TclTLS: Hex Artifact Content

Artifact 952cadb5d39e81abd8af0c78dcbcb9362ab59b98df867ae484d60fe07f022243:

File tests/badssl.test — part of check-in [1266832b43] at 2024-02-28 02:40:26 on branch trunk — More badssl test case updates for OpenSSL 3 message changes (user: bohagan, size: 11173) [annotate] [blame] [check-ins using]
0000: 23 20 41 75 74 6f 20 67 65 6e 65 72 61 74 65 64  # Auto generated
0010: 20 74 65 73 74 20 63 61 73 65 73 20 66 6f 72 20   test cases for 
0020: 62 61 64 73 73 6c 2e 63 73 76 0a 0a 23 20 4c 6f  badssl.csv..# Lo
0030: 61 64 20 54 63 6c 20 54 65 73 74 20 70 61 63 6b  ad Tcl Test pack
0040: 61 67 65 0a 69 66 20 7b 5b 6c 73 65 61 72 63 68  age.if {[lsearch
0050: 20 5b 6e 61 6d 65 73 70 61 63 65 20 63 68 69 6c   [namespace chil
0060: 64 72 65 6e 5d 20 3a 3a 74 63 6c 74 65 73 74 5d  dren] ::tcltest]
0070: 20 3d 3d 20 2d 31 7d 20 7b 0a 09 70 61 63 6b 61   == -1} {..packa
0080: 67 65 20 72 65 71 75 69 72 65 20 74 63 6c 74 65  ge require tclte
0090: 73 74 0a 09 6e 61 6d 65 73 70 61 63 65 20 69 6d  st..namespace im
00a0: 70 6f 72 74 20 3a 3a 74 63 6c 74 65 73 74 3a 3a  port ::tcltest::
00b0: 2a 0a 7d 0a 0a 73 65 74 20 61 75 74 6f 5f 70 61  *.}..set auto_pa
00c0: 74 68 20 5b 63 6f 6e 63 61 74 20 5b 6c 69 73 74  th [concat [list
00d0: 20 5b 66 69 6c 65 20 64 69 72 6e 61 6d 65 20 5b   [file dirname [
00e0: 66 69 6c 65 20 64 69 72 6e 61 6d 65 20 5b 69 6e  file dirname [in
00f0: 66 6f 20 73 63 72 69 70 74 5d 5d 5d 5d 20 24 61  fo script]]]] $a
0100: 75 74 6f 5f 70 61 74 68 5d 0a 0a 70 61 63 6b 61  uto_path]..packa
0110: 67 65 20 72 65 71 75 69 72 65 20 74 6c 73 0a 23  ge require tls.#
0120: 20 43 6f 6e 73 74 72 61 69 6e 74 73 0a 73 6f 75   Constraints.sou
0130: 72 63 65 20 5b 66 69 6c 65 20 6a 6f 69 6e 20 5b  rce [file join [
0140: 66 69 6c 65 20 64 69 72 6e 61 6d 65 20 5b 69 6e  file dirname [in
0150: 66 6f 20 73 63 72 69 70 74 5d 5d 20 63 6f 6d 6d  fo script]] comm
0160: 6f 6e 2e 74 63 6c 5d 0a 23 20 48 65 6c 70 65 72  on.tcl].# Helper
0170: 20 66 75 6e 63 74 69 6f 6e 73 0a 70 72 6f 63 20   functions.proc 
0180: 62 61 64 73 73 6c 20 7b 75 72 6c 7d 20 7b 73 65  badssl {url} {se
0190: 74 20 70 6f 72 74 20 34 34 33 3b 6c 61 73 73 69  t port 443;lassi
01a0: 67 6e 20 5b 73 70 6c 69 74 20 24 75 72 6c 20 22  gn [split $url "
01b0: 3a 22 5d 20 75 72 6c 20 70 6f 72 74 3b 69 66 20  :"] url port;if 
01c0: 7b 24 70 6f 72 74 20 65 71 20 22 22 7d 20 7b 73  {$port eq ""} {s
01d0: 65 74 20 70 6f 72 74 20 34 34 33 7d 3b 73 65 74  et port 443};set
01e0: 20 63 6d 64 20 5b 6c 69 73 74 20 74 6c 73 3a 3a   cmd [list tls::
01f0: 73 6f 63 6b 65 74 20 2d 61 75 74 6f 73 65 72 76  socket -autoserv
0200: 65 72 6e 61 6d 65 20 31 20 2d 72 65 71 75 69 72  ername 1 -requir
0210: 65 20 31 5d 3b 69 66 20 7b 5b 69 6e 66 6f 20 65  e 1];if {[info e
0220: 78 69 73 74 73 20 3a 3a 65 6e 76 28 53 53 4c 5f  xists ::env(SSL_
0230: 43 45 52 54 5f 46 49 4c 45 29 5d 7d 20 7b 6c 61  CERT_FILE)]} {la
0240: 70 70 65 6e 64 20 63 6d 64 20 2d 63 61 66 69 6c  ppend cmd -cafil
0250: 65 20 24 3a 3a 65 6e 76 28 53 53 4c 5f 43 45 52  e $::env(SSL_CER
0260: 54 5f 46 49 4c 45 29 7d 3b 6c 61 70 70 65 6e 64  T_FILE)};lappend
0270: 20 63 6d 64 20 24 75 72 6c 20 24 70 6f 72 74 3b   cmd $url $port;
0280: 73 65 74 20 63 68 20 5b 65 76 61 6c 20 24 63 6d  set ch [eval $cm
0290: 64 5d 3b 69 66 20 7b 5b 63 61 74 63 68 20 7b 74  d];if {[catch {t
02a0: 6c 73 3a 3a 68 61 6e 64 73 68 61 6b 65 20 24 63  ls::handshake $c
02b0: 68 7d 20 65 72 72 5d 7d 20 7b 63 6c 6f 73 65 20  h} err]} {close 
02c0: 24 63 68 3b 72 65 74 75 72 6e 20 2d 63 6f 64 65  $ch;return -code
02d0: 20 65 72 72 6f 72 20 24 65 72 72 7d 20 65 6c 73   error $err} els
02e0: 65 20 7b 63 6c 6f 73 65 20 24 63 68 7d 7d 0a 23  e {close $ch}}.#
02f0: 20 42 61 64 53 53 4c 2e 63 6f 6d 20 54 65 73 74   BadSSL.com Test
0300: 73 0a 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  s...test BadSSL-
0310: 31 2e 31 20 7b 31 30 30 30 2d 73 61 6e 73 7d 20  1.1 {1000-sans} 
0320: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
0330: 31 30 30 30 2d 73 61 6e 73 2e 62 61 64 73 73 6c  1000-sans.badssl
0340: 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75  .com.    } -resu
0350: 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61  lt {handshake fa
0360: 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74  iled: certificat
0370: 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20  e verify failed 
0380: 64 75 65 20 74 6f 20 22 63 65 72 74 69 66 69 63  due to "certific
0390: 61 74 65 20 68 61 73 20 65 78 70 69 72 65 64 22  ate has expired"
03a0: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
03b0: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
03c0: 31 2e 32 20 7b 31 30 30 30 30 2d 73 61 6e 73 7d  1.2 {10000-sans}
03d0: 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c   -body {..badssl
03e0: 20 31 30 30 30 30 2d 73 61 6e 73 2e 62 61 64 73   10000-sans.bads
03f0: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
0400: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
0410: 66 61 69 6c 65 64 3a 20 65 78 63 65 73 73 69 76  failed: excessiv
0420: 65 20 6d 65 73 73 61 67 65 20 73 69 7a 65 7d 20  e message size} 
0430: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
0440: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
0450: 33 20 7b 33 64 65 73 7d 20 2d 62 6f 64 79 20 7b  3 {3des} -body {
0460: 0a 09 62 61 64 73 73 6c 20 33 64 65 73 2e 62 61  ..badssl 3des.ba
0470: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d  dssl.com.    } -
0480: 6d 61 74 63 68 20 7b 67 6c 6f 62 7d 20 2d 72 65  match {glob} -re
0490: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
04a0: 66 61 69 6c 65 64 3a 20 2a 20 61 6c 65 72 74 20  failed: * alert 
04b0: 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 75 72  handshake failur
04c0: 65 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  e} -returnCodes 
04d0: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
04e0: 2d 31 2e 34 20 7b 63 61 70 74 69 76 65 2d 70 6f  -1.4 {captive-po
04f0: 72 74 61 6c 7d 20 2d 63 6f 6e 73 74 72 61 69 6e  rtal} -constrain
0500: 74 73 20 7b 6f 6c 64 5f 61 70 69 7d 20 2d 62 6f  ts {old_api} -bo
0510: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 63 61 70  dy {..badssl cap
0520: 74 69 76 65 2d 70 6f 72 74 61 6c 2e 62 61 64 73  tive-portal.bads
0530: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
0540: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
0550: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
0560: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
0570: 64 20 64 75 65 20 74 6f 20 22 48 6f 73 74 6e 61  d due to "Hostna
0580: 6d 65 20 6d 69 73 6d 61 74 63 68 22 7d 20 2d 72  me mismatch"} -r
0590: 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a  eturnCodes {1}..
