crypto-tls-bogo-shim/config.json

{
	"DisabledTests": {
		"*HelloRetryRequest*": "HelloRetryRequest not implemented yet",
		"*HRR*": "HelloRetryRequest not implemented yet",
		"*SecondClientHello*": "HelloRetryRequest not implemented yet",

		"SupportTicketsWithSessionID": "Session IDs not supported",
		"*-NoTickets-*": "Session IDs not supported",
		"*-AES128-SHA256-*": "AES128-CBC-SHA256 not supported",
		"*-AES256-SHA256-*": "AES256-CBC-SHA256 not supported",
		"*-AES256-SHA384-*": "AES256-CBC-SHA384 not supported",

		"BadRSAClientKeyExchange-4": "See comment in processClientKeyExchange",

		"GREASE-Server-TLS13": "TODO",
		"DuplicateExtensionServer-*": "TODO",
		"DuplicateKeyShares": "TODO",
		"SkipEarlyData-TooMuchData": "TODO",
		"KeyUpdate-*": "TODO",

		"Renegotiate-Server-Forbidden": "9b812d006d made OpenSSL tests lock up",

		"SendEmptyRecords*": "client: no protection implemented against flood of empty records",
		"SendWarningAlerts*": "client: no protection implemented against flood of warning alerts",
		"SendBogusAlertType": "client: TODO send IllegalParam instead of UnexpectedMessage",
		"SkipNewSessionTicket": "client: TODO enable session cache",
		"InvalidCompressionMethod": "client: TODO send IllegalParam instead of UnexpectedMessage",
		"LargeMessage": "client: bogo violates draft -21 and sends a too large message",
		"TLS13-AEAD-*-LargeRecord": "client: bogo violates draft -21 and sends a too large message",
		"NoClientCertificate-TLS13": "client: TODO implement client certs",
		"TLS13-Client-CertAuth-*": "client: TODO implement client certs",
		"SupportedVersionSelection-TLS12": "client: TODO send Unexpected Extension if server sends SV",
		"DuplicateExtensionClient-*": "TODO",
		"UnsolicitedServerNameAck-*": "client: TODO send Unexpected Extension if SNI was not advertised",
		"RenegotiationInfo-Forbidden-TLS13": "client: TODO reject ext",
		"EMS-Forbidden-TLS13": "client: TODO reject ext",

		"SendUnsolicitedOCSPOnCertificate-TLS13": "client: N/A, we always send status_request",
		"SendUnsolicitedSCTOnCertificate-TLS13": "client: N/A, we always send SCT",
		"SendUnknownExtensionOnCertificate-TLS13": "client: TODO reject unknown exts",
		"Resume-Client-CipherMismatch-TLS13": "client: TODO implement resumption",
		"ExtendedMasterSecret-NoToNo-Client": "client: TODO implement resumption",
		"Renegotiate-Client-Forbidden-1": "client: TODO correct alert was sent, but why is the local error EOF?",
		"TLS13-Client-ClientAuth-*": "client: TODO implement client certs",
		"ClientAuth-*-TLS13*": "client: TODO implement client certs",
		"ClientAuth-SHA1-Fallback-*": "client: what to do on empty SigAlg ext?",

		"RSA-PSS-Default-Verify": "client: TODO enable PSS by default for TLS 1.2",
		"ECDSACurveMismatch-Verify-TLS13": "client: we do advertise the SigAlg by default",
		"Ed25519DefaultDisable-NoAccept": "client: expected IllegalParam instead of Unsupported Cert",
		"UnofferedExtension-Client*": "client: TODO reject unadvertised extension",
		"UnknownExtension-Client*": "client: TODO reject unadvertised extension",
		"PointFormat-EncryptedExtensions-TLS13": "client: TODO reject forbidden extension",
		"PointFormat-Client-MissingUncompressed": "client: TODO should reject",
		"TLS13-TestBadTicketAge-Client": "client: TODO implement resumption",
		"TLS13-DuplicateTicketEarlyDataInfo": "client: TODO implement resumption",

		"TLS13-WrongOuterRecord": "client: checking record content type is not a MUST",
		"Basic-Client-*":"client: TODO implement resumption",
		"TLS13-1RTT-Client-*": "client: TODO implement resumption",

