TclTLS: Hex Artifact Content

Artifact 66893a8fa7427396384376b046a1d029d075f81440fa5a49669d7d3d5dc08d05:

File tests/badssl.test — part of check-in [6729942f38] at 2023-09-10 22:43:18 on branch trunk — Added test cases to check for badssl.com certificate error conditions (user: bohagan, size: 8881) [annotate] [blame] [check-ins using]
0000: 23 20 41 75 74 6f 20 67 65 6e 65 72 61 74 65 64  # Auto generated
0010: 20 74 65 73 74 20 63 61 73 65 73 20 66 6f 72 20   test cases for 
0020: 62 61 64 73 73 6c 2e 63 73 76 0a 0a 23 20 4c 6f  badssl.csv..# Lo
0030: 61 64 20 54 63 6c 20 54 65 73 74 20 70 61 63 6b  ad Tcl Test pack
0040: 61 67 65 0a 69 66 20 7b 5b 6c 73 65 61 72 63 68  age.if {[lsearch
0050: 20 5b 6e 61 6d 65 73 70 61 63 65 20 63 68 69 6c   [namespace chil
0060: 64 72 65 6e 5d 20 3a 3a 74 63 6c 74 65 73 74 5d  dren] ::tcltest]
0070: 20 3d 3d 20 2d 31 7d 20 7b 0a 09 70 61 63 6b 61   == -1} {..packa
0080: 67 65 20 72 65 71 75 69 72 65 20 74 63 6c 74 65  ge require tclte
0090: 73 74 0a 09 6e 61 6d 65 73 70 61 63 65 20 69 6d  st..namespace im
00a0: 70 6f 72 74 20 3a 3a 74 63 6c 74 65 73 74 3a 3a  port ::tcltest::
00b0: 2a 0a 7d 0a 0a 73 65 74 20 61 75 74 6f 5f 70 61  *.}..set auto_pa
00c0: 74 68 20 5b 63 6f 6e 63 61 74 20 5b 6c 69 73 74  th [concat [list
00d0: 20 5b 66 69 6c 65 20 64 69 72 6e 61 6d 65 20 5b   [file dirname [
00e0: 66 69 6c 65 20 64 69 72 6e 61 6d 65 20 5b 69 6e  file dirname [in
00f0: 66 6f 20 73 63 72 69 70 74 5d 5d 5d 5d 20 24 61  fo script]]]] $a
0100: 75 74 6f 5f 70 61 74 68 5d 0a 0a 70 61 63 6b 61  uto_path]..packa
0110: 67 65 20 72 65 71 75 69 72 65 20 74 6c 73 0a 0a  ge require tls..
0120: 23 20 46 69 6e 64 20 64 65 66 61 75 6c 74 20 43  # Find default C
0130: 41 20 63 65 72 74 69 66 69 63 61 74 65 73 20 64  A certificates d
0140: 69 72 65 63 74 6f 72 79 0a 69 66 20 7b 5b 69 6e  irectory.if {[in
0150: 66 6f 20 65 78 69 73 74 73 20 3a 3a 65 6e 76 28  fo exists ::env(
0160: 53 53 4c 5f 43 45 52 54 5f 46 49 4c 45 29 5d 7d  SSL_CERT_FILE)]}
0170: 20 7b 73 65 74 20 3a 3a 63 61 66 69 6c 65 20 24   {set ::cafile $
0180: 3a 3a 65 6e 76 28 53 53 4c 5f 43 45 52 54 5f 46  ::env(SSL_CERT_F
0190: 49 4c 45 29 7d 20 65 6c 73 65 20 7b 73 65 74 20  ILE)} else {set 
01a0: 3a 3a 63 61 66 69 6c 65 20 5b 66 69 6c 65 20 6e  ::cafile [file n
01b0: 6f 72 6d 61 6c 69 7a 65 20 7b 43 3a 5c 55 73 65  ormalize {C:\Use
01c0: 72 73 5c 42 72 69 61 6e 5c 44 6f 63 75 6d 65 6e  rs\Brian\Documen
01d0: 74 73 5c 53 6f 75 72 63 65 5c 42 75 69 6c 64 5c  ts\Source\Build\
01e0: 53 53 4c 2d 31 2e 31 5c 63 65 72 74 73 5c 63 61  SSL-1.1\certs\ca
01f0: 63 65 72 74 2e 70 65 6d 7d 5d 7d 0a 0a 23 20 43  cert.pem}]}..# C
0200: 6f 6e 73 74 72 61 69 6e 74 73 0a 73 65 74 20 70  onstraints.set p
0210: 72 6f 74 6f 63 6f 6c 73 20 5b 6c 69 73 74 20 73  rotocols [list s
0220: 73 6c 32 20 73 73 6c 33 20 74 6c 73 31 20 74 6c  sl2 ssl3 tls1 tl
0230: 73 31 2e 31 20 74 6c 73 31 2e 32 20 74 6c 73 31  s1.1 tls1.2 tls1
0240: 2e 33 5d 0a 66 6f 72 65 61 63 68 20 70 72 6f 74  .3].foreach prot
0250: 6f 63 6f 6c 20 24 70 72 6f 74 6f 63 6f 6c 73 20  ocol $protocols 
0260: 7b 3a 3a 74 63 6c 74 65 73 74 3a 3a 74 65 73 74  {::tcltest::test
0270: 43 6f 6e 73 74 72 61 69 6e 74 20 24 70 72 6f 74  Constraint $prot
0280: 6f 63 6f 6c 20 30 7d 0a 66 6f 72 65 61 63 68 20  ocol 0}.foreach 
0290: 70 72 6f 74 6f 63 6f 6c 20 5b 3a 3a 74 6c 73 3a  protocol [::tls:
02a0: 3a 70 72 6f 74 6f 63 6f 6c 73 5d 20 7b 3a 3a 74  :protocols] {::t
02b0: 63 6c 74 65 73 74 3a 3a 74 65 73 74 43 6f 6e 73  cltest::testCons
02c0: 74 72 61 69 6e 74 20 24 70 72 6f 74 6f 63 6f 6c  traint $protocol
02d0: 20 31 7d 0a 0a 23 20 48 65 6c 70 65 72 20 66 75   1}..# Helper fu
02e0: 6e 63 74 69 6f 6e 73 0a 70 72 6f 63 20 62 61 64  nctions.proc bad
02f0: 73 73 6c 20 7b 75 72 6c 7d 20 7b 73 65 74 20 70  ssl {url} {set p
0300: 6f 72 74 20 34 34 33 3b 6c 61 73 73 69 67 6e 20  ort 443;lassign 
0310: 5b 73 70 6c 69 74 20 24 75 72 6c 20 22 3a 22 5d  [split $url ":"]
0320: 20 75 72 6c 20 70 6f 72 74 3b 69 66 20 7b 24 70   url port;if {$p