05a0: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 35 20  test BadSSL-1.5 
05b0: 7b 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 7d  {captive-portal}
05c0: 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20 7b 6e   -constraints {n
05d0: 65 77 5f 61 70 69 7d 20 2d 62 6f 64 79 20 7b 0a  ew_api} -body {.
05e0: 09 62 61 64 73 73 6c 20 63 61 70 74 69 76 65 2d  .badssl captive-
05f0: 70 6f 72 74 61 6c 2e 62 61 64 73 73 6c 2e 63 6f  portal.badssl.co
0600: 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20  m.    } -result 
0610: 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65  {handshake faile
0620: 64 3a 20 63 65 72 74 69 66 69 63 61 74 65 20 76  d: certificate v
0630: 65 72 69 66 79 20 66 61 69 6c 65 64 20 64 75 65  erify failed due
0640: 20 74 6f 20 22 68 6f 73 74 6e 61 6d 65 20 6d 69   to "hostname mi
0650: 73 6d 61 74 63 68 22 7d 20 2d 72 65 74 75 72 6e  smatch"} -return
0660: 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20  Codes {1}..test 
0670: 42 61 64 53 53 4c 2d 31 2e 36 20 7b 63 62 63 7d  BadSSL-1.6 {cbc}
0680: 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c   -body {..badssl
0690: 20 63 62 63 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a   cbc.badssl.com.
06a0: 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53      }..test BadS
06b0: 53 4c 2d 31 2e 37 20 7b 63 6c 69 65 6e 74 2d 63  SL-1.7 {client-c
06c0: 65 72 74 2d 6d 69 73 73 69 6e 67 7d 20 2d 62 6f  ert-missing} -bo
06d0: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 63 6c 69  dy {..badssl cli
06e0: 65 6e 74 2d 63 65 72 74 2d 6d 69 73 73 69 6e 67  ent-cert-missing
06f0: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
0700: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
0710: 2e 38 20 7b 63 6c 69 65 6e 74 7d 20 2d 62 6f 64  .8 {client} -bod
0720: 79 20 7b 0a 09 62 61 64 73 73 6c 20 63 6c 69 65  y {..badssl clie
0730: 6e 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  nt.badssl.com.  
0740: 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c    }..test BadSSL
0750: 2d 31 2e 39 20 7b 64 68 2d 63 6f 6d 70 6f 73 69  -1.9 {dh-composi
0760: 74 65 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73  te} -constraints
0770: 20 7b 6f 6c 64 5f 61 70 69 7d 20 2d 62 6f 64 79   {old_api} -body
0780: 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 2d 63 6f   {..badssl dh-co
0790: 6d 70 6f 73 69 74 65 2e 62 61 64 73 73 6c 2e 63  mposite.badssl.c
07a0: 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42  om.    }..test B
07b0: 61 64 53 53 4c 2d 31 2e 31 30 20 7b 64 68 2d 63  adSSL-1.10 {dh-c
07c0: 6f 6d 70 6f 73 69 74 65 7d 20 2d 63 6f 6e 73 74  omposite} -const
07d0: 72 61 69 6e 74 73 20 7b 6e 65 77 5f 61 70 69 7d  raints {new_api}
07e0: 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c   -body {..badssl
07f0: 20 64 68 2d 63 6f 6d 70 6f 73 69 74 65 2e 62 61   dh-composite.ba
0800: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d  dssl.com.    } -
0810: 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b  result {handshak
0820: 65 20 66 61 69 6c 65 64 3a 20 64 68 20 6b 65 79  e failed: dh key
0830: 20 74 6f 6f 20 73 6d 61 6c 6c 7d 20 2d 72 65 74   too small} -ret
0840: 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65  urnCodes {1}..te
0850: 73 74 20 42 61 64 53 53 4c 2d 31 2e 31 31 20 7b  st BadSSL-1.11 {
0860: 64 68 2d 73 6d 61 6c 6c 2d 73 75 62 67 72 6f 75  dh-small-subgrou
0870: 70 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  p} -body {..bads
0880: 73 6c 20 64 68 2d 73 6d 61 6c 6c 2d 73 75 62 67  sl dh-small-subg
0890: 72 6f 75 70 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  roup.badssl.com.
08a0: 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53      }..test BadS
08b0: 53 4c 2d 31 2e 31 32 20 7b 64 68 34 38 30 7d 20  SL-1.12 {dh480} 
08c0: 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20 7b 6f 6c  -constraints {ol
08d0: 64 5f 61 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09  d_api} -body {..
08e0: 62 61 64 73 73 6c 20 64 68 34 38 30 2e 62 61 64  badssl dh480.bad
08f0: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72  ssl.com.    } -r
0900: 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65  esult {handshake
0910: 20 66 61 69 6c 65 64 3a 20 64 68 20 6b 65 79 20   failed: dh key 
0920: 74 6f 6f 20 73 6d 61 6c 6c 7d 20 2d 72 65 74 75  too small} -retu
0930: 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73  rnCodes {1}..tes
0940: 74 20 42 61 64 53 53 4c 2d 31 2e 31 33 20 7b 64  t BadSSL-1.13 {d
0950: 68 34 38 30 7d 20 2d 63 6f 6e 73 74 72 61 69 6e  h480} -constrain
0960: 74 73 20 7b 6e 65 77 5f 61 70 69 7d 20 2d 62 6f  ts {new_api} -bo
0970: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 34  dy {..badssl dh4
0980: 38 30 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  80.badssl.com.  
