source: mod_gnutls/test/tests/35_client_reauth/test.yml @ c33b0ea

Last change on this file since c33b0ea was c33b0ea, checked in by Fiona Klute <fiona.klute@…>, 10 months ago

Test per-directory "GnuTLSClientVerify request"

The request must always be allowed, and SSL_CLIENT_VERIFY set to the
appropriate status.

# Case 1: the client has a key and certificate (authority/client/) that the
# server accepts; the last request expects verification status SUCCESS.
# No client authentication happens in the handshake. Per the description the
# server asks for it later, so the client lists post-handshake-auth.
# NOTE(review): gnutls_params are presumably passed to the test client as
# options; the harness is not part of this file.
- !connection
  description: >-
    There's no authentication needed on handshake, but the server
    will require reauth to serve the second request.
  gnutls_params:
    - x509cafile=authority/x509.pem
    - x509keyfile=authority/client/secret.key
    - x509certfile=authority/client/x509.pem
    - post-handshake-auth
  actions:
    # Unprotected resource, requested before any client certificate has
    # been presented. Exact match, trailing newline included.
    - !request
      path: /test.txt
      expect:
        status: 200
        body:
          exactly: "test\n"
    # Request with a body to the path that requires reauth. The expected
    # response is the request body unchanged, so the check fails if data
    # received while reauthentication is in progress is lost or altered.
    # The body text itself records why buffering that data is acceptable.
    # NOTE(review): assumes mirror.cgi echoes its input; the script is not
    # shown here.
    - !request
      method: POST
      path: /secret/mirror.cgi
      body: |
        GNUTLS_E_GOT_APPLICATION_DATA can (randomly, depending on
        timing) happen with a request containing a body. According to
        https://tools.ietf.org/html/rfc8446#appendix-E.1.2
        post-handshake authentication proves that the authenticated
        party is the one that did the handshake, so caching the data
        is appropriate.
      expect:
        status: 200
        body:
          exactly: |
            GNUTLS_E_GOT_APPLICATION_DATA can (randomly, depending on
            timing) happen with a request containing a body. According to
            https://tools.ietf.org/html/rfc8446#appendix-E.1.2
            post-handshake authentication proves that the authenticated
            party is the one that did the handshake, so caching the data
            is appropriate.
    # Verification result as reported to the handler after reauth: both the
    # status and the certificate's RFC822NAME SubjectAltName must appear.
    # NOTE(review): presumably /dump.cgi is the location covered by
    # "GnuTLSClientVerify request"; the server configuration is not shown.
    - !request
      path: /dump.cgi
      expect:
        status: 200
        body:
          contains:
            - |
              ----Verification Status:----
              SUCCESS
            - |
              ----SubjectAltName:----
              RFC822NAME:test0@modgnutls.test
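# Case 2: the client has no key or certificate configured, so it cannot
# answer the server's reauth request with a certificate.
- !connection
  description: >-
    This client has no certificate, so the second request will
    receive 403 Forbidden.
  gnutls_params:
    - x509cafile=authority/x509.pem
    - post-handshake-auth
  actions:
    # Unprotected resource: served without client authentication.
    # Exact match, trailing newline included.
    - !request
      path: /test.txt
      expect:
        status: 200
        body:
          exactly: "test\n"
    # Protected path: the server must refuse with 403 rather than serve the
    # file. The next action still expects an answer, so the refusal must
    # not break the remaining exchange.
    - !request
      method: GET
      path: /secret/test.txt
      expect:
        status: 403
        body:
          contains: Forbidden
    # The request is allowed (200) although no certificate was presented;
    # only the reported status (NONE) shows that. A 200 from this path is
    # therefore not evidence of client authentication: a handler behind
    # such a setting has to check the verification status itself.
    # NOTE(review): presumably /dump.cgi is the location covered by
    # "GnuTLSClientVerify request"; the server configuration is not shown.
    - !request
      path: /dump.cgi
      expect:
        status: 200
        body:
          contains: |
            ----Verification Status:----
            NONE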
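# Case 3: the client presents a key and certificate from rogueca/, which the
# description calls untrusted. Presenting some certificate must not be
# enough to pass reauth.
- !connection
  description: >-
    This client has an untrusted certificate, so the second
    request will receive 403 Forbidden.
  gnutls_params:
    - x509cafile=authority/x509.pem
    - x509keyfile=rogueca/rogueclient/secret.key
    - x509certfile=rogueca/rogueclient/x509.pem
    - post-handshake-auth
  actions:
    # Unprotected resource: served without client authentication.
    # Exact match, trailing newline included.
    - !request
      path: /test.txt
      expect:
        status: 200
        body:
          exactly: "test\n"
    # Protected path: the untrusted certificate must lead to 403, the same
    # outcome as for a client with no certificate at all.
    - !request
      method: GET
      path: /secret/test.txt
      expect:
        status: 403
        body:
          contains: Forbidden
    # The request is allowed (200) and the failed verification is visible
    # only as status FAILED. A handler behind such a setting must treat
    # FAILED (and NONE) as unauthenticated; the 200 carries no such meaning.
    # NOTE(review): presumably /dump.cgi is the location covered by
    # "GnuTLSClientVerify request"; the server configuration is not shown.
    - !request
      path: /dump.cgi
      expect:
        status: 200
        body:
          contains: |
            ----Verification Status:----
            FAILED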