proxy-ticket
|
Last change
on this file since 44188aa was
44188aa,
checked in by Fiona Klute <fiona.klute@…>, 10 months ago
|
|
Test post-handshake authentication with an untrusted certificate
|
-
Property mode set to
100644
|
|
File size:
2.3 KB
|
| Line | |
|---|
| 1 | - !connection |
|---|
| 2 | description: >- |
|---|
| 3 | There's no authentication needed on handshake, but the server will |
|---|
| 4 | require reauth to serve the second request. |
|---|
| 5 | gnutls_params: |
|---|
| 6 | - x509cafile=authority/x509.pem |
|---|
| 7 | - x509keyfile=authority/client/secret.key |
|---|
| 8 | - x509certfile=authority/client/x509.pem |
|---|
| 9 | - post-handshake-auth |
|---|
| 10 | actions: |
|---|
| 11 | - !request |
|---|
| 12 | path: /test.txt |
|---|
| 13 | expect: |
|---|
| 14 | status: 200 |
|---|
| 15 | body: |
|---|
| 16 | exactly: | |
|---|
| 17 | test |
|---|
| 18 | - !request |
|---|
| 19 | method: POST |
|---|
| 20 | path: /secret/mirror.cgi |
|---|
| 21 | body: | |
|---|
| 22 | GNUTLS_E_GOT_APPLICATION_DATA can (randomly, depending on |
|---|
| 23 | timing) happen with a request containing a body. According to |
|---|
| 24 | https://tools.ietf.org/html/rfc8446#appendix-E.1.2 |
|---|
| 25 | post-handshake authentication proves that the authenticated |
|---|
| 26 | party is the one that did the handshake, so caching the data |
|---|
| 27 | is appropriate. |
|---|
| 28 | expect: |
|---|
| 29 | status: 200 |
|---|
| 30 | body: |
|---|
| 31 | exactly: | |
|---|
| 32 | GNUTLS_E_GOT_APPLICATION_DATA can (randomly, depending on |
|---|
| 33 | timing) happen with a request containing a body. According to |
|---|
| 34 | https://tools.ietf.org/html/rfc8446#appendix-E.1.2 |
|---|
| 35 | post-handshake authentication proves that the authenticated |
|---|
| 36 | party is the one that did the handshake, so caching the data |
|---|
| 37 | is appropriate. |
|---|
| 38 | - !connection |
|---|
| 39 | description: >- |
|---|
| 40 | This client has no certificate, so the the second request will |
|---|
| 41 | receive 403 Forbidden. |
|---|
| 42 | gnutls_params: |
|---|
| 43 | - x509cafile=authority/x509.pem |
|---|
| 44 | - post-handshake-auth |
|---|
| 45 | actions: |
|---|
| 46 | - !request |
|---|
| 47 | path: /test.txt |
|---|
| 48 | expect: |
|---|
| 49 | status: 200 |
|---|
| 50 | body: |
|---|
| 51 | exactly: | |
|---|
| 52 | test |
|---|
| 53 | - !request |
|---|
| 54 | method: GET |
|---|
| 55 | path: /secret/test.txt |
|---|
| 56 | expect: |
|---|
| 57 | status: 403 |
|---|
| 58 | body: |
|---|
| 59 | contains: Forbidden |
|---|
| 60 | - !connection |
|---|
| 61 | description: >- |
|---|
| 62 | This client has an untrusted certificate, so the the second |
|---|
| 63 | request will receive 403 Forbidden. |
|---|
| 64 | gnutls_params: |
|---|
| 65 | - x509cafile=authority/x509.pem |
|---|
| 66 | - x509keyfile=rogueca/rogueclient/secret.key |
|---|
| 67 | - x509certfile=rogueca/rogueclient/x509.pem |
|---|
| 68 | - post-handshake-auth |
|---|
| 69 | actions: |
|---|
| 70 | - !request |
|---|
| 71 | path: /test.txt |
|---|
| 72 | expect: |
|---|
| 73 | status: 200 |
|---|
| 74 | body: |
|---|
| 75 | exactly: | |
|---|
| 76 | test |
|---|
| 77 | - !request |
|---|
| 78 | method: GET |
|---|
| 79 | path: /secret/test.txt |
|---|
| 80 | expect: |
|---|
| 81 | status: 403 |
|---|
| 82 | body: |
|---|
| 83 | contains: Forbidden |
|---|
Note: See
TracBrowser
for help on using the repository browser.