0990: 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e    } -result {han
09a0: 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 6d  dshake failed: m
09b0: 6f 64 75 6c 75 73 20 74 6f 6f 20 73 6d 61 6c 6c  odulus too small
09c0: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
09d0: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
09e0: 31 2e 31 34 20 7b 64 68 35 31 32 7d 20 2d 63 6f  1.14 {dh512} -co
09f0: 6e 73 74 72 61 69 6e 74 73 20 7b 6f 6c 64 5f 61  nstraints {old_a
0a00: 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  pi} -body {..bad
0a10: 73 73 6c 20 64 68 35 31 32 2e 62 61 64 73 73 6c  ssl dh512.badssl
0a20: 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75  .com.    } -resu
0a30: 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61  lt {handshake fa
0a40: 69 6c 65 64 3a 20 64 68 20 6b 65 79 20 74 6f 6f  iled: dh key too
0a50: 20 73 6d 61 6c 6c 7d 20 2d 72 65 74 75 72 6e 43   small} -returnC
0a60: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
0a70: 61 64 53 53 4c 2d 31 2e 31 35 20 7b 64 68 35 31  adSSL-1.15 {dh51
0a80: 32 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20  2} -constraints 
0a90: 7b 6d 61 63 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  {mac} -body {..b
0aa0: 61 64 73 73 6c 20 64 68 35 31 32 2e 62 61 64 73  adssl dh512.bads
0ab0: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
0ac0: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
0ad0: 66 61 69 6c 65 64 3a 20 75 6e 6b 6e 6f 77 6e 20  failed: unknown 
0ae0: 73 65 63 75 72 69 74 79 20 62 69 74 73 7d 20 2d  security bits} -
0af0: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
0b00: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 31  .test BadSSL-1.1
0b10: 36 20 7b 64 68 31 30 32 34 7d 20 2d 63 6f 6e 73  6 {dh1024} -cons
0b20: 74 72 61 69 6e 74 73 20 7b 6f 6c 64 5f 61 70 69  traints {old_api
0b30: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
0b40: 6c 20 64 68 31 30 32 34 2e 62 61 64 73 73 6c 2e  l dh1024.badssl.
0b50: 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20  com.    }..test 
0b60: 42 61 64 53 53 4c 2d 31 2e 31 37 20 7b 64 68 31  BadSSL-1.17 {dh1
0b70: 30 32 34 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74  024} -constraint
0b80: 73 20 7b 6e 65 77 5f 61 70 69 7d 20 2d 62 6f 64  s {new_api} -bod
0b90: 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 31 30  y {..badssl dh10
0ba0: 32 34 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  24.badssl.com.  
0bb0: 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e    } -result {han
0bc0: 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 64  dshake failed: d
0bd0: 68 20 6b 65 79 20 74 6f 6f 20 73 6d 61 6c 6c 7d  h key too small}
0be0: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
0bf0: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
0c00: 2e 31 38 20 7b 64 68 32 30 34 38 7d 20 2d 62 6f  .18 {dh2048} -bo
0c10: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 64 68 32  dy {..badssl dh2
0c20: 30 34 38 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  048.badssl.com. 
0c30: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
0c40: 4c 2d 31 2e 31 39 20 7b 64 73 64 74 65 73 74 70  L-1.19 {dsdtestp
0c50: 72 6f 76 69 64 65 72 7d 20 2d 62 6f 64 79 20 7b  rovider} -body {
0c60: 0a 09 62 61 64 73 73 6c 20 64 73 64 74 65 73 74  ..badssl dsdtest
0c70: 70 72 6f 76 69 64 65 72 2e 62 61 64 73 73 6c 2e  provider.badssl.
0c80: 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c  com.    } -resul
0c90: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
0ca0: 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65  led: certificate
0cb0: 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64   verify failed d
0cc0: 75 65 20 74 6f 20 22 75 6e 61 62 6c 65 20 74 6f  ue to "unable to
0cd0: 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65   get local issue
0ce0: 72 20 63 65 72 74 69 66 69 63 61 74 65 22 7d 20  r certificate"} 
0cf0: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
0d00: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
0d10: 32 30 20 7b 65 63 63 32 35 36 7d 20 2d 62 6f 64  20 {ecc256} -bod
0d20: 79 20 7b 0a 09 62 61 64 73 73 6c 20 65 63 63 32  y {..badssl ecc2
0d30: 35 36 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20  56.badssl.com.  
0d40: 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c    }..test BadSSL
0d50: 2d 31 2e 32 31 20 7b 65 63 63 33 38 34 7d 20 2d  -1.21 {ecc384} -
0d60: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 65  body {..badssl e
0d70: 63 63 33 38 34 2e 62 61 64 73 73 6c 2e 63 6f 6d  cc384.badssl.com
0d80: 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64  .    }..test Bad
0d90: 53 53 4c 2d 31 2e 32 32 20 7b 65 64 65 6c 6c 72  SSL-1.22 {edellr
0da0: 6f 6f 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  oot} -body {..ba
0db0: 64 73 73 6c 20 65 64 65 6c 6c 72 6f 6f 74 2e 62  dssl edellroot.b
0dc0: 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20  adssl.com.    } 
0dd0: 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61  -result {handsha
0de0: 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69  ke failed: certi
0df0: 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66 61  ficate verify fa
0e00: 69 6c 65 64 20 64 75 65 20 74 6f 20 22 75 6e 61  iled due to "una
0e10: 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63 61 6c  ble to get local
0e20: 20 69 73 73 75 65 72 20 63 65 72 74 69 66 69 63   issuer certific
0e30: 61 74 65 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64  ate"} -returnCod
0e40: 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64  es {1}..test Bad
0e50: 53 53 4c 2d 31 2e 32 33 20 7b 65 78 70 69 72 65  SSL-1.23 {expire
0e60: 64 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  d} -body {..bads
0e70: 73 6c 20 65 78 70 69 72 65 64 2e 62 61 64 73 73  sl expired.badss
0e80: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73  l.com.    } -res
0e90: 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66  ult {handshake f
0ea0: 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61  ailed: certifica
0eb0: 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64  te verify failed
0ec0: 20 64 75 65 20 74 6f 20 22 63 65 72 74 69 66 69   due to "certifi
0ed0: 63 61 74 65 20 68 61 73 20 65 78 70 69 72 65 64  cate has expired
0ee0: 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  "} -returnCodes 
0ef0: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
0f00: 2d 31 2e 32 34 20 7b 65 78 74 65 6e 64 65 64 2d  -1.24 {extended-
0f10: 76 61 6c 69 64 61 74 69 6f 6e 7d 20 2d 62 6f 64  validation} -bod
0f20: 79 20 7b 0a 09 62 61 64 73 73 6c 20 65 78 74 65  y {..badssl exte
0f30: 6e 64 65 64 2d 76 61 6c 69 64 61 74 69 6f 6e 2e  nded-validation.
0f40: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
0f50: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
0f60: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
0f70: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
0f80: 61 69 6c 65 64 20 64 75 65 20 74 6f 20 22 63 65  ailed due to "ce
0f90: 72 74 69 66 69 63 61 74 65 20 68 61 73 20 65 78  rtificate has ex
0fa0: 70 69 72 65 64 22 7d 20 2d 72 65 74 75 72 6e 43  pired"} -returnC
0fb0: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
0fc0: 61 64 53 53 4c 2d 31 2e 32 35 20 7b 68 73 74 73  adSSL-1.25 {hsts
0fd0: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
0fe0: 6c 20 68 73 74 73 2e 62 61 64 73 73 6c 2e 63 6f  l hsts.badssl.co
0ff0: 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61  m.    }..test Ba
1000: 64 53 53 4c 2d 31 2e 32 36 20 7b 68 74 74 70 73  dSSL-1.26 {https
1010: 2d 65 76 65 72 79 77 68 65 72 65 7d 20 2d 62 6f  -everywhere} -bo
1020: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 68 74 74  dy {..badssl htt
1030: 70 73 2d 65 76 65 72 79 77 68 65 72 65 2e 62 61  ps-everywhere.ba
1040: 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a  dssl.com.    }..
