From cbb7bb28c9f4d209e17a68d6f1f2d97bef07192e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 1 Apr 2014 11:57:30 +0200
Subject: [PATCH] Added check for connection with incorrect certificate

---
 tests/Makefile.am | 4 ++--
 tests/test-pass-cert | 8 ++++++-
 tests/{test2.config => test-user-cert.config} | 2 +-
 tests/user-cert-wrong.pem | 21 +++++++++++++++++++
 4 files changed, 31 insertions(+), 4 deletions(-)
 rename tests/{test2.config => test-user-cert.config} (99%)
 create mode 100644 tests/user-cert-wrong.pem

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1e174536..8d427563 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,7 +1,7 @@
 EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.config \
- test1.passwd test2.config user-cert.pem user-key.pem test3.config test-iroute.config \
+ test1.passwd test-user-cert.config user-cert.pem user-key.pem test3.config test-iroute.config \
 user-config/test test-pass-script.config test-multi-cookie.config test-pam.config \
- test-stress.config
+ test-stress.config user-cert-wrong.pem
 dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
 test-multi-cookie test-pam test-stress
diff --git a/tests/test-pass-cert b/tests/test-pass-cert
index da28e513..edd8bfce 100755
--- a/tests/test-pass-cert
+++ b/tests/test-pass-cert
@@ -26,7 +26,7 @@ PORT=4445
 echo "Testing local backend with username-password and certificate... "
-launch_server -d -f -c test2.config & PID=$!
+launch_server -d -f -c test-user-cert.config & PID=$!
 wait_server $PID
 echo -n "Connecting to obtain cookie (without certificate)... "
@@ -41,6 +41,12 @@ echo -n "Connecting to obtain cookie (with certificate)... "
 echo ok
+echo -n "Connecting to obtain cookie (with incorrect certificate)... "
+( echo "test" | openconnect -q localhost:$PORT --sslkey ./user-key.pem -c ./user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+ fail $PID "Should not have connected with wrong certificate!"
+
+echo ok
+
 #echo "Normal connection... "
 #( echo "test" | openconnect -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
diff --git a/tests/test2.config b/tests/test-user-cert.config
similarity index 99%
rename from tests/test2.config
rename to tests/test-user-cert.config
index 1c88a6db..6dcffe9f 100644
--- a/tests/test2.config
+++ b/tests/test-user-cert.config
@@ -180,5 +180,5 @@ route = 192.168.1.0/255.255.255.0
 # certificate even if they are authenticating via a previously granted
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
-#always-require-cert = false
+cisco-client-compat = true
diff --git a/tests/user-cert-wrong.pem b/tests/user-cert-wrong.pem
new file mode 100644
index 00000000..e87f44fd
--- /dev/null
+++ b/tests/user-cert-wrong.pem
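Review bot: The new negative check `( echo "test" | openconnect ... --cookieonly >/dev/null 2>&1 ) && fail ...` treats any non-zero exit from openconnect as the server having rejected the certificate, so a purely client-side failure — `./user-key.pem` not corresponding to `./user-cert-wrong.pem`, a bad option, or the listener having gone away — makes the test pass without the CA check ever being exercised, and the `>/dev/null 2>&1` hides which of these happened. At minimum keep the client output, e.g. `--cookieonly >wrong-cert.log 2>&1 ) &&` followed by `fail $PID "Should not have connected with wrong certificate!"`, and consider asserting on the rejection text in that log once the exact message is known. The fixture also deserves a one-line comment saying what is "wrong" about it; from the base64 it looks self-signed with the same CN=A user / UID=test subject as the valid user cert, so presumably only the issuer/CA check can reject it, but that should be confirmed and stated, e.g. `# user-cert-wrong.pem: same subject as user-cert.pem but not issued by ca.pem`.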
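Review bot: The three comment lines kept as context above the new `cisco-client-compat = true` line describe the option that was removed (`always-require-cert`), so the comment now documents the wrong setting. Restore `#always-require-cert = false` under its own comment and give the new option its own explanation, e.g. `# Needed by test-pass-cert: behave as for legacy Cisco clients.` immediately above `cisco-client-compat = true`. What `cisco-client-compat` actually relaxes cannot be confirmed from this hunk, and since the wrong-certificate check in test-pass-cert runs against this config, the comment should state whether it changes when the client certificate is demanded.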
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAj2gAwIBAgIEUzqMojANBgkqhkiG9w0BAQsFADAnMQ8wDQYDVQQDEwZB
+IHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MCIYDzIwMTQwNDAxMDk1MzM5WhgP
+OTk5OTEyMzEyMzU5NTlaMCcxDzANBgNVBAMTBkEgdXNlcjEUMBIGCgmSJomT8ixk
+AQETBHRlc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCrVJj8qcYV
+lZ2mwZSElJF5HnjbLUhRmWUBAsBAUkld63C8Ju9oOR4EkeLby2+TQEUeIo5xWliJ
+KHleGjIlPoudOzR/GfjQLze3YjK3U6VDLMVd7Kz5NfoUKzRm8danodCDmlb0GYO8
+vxF0MC2oKFuiq3rGzZxc+FHpqQxI23G7sTR39+7eXXjASAo3DWUeOysUA4ly8lLt
+XwDFBmDqgCDQQ+xmvNIm2/ApPmr5YiC+WCZEuteMb3amBSDkmLfEcnpd308NI+wu
+nHHsMPkUX8h1C6tn9n37TXZkSqXV+rQIUJ0Tx4/CebC0Pi+J0zMnTZ+L02AkB6uy
+cj0ppcRK7DwE0kk+JhvsehA9ykVagItNKpZjTy1jKA87R0fKfCwVQTLV4Mm+pVUs
+s2tGKlaxG+0pAgMBAAGjVTBTMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUiwEJSzuR7OMhuR3sjWtM
+XZ5AgF4wDQYJKoZIhvcNAQELBQADggExAKQPYC2zh0Hjf9KypFNJkkdLJGbpb3cX
+vgaCuDo+PHJJqvdlq3Zg1N4u5oVaEd5IzDXWiAMZobr7V/x8adABumfrMf8Y4vvt
+PMjAqhGykwrn5vvf+AUMnnIVLPwwy99Nn7JE6Gxw6LHKi1nJ0KXeuZrVSM4DqWe8
+0cwjwfwcajwuNJ76J0B8lDlQ0Q6yWi3QyE2Gg8VLaauVownAp0BUELAxDq7VKEXW
+owE1eXpL6Yjyim+6UI/i7ruI8KhqSWTz+QAuCZmwhFvNwPFJCSp/aJnDJJyikPhu
+KoV0PFu7o6X5TTwldajlzD5IdH6CyTwMAct1HFT66vedEQ4cf/G90epg/lD6IHZU
+U9Gio9QQTX5Cdz0VpeYB3cYZ4qP4bHx2nRnWuBrtZYaEw34xeAvGLK4=
+-----END CERTIFICATE-----