forked from quic-go/quic-go
don't force clients to use tls.Config.InsecureSkipVerify when using mint
mint recently implemented certificate verification.
This reverts commit d76f5a839c.
This commit is contained in:
Marten Seemann
@@ -79,8 +79,7 @@ var _ = Describe("Handshake tests", func() {
|
||||
})
|
||||
|
||||
Context("Certifiate validation", func() {
|
||||
// no need to run these tests with TLS. mint doesn't do certificate verification
|
||||
for _, v := range protocol.SupportedVersions {
|
||||
for _, v := range []protocol.VersionNumber{protocol.Version39, protocol.VersionTLS} {
|
||||
version := v
|
||||
|
||||
Context(fmt.Sprintf("using %s", version), func() {
|
||||
|
||||
@@ -16,8 +16,6 @@ import (
|
||||
"github.com/lucas-clemente/quic-go/internal/wire"
|
||||
)
|
||||
|
||||
var errMintIsInsecure = errors.New("mint currently DOES NOT support certificate verification (see https://github.com/bifurcation/mint/issues/161 for details). Set InsecureSkipVerify to acknowledge that no certificate verification will be performed, and the connection will be vulnerable to man-in-the-middle attacks")
|
||||
|
||||
type mintController struct {
|
||||
csc *handshake.CryptoStreamConn
|
||||
conn *mint.Conn
|
||||
@@ -75,9 +73,6 @@ func tlsToMintConfig(tlsConf *tls.Config, pers protocol.Perspective) (*mint.Conf
|
||||
},
|
||||
}
|
||||
if tlsConf != nil {
|
||||
if pers == protocol.PerspectiveClient && !tlsConf.InsecureSkipVerify {
|
||||
return nil, errMintIsInsecure
|
||||
}
|
||||
mconf.ServerName = tlsConf.ServerName
|
||||
mconf.Certificates = make([]*mint.Certificate, len(tlsConf.Certificates))
|
||||
for i, certChain := range tlsConf.Certificates {
|
||||
|
||||
@@ -43,10 +43,7 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
|
||||
})
|
||||
|
||||
It("sets the server name", func() {
|
||||
conf := &tls.Config{
|
||||
ServerName: "www.example.com",
|
||||
InsecureSkipVerify: true,
|
||||
}
|
||||
conf := &tls.Config{ServerName: "www.example.com"}
|
||||
mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(mintConf.ServerName).To(Equal("www.example.com"))
|
||||
@@ -54,40 +51,25 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
|
||||
|
||||
It("sets the certificate chain", func() {
|
||||
tlsConf := testdata.GetTLSConfig()
|
||||
tlsConf.InsecureSkipVerify = true
|
||||
mintConf, err := tlsToMintConfig(tlsConf, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(mintConf.Certificates).ToNot(BeEmpty())
|
||||
Expect(mintConf.Certificates).To(HaveLen(len(tlsConf.Certificates)))
|
||||
})
|
||||
|
||||
It("forces the application to set InsecureSkipVerify, because mint is INSECURE", func() {
|
||||
conf := &tls.Config{
|
||||
ServerName: "www.example.com",
|
||||
InsecureSkipVerify: false,
|
||||
}
|
||||
_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
|
||||
Expect(err).To(HaveOccurred())
|
||||
Expect(err).To(MatchError(errMintIsInsecure))
|
||||
})
|
||||
|
||||
It("requires client authentication", func() {
|
||||
conf := &tls.Config{ServerName: "localhost"} // mint forces us to set a ServerName for a server config, although this field is only used for clients
|
||||
mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
|
||||
mintConf, err := tlsToMintConfig(nil, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(mintConf.RequireClientAuth).To(BeFalse())
|
||||
conf = &tls.Config{
|
||||
ServerName: "localhost", // mint forces us to set a ServerName for a server config, although this field is only used for clients
|
||||
ClientAuth: tls.RequireAnyClientCert,
|
||||
}
|
||||
mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveServer)
|
||||
conf := &tls.Config{ClientAuth: tls.RequireAnyClientCert}
|
||||
mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(mintConf.RequireClientAuth).To(BeTrue())
|
||||
})
|
||||
|
||||
It("rejects unsupported client auth types", func() {
|
||||
conf := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
|
||||
_, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
|
||||
_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
|
||||
Expect(err).To(MatchError("mint currently only support ClientAuthType RequireAnyClientCert"))
|
||||
})
|
||||
})
|
||||
|
||||
@@ -36,8 +36,7 @@ var _ = Describe("Stateless TLS handling", func() {
|
||||
Versions: []protocol.VersionNumber{protocol.VersionTLS},
|
||||
}
|
||||
var err error
|
||||
tlsConf := testdata.GetTLSConfig()
|
||||
server, sessionChan, err = newServerTLS(conn, config, nil, tlsConf)
|
||||
server, sessionChan, err = newServerTLS(conn, config, nil, testdata.GetTLSConfig())
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
server.newMintConn = func(bc *handshake.CryptoStreamConn, v protocol.VersionNumber) (handshake.MintTLS, <-chan handshake.TransportParameters, error) {
|
||||
mintReply = bc
|
||||
|
||||
Reference in New Issue
Block a user