Fix SSLv3 ClientAuth alert checking

In TLS during ClientAuth if the CA is not recognised you should get an
UnknownCA alert. In SSLv3 this does not exist and you should get a
BadCertificate alert.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index e1044f9ebc446ee91d16c78aff18038b889f2ea1..495db02c5f9b3d840c199c77aac07dab84cd3ef2 100644 (file)
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -26,7 +26,13 @@ sub generate_tests() {
     foreach (0..$#protocols) {
         my $protocol = $protocols[$_];
         my $protocol_name = $protocol || "flex";
+        my $caalert;
         if (!$is_disabled[$_]) {
+            if ($protocol_name eq "SSLv3") {
+                $caalert = "BadCertificate";
+            } else {
+                $caalert = "UnknownCA";
+            }
             # Sanity-check simple handshake.
             push @tests, {
                 name => "server-auth-${protocol_name}",
@@ -109,7 +115,7 @@ sub generate_tests() {
                 },
                 test   => {
                     "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => "UnknownCA",
+                    "ServerAlert" => $caalert,
                 },
             };
         }

diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index b06ab4828c57cf745448b2113313ca9ad7bbd5aa..4d038d2c23b2c7dd37ab717e29c79d809ab5aa41 100644 (file)
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
     {"UnknownCA", SSL_AD_UNKNOWN_CA},
     {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
     {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+    {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
 };
 
 __owur static int parse_alert(int *alert, const char *value)