0330: 6f 72 74 20 65 71 20 22 22 7d 20 7b 73 65 74 20  ort eq ""} {set 
0340: 70 6f 72 74 20 34 34 33 7d 3b 73 65 74 20 63 68  port 443};set ch
0350: 20 5b 74 6c 73 3a 3a 73 6f 63 6b 65 74 20 2d 61   [tls::socket -a
0360: 75 74 6f 73 65 72 76 65 72 6e 61 6d 65 20 31 20  utoservername 1 
0370: 2d 72 65 71 75 69 72 65 20 31 20 2d 63 61 66 69  -require 1 -cafi
0380: 6c 65 20 24 3a 3a 63 61 66 69 6c 65 20 24 75 72  le $::cafile $ur
0390: 6c 20 24 70 6f 72 74 5d 3b 69 66 20 7b 5b 63 61  l $port];if {[ca
03a0: 74 63 68 20 7b 74 6c 73 3a 3a 68 61 6e 64 73 68  tch {tls::handsh
03b0: 61 6b 65 20 24 63 68 7d 20 65 72 72 5d 7d 20 7b  ake $ch} err]} {
03c0: 63 6c 6f 73 65 20 24 63 68 3b 72 65 74 75 72 6e  close $ch;return
03d0: 20 2d 63 6f 64 65 20 65 72 72 6f 72 20 24 65 72   -code error $er
03e0: 72 7d 20 65 6c 73 65 20 7b 63 6c 6f 73 65 20 24  r} else {close $
03f0: 63 68 7d 7d 0a 0a 23 20 42 61 64 53 53 4c 2e 63  ch}}..# BadSSL.c
0400: 6f 6d 20 54 65 73 74 73 0a 0a 0a 74 65 73 74 20  om Tests...test 
0410: 42 61 64 53 53 4c 2d 31 2e 31 20 7b 31 30 30 30  BadSSL-1.1 {1000
0420: 2d 73 61 6e 73 7d 20 2d 62 6f 64 79 20 7b 0a 09  -sans} -body {..
0430: 62 61 64 73 73 6c 20 31 30 30 30 2d 73 61 6e 73  badssl 1000-sans
0440: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
0450: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
0460: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
0470: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
0480: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 63  failed due to: c
0490: 65 72 74 69 66 69 63 61 74 65 20 68 61 73 20 65  ertificate has e
04a0: 78 70 69 72 65 64 7d 20 2d 72 65 74 75 72 6e 43  xpired} -returnC
04b0: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
04c0: 61 64 53 53 4c 2d 31 2e 32 20 7b 31 30 30 30 30  adSSL-1.2 {10000
04d0: 2d 73 61 6e 73 7d 20 2d 62 6f 64 79 20 7b 0a 09  -sans} -body {..
04e0: 62 61 64 73 73 6c 20 31 30 30 30 30 2d 73 61 6e  badssl 10000-san
04f0: 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  s.badssl.com.   
0500: 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64   } -result {hand
0510: 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 65 78  shake failed: ex
0520: 63 65 73 73 69 76 65 20 6d 65 73 73 61 67 65 20  cessive message 
0530: 73 69 7a 65 7d 20 2d 72 65 74 75 72 6e 43 6f 64  size} -returnCod
0540: 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64  es {1}..test Bad
0550: 53 53 4c 2d 31 2e 33 20 7b 33 64 65 73 7d 20 2d  SSL-1.3 {3des} -
0560: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 33  body {..badssl 3
0570: 64 65 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  des.badssl.com. 
0580: 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61     } -result {ha
0590: 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20  ndshake failed: 
05a0: 73 73 6c 76 33 20 61 6c 65 72 74 20 68 61 6e 64  sslv3 alert hand
05b0: 73 68 61 6b 65 20 66 61 69 6c 75 72 65 7d 20 2d  shake failure} -
05c0: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
05d0: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 34  .test BadSSL-1.4
05e0: 20 7b 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c   {captive-portal
05f0: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
0600: 6c 20 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c  l captive-portal
0610: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
0620: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
0630: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
0640: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
0650: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 48  failed due to: H
0660: 6f 73 74 6e 61 6d 65 20 6d 69 73 6d 61 74 63 68  ostname mismatch
0670: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
0680: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
0690: 31 2e 35 20 7b 63 62 63 7d 20 2d 62 6f 64 79 20  1.5 {cbc} -body 
06a0: 7b 0a 09 62 61 64 73 73 6c 20 63 62 63 2e 62 61  {..badssl cbc.ba
06b0: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a  dssl.com.    }..
