From 10e6d235494f69365914f959f83b448b0b21dca2 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 22 Jun 2016 19:41:03 +0100
Subject: [PATCH] Fix SSLv3 ClientAuth alert checking
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
In TLS during ClientAuth if the CA is not recognised you should get an UnknownCA alert. In SSLv3 this does not exist and you should get a BadCertificate alert.
Reviewed-by: Emilia Käsper
---
test/ssl-tests/04-client_auth.conf.in | 8 +++++++-
test/ssl_test_ctx.c | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index e1044f9ebc..495db02c5f 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -26,7 +26,13 @@ sub generate_tests() {
 foreach (0..$#protocols) {
 my $protocol = $protocols[$_];
 my $protocol_name = $protocol || "flex";
+ my $caalert;
 if (!$is_disabled[$_]) {
+ if ($protocol_name eq "SSLv3") {
+ $caalert = "BadCertificate";
+ } else {
+ $caalert = "UnknownCA";
+ }
 # Sanity-check simple handshake.
 push @tests, {
 name => "server-auth-${protocol_name}",
@@ -109,7 +115,7 @@ sub generate_tests() {
 },
 test => {
 "ExpectedResult" => "ServerFail",
- "ServerAlert" => "UnknownCA",
+ "ServerAlert" => $caalert,
 },
 };
 }
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index b06ab4828c..4d038d2c23 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
 {"UnknownCA", SSL_AD_UNKNOWN_CA},
 {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
 {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
 };
 __owur static int parse_alert(int *alert, const char *value)
--
2.25.1
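Review bot: In the first hunk of test/ssl-tests/04-client_auth.conf.in, `$caalert` is declared without a value and only assigned inside `if (!$is_disabled[$_])`, so the alert choice is spread over six lines and nothing in the file records why SSLv3 differs. A single initialised declaration with the reason attached would read better: the comment `# SSLv3 defines no unknown_ca alert, so an untrusted client CA surfaces as bad_certificate.` followed by `my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";`. The "flex" entry still expects UnknownCA, which presumably relies on version negotiation settling on TLS; if a build with every TLS version disabled is possible, that case would see BadCertificate too and may deserve a check. generate_tests continues outside both hunks, so it cannot be confirmed from here that the later `"ServerAlert" => $caalert` sits inside the same `if` block.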
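Review bot: The new last entry of `ssl_alerts[]` in test/ssl_test_ctx.c drops the trailing comma that the previous last entry carried, so the next alert added to the table will have to modify this line as well. Writing it as `{"BadCertificate", SSL_AD_BAD_CERTIFICATE},` keeps the table uniform and keeps future additions to a one-line diff. The hunk shows only the tail of the initialiser; the earlier entries are outside it.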