From a9f124378d746405fa3a666737daf67d5b6316ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 29 Jan 2016 14:47:09 +0100 Subject: [PATCH] x509: IP in SAN: integration tests with SSL/TLS --- include/mbedtls/ssl.h | 8 +++++--- tests/ssl-opt.sh | 46 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index ff5f3897f..57fb6fd77 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1633,12 +1633,14 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, #if defined(MBEDTLS_X509_CRT_PARSE_C) /** - * \brief Set hostname for ServerName TLS extension - * (client-side only) - * + * \brief Set hostname for ServerName TLS extension and verification + * of the server's certificate (client-side only) * * \param ssl SSL context * \param hostname the server hostname + * Usually a DNS hostname, but other options are available, + * see the \c exp_name parameter of \c + * mbedtls_x509_crt_verify_with_profile() * * \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c0b6f94d6..13068281f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1691,6 +1691,52 @@ run_test "Authentication: client no cert, ssl3" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" +# tests for IP adresses in subjectAlternativeName + +requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT +run_test "IP address in SAN: IPv4, good" \ + "$P_SRV crt_file=data_files/server5-san-ip.crt \ + key_file=data_files/server5.key" \ + "$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.1" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" + +requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT +run_test "IP address in SAN: IPv4, bad" \ + "$P_SRV crt_file=data_files/server5-san-ip.crt \ + key_file=data_files/server5.key" \ + "$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.2" \ + 1 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \ + -c "! mbedtls_ssl_handshake returned" \ + -c "X509 - Certificate verification failed" + +requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT +run_test "IP address in SAN: IPv6, good" \ + "$P_SRV crt_file=data_files/server5-san-ip.crt \ + key_file=data_files/server5.key" \ + "$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0001" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" + +requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT +run_test "IP address in SAN: IPv6, bad" \ + "$P_SRV crt_file=data_files/server5-san-ip.crt \ + key_file=data_files/server5.key" \ + "$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0002" \ + 1 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \ + -c "! mbedtls_ssl_handshake returned" \ + -c "X509 - Certificate verification failed" + # Tests for certificate selection based on SHA verson run_test "Certificate hash: client TLS 1.2 -> SHA-2" \