override: optional -> none" \ + "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1" \ + 0 \ + -s "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got no certificate request" \ + -c "skip write certificate" \ + -c "skip write certificate verify" \ + -s "skip parse certificate verify" + +run_test "SNI: DTLS, CA no override" \ + "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ + crt_file=data_files/server5.crt key_file=data_files/server5.key \ + ca_file=data_files/test-ca.crt \ + sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \ + "$P_CLI debug_level=3 server_name=localhost dtls=1 \ + crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + 1 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" \ + -s "x509_verify_cert() returned" \ + -s "! The certificate is not correctly signed by the trusted CA" \ + -S "The certificate has been revoked (is on a CRL)" + run_test "SNI: DTLS, CA override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ From 12826dfb83ce8e87a1292a83af2780458af02141 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Sat, 16 Jun 2018 19:46:52 +0100 Subject: [PATCH 4/4] Extend the timeout for SNI DTLS tests The following tests were timing out under valgrind so now have a much longer timeout: SNI: DTLS, CA no override SNI: DTLS, CA override with CRL --- tests/ssl-opt.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f3b978a7c..a8adf9bb3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2474,6 +2474,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ -c "skip write certificate verify" \ -s "skip parse certificate verify" +needs_more_time 4 run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -2510,6 +2511,7 @@ run_test "SNI: DTLS, CA override" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" +needs_more_time 4 run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \