Merge branch 'set_hs' into development
* set_hs:
Add tests for mbedtls_set_hs_ca_chain()
Add tests for mbedtls_ssl_set_hs_authmode()
Add support for SNI CA and authmode in ssl_server2
Add mbedtls_ssl_set_hs_authmode
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index abe7d28..5a3de90 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -166,6 +166,7 @@
#define MBEDTLS_SSL_VERIFY_NONE 0
#define MBEDTLS_SSL_VERIFY_OPTIONAL 1
#define MBEDTLS_SSL_VERIFY_REQUIRED 2
+#define MBEDTLS_SSL_VERIFY_UNSET 3 /* Used only for sni_authmode */
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0
#define MBEDTLS_SSL_SECURE_RENEGOTIATION 1
@@ -1621,6 +1622,19 @@
mbedtls_x509_crl *ca_crl );
/**
+ * \brief Set authmode for the current handshake.
+ *
+ * \note Same as \c mbedtls_ssl_conf_authmode() but for use within
+ * the SNI callback.
+ *
+ * \param ssl SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ * MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+ int authmode );
+
+/**
* \brief Set server side ServerName TLS extension callback
* (optional, server-side only).
*
@@ -1629,12 +1643,15 @@
* during a handshake. The ServerName callback has the
* following parameters: (void *parameter, mbedtls_ssl_context *ssl,
* const unsigned char *hostname, size_t len). If a suitable
- * certificate is found, the callback should set the
+ * certificate is found, the callback must set the
* certificate(s) and key(s) to use with \c
* mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
- * and optionally adjust the CA with \c
- * mbedtls_ssl_set_hs_ca_chain() and return 0. The callback
- * should return -1 to abort the handshake at this point.
+ * and may optionally adjust the CA and associated CRL with \c
+ * mbedtls_ssl_set_hs_ca_chain() as well as the client
+ * authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ * then must return 0. If no matching name is found, the
+ * callback must either set a default cert, or
+ * return non-zero to abort the handshake at this point.
*
* \param conf SSL configuration
* \param f_sni verification function
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index f9b0017..8d3a380 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -183,6 +183,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ int sni_authmode; /*!< authmode from SNI callback */
mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f09c916..02bc3db 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2349,16 +2349,24 @@
size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p;
const mbedtls_x509_crt *crt;
+ int authmode;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
ssl->state++;
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+ authmode = ssl->handshake->sni_authmode;
+ else
+#endif
+ authmode = ssl->conf->authmode;
+
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
- ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
+ authmode == MBEDTLS_SSL_VERIFY_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
return( 0 );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bbec08a..8668329 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3855,6 +3855,7 @@
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t i, n;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ int authmode = ssl->conf->authmode;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
@@ -3869,8 +3870,20 @@
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
- ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) )
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+ ssl->state++;
+ return( 0 );
+ }
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+ authmode = ssl->handshake->sni_authmode;
+#endif
+
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ authmode == MBEDTLS_SSL_VERIFY_NONE )
{
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
@@ -3903,7 +3916,7 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
- if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
return( 0 );
else
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
@@ -3924,10 +3937,10 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
- if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
- return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
- else
