don't force clients to use tls.Config.InsecureSkipVerify when using mint

mint recently implemented certificate verification.
This reverts commit d76f5a839c.
Marten Seemann 2018-02-01 10:59:53 +08:00
parent 1cc209e4fb
commit d671cf134c
4 changed files with 7 additions and 32 deletions


@ -43,10 +43,7 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
})
It("sets the server name", func() {
conf := &tls.Config{
ServerName: "www.example.com",
InsecureSkipVerify: true,
}
conf := &tls.Config{ServerName: "www.example.com"}
mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
Expect(err).ToNot(HaveOccurred())
Expect(mintConf.ServerName).To(Equal("www.example.com"))
@ -54,40 +51,25 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
It("sets the certificate chain", func() {
tlsConf := testdata.GetTLSConfig()
tlsConf.InsecureSkipVerify = true
mintConf, err := tlsToMintConfig(tlsConf, protocol.PerspectiveClient)
Expect(err).ToNot(HaveOccurred())
Expect(mintConf.Certificates).ToNot(BeEmpty())
Expect(mintConf.Certificates).To(HaveLen(len(tlsConf.Certificates)))
})
It("forces the application to set InsecureSkipVerify, because mint is INSECURE", func() {
conf := &tls.Config{
ServerName: "www.example.com",
InsecureSkipVerify: false,
}
_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError(errMintIsInsecure))
})
It("requires client authentication", func() {
conf := &tls.Config{ServerName: "localhost"} // mint forces us to set a ServerName for a server config, although this field is only used for clients
mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
mintConf, err := tlsToMintConfig(nil, protocol.PerspectiveClient)
Expect(err).ToNot(HaveOccurred())
Expect(mintConf.RequireClientAuth).To(BeFalse())
conf = &tls.Config{
ServerName: "localhost", // mint forces us to set a ServerName for a server config, although this field is only used for clients
ClientAuth: tls.RequireAnyClientCert,
}
mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveServer)
conf := &tls.Config{ClientAuth: tls.RequireAnyClientCert}
mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveClient)
Expect(err).ToNot(HaveOccurred())
Expect(mintConf.RequireClientAuth).To(BeTrue())
})
It("rejects unsupported client auth types", func() {
conf := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
_, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
Expect(err).To(MatchError("mint currently only support ClientAuthType RequireAnyClientCert"))
})
})
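Review bot: With the `errMintIsInsecure` spec removed, nothing in this file section asserts what `tlsToMintConfig` now does with `tls.Config.InsecureSkipVerify`, so a regression that silently disables certificate verification for clients would still pass these specs. Now that callers rely on mint to verify the server certificate, I would add a spec such as `It("keeps certificate verification enabled unless InsecureSkipVerify is set", ...)` that converts one config with the flag unset and one with it set, and checks the verification setting on the returned mint config in both cases. The other three changed files are not visible here, so this may already be covered there. Separately, the client-auth specs appear to end up calling `tlsToMintConfig(conf, protocol.PerspectiveClient)` although `ClientAuth` is a server-side setting; which of each duplicated line is the new side is inferred from the print order, so please confirm that perspective is intended.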