tests/suite/tls-fuzzer: pin current error messages with -X
authorAlexander Sosedkin <asosedkin@redhat.com>
Wed, 18 May 2022 11:41:18 +0000 (13:41 +0200)
committerAlexander Sosedkin <asosedkin@redhat.com>
Fri, 3 Jun 2022 07:17:03 +0000 (09:17 +0200)
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
tests/suite/tls-fuzzer/gnutls-alpn.json
tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
tests/suite/tls-fuzzer/gnutls-nocert.json
tests/suite/tls-fuzzer/gnutls-nolimit-tls13.json
tests/suite/tls-fuzzer/gnutls-nolimit.json

index b02f07305e4bff82dfcfbfb7eda2e2dc8838dbff..02591970d7c8fd8810a42c064b5be578f7ab06e0 100644 (file)
      "server_port": @PORT@,
      "tests" : [
         {"name" : "test-alpn-negotiation.py",
-          "comment" : "we do not not fail when ALPN name changes on resumption",
-          "comment" : "we do not not parse all objects when a match is found",
-          "arguments" : ["-e", "overflow length of last item",
-          "-e", "resumption with alpn change",
-          "-e", "underflow length of protocol_name_list",
-          "-p", "@PORT@"]}
+          "comment1" : "we do not not fail when ALPN name changes on resumption",
+          "comment2" : "we do not not parse all objects when a match is found",
+          "arguments" : [
+              "-x", "overflow length of last item",
+              "-X", "Unexpected message from peer: Handshake(server_hello)",
+              "-x", "resumption with alpn change",
+              "-X", "Unexpected message from peer: Alert(fatal, no_application_protocol)",
+              "-x", "underflow length of protocol_name_list",
+              "-X", "Unexpected message from peer: Handshake(server_hello)",
+              "-p", "@PORT@"
+          ]}
      ]
     }
 ]
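Review bot: The renamed `comment1`/`comment2` keys on the test-alpn-negotiation.py entry still carry the doubled "not not", which reads as the opposite of what is meant, and the entry now pins three failures but explains only two. I would reword them to `"comment1" : "we do not fail when ALPN name changes on resumption"` and `"comment2" : "we do not parse all objects when a match is found"`. It would also help to say which comment covers `underflow length of protocol_name_list`, since its pinned message (`Handshake(server_hello)`) suggests the server carries on with the handshake after a malformed list.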
index 4166ef8fdce5bd67f3051e3a8b810fd651743dae..a85fd950026c05e130d09ed86bcff072adb721f8 100644 (file)
          {"name" : "test-record-size-limit.py",
           "comment" : "changed extension after HRR is not supported #617",
           "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
-                         "--minimal-size", "512",
-                         "-e", "change size in TLS 1.2 resumption",
-                         "-e", "check if server accepts maximum size in TLS 1.0",
-                         "-e", "check if server accepts maximum size in TLS 1.1",
-                         "-e", "check if server accepts maximum size in TLS 1.2",
-                         "-e", "check if server accepts minimal size in TLS 1.0",
-                         "-e", "check if server accepts minimal size in TLS 1.1",
-                         "-e", "check if server accepts minimal size in TLS 1.2",
-                         "-e", "check interaction with sha256 prf",
-                         "-e", "check interaction with sha384 prf",
-                         "-e", "check server sent size in TLS 1.0",
-                         "-e", "check server sent size in TLS 1.1",
-                         "-e", "check server sent size in TLS 1.2",
-                         "-e", "drop extension in TLS 1.2 resumption",
-                         "-e", "modified extension in 2nd CH in HRR handshake",
-                         "-e", "renegotiation with changed limit",
-                         "-e", "renegotiation with dropped extension",
-                         "-e", "added extension in 2nd CH in HRR handshake",
-                         "-e", "check server sent size in TLS 1.0 with max_fragment_length",
-                         "-e", "check server sent size in TLS 1.1 with max_fragment_length",
-                         "-e", "check server sent size in TLS 1.2 with max_fragment_length",
-                         "-e", "removed extension in 2nd CH in HRR handshake"] },
+                       "--minimal-size", "512",
+                       "-e", "change size in TLS 1.2 resumption",
+                       "-e", "check if server accepts maximum size in TLS 1.0",
+                       "-e", "check if server accepts maximum size in TLS 1.1",
+                       "-e", "check if server accepts maximum size in TLS 1.2",
+                       "-e", "check if server accepts minimal size in TLS 1.0",
+                       "-e", "check if server accepts minimal size in TLS 1.1",
+                       "-e", "check if server accepts minimal size in TLS 1.2",
+                       "-x", "check interaction with sha256 prf",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                       "-e", "check server sent size in TLS 1.0",
+                       "-e", "check server sent size in TLS 1.1",
+                       "-e", "check server sent size in TLS 1.2",
+                       "-e", "drop extension in TLS 1.2 resumption",
+                       "-x", "modified extension in 2nd CH in HRR handshake",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-e", "renegotiation with dropped extension",
+                       "-x", "added extension in 2nd CH in HRR handshake",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-e", "check server sent size in TLS 1.0 with max_fragment_length",
+                       "-e", "check server sent size in TLS 1.1 with max_fragment_length",
+                       "-e", "check server sent size in TLS 1.2 with max_fragment_length",
+                       "-x", "removed extension in 2nd CH in HRR handshake",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)"] },
         {"name" : "test-tls13-0rtt-garbage.py",
          "arguments": ["-p", "@PORT@"]},
         {"name" : "test-tls13-ccs.py",
@@ -54,7 +56,7 @@
          "arguments": ["-p", "@PORT@", "-t", "2"]},
         {"name" : "test-tls13-dhe-shared-secret-padding.py",
          "arguments": ["-p", "@PORT@",
-                       "-n", "4"]},
+                       "-n", "4"]},
         {"name" : "test-tls13-ecdhe-curves.py",
          "arguments": ["-p", "@PORT@"]},
         {"name" : "test-tls13-ecdsa-support.py",
         {"name" : "test-tls13-ffdhe-groups.py",
          "comment" : "We do not check for duplicate entries",
          "arguments": ["-p", "@PORT@",
-                       "-e", "ffdhe2048 - duplicated key share entry",
-                       "-e", "ffdhe3072 - duplicated key share entry",
-                       "-e", "ffdhe4096 - duplicated key share entry",
-                       "-e", "ffdhe6144 - duplicated key share entry",
-                       "-e", "ffdhe8192 - duplicated key share entry",
-                        "-t", "180"]},
+                       "-x", "ffdhe2048 - duplicated key share entry",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-x", "ffdhe3072 - duplicated key share entry",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-x", "ffdhe4096 - duplicated key share entry",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-x", "ffdhe6144 - duplicated key share entry",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-x", "ffdhe8192 - duplicated key share entry",
+                       "-X", "Unexpected message from peer: Handshake(server_hello)",
+                       "-t", "180"]},
         {"name" : "test-tls13-ffdhe-sanity.py",
          "arguments": ["-p", "@PORT@",
-                        "-t", "180"]},
+                       "-t", "180"]},
         {"name" : "test-tls13-finished.py",
          "comment" : "the disabled tests timeout very often due to slow tls-fuzzer implementation",
          "arguments": ["-p", "@PORT@", "-n", "5",
          "arguments": ["-p", "@PORT@"]},
         {"name" : "test-tls13-invalid-ciphers.py",
          "arguments": ["-p", "@PORT@",
-                       "-n", "5"]},
+                       "-n", "5"]},
         {"name" : "test-tls13-keyshare-omitted.py",
          "arguments": ["-p", "@PORT@"]},
         {"name" : "test-tls13-keyupdate.py",
          "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket",
-         "arguments": ["-p", "@PORT@",
-                       "-n", "5",
-                       "-e", "app data split, conversation with KeyUpdate msg",
-                       "-e", "multiple KeyUpdate messages"]},
+         "arguments": ["-p", "@PORT@", "-n", "5",
+                       "-e", "app data split, conversation with KeyUpdate msg",
+                       "-e", "multiple KeyUpdate messages"]},
         {"name" : "test-tls13-large-number-of-extensions.py",
          "comment" : "This test assumes that 22 (EtM) is unassigned which is incorrect - see #632",
-         "arguments": ["-p", "@PORT@",
-                       "-n", "5",
-                       "--exc", "11",
-                       "--exc", "12",
-                       "--exc", "22",
-                       "--exc", "23"]},
+         "arguments": ["-p", "@PORT@", "-n", "5"]},
         {"name" : "test-tls13-legacy-version.py",
          "arguments": ["-p", "@PORT@"]},
         {"name" : "test-tls13-nociphers.py",
         {"name" : "test-tls13-signature-algorithms.py",
           "comment" : "gnutls doesn't handle well duplicated signature algorithms; this is not an issue in practice",
          "arguments": ["-p", "@PORT@",
-                       "-e", "213 invalid schemes",
-                       "-e", "2353 invalid schemes",
-                       "-e", "8130 invalid schemes",
-                       "-e", "23752 invalid schemes",
-                       "-e", "32715 invalid schemes"]},
+                       "-x", "213 invalid schemes",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                       "-x", "2353 invalid schemes",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                       "-x", "8130 invalid schemes",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                       "-x", "23752 invalid schemes",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                       "-x", "32715 invalid schemes",
+                       "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)"]},
         {"name" : "test-tls13-symetric-ciphers.py",
          "arguments": ["-p", "@PORT@",
                        "-n", "5"]},
         {"name" : "test-downgrade-protection.py",
          "comment" : "1/n-1 splitting in TLS 1.0 is not supported",
          "arguments": ["-p", "@PORT@", "--server-max-protocol", "TLSv1.3",
-                       "-e", "TLS 1.3 downgrade check for Protocol (3, 1)"]}
+                       "-x", "TLS 1.3 downgrade check for Protocol (3, 1)",
+                       "-X", "Unexpected message from peer: Alert(fatal, protocol_version)"]}
      ]
     }
 ]
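Review bot: The `comment` on test-tls13-large-number-of-extensions.py is left stale. It still says the test assumes extension 22 (EtM) is unassigned and points to #632, but the four `--exc` arguments that worked around that are removed in the same hunk. If the script no longer needs the workaround, drop the comment or reword it to say so, in the style of the `"seems fixed with !708"` comment this commit adds in gnutls-nocert.json. If the assumption still holds, the `--exc` arguments should stay.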
index d74a756f29e84fdd136f709f31da95db4ac02252..98237e7a18be2bea9068e31150977025ef4edac9 100644 (file)
          {"name" : "test-ecdsa-sig-flexibility.py",
           "comment" : "we do not support SHA224",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "connect with sha224+ecdsa only"] },
+                         "-x", "connect with sha224+ecdsa only",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)"] },
          {"name" : "test-encrypt-then-mac.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-ocsp-stapling.py",
           "arguments" : ["-p", "@PORT@",
                          "--no-status"] },
          {"name" : "test-encrypt-then-mac-renegotiation.py",
-          "comment" : "we are not strict in EtM required behavior in renegotiation",
-          "arguments" : ["-p", "@PORT@",
-                         "-e", "Encrypt-then-MAC renegotiation crash"]},
+          "arguments" : ["-p", "@PORT@"]},
          {"name" : "test-x25519.py",
           "arguments" : ["-p", "@PORT@"]},
          {"name" : "test-cve-2016-7054.py",
-          "arguments" : ["-p", "@PORT@",
-                         "-e", "sanity"]},
+          "arguments" : ["-p", "@PORT@"]},
          {"name" : "test-cve-2016-6309.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-invalid-server-name-extension.py",
           "comment" : "we don't parse past the first valid name, and we don't validate input received",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "SNI name with UTF-8",
-          "-e", "multiple host_names in SNI, RFC 6066 compliance",
-          "-e", "incorrect SNI"]},
+                         "-x", "multiple host_names in SNI, RFC 6066 compliance",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
+                         "-x", "incorrect SNI",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"]},
          {"name" : "test-invalid-server-name-extension-resumption.py",
-          "comment" : "we don't follow the RFC precisely on SNI resumption, we cache the SNI and ignore the extensions",
-          "arguments" : ["-p", "@PORT@",
-                         "-e", "Sanity check, bad SNI",
-          "-e", "session resume with different SNI",
-          "-e", "session resume with malformed SNI"]},
+          "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-chacha20.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-aes-gcm-nonces.py",
@@ -82,6 +77,7 @@
          {"name" : "test-clienthello-md5.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-client-compatibility.py",
+          "comment": "skipping over these that need SSL3 support, see gnutls-nocert-ssl3",
           "arguments" : ["-p", "@PORT@",
                          "-e", "18: IE 6 on XP",
                          "-e", "52: YandexBot 3.0 on unknown",
         {"name" : "test-client-hello-max-size.py",
          "comment" : "FIXME: we fail with: Handshake buffer length is 131400 (max: 131072)",
          "arguments" : ["-p", "@PORT@",
-                         "-e", "max client hello"]},
+                         "-x", "max client hello",
+                         "-X", "Unexpected message from peer: Alert(fatal, decode_error)"
+          ]},
         {"name" : "test-atypical-padding.py",
           "arguments" : ["-p", "@PORT@"] },
         {"name" : "test-ffdhe-negotiation.py" ,
          "comment" : ["we don't prefer DHE over RSA if RSA is preferred by peer"],
          "arguments" : ["-p", "@PORT@",
-                         "-e", "Check if DHE preferred",
+                         "-x", "Check if DHE preferred",
+                         "-X", "Server selected unexpected ciphersuite. Expected: 51, received: 47.",
                          "--alert", "handshake_failure",
                          "-t", "180"]},
          {"name" : "test-cve-2016-2107.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-dhe-key-share-random.py",
+          "comment" : "skip SSL3.0 here, see gnutls-nocert-ssl3",
           "arguments" : ["-p", "@PORT@",
                          "-e", "Protocol (3, 0)",
                          "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
                          "-z"]},
          {"name" : "test-dhe-no-shared-secret-padding.py",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "Protocol (3, 0)",
-                         "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                         "-x", "Protocol (3, 0)",
+                         "-X", "Unexpected message from peer: Alert(fatal, protocol_version)",
+                         "-x", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                         "-X", "Unexpected message from peer: Alert(fatal, protocol_version)",
                          "-n", "5",
                          "-z"]},
          {"name" : "test-dhe-rsa-key-exchange.py",
          {"name" : "test-dhe-rsa-key-exchange-signatures.py",
           "comment" : "gnutls no longer allows sha224",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature",
-                         "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha224 signature",
-                         "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature",
-                         "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha224 signature",
-                         "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature"]
+                         "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha224 signature",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha224 signature",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)"]
          },
          {"name" : "test-dhe-rsa-key-exchange-with-bad-messages.py",
           "arguments" : ["-p", "@PORT@"] },
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-ecdhe-padded-shared-secret.py",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
-                         "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
-                         "-e", "Protocol (3, 0)",
+                         "-x", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                         "-X", "Unexpected message from peer: Alert(fatal, protocol_version)",
+                         "-x", "Protocol (3, 0)",
+                         "-X", "Unexpected message from peer: Alert(fatal, protocol_version)",
                          "-z",
                          "-n", "5"]},
          {"name" : "test-ecdhe-rsa-key-exchange.py",
          {"name" : "test-ecdhe-rsa-key-share-random.py",
           "arguments" : ["-p", "@PORT@",
                          "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
-                         "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
                          "-e", "Protocol (3, 0)",
                          "-z",
                          "-n", "5"]},
          {"name" : "test-empty-extensions.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-export-ciphers-rejected.py",
-          "comment" : "disable SSL3.0 here, will be tested separately",
+         "comment" : "skip SSL3.0 here, see gnutls-nocert-ssl3",
           "arguments" : ["-p", "@PORT@",
                          "-e", "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3",
                          "-e", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3",
                          "-e", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA with AES_128 in SSLv3",
                          "-e", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA with AES_128 in SSLv3",
                          "-e", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 with AES_128 in SSLv3",
-                         "-e", "TLS_RSA_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3"] },
+                         "-e", "TLS_RSA_EXPORT_WITH_RC4_40_MD5 with AES_128 in SSLv3"
+          ] },
          {"name" : "test-extensions.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-extended-master-secret-extension.py",
           "comment" : "gnutls does not allow switching from EMS to no EMS, and w/ECDHE test is incomplete",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "renegotiate without EMS in session with EMS",
-                         "-e", "EMS with session resume without extension"]},
+                         "-x", "renegotiate without EMS in session with EMS",
+                         "-X", "Unexpected message from peer: Alert(fatal, bad_record_mac)",
+                         "-x", "EMS with session resume without extension",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"]},
          {"name" : "test-fallback-scsv.py",
           "arguments" : ["-p", "@PORT@",
                          "--tls-1.3"]},
           "exp_pass" : false,
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-record-layer-fragmentation.py",
-          "comment" : "These tests rely on fragmenting the first bytes of the handshake header. Gnutls is limited on that, and doesn't accept handshake header fragmentation.",
-          "arguments" : ["-p", "@PORT@",
-                         "-e", "non fragmented, over fragmentation limit: 65535 fragment - 16332B extension",
-                         "-e", "small, maximum fragmentation: 1 fragment - 20B extension",
-                         "-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]},
+          "comment" : "seems fixed with !708",
+          "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-record-size-limit.py",
-         "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
+          "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
           "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
                          "--minimal-size", "512",
-                         "-e", "check if server accepts maximum size in TLS 1.0",
                          "-e", "check if server accepts maximum size in TLS 1.3",
-                         "-e", "check if server accepts minimal size in TLS 1.0",
                          "-e", "check if server accepts minimal size in TLS 1.3",
                          "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3",
                          "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3",
-                         "-e", "check server sent size in TLS 1.0",
                          "-e", "check server sent size in TLS 1.3",
-                         "-e", "HRR sanity",
                          "-e", "too large record payload in TLS 1.3",
                          "-e", "change size in TLS 1.3 session resumption",
                          "-e", "drop extension in TLS 1.3 session resumption",
-                         "-e", "modified extension in 2nd CH in HRR handshake",
-                         "-e", "added extension in 2nd CH in HRR handshake",
-                         "-e", "check server sent size in TLS 1.0 with max_fragment_length",
                          "-e", "check server sent size in TLS 1.3 with max_fragment_length",
-                         "-e", "removed extension in 2nd CH in HRR handshake"] },
+                         "-x", "check if server accepts maximum size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "check if server accepts minimal size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 512, expected: 1",
+                         "-x", "check server sent size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "modified extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello",
+                         "-x", "added extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
+                         "-x", "check server sent size in TLS 1.0 with max_fragment_length",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "removed extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"
+          ] },
          {"name" : "test-sessionID-resumption.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-serverhello-random.py",
+          "comment": "different alerts whether SSLv3 is compiled in",
           "arguments" : ["-p", "@PORT@",
                          "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
                          "-e", "Protocol (3, 0)",
                          "-n", "6"]},
          {"name" : "test-sig-algs.py",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "rsa_pss_pss_sha256 only",
-                         "-e", "rsa_pss_pss_sha384 only",
-                         "-e", "rsa_pss_pss_sha512 only"] },
+                         "-x", "rsa_pss_pss_sha256 only",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "rsa_pss_pss_sha384 only",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "rsa_pss_pss_sha512 only",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)"
+          ] },
          {"name" : "test-signature-algorithms.py",
           "comment" : "gnutls doesn't handle well duplicated sign algorithms; this is not an issue in practice",
           "arguments" : ["-p", "@PORT@",
-                         "-e", "duplicated 202 non-rsa schemes",
-                         "-e", "duplicated 2342 non-rsa schemes",
-                         "-e", "duplicated 8119 non-rsa schemes",
-                         "-e", "duplicated 23741 non-rsa schemes",
-                         "-e", "duplicated 32744 non-rsa schemes",
-                         "-e", "tolerance max (32764) number of methods"]
+                         "-x", "duplicated 202 non-rsa schemes",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "duplicated 2342 non-rsa schemes",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "duplicated 8119 non-rsa schemes",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "duplicated 23741 non-rsa schemes",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "duplicated 32744 non-rsa schemes",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
+                         "-x", "tolerance max (32764) number of methods",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)"
+          ]
          },
          {"name" : "test-sslv2-connection.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-sslv2-force-export-cipher.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-sslv2hello-protocol.py",
-          "comment" : "https://gitlab.com/gnutls/gnutls/issues/771",
+          "comment" : "https://gitlab.com/gnutls/gnutls/issues/771; skipping conversations that time out",
           "arguments" : ["-p", "@PORT@", "--no-ssl2",
                          "-e", "Empty SSLv2 record - type 0",
                          "-e", "Empty SSLv2 record - type 1",
                          "-e", "Just version in SSLv2 hello",
-                         "-e", "SSLv2 Client Hello"] },
+                         "-x", "SSLv2 Client Hello",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"] },
          {"name" : "test-TLSv1_2-rejected-without-TLSv1_2.py",
           "arguments" : ["-p", "@PORT@"] },
          {"name" : "test-truncating-of-client-hello.py",
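Review bot: The pin for `modified extension in 2nd CH in HRR handshake` in the test-record-size-limit.py entry is missing its closing parenthesis: `"Unexpected message from peer: Handshake(server_hello"`. Every other occurrence in this commit ends in `server_hello)`, including the same conversation in gnutls-nolimit.json. If `-X` is matched as a substring, the test still passes, but the shorter string would also match any other handshake message whose name starts with `server_hello`, so the pin is looser than intended. Change it to `"-X", "Unexpected message from peer: Handshake(server_hello)",`.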
index 9139c786671fb24977d0992714374ecc8df16f30..24aafaed63326d2f38e9278c1796f5083a6a9572 100644 (file)
                          "-e", "check if server accepts minimal size in TLS 1.0",
                          "-e", "check if server accepts minimal size in TLS 1.1",
                          "-e", "check if server accepts minimal size in TLS 1.2",
-                         "-e", "check interaction with sha256 prf",
-                         "-e", "check interaction with sha384 prf",
+                         "-x", "check interaction with sha256 prf",
+                         "-X", "Unexpected message from peer: Alert(fatal, handshake_failure)",
                          "-e", "check server sent size in TLS 1.0",
                          "-e", "check server sent size in TLS 1.1",
                          "-e", "check server sent size in TLS 1.2",
                          "-e", "drop extension in TLS 1.2 resumption",
-                         "-e", "modified extension in 2nd CH in HRR handshake",
-                         "-e", "renegotiation with changed limit",
+                         "-x", "modified extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
                          "-e", "renegotiation with dropped extension",
-                         "-e", "added extension in 2nd CH in HRR handshake",
+                         "-x", "added extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
                          "-e", "check server sent size in TLS 1.0 with max_fragment_length",
                          "-e", "check server sent size in TLS 1.1 with max_fragment_length",
                          "-e", "check server sent size in TLS 1.2 with max_fragment_length",
-                         "-e", "removed extension in 2nd CH in HRR handshake"] }
+                         "-x", "removed extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"] }
      ]
     }
 ]
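Review bot: Two exclusions are dropped here rather than pinned: `check interaction with sha384 prf` and `renegotiation with changed limit` no longer appear on the new side. Both conversations therefore now run and have to pass, which the commit title does not cover. The same two are dropped from test-record-size-limit.py in gnutls-nocert-tls13.json. If that is intended, a `comment` on the entry saying these conversations pass now would keep the change from looking accidental. The entry opens outside this hunk, so I cannot see whether it already has one.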
index 2383a786c85307c733f70f2d4a9aaa853586eb34..dd92431484c150730060e6404e1b7ddc53859197 100644 (file)
      "server_port": @PORT@,
      "tests" : [
          {"name" : "test-record-size-limit.py",
-         "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
+          "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
           "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
-                         "-e", "check if server accepts maximum size in TLS 1.0",
                          "-e", "check if server accepts maximum size in TLS 1.3",
-                         "-e", "check if server accepts minimal size in TLS 1.0",
                          "-e", "check if server accepts minimal size in TLS 1.3",
                          "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3",
                          "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3",
-                         "-e", "check server sent size in TLS 1.0",
                          "-e", "check server sent size in TLS 1.3",
-                         "-e", "HRR sanity",
                          "-e", "too large record payload in TLS 1.3",
                          "-e", "change size in TLS 1.3 session resumption",
                          "-e", "drop extension in TLS 1.3 session resumption",
-                         "-e", "modified extension in 2nd CH in HRR handshake",
-                         "-e", "added extension in 2nd CH in HRR handshake",
-                         "-e", "check server sent size in TLS 1.0 with max_fragment_length",
                          "-e", "check server sent size in TLS 1.3 with max_fragment_length",
-                         "-e", "removed extension in 2nd CH in HRR handshake"] }
+                         "-x", "check if server accepts maximum size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "check if server accepts minimal size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 64, expected: 1",
+                         "-x", "check server sent size in TLS 1.0",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "modified extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
+                         "-x", "added extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)",
+                         "-x", "check server sent size in TLS 1.0 with max_fragment_length",
+                         "-X", "ApplicationData of unexpected size: 1024, expected: 1",
+                         "-x", "removed extension in 2nd CH in HRR handshake",
+                         "-X", "Unexpected message from peer: Handshake(server_hello)"] }
      ]
     }
 ]
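Review bot: The `-X` pins in the test-record-size-limit.py entry embed values that depend on the arguments. `ApplicationData of unexpected size: 1024, expected: 1` follows `--reply-AD-size 1024`, while the `size: 64` pin has no matching argument in this file (gnutls-nocert.json passes `--minimal-size 512` and pins 512), so it presumably comes from the script's default. Changing either value would break the pins with a message mismatch that does not explain itself. I would extend the existing comment to say so, e.g. `"comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0; pinned sizes follow --reply-AD-size and the default minimal size"`.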