1050: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 32 37  test BadSSL-1.27
1060: 20 7b 69 6e 63 6f 6d 70 6c 65 74 65 2d 63 68 61   {incomplete-cha
1070: 69 6e 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  in} -body {..bad
1080: 73 73 6c 20 69 6e 63 6f 6d 70 6c 65 74 65 2d 63  ssl incomplete-c
1090: 68 61 69 6e 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  hain.badssl.com.
10a0: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
10b0: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
10c0: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
10d0: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
10e0: 6f 20 22 75 6e 61 62 6c 65 20 74 6f 20 67 65 74  o "unable to get
10f0: 20 6c 6f 63 61 6c 20 69 73 73 75 65 72 20 63 65   local issuer ce
1100: 72 74 69 66 69 63 61 74 65 22 7d 20 2d 72 65 74  rtificate"} -ret
1110: 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65  urnCodes {1}..te
1120: 73 74 20 42 61 64 53 53 4c 2d 31 2e 32 38 20 7b  st BadSSL-1.28 {
1130: 69 6e 76 61 6c 69 64 2d 65 78 70 65 63 74 65 64  invalid-expected
1140: 2d 73 63 74 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  -sct} -body {..b
1150: 61 64 73 73 6c 20 69 6e 76 61 6c 69 64 2d 65 78  adssl invalid-ex
1160: 70 65 63 74 65 64 2d 73 63 74 2e 62 61 64 73 73  pected-sct.badss
1170: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73  l.com.    } -res
1180: 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66  ult {handshake f
1190: 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61  ailed: certifica
11a0: 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64  te verify failed
11b0: 20 64 75 65 20 74 6f 20 22 75 6e 61 62 6c 65 20   due to "unable 
11c0: 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73  to get local iss
11d0: 75 65 72 20 63 65 72 74 69 66 69 63 61 74 65 22  uer certificate"
11e0: 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b  } -returnCodes {
11f0: 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d  1}..test BadSSL-
1200: 31 2e 32 39 20 7b 6c 6f 6e 67 2d 65 78 74 65 6e  1.29 {long-exten
1210: 64 65 64 2d 73 75 62 64 6f 6d 61 69 6e 2d 6e 61  ded-subdomain-na
1220: 6d 65 2d 63 6f 6e 74 61 69 6e 69 6e 67 2d 6d 61  me-containing-ma
1230: 6e 79 2d 6c 65 74 74 65 72 73 2d 61 6e 64 2d 64  ny-letters-and-d
1240: 61 73 68 65 73 7d 20 2d 62 6f 64 79 20 7b 0a 09  ashes} -body {..
1250: 62 61 64 73 73 6c 20 6c 6f 6e 67 2d 65 78 74 65  badssl long-exte
1260: 6e 64 65 64 2d 73 75 62 64 6f 6d 61 69 6e 2d 6e  nded-subdomain-n
1270: 61 6d 65 2d 63 6f 6e 74 61 69 6e 69 6e 67 2d 6d  ame-containing-m
1280: 61 6e 79 2d 6c 65 74 74 65 72 73 2d 61 6e 64 2d  any-letters-and-
1290: 64 61 73 68 65 73 2e 62 61 64 73 73 6c 2e 63 6f  dashes.badssl.co
12a0: 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61  m.    }..test Ba
12b0: 64 53 53 4c 2d 31 2e 33 30 20 7b 6c 6f 6e 67 65  dSSL-1.30 {longe
12c0: 78 74 65 6e 64 65 64 73 75 62 64 6f 6d 61 69 6e  xtendedsubdomain
12d0: 6e 61 6d 65 77 69 74 68 6f 75 74 64 61 73 68 65  namewithoutdashe
12e0: 73 69 6e 6f 72 64 65 72 74 6f 74 65 73 74 77 6f  sinordertotestwo
12f0: 72 64 77 72 61 70 70 69 6e 67 7d 20 2d 62 6f 64  rdwrapping} -bod
1300: 79 20 7b 0a 09 62 61 64 73 73 6c 20 6c 6f 6e 67  y {..badssl long
1310: 65 78 74 65 6e 64 65 64 73 75 62 64 6f 6d 61 69  extendedsubdomai
1320: 6e 6e 61 6d 65 77 69 74 68 6f 75 74 64 61 73 68  nnamewithoutdash
1330: 65 73 69 6e 6f 72 64 65 72 74 6f 74 65 73 74 77  esinordertotestw
1340: 6f 72 64 77 72 61 70 70 69 6e 67 2e 62 61 64 73  ordwrapping.bads
1350: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65  sl.com.    }..te
1360: 73 74 20 42 61 64 53 53 4c 2d 31 2e 33 31 20 7b  st BadSSL-1.31 {
1370: 6d 69 74 6d 2d 73 6f 66 74 77 61 72 65 7d 20 2d  mitm-software} -
1380: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 6d  body {..badssl m
1390: 69 74 6d 2d 73 6f 66 74 77 61 72 65 2e 62 61 64  itm-software.bad
13a0: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72  ssl.com.    } -r
13b0: 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65  esult {handshake
13c0: 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69   failed: certifi
13d0: 63 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c  cate verify fail
13e0: 65 64 20 64 75 65 20 74 6f 20 22 75 6e 61 62 6c  ed due to "unabl
13f0: 65 20 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69  e to get local i
1400: 73 73 75 65 72 20 63 65 72 74 69 66 69 63 61 74  ssuer certificat
1410: 65 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73  e"} -returnCodes
1420: 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53   {1}..test BadSS
1430: 4c 2d 31 2e 33 32 20 7b 6e 6f 2d 63 6f 6d 6d 6f  L-1.32 {no-commo
1440: 6e 2d 6e 61 6d 65 7d 20 2d 62 6f 64 79 20 7b 0a  n-name} -body {.
1450: 09 62 61 64 73 73 6c 20 6e 6f 2d 63 6f 6d 6d 6f  .badssl no-commo
1460: 6e 2d 6e 61 6d 65 2e 62 61 64 73 73 6c 2e 63 6f  n-name.badssl.co
1470: 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20  m.    } -result 
1480: 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65  {handshake faile
1490: 64 3a 20 63 65 72 74 69 66 69 63 61 74 65 20 76  d: certificate v
14a0: 65 72 69 66 79 20 66 61 69 6c 65 64 20 64 75 65  erify failed due
14b0: 20 74 6f 20 22 63 65 72 74 69 66 69 63 61 74 65   to "certificate
14c0: 20 68 61 73 20 65 78 70 69 72 65 64 22 7d 20 2d   has expired"} -
14d0: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
14e0: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33  .test BadSSL-1.3
14f0: 33 20 7b 6e 6f 2d 73 63 74 7d 20 2d 62 6f 64 79  3 {no-sct} -body
1500: 20 7b 0a 09 62 61 64 73 73 6c 20 6e 6f 2d 73 63   {..badssl no-sc
1510: 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  t.badssl.com.   
1520: 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64   } -result {hand
1530: 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65  shake failed: ce
1540: 72 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79  rtificate verify
1550: 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f 20 22   failed due to "
1560: 75 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f  unable to get lo
1570: 63 61 6c 20 69 73 73 75 65 72 20 63 65 72 74 69  cal issuer certi
1580: 66 69 63 61 74 65 22 7d 20 2d 72 65 74 75 72 6e  ficate"} -return
1590: 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20  Codes {1}..test 
15a0: 42 61 64 53 53 4c 2d 31 2e 33 34 20 7b 6e 6f 2d  BadSSL-1.34 {no-
15b0: 73 75 62 6a 65 63 74 7d 20 2d 62 6f 64 79 20 7b  subject} -body {
15c0: 0a 09 62 61 64 73 73 6c 20 6e 6f 2d 73 75 62 6a  ..badssl no-subj
15d0: 65 63 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  ect.badssl.com. 