06c0: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 36 20  test BadSSL-1.6 
06d0: 7b 63 6c 69 65 6e 74 2d 63 65 72 74 2d 6d 69 73  {client-cert-mis
06e0: 73 69 6e 67 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  sing} -body {..b
06f0: 61 64 73 73 6c 20 63 6c 69 65 6e 74 2d 63 65 72  adssl client-cer
0700: 74 2d 6d 69 73 73 69 6e 67 2e 62 61 64 73 73 6c  t-missing.badssl
0710: 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74  .com.    }..test
0720: 20 42 61 64 53 53 4c 2d 31 2e 37 20 7b 63 6c 69   BadSSL-1.7 {cli
0730: 65 6e 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  ent} -body {..ba
0740: 64 73 73 6c 20 63 6c 69 65 6e 74 2e 62 61 64 73  dssl client.bads
0750: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65  sl.com.    }..te
0760: 73 74 20 42 61 64 53 53 4c 2d 31 2e 38 20 7b 64  st BadSSL-1.8 {d
0770: 68 2d 63 6f 6d 70 6f 73 69 74 65 7d 20 2d 62 6f  h-composite} -bo
0780: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 2d  dy {..badssl dh-
0790: 63 6f 6d 70 6f 73 69 74 65 2e 62 61 64 73 73 6c  composite.badssl
07a0: 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74  .com.    }..test
07b0: 20 42 61 64 53 53 4c 2d 31 2e 39 20 7b 64 68 2d   BadSSL-1.9 {dh-
07c0: 73 6d 61 6c 6c 2d 73 75 62 67 72 6f 75 70 7d 20  small-subgroup} 
07d0: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
07e0: 64 68 2d 73 6d 61 6c 6c 2d 73 75 62 67 72 6f 75  dh-small-subgrou
07f0: 70 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  p.badssl.com.   
0800: 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d   }..test BadSSL-
0810: 31 2e 31 30 20 7b 64 68 34 38 30 7d 20 2d 62 6f  1.10 {dh480} -bo
0820: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 34  dy {..badssl dh4
0830: 38 30 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  80.badssl.com.  
0840: 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e    } -result {han
0850: 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 64  dshake failed: d
0860: 68 20 6b 65 79 20 74 6f 6f 20 73 6d 61 6c 6c 7d  h key too small}
0870: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
0880: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
0890: 2e 31 31 20 7b 64 68 35 31 32 7d 20 2d 62 6f 64  .11 {dh512} -bod
08a0: 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 35 31  y {..badssl dh51
08b0: 32 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  2.badssl.com.   
08c0: 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64   } -result {hand
08d0: 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 64 68  shake failed: dh
08e0: 20 6b 65 79 20 74 6f 6f 20 73 6d 61 6c 6c 7d 20   key too small} 
08f0: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
0900: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
0910: 31 32 20 7b 64 68 31 30 32 34 7d 20 2d 62 6f 64  12 {dh1024} -bod
0920: 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 31 30  y {..badssl dh10
0930: 32 34 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  24.badssl.com.  
0940: 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c    }..test BadSSL
0950: 2d 31 2e 31 33 20 7b 64 68 32 30 34 38 7d 20 2d  -1.13 {dh2048} -
0960: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 64  body {..badssl d
0970: 68 32 30 34 38 2e 62 61 64 73 73 6c 2e 63 6f 6d  h2048.badssl.com
0980: 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64  .    }..test Bad
0990: 53 53 4c 2d 31 2e 31 34 20 7b 64 73 64 74 65 73  SSL-1.14 {dsdtes
09a0: 74 70 72 6f 76 69 64 65 72 7d 20 2d 62 6f 64 79  tprovider} -body
09b0: 20 7b 0a 09 62 61 64 73 73 6c 20 64 73 64 74 65   {..badssl dsdte
09c0: 73 74 70 72 6f 76 69 64 65 72 2e 62 61 64 73 73  stprovider.badss
09d0: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73  l.com.    } -res
09e0: 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66  ult {handshake f
09f0: 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61  ailed: certifica
0a00: 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64  te verify failed
0a10: 20 64 75 65 20 74 6f 3a 20 75 6e 61 62 6c 65 20   due to: unable 
0a20: 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73  to get local iss
0a30: 75 65 72 20 63 65 72 74 69 66 69 63 61 74 65 7d  uer certificate}
0a40: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
0a50: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
0a60: 2e 31 35 20 7b 65 63 63 32 35 36 7d 20 2d 62 6f  .15 {ecc256} -bo
0a70: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 65 63 63  dy {..badssl ecc
0a80: 32 35 36 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  256.badssl.com. 
0a90: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
0aa0: 4c 2d 31 2e 31 36 20 7b 65 63 63 33 38 34 7d 20  L-1.16 {ecc384} 
0ab0: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
0ac0: 65 63 63 33 38 34 2e 62 61 64 73 73 6c 2e 63 6f  ecc384.badssl.co
0ad0: 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61  m.    }..test Ba
0ae0: 64 53 53 4c 2d 31 2e 31 37 20 7b 65 64 65 6c 6c  dSSL-1.17 {edell
0af0: 72 6f 6f 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  root} -body {..b
0b00: 61 64 73 73 6c 20 65 64 65 6c 6c 72 6f 6f 74 2e  adssl edellroot.
