summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/nss_bogo_shim/config.json
blob: 5c7a2e3481923fb6b17e3b50ed41325fd4dabac3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
{
    "DisabledTests": {
        "### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
        "*TLS13Draft*":"NSS supports RFC 8446 only.",
        "IgnoreClientVersionOrder":"Uses draft23",
        "DuplicateCertCompressionExt*":"BoGo expects that an alert is sent if more than one compression algorithm is sent.",
        "ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
        "DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
        "VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
        "Draft-Downgrade-Server":"Boring implements a draft downgrade sentinel used for measurements.",
        "FilterExtraAlgorithms":"NSS doesn't allow sending unsupported signature algorithms",
        "SendBogusAlertType":"Unexpected TLS alerts should abort connections (Bug 1438263)",
        "VerifyPreferences-Ed25519":"Add Ed25519 support (Bug 1325335)",
        "Ed25519DefaultDisable*":"Add Ed25519 support (Bug 1325335)",
        "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
        "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
        "SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
        "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
        "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
        "CheckRecordVersion-TLS*":"Bug 1317634",
        "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version",
        "GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
        "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
        "*KeyUpdate*":"KeyUpdate Unimplemented",
        "ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
        "SendWarningAlerts-TLS13":"NSS needs to trigger on warning alerts",
        "NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2 and expects the wrong alert for TLS 1.3",
        "SendEmptyRecords":"Tests a non-spec behavior in BoGo where it chokes on too many empty records",
        "LargePlaintext":"NSS needs to check for over-long records. Bug 1294978",
        "TLS13-RC4-MD5-server":"This fails properly but returns an unexpected error. Not a bug but needs cleanup",
        "*SSL3*":"NSS disables SSLv3",
        "*SSLv3*":"NSS disables SSLv3",
        "*AES256*":"Inconsistent support for AES256",
        "*AES128-SHA256*":"No support for Suite B ciphers",
        "DuplicateExtension*":"NSS sends unexpected_extension alert",
        "WeakDH":"NSS supports 768-bit DH",
        "SillyDH":"NSS supports 4097-bit DH",
        "SendWarningAlerts":"This appears to be Boring-specific",
        "TLS12-AES128-GCM-client":"Bug 1292895",
        "*TLS12-AES128-GCM-LargeRecord*":"Bug 1292895",
        "Renegotiate-Client-Forbidden-1":"Bug 1292898",
        "Renegotiate-Server-Forbidden":"NSS doesn't disable renegotiation by default",
        "Renegotiate-Client-NoIgnore":"NSS doesn't disable renegotiation by default",
        "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
        "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
        "FragmentedClientVersion":"received a malformed Client Hello handshake message",
        "WrongMessageType-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
        "TrailingMessageData-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
        "UnofferedExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
        "UnknownExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
        "WrongMessageType-TLS13-CertificateRequest":"Boring expects CCS (Bugs 1481209, 1304603)",
        "WrongMessageType-TLS13-ServerCertificateVerify":"Boring expects CCS (Bugs 1481209, 1304603)",
        "WrongMessageType-TLS13-ServerCertificate":"Boring expects CCS (Bugs 1481209, 1304603)",
        "WrongMessageType-TLS13-ServerFinished":"Boring expects CCS (Bugs 1481209, 1304603)",
        "TrailingMessageData-*": "Bug 1304575",
        "DuplicateKeyShares":"Bug 1304578",
        "Resume-Server-TLS13-TLS13":"Bug 1314351",
        "SkipEarlyData-Interleaved":"Bug 1336916",
        "ECDSAKeyUsage-TLS1*":"Bug 1338194",
        "PointFormat-Client-MissingUncompressed":"We ignore ec_point_formats extensions sent by servers.",
        "SkipEarlyData-SecondClientHelloEarlyData":"Boring doesn't reject early_data in the 2nd CH but fails later with bad_record_mac.",
        "SkipEarlyData-*TooMuchData":"Bug 1339373",
        "UnsolicitedServerNameAck-TLS1*":"Boring wants us to fail with an unexpected_extension alert, we simply ignore ssl_server_name_xtn.",
        "RequireAnyClientCertificate-TLS1*":"Bug 1339387",
        "SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
        "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
        "P224-Server":"NSS doesn't support P-224",
        "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
    },
    "ErrorMap" : {
        ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
        ":UNKNOWN_CIPHER_RETURNED:":"SSL_ERROR_NO_CYPHER_OVERLAP",
        ":OLD_SESSION_CIPHER_NOT_RETURNED:":"SSL_ERROR_RX_MALFORMED_SERVER_HELLO",
        ":NO_SHARED_CIPHER:":"SSL_ERROR_NO_CYPHER_OVERLAP",
        ":DIGEST_CHECK_FAILED:":"SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE"
    }
}