From 86c40c1b0d442d8fcef4441e8dbf229e184df45a Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 14 Jan 2026 15:49:33 +0000 Subject: [PATCH 01/13] Add new X509 verification result for 'not started' Add a new verification result bitflag MBEDTLS_X509_VERIFY_NOT_STARTED to use as a safe initial value for verify_result. This is better than the current initial value which is 0 (indicating success). Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 1 + include/mbedtls/x509_crt.h | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 130c427c4f..b52c988386 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -104,6 +104,7 @@ #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */ #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */ +#define MBEDTLS_X509_VERIFY_NOT_STARTED 0x100000 /**< No verification has yet been performed (used as a safe initial value). */ /** \} name X509 Verify codes */ /** \} addtogroup x509_module */ diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 8ee7c464af..90f58ee552 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -207,7 +207,10 @@ mbedtls_x509_crt_profile; "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \ X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \ "MBEDTLS_X509_BADCRL_BAD_KEY", \ - "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") + "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") \ + X509_CRT_ERROR_INFO(MBEDTLS_X509_VERIFY_NOT_STARTED, \ + "MBEDTLS_X509_VERIFY_NOT_STARTED", \ + "No verification has yet been performed.") /** * Container for writing a certificate (CRT) From dea75cbb881dc1f64e8f353dd59d535425b57a39 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 3 Sep 2025 11:21:00 +0100 Subject: [PATCH 02/13] Set verify_result to failure by default At initialization, set the verify_result field of the ssl session to MBEDTLS_X509_VERIFY_NOT_STARTED, rather than 0 as it is by default currently. This prevents mbedtls_ssl_get_verify_result() from indicating that certificate verification has passed if it is called prior to the handshake happening. Signed-off-by: David Horstmann --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 54129891a7..2b8f8919c5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -954,6 +954,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) void mbedtls_ssl_session_init(mbedtls_ssl_session *session) { memset(session, 0, sizeof(mbedtls_ssl_session)); + /* Set verify_result to indicate failure by default. */ + session->verify_result = MBEDTLS_X509_VERIFY_NOT_STARTED; } MBEDTLS_CHECK_RETURN_CRITICAL From 0ecde06ce957c4629a7ed13a2ac37421505d4693 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 7 Oct 2025 16:07:57 +0100 Subject: [PATCH 03/13] Add non-regression test for verify_result init Write a testcase to get verify_result before we have performed a handshake and make sure that it is initialised to a failure value. Signed-off-by: David Horstmann --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 33 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6b9c73f11e..31baf27373 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3527,3 +3527,6 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI TLS fatal alert getter ssl_get_alert_after_fatal + +Default verify_result before doing a handshake +verify_result_without_handshake diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d27d959232..a02051b704 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6040,3 +6040,36 @@ exit: USE_PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +void verify_result_without_handshake(void) +{ + /* Test the result of verification before we perform a handshake. */ + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + + PSA_INIT(); + + mbedtls_ssl_init(&ssl); + mbedtls_ssl_config_init(&conf); + + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), 0); + + mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL); + + TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); + + uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl); + + TEST_EQUAL(verify_result, MBEDTLS_X509_VERIFY_NOT_STARTED); + +exit: + mbedtls_ssl_config_free(&conf); + mbedtls_ssl_free(&ssl); + PSA_DONE(); +} +/* END_CASE */ From e29d7be48e95647236275fb8dff936b4b565b544 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 8 Oct 2025 10:49:24 +0100 Subject: [PATCH 04/13] Add ChangeLog entry for verify_result hardening Signed-off-by: David Horstmann --- ChangeLog.d/verify-result-default-value.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/verify-result-default-value.txt diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt new file mode 100644 index 0000000000..d85dfe2670 --- /dev/null +++ b/ChangeLog.d/verify-result-default-value.txt @@ -0,0 +1,5 @@ +Changes + * Harden mbedtls_ssl_get_verify_result() against misuse. + Return failure if the handshake has not yet been attempted. Previously + the result of verification was zero-initialized so the function would + return 0 (indicating success). From 687a1ba9070a6269c522075d92e5068ff9a90eae Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 28 Jan 2026 17:49:19 +0000 Subject: [PATCH 05/13] Switch to a default value of -1u Since we explicitly document the value 0xFFFFFFFF or -1u as representing 'result not available', we can use it as a sensible default value without creating an API change. Use this value instead of introducing a new verification result value. Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 1 - include/mbedtls/x509_crt.h | 5 +---- library/ssl_tls.c | 4 ++-- tests/suites/test_suite_ssl.function | 2 +- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index b52c988386..130c427c4f 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -104,7 +104,6 @@ #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */ #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */ -#define MBEDTLS_X509_VERIFY_NOT_STARTED 0x100000 /**< No verification has yet been performed (used as a safe initial value). */ /** \} name X509 Verify codes */ /** \} addtogroup x509_module */ diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 90f58ee552..8ee7c464af 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -207,10 +207,7 @@ mbedtls_x509_crt_profile; "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \ X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \ "MBEDTLS_X509_BADCRL_BAD_KEY", \ - "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") \ - X509_CRT_ERROR_INFO(MBEDTLS_X509_VERIFY_NOT_STARTED, \ - "MBEDTLS_X509_VERIFY_NOT_STARTED", \ - "No verification has yet been performed.") + "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") /** * Container for writing a certificate (CRT) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2b8f8919c5..ce93417d73 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -954,8 +954,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) void mbedtls_ssl_session_init(mbedtls_ssl_session *session) { memset(session, 0, sizeof(mbedtls_ssl_session)); - /* Set verify_result to indicate failure by default. */ - session->verify_result = MBEDTLS_X509_VERIFY_NOT_STARTED; + /* Set verify_result to -1u to indicate 'result not available'. */ + session->verify_result = 0xFFFFFFFF; } MBEDTLS_CHECK_RETURN_CRITICAL diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a02051b704..f002f468e9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6065,7 +6065,7 @@ void verify_result_without_handshake(void) uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl); - TEST_EQUAL(verify_result, MBEDTLS_X509_VERIFY_NOT_STARTED); + TEST_EQUAL(verify_result, 0xFFFFFFFF); exit: mbedtls_ssl_config_free(&conf); From ff51a1a1769ee1ec2f56b18aca5f34075c21552c Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 5 Feb 2026 14:17:47 +0000 Subject: [PATCH 06/13] Initialize verify_result in session free Initialize the verify_result field in mbedtls_ssl_session_free(). Previously we were just zeroising the entire session object, which would yield a default 'success' value if the same object were reused. Test that this initialisation is actually happening by setting verify_result manually to zero and calling mbedtls_ssl_session_free() on the session before checking its value. Signed-off-by: David Horstmann --- library/ssl_tls.c | 3 +++ tests/suites/test_suite_ssl.function | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ce93417d73..ceae9b9a3e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4571,6 +4571,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session) #endif mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); + + /* Set verify_result to -1u to indicate 'result not available'. */ + session->verify_result = 0xFFFFFFFF; } #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f002f468e9..06fc4b3032 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6067,6 +6067,16 @@ void verify_result_without_handshake(void) TEST_EQUAL(verify_result, 0xFFFFFFFF); + /* Set the verify result manually and check that session_free resets it. */ + + /* Set the verify result to 0. */ + ssl.session_negotiate->verify_result = 0; + + mbedtls_ssl_session_free(ssl.session_negotiate); + + verify_result = mbedtls_ssl_get_verify_result(&ssl); + TEST_EQUAL(verify_result, 0xFFFFFFFF); + exit: mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); From 607f725563dc934e65487db6c41398027ca24d77 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 16 Feb 2026 10:57:09 +0000 Subject: [PATCH 07/13] Set verify_result in non-verification cases When we are using PSK or when authmode == MBEDTLS_SSL_VERIFY_NONE, we intentionally do not verify the certificate. In these cases, do not keep verify_result at -1u but set it to MBEDTLS_X509_BADCERT_SKIP_VERIFY to indicate that no certificate verification took place. Signed-off-by: David Horstmann --- library/ssl_tls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ceae9b9a3e..09e1ebf574 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2018,6 +2018,9 @@ int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } + /* Since we're not using a certificate, set verify_result to skipped */ + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; + /* Allow calling psa_destroy_key() on psk remove */ ssl->handshake->psk_opaque_is_internal = 1; return mbedtls_ssl_set_hs_psk_opaque(ssl, key); @@ -6980,6 +6983,7 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, ssl->handshake->ciphersuite_info; if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; return SSL_CERTIFICATE_SKIP; } @@ -8695,6 +8699,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, void *rs_ctx) { if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; return 0; } From 37e3dcf00d84f4783282d197549e85399a3ad7c7 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 16 Feb 2026 16:18:01 +0000 Subject: [PATCH 08/13] Reword ChangeLog entry We do not return failure, but return -1u which is documented as a value that indicates that the result is not available. Signed-off-by: David Horstmann --- ChangeLog.d/verify-result-default-value.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt index d85dfe2670..2cf3f0c21b 100644 --- a/ChangeLog.d/verify-result-default-value.txt +++ b/ChangeLog.d/verify-result-default-value.txt @@ -1,5 +1,5 @@ Changes * Harden mbedtls_ssl_get_verify_result() against misuse. - Return failure if the handshake has not yet been attempted. Previously - the result of verification was zero-initialized so the function would - return 0 (indicating success). + If the handshake has not yet been attempted, return -1u to indicate + that the result is not available. Previously the result of verification + was zero-initialized so the function would return 0 (indicating success). From 624fc2e0de8e28f687cb3de0ebfb3f830db02ee9 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 10 Mar 2026 15:08:04 +0000 Subject: [PATCH 09/13] Move TLS 1.3 verify-result setting for PSK When we are doing PSK, we'd like to set verify_result to MBEDTLS_X509_BADCERT_SKIP_VERIFY. Previously this was done in mbedtls_ssl_set_hs_psk() but this is inadequate since this function may be called for early data (where certificate verification happens later in the handshake. Instead, set this value after writing / processing the encrypted extensions on the server / client respectively, so that we know whether we are doing certificate verification or not for sure. This change is effective only for TLS 1.3 as TLS 1.2 sets verify_result for PSK in ssl_parse_certificate_coordinate(). Signed-off-by: David Horstmann --- library/ssl_tls.c | 3 --- library/ssl_tls13_client.c | 3 +++ library/ssl_tls13_server.c | 3 +++ 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 09e1ebf574..bf459b473e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2018,9 +2018,6 @@ int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - /* Since we're not using a certificate, set verify_result to skipped */ - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; - /* Allow calling psa_destroy_key() on psk remove */ ssl->handshake->psk_opaque_is_internal = 1; return mbedtls_ssl_set_hs_psk_opaque(ssl, key); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b7b075cc97..9b7ca82f91 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2264,6 +2264,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); + + /* Since we're not using a certificate, set verify_result to skipped */ + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; } else { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 982e6f8c3b..270dcd0e6e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2616,6 +2616,9 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); + + /* Since we're not using a certificate, set verify_result to skipped */ + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; } else { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); } From c6e1d67b1b91e203b3046add717be221cbfe80a2 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 11 Mar 2026 09:55:41 +0000 Subject: [PATCH 10/13] ssl-opt.sh: Check for cert verify skipped Check that the message "! Certificate verification was skipped" is present in the output when auth_mode=none. This indicates that the certificate verify flag MBEDTLS_X509_BADCERT_SKIP_VERIFY was correctly set. Signed-off-by: David Horstmann --- tests/ssl-opt.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ab727e6a48..4222768949 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5772,6 +5772,7 @@ run_test "Authentication: server badcert, client none" \ key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 auth_mode=none" \ 0 \ + -c "! Certificate verification was skipped" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ @@ -5783,12 +5784,14 @@ run_test "Authentication: server badcert, client none (1.2)" \ key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \ 0 \ + -c "! Certificate verification was skipped" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ -C "X509 - Certificate verification failed" + run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ @@ -5837,6 +5840,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \ 0 \ + -c "! Certificate verification was skipped" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ @@ -5844,11 +5848,13 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \ -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \ "$P_SRV" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \ 0 \ + -c "! Certificate verification was skipped" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ @@ -5856,6 +5862,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" + # The next few tests check what happens if the server has a valid certificate # that does not match its name (impersonation). @@ -5939,12 +5946,14 @@ run_test "Authentication: hostname mismatch, client none" \ "$P_SRV" \ "$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \ 0 \ + -c "! Certificate verification was skipped" \ -C "does not match with the expected CN" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "X509 - Certificate verification failed" + run_test "Authentication: hostname null, client required" \ "$P_SRV" \ "$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \ @@ -5970,12 +5979,14 @@ run_test "Authentication: hostname null, client none" \ "$P_SRV" \ "$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \ 0 \ + -c "! Certificate verification was skipped" \ -C "does not match with the expected CN" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "X509 - Certificate verification failed" + run_test "Authentication: hostname unset, client required" \ "$P_SRV" \ "$P_CLI auth_mode=required set_hostname=no debug_level=2" \ @@ -6015,6 +6026,7 @@ run_test "Authentication: hostname unset, client none" \ "$P_SRV" \ "$P_CLI auth_mode=none set_hostname=no debug_level=2" \ 0 \ + -c "! Certificate verification was skipped" \ -C "does not match with the expected CN" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ @@ -6173,6 +6185,7 @@ run_test "Authentication: client badcert, server none" \ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ key_file=$DATA_FILES_PATH/server5.key" \ 0 \ + -s "! Certificate verification was skipped" \ -s "skip write certificate request" \ -C "skip parse certificate request" \ -c "got no certificate request" \ @@ -6280,6 +6293,7 @@ run_test "Authentication: server max_int+1 chain, client none" \ "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \ auth_mode=none" \ 0 \ + -c "! Certificate verification was skipped" \ -C "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA From 708b401697b70bd8c5bca84b47ff0c1487482c54 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 11 Mar 2026 11:39:35 +0000 Subject: [PATCH 11/13] ssl-opt.sh Check for cert verify skipped In testcases in opt-testcases/tls13kex-modes.sh, check for the setting of the failure flag MBEDTLS_X509_BADCERT_SKIP_VERIFY by looking for the string "! Certificate verification was skipped" in the output in cases where the key exchange is negotiated to use PSK. Note that this check for output is only added to the success cases since the negative tests fail before this string is printed. Signed-off-by: David Horstmann --- tests/opt-testcases/tls13-kex-modes.sh | 170 +++++++++++++++++-------- 1 file changed, 119 insertions(+), 51 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 1bb251fdb8..8229dd01ae 100644 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -26,7 +26,8 @@ run_test "TLS 1.3: G->m: all/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" \ requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -87,7 +88,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -148,7 +150,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -209,7 +212,8 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -290,7 +294,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -354,7 +359,8 @@ run_test "TLS 1.3: G->m: all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -418,7 +424,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -916,7 +923,8 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp256r1) check, good" \ -s "write selected_group: secp256r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -933,7 +941,8 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp384r1) check, good" \ -s "write selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -950,7 +959,8 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp521r1) check, good" \ -s "write selected_group: secp521r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -967,7 +977,8 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(x25519) check, good" \ -s "write selected_group: x25519" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -984,7 +995,8 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(x448) check, good" \ -s "write selected_group: x448" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1022,7 +1034,8 @@ run_test "TLS 1.3: O->m: all/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1080,7 +1093,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1138,7 +1152,8 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1197,7 +1212,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1258,7 +1274,8 @@ run_test "TLS 1.3: O->m: all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1628,7 +1645,8 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \ -s "write selected_group: secp256r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1645,7 +1663,8 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \ -s "write selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1662,7 +1681,8 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \ -s "write selected_group: secp521r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1679,7 +1699,8 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \ -s "write selected_group: x25519" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1696,7 +1717,8 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \ -s "write selected_group: x448" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1713,7 +1735,8 @@ run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ -s "HRR selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_gnutls_next_no_ticket @@ -1732,7 +1755,8 @@ run_test "TLS 1.3 G->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ -s "HRR selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" # Add psk test cases for mbedtls client code @@ -1751,7 +1775,9 @@ run_test "TLS 1.3: m->m: psk/psk, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1835,7 +1861,9 @@ run_test "TLS 1.3: m->m: psk/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1880,7 +1908,9 @@ run_test "TLS 1.3: m->m: psk/all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1940,7 +1970,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1995,7 +2027,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2038,7 +2072,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2083,7 +2119,9 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2215,7 +2253,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2319,7 +2359,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2413,7 +2455,9 @@ run_test "TLS 1.3: m->m: psk_all/psk, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2456,7 +2500,9 @@ run_test "TLS 1.3: m->m: psk_all/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2515,7 +2561,9 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2560,7 +2608,9 @@ run_test "TLS 1.3: m->m: psk_all/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2605,7 +2655,9 @@ run_test "TLS 1.3: m->m: psk_all/all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2652,7 +2704,9 @@ run_test "TLS 1.3: m->m: all/psk, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2699,7 +2753,9 @@ run_test "TLS 1.3: m->m: all/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2810,7 +2866,9 @@ run_test "TLS 1.3: m->m: all/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2906,7 +2964,8 @@ run_test "TLS 1.3: m->O: psk/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2941,7 +3000,8 @@ run_test "TLS 1.3: m->O: psk_all/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2959,7 +3019,8 @@ run_test "TLS 1.3: m->O: psk_all/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" #OPENSSL-SERVER psk_ephemeral mode requires_openssl_tls1_3_with_compatible_ephemeral @@ -2977,7 +3038,8 @@ run_test "TLS 1.3: m->O: psk_ephemeral/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2994,7 +3056,8 @@ run_test "TLS 1.3: m->O: psk_ephemeral/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" #OPENSSL-SERVER ephemeral mode requires_openssl_tls1_3_with_compatible_ephemeral @@ -3115,7 +3178,8 @@ run_test "TLS 1.3: m->G: psk/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3154,7 +3218,8 @@ run_test "TLS 1.3: m->G: psk_all/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3174,7 +3239,8 @@ run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" #GNUTLS-SERVER psk_ephemeral mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3194,7 +3260,8 @@ run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3213,7 +3280,8 @@ run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" #GNUTLS-SERVER ephemeral mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 From 868bea42a17339fcafa782e363e0a800284296ce Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 12 Mar 2026 17:50:03 +0000 Subject: [PATCH 12/13] Only check for verify skipped if we have certs Check for the 'Certificate verification was skipped' message only when the testcase depends on MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED since in other cases certificates may not be enabled at all and this message will not be printed in the output. Signed-off-by: David Horstmann --- tests/opt-testcases/tls13-kex-modes.sh | 275 +++++++++++++------------ 1 file changed, 139 insertions(+), 136 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 8229dd01ae..f0984c5fb2 100644 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -26,8 +26,7 @@ run_test "TLS 1.3: G->m: all/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" \ + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -88,8 +87,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -150,8 +148,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -212,8 +209,7 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -294,8 +290,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -359,8 +354,7 @@ run_test "TLS 1.3: G->m: all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -424,8 +418,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -489,7 +482,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -510,7 +504,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch, -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -531,7 +526,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, fail, key material mism -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -553,7 +549,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -574,7 +571,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -595,7 +593,8 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -618,7 +617,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -641,7 +641,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -663,7 +664,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -685,7 +687,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -708,7 +711,8 @@ run_test "TLS 1.3: G->m: all/all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -730,7 +734,8 @@ run_test "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -752,7 +757,8 @@ run_test "TLS 1.3: G->m: all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -775,7 +781,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -797,7 +804,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -820,7 +828,8 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -842,7 +851,8 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -863,7 +873,8 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -885,7 +896,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -906,7 +918,8 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, fail, key materia -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -923,8 +936,7 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp256r1) check, good" \ -s "write selected_group: secp256r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -941,8 +953,7 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp384r1) check, good" \ -s "write selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -959,8 +970,7 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(secp521r1) check, good" \ -s "write selected_group: secp521r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -977,8 +987,7 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(x25519) check, good" \ -s "write selected_group: x25519" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -995,8 +1004,7 @@ run_test "TLS 1.3: G->m: psk_ephemeral group(x448) check, good" \ -s "write selected_group: x448" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1034,8 +1042,7 @@ run_test "TLS 1.3: O->m: all/psk, good" \ -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1093,8 +1100,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1152,8 +1158,7 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1212,8 +1217,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1274,8 +1278,7 @@ run_test "TLS 1.3: O->m: all/psk_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1336,7 +1339,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1356,7 +1360,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch, -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1376,7 +1381,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, fail, key material mism -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1397,7 +1403,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1417,7 +1424,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1437,7 +1445,8 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1459,7 +1468,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1480,7 +1490,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1501,7 +1512,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1523,7 +1535,8 @@ run_test "TLS 1.3: O->m: all/all, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1544,7 +1557,8 @@ run_test "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1565,7 +1579,8 @@ run_test "TLS 1.3: O->m: all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1587,7 +1602,8 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \ -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1608,7 +1624,8 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, good" \ -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -s "key exchange mode: ephemeral" + -s "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1628,7 +1645,8 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" + -S "key exchange mode: ephemeral" \ + -s "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1645,8 +1663,7 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \ -s "write selected_group: secp256r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1663,8 +1680,7 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \ -s "write selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1681,8 +1697,7 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \ -s "write selected_group: secp521r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1699,8 +1714,7 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \ -s "write selected_group: x25519" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1717,8 +1731,7 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \ -s "write selected_group: x448" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1735,8 +1748,7 @@ run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ -s "HRR selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_gnutls_next_no_ticket @@ -1755,8 +1767,7 @@ run_test "TLS 1.3 G->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ -s "HRR selected_group: secp384r1" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" # Add psk test cases for mbedtls client code @@ -1775,9 +1786,7 @@ run_test "TLS 1.3: m->m: psk/psk, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1861,9 +1870,7 @@ run_test "TLS 1.3: m->m: psk/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1970,9 +1977,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2072,9 +2077,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2314,7 +2317,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/ephemeral_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2408,7 +2413,9 @@ run_test "TLS 1.3: m->m: ephemeral_all/all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2455,9 +2462,7 @@ run_test "TLS 1.3: m->m: psk_all/psk, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2500,9 +2505,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_ephemeral, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2608,9 +2611,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" \ - -s "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2818,7 +2819,9 @@ run_test "TLS 1.3: m->m: all/ephemeral_all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2915,7 +2918,9 @@ run_test "TLS 1.3: m->m: all/all, good" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" \ + -s "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2964,8 +2969,7 @@ run_test "TLS 1.3: m->O: psk/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 ok" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 ok" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3000,8 +3004,7 @@ run_test "TLS 1.3: m->O: psk_all/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 ok" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3019,8 +3022,7 @@ run_test "TLS 1.3: m->O: psk_all/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 ok" #OPENSSL-SERVER psk_ephemeral mode requires_openssl_tls1_3_with_compatible_ephemeral @@ -3038,8 +3040,7 @@ run_test "TLS 1.3: m->O: psk_ephemeral/all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 ok" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3056,8 +3057,7 @@ run_test "TLS 1.3: m->O: psk_ephemeral/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 ok" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 ok" #OPENSSL-SERVER ephemeral mode requires_openssl_tls1_3_with_compatible_ephemeral @@ -3101,7 +3101,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/all, good" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ -c "<= write client hello" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3119,7 +3120,8 @@ run_test "TLS 1.3: m->O: ephemeral_all/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ -c "<= write client hello" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" #OPENSSL-SERVER all mode requires_openssl_tls1_3_with_compatible_ephemeral @@ -3139,7 +3141,8 @@ run_test "TLS 1.3: m->O: all/all, good" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ -c "<= write client hello" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3158,7 +3161,8 @@ run_test "TLS 1.3: m->O: all/ephemeral_all, good" \ -c "client hello, adding PSK binder list" \ -c "Selected key exchange mode: psk_ephemeral" \ -c "<= write client hello" \ - -c "HTTP/1.0 200 ok" + -c "HTTP/1.0 200 ok" \ + -c "! Certificate verification was skipped" #GNUTLS-SERVER psk mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3178,8 +3182,7 @@ run_test "TLS 1.3: m->G: psk/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk$" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3218,8 +3221,7 @@ run_test "TLS 1.3: m->G: psk_all/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3239,8 +3241,7 @@ run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" #GNUTLS-SERVER psk_ephemeral mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3260,8 +3261,7 @@ run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3280,8 +3280,7 @@ run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" \ - -c "! Certificate verification was skipped" + -c "HTTP/1.0 200 OK" #GNUTLS-SERVER ephemeral mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3327,7 +3326,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3347,7 +3347,8 @@ run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" #GNUTLS-SERVER all mode requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -3369,7 +3370,8 @@ run_test "TLS 1.3: m->G: all/all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_gnutls_tls1_3 @@ -3390,4 +3392,5 @@ run_test "TLS 1.3: m->G: all/ephemeral_all, good" \ -s "Parsing extension 'Pre Shared Key/41'" \ -c "<= write client hello" \ -c "Selected key exchange mode: psk_ephemeral" \ - -c "HTTP/1.0 200 OK" + -c "HTTP/1.0 200 OK" \ + -c "! Certificate verification was skipped" From 937c70ac903bdc8fe0263e33dbcfca4b7bc0031b Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 13 Mar 2026 18:04:16 +0000 Subject: [PATCH 13/13] Do not check fail cases for verify skipped In testcases where we are expecting handshake failure the message "Certificate verification was skipped" is not printed, so do not check for it. Signed-off-by: David Horstmann --- tests/opt-testcases/tls13-kex-modes.sh | 36 +++++++++----------------- 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index f0984c5fb2..a8864559e8 100644 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -526,8 +526,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, fail, key material mism -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -593,8 +592,7 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -687,8 +685,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -757,8 +754,7 @@ run_test "TLS 1.3: G->m: all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -804,8 +800,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -873,8 +868,7 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -918,8 +912,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, fail, key materia -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1381,8 +1374,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, fail, key material mism -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1445,8 +1437,7 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1512,8 +1503,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1579,8 +1569,7 @@ run_test "TLS 1.3: O->m: all/all, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1645,8 +1634,7 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, fail, key material mismatch" \ -s "Invalid binder." \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" \ - -s "! Certificate verification was skipped" + -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3