// server1: host 'agent1', signed by ca1
makeReq('/inv1', port1, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
makeReq('/inv1-ca1', port1,
- 'Hostname/IP doesn\'t match certificate\'s altnames',
+ 'Hostname/IP doesn\'t match certificate\'s altnames: ' +
+ '"Host: localhost. is not cert\'s CN: agent1"',
null, ca1);
makeReq('/inv1-ca1ca2', port1,
- 'Hostname/IP doesn\'t match certificate\'s altnames',
+ 'Hostname/IP doesn\'t match certificate\'s altnames: ' +
+ '"Host: localhost. is not cert\'s CN: agent1"',
null, [ca1, ca2]);
makeReq('/val1-ca1', port1, null, 'agent1', ca1);
makeReq('/val1-ca1ca2', port1, null, 'agent1', [ca1, ca2]);
// server3: host 'agent3', signed by ca2
makeReq('/inv3', port3, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
makeReq('/inv3-ca2', port3,
- 'Hostname/IP doesn\'t match certificate\'s altnames',
+ 'Hostname/IP doesn\'t match certificate\'s altnames: ' +
+ '"Host: localhost. is not cert\'s CN: agent3"',
null, ca2);
makeReq('/inv3-ca1ca2', port3,
- 'Hostname/IP doesn\'t match certificate\'s altnames',
+ 'Hostname/IP doesn\'t match certificate\'s altnames: ' +
+ '"Host: localhost. is not cert\'s CN: agent3"',
null, [ca1, ca2]);
makeReq('/val3-ca2', port3, null, 'agent3', ca2);
makeReq('/val3-ca1ca2', port3, null, 'agent3', [ca1, ca2]);
var tests = [
// Basic CN handling
- { host: 'a.com', cert: { subject: { CN: 'a.com' } }, result: true },
- { host: 'a.com', cert: { subject: { CN: 'A.COM' } }, result: true },
- { host: 'a.com', cert: { subject: { CN: 'b.com' } }, result: false },
- { host: 'a.com', cert: { subject: { CN: 'a.com.' } }, result: true },
+ { host: 'a.com', cert: { subject: { CN: 'a.com' } } },
+ { host: 'a.com', cert: { subject: { CN: 'A.COM' } } },
+ {
+ host: 'a.com',
+ cert: { subject: { CN: 'b.com' } },
+ error: 'Host: a.com. is not cert\'s CN: b.com'
+ },
+ { host: 'a.com', cert: { subject: { CN: 'a.com.' } } },
// Wildcards in CN
- { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } }, result: true },
+ { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
{ host: 'b.a.com', cert: {
subjectaltname: 'DNS:omg.com',
subject: { CN: '*.a.com' } },
- result: false
+ error: 'Host: b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:omg.com'
},
// Multiple CN fields
{
host: 'foo.com', cert: {
subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com;
- },
- result: true
+ }
},
// DNS names and CN
subjectaltname: 'DNS:*',
subject: { CN: 'b.com' }
},
- result: false
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*'
},
{
host: 'a.com', cert: {
subjectaltname: 'DNS:*.com',
subject: { CN: 'b.com' }
},
- result: false
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.com'
},
{
host: 'a.co.uk', cert: {
subjectaltname: 'DNS:*.co.uk',
subject: { CN: 'b.com' }
- },
- result: true
+ }
},
{
host: 'a.com', cert: {
subjectaltname: 'DNS:*.a.com',
subject: { CN: 'a.com' }
},
- result: false
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
},
{
host: 'a.com', cert: {
subjectaltname: 'DNS:*.a.com',
subject: { CN: 'b.com' }
},
- result: false
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
},
{
host: 'a.com', cert: {
subjectaltname: 'DNS:a.com',
subject: { CN: 'b.com' }
- },
- result: true
+ }
},
{
host: 'a.com', cert: {
subjectaltname: 'DNS:A.COM',
subject: { CN: 'b.com' }
- },
- result: true
+ }
},
// DNS names
subjectaltname: 'DNS:*.a.com',
subject: {}
},
- result: false
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
},
{
host: 'b.a.com', cert: {
subjectaltname: 'DNS:*.a.com',
subject: {}
- },
- result: true
+ }
},
{
host: 'c.b.a.com', cert: {
subjectaltname: 'DNS:*.a.com',
subject: {}
},
- result: false
+ error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
},
{
host: 'b.a.com', cert: {
subjectaltname: 'DNS:*b.a.com',
subject: {}
- },
- result: true
+ }
},
{
host: 'a-cb.a.com', cert: {
subjectaltname: 'DNS:*b.a.com',
subject: {}
- },
- result: true
+ }
},
{
host: 'a.b.a.com', cert: {
subjectaltname: 'DNS:*b.a.com',
subject: {}
},
- result: false
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*b.a.com'
},
// Mutliple DNS names
{
host: 'a.b.a.com', cert: {
subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com',
subject: {}
- },
- result: true
+ }
},
// URI names
{
host: 'a.b.a.com', cert: {
subjectaltname: 'URI:http://a.b.a.com/',
subject: {}
- },
- result: true
+ }
},
{
host: 'a.b.a.com', cert: {
subjectaltname: 'URI:http://*.b.a.com/',
subject: {}
},
- result: false
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'URI:http://*.b.a.com/'
},
// IP addresses
{
subjectaltname: 'IP Address:127.0.0.1',
subject: {}
},
- result: false
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'IP Address:127.0.0.1'
},
{
host: '127.0.0.1', cert: {
subjectaltname: 'IP Address:127.0.0.1',
subject: {}
- },
- result: true
+ }
},
{
host: '127.0.0.2', cert: {
subjectaltname: 'IP Address:127.0.0.1',
subject: {}
},
- result: false
+ error: 'IP: 127.0.0.2 is not in the cert\'s list: ' +
+ '127.0.0.1'
},
{
host: '127.0.0.1', cert: {
subjectaltname: 'DNS:a.com',
subject: {}
},
- result: false
+ error: 'IP: 127.0.0.1 is not in the cert\'s list: '
},
{
host: 'localhost', cert: {
subjectaltname: 'DNS:a.com',
subject: { CN: 'localhost' }
},
- result: false
+ error: 'Host: localhost. is not in the cert\'s altnames: ' +
+ 'DNS:a.com'
},
];
tests.forEach(function(test, i) {
- assert.equal(tls.checkServerIdentity(test.host, test.cert),
- test.result,
- 'Test#' + i + ' failed: ' + util.inspect(test));
+ var err = tls.checkServerIdentity(test.host, test.cert);
+ assert.equal(err && err.reason,
+ test.error,
+ 'Test#' + i + ' failed: ' + util.inspect(test) + '\n' +
+ test.error + ' != ' + (err && err.reason));
});
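Review bot: For the table entries that carry no `error` field, the new check `assert.equal(err && err.reason, test.error, ...)` compares loosely against `undefined`, so a case that is meant to accept the hostname would still pass if `tls.checkServerIdentity` returned an error object whose `reason` is unset or null. These entries are what pin which certificate identities are accepted, so the absence of an error should be asserted explicitly, for example `if (test.error === undefined) assert.ok(!err, 'Test#' + i + ' unexpected error: ' + util.inspect(err));` ahead of the reason comparison. The reason comparison itself would be tighter as `assert.strictEqual`. What `checkServerIdentity` returns on success is not visible in this hunk, which is why the suggestion tests `!err` rather than a specific value.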