15e0: 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61     } -result {ha
15f0: 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20  ndshake failed: 
1600: 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72 69  certificate veri
1610: 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f  fy failed due to
1620: 20 22 63 65 72 74 69 66 69 63 61 74 65 20 68 61   "certificate ha
1630: 73 20 65 78 70 69 72 65 64 22 7d 20 2d 72 65 74  s expired"} -ret
1640: 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65  urnCodes {1}..te
1650: 73 74 20 42 61 64 53 53 4c 2d 31 2e 33 35 20 7b  st BadSSL-1.35 {
1660: 6e 75 6c 6c 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  null} -body {..b
1670: 61 64 73 73 6c 20 6e 75 6c 6c 2e 62 61 64 73 73  adssl null.badss
1680: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 6d 61 74  l.com.    } -mat
1690: 63 68 20 7b 67 6c 6f 62 7d 20 2d 72 65 73 75 6c  ch {glob} -resul
16a0: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
16b0: 6c 65 64 3a 20 2a 20 61 6c 65 72 74 20 68 61 6e  led: * alert han
16c0: 64 73 68 61 6b 65 20 66 61 69 6c 75 72 65 7d 20  dshake failure} 
16d0: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
16e0: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
16f0: 33 36 20 7b 70 69 6e 6e 69 6e 67 2d 74 65 73 74  36 {pinning-test
1700: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1710: 6c 20 70 69 6e 6e 69 6e 67 2d 74 65 73 74 2e 62  l pinning-test.b
1720: 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a  adssl.com.    }.
1730: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 33  .test BadSSL-1.3
1740: 37 20 7b 70 72 65 61 63 74 2d 63 6c 69 7d 20 2d  7 {preact-cli} -
1750: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 70  body {..badssl p
1760: 72 65 61 63 74 2d 63 6c 69 2e 62 61 64 73 73 6c  react-cli.badssl
1770: 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75  .com.    } -resu
1780: 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61  lt {handshake fa
1790: 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74  iled: certificat
17a0: 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20  e verify failed 
17b0: 64 75 65 20 74 6f 20 22 75 6e 61 62 6c 65 20 74  due to "unable t
17c0: 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75  o get local issu
17d0: 65 72 20 63 65 72 74 69 66 69 63 61 74 65 22 7d  er certificate"}
17e0: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
17f0: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
1800: 2e 33 38 20 7b 70 72 65 6c 6f 61 64 65 64 2d 68  .38 {preloaded-h
1810: 73 74 73 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  sts} -body {..ba
1820: 64 73 73 6c 20 70 72 65 6c 6f 61 64 65 64 2d 68  dssl preloaded-h
1830: 73 74 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  sts.badssl.com. 
1840: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
1850: 4c 2d 31 2e 33 39 20 7b 72 63 34 2d 6d 64 35 7d  L-1.39 {rc4-md5}
1860: 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c   -body {..badssl
1870: 20 72 63 34 2d 6d 64 35 2e 62 61 64 73 73 6c 2e   rc4-md5.badssl.
1880: 63 6f 6d 0a 20 20 20 20 7d 20 2d 6d 61 74 63 68  com.    } -match
1890: 20 7b 67 6c 6f 62 7d 20 2d 72 65 73 75 6c 74 20   {glob} -result 
18a0: 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65  {handshake faile
18b0: 64 3a 20 2a 20 61 6c 65 72 74 20 68 61 6e 64 73  d: * alert hands
18c0: 68 61 6b 65 20 66 61 69 6c 75 72 65 7d 20 2d 72  hake failure} -r
18d0: 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a  eturnCodes {1}..
18e0: 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 34 30  test BadSSL-1.40
18f0: 20 7b 72 63 34 7d 20 2d 62 6f 64 79 20 7b 0a 09   {rc4} -body {..
1900: 62 61 64 73 73 6c 20 72 63 34 2e 62 61 64 73 73  badssl rc4.badss
1910: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 6d 61 74  l.com.    } -mat
1920: 63 68 20 7b 67 6c 6f 62 7d 20 2d 72 65 73 75 6c  ch {glob} -resul
1930: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
1940: 6c 65 64 3a 20 2a 20 61 6c 65 72 74 20 68 61 6e  led: * alert han
1950: 64 73 68 61 6b 65 20 66 61 69 6c 75 72 65 7d 20  dshake failure} 
1960: 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d  -returnCodes {1}
1970: 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e  ..test BadSSL-1.
1980: 34 31 20 7b 72 65 76 6f 6b 65 64 7d 20 2d 62 6f  41 {revoked} -bo
1990: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 72 65 76  dy {..badssl rev
19a0: 6f 6b 65 64 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  oked.badssl.com.
19b0: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
19c0: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
19d0: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
19e0: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
19f0: 6f 20 22 63 65 72 74 69 66 69 63 61 74 65 20 68  o "certificate h
1a00: 61 73 20 65 78 70 69 72 65 64 22 7d 20 2d 72 65  as expired"} -re
1a10: 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74  turnCodes {1}..t
1a20: 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 34 32 20  est BadSSL-1.42 
1a30: 7b 72 73 61 32 30 34 38 7d 20 2d 62 6f 64 79 20  {rsa2048} -body 
1a40: 7b 0a 09 62 61 64 73 73 6c 20 72 73 61 32 30 34  {..badssl rsa204
1a50: 38 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20  8.badssl.com.   
1a60: 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d   }..test BadSSL-
1a70: 31 2e 34 33 20 7b 72 73 61 34 30 39 36 7d 20 2d  1.43 {rsa4096} -
1a80: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 72  body {..badssl r
1a90: 73 61 34 30 39 36 2e 62 61 64 73 73 6c 2e 63 6f  sa4096.badssl.co
1aa0: 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61  m.    }..test Ba
1ab0: 64 53 53 4c 2d 31 2e 34 34 20 7b 72 73 61 38 31  dSSL-1.44 {rsa81
1ac0: 39 32 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  92} -body {..bad
1ad0: 73 73 6c 20 72 73 61 38 31 39 32 2e 62 61 64 73  ssl rsa8192.bads
1ae0: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74 65  sl.com.    }..te
1af0: 73 74 20 42 61 64 53 53 4c 2d 31 2e 34 35 20 7b  st BadSSL-1.45 {
1b00: 73 65 6c 66 2d 73 69 67 6e 65 64 7d 20 2d 63 6f  self-signed} -co
1b10: 6e 73 74 72 61 69 6e 74 73 20 7b 6f 6c 64 5f 61  nstraints {old_a
1b20: 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  pi} -body {..bad
1b30: 73 73 6c 20 73 65 6c 66 2d 73 69 67 6e 65 64 2e  ssl self-signed.
