Fix SSLv3 ClientAuth alert checking
authorMatt Caswell <matt@openssl.org>
Wed, 22 Jun 2016 18:41:03 +0000 (19:41 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 18 Jul 2016 13:30:14 +0000 (14:30 +0100)
In TLS during ClientAuth if the CA is not recognised you should get an
UnknownCA alert. In SSLv3 this does not exist and you should get a
BadCertificate alert.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
test/ssl-tests/04-client_auth.conf.in
test/ssl_test_ctx.c

index e1044f9..495db02 100644 (file)
@@ -26,7 +26,13 @@ sub generate_tests() {
     foreach (0..$#protocols) {
         my $protocol = $protocols[$_];
         my $protocol_name = $protocol || "flex";
+        my $caalert;
         if (!$is_disabled[$_]) {
+            if ($protocol_name eq "SSLv3") {
+                $caalert = "BadCertificate";
+            } else {
+                $caalert = "UnknownCA";
+            }
             # Sanity-check simple handshake.
             push @tests, {
                 name => "server-auth-${protocol_name}",
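Review bot: The SSLv3 special case at the top of the `if (!$is_disabled[$_])` block carries no comment explaining why the expected alert differs, and `$caalert` is declared outside that block although the visible hunks only assign and read it inside. I would declare it where it is set and record the reason: `# SSLv3 has no UnknownCA alert; an unrecognised client CA yields BadCertificate.` followed by `my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";`. The "flex" case falls into the UnknownCA branch, which presumably holds only as long as the flexible configuration never negotiates SSLv3, so that assumption is worth confirming or stating in the comment. The body of generate_tests continues outside the hunk.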
@@ -109,7 +115,7 @@ sub generate_tests() {
                 },
                 test   => {
                     "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => "UnknownCA",
+                    "ServerAlert" => $caalert,
                 },
             };
         }
index b06ab48..4d038d2 100644 (file)
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
     {"UnknownCA", SSL_AD_UNKNOWN_CA},
     {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
     {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+    {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
 };
 
 __owur static int parse_alert(int *alert, const char *value)
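Review bot: The new last entry of `ssl_alerts[]` is added without a trailing comma, so the next alert appended to the table will have to modify this line as well. Writing it as `{"BadCertificate", SSL_AD_BAD_CERTIFICATE},` keeps future diffs to one line. The string has to match the value emitted by the test generator exactly, since `parse_alert` receives it as plain text. The body of `parse_alert` lies outside the hunk, so how an unknown name is reported cannot be checked from here.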