@Test // SNI without server name should use the first keystore entry public void testSniWithoutServerNameUsesTheFirstKeyStoreEntry1() throws Exception { TLSTest test = new TLSTest() .clientTrust(Trust.SERVER_JKS) .serverCert(Cert.SNI_JKS).sni(true); test.run(true); await(); assertEquals("localhost", cnOf(test.clientPeerCert())); }
/**
 * Requests {@code www.host4.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_PKCS12}, then checks which certificate the client received.
 *
 * <p>The asserted CN ({@code "host4.com certificate"}) is not a host name, so the host check is
 * presumably satisfied by a subject alternative name, as the test name says.
 */
@Test
public void testSNISubjectAlternativeNameMatch2PKCS12() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host4.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST4, Cert.SNI_PKCS12, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host4.com certificate", TestUtils.cnOf(served));
}
/**
 * Requests {@code www.host4.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_PEM}, then checks which certificate the client received.
 *
 * <p>The asserted CN ({@code "host4.com certificate"}) is not a host name, so the host check is
 * presumably satisfied by a subject alternative name, as the test name says.
 */
@Test
public void testSNISubjectAlternativeNameMatch2PEM() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host4.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST4, Cert.SNI_PEM, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host4.com certificate", TestUtils.cnOf(served));
}
/**
 * Requests {@code host4.com} over TLS on port 4043 from a server that has SNI enabled and serves
 * {@code Cert.SNI_JKS}; the client trusts {@code Trust.SNI_JKS_HOST4}.
 *
 * <p>The certificate received must carry the CN {@code "host4.com certificate"}. That CN is not a
 * host name, so the host check is presumably satisfied by a subject alternative name.
 */
@Test
public void testSNISubjectAlternativeNameMatch1() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host4.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST4, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host4.com certificate", TestUtils.cnOf(served));
}
/**
 * Requests {@code www.host4.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_JKS}; the client trusts {@code Trust.SNI_JKS_HOST4}.
 *
 * <p>The certificate received must carry the CN {@code "host4.com certificate"}. That CN is not a
 * host name, so the host check is presumably satisfied by a subject alternative name.
 */
@Test
public void testSNISubjectAlternativeNameMatch2() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host4.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST4, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host4.com certificate", TestUtils.cnOf(served));
}
/**
 * Client provides SNI and the server responds with a matching certificate for the indicated
 * server name.
 *
 * <p>The server serves {@code Cert.SNI_PEM} with SNI enabled, the client trusts
 * {@code Trust.SNI_JKS_HOST2} and requests {@code host2.com} on port 4043. The certificate
 * received must carry the CN {@code host2.com}.
 */
@Test
public void testSNITrustPEM() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host2.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_PEM, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host2.com", TestUtils.cnOf(served));
}
/**
 * Requests {@code host4.com} over TLS on port 4043 from a server that has SNI enabled and serves
 * {@code Cert.SNI_PEM}; the client trusts {@code Trust.SNI_JKS_HOST4}.
 *
 * <p>The certificate received must carry the CN {@code "host4.com certificate"}. That CN is not a
 * host name, so the host check is presumably satisfied by a subject alternative name.
 */
@Test
public void testSNISubjectAlternativeNameMatch1PEM() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host4.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST4, Cert.SNI_PEM, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host4.com certificate", TestUtils.cnOf(served));
}
/**
 * Requests {@code www.host5.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_JKS}; the client trusts {@code Trust.SNI_JKS_HOST5}.
 *
 * <p>The certificate received must carry the CN {@code host5.com}. The CN differs from the
 * requested host, so per the test name the match is expected to come from a wildcard subject
 * alternative name. NOTE(review): confirm the SAN entries in the fixture.
 */
@Test
public void testSNISubjectAlternativeNameWildcardMatch() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host5.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(served));
}
/**
 * Client provides SNI and the server responds with a matching certificate for the indicated
 * server name.
 *
 * <p>The server serves {@code Cert.SNI_PKCS12} with SNI enabled, the client trusts
 * {@code Trust.SNI_JKS_HOST2} and requests {@code host2.com} on port 4043. The certificate
 * received must carry the CN {@code host2.com}.
 */
@Test
public void testSNITrustPKCS12() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host2.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_PKCS12, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host2.com", TestUtils.cnOf(served));
}
/**
 * Requests {@code www.host5.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_PKCS12}; the client trusts {@code Trust.SNI_JKS_HOST5}.
