$proxy->serverflags("-servername localhost");
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 6;
+plan tests => 7;
ok(TLSProxy::Message->success(), "Initial connection");
#Test 2: Attempt a resume with PSK not in last place. Should fail
$proxy->start();
ok(TLSProxy::Message->success(), "Too many PSKs");
+my $proxy2 = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ undef, # Deliberately set to no_cert to force a PSK-only server
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}),
+ have_IPv6()
+);
+
+#Test 7: Attempt an invalid resume, with a server that can only do PSK.
+# Should be treated the same as an invalid binder (decrypt_error)
+# as per RFC8446 Appendix E.6
+$proxy2->clear();
+$proxy2->clientflags("-sess_in ".$session);
+$proxy2->serverflags("-psk ffeeddccbbaa99887766554433221100 -no_ticket");
+$proxy2->start() or die "Failed to start proxy2";
+ok(is_decode_error_server_alert(), "Bad PSK with no handshake fallback");
+
unlink $session;
+sub is_decode_error_server_alert
+{
+ return 0 unless TLSProxy::Message->fail();
+
+ my $alert = TLSProxy::Message->alert();
+ return 1 if $alert->server()
+ && $alert->description()
+ == TLSProxy::Message::AL_DESC_DECRYPT_ERROR;
+ return 0;
+}
+
sub modify_psk_filter
{
my $proxy = shift;
AL_DESC_BAD_CERTIFICATE => 42,
AL_DESC_ILLEGAL_PARAMETER => 47,
AL_DESC_DECODE_ERROR => 50,
+ AL_DESC_DECRYPT_ERROR => 51,
AL_DESC_PROTOCOL_VERSION => 70,
AL_DESC_NO_RENEGOTIATION => 100,
AL_DESC_MISSING_EXTENSION => 109
#different one that doesn't get confused.
." -ext_cache"
." -accept $self->{server_addr}:0"
- ." -cert ".$self->cert." -cert2 ".$self->cert
." -naccept ".$self->serverconnects;
+ if (defined $self->cert) {
+ $execcmd .= " -cert ".$self->cert." -cert2 ".$self->cert;
+ } else {
+ $execcmd .= " -nocert";
+ }
+
if ($self->{isdtls}) {
$execcmd .= " -dtls -max_protocol DTLSv1.2"
# TLSProxy does not support message fragmentation. So
projects / thirdparty / openssl.git / commitdiff