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
return( 0 );
+ else
+ return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
}
}
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@@ -4037,7 +4050,7 @@
}
#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
- if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE )
+ if( authmode != MBEDTLS_SSL_VERIFY_NONE )
{
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
@@ -4106,7 +4119,7 @@
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
}
- if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_REQUIRED )
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
ret = 0;
}
@@ -4860,6 +4873,10 @@
#if defined(MBEDTLS_ECDH_C)
mbedtls_ecdh_init( &handshake->ecdh_ctx );
#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
}
static void ssl_transform_init( mbedtls_ssl_transform *transform )
@@ -5364,6 +5381,12 @@
ssl->handshake->sni_ca_chain = ca_chain;
ssl->handshake->sni_ca_crl = ca_crl;
}
+
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+ int authmode )
+{
+ ssl->handshake->sni_authmode = authmode;
+}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index de51d45..6ac2406 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -210,8 +210,8 @@
#if defined(SNI_OPTION)
#define USAGE_SNI \
- " sni=%%s name1,cert1,key1[,name2,cert2,key2[,...]]\n" \
- " default: disabled\n"
+ " sni=%%s name1,cert1,key1,ca1,crl1,auth1[,...]\n" \
+ " default: disabled\n"
#else
#define USAGE_SNI ""
#endif /* SNI_OPTION */
@@ -437,6 +437,21 @@
}
/*
+ * Return authmode from string, or -1 on error
+ */
+static int get_auth_mode( const char *s )
+{
+ if( strcmp( s, "none" ) == 0 )
+ return( MBEDTLS_SSL_VERIFY_NONE );
+ if( strcmp( s, "optional" ) == 0 )
+ return( MBEDTLS_SSL_VERIFY_OPTIONAL );
+ if( strcmp( s, "required" ) == 0 )
+ return( MBEDTLS_SSL_VERIFY_REQUIRED );
+
+ return( -1 );
+}
+
+/*
* Used by sni_parse and psk_parse to handle coma-separated lists
*/
#define GET_ITEM( dst ) \
@@ -453,6 +468,9 @@
const char *name;
mbedtls_x509_crt *cert;
mbedtls_pk_context *key;
+ mbedtls_x509_crt* ca;
+ mbedtls_x509_crl* crl;
+ int authmode;
sni_entry *next;
};
@@ -468,6 +486,12 @@
mbedtls_pk_free( cur->key );
mbedtls_free( cur->key );
+ mbedtls_x509_crt_free( cur->ca );
+ mbedtls_free( cur->ca );
+
+ mbedtls_x509_crl_free( cur->crl );
+ mbedtls_free( cur->crl );
+
next = cur->next;
mbedtls_free( cur );
cur = next;
@@ -475,8 +499,9 @@
}
/*
- * Parse a string of triplets name1,crt1,key1[,name2,crt2,key2[,...]]
- * into a usable sni_entry list.
+ * Parse a string of sextuples name1,crt1,key1,ca1,crl1,auth1[,...]
+ * into a usable sni_entry list. For ca1, crl1, auth1, the special value
+ * '-' means unset. If ca1 is unset, then crl1 is ignored too.
*
* Modifies the input string! This is not production quality!
*/
@@ -485,7 +510,7 @@
sni_entry *cur = NULL, *new = NULL;
char *p = sni_string;
char *end = p;
- char *crt_file, *key_file;
+ char *crt_file, *key_file, *ca_file, *crl_file, *auth_str;
while( *end != '\0' )
++end;
@@ -499,30 +524,54 @@
return( NULL );
}
- memset( new, 0, sizeof( sni_entry ) );
+ GET_ITEM( new->name );
+ GET_ITEM( crt_file );
+ GET_ITEM( key_file );
+ GET_ITEM( ca_file );
+ GET_ITEM( crl_file );
+ GET_ITEM( auth_str );
if( ( new->cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL ||
( new->key = mbedtls_calloc( 1, sizeof( mbedtls_pk_context ) ) ) == NULL )
- {
- mbedtls_free( new->cert );
- mbedtls_free( new );
- sni_free( cur );
- return( NULL );
- }
+ goto error;
mbedtls_x509_crt_init( new->cert );
mbedtls_pk_init( new->key );
- GET_ITEM( new->name );
- GET_ITEM( crt_file );
- GET_ITEM( key_file );
-
if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 ||
mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 )
- {
goto error;
+
+ if( strcmp( ca_file, "-" ) != 0 )
+ {
+ if( ( new->ca = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
+ goto error;
+
+ mbedtls_x509_crt_init( new->ca );
+
+ if( mbedtls_x509_crt_parse_file( new->ca, ca_file ) != 0 )
+ goto error;
}
+ if( strcmp( crl_file, "-" ) != 0 )
+ {
+ if( ( new->crl = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ) ) == NULL )
+ goto error;
+
+ mbedtls_x509_crl_init( new->crl );
+
+ if( mbedtls_x509_crl_parse_file( new->crl, crl_file ) != 0 )
+ goto error;