 *
 * <p>The certificate received must carry the CN {@code host5.com}. The CN differs from the
 * requested host, so per the test name the match is expected to come from a wildcard subject
 * alternative name. NOTE(review): confirm the SAN entries in the fixture.
 */
@Test
public void testSNISubjectAlternativeNameWildcardMatchPKCS12() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host5.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PKCS12, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(served));
}
/**
 * Requests {@code www.host5.com} over TLS on port 4043 from a server that has SNI enabled and
 * serves {@code Cert.SNI_PEM}; the client trusts {@code Trust.SNI_JKS_HOST5}.
 *
 * <p>The certificate received must carry the CN {@code host5.com}. The CN differs from the
 * requested host, so per the test name the match is expected to come from a wildcard subject
 * alternative name. NOTE(review): confirm the SAN entries in the fixture.
 */
@Test
public void testSNISubjectAlternativeNameWildcardMatchPEM() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("www.host5.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PEM, Trust.NONE)
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(served));
}
/**
 * Connects to the short host name {@code host1} on port 4043 without setting an explicit server
 * name; the client trusts {@code Trust.SERVER_JKS} and the server serves {@code Cert.SNI_JKS}
 * with SNI enabled.
 *
 * <p>The certificate received must carry the CN {@code localhost}, i.e. not a {@code host1}
 * entry. Per the test name, this is because no server name is derived implicitly from a short
 * host name. NOTE(review): the test does not assert the indicated server name itself.
 */
@Test
public void testSniImplicitServerNameDisabledForShortname2() throws Exception {
  TLSTest test = new TLSTest()
    .clientTrust(Trust.SERVER_JKS)
    .address(SocketAddress.inetSocketAddress(4043, "host1"))
    .serverCert(Cert.SNI_JKS)
    .sni(true);
  // NOTE(review): the flag passed to run() presumably means "expect the exchange to succeed" - confirm.
  test.run(true);
  await();
  String peerCn = cnOf(test.clientPeerCert());
  assertEquals("localhost", peerCn);
}
/**
 * Connects to the address {@code example.com:4043} while explicitly setting the server name to
 * {@code host2.com}; the client trusts {@code Trust.SNI_JKS_HOST2} and the server serves
 * {@code Cert.SNI_JKS} with SNI enabled.
 *
 * <p>The certificate received must carry the CN {@code host2.com}, so the explicit server name,
 * not the address host, decides which certificate is selected.
 */
@Test
public void testSniOverrideServerName() throws Exception {
  TLSTest test = new TLSTest()
    .clientTrust(Trust.SNI_JKS_HOST2)
    .address(SocketAddress.inetSocketAddress(4043, "example.com"))
    .serverName("host2.com")
    .serverCert(Cert.SNI_JKS)
    .sni(true);
  // NOTE(review): the flag passed to run() presumably means "expect the exchange to succeed" - confirm.
  test.run(true);
  await();
  String peerCn = cnOf(test.clientPeerCert());
  assertEquals("host2.com", peerCn);
}
/**
 * Requests {@code host5.com} over TLS on port 4043 with client host verification switched off;
 * the server has SNI enabled and serves {@code Cert.SNI_JKS}, the client trusts
 * {@code Trust.SNI_JKS_HOST5}.
 *
 * <p>The certificate received must carry the CN {@code host5.com}. Because
 * {@code clientVerifyHost(false)} is set, this test only shows which certificate SNI selects; it
 * says nothing about whether that certificate would pass host name verification.
 * NOTE(review): presumably verification is disabled because the certificate's subject alternative
 * names do not cover the bare {@code host5.com} name - confirm against the fixture.
 */
@Test
public void testSNISubjectAltenativeNameCNMatch2() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host5.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .clientVerifyHost(false)
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host5.com", TestUtils.cnOf(served));
}
/**
 * Connects to the address {@code host2.com:4043} without setting an explicit server name; the
 * client trusts {@code Trust.SNI_JKS_HOST2} and the server serves {@code Cert.SNI_JKS} with SNI
 * enabled.
 *
 * <p>Two things are asserted: the certificate received carries the CN {@code host2.com}, and the
 * server name recorded in {@code test.indicatedServerName} is {@code host2.com}, i.e. the
 * address host was used as the indicated server name.