1b40: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
1b50: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
1b60: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
1b70: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
1b80: 61 69 6c 65 64 20 64 75 65 20 74 6f 20 22 73 65  ailed due to "se
1b90: 6c 66 20 73 69 67 6e 65 64 20 63 65 72 74 69 66  lf signed certif
1ba0: 69 63 61 74 65 22 7d 20 2d 72 65 74 75 72 6e 43  icate"} -returnC
1bb0: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
1bc0: 61 64 53 53 4c 2d 31 2e 34 36 20 7b 73 65 6c 66  adSSL-1.46 {self
1bd0: 2d 73 69 67 6e 65 64 7d 20 2d 63 6f 6e 73 74 72  -signed} -constr
1be0: 61 69 6e 74 73 20 7b 6e 65 77 5f 61 70 69 7d 20  aints {new_api} 
1bf0: 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20  -body {..badssl 
1c00: 73 65 6c 66 2d 73 69 67 6e 65 64 2e 62 61 64 73  self-signed.bads
1c10: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
1c20: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
1c30: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
1c40: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
1c50: 64 20 64 75 65 20 74 6f 20 22 73 65 6c 66 2d 73  d due to "self-s
1c60: 69 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74  igned certificat
1c70: 65 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73  e"} -returnCodes
1c80: 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53   {1}..test BadSS
1c90: 4c 2d 31 2e 34 37 20 7b 73 68 61 31 2d 32 30 31  L-1.47 {sha1-201
1ca0: 36 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  6} -body {..bads
1cb0: 73 6c 20 73 68 61 31 2d 32 30 31 36 2e 62 61 64  sl sha1-2016.bad
1cc0: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72  ssl.com.    } -r
1cd0: 65 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65  esult {handshake
1ce0: 20 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69   failed: certifi
1cf0: 63 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c  cate verify fail
1d00: 65 64 20 64 75 65 20 74 6f 20 22 75 6e 61 62 6c  ed due to "unabl
1d10: 65 20 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69  e to get local i
1d20: 73 73 75 65 72 20 63 65 72 74 69 66 69 63 61 74  ssuer certificat
1d30: 65 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73  e"} -returnCodes
1d40: 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53   {1}..test BadSS
1d50: 4c 2d 31 2e 34 38 20 7b 73 68 61 31 2d 32 30 31  L-1.48 {sha1-201
1d60: 37 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20  7} -constraints 
1d70: 7b 6f 6c 64 5f 61 70 69 7d 20 2d 62 6f 64 79 20  {old_api} -body 
1d80: 7b 0a 09 62 61 64 73 73 6c 20 73 68 61 31 2d 32  {..badssl sha1-2
1d90: 30 31 37 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  017.badssl.com. 
1da0: 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61     } -result {ha
1db0: 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20  ndshake failed: 
1dc0: 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72 69  certificate veri
1dd0: 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f  fy failed due to
1de0: 20 22 63 65 72 74 69 66 69 63 61 74 65 20 68 61   "certificate ha
1df0: 73 20 65 78 70 69 72 65 64 22 7d 20 2d 72 65 74  s expired"} -ret
1e00: 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65  urnCodes {1}..te
1e10: 73 74 20 42 61 64 53 53 4c 2d 31 2e 34 39 20 7b  st BadSSL-1.49 {
1e20: 73 68 61 31 2d 32 30 31 37 7d 20 2d 63 6f 6e 73  sha1-2017} -cons
1e30: 74 72 61 69 6e 74 73 20 7b 6e 65 77 5f 61 70 69  traints {new_api
1e40: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
1e50: 6c 20 73 68 61 31 2d 32 30 31 37 2e 62 61 64 73  l sha1-2017.bads
1e60: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
1e70: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
1e80: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
1e90: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
1ea0: 64 20 64 75 65 20 74 6f 20 22 43 41 20 73 69 67  d due to "CA sig
1eb0: 6e 61 74 75 72 65 20 64 69 67 65 73 74 20 61 6c  nature digest al
1ec0: 67 6f 72 69 74 68 6d 20 74 6f 6f 20 77 65 61 6b  gorithm too weak
1ed0: 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  "} -returnCodes 
1ee0: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
1ef0: 2d 31 2e 35 30 20 7b 73 68 61 31 2d 69 6e 74 65  -1.50 {sha1-inte
1f00: 72 6d 65 64 69 61 74 65 7d 20 2d 62 6f 64 79 20  rmediate} -body 
1f10: 7b 0a 09 62 61 64 73 73 6c 20 73 68 61 31 2d 69  {..badssl sha1-i
1f20: 6e 74 65 72 6d 65 64 69 61 74 65 2e 62 61 64 73  ntermediate.bads
1f30: 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65  sl.com.    } -re
1f40: 73 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20  sult {handshake 
1f50: 66 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63  failed: certific
1f60: 61 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65  ate verify faile
1f70: 64 20 64 75 65 20 74 6f 20 22 75 6e 61 62 6c 65  d due to "unable
1f80: 20 74 6f 20 67 65 74 20 6c 6f 63 61 6c 20 69 73   to get local is
1f90: 73 75 65 72 20 63 65 72 74 69 66 69 63 61 74 65  suer certificate
1fa0: 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  "} -returnCodes 
1fb0: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
1fc0: 2d 31 2e 35 31 20 7b 73 68 61 32 35 36 7d 20 2d  -1.51 {sha256} -
1fd0: 62 6f 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73  body {..badssl s
1fe0: 68 61 32 35 36 2e 62 61 64 73 73 6c 2e 63 6f 6d  ha256.badssl.com
1ff0: 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64  .    }..test Bad
2000: 53 53 4c 2d 31 2e 35 32 20 7b 73 68 61 33 38 34  SSL-1.52 {sha384
2010: 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73 73  } -body {..badss
2020: 6c 20 73 68 61 33 38 34 2e 62 61 64 73 73 6c 2e  l sha384.badssl.
2030: 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c  com.    } -resul
2040: 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69  t {handshake fai
2050: 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65  led: certificate
2060: 20 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64   verify failed d
2070: 75 65 20 74 6f 20 22 63 65 72 74 69 66 69 63 61  ue to "certifica
2080: 74 65 20 68 61 73 20 65 78 70 69 72 65 64 22 7d  te has expired"}
2090: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
20a0: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
20b0: 2e 35 33 20 7b 73 68 61 35 31 32 7d 20 2d 62 6f  .53 {sha512} -bo
20c0: 64 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 68 61  dy {..badssl sha
20d0: 35 31 32 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  512.badssl.com. 
20e0: 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61     } -result {ha
20f0: 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20  ndshake failed: 
2100: 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72 69  certificate veri
2110: 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f  fy failed due to
2120: 20 22 63 65 72 74 69 66 69 63 61 74 65 20 68 61   "certificate ha
2130: 73 20 65 78 70 69 72 65 64 22 7d 20 2d 72 65 74  s expired"} -ret
2140: 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a 0a 74 65  urnCodes {1}..te
2150: 73 74 20 42 61 64 53 53 4c 2d 31 2e 35 34 20 7b  st BadSSL-1.54 {
2160: 73 74 61 74 69 63 2d 72 73 61 7d 20 2d 62 6f 64  static-rsa} -bod
2170: 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 74 61 74  y {..badssl stat
2180: 69 63 2d 72 73 61 2e 62 61 64 73 73 6c 2e 63 6f  ic-rsa.badssl.co
2190: 6d 0a 20 20 20 20 7d 0a 0a 74 65 73 74 20 42 61  m.    }..test Ba
21a0: 64 53 53 4c 2d 31 2e 35 35 20 7b 73 75 62 64 6f  dSSL-1.55 {subdo
21b0: 6d 61 69 6e 2e 70 72 65 6c 6f 61 64 65 64 2d 68  main.preloaded-h
21c0: 73 74 73 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74  sts} -constraint
21d0: 73 20 7b 6f 6c 64 5f 61 70 69 7d 20 2d 62 6f 64  s {old_api} -bod
21e0: 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 75 62 64  y {..badssl subd
21f0: 6f 6d 61 69 6e 2e 70 72 65 6c 6f 61 64 65 64 2d  omain.preloaded-
2200: 68 73 74 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  hsts.badssl.com.