		"PartialEncryptedExtensionsWithServerHello": "client: TODO prevent overlap SH and EE exts",
		"WrongMessageType-*": "client: TODO expected different alert",
		"TrailingMessageData-*": "client: TODO expected different alert",
		"EncryptedExtensionsWithKeyShare": "client: TODO reject invalid extension",
		"EmptyEncryptedExtensions": "client: TODO require non-empty EE",
		"TLS13-*PSKIdentity": "client: TODO",
		"TLS13-ClientSkipCertificateVerify": "client: TODO implement client certs",
		"CheckRecordVersion-*": "client: enforce record version",
		"GarbageCertificate-Client-*": "client: TODO implement client certs",

		"OmitExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",
		"EmptyExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",

		"ECDSAKeyUsage-*": "client: TODO reject cert with invalid KU",

		"*V2ClientHello*": "Unsupported version",
		"*SSL3*": "Unsupported version",
		"*SSLv3*": "Unsupported version"
	}
}
First shim that does... nothing 2017-01-09 21:47:43 +00:00			`{`
			`"DisabledTests": {`
Switch to Tris and get basic server tests to run 2017-01-09 23:24:36 +00:00			`"HelloRetryRequest": "HelloRetryRequest not implemented yet",`
			`"HRR": "HelloRetryRequest not implemented yet",`
			`"SecondClientHello": "HelloRetryRequest not implemented yet",`

Reach 0 failed / 217 passed on Tris 2017-01-18 17:47:47 +00:00			`"SupportTicketsWithSessionID": "Session IDs not supported",`
Switch to Tris and get basic server tests to run 2017-01-09 23:24:36 +00:00			`"-NoTickets-": "Session IDs not supported",`
Enable client tests Tested with the initial tls-tris client support branch which includes basic RSASSA-PSS support. Coverage changed from ... to ...: 0/3509/3692/3692/4136 0/2784/3195/3195/4136 2017-10-02 16:54:31 +01:00			`"-AES128-SHA256-": "AES128-CBC-SHA256 not supported",`
			`"-AES256-SHA256-": "AES256-CBC-SHA256 not supported",`
Switch to Tris and get basic server tests to run 2017-01-09 23:24:36 +00:00			`"-AES256-SHA384-": "AES256-CBC-SHA384 not supported",`

Reach 0 failed / 217 passed on Tris 2017-01-18 17:47:47 +00:00			`"BadRSAClientKeyExchange-4": "See comment in processClientKeyExchange",`

			`"GREASE-Server-TLS13": "TODO",`
			`"DuplicateExtensionServer-*": "TODO",`
			`"DuplicateKeyShares": "TODO",`
			`"SkipEarlyData-TooMuchData": "TODO",`
Disable KeyUpdate tests KeyUpdate is not implemented in tls-tris yet 2017-09-04 16:18:58 +01:00			`"KeyUpdate-*": "TODO",`
Reach 0 failed / 217 passed on Tris 2017-01-18 17:47:47 +00:00
Temporarily ignore the renegotiation tests 2017-01-24 13:22:51 +00:00			`"Renegotiate-Server-Forbidden": "9b812d006d made OpenSSL tests lock up",`

Enable client tests Tested with the initial tls-tris client support branch which includes basic RSASSA-PSS support. Coverage changed from ... to ...: 0/3509/3692/3692/4136 0/2784/3195/3195/4136 2017-10-02 16:54:31 +01:00			`"SendEmptyRecords*": "client: no protection implemented against flood of empty records",`
			`"SendWarningAlerts*": "client: no protection implemented against flood of warning alerts",`
			`"SendBogusAlertType": "client: TODO send IllegalParam instead of UnexpectedMessage",`
			`"SkipNewSessionTicket": "client: TODO enable session cache",`
			`"InvalidCompressionMethod": "client: TODO send IllegalParam instead of UnexpectedMessage",`
Fold LargeRecord tests See https://github.com/cloudflare/tls-tris/issues/46, current implementations may send one byte too much since they do not include the content type in the calculation. 2017-10-03 18:46:07 +01:00			`"LargeMessage": "client: bogo violates draft -21 and sends a too large message",`
			`"TLS13-AEAD-*-LargeRecord": "client: bogo violates draft -21 and sends a too large message",`
Enable client tests Tested with the initial tls-tris client support branch which includes basic RSASSA-PSS support. Coverage changed from ... to ...: 0/3509/3692/3692/4136 0/2784/3195/3195/4136 2017-10-02 16:54:31 +01:00			`"NoClientCertificate-TLS13": "client: TODO implement client certs",`
			`"TLS13-Client-CertAuth-*": "client: TODO implement client certs",`
			`"SupportedVersionSelection-TLS12": "client: TODO send Unexpected Extension if server sends SV",`
			`"DuplicateExtensionClient-*": "TODO",`
			`"UnsolicitedServerNameAck-*": "client: TODO send Unexpected Extension if SNI was not advertised",`
			`"RenegotiationInfo-Forbidden-TLS13": "client: TODO reject ext",`
			`"EMS-Forbidden-TLS13": "client: TODO reject ext",`