 */
@Test
public void testSniImplicitServerName() throws Exception {
  TLSTest test = new TLSTest()
    .clientTrust(Trust.SNI_JKS_HOST2)
    .address(SocketAddress.inetSocketAddress(4043, "host2.com"))
    .serverCert(Cert.SNI_JKS)
    .sni(true);
  // NOTE(review): the flag passed to run() presumably means "expect the exchange to succeed" - confirm.
  test.run(true);
  await();
  String peerCn = cnOf(test.clientPeerCert());
  assertEquals("host2.com", peerCn);
  assertEquals("host2.com", test.indicatedServerName);
}
/**
 * Connects to the short host name {@code host1} on port 4043 and also sets the server name to
 * {@code host1} explicitly; the client trusts {@code Trust.SNI_JKS_HOST1} and the server serves
 * {@code Cert.SNI_JKS} with SNI enabled.
 *
 * <p>The certificate received must carry the CN {@code host1}, so an explicitly configured short
 * name does select the matching certificate.
 */
@Test
public void testSniForceShortname() throws Exception {
  TLSTest test = new TLSTest()
    .clientTrust(Trust.SNI_JKS_HOST1)
    .address(SocketAddress.inetSocketAddress(4043, "host1"))
    .serverName("host1")
    .serverCert(Cert.SNI_JKS)
    .sni(true);
  // NOTE(review): the flag passed to run() presumably means "expect the exchange to succeed" - confirm.
  test.run(true);
  await();
  String peerCn = cnOf(test.clientPeerCert());
  assertEquals("host1", peerCn);
}
@Test // Client provides SNI unknown to the server and server responds with the default certificate (first) public void testSNIUnknownServerName2() throws Exception { TLSTest test = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE) .serverSni() .clientVerifyHost(false) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("unknown.com")) .pass(); assertEquals("localhost", TestUtils.cnOf(test.clientPeerCert())); assertEquals("unknown.com", test.indicatedServerName); }
/**
 * Checks SNI certificate selection when both client and server also use ALPN.
 *
 * <p>The client trusts {@code Trust.SNI_JKS_HOST2} and requests {@code host2.com} on port 4043;
 * the server has SNI enabled and serves {@code Cert.SNI_JKS}. The certificate received must carry
 * the CN {@code host2.com}.
 */
@Test
public void testSNIWithALPN() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host2.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .clientUsesAlpn()
    .serverUsesAlpn()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host2.com", TestUtils.cnOf(served));
}
/**
 * Checks SNI certificate selection when both client and server are switched to OpenSSL via
 * {@code clientOpenSSL()} and {@code serverOpenSSL()}.
 *
 * <p>The client trusts {@code Trust.SNI_JKS_HOST2} and requests {@code host2.com} on port 4043;
 * the server has SNI enabled and serves {@code Cert.SNI_JKS}. The certificate received must carry
 * the CN {@code host2.com}.
 */
@Test
public void testSNIWithOpenSSL() throws Exception {
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host2.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE)
    .clientOpenSSL()
    .serverOpenSSL()
    .serverSni()
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertEquals("host2.com", TestUtils.cnOf(served));
}
/**
 * Shared body for the proxy + SNI tests: starts a proxy of the given type, sends a TLS request
 * for {@code host2.com:4043} through it, and checks both the proxy's view and the certificate.
 *
 * <p>Assertions, in order: the proxy recorded a URI at all (the connection really went through
 * it); that URI is the literal {@code host2.com:4043}, i.e. the host name reached the proxy
 * unresolved; and the certificate received carries the CN {@code host2.com}.
 *
 * @param proxyType the kind of proxy to start and to route the client through
 * @throws Exception if the proxy or the TLS exchange fails
 */
private void testProxyWithSNI(ProxyType proxyType) throws Exception {
  startProxy(null, proxyType);
  RequestOptions request = new RequestOptions()
    .setSsl(true)
    .setPort(4043)
    .setHost("host2.com");
  // NOTE(review): argument order is presumably (client cert, client trust, server cert,
  // server trust) - confirm against testTLS.
  TLSTest outcome = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE)
    .serverSni()
    .useProxy(proxyType)
    .requestOptions(request)
    .pass();
  X509Certificate served = outcome.clientPeerCert();
  assertNotNull("connection didn't access the proxy", proxy.getLastUri());
  assertEquals("hostname resolved but it shouldn't be", "host2.com:4043", proxy.getLastUri());
  assertEquals("host2.com", TestUtils.cnOf(served));
}