Files
wolfssl/tests/test-fails.conf
T
Juliusz Sosinowicz 061311d6ca zd/21661: harden X.509 chain validation, session ticket identity binding, and peer cert restore
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert;
  verify leaf signature even when verify_cb overrides INVALID_CA
- x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79)
  so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80
  and extend error_test() missing-value table for the new gaps
- asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries
- internal: re-verify restored ticket peer cert against trust store with
  CRL/OCSP checks; clear stale state from session cache on verification
  failure
- ticket: bind SNI and ALPN into session ticket via compile-time selected
  hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both
  TLS 1.3 and TLS 1.2 paths
- ticket: defer SNI/ALPN binding check until after extensions are parsed
  by consolidating into VerifyTicketBinding(), called once after
  ALPN_Select in DoTls13ClientHello and DoClientHello; the early
  per-call sites ran before extensions were parsed and rejected valid
  resumptions in nginx, haproxy, grpc, and CPython integration tests
- ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before
  overwrite
- examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048
  to support larger tickets
- tests: update SAN NUL fixtures and add parse-time rejection coverage;
  add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip
  it under WOLFSSL_NO_DEF_TICKET_ENC_CB
2026-05-06 16:45:58 +02:00

201 lines
3.6 KiB
Plaintext

# server bad certificate common name has null
# DG: Have not found a way to properly encode null in common name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-k ./certs/server-key.pem
-c ./certs/test/server-badcnnull.pem
-d
# client bad certificate common name has null
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-badcnnull.pem
-m
-x
# server nomatch common name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-k ./certs/server-key.pem
-c ./certs/test/server-badcn.pem
-d
# client nomatch common name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-badcn.pem
-m
-x
# server nomatch alternate name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-k ./certs/server-key.pem
-c ./certs/test/server-badaltname.pem
-d
# client nomatch alternate name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-badaltname.pem
-m
-x
# server RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# client RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/client-cert.pem
# server ECC no signer error
#-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client ECC no signer error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/client-ecc-cert.pem
# server RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
# client RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# server ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
# client ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
# server missing CN from alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-garbage.pem
# client missing CN from alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-garbage.pem
-m
# Verify Callback Failure Tests
# no error going into callback, return error
# server
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# client verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# server verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# client
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# client verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# server verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# client
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# error going into callback, return error
# server
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
-k ./certs/server-key.pem
-H verifyFail
# client verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
-k ./certs/ecc-key.pem
-H verifyFail
# client verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# Client is using RSA certificate with ECDSA cipher suite. Server will fail.
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-A ./certs/client-cert.pem
-H verifyFail
-H exitWithRet
# client
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/client-cert.pem
-k ./certs/client-key.pem
-A ./certs/ca-ecc-cert.pem
-H exitWithRet
# server send alert on no mutual authentication
-v 3
-F
-H verifyFail
# client send alert on no mutual authentication
-v 3
-x
-H verifyFail
# server TLSv1.3 fail on no client certificate
# server always sets WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT unless using -d
-v 4
-l TLS13-AES128-GCM-SHA256
# client TLSv1.3 no client certificate
-v 4
-l TLS13-AES128-GCM-SHA256
-x