2210: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
2220: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
2230: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
2240: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
2250: 6f 20 22 48 6f 73 74 6e 61 6d 65 20 6d 69 73 6d  o "Hostname mism
2260: 61 74 63 68 22 7d 20 2d 72 65 74 75 72 6e 43 6f  atch"} -returnCo
2270: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
2280: 64 53 53 4c 2d 31 2e 35 36 20 7b 73 75 62 64 6f  dSSL-1.56 {subdo
2290: 6d 61 69 6e 2e 70 72 65 6c 6f 61 64 65 64 2d 68  main.preloaded-h
22a0: 73 74 73 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74  sts} -constraint
22b0: 73 20 7b 6e 65 77 5f 61 70 69 7d 20 2d 62 6f 64  s {new_api} -bod
22c0: 79 20 7b 0a 09 62 61 64 73 73 6c 20 73 75 62 64  y {..badssl subd
22d0: 6f 6d 61 69 6e 2e 70 72 65 6c 6f 61 64 65 64 2d  omain.preloaded-
22e0: 68 73 74 73 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  hsts.badssl.com.
22f0: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
2300: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
2310: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
2320: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
2330: 6f 20 22 68 6f 73 74 6e 61 6d 65 20 6d 69 73 6d  o "hostname mism
2340: 61 74 63 68 22 7d 20 2d 72 65 74 75 72 6e 43 6f  atch"} -returnCo
2350: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
2360: 64 53 53 4c 2d 31 2e 35 37 20 7b 73 75 70 65 72  dSSL-1.57 {super
2370: 66 69 73 68 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  fish} -body {..b
2380: 61 64 73 73 6c 20 73 75 70 65 72 66 69 73 68 2e  adssl superfish.
2390: 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d  badssl.com.    }
23a0: 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73 68   -result {handsh
23b0: 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72 74  ake failed: cert
23c0: 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20 66  ificate verify f
23d0: 61 69 6c 65 64 20 64 75 65 20 74 6f 20 22 75 6e  ailed due to "un
23e0: 61 62 6c 65 20 74 6f 20 67 65 74 20 6c 6f 63 61  able to get loca
23f0: 6c 20 69 73 73 75 65 72 20 63 65 72 74 69 66 69  l issuer certifi
2400: 63 61 74 65 22 7d 20 2d 72 65 74 75 72 6e 43 6f  cate"} -returnCo
2410: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
2420: 64 53 53 4c 2d 31 2e 35 38 20 7b 74 6c 73 2d 76  dSSL-1.58 {tls-v
2430: 31 2d 30 3a 31 30 31 30 7d 20 2d 63 6f 6e 73 74  1-0:1010} -const
2440: 72 61 69 6e 74 73 20 7b 74 6c 73 31 20 6f 6c 64  raints {tls1 old
2450: 5f 61 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  _api} -body {..b
2460: 61 64 73 73 6c 20 74 6c 73 2d 76 31 2d 30 2e 62  adssl tls-v1-0.b
2470: 61 64 73 73 6c 2e 63 6f 6d 3a 31 30 31 30 0a 20  adssl.com:1010. 
2480: 20 20 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53     }..test BadSS
2490: 4c 2d 31 2e 35 39 20 7b 74 6c 73 2d 76 31 2d 30  L-1.59 {tls-v1-0
24a0: 3a 31 30 31 30 7d 20 2d 63 6f 6e 73 74 72 61 69  :1010} -constrai
24b0: 6e 74 73 20 7b 74 6c 73 31 20 6e 65 77 5f 61 70  nts {tls1 new_ap
24c0: 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  i} -body {..bads
24d0: 73 6c 20 74 6c 73 2d 76 31 2d 30 2e 62 61 64 73  sl tls-v1-0.bads
24e0: 73 6c 2e 63 6f 6d 3a 31 30 31 30 0a 20 20 20 20  sl.com:1010.    
24f0: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
2500: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 75 6e 73  hake failed: uns
2510: 75 70 70 6f 72 74 65 64 20 70 72 6f 74 6f 63 6f  upported protoco
2520: 6c 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  l} -returnCodes 
2530: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
2540: 2d 31 2e 36 30 20 7b 74 6c 73 2d 76 31 2d 31 3a  -1.60 {tls-v1-1:
2550: 31 30 31 31 7d 20 2d 63 6f 6e 73 74 72 61 69 6e  1011} -constrain
2560: 74 73 20 7b 74 6c 73 31 2e 31 20 6f 6c 64 5f 61  ts {tls1.1 old_a
2570: 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64  pi} -body {..bad
2580: 73 73 6c 20 74 6c 73 2d 76 31 2d 31 2e 62 61 64  ssl tls-v1-1.bad
2590: 73 73 6c 2e 63 6f 6d 3a 31 30 31 31 0a 20 20 20  ssl.com:1011.   
25a0: 20 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d   }..test BadSSL-
25b0: 31 2e 36 31 20 7b 74 6c 73 2d 76 31 2d 31 3a 31  1.61 {tls-v1-1:1
25c0: 30 31 31 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74  011} -constraint
25d0: 73 20 7b 74 6c 73 31 2e 31 20 6e 65 77 5f 61 70  s {tls1.1 new_ap
25e0: 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61 64 73  i} -body {..bads
25f0: 73 6c 20 74 6c 73 2d 76 31 2d 31 2e 62 61 64 73  sl tls-v1-1.bads
2600: 73 6c 2e 63 6f 6d 3a 31 30 31 31 0a 20 20 20 20  sl.com:1011.    
2610: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
2620: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 75 6e 73  hake failed: uns
2630: 75 70 70 6f 72 74 65 64 20 70 72 6f 74 6f 63 6f  upported protoco
2640: 6c 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  l} -returnCodes 
2650: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
2660: 2d 31 2e 36 32 20 7b 74 6c 73 2d 76 31 2d 32 3a  -1.62 {tls-v1-2:
2670: 31 30 31 32 7d 20 2d 63 6f 6e 73 74 72 61 69 6e  1012} -constrain
2680: 74 73 20 7b 74 6c 73 31 2e 32 7d 20 2d 62 6f 64  ts {tls1.2} -bod
2690: 79 20 7b 0a 09 62 61 64 73 73 6c 20 74 6c 73 2d  y {..badssl tls-
26a0: 76 31 2d 32 2e 62 61 64 73 73 6c 2e 63 6f 6d 3a  v1-2.badssl.com:
26b0: 31 30 31 32 0a 20 20 20 20 7d 0a 0a 74 65 73 74  1012.    }..test
26c0: 20 42 61 64 53 53 4c 2d 31 2e 36 33 20 7b 75 6e   BadSSL-1.63 {un
26d0: 74 72 75 73 74 65 64 2d 72 6f 6f 74 7d 20 2d 63  trusted-root} -c
26e0: 6f 6e 73 74 72 61 69 6e 74 73 20 7b 6f 6c 64 5f  onstraints {old_
26f0: 61 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  api} -body {..ba
2700: 64 73 73 6c 20 75 6e 74 72 75 73 74 65 64 2d 72  dssl untrusted-r
2710: 6f 6f 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20  oot.badssl.com. 
