Commit 10e6d235 authored by Matt Caswell's avatar Matt Caswell

Fix SSLv3 ClientAuth alert checking



In TLS, during ClientAuth, if the CA is not recognised you should get an
UnknownCA alert. In SSLv3 this alert does not exist and you should get a
BadCertificate alert instead.

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
parent 78cbe94f
+7 −1
@@ -26,7 +26,13 @@ sub generate_tests() {
    foreach (0..$#protocols) {
        my $protocol = $protocols[$_];
        my $protocol_name = $protocol || "flex";
        my $caalert;
        if (!$is_disabled[$_]) {
            if ($protocol_name eq "SSLv3") {
                $caalert = "BadCertificate";
            } else {
                $caalert = "UnknownCA";
            }
            # Sanity-check simple handshake.
            push @tests, {
                name => "server-auth-${protocol_name}",
@@ -109,7 +115,7 @@ sub generate_tests() {
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ServerAlert" => "UnknownCA",
                    "ServerAlert" => $caalert,
                },
            };
        }
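Review bot: The SSLv3 branch that sets `$caalert` in the first hunk has no comment saying why the expected alert differs, so a reader has to find the commit message to learn that SSLv3 has no UnknownCA alert. I would add `# SSLv3 has no UnknownCA alert; an unrecognised client CA is reported as BadCertificate.` above the `if ($protocol_name eq "SSLv3")` test. The five-line if/else could also be folded into the declaration, `my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";`, placed inside the `!$is_disabled[$_]` block, which judging by the indentation is the only place it is read. The comparison assumes the entry in `@protocols` is spelled exactly "SSLv3"; that list and the rest of generate_tests lie outside the hunks, so this is worth confirming.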
+1 −0
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
    {"UnknownCA", SSL_AD_UNKNOWN_CA},
    {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
    {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
    {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
};

__owur static int parse_alert(int *alert, const char *value)