0b10: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
0b20: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
0b30: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
0b40: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
0b50: 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 75 6e  ailed due to: un
0b60: 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63 61  able to get loca
0b70: 6c 20 69 73 73 75 65 72 20 63 65 72 74 69 66 69  l issuer certifi
0b80: 63 61 74 65 7d 20 2d 72 65 74 75 72 6e 43 6f 64  cate} -returnCod
0b90: 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64  es {1}..test Bad
0ba0: 53 53 4c 2d 31 2e 31 38 20 7b 65 78 70 69 72 65  SSL-1.18 {expire
0bb0: 64 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  d} -body {..bads
0bc0: 73 6c 20 65 78 70 69 72 65 64 2e 62 61 64 73 73  sl expired.badss
0bd0: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73  l.com.    } -res
0be0: 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66  ult {handshake f
0bf0: 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61  ailed: certifica
0c00: 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64  te verify failed
0c10: 20 64 75 65 20 74 6f 3a 20 63 65 72 74 69 66 69   due to: certifi
0c20: 63 61 74 65 20 68 61 73 20 65 78 70 69 72 65 64  cate has expired
0c30: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
0c40: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
0c50: 31 2e 31 39 20 7b 65 78 74 65 6e 64 65 64 2d 76  1.19 {extended-v
0c60: 61 6c 69 64 61 74 69 6f 6e 7d 20 2d 62 6f 64 79  alidation} -body
0c70: 20 7b 0a 09 62 61 64 73 73 6c 20 65 78 74 65 6e   {..badssl exten
0c80: 64 65 64 2d 76 61 6c 69 64 61 74 69 6f 6e 2e 62  ded-validation.b
0c90: 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20  adssl.com.    } 
0ca0: 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61  -result {handsha
0cb0: 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69  ke failed: certi
0cc0: 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66 61  ficate verify fa
0cd0: 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 63 65 72  iled due to: cer
0ce0: 74 69 66 69 63 61 74 65 20 68 61 73 20 65 78 70  tificate has exp
0cf0: 69 72 65 64 7d 20 2d 72 65 74 75 72 6e 43 6f 64  ired} -returnCod
0d00: 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64  es {1}..test Bad
0d10: 53 53 4c 2d 31 2e 32 30 20 7b 68 73 74 73 7d 20  SSL-1.20 {hsts} 
0d20: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
0d30: 68 73 74 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  hsts.badssl.com.
0d40: 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53      }..test BadS
0d50: 53 4c 2d 31 2e 32 31 20 7b 68 74 74 70 73 2d 65  SL-1.21 {https-e
0d60: 76 65 72 79 77 68 65 72 65 7d 20 2d 62 6f 64 79  verywhere} -body
0d70: 20 7b 0a 09 62 61 64 73 73 6c 20 68 74 74 70 73   {..badssl https
0d80: 2d 65 76 65 72 79 77 68 65 72 65 2e 62 61 64 73  -everywhere.bads
0d90: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65  sl.com.    }..te
0da0: 73 74 20 42 61 64 53 53 4c 2d 31 2e 32 32 20 7b  st BadSSL-1.22 {
0db0: 69 6e 63 6f 6d 70 6c 65 74 65 2d 63 68 61 69 6e  incomplete-chain
0dc0: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
0dd0: 6c 20 69 6e 63 6f 6d 70 6c 65 74 65 2d 63 68 61  l incomplete-cha
0de0: 69 6e 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  in.badssl.com.  
0df0: 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e    } -result {han
0e00: 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63  dshake failed: c
0e10: 65 72 74 69 66 69 63 61 74 65 20 76 65 72 69 66  ertificate verif
0e20: 79 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a  y failed due to:
0e30: 20 75 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6c   unable to get l
0e40: 6f 63 61 6c 20 69 73 73 75 65 72 20 63 65 72 74  ocal issuer cert
0e50: 69 66 69 63 61 74 65 7d 20 2d 72 65 74 75 72 6e  ificate} -return
0e60: 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20  Codes {1}..test 
0e70: 42 61 64 53 53 4c 2d 31 2e 32 33 20 7b 69 6e 76  BadSSL-1.23 {inv
0e80: 61 6c 69 64 2d 65 78 70 65 63 74 65 64 2d 73 63  alid-expected-sc
0e90: 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  t} -body {..bads
0ea0: 73 6c 20 69 6e 76 61 6c 69 64 2d 65 78 70 65 63  sl invalid-expec
0eb0: 74 65 64 2d 73 63 74 2e 62 61 64 73 73 6c 2e 63  ted-sct.badssl.c
0ec0: 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74  om.    } -result
0ed0: 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c   {handshake fail
0ee0: 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65 20  ed: certificate 
0ef0: 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64 75  verify failed du
0f00: 65 20 74 6f 3a 20 75 6e 61 62 6c 65 20 74 6f 20  e to: unable to 
0f10: 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65 72  get local issuer
0f20: 20 63 65 72 74 69 66 69 63 61 74 65 7d 20 2d 72   certificate} -r
0f30: 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a  eturnCodes {1}..
0f40: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 32 34  test BadSSL-1.24
0f50: 20 7b 6c 6f 6e 67 2d 65 78 74 65 6e 64 65 64 2d   {long-extended-
0f60: 73 75 62 64 6f 6d 61 69 6e 2d 6e 61 6d 65 2d 63  subdomain-name-c
0f70: 6f 6e 74 61 69 6e 69 6e 67 2d 6d 61 6e 79 2d 6c  ontaining-many-l
0f80: 65 74 74 65 72 73 2d 61 6e 64 2d 64 61 73 68 65  etters-and-dashe
0f90: 73 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  s} -body {..bads
0fa0: 73 6c 20 6c 6f 6e 67 2d 65 78 74 65 6e 64 65 64  sl long-extended
0fb0: 2d 73 75 62 64 6f 6d 61 69 6e 2d 6e 61 6d 65 2d  -subdomain-name-
0fc0: 63 6f 6e 74 61 69 6e 69 6e 67 2d 6d 61 6e 79 2d  containing-many-
0fd0: 6c 65 74 74 65 72 73 2d 61 6e 64 2d 64 61 73 68  letters-and-dash
0fe0: 65 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  es.badssl.com.  
