author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-10-16 16:05:15 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:37 +0100 |
commit | db486d97c53725fe7917f1a4cb272e7e83536021 (patch) | |
tree | f8d3c168cc3d46d2d47ee5fc921349a292abf7d1 /tests/ocsp-tests | |
parent | 8e96ba96acc105dc7882626e688d2602cc934474 (diff) | |
download | gnutls-db486d97c53725fe7917f1a4cb272e7e83536021.tar.gz |
tests: enhanced OCSP tests
* Run tests under TLS1.2 and TLS1.3
* Verify whether multiple OCSP responses are received on the client
side under TLS1.3.
* Verify that OCSP status responses can be sent by
client under TLS1.3
* Verify operation of gnutls_certificate_retrieve_function3
* Verify operation when multiple OCSP responses by file are set
Resolves #307
Resolves #291
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests/ocsp-tests')
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 3caf25535b..5ec896207d 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -203,7 +203,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -238,7 +238,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -274,7 +274,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -301,7 +301,7 @@ echo "=== Test 5: Server with valid certificate - expired staple ==="
 rm -f "${OCSP_RESPONSE_FILE}"
 # Generate an OCSP response which expires in 2 days and use it after
-# a month.
+# a month. gnutls server doesn't send such a staple to clients.
 ${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
 datefudge -s ${EXP_OCSP_DATE} \
 ${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2 
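Review bot: The `--ignore-ocsp-response-errors` flag is appended to the `--ocsp-response` line with no comment explaining why a server started with server_good.key must skip validation of its own staple; the same bare addition appears in the hunks at -238, -274 and -359. Since this flag turns off a server-side safety check, a reader auditing the test later cannot tell whether the staple in these tests is meant to be bad, so the purpose should be stated next to the flag, for example `# the staple is intentionally not valid for this test; make the server send it anyway` if that is the intent, otherwise whatever the actual reason is. The same flag is placed on its own continuation line in the -310 hunk but tacked onto the end of the `--ocsp-response` line here, which makes the four launch blocks harder to diff against each other; one form, preferably a separate `--ignore-ocsp-response-errors \` line, would be more consistent. The `launch_bare_server` invocation starts before this hunk, so the preceding arguments are not visible here.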
@@ -310,12 +310,29 @@ eval "${GETPORT}"
 # Port for gnutls-serv
 TLS_SERVER_PORT=$PORT
 PORT=${TLS_SERVER_PORT}
+
+TIMEOUT=$(which timeout)
+if test -n "$TIMEOUT";then
+${TIMEOUT} 30 "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}"
+if test $? != 1;then
+ echo "Running gnutls-serv with an expired response, succeeds!"
+ exit ${rc}
+fi
+fi
+
+echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ==="
+
 launch_bare_server $$ \
 datefudge "${TESTDATE}" \
 "${GNUTLS_SERV}" --echo --disable-client-cert \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
+ --ignore-ocsp-response-errors \
 --ocsp-response="${OCSP_RESPONSE_FILE}"
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -359,7 +376,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID |
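Review bot: The failure branch of the new expired-staple check exits with `exit ${rc}`, but `rc` is not assigned anywhere in this hunk; unless the script sets it earlier (not visible here), that expands to a bare `exit`, which returns the status of the preceding `echo`, i.e. 0, so the very case the check is meant to catch would report success. It should be an explicit `exit 1`. The whole negative check is also skipped silently when `timeout` is missing, which is reasonable for a portability fallback but deserves a one-line comment such as `# skipped when timeout(1) is unavailable: gnutls-serv would otherwise block` so nobody mistakes it for always-on coverage, and a `test 124` (the timeout's own status) would be worth distinguishing from a clean exit since the message claims the server "succeeds". As a point of style, `TIMEOUT=$(which timeout)` would be the portable `TIMEOUT=$(command -v timeout)`, and the `${TIMEOUT} 30 ...` command body sits at column 0 inside the `if`, unlike the indented `echo`/`exit` lines below it.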