summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/nss_bogo_shim/config.json
blob: fa38a68eaade9652fbd4a601756e79e85baf1e1f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
{
    "DisabledTests": {
        "####################":"####################",
        "### Failures due to Bogo/NSS specifics":"",
        "####################":"####################",

        "SendEmptyRecords":"Bogo allows only 32 empty records to be sent before other TLS messages.",
        "SendUserCanceledAlerts-TooMany-TLS13":"Bogo allows only 5 user canceled alerts to be sent.",
        "SendWarningAlerts-TooMany":"Bogo allows only 5 warning alerts to be sent.",
        "TooManyKeyUpdates":"Bogo allows only 32 KeyUpdate messages to be sent.",
        "UnsolicitedServerNameAck-TLS*":"Boring wants us to fail with an unexpected_extension alert, we simply ignore ssl_server_name_xtn.",
        "DuplicateCertCompressionExt*":"BoGo expects that an alert is sent if more than one compression algorithm is sent.",
        "*Auth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty.",
        "NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2",
        "SkipEarlyData-*TooMuchData*":"Test of internal BoGo features (see Bug 1339373).",
        "Client-RejectJDK11DowngradeRandom":"This random is not specified in RFC8446.",
        "Renegotiate-Server-Forbidden":"TLS 1.2 test, renegotiation is allowed in NSS.",
        "EmptySessionID-TLS13":"This test also asserts BoringSSL always sending CCS messages for compatibility mode.",
        "Http*":"Test sends http string to socket before handshake. his data is interpreted as a record header and leads to different IO errors in NSS.",
        "V2ClientHello*":"Prefix data before V2 ClientHello leads to IO errors in NSS.",
        "Server-JDK11-NoWorkaround-3":"Unexpected Bogo crash.",
        "Resume-Server-UnofferedCipher-TLS13":"Bogo rejects resumption if client offers previously not used ciphersuites with equal hash algorithm (no 0Rtt).",
        "EarlyData-FirstTicket-Server-TLS13":"Bogo provides specific early data logging which is the only check in this test but not supported by NSS.",

        "*Ed25519*":"Add Ed25519 support (Bug 1325335)",
        "*NoSSL3*":"Test passes but only because of handshake failure, NSS only rejects SSL3 immediately in TLS1.3 clients/servers.",
        "SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
        "CheckRecordVersion-TLS1":"NSS doesn't check record version field. Bug 1317634",
        "CheckRecordVersion-TLS11":"NSS doesn't check record version field. Bug 1317634",
        "CheckRecordVersion-TLS12":"NSS doesn't check record version field. Bug 1317634",
        "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version.",
        "DuplicateKeyShares*":"NSS doesn't check for duplicates. Bug 1304578",
        "PointFormat-Client-MissingUncompressed":"NSS ignores ec_point_formats extensions sent by servers.",
        "SkipEarlyData-Interleaved-TLS13":"NSS ignores invalid early data records by default since ssl_0rtt_ignore_trial is default. Bug 1336916",
        "ECDSAKeyUsage*":"NSS only checks KeyUsage on server setup and with delegated credential verification. Bug 1338194",
        "RSAKeyUsage-*-WantSignature-GotEncipherment-*":"NSS only checks KeyUsage on server setup and with delegated credential verification. See Bug 1338194",
        "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"NSS Server side bug. Don't send ticket when not permitted by KE modes (Bug 1317635)",
        "Resume-Server-OmitPSKsOnSecondClientHello":"NSS Server side bug. It does not detect ClientHello dropping of PSK extension (after HRR).",
        "Renegotiate-Client-Forbidden-1":"By default NSS allows renegotiation with extension contrary to bogo.",
        "TrailingData*":"NSS does only check for trailing data on possible key change handshake messages in TLS 1.3",
        "Partial*":"See TrailingData* description.",
        "QUIC-ECH*":"NSS does not support QUIC.",
        "*ECH*SkipInvalidPublicName*":"NSS allows hostnames to include underscores in contrary to the spec. Bug 1136616",
        "*ECH*CompressSupportedVersions":"NSS never compresses supported versions, Bogo does if CHOuter is TLS 1.3 only (equal to CHInner).",
        "*ECH*NoSupportedConfigs*":"NSS throws error if unsupported but well formed retry configs could not be set on client, Bogo just does not offer ECH.",
        "*ECH*RandomHRR*":"NSS sends real ECH in CH2 after receiving HRR rejcting ECH formally, Bogo expects instant ech_required alert. Bug 1779357",
        "*ECH*UnsolicitedInnerServerNameAck":"NSS always sends SNI in CHInner, Bogo tests if the client detects an unsolicited SNI in SH if CHInner did not include it. Bug 1781224",
        "CorruptTicket-TLS-TLS12":"NSS sends an alert on reception of a corrupted session ticket instead of falling back to full handshake. Bug 1783812",

        "FalseStart-ALPN*":"TODO - Implementing TLS 1.2 only FalseStart has low priority.",

        "####################":"####################",
        "### TLS1/11 failures due to unsupported signature algorithms":"",
        "####################":"####################",

        "FallbackSCSV":"",
        "TicketSessionIDLength*":"",
        "NoExtendedMasterSecret-TLS1-Server":"",
        "NoExtendedMasterSecret-TLS11-Server":"",
        "TLS1-Server-ClientAuth*":"",
        "TLS11-Server-ClientAuth*":"",
        "Resume-Server-TLS1-TLS1-TLS":"",
        "Resume-Server-TLS11-TLS11-TLS":"",
        "Resume-Server-NoTickets-TLS1-TLS1-TLS":"",
        "Resume-Server-NoTickets-TLS11-TLS11-TLS":"",
        "VersionNegotiation-Server*-TLS1-TLS":"",
        "VersionNegotiation-Server*-TLS11-TLS":"",
        "MinimumVersion-Server*-TLS1-TLS1-TLS":"",
        "MinimumVersion-Server*-TLS1-TLS11-TLS":"",
        "MinimumVersion-Server*-TLS11-TLS11-TLS":"",
        "GarbageCertificate-Server-TLS1":"",
        "GarbageCertificate-Server-TLS11":"",
        "LooseInitialRecordVersion-TLS1":"",
        "LooseInitialRecordVersion-TLS11":"",
        "*Certificate-TLS1":"",
        "*Certificate-TLS11":"",
        "CorruptTicket*TLS1":"",
        "CorruptTicket*TLS11":"",
        "Resume-Server*TLS1-*":"",
        "Resume-Server*TLS11-*":"",
        "BadRSAClientKeyExchange-*":"This is a TLS11 only test.",
        "RSAKeyUsage-Server-WantSignature-GotSignature-TLS1":"Only Server side of TLS 1 fails",
        "RSAKeyUsage-Server-WantSignature-GotSignature-TLS11":"Only Server side of TLS 11 fails",

        "":""
    },
    "ErrorMap" : {
    }
}