0ff0: 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c    }..test BadSSL
1000: 2d 31 2e 32 35 20 7b 6c 6f 6e 67 65 78 74 65 6e  -1.25 {longexten
1010: 64 65 64 73 75 62 64 6f 6d 61 69 6e 6e 61 6d 65  dedsubdomainname
1020: 77 69 74 68 6f 75 74 64 61 73 68 65 73 69 6e 6f  withoutdashesino
1030: 72 64 65 72 74 6f 74 65 73 74 77 6f 72 64 77 72  rdertotestwordwr
1040: 61 70 70 69 6e 67 7d 20 2d 62 6f 64 79 20 7b 0a  apping} -body {.
1050: 09 62 61 64 73 73 6c 20 6c 6f 6e 67 65 78 74 65  .badssl longexte
1060: 6e 64 65 64 73 75 62 64 6f 6d 61 69 6e 6e 61 6d  ndedsubdomainnam
1070: 65 77 69 74 68 6f 75 74 64 61 73 68 65 73 69 6e  ewithoutdashesin
1080: 6f 72 64 65 72 74 6f 74 65 73 74 77 6f 72 64 77  ordertotestwordw
1090: 72 61 70 70 69 6e 67 2e 62 61 64 73 73 6c 2e 63  rapping.badssl.c
10a0: 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42  om.    }..test B
10b0: 61 64 53 53 4c 2d 31 2e 32 36 20 7b 6d 69 74 6d  adSSL-1.26 {mitm
10c0: 2d 73 6f 66 74 77 61 72 65 7d 20 2d 62 6f 64 79  -software} -body
10d0: 20 7b 0a 09 62 61 64 73 73 6c 20 6d 69 74 6d 2d   {..badssl mitm-
10e0: 73 6f 66 74 77 61 72 65 2e 62 61 64 73 73 6c 2e  software.badssl.
10f0: 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c  com.    } -resul
1100: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
1110: 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65  led: certificate
1120: 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64   verify failed d
1130: 75 65 20 74 6f 3a 20 75 6e 61 62 6c 65 20 74 6f  ue to: unable to
1140: 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65   get local issue
1150: 72 20 63 65 72 74 69 66 69 63 61 74 65 7d 20 2d  r certificate} -
1160: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
1170: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 32  .test BadSSL-1.2
1180: 37 20 7b 6e 6f 2d 63 6f 6d 6d 6f 6e 2d 6e 61 6d  7 {no-common-nam
1190: 65 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  e} -body {..bads
11a0: 73 6c 20 6e 6f 2d 63 6f 6d 6d 6f 6e 2d 6e 61 6d  sl no-common-nam
11b0: 65 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  e.badssl.com.   
11c0: 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64   } -result {hand
11d0: 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65  shake failed: ce
11e0: 72 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79  rtificate verify
11f0: 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20   failed due to: 
1200: 63 65 72 74 69 66 69 63 61 74 65 20 68 61 73 20  certificate has 
1210: 65 78 70 69 72 65 64 7d 20 2d 72 65 74 75 72 6e  expired} -return
1220: 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20  Codes {1}..test 
1230: 42 61 64 53 53 4c 2d 31 2e 32 38 20 7b 6e 6f 2d  BadSSL-1.28 {no-
1240: 73 63 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  sct} -body {..ba
1250: 64 73 73 6c 20 6e 6f 2d 73 63 74 2e 62 61 64 73  dssl no-sct.bads
1260: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
1270: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
1280: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
1290: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
12a0: 64 20 64 75 65 20 74 6f 3a 20 75 6e 61 62 6c 65  d due to: unable
12b0: 20 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69 73   to get local is
12c0: 73 75 65 72 20 63 65 72 74 69 66 69 63 61 74 65  suer certificate
12d0: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
12e0: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
12f0: 31 2e 32 39 20 7b 6e 6f 2d 73 75 62 6a 65 63 74  1.29 {no-subject
1300: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1310: 6c 20 6e 6f 2d 73 75 62 6a 65 63 74 2e 62 61 64  l no-subject.bad
1320: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72  ssl.com.    } -r
1330: 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65  esult {handshake
1340: 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69   failed: certifi
1350: 63 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c  cate verify fail
1360: 65 64 20 64 75 65 20 74 6f 3a 20 63 65 72 74 69  ed due to: certi
1370: 66 69 63 61 74 65 20 68 61 73 20 65 78 70 69 72  ficate has expir
1380: 65 64 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73  ed} -returnCodes
1390: 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53   {1}..test BadSS
13a0: 4c 2d 31 2e 33 30 20 7b 6e 75 6c 6c 7d 20 2d 62  L-1.30 {null} -b
13b0: 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 6e 75  ody {..badssl nu
13c0: 6c 6c 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  ll.badssl.com.  
13d0: 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e    } -result {han
13e0: 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 73  dshake failed: s
13f0: 73 6c 76 33 20 61 6c 65 72 74 20 68 61 6e 64 73  slv3 alert hands
1400: 68 61 6b 65 20 66 61 69 6c 75 72 65 7d 20 2d 72  hake failure} -r
1410: 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a  eturnCodes {1}..
