Let the client retry longer, to make sure the server will time out before the
client gives up. Make it really longer to get a deterministic client exit
status (make sure it has time to reconnect after the server timeout).
Don't depend on srv.c in config.h, but add explicit checks. This is more
in line with other options that only make sense server-side, and also it
allows to test full config minus srv.c more easily.
Use a custom function that minimally parses the message an creates a reply
without the overhead of a full SSL context.
Also fix dependencies: needs DTLS_HELLO_VERIFY for the cookie types, and let's
also depend on SRV_C as is doesn't make sense on client.
- interrupt the connection abruptly (no close_notify)
- reconnect from the same port while server sill has an active connection from
this port.
Some real-world clients do that, see section 4.2.8 of RFC 6347.
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (eg an old root being no longer
trusted while the newer intermediate is directly trusted).
closes#220
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
Tends to cause spurious failures on buildbots due to peer timing out.
Anyway, those tests are mainly for interop, any memory error is most likely
catched by some earlier self-op test. (Also, we'll run these tests with ASan
anyway.)
