
Fix for DH prime test (extra leading spaces). Fix for new chain tests with CRL enabled. The current way of testing chains loads only the root CA as trusted. The intermediate CA's CRL isn't trusted or loaded, which causes an error.

David Garske 5 years ago
parent
commit
a358174b4b
3 changed files with 68 additions and 2 deletions
  1. 33 0
      tests/test-altchains.conf
  2. 33 0
      tests/test-chains.conf
  3. 2 2
      tests/test-dhprime.conf

+ 33 - 0
tests/test-altchains.conf

@@ -1,10 +1,14 @@
 # Tests will use complete chain with intermediate CA for testing
+# The tests with chains have the CRL checking disabled
+# CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted
+# For these tests we are loading root and sending intermediate and peer certs
 # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
 -l DHE-RSA-AES128-GCM-SHA256
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
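Review bot: Turning CRL checking off with `-V` (server) and `-C` (client) on every complete-chain case means no test in this file exercises revocation checking against a chain that includes an intermediate CA, so a regression in that path would go unnoticed. The new header comment already names the alternative (load both the root and the intermediate as trusted); consider keeping at least one server/client pair configured that way with CRL checking left on. The header comment could also state the reason directly, e.g. `# CRL checking is disabled (-V server, -C client): only the root CA is loaded as trusted, so no CRL is available for the intermediate CA`. The same applies to the matching first hunk of tests/test-chains.conf.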
@@ -12,6 +16,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
@@ -19,6 +24,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
@@ -26,6 +32,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
 -v 3
@@ -33,6 +40,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-ecc.pem
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
 -v 3
@@ -40,6 +48,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-ecc.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
 -v 4
@@ -47,6 +56,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
 -v 4
@@ -54,6 +64,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
 -v 4
@@ -61,6 +72,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-ecc.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
 -v 4
@@ -68,6 +80,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-ecc.pem
+-C
 
 # Test will load intermediate CA as trusted and only present the peer cert (partial chain)
 # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
@@ -76,6 +89,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
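Review bot: The partial-chain cases load the intermediate CA as trusted with `-A ./certs/intermediate/ca-int-cert.pem`, so the reason given in the file header for disabling CRL checking (only the root is loaded as trusted) does not describe them, yet `-V`/`-C` are added here as well. If the actual cause is that no CRL issued by the intermediate CA is part of the test CRL set, which this diff does not show, say so in a comment above this section, for example `# CRL checking disabled: no CRL issued by the intermediate CA is loaded`, or add that CRL and leave checking on. This covers the partial-chain hunks through `@@ -139,6 +161,7 @@` in this file and the corresponding hunks in tests/test-chains.conf.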
@@ -83,6 +97,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
@@ -90,6 +105,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
@@ -97,6 +113,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
 -v 3
@@ -104,6 +121,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-int-ecc-cert.pem
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
 -v 3
@@ -111,6 +129,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-int-ecc-cert.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
 -v 4
@@ -118,6 +137,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
 -v 4
@@ -125,6 +145,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
 -v 4
@@ -132,6 +153,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-int-ecc-cert.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
 -v 4
@@ -139,6 +161,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-int-ecc-cert.pem
+-C
 
 # Test will use alternate chain where chain contains extra cert
 # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
@@ -147,6 +170,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
 -v 3
@@ -154,6 +178,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
 -v 3
@@ -161,6 +186,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
 -v 3
@@ -168,6 +194,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain
 -v 3
@@ -175,6 +202,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-alt-ecc.pem
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain
 -v 3
@@ -182,6 +210,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-alt-ecc.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain
 -v 4
@@ -189,6 +218,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain
 -v 4
@@ -196,6 +226,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain
 -v 4
@@ -203,6 +234,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-alt-ecc.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain
 -v 4
@@ -210,3 +242,4 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-alt-ecc.pem
+-C

+ 33 - 0
tests/test-chains.conf

@@ -1,10 +1,14 @@
 # Tests will use complete chain with intermediate CA for testing
+# The tests with chains have the CRL checking disabled
+# CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted
+# For these tests we are loading root and sending intermediate and peer certs
 # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
 -l DHE-RSA-AES128-GCM-SHA256
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
@@ -12,6 +16,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
@@ -19,6 +24,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Chain
 -v 3
@@ -26,6 +32,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
 -v 3
@@ -33,6 +40,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-ecc.pem
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Chain
 -v 3
@@ -40,6 +48,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-ecc.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
 -v 4
@@ -47,6 +56,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Chain
 -v 4
@@ -54,6 +64,7 @@
 -A ./certs/ca-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
 -v 4
@@ -61,6 +72,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-ecc.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Chain
 -v 4
@@ -68,6 +80,7 @@
 -A ./certs/ca-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-ecc.pem
+-C
 
 # Test will load intermediate CA as trusted and only present the peer cert (partial chain)
 # server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
@@ -76,6 +89,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
@@ -83,6 +97,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
@@ -90,6 +105,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
 -v 3
@@ -97,6 +113,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
 -v 3
@@ -104,6 +121,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-int-ecc-cert.pem
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
 -v 3
@@ -111,6 +129,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-int-ecc-cert.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
 -v 4
@@ -118,6 +137,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-int-cert.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
 -v 4
@@ -125,6 +145,7 @@
 -A ./certs/intermediate/ca-int-cert.pem
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-int-cert.pem
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
 -v 4
@@ -132,6 +153,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-int-ecc-cert.pem
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
 -v 4
@@ -139,6 +161,7 @@
 -A ./certs/intermediate/ca-int-ecc-cert.pem
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-int-ecc-cert.pem
+-C
 
 # Test will use alternate chain where chain contains extra cert
 # These tests should fail
@@ -149,6 +172,7 @@
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
 -H exitWithRet
+-V
 
 # client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain Fail
 -v 3
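Review bot: These cases are expected to fail (`-H exitWithRet`, under the section comment `# These tests should fail`), but nothing visible in the hunk pins why they fail. Before this change a CRL error could presumably have produced the expected failure instead of the rejection of the extra certificate in the chain; with `-V`/`-C` that source is removed, and a comment naming the failure under test would keep the intent clear, e.g. `# expected failure: chain contains an extra certificate (CRL checking is off, so it cannot be the cause)`. This applies to all ten Alt Chain Fail hunks in this file.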
@@ -157,6 +181,7 @@
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
 -H exitWithRet
+-C
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain Fail
 -v 3
@@ -165,6 +190,7 @@
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
 -H exitWithRet
+-V
 
 # client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Alt Chain Fail
 -v 3
@@ -173,6 +199,7 @@
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
 -H exitWithRet
+-C
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain Fail
 -v 3
@@ -181,6 +208,7 @@
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-alt-ecc.pem
 -H exitWithRet
+-V
 
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Alt Chain Fail
 -v 3
@@ -189,6 +217,7 @@
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-alt-ecc.pem
 -H exitWithRet
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain Fail
 -v 4
@@ -197,6 +226,7 @@
 -k ./certs/server-key.pem
 -c ./certs/intermediate/server-chain-alt.pem
 -H exitWithRet
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Alt Chain Fail
 -v 4
@@ -205,6 +235,7 @@
 -k ./certs/client-key.pem
 -c ./certs/intermediate/client-chain-alt.pem
 -H exitWithRet
+-C
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain Fail
 -v 4
@@ -213,6 +244,7 @@
 -k ./certs/ecc-key.pem
 -c ./certs/intermediate/server-chain-alt-ecc.pem
 -H exitWithRet
+-V
 
 # client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Alt Chain Fail
 -v 4
@@ -221,3 +253,4 @@
 -k ./certs/ecc-client-key.pem
 -c ./certs/intermediate/client-chain-alt-ecc.pem
 -H exitWithRet
+-C

+ 2 - 2
tests/test-dhprime.conf

@@ -6,7 +6,7 @@
 -v 3
 -l DHE-RSA-AES128-SHA
 
- # server TLSv1.2 DHE AES256-SHA256 (DHE prime test)
+# server TLSv1.2 DHE AES256-SHA256 (DHE prime test)
 -v 3
 -l DHE-RSA-AES256-SHA256
 
@@ -15,7 +15,7 @@
 -l DHE-RSA-AES256-SHA256
 
 # server TLSv1.2 DHE-PSK-AES128-CBC-SHA256 (DHE prime test)
- -s
+-s
 -v 3
 -l DHE-PSK-AES128-CBC-SHA256