TestClientCredsHandshakeFailure verifies different handshake failure cases.
(t *testing.T)
| 500 | |
| 501 | // TestClientCredsHandshakeFailure verifies different handshake failure cases. |
| 502 | func (s) TestClientCredsHandshakeFailure(t *testing.T) { |
| 503 | tests := []struct { |
| 504 | desc string |
| 505 | handshakeFunc testHandshakeFunc |
| 506 | rootProvider certprovider.Provider |
| 507 | san string |
| 508 | sni string |
| 509 | validateSANUsingSNI bool |
| 510 | enableSNIFlag bool |
| 511 | wantErr string |
| 512 | }{ |
| 513 | { |
| 514 | desc: "cert validation failure", |
| 515 | handshakeFunc: testServerTLSHandshake, |
| 516 | rootProvider: makeRootProvider(t, "x509/client_ca_cert.pem"), |
| 517 | san: defaultTestCertSAN, |
| 518 | wantErr: "x509: certificate signed by unknown authority", |
| 519 | }, |
| 520 | { |
| 521 | desc: "SAN mismatch", |
| 522 | handshakeFunc: testServerTLSHandshake, |
| 523 | rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), |
| 524 | san: "bad-san", |
| 525 | wantErr: "do not match any of the accepted SANs", |
| 526 | }, |
| 527 | { |
| 528 | desc: "SNI SAN mismatch", |
| 529 | handshakeFunc: testServerTLSHandshake, |
| 530 | rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), |
| 531 | sni: "bad-sni", |
| 532 | validateSANUsingSNI: true, |
| 533 | wantErr: "do not match the SNI", |
| 534 | enableSNIFlag: true, |
| 535 | }, |
| 536 | { |
| 537 | desc: "SNI set, AutoSniSanValidation disabled with SAN mismatch", |
| 538 | handshakeFunc: testServerTLSHandshake, |
| 539 | rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), |
| 540 | sni: defaultTestCertSAN, |
| 541 | san: "bad-san", |
| 542 | validateSANUsingSNI: false, |
| 543 | wantErr: "do not match any of the accepted SANs", |
| 544 | enableSNIFlag: true, |
| 545 | }, |
| 546 | { |
| 547 | desc: "SNI set with SAN mismatch and AutoSniSanValidation enabled, environment variable disabled", |
| 548 | handshakeFunc: testServerTLSHandshake, |
| 549 | rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), |
| 550 | sni: defaultTestCertSAN, |
| 551 | san: "bad-san", |
| 552 | validateSANUsingSNI: true, |
| 553 | wantErr: "do not match any of the accepted SANs", |
| 554 | }, |
| 555 | { |
| 556 | desc: "SNI empty, AutoSniSanValidation enabled with SAN mismatch", |
| 557 | handshakeFunc: testServerTLSHandshake, |
| 558 | rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), |
| 559 | sni: "", |