openssl/test/ssl-tests/01-simple.cnf.in
Matt Caswell 752aa4a6f0 Add a TLS test for name constraints with an EE cert without a SAN
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.

Test for CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-12-14 13:48:34 +00:00


# -*- mode: perl; -*-
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## SSL test configurations
package ssltests;

# Each entry is one SSL test configuration: a name, the server settings,
# the client settings, and the result the test asserts.
our @tests = (
    # Baseline: no server or client overrides; expected to succeed.
    {
        name   => 'default',
        server => {},
        client => {},
        test   => { ExpectedResult => 'Success' },
    },

    # The peers are given different signature-algorithm lists. The
    # server-side ClientSignatureAlgorithms setting should make no
    # difference, because no client authentication is performed here.
    {
        name   => 'Server signature algorithms bug',
        server => { ClientSignatureAlgorithms => 'PSS+SHA512:RSA+SHA512' },
        client => { SignatureAlgorithms => 'PSS+SHA256:RSA+SHA256' },
        test   => { ExpectedResult => 'Success' },
    },

    # Negative test: the client is deliberately left without a root CA
    # file, so the expected outcome is a client-side failure with an
    # UnknownCA alert rather than a completed handshake.
    {
        name   => 'verify-cert',
        server => {},
        client => {
            # Intentionally undef: no client root file is configured.
            VerifyCAFile => undef,
        },
        test => {
            ExpectedResult      => 'ClientFail',
            ExpectedClientAlert => 'UnknownCA',
        },
    },

    # Test for CVE-2021-4044 (per the commit message that introduced this
    # entry): name constraints can be in force while the end-entity
    # certificate has no SAN extension, and that combination is valid, so
    # the client must verify the chain successfully.
    # NOTE(review): presumably goodcn2-chain.pem is a chain of that shape;
    # confirm against the test certificates.
    # This entry covers the accept path only: it asserts Success and does
    # not check that a certificate violating the constraints is rejected.
    {
        name   => 'name-constraints-no-san-in-ee',
        server => {
            Certificate => test_pem('goodcn2-chain.pem'),
            PrivateKey  => test_pem('goodcn2-key.pem'),
        },
        client => {
            VerifyCAFile => test_pem('root-cert.pem'),
        },
        test => { ExpectedResult => 'Success' },
    },
);