			`"SendUnsolicitedOCSPOnCertificate-TLS13": "client: N/A, we always send status_request",`
			`"SendUnsolicitedSCTOnCertificate-TLS13": "client: N/A, we always send SCT",`
			`"SendUnknownExtensionOnCertificate-TLS13": "client: TODO reject unknown exts",`
			`"Resume-Client-CipherMismatch-TLS13": "client: TODO implement resumption",`
			`"ExtendedMasterSecret-NoToNo-Client": "client: TODO implement resumption",`
			`"Renegotiate-Client-Forbidden-1": "client: TODO correct alert was sent, but why is the local error EOF?",`
			`"TLS13-Client-ClientAuth-*": "client: TODO implement client certs",`
			`"ClientAuth--TLS13": "client: TODO implement client certs",`
			`"ClientAuth-SHA1-Fallback-*": "client: what to do on empty SigAlg ext?",`

			`"RSA-PSS-Default-Verify": "client: TODO enable PSS by default for TLS 1.2",`
			`"ECDSACurveMismatch-Verify-TLS13": "client: we do advertise the SigAlg by default",`
			`"Ed25519DefaultDisable-NoAccept": "client: expected IllegalParam instead of Unsupported Cert",`
			`"UnofferedExtension-Client*": "client: TODO reject unadvertised extension",`
			`"UnknownExtension-Client*": "client: TODO reject unadvertised extension",`
			`"PointFormat-EncryptedExtensions-TLS13": "client: TODO reject forbidden extension",`
			`"PointFormat-Client-MissingUncompressed": "client: TODO should reject",`
			`"TLS13-TestBadTicketAge-Client": "client: TODO implement resumption",`
			`"TLS13-DuplicateTicketEarlyDataInfo": "client: TODO implement resumption",`

Document TLS13-WrongOuterRecord The spec only says that the "opaque_type" field is always set to 23 (application_data), but that is not a MUST check. https://github.com/cloudflare/tls-tris/issues/47 2017-10-04 15:06:11 +01:00			`"TLS13-WrongOuterRecord": "client: checking record content type is not a MUST",`
Enable client tests Tested with the initial tls-tris client support branch which includes basic RSASSA-PSS support. Coverage changed from ... to ...: 0/3509/3692/3692/4136 0/2784/3195/3195/4136 2017-10-02 16:54:31 +01:00			`"Basic-Client-*":"client: TODO implement resumption",`
			`"TLS13-1RTT-Client-*": "client: TODO implement resumption",`

			`"PartialEncryptedExtensionsWithServerHello": "client: TODO prevent overlap SH and EE exts",`
			`"WrongMessageType-*": "client: TODO expected different alert",`
			`"TrailingMessageData-*": "client: TODO expected different alert",`
			`"EncryptedExtensionsWithKeyShare": "client: TODO reject invalid extension",`
			`"EmptyEncryptedExtensions": "client: TODO require non-empty EE",`
			`"TLS13-*PSKIdentity": "client: TODO",`
			`"TLS13-ClientSkipCertificateVerify": "client: TODO implement client certs",`
			`"CheckRecordVersion-*": "client: enforce record version",`
			`"GarbageCertificate-Client-*": "client: TODO implement client certs",`

			`"OmitExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",`
			`"EmptyExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",`

			`"ECDSAKeyUsage-*": "client: TODO reject cert with invalid KU",`

Improve description for some disabled tests 2017-10-03 12:52:34 +01:00			`"V2ClientHello": "Unsupported version",`
			`"SSL3": "Unsupported version",`
			`"SSLv3": "Unsupported version"`
First shim that does... nothing 2017-01-09 21:47:43 +00:00			`}`
			`}`