+ }
+
+ if( strcmp( auth_str, "-" ) != 0 )
+ {
+ if( ( new->authmode = get_auth_mode( auth_str ) ) < 0 )
+ goto error;
+ }
+ else
+ new->authmode = DFL_AUTH_MODE;
+
new->next = cur;
cur = new;
}
@@ -541,13 +590,19 @@
int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len )
{
- sni_entry *cur = (sni_entry *) p_info;
+ const sni_entry *cur = (const sni_entry *) p_info;
while( cur != NULL )
{
if( name_len == strlen( cur->name ) &&
memcmp( name, cur->name, name_len ) == 0 )
{
+ if( cur->ca != NULL )
+ mbedtls_ssl_set_hs_ca_chain( ssl, cur->ca, cur->crl );
+
+ if( cur->authmode != DFL_AUTH_MODE )
+ mbedtls_ssl_set_hs_authmode( ssl, cur->authmode );
+
return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) );
}
@@ -1055,13 +1110,7 @@
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
- if( strcmp( q, "none" ) == 0 )
- opt.auth_mode = MBEDTLS_SSL_VERIFY_NONE;
- else if( strcmp( q, "optional" ) == 0 )
- opt.auth_mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- else if( strcmp( q, "required" ) == 0 )
- opt.auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
- else
+ if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 )
goto usage;
}
else if( strcmp( p, "max_frag_len" ) == 0 )
@@ -1892,6 +1941,19 @@
else if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+ {
+ char vrfy_buf[512];
+ uint32_t flags = mbedtls_ssl_get_verify_result( &ssl );
+
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
+
+ mbedtls_printf( "%s\n", vrfy_buf );
+ }
+#endif
+
goto reset;
}
else /* ret == 0 */
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 2077f3a..b68ae51 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -72,7 +72,7 @@
Signing CA in parentheses (same meaning as certificates).
-- crl-ec-sha*: (2) server6.crt
+- crl-ec-sha*.pem: (2) server6.crt
- crl-future.pem: (2) server6.crt + unknown
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6b0df56..f87ede5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1597,7 +1597,7 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
- -S "! The certificate is not correctly signed by the trusted CA" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
@@ -1750,42 +1750,135 @@
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
"$P_CLI server_name=localhost" \
- 0 \
- -S "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+ 0 \
+ -S "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=localhost" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
"$P_CLI server_name=nonesuch.example" \
- 1 \
- -s "parse ServerName extension" \
- -s "ssl_sni_wrapper() returned" \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -c "SSL - A fatal alert message was received from our peer"
+ 1 \
+ -s "parse ServerName extension" \
+ -s "ssl_sni_wrapper() returned" \
+ -s "mbedtls_ssl_handshake returned" \
+ -c "mbedtls_ssl_handshake returned" \
+ -c "SSL - A fatal alert message was received from our peer"
+
+run_test "SNI: client auth no override: optional" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
+ "$P_CLI debug_level=3 server_name=localhost" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify"
+
+run_test "SNI: client auth override: none -> optional" \
+ "$P_SRV debug_level=3 auth_mode=none \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
+ "$P_CLI debug_level=3 server_name=localhost" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify"
+
+run_test "SNI: client auth override: optional -> none" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
+ "$P_CLI debug_level=3 server_name=localhost" \
+ 0 \
+ -s "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got no certificate request" \
+ -c "skip write certificate" \
+ -c "skip write certificate verify" \
+ -s "skip parse certificate verify"
+
+run_test "SNI: CA no override" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: CA override" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -S "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: CA override with CRL" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
+ "$P_CLI debug_level=3 server_name=localhost \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -s "The certificate has been revoked (is on a CRL)"
# Tests for non-blocking I/O: exercise a variety of handshake flows