1420: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33 31  test BadSSL-1.31
1430: 20 7b 70 69 6e 6e 69 6e 67 2d 74 65 73 74 7d 20   {pinning-test} 
1440: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
1450: 70 69 6e 6e 69 6e 67 2d 74 65 73 74 2e 62 61 64  pinning-test.bad
1460: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74  ssl.com.    }..t
1470: 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33 32 20  est BadSSL-1.32 
1480: 7b 70 72 65 61 63 74 2d 63 6c 69 7d 20 2d 62 6f  {preact-cli} -bo
1490: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 70 72 65  dy {..badssl pre
14a0: 61 63 74 2d 63 6c 69 2e 62 61 64 73 73 6c 2e 63  act-cli.badssl.c
14b0: 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74  om.    } -result
14c0: 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c   {handshake fail
14d0: 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65 20  ed: certificate 
14e0: 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64 75  verify failed du
14f0: 65 20 74 6f 3a 20 75 6e 61 62 6c 65 20 74 6f 20  e to: unable to 
1500: 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65 72  get local issuer
1510: 20 63 65 72 74 69 66 69 63 61 74 65 7d 20 2d 72   certificate} -r
1520: 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a  eturnCodes {1}..
1530: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33 33  test BadSSL-1.33
1540: 20 7b 70 72 65 6c 6f 61 64 65 64 2d 68 73 74 73   {preloaded-hsts
1550: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1560: 6c 20 70 72 65 6c 6f 61 64 65 64 2d 68 73 74 73  l preloaded-hsts
1570: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
1580: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
1590: 2e 33 34 20 7b 72 63 34 2d 6d 64 35 7d 20 2d 62  .34 {rc4-md5} -b
15a0: 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 72 63  ody {..badssl rc
15b0: 34 2d 6d 64 35 2e 62 61 64 73 73 6c 2e 63 6f 6d  4-md5.badssl.com
15c0: 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b  .    } -result {
15d0: 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64  handshake failed
15e0: 3a 20 73 73 6c 76 33 20 61 6c 65 72 74 20 68 61  : sslv3 alert ha
15f0: 6e 64 73 68 61 6b 65 20 66 61 69 6c 75 72 65 7d  ndshake failure}
1600: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
1610: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
1620: 2e 33 35 20 7b 72 63 34 7d 20 2d 62 6f 64 79 20  .35 {rc4} -body 
1630: 7b 0a 09 62 61 64 73 73 6c 20 72 63 34 2e 62 61  {..badssl rc4.ba
1640: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d  dssl.com.    } -
1650: 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b  result {handshak
1660: 65 20 66 61 69 6c 65 64 3a 20 73 73 6c 76 33 20  e failed: sslv3 
1670: 61 6c 65 72 74 20 68 61 6e 64 73 68 61 6b 65 20  alert handshake 
1680: 66 61 69 6c 75 72 65 7d 20 2d 72 65 74 75 72 6e  failure} -return
1690: 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20  Codes {1}..test 
16a0: 42 61 64 53 53 4c 2d 31 2e 33 36 20 7b 72 65 76  BadSSL-1.36 {rev
16b0: 6f 6b 65 64 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  oked} -body {..b
16c0: 61 64 73 73 6c 20 72 65 76 6f 6b 65 64 2e 62 61  adssl revoked.ba
16d0: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d  dssl.com.    } -
16e0: 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b  result {handshak
16f0: 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66  e failed: certif
1700: 69 63 61 74 65 20 76 65 72 69 66 79 20 66 61 69  icate verify fai
1710: 6c 65 64 20 64 75 65 20 74 6f 3a 20 63 65 72 74  led due to: cert
1720: 69 66 69 63 61 74 65 20 68 61 73 20 65 78 70 69  ificate has expi
1730: 72 65 64 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65  red} -returnCode
1740: 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53  s {1}..test BadS
1750: 53 4c 2d 31 2e 33 37 20 7b 72 73 61 32 30 34 38  SL-1.37 {rsa2048
1760: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1770: 6c 20 72 73 61 32 30 34 38 2e 62 61 64 73 73 6c  l rsa2048.badssl
1780: 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74  .com.    }..test
1790: 20 42 61 64 53 53 4c 2d 31 2e 33 38 20 7b 72 73   BadSSL-1.38 {rs
17a0: 61 34 30 39 36 7d 20 2d 62 6f 64 79 20 7b 0a 09  a4096} -body {..
17b0: 62 61 64 73 73 6c 20 72 73 61 34 30 39 36 2e 62  badssl rsa4096.b
17c0: 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a  adssl.com.    }.
17d0: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33  .test BadSSL-1.3
17e0: 39 20 7b 72 73 61 38 31 39 32 7d 20 2d 62 6f 64  9 {rsa8192} -bod
17f0: 79 20 7b 0a 09 62 61 64 73 73 6c 20 72 73 61 38  y {..badssl rsa8
1800: 31 39 32 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  192.badssl.com. 
1810: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
1820: 4c 2d 31 2e 34 30 20 7b 73 65 6c 66 2d 73 69 67  L-1.40 {self-sig
1830: 6e 65 64 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  ned} -body {..ba
1840: 64 73 73 6c 20 73 65 6c 66 2d 73 69 67 6e 65 64  dssl self-signed
1850: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
1860: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
1870: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
1880: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
1890: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 73  failed due to: s
18a0: 65 6c 66 20 73 69 67 6e 65 64 20 63 65 72 74 69  elf signed certi
18b0: 66 69 63 61 74 65 7d 20 2d 72 65 74 75 72 6e 43  ficate} -returnC
18c0: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
18d0: 61 64 53 53 4c 2d 31 2e 34 31 20 7b 73 68 61 31  adSSL-1.41 {sha1
18e0: 2d 32 30 31 36 7d 20 2d 62 6f 64 79 20 7b 0a 09  -2016} -body {..
