Check-in [6fd974ebf0]
Overview
Comment:Updated test cases for OpenSSL 3.0
SHA3-256: 6fd974ebf0516f17bfe776c51caedc71d9094209abd5dcc5ddfe7d3b164f7e72
User & Date: bohagan on 2024-02-10 03:37:46
Context
2024-02-10
20:37
Refactored set default CA certificates path and file to allow env vars to override defaults. check-in: cdb6cd6aa6 user: bohagan tags: trunk
03:37
Updated test cases for OpenSSL 3.0 check-in: 6fd974ebf0 user: bohagan tags: trunk
2024-02-09
20:06
Updated badssl.com test cases for error message format and CA file on Unix. check-in: 347e9a4852 user: bohagan tags: trunk
Changes
366
367
368
369
370
371
372


373
374
375
376
377
378
379
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381







+
+







	    break;

	case SSL_ERROR_SSL:
	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
	    dprintf("SSL error, indicating that the connection has been aborted");
	    if (backingError != 0) {
		Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
	    } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
		Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
	    } else {
		Tls_Error(statePtr, "Unknown SSL error");
	    }
	    *errorCodePtr = ECONNABORTED;
	    bytesRead = -1;

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
579
580
581
582
583
584
585


586
587
588
589
590
591
592
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596







+
+







	    break;

	case SSL_ERROR_SSL:
	    /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
	    dprintf("SSL error, indicating that the connection has been aborted");
	    if (backingError != 0) {
		Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
	    } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
		Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
	    } else {
		Tls_Error(statePtr, "Unknown SSL error");
	    }
	    *errorCodePtr = ECONNABORTED;
	    written = -1;
	    break;
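Review bot: The added `else if` branch under `case SSL_ERROR_SSL` calls `SSL_get_verify_result(statePtr->ssl)` twice, once for the test and once for the message. Reading it into a local declared with the function's other variables, `long vr = SSL_get_verify_result(statePtr->ssl);`, keeps the condition and the reported string tied to one value. The same branch is added verbatim in the read path (ending in `bytesRead = -1;`) and the write path (ending in `written = -1;`), so a small static helper shared by both would keep the two error texts from drifting apart. A short comment would also help, for example `/* error queue was empty: report the certificate verify result instead of a generic failure */`. Both case bodies begin outside their hunks, so how `backingError` is obtained is not visible here.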

1
2
3
4
5
6
7
8
9
10
11
12
13
14


15
16
17
18


19
20


21
22


23
24
25
26
27
28
29
1
2
3
4
5
6
7
8
9
10
11
12
13

14
15
16
17
18

19
20
21

22
23
24

25
26
27
28
29
30
31
32
33













-
+
+



-
+
+

-
+
+

-
+
+







# Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes
command,package require tls,,,,,,,,,
,,,,,,,,,,
command,# Constraints,,,,,,,,,
command,source [file join [file dirname [info script]] common.tcl],,,,,,,,,
,,,,,,,,,,
command,# Helper functions,,,,,,,,,
command,"proc badssl {url} {set port 443;lassign [split $url "":""] url port;if {$port eq """"} {set port 443};set cmd [list tls::socket -autoservername 1 -require 1];if {[info exists ::env(SSL_CERT_FILE)]} {lappend cmd -cafile $::env(SSL_CERT_FILE)};lappend cmd $url $port;set ch [eval $cmd];if {[catch {tls::handshake $ch} err]} {close $ch;return -code error $err} else {close $ch}}",,,,,,,,,
,,,,,,,,,,
command,# BadSSL.com Tests,,,,,,,,,
BadSSL,1000-sans,,,badssl 1000-sans.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,10000-sans,,,badssl 10000-sans.badssl.com,,,handshake failed: excessive message size,,,1
BadSSL,3des,,,badssl 3des.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,captive-portal,,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,captive-portal,old_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,captive-portal,new_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1
BadSSL,cbc,,,badssl cbc.badssl.com,,,,,,
BadSSL,client-cert-missing,,,badssl client-cert-missing.badssl.com,,,,,,
BadSSL,client,,,badssl client.badssl.com,,,,,,
BadSSL,dh-composite,,,badssl dh-composite.badssl.com,,,,,,
BadSSL,dh-composite,old_api,,badssl dh-composite.badssl.com,,,,,,
BadSSL,dh-composite,new_api,,badssl dh-composite.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh-small-subgroup,,,badssl dh-small-subgroup.badssl.com,,,,,,
BadSSL,dh480,,,badssl dh480.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh480,old_api,,badssl dh480.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh480,new_api,,badssl dh480.badssl.com,,,handshake failed: modulus too small,,,1
BadSSL,dh512,,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh1024,,,badssl dh1024.badssl.com,,,,,,
BadSSL,dh1024,old_api,,badssl dh1024.badssl.com,,,,,,
BadSSL,dh1024,new_api,,badssl dh1024.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh2048,,,badssl dh2048.badssl.com,,,,,,
BadSSL,dsdtestprovider,,,badssl dsdtestprovider.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,ecc256,,,badssl ecc256.badssl.com,,,,,,
BadSSL,ecc384,,,badssl ecc384.badssl.com,,,,,,
BadSSL,edellroot,,,badssl edellroot.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,expired,,,badssl expired.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,extended-validation,,,badssl extended-validation.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
43
44
45
46
47
48
49
50


51
52


53
54
55
56
57
58


59
60
61




62
63


64
65
66


67
47
48
49
50
51
52
53

54
55
56

57
58
59
60
61
62
63

64
65
66


67
68
69
70
71

72
73
74
75

76
77
78







-
+
+

-
+
+





-
+
+

-
-
+
+
+
+

-
+
+


-
+
+

BadSSL,preloaded-hsts,,,badssl preloaded-hsts.badssl.com,,,,,,
BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,rc4,,,badssl rc4.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,revoked,,,badssl revoked.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,rsa2048,,,badssl rsa2048.badssl.com,,,,,,
BadSSL,rsa4096,,,badssl rsa4096.badssl.com,,,,,,
BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,,,,
BadSSL,self-signed,,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate""",,,1
BadSSL,self-signed,old_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate""",,,1
BadSSL,self-signed,new_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate""",,,1
BadSSL,sha1-2016,,,badssl sha1-2016.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,sha1-2017,,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,sha1-2017,old_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,sha1-2017,new_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""CA signature digest algorithm too weak""",,,1
BadSSL,sha1-intermediate,,,badssl sha1-intermediate.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,sha256,,,badssl sha256.badssl.com,,,,,,
BadSSL,sha384,,,badssl sha384.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,sha512,,,badssl sha512.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,static-rsa,,,badssl static-rsa.badssl.com,,,,,,
BadSSL,subdomain.preloaded-hsts,,,badssl subdomain.preloaded-hsts.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,subdomain.preloaded-hsts,old_api,,badssl subdomain.preloaded-hsts.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,subdomain.preloaded-hsts,new_api,,badssl subdomain.preloaded-hsts.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1
BadSSL,superfish,,,badssl superfish.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,tls-v1-0:1010,tls1,,badssl tls-v1-0.badssl.com:1010,,,,,,
BadSSL,tls-v1-1:1011,tls1.1,,badssl tls-v1-1.badssl.com:1011,,,,,,
BadSSL,tls-v1-0:1010,tls1 old_api,,badssl tls-v1-0.badssl.com:1010,,,,,,
BadSSL,tls-v1-0:1010,tls1 new_api,,badssl tls-v1-0.badssl.com:1010,,,handshake failed: unsupported protocol,,,1
BadSSL,tls-v1-1:1011,tls1.1 old_api,,badssl tls-v1-1.badssl.com:1011,,,,,,
BadSSL,tls-v1-1:1011,tls1.1 new_api,,badssl tls-v1-1.badssl.com:1011,,,handshake failed: unsupported protocol,,,1
BadSSL,tls-v1-2:1012,tls1.2,,badssl tls-v1-2.badssl.com:1012,,,,,,
BadSSL,untrusted-root,,,badssl untrusted-root.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate in certificate chain""",,,1
BadSSL,untrusted-root,old_api,,badssl untrusted-root.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate in certificate chain""",,,1
BadSSL,untrusted-root,new_api,,badssl untrusted-root.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate in certificate chain""",,,1
BadSSL,upgrade,,,badssl upgrade.badssl.com,,,,,,
BadSSL,webpack-dev-server,,,badssl webpack-dev-server.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,wrong.host,,,badssl wrong.host.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,wrong.host,old_api,,badssl wrong.host.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,wrong.host,new_api,,badssl wrong.host.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1
BadSSL,mozilla-modern,,,badssl mozilla-modern.badssl.com,,,,,,
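Review bot: Several of the new `new_api` rows pin outcomes that appear to depend on the OpenSSL build's configured security level and minimum protocol rather than on the 3.x version alone. These are `dh1024` expecting `dh key too small`, and `tls-v1-0` and `tls-v1-1` expecting `unsupported protocol`, so they may fail on a 3.x build with a different policy. A comment row such as `command,# new_api results assume the default OpenSSL 3.x security level,,,,,,,,,` would record that assumption next to the rows that rely on it. Separately, the `revoked` row still expects `certificate has expired`, so it passes on expiry and shows nothing about revocation handling; it deserves a comment row saying so.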
27
28
29
30
31
32
33
34

35
36
37
38





39
40
41
42

43
44
45
46

47
48
49
50

51
52
53




54

55
56
57
58

59
60
61




62

63
64
65
66

67
68
69




70

71
72
73
74

75
76
77
78

79
80
81
82

83
84
85
86

87
88
89
90

91
92
93
94

95
96
97
98

99
100
101
102

103
104
105
106

107
108
109
110

111
112
113
114

115
116
117
118

119
120
121
122

123
124
125
126

127
128
129
130

131
132
133
134

135
136
137
138

139
140
141
142

143
144
145
146

147
148
149
150

151
152
153
154

155
156
157
158

159
160
161
162

163
164
165
166

167
168
169
170

171
172
173
174

175
176
177
178

179
180
181




182

183
184
185
186

187
188
189




190

191
192
193
194

195
196
197
198

199
200
201
202

203
204
205
206

207
208
209
210

211
212
213




214

215
216
217
218

219
220
221




222

223
224
225




226

227
228
229
230

231
232
233




234

235
236
237
238

239
240
241
242

243
244
245




246

247
248
249
250
251
252
27
28
29
30
31
32
33

34
35
36
37

38
39
40
41
42
43
44
45

46
47
48
49

50
51
52
53

54
55
56
57
58
59
60
61

62
63
64
65

66
67
68
69
70
71
72
73

74
75
76
77

78
79
80
81
82
83
84
85

86
87
88
89

90
91
92
93

94
95
96
97

98
99
100
101

102
103
104
105

106
107
108
109

110
111
112
113

114
115
116
117

118
119
120
121

122
123
124
125

126
127
128
129

130
131
132
133

134
135
136
137

138
139
140
141

142
143
144
145

146
147
148
149

150
151
152
153

154
155
156
157

158
159
160
161

162
163
164
165

166
167
168
169

170
171
172
173

174
175
176
177

178
179
180
181

182
183
184
185

186
187
188
189

190
191
192
193

194
195
196
197
198
199
200
201

202
203
204
205

206
207
208
209
210
211
212
213

214
215
216
217

218
219
220
221

222
223
224
225

226
227
228
229

230
231
232
233

234
235
236
237
238
239
240
241

242
243
244
245

246
247
248
249
250
251
252
253

254
255
256
257
258
259
260
261

262
263
264
265

266
267
268
269
270
271
272
273

274
275
276
277

278
279
280
281

282
283
284
285
286
287
288
289

290
291
292
293
294
295
296







-
+



-
+
+
+
+
+



-
+



-
+



-
+



+
+
+
+
-
+



-
+



+
+
+
+
-
+



-
+



+
+
+
+
-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



+
+
+
+
-
+



-
+



+
+
+
+
-
+



-
+



-
+



-
+



-
+



-
+



+
+
+
+
-
+



-
+



+
+
+
+
-
+



+
+
+
+
-
+



-
+



+
+
+
+
-
+



-
+



-
+



+
+
+
+
-
+






	badssl 10000-sans.badssl.com
    } -result {handshake failed: excessive message size} -returnCodes {1}

test BadSSL-1.3 {3des} -body {
	badssl 3des.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}

test BadSSL-1.4 {captive-portal} -body {
test BadSSL-1.4 {captive-portal} -constraints {old_api} -body {
	badssl captive-portal.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.5 {cbc} -body {
test BadSSL-1.5 {captive-portal} -constraints {new_api} -body {
	badssl captive-portal.badssl.com
    } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1}

test BadSSL-1.6 {cbc} -body {
	badssl cbc.badssl.com
    }

test BadSSL-1.6 {client-cert-missing} -body {
test BadSSL-1.7 {client-cert-missing} -body {
	badssl client-cert-missing.badssl.com
    }

test BadSSL-1.7 {client} -body {
test BadSSL-1.8 {client} -body {
	badssl client.badssl.com
    }

test BadSSL-1.8 {dh-composite} -body {
test BadSSL-1.9 {dh-composite} -constraints {old_api} -body {
	badssl dh-composite.badssl.com
    }

test BadSSL-1.10 {dh-composite} -constraints {new_api} -body {
	badssl dh-composite.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.9 {dh-small-subgroup} -body {
test BadSSL-1.11 {dh-small-subgroup} -body {
	badssl dh-small-subgroup.badssl.com
    }

test BadSSL-1.10 {dh480} -body {
test BadSSL-1.12 {dh480} -constraints {old_api} -body {
	badssl dh480.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.13 {dh480} -constraints {new_api} -body {
	badssl dh480.badssl.com
    } -result {handshake failed: modulus too small} -returnCodes {1}

test BadSSL-1.11 {dh512} -body {
test BadSSL-1.14 {dh512} -body {
	badssl dh512.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.12 {dh1024} -body {
test BadSSL-1.15 {dh1024} -constraints {old_api} -body {
	badssl dh1024.badssl.com
    }

test BadSSL-1.16 {dh1024} -constraints {new_api} -body {
	badssl dh1024.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.13 {dh2048} -body {
test BadSSL-1.17 {dh2048} -body {
	badssl dh2048.badssl.com
    }

test BadSSL-1.14 {dsdtestprovider} -body {
test BadSSL-1.18 {dsdtestprovider} -body {
	badssl dsdtestprovider.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.15 {ecc256} -body {
test BadSSL-1.19 {ecc256} -body {
	badssl ecc256.badssl.com
    }

test BadSSL-1.16 {ecc384} -body {
test BadSSL-1.20 {ecc384} -body {
	badssl ecc384.badssl.com
    }

test BadSSL-1.17 {edellroot} -body {
test BadSSL-1.21 {edellroot} -body {
	badssl edellroot.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.18 {expired} -body {
test BadSSL-1.22 {expired} -body {
	badssl expired.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.19 {extended-validation} -body {
test BadSSL-1.23 {extended-validation} -body {
	badssl extended-validation.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.20 {hsts} -body {
test BadSSL-1.24 {hsts} -body {
	badssl hsts.badssl.com
    }

test BadSSL-1.21 {https-everywhere} -body {
test BadSSL-1.25 {https-everywhere} -body {
	badssl https-everywhere.badssl.com
    }

test BadSSL-1.22 {incomplete-chain} -body {
test BadSSL-1.26 {incomplete-chain} -body {
	badssl incomplete-chain.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.23 {invalid-expected-sct} -body {
test BadSSL-1.27 {invalid-expected-sct} -body {
	badssl invalid-expected-sct.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.24 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body {
test BadSSL-1.28 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body {
	badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com
    }

test BadSSL-1.25 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body {
test BadSSL-1.29 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body {
	badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com
    }

test BadSSL-1.26 {mitm-software} -body {
test BadSSL-1.30 {mitm-software} -body {
	badssl mitm-software.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.27 {no-common-name} -body {
test BadSSL-1.31 {no-common-name} -body {
	badssl no-common-name.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.28 {no-sct} -body {
test BadSSL-1.32 {no-sct} -body {
	badssl no-sct.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.29 {no-subject} -body {
test BadSSL-1.33 {no-subject} -body {
	badssl no-subject.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.30 {null} -body {
test BadSSL-1.34 {null} -body {
	badssl null.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}

test BadSSL-1.31 {pinning-test} -body {
test BadSSL-1.35 {pinning-test} -body {
	badssl pinning-test.badssl.com
    }

test BadSSL-1.32 {preact-cli} -body {
test BadSSL-1.36 {preact-cli} -body {
	badssl preact-cli.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.33 {preloaded-hsts} -body {
test BadSSL-1.37 {preloaded-hsts} -body {
	badssl preloaded-hsts.badssl.com
    }

test BadSSL-1.34 {rc4-md5} -body {
test BadSSL-1.38 {rc4-md5} -body {
	badssl rc4-md5.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}

test BadSSL-1.35 {rc4} -body {
test BadSSL-1.39 {rc4} -body {
	badssl rc4.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}

test BadSSL-1.36 {revoked} -body {
test BadSSL-1.40 {revoked} -body {
	badssl revoked.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.37 {rsa2048} -body {
test BadSSL-1.41 {rsa2048} -body {
	badssl rsa2048.badssl.com
    }

test BadSSL-1.38 {rsa4096} -body {
test BadSSL-1.42 {rsa4096} -body {
	badssl rsa4096.badssl.com
    }

test BadSSL-1.39 {rsa8192} -body {
test BadSSL-1.43 {rsa8192} -body {
	badssl rsa8192.badssl.com
    }

test BadSSL-1.40 {self-signed} -body {
test BadSSL-1.44 {self-signed} -constraints {old_api} -body {
	badssl self-signed.badssl.com
    } -result {handshake failed: certificate verify failed due to "self signed certificate"} -returnCodes {1}

test BadSSL-1.45 {self-signed} -constraints {new_api} -body {
	badssl self-signed.badssl.com
    } -result {handshake failed: certificate verify failed due to "self-signed certificate"} -returnCodes {1}

test BadSSL-1.41 {sha1-2016} -body {
test BadSSL-1.46 {sha1-2016} -body {
	badssl sha1-2016.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.42 {sha1-2017} -body {
test BadSSL-1.47 {sha1-2017} -constraints {old_api} -body {
	badssl sha1-2017.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.48 {sha1-2017} -constraints {new_api} -body {
	badssl sha1-2017.badssl.com
    } -result {handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"} -returnCodes {1}

test BadSSL-1.43 {sha1-intermediate} -body {
test BadSSL-1.49 {sha1-intermediate} -body {
	badssl sha1-intermediate.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.44 {sha256} -body {
test BadSSL-1.50 {sha256} -body {
	badssl sha256.badssl.com
    }

test BadSSL-1.45 {sha384} -body {
test BadSSL-1.51 {sha384} -body {
	badssl sha384.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.46 {sha512} -body {
test BadSSL-1.52 {sha512} -body {
	badssl sha512.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.47 {static-rsa} -body {
test BadSSL-1.53 {static-rsa} -body {
	badssl static-rsa.badssl.com
    }

test BadSSL-1.48 {subdomain.preloaded-hsts} -body {
test BadSSL-1.54 {subdomain.preloaded-hsts} -constraints {old_api} -body {
	badssl subdomain.preloaded-hsts.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {new_api} -body {
	badssl subdomain.preloaded-hsts.badssl.com
    } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1}

test BadSSL-1.49 {superfish} -body {
test BadSSL-1.56 {superfish} -body {
	badssl superfish.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.50 {tls-v1-0:1010} -constraints {tls1} -body {
test BadSSL-1.57 {tls-v1-0:1010} -constraints {tls1 old_api} -body {
	badssl tls-v1-0.badssl.com:1010
    }

test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 new_api} -body {
	badssl tls-v1-0.badssl.com:1010
    } -result {handshake failed: unsupported protocol} -returnCodes {1}

test BadSSL-1.51 {tls-v1-1:1011} -constraints {tls1.1} -body {
test BadSSL-1.59 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body {
	badssl tls-v1-1.badssl.com:1011
    }

test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body {
	badssl tls-v1-1.badssl.com:1011
    } -result {handshake failed: unsupported protocol} -returnCodes {1}

test BadSSL-1.52 {tls-v1-2:1012} -constraints {tls1.2} -body {
test BadSSL-1.61 {tls-v1-2:1012} -constraints {tls1.2} -body {
	badssl tls-v1-2.badssl.com:1012
    }

test BadSSL-1.53 {untrusted-root} -body {
test BadSSL-1.62 {untrusted-root} -constraints {old_api} -body {
	badssl untrusted-root.badssl.com
    } -result {handshake failed: certificate verify failed due to "self signed certificate in certificate chain"} -returnCodes {1}

test BadSSL-1.63 {untrusted-root} -constraints {new_api} -body {
	badssl untrusted-root.badssl.com
    } -result {handshake failed: certificate verify failed due to "self-signed certificate in certificate chain"} -returnCodes {1}

test BadSSL-1.54 {upgrade} -body {
test BadSSL-1.64 {upgrade} -body {
	badssl upgrade.badssl.com
    }

test BadSSL-1.55 {webpack-dev-server} -body {
test BadSSL-1.65 {webpack-dev-server} -body {
	badssl webpack-dev-server.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.56 {wrong.host} -body {
test BadSSL-1.66 {wrong.host} -constraints {old_api} -body {
	badssl wrong.host.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.67 {wrong.host} -constraints {new_api} -body {
	badssl wrong.host.badssl.com
    } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1}

test BadSSL-1.57 {mozilla-modern} -body {
test BadSSL-1.68 {mozilla-modern} -body {
	badssl mozilla-modern.badssl.com
    }

# Cleanup
::tcltest::cleanupTests
return
16
17
18
19
20
21
22






16
17
18
19
20
21
22
23
24
25
26
27
28







+
+
+
+
+
+

# OpenSSL version
::tcltest::testConstraint OpenSSL [string match "OpenSSL*" [::tls::version]]

# Legacy OpenSSL v1.1.1 vs new v3.x
scan [lindex [split [::tls::version]] 1] %f version
::tcltest::testConstraint new_api [expr {$version >= 3.0}]
::tcltest::testConstraint old_api [expr {$version < 3.0}]

# Load legacy provider
if {$version >= 3.0} {
    tls::provider legacy
}
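Review bot: The `tls::provider legacy` call runs unguarded whenever this file is sourced under 3.x, so if it raises an error on a host without the legacy module (its behaviour is not visible here), every test file that sources it would abort instead of skipping the affected cases. Wrapping the call keeps the suite running, e.g. `if {[catch {tls::provider legacy} err]} {puts stderr "legacy provider not loaded: $err"}`. Loading it also enables legacy algorithms for the whole test process, so add a comment naming the tests that need it. The `scan ... %f version` line leaves `version` unset if the second word of `[::tls::version]` is not numeric, and `new_api` is not tied to the `OpenSSL` string match two lines above, so a non-OpenSSL library reporting 3.x would also take this branch. Initialising with `set version 0.0` before the scan and adding the string match to the `new_api` expression would cover both.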