diff --git a/config.json b/config.json
index 7ed02ed..4b5f4e1 100644
--- a/config.json
+++ b/config.json
@@ -6,6 +6,8 @@
 "SupportTicketsWithSessionID": "Session IDs not supported",
 "*-NoTickets-*": "Session IDs not supported",
+ "*-AES128-SHA256-*": "AES128-CBC-SHA256 not supported",
+ "*-AES256-SHA256-*": "AES256-CBC-SHA256 not supported",
 "*-AES256-SHA384-*": "AES256-CBC-SHA384 not supported",
 "BadRSAClientKeyExchange-4": "See comment in processClientKeyExchange",
@@ -18,6 +20,63 @@
 "Renegotiate-Server-Forbidden": "9b812d006d made OpenSSL tests lock up",
+ "SendEmptyRecords*": "client: no protection implemented against flood of empty records",
+ "SendWarningAlerts*": "client: no protection implemented against flood of warning alerts",
+ "SendBogusAlertType": "client: TODO send IllegalParam instead of UnexpectedMessage",
+ "SkipNewSessionTicket": "client: TODO enable session cache",
+ "InvalidCompressionMethod": "client: TODO send IllegalParam instead of UnexpectedMessage",
+ "LargeMessage": "client: TODO unexpected bad record MAC error / recordOverflow alert",
+ "TLS13-AEAD-CHACHA20-POLY1305-LargeRecord": "client: TODO unexpected record Overflow error",
+ "TLS13-AEAD-AES128-GCM-SHA256-LargeRecord": "client: TODO unexpected record Overflow error",
+ "TLS13-AEAD-AES256-GCM-SHA384-LargeRecord": "client: TODO unexpected record Overflow error",
+ "BadCBCPadding255": "client: TODO investigate",
+ "NoClientCertificate-TLS13": "client: TODO implement client certs",
+ "TLS13-Client-CertAuth-*": "client: TODO implement client certs",
+ "SupportedVersionSelection-TLS12": "client: TODO send Unexpected Extension if server sends SV",
+ "DuplicateExtensionClient-*": "TODO",
+ "UnsolicitedServerNameAck-*": "client: TODO send Unexpected Extension if SNI was not advertised",
+ "RenegotiationInfo-Forbidden-TLS13": "client: TODO reject ext",
+ "EMS-Forbidden-TLS13": "client: TODO reject ext",
+
+ "SendUnsolicitedOCSPOnCertificate-TLS13": "client: N/A, we always send status_request",
+ "SendUnsolicitedSCTOnCertificate-TLS13": "client: N/A, we always send SCT",
+ "SendUnknownExtensionOnCertificate-TLS13": "client: TODO reject unknown exts",
+ "Resume-Client-CipherMismatch-TLS13": "client: TODO implement resumption",
+ "ExtendedMasterSecret-NoToNo-Client": "client: TODO implement resumption",
+ "Renegotiate-Client-Forbidden-1": "client: TODO correct alert was sent, but why is the local error EOF?",
+ "TLS13-Client-ClientAuth-*": "client: TODO implement client certs",
+ "ClientAuth-*-TLS13*": "client: TODO implement client certs",
+ "ClientAuth-SHA1-Fallback-*": "client: what to do on empty SigAlg ext?",
+
+ "RSA-PSS-Default-Verify": "client: TODO enable PSS by default for TLS 1.2",
+ "ECDSACurveMismatch-Verify-TLS13": "client: we do advertise the SigAlg by default",
+ "Ed25519DefaultDisable-NoAccept": "client: expected IllegalParam instead of Unsupported Cert",
+ "UnofferedExtension-Client*": "client: TODO reject unadvertised extension",
+ "UnknownExtension-Client*": "client: TODO reject unadvertised extension",
+ "PointFormat-EncryptedExtensions-TLS13": "client: TODO reject forbidden extension",
+ "PointFormat-Client-MissingUncompressed": "client: TODO should reject",
+ "TLS13-TestBadTicketAge-Client": "client: TODO implement resumption",
+ "TLS13-DuplicateTicketEarlyDataInfo": "client: TODO implement resumption",
+
+ "TLS13-WrongOuterRecord": "client: TODO reject wrong content type",
+ "Basic-Client-*":"client: TODO implement resumption",
+ "TLS13-1RTT-Client-*": "client: TODO implement resumption",
+
+ "PartialEncryptedExtensionsWithServerHello": "client: TODO prevent overlap SH and EE exts",
+ "WrongMessageType-*": "client: TODO expected different alert",
+ "TrailingMessageData-*": "client: TODO expected different alert",
+ "EncryptedExtensionsWithKeyShare": "client: TODO reject invalid extension",
+ "EmptyEncryptedExtensions": "client: TODO require non-empty EE",
+ "TLS13-*PSKIdentity": "client: TODO",
+ "TLS13-ClientSkipCertificateVerify": "client: TODO implement client certs",
+ "CheckRecordVersion-*": "client: enforce record version",
+ "GarbageCertificate-Client-*": "client: TODO implement client certs",
+
+ "OmitExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",
+ "EmptyExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",
+
+ "ECDSAKeyUsage-*": "client: TODO reject cert with invalid KU",
+
 "*V2ClientHello*": "Yeah, no.",
 "*SSL3*": "Fuck that.",
 "*SSLv3*": "Really."
diff --git a/tls_shim.go b/tls_shim.go
index 295c0f6..ddfcf4b 100644
--- a/tls_shim.go
+++ b/tls_shim.go
@@ -32,7 +32,7 @@ func main() {
 os.Exit(89)
 }
 }
- if *dtls || !*server {
+ if *dtls {
 os.Exit(89)
 }
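Review bot: Several of the new skip entries silence tests for checks a TLS client is required to perform, not for unimplemented features, and the reasons do not distinguish the two: `"UnofferedExtension-Client*"` / `"UnknownExtension-Client*"` (accepting extensions the client never offered, which RFC 8446 §4.2 says must abort with unsupported_extension), `"ECDSAKeyUsage-*"` (no key-usage enforcement on the peer certificate), `"TLS13-WrongOuterRecord"`, and `"SendEmptyRecords*"` / `"SendWarningAlerts*"` (no bound on empty records or warning alerts, a remote resource-exhaustion vector). A few entries carry no reason at all — `"DuplicateExtensionClient-*": "TODO"` and `"TLS13-*PSKIdentity": "client: TODO"` — and `"CheckRecordVersion-*": "client: enforce record version"` reads as a description rather than an explanation of why the test is skipped. Since this file is the only record of what the client deliberately does not yet check, I would mark the security-relevant ones consistently so they are not lost among resumption/client-cert feature work, e.g. `"CheckRecordVersion-*": "client: TODO enforce record version (missing security check)",` and `"DuplicateExtensionClient-*": "client: TODO reject duplicate extensions (missing security check)",`. The enclosing JSON object starts and ends outside this hunk, so I cannot see whether an earlier entry already covers any of these globs.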
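Review bot: With `!*server` dropped from the guard, client mode now falls through to the rest of main() instead of exiting, but the exit status on the surviving `if *dtls` branch is a bare magic number, and the same `os.Exit(89)` appears twice in this hunk with nothing saying what it means. If 89 is, as I recall, the status the BoGo runner treats as "unimplemented", I would say so once so the next person does not change it: `// Exit status 89 tells the BoGo runner the configuration is unimplemented; DTLS is still unsupported.` above the remaining `if *dtls {`. Since the client path is now reachable, it is worth confirming that client-only runner flags the shim does not yet parse (outside this hunk) still lead to the same unimplemented exit rather than a silent run that BoGo would score as a real failure or pass. main() begins before this hunk and continues after it.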