18f0: 62 61 64 73 73 6c 20 73 68 61 31 2d 32 30 31 36  badssl sha1-2016
1900: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
1910: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
1920: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
1930: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
1940: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 75  failed due to: u
1950: 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63  nable to get loc
1960: 61 6c 20 69 73 73 75 65 72 20 63 65 72 74 69 66  al issuer certif
1970: 69 63 61 74 65 7d 20 2d 72 65 74 75 72 6e 43 6f  icate} -returnCo
1980: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
1990: 64 53 53 4c 2d 31 2e 34 32 20 7b 73 68 61 31 2d  dSSL-1.42 {sha1-
19a0: 32 30 31 37 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  2017} -body {..b
19b0: 61 64 73 73 6c 20 73 68 61 31 2d 32 30 31 37 2e  adssl sha1-2017.
19c0: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
19d0: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
19e0: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
19f0: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
1a00: 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 63 65  ailed due to: ce
1a10: 72 74 69 66 69 63 61 74 65 20 68 61 73 20 65 78  rtificate has ex
1a20: 70 69 72 65 64 7d 20 2d 72 65 74 75 72 6e 43 6f  pired} -returnCo
1a30: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
1a40: 64 53 53 4c 2d 31 2e 34 33 20 7b 73 68 61 31 2d  dSSL-1.43 {sha1-
1a50: 69 6e 74 65 72 6d 65 64 69 61 74 65 7d 20 2d 62  intermediate} -b
1a60: 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 68  ody {..badssl sh
1a70: 61 31 2d 69 6e 74 65 72 6d 65 64 69 61 74 65 2e  a1-intermediate.
1a80: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
1a90: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
1aa0: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
1ab0: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
1ac0: 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 75 6e  ailed due to: un
1ad0: 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63 61  able to get loca
1ae0: 6c 20 69 73 73 75 65 72 20 63 65 72 74 69 66 69  l issuer certifi
1af0: 63 61 74 65 7d 20 2d 72 65 74 75 72 6e 43 6f 64  cate} -returnCod
1b00: 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64  es {1}..test Bad
1b10: 53 53 4c 2d 31 2e 34 34 20 7b 73 68 61 32 35 36  SSL-1.44 {sha256
1b20: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1b30: 6c 20 73 68 61 32 35 36 2e 62 61 64 73 73 6c 2e  l sha256.badssl.
1b40: 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20  com.    }..test 
1b50: 42 61 64 53 53 4c 2d 31 2e 34 35 20 7b 73 68 61  BadSSL-1.45 {sha
1b60: 33 38 34 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  384} -body {..ba
1b70: 64 73 73 6c 20 73 68 61 33 38 34 2e 62 61 64 73  dssl sha384.bads
1b80: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
1b90: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
1ba0: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
1bb0: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
1bc0: 64 20 64 75 65 20 74 6f 3a 20 63 65 72 74 69 66  d due to: certif
1bd0: 69 63 61 74 65 20 68 61 73 20 65 78 70 69 72 65  icate has expire
1be0: 64 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  d} -returnCodes 
1bf0: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
1c00: 2d 31 2e 34 36 20 7b 73 68 61 35 31 32 7d 20 2d  -1.46 {sha512} -
1c10: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73  body {..badssl s
1c20: 68 61 35 31 32 2e 62 61 64 73 73 6c 2e 63 6f 6d  ha512.badssl.com
1c30: 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b  .    } -result {
1c40: 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64  handshake failed
1c50: 3a 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65  : certificate ve
1c60: 72 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20  rify failed due 
1c70: 74 6f 3a 20 63 65 72 74 69 66 69 63 61 74 65 20  to: certificate 
1c80: 68 61 73 20 65 78 70 69 72 65 64 7d 20 2d 72 65  has expired} -re
1c90: 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74  turnCodes {1}..t
1ca0: 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 34 37 20  est BadSSL-1.47 
1cb0: 7b 73 74 61 74 69 63 2d 72 73 61 7d 20 2d 62 6f  {static-rsa} -bo
1cc0: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 74 61  dy {..badssl sta
1cd0: 74 69 63 2d 72 73 61 2e 62 61 64 73 73 6c 2e 63  tic-rsa.badssl.c
1ce0: 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42  om.    }..test B
1cf0: 61 64 53 53 4c 2d 31 2e 34 38 20 7b 73 75 62 64  adSSL-1.48 {subd
1d00: 6f 6d 61 69 6e 2e 70 72 65 6c 6f 61 64 65 64 2d  omain.preloaded-
1d10: 68 73 74 73 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  hsts} -body {..b
1d20: 61 64 73 73 6c 20 73 75 62 64 6f 6d 61 69 6e 2e  adssl subdomain.
1d30: 70 72 65 6c 6f 61 64 65 64 2d 68 73 74 73 2e 62  preloaded-hsts.b
1d40: 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20  adssl.com.    } 
1d50: 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61  -result {handsha
1d60: 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69  ke failed: certi
1d70: 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66 61  ficate verify fa
1d80: 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 48 6f 73  iled due to: Hos
1d90: 74 6e 61 6d 65 20 6d 69 73 6d 61 74 63 68 7d 20  tname mismatch} 
1da0: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
1db0: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
1dc0: 34 39 20 7b 73 75 70 65 72 66 69 73 68 7d 20 2d  49 {superfish} -
1dd0: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73  body {..badssl s
1de0: 75 70 65 72 66 69 73 68 2e 62 61 64 73 73 6c 2e  uperfish.badssl.
1df0: 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c  com.    } -resul
1e00: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
1e10: 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65  led: certificate
1e20: 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64   verify failed d
1e30: 75 65 20 74 6f 3a 20 75 6e 61 62 6c 65 20 74 6f  ue to: unable to
1e40: 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65   get local issue
1e50: 72 20 63 65 72 74 69 66 69 63 61 74 65 7d 20 2d  r certificate} -
1e60: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
1e70: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 35  .test BadSSL-1.5
1e80: 30 20 7b 74 6c 73 2d 76 31 2d 30 3a 31 30 31 30  0 {tls-v1-0:1010
1e90: 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20 7b  } -constraints {
1ea0: 74 6c 73 31 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  tls1} -body {..b
1eb0: 61 64 73 73 6c 20 74 6c 73 2d 76 31 2d 30 2e 62  adssl tls-v1-0.b
1ec0: 61 64 73 73 6c 2e 63 6f 6d 3a 31 30 31 30 0a 20  adssl.com:1010. 
