diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d4c73fc8d..e13c7cba7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -470,7 +470,7 @@ int ca_callback( void *data, mbedtls_x509_crt const *child, * set of trusted certificates (such as a hashtable) and only * return those trusted certificates which satisfy basic * parental checks, such as the matching of child `Issuer` - * and parent `Subject` field. */ + * and parent `Subject` field or matching key identifiers. */ ((void) child); first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6f967da40..e9322ec0b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -947,10 +947,6 @@ run_test "CA callback on client" \ "$P_CLI ca_callback=1 debug_level=3 " \ 0 \ -c "use CA callback for X.509 CRT verification"\ - -s "Protocol is TLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \ - -s "client hello v3, signature_algorithm ext: 6" \ - -s "ECDHE curve: secp521r1" \ -S "error" \ -C "error" @@ -2602,7 +2598,8 @@ run_test "DER format: with 9 trailing random bytes" \ 0 \ -c "Handshake was completed" \ -# Tests for auth_mode +# Tests for auth_mode, there are duplicated tests using ca callback for authentication +# When updating these tests, modify the matching authentication tests accordingly run_test "Authentication: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ @@ -2981,7 +2978,8 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig -c "! mbedtls_ssl_handshake returned" \ -s "X509 - Certificate verification failed" -# Tests for auth_mode, using CA callback +# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests +# When updating these tests, modify the matching authentication tests accordingly requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server badcert, client required" \