@Test // Access https server via socks proxy with a hostname that doesn't resolve // the hostname may resolve at the proxy if that is accessing another DNS // we simulate this by mapping the hostname to localhost:xxx in the test proxy code public void testSocksProxyUnknownHost() throws Exception { startProxy(null, ProxyType.SOCKS5); proxy.setForceUri("localhost:4043"); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.SOCKS5) .connectHostname("doesnt-resolve.host-name").clientTrustAll().clientVerifyHost(false).pass(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "doesnt-resolve.host-name:4043", proxy.getLastUri()); } }
@Test
// SNI with a PEM-backed server keystore: the client requests host5.com and the server
// must pick the certificate whose CN is host5.com. Host verification is disabled so
// the assertion below is about certificate *selection*, not hostname validation.
public void testSNISubjectAltenativeNameCNMatch2PEM() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PEM, Trust.NONE)
      .serverSni()
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(peerCert));
}
@Test // Client provides SNI unknown to the server and server responds with the default certificate (first) public void testSNIUnknownServerName2() throws Exception { TLSTest test = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE) .serverSni() .clientVerifyHost(false) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("unknown.com")) .pass(); assertEquals("localhost", TestUtils.cnOf(test.clientPeerCert())); assertEquals("unknown.com", test.indicatedServerName); }
@Test
// A single-label host name ("host1") must not be sent as the SNI server name:
// after the handshake the server must have seen no indicated name at all.
public void testSNIDontSendServerNameForShortnames2() throws Exception {
  RequestOptions shortNameRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host1");
  TLSTest tlsTest = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE)
      .clientVerifyHost(false)
      .serverSni()
      .requestOptions(shortNameRequest)
      .pass();
  assertEquals(null, tlsTest.indicatedServerName);
}
@Test // Test host verification with a CN matching localhost public void testTLSVerifyMatchingHost() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientVerifyHost().pass(); }
@Test
// SNI with a JKS server keystore: the client requests host5.com and the server must
// select the certificate whose CN is host5.com. Host verification is disabled so the
// assertion is about certificate *selection*, not hostname validation.
public void testSNISubjectAltenativeNameCNMatch2() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE)
      .serverSni()
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(peerCert));
}
@Test // Test host verification with a CN NOT matching localhost public void testTLSVerifyNonMatchingHostOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_MIM, Trust.NONE).clientVerifyHost().clientOpenSSL().fail(); }
@Test // Test host verification with a CN matching localhost public void testTLSVerifyMatchingHostOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientVerifyHost().clientOpenSSL().pass(); }
@Test // Access https server via connect proxy with a hostname that doesn't resolve // the hostname may resolve at the proxy if that is accessing another DNS // we simulate this by mapping the hostname to localhost:xxx in the test proxy code public void testHttpsProxyUnknownHost() throws Exception { startProxy(null, ProxyType.HTTP); proxy.setForceUri("localhost:4043"); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.HTTP) .connectHostname("doesnt-resolve.host-name").clientTrustAll().clientVerifyHost(false).pass(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "doesnt-resolve.host-name:4043", proxy.getLastUri()); assertEquals("Host header doesn't contain target host", "doesnt-resolve.host-name:4043", proxy.getLastRequestHeaders().get("Host")); assertEquals("Host header doesn't contain target host", HttpMethod.CONNECT, proxy.getLastMethod()); }
@Test // Access https server via socks proxy with a hostname that doesn't resolve // the hostname may resolve at the proxy if that is accessing another DNS // we simulate this by mapping the hostname to localhost:xxx in the test proxy code public void testSocksProxyUnknownHost() throws Exception { startProxy(null, ProxyType.SOCKS5); proxy.setForceUri("localhost:4043"); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.SOCKS5) .connectHostname("doesnt-resolve.host-name").clientTrustAll().clientVerifyHost(false).pass(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "doesnt-resolve.host-name:4043", proxy.getLastUri()); } }
@Test
// SNI with a PEM-backed server keystore: the client requests host5.com and the server
// must pick the certificate whose CN is host5.com. Host verification is disabled so
// the assertion below is about certificate *selection*, not hostname validation.
public void testSNISubjectAltenativeNameCNMatch2PEM() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PEM, Trust.NONE)
      .serverSni()
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(peerCert));
}
@Test
// SNI with a PKCS12 server keystore: the client requests host5.com and the server must
// pick the certificate whose CN is host5.com. Host verification is disabled so the
// assertion below is about certificate *selection*, not hostname validation.
public void testSNISubjectAltenativeNameCNMatch2PKCS12() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PKCS12, Trust.NONE)
      .serverSni()
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(peerCert));
}
@Test
// The client sends SNI for host2.com but the server is NOT configured for SNI
// (no serverSni()), so it ignores the extension and serves its single default
// certificate. The test checks that a certificate is still delivered and that it is
// the default one (CN localhost), not one selected by name.
public void testSNIServerIgnoresExtension2() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host2.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE)
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("localhost", TestUtils.cnOf(peerCert));
}
@Test
// A single-label host name ("host1") must not be sent as the SNI server name:
// after the handshake the server must have seen no indicated name at all.
public void testSNIDontSendServerNameForShortnames2() throws Exception {
  RequestOptions shortNameRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host1");
  TLSTest tlsTest = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE)
      .clientVerifyHost(false)
      .serverSni()
      .requestOptions(shortNameRequest)
      .pass();
  assertEquals(null, tlsTest.indicatedServerName);
}
@Test // Test host verification with a CN NOT matching localhost public void testTLSVerifyNonMatchingHostOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_MIM, Trust.NONE).clientVerifyHost().clientOpenSSL().fail(); }
@Test // Test host verification with a CN matching localhost public void testTLSVerifyMatchingHostOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientVerifyHost().clientOpenSSL().pass(); }
@Test // Test host verification with a CN matching localhost public void testTLSVerifyMatchingHost() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientVerifyHost().pass(); }
@Test // Client provides SNI unknown to the server and server responds with the default certificate (first) public void testSNIUnknownServerName2() throws Exception { TLSTest test = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE) .serverSni() .clientVerifyHost(false) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("unknown.com")) .pass(); assertEquals("localhost", TestUtils.cnOf(test.clientPeerCert())); assertEquals("unknown.com", test.indicatedServerName); }
@Test // Test host verification with a CN NOT matching localhost public void testTLSVerifyNonMatchingHost() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_MIM, Trust.NONE).clientVerifyHost().fail(); }
@Test
// SNI with a JKS server keystore: the client requests host5.com and the server must
// select the certificate whose CN is host5.com. Host verification is disabled so the
// assertion is about certificate *selection*, not hostname validation.
public void testSNISubjectAltenativeNameCNMatch2() throws Exception {
  RequestOptions sniRequest = new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com");
  X509Certificate peerCert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE)
      .serverSni()
      .clientVerifyHost(false)
      .requestOptions(sniRequest)
      .pass()
      .clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(peerCert));
}