@Test // Check that proxy auth fails if it is missing public void testHttpsProxyAuthFail() throws Exception { startProxy("username", ProxyType.HTTP); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.HTTP).fail(); }
@Test
// SNI request for host2.com with client authentication required; the exchange must fail.
// NOTE(review): going by the constant name, the server's fallback trust material is for a CA
// other than the one that issued the client certificate - confirm against
// Trust.SNI_SERVER_OTHER_CA_FALLBACK.
public void testSNIWithServerNameTrustFallbackFail() throws Exception {
  RequestOptions sniRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host2.com");
  testTLS(Cert.CLIENT_PEM_ROOT_CA, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.SNI_SERVER_OTHER_CA_FALLBACK)
      .serverSni()
      .requestOptions(sniRequest)
      .requiresClientAuth()
      .fail();
}
@Test // Test host verification with a CN NOT matching localhost public void testTLSVerifyNonMatchingHost() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_MIM, Trust.NONE).clientVerifyHost().fail(); }
@Test // Client specifies cert that the server does not trust via a revoked certificate of the CA public void testTLSRevokedClientCertServer() throws Exception { testTLS(Cert.CLIENT_PEM_ROOT_CA, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.CLIENT_PEM_ROOT_CA).requiresClientAuth().serverUsesCrl().fail(); }
@Test // Server specifies cert that the client does not trust via a revoked certificate of the CA public void testTLSClientRevokedServerCert() throws Exception { testTLS(Cert.NONE, Trust.SERVER_PEM_ROOT_CA, Cert.SERVER_PEM_ROOT_CA, Trust.NONE).clientUsesCrl().fail(); }
@Test // Server specifies cert that the client doesn't trust public void testTLSClientUntrustedServerPEM() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_PEM, Trust.NONE).fail(); }
@Test // Server specifies cert that the client doesn't trust public void testTLSClientUntrustedServer() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).fail(); }
@Test
// SNI request for host5.com against a server using the SNI PEM certificates; the exchange is
// expected to fail.
// NOTE(review): whatever clientPeerCert() returns is discarded and nothing is asserted on it.
// If the intent is to check that no peer certificate is exposed after the failure, capture
// the value and assert on it.
public void testSNISubjectAltenativeNameCNMatch1PEM() throws Exception {
  RequestOptions sniRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host5.com");
  testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PEM, Trust.NONE)
      .serverSni()
      .requestOptions(sniRequest)
      .fail()
      .clientPeerCert();
}
@Test // Client provides SNI unknown to the server and server responds with the default certificate (first) public void testSNIUnknownServerName1() throws Exception { testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE) .serverSni() .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("unknown.com")).fail(); }
@Test // Specify some non matching TLS protocols public void testTLSNonMatchingProtocolVersions() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledSecureTransportProtocol(new String[]{"TLSv1.2"}).clientEnabledSecureTransportProtocol(new String[]{"SSLv2Hello", "TLSv1.1"}).fail(); }
@Test // Client specifies cert but it's not trusted public void testTLSClientCertClientNotTrusted() throws Exception { testTLS(Cert.CLIENT_JKS, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).requiresClientAuth().fail(); }
@Test // Client doesn't specify cert but it's required public void testTLSClientCertRequiredNoClientCert() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.CLIENT_JKS).requiresClientAuth().fail(); }
@Test
// Request to the dot-less host name "host1" against an SNI-enabled server; the exchange is
// expected to fail.
// NOTE(review): going by the test name, the client sends no SNI server name for a short host
// name, so the server cannot select the host1 certificate - confirm against the client
// implementation.
public void testSNIDontSendServerNameForShortnames1() throws Exception {
  RequestOptions shortNameRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host1");
  testTLS(Cert.NONE, Trust.SNI_JKS_HOST1, Cert.SNI_JKS, Trust.NONE)
      .serverSni()
      .requestOptions(shortNameRequest)
      .fail();
}
@Test
// SNI request for host5.com against a server using the SNI PKCS12 certificates; the exchange
// is expected to fail.
// NOTE(review): whatever clientPeerCert() returns is discarded and nothing is asserted on it.
// If the intent is to check that no peer certificate is exposed after the failure, capture
// the value and assert on it.
public void testSNISubjectAltenativeNameCNMatch1PKCS12() throws Exception {
  RequestOptions sniRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host5.com");
  testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PKCS12, Trust.NONE)
      .serverSni()
      .requestOptions(sniRequest)
      .fail()
      .clientPeerCert();
}
@Test
// SNI request for host5.com against a server using the SNI JKS certificates; the exchange is
// expected to fail.
// NOTE(review): whatever clientPeerCert() returns is discarded and nothing is asserted on it.
// If the intent is to check that no peer certificate is exposed after the failure, capture
// the value and assert on it.
public void testSNISubjectAltenativeNameCNMatch1() throws Exception {
  RequestOptions sniRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host5.com");
  testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE)
      .serverSni()
      .requestOptions(sniRequest)
      .fail()
      .clientPeerCert();
}
@Test // Server specifies intermediate cert that the client doesn't trust because it is missing the intermediate CA signed by the root CA public void testTLSClientUntrustedServerCertPEMRootCAWithPEMCA() throws Exception { testTLS(Cert.NONE, Trust.SERVER_PEM_ROOT_CA, Cert.SERVER_PEM_INT_CA, Trust.NONE).fail(); }
@Test
// SNI request for host2.com with client authentication required; the exchange must fail.
// NOTE(review): presumably the trust material the server selects for this server name does
// not cover the client certificate's issuer - confirm against
// Trust.SNI_SERVER_ROOT_CA_AND_OTHER_CA_2.
public void testSNIWithServerNameTrustFail() throws Exception {
  RequestOptions sniRequest = new RequestOptions()
      .setSsl(true)
      .setPort(4043)
      .setHost("host2.com");
  testTLS(Cert.CLIENT_PEM_ROOT_CA, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.SNI_SERVER_ROOT_CA_AND_OTHER_CA_2)
      .serverSni()
      .requestOptions(sniRequest)
      .requiresClientAuth()
      .fail();
}
@Test // Client provides SNI but server ignores it and provides a different cerficate public void testSNIServerIgnoresExtension1() throws Exception { testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("host2.com")) .fail(); }
@Test // Test host verification with a CN NOT matching localhost public void testTLSVerifyNonMatchingHostOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_MIM, Trust.NONE).clientVerifyHost().clientOpenSSL().fail(); }
@Test // Specify some matching TLS protocols public void testTLSInvalidProtocolVersion() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledSecureTransportProtocol(new String[]{"HelloWorld"}).fail(); }