2720: 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61     } -result {ha
2730: 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a 20  ndshake failed: 
2740: 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72 69  certificate veri
2750: 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74 6f  fy failed due to
2760: 20 22 73 65 6c 66 20 73 69 67 6e 65 64 20 63 65   "self signed ce
2770: 72 74 69 66 69 63 61 74 65 20 69 6e 20 63 65 72  rtificate in cer
2780: 74 69 66 69 63 61 74 65 20 63 68 61 69 6e 22 7d  tificate chain"}
2790: 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31   -returnCodes {1
27a0: 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31  }..test BadSSL-1
27b0: 2e 36 34 20 7b 75 6e 74 72 75 73 74 65 64 2d 72  .64 {untrusted-r
27c0: 6f 6f 74 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74  oot} -constraint
27d0: 73 20 7b 6e 65 77 5f 61 70 69 7d 20 2d 62 6f 64  s {new_api} -bod
27e0: 79 20 7b 0a 09 62 61 64 73 73 6c 20 75 6e 74 72  y {..badssl untr
27f0: 75 73 74 65 64 2d 72 6f 6f 74 2e 62 61 64 73 73  usted-root.badss
2800: 6c 2e 63 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73  l.com.    } -res
2810: 75 6c 74 20 7b 68 61 6e 64 73 68 61 6b 65 20 66  ult {handshake f
2820: 61 69 6c 65 64 3a 20 63 65 72 74 69 66 69 63 61  ailed: certifica
2830: 74 65 20 76 65 72 69 66 79 20 66 61 69 6c 65 64  te verify failed
2840: 20 64 75 65 20 74 6f 20 22 73 65 6c 66 2d 73 69   due to "self-si
2850: 67 6e 65 64 20 63 65 72 74 69 66 69 63 61 74 65  gned certificate
2860: 20 69 6e 20 63 65 72 74 69 66 69 63 61 74 65 20   in certificate 
2870: 63 68 61 69 6e 22 7d 20 2d 72 65 74 75 72 6e 43  chain"} -returnC
2880: 6f 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42  odes {1}..test B
2890: 61 64 53 53 4c 2d 31 2e 36 35 20 7b 75 70 67 72  adSSL-1.65 {upgr
28a0: 61 64 65 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  ade} -body {..ba
28b0: 64 73 73 6c 20 75 70 67 72 61 64 65 2e 62 61 64  dssl upgrade.bad
28c0: 73 73 6c 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 74  ssl.com.    }..t
28d0: 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 36 36 20  est BadSSL-1.66 
28e0: 7b 77 65 62 70 61 63 6b 2d 64 65 76 2d 73 65 72  {webpack-dev-ser
28f0: 76 65 72 7d 20 2d 62 6f 64 79 20 7b 0a 09 62 61  ver} -body {..ba
2900: 64 73 73 6c 20 77 65 62 70 61 63 6b 2d 64 65 76  dssl webpack-dev
2910: 2d 73 65 72 76 65 72 2e 62 61 64 73 73 6c 2e 63  -server.badssl.c
2920: 6f 6d 0a 20 20 20 20 7d 20 2d 72 65 73 75 6c 74  om.    } -result
2930: 20 7b 68 61 6e 64 73 68 61 6b 65 20 66 61 69 6c   {handshake fail
2940: 65 64 3a 20 63 65 72 74 69 66 69 63 61 74 65 20  ed: certificate 
2950: 76 65 72 69 66 79 20 66 61 69 6c 65 64 20 64 75  verify failed du
2960: 65 20 74 6f 20 22 75 6e 61 62 6c 65 20 74 6f 20  e to "unable to 
2970: 67 65 74 20 6c 6f 63 61 6c 20 69 73 73 75 65 72  get local issuer
2980: 20 63 65 72 74 69 66 69 63 61 74 65 22 7d 20 2d   certificate"} -
2990: 72 65 74 75 72 6e 43 6f 64 65 73 20 7b 31 7d 0a  returnCodes {1}.
29a0: 0a 74 65 73 74 20 42 61 64 53 53 4c 2d 31 2e 36  .test BadSSL-1.6
29b0: 37 20 7b 77 72 6f 6e 67 2e 68 6f 73 74 7d 20 2d  7 {wrong.host} -
29c0: 63 6f 6e 73 74 72 61 69 6e 74 73 20 7b 6f 6c 64  constraints {old
29d0: 5f 61 70 69 7d 20 2d 62 6f 64 79 20 7b 0a 09 62  _api} -body {..b
29e0: 61 64 73 73 6c 20 77 72 6f 6e 67 2e 68 6f 73 74  adssl wrong.host
29f0: 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a 20 20 20 20  .badssl.com.    
2a00: 7d 20 2d 72 65 73 75 6c 74 20 7b 68 61 6e 64 73  } -result {hands
2a10: 68 61 6b 65 20 66 61 69 6c 65 64 3a 20 63 65 72  hake failed: cer
2a20: 74 69 66 69 63 61 74 65 20 76 65 72 69 66 79 20  tificate verify 
2a30: 66 61 69 6c 65 64 20 64 75 65 20 74 6f 20 22 48  failed due to "H
2a40: 6f 73 74 6e 61 6d 65 20 6d 69 73 6d 61 74 63 68  ostname mismatch
2a50: 22 7d 20 2d 72 65 74 75 72 6e 43 6f 64 65 73 20  "} -returnCodes 
2a60: 7b 31 7d 0a 0a 74 65 73 74 20 42 61 64 53 53 4c  {1}..test BadSSL
2a70: 2d 31 2e 36 38 20 7b 77 72 6f 6e 67 2e 68 6f 73  -1.68 {wrong.hos
2a80: 74 7d 20 2d 63 6f 6e 73 74 72 61 69 6e 74 73 20  t} -constraints 
2a90: 7b 6e 65 77 5f 61 70 69 7d 20 2d 62 6f 64 79 20  {new_api} -body 
2aa0: 7b 0a 09 62 61 64 73 73 6c 20 77 72 6f 6e 67 2e  {..badssl wrong.
2ab0: 68 6f 73 74 2e 62 61 64 73 73 6c 2e 63 6f 6d 0a  host.badssl.com.
2ac0: 20 20 20 20 7d 20 2d 72 65 73 75 6c 74 20 7b 68      } -result {h
2ad0: 61 6e 64 73 68 61 6b 65 20 66 61 69 6c 65 64 3a  andshake failed:
2ae0: 20 63 65 72 74 69 66 69 63 61 74 65 20 76 65 72   certificate ver
2af0: 69 66 79 20 66 61 69 6c 65 64 20 64 75 65 20 74  ify failed due t
2b00: 6f 20 22 68 6f 73 74 6e 61 6d 65 20 6d 69 73 6d  o "hostname mism
2b10: 61 74 63 68 22 7d 20 2d 72 65 74 75 72 6e 43 6f  atch"} -returnCo
2b20: 64 65 73 20 7b 31 7d 0a 0a 74 65 73 74 20 42 61  des {1}..test Ba
2b30: 64 53 53 4c 2d 31 2e 36 39 20 7b 6d 6f 7a 69 6c  dSSL-1.69 {mozil
2b40: 6c 61 2d 6d 6f 64 65 72 6e 7d 20 2d 62 6f 64 79  la-modern} -body
2b50: 20 7b 0a 09 62 61 64 73 73 6c 20 6d 6f 7a 69 6c   {..badssl mozil
2b60: 6c 61 2d 6d 6f 64 65 72 6e 2e 62 61 64 73 73 6c  la-modern.badssl
2b70: 2e 63 6f 6d 0a 20 20 20 20 7d 0a 0a 23 20 43 6c  .com.    }..# Cl
2b80: 65 61 6e 75 70 0a 3a 3a 74 63 6c 74 65 73 74 3a  eanup.::tcltest:
2b90: 3a 63 6c 65 61 6e 75 70 54 65 73 74 73 0a 72 65  :cleanupTests.re
2ba0: 74 75 72 6e 0a                                   turn.