|
25 | 25 |
|
26 | 26 | import pytest |
27 | 27 | import wolfssl |
| 28 | +from wolfssltestserver import wolfSSLTestServer |
| 29 | +from threading import Thread |
28 | 30 |
|
29 | 31 | HOST = "www.python.org" |
30 | 32 | PORT = 443 |
@@ -89,3 +91,64 @@ def test_get_version(ssl_server, ssl_version, tcp_socket): |
89 | 91 | assert secure_socket.version() == protocol_name |
90 | 92 | secure_socket.write(b'hello wolfssl') |
91 | 93 | secure_socket.read(1024) |
| 94 | + |
| 95 | + |
| 96 | +def test_client_cert_verification_failure(): |
| 97 | + """ |
| 98 | + Test that a connection fails when the server requires client certificates |
| 99 | + but the server's CA (globalsign) does not verify the client's certificate. |
| 100 | + """ |
| 101 | + import socket |
| 102 | + import time |
| 103 | + |
| 104 | + # Create a server with CERT_REQUIRED and globalsign CA |
| 105 | + # This server will require client certificates but won't accept |
| 106 | + # certificates signed by a different CA |
| 107 | + port = 11111 |
| 108 | + with wolfSSLTestServer( |
| 109 | + ('localhost', port), |
| 110 | + version=wolfssl.PROTOCOL_TLS, |
| 111 | + verify=wolfssl.CERT_REQUIRED |
| 112 | + ) as server: |
| 113 | + server_thread = Thread(target=server.handle_request) |
| 114 | + server_thread.daemon = True |
| 115 | + server_thread.start() |
| 116 | + |
| 117 | + # Give the server a moment to start |
| 118 | + time.sleep(0.1) |
| 119 | + |
| 120 | + # Create a client socket |
| 121 | + client_tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 122 | + |
| 123 | + # Create a client context |
| 124 | + client_ctx = wolfssl.SSLContext(wolfssl.PROTOCOL_TLS) |
| 125 | + |
| 126 | + # Wrap the socket with the client context |
| 127 | + # Set do_handshake_on_connect=False so we can explicitly call do_handshake() |
| 128 | + # and catch the error |
| 129 | + client_socket = client_ctx.wrap_socket( |
| 130 | + client_tcp_socket, |
| 131 | + do_handshake_on_connect=False |
| 132 | + ) |
| 133 | + |
| 134 | + # Connect the TCP socket first |
| 135 | + client_socket.connect(('127.0.0.1', port)) |
| 136 | + |
| 137 | + # Attempt handshake - this should fail because the client does not |
| 138 | + # send a cert/key. |
| 139 | + with pytest.raises(wolfssl.SSLError) as exc_info: |
| 140 | + client_socket.do_handshake() |
| 141 | + # Handshake appeared to succeed, try to read/write to trigger the error |
| 142 | + # The server should reject the connection due to certificate verification failure |
| 143 | + client_socket.write(b'hello') |
| 144 | + client_socket.read(1024) |
| 145 | + |
| 146 | + # Clean up (errors during close are expected if connection failed) |
| 147 | + try: |
| 148 | + client_socket.close() |
| 149 | + except Exception: |
| 150 | + pass |
| 151 | + try: |
| 152 | + client_tcp_socket.close() |
| 153 | + except Exception: |
| 154 | + pass |
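Review bot: The `pytest.raises(wolfssl.SSLError)` block around `do_handshake()`, `write()` and `read()` accepts any SSLError, so a failure unrelated to client-certificate verification (a protocol mismatch, or the server thread dying and dropping the connection) also makes the test pass; if the binding exposes the alert or error reason on `exc_info.value`, assert on it after the block so the test fails for the right reason. Cleanup of the two sockets is not in a `finally`, so a run in which no exception is raised leaves them open and leaves the server's `with` block while `server_thread` is still handling the request — wrap the connect/handshake in `try`/`finally` and join the thread. The `time.sleep(0.1)` start-up wait and the fixed `port = 11111` make the test timing- and environment-dependent; if wolfSSLTestServer can bind port 0 and report the bound port, that would remove both. The docstring's claim that the server uses the globalsign CA is not visible in this hunk; confirm it is the test server's default or pass the CA explicitly.
```python
    client_socket = client_ctx.wrap_socket(
        client_tcp_socket,
        do_handshake_on_connect=False
    )
    try:
        client_socket.connect(('127.0.0.1', port))
        # … unchanged: pytest.raises(wolfssl.SSLError) block around do_handshake/write/read …
    finally:
        # Close even when the handshake unexpectedly succeeds; errors on close are expected.
        for sock in (client_socket, client_tcp_socket):
            try:
                sock.close()
            except Exception:
                pass
        server_thread.join(timeout=5)
```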