1ed0: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
1ee0: 4c 2d 31 2e 35 31 20 7b 74 6c 73 2d 76 31 2d 31  L-1.51 {tls-v1-1
1ef0: 3a 31 30 31 31 7d 20 2d 63 6f 6e 73 74 72 61 69  :1011} -constrai
1f00: 6e 74 73 20 7b 74 6c 73 31 2e 31 7d 20 2d 62 6f  nts {tls1.1} -bo
1f10: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 74 6c 73  dy {..badssl tls
1f20: 2d 76 31 2d 31 2e 62 61 64 73 73 6c 2e 63 6f 6d  -v1-1.badssl.com
1f30: 3a 31 30 31 31 0a 20 20 20 20 7d 0a 0a 74 65 73  :1011.    }..tes
1f40: 74 20 42 61 64 53 53 4c 2d 31 2e 35 32 20 7b 74  t BadSSL-1.52 {t
1f50: 6c 73 2d 76 31 2d 32 3a 31 30 31 32 7d 20 2d 63  ls-v1-2:1012} -c
1f60: 6f 6e 73 74 72 61 69 6e 74 73 20 7b 74 6c 73 31  onstraints {tls1
1f70: 2e 32 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  .2} -body {..bad
1f80: 73 73 6c 20 74 6c 73 2d 76 31 2d 32 2e 62 61 64  ssl tls-v1-2.bad
1f90: 73 73 6c 2e 63 6f 6d 3a 31 30 31 32 0a 20 20 20  ssl.com:1012.   
1fa0: 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d   }..test BadSSL-
1fb0: 31 2e 35 33 20 7b 75 6e 74 72 75 73 74 65 64 2d  1.53 {untrusted-
1fc0: 72 6f 6f 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  root} -body {..b
1fd0: 61 64 73 73 6c 20 75 6e 74 72 75 73 74 65 64 2d  adssl untrusted-
1fe0: 72 6f 6f 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  root.badssl.com.
1ff0: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
2000: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
2010: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
2020: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
2030: 6f 3a 20 73 65 6c 66 20 73 69 67 6e 65 64 20 63  o: self signed c
2040: 65 72 74 69 66 69 63 61 74 65 20 69 6e 20 63 65  ertificate in ce
2050: 72 74 69 66 69 63 61 74 65 20 63 68 61 69 6e 7d  rtificate chain}
2060: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
2070: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
2080: 2e 35 34 20 7b 75 70 67 72 61 64 65 7d 20 2d 62  .54 {upgrade} -b
2090: 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 75 70  ody {..badssl up
20a0: 67 72 61 64 65 2e 62 61 64 73 73 6c 2e 63 6f 6d  grade.badssl.com
20b0: 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64  .    }..test Bad
20c0: 53 53 4c 2d 31 2e 35 35 20 7b 77 65 62 70 61 63  SSL-1.55 {webpac
20d0: 6b 2d 64 65 76 2d 73 65 72 76 65 72 7d 20 2d 62  k-dev-server} -b
20e0: 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 77 65  ody {..badssl we
20f0: 62 70 61 63 6b 2d 64 65 76 2d 73 65 72 76 65 72  bpack-dev-server
2100: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
2110: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
2120: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
2130: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
2140: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20 75  failed due to: u
2150: 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63  nable to get loc
2160: 61 6c 20 69 73 73 75 65 72 20 63 65 72 74 69 66  al issuer certif
2170: 69 63 61 74 65 7d 20 2d 72 65 74 75 72 6e 43 6f  icate} -returnCo
2180: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
2190: 64 53 53 4c 2d 31 2e 35 36 20 7b 77 72 6f 6e 67  dSSL-1.56 {wrong
21a0: 2e 68 6f 73 74 7d 20 2d 62 6f 64 79 20 7b 0a 09  .host} -body {..
21b0: 62 61 64 73 73 6c 20 77 72 6f 6e 67 2e 68 6f 73  badssl wrong.hos
21c0: 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  t.badssl.com.   
21d0: 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64   } -result {hand
21e0: 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65  shake failed: ce
21f0: 72 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79  rtificate verify
2200: 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f 3a 20   failed due to: 
2210: 48 6f 73 74 6e 61 6d 65 20 6d 69 73 6d 61 74 63  Hostname mismatc
2220: 68 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  h} -returnCodes 
2230: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
2240: 2d 31 2e 35 37 20 7b 6d 6f 7a 69 6c 6c 61 2d 6d  -1.57 {mozilla-m
2250: 6f 64 65 72 6e 7d 20 2d 62 6f 64 79 20 7b 0a 09  odern} -body {..
2260: 62 61 64 73 73 6c 20 6d 6f 7a 69 6c 6c 61 2d 6d  badssl mozilla-m
2270: 6f 64 65 72 6e 2e 62 61 64 73 73 6c 2e 63 6f 6d  odern.badssl.com
2280: 0a 20 20 20 20 7d 0a 0a 23 20 43 6c 65 61 6e 75  .    }..# Cleanu
2290: 70 0a 3a 3a 74 63 6c 74 65 73 74 3a 3a 63 6c 65  p.::tcltest::cle
22a0: 61 6e 75 70 54 65 73 74 73 0a 72 65 74 75 72 6e  anupTests.return
22b0: 0a                                               .