Test

esl · Nov 19, 2024 · bf6ff71 · bf6ff71
1 parent 656e976
commit bf6ff71
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/test/config_parser_SUITE.erl b/test/config_parser_SUITE.erl
@@ -1220,14 +1220,19 @@ test_just_tls_client_sni(ParentP, ParentT) ->
     ?err(T(#{<<"protocol">> => <<"http">>})).
 
 test_fast_tls_server(P, T) ->
-    ?cfg(P ++ [verify_mode], none, T(#{<<"verify_mode">> => <<"none">>})),
     M = tls_ca_raw(),
     ?cfg(P ++ [certfile], "priv/cert.pem", T(M#{<<"certfile">> => <<"priv/cert.pem">>})),
     ?cfg(P ++ [cacertfile], "priv/ca.pem", T(M)),
     ?cfg(P ++ [ciphers], "TLS_AES_256_GCM_SHA384",
          T(M#{<<"ciphers">> => <<"TLS_AES_256_GCM_SHA384">>})),
     ?cfg(P ++ [dhfile], "priv/dh.pem", T(M#{<<"dhfile">> => <<"priv/dh.pem">>})),
     ?cfg(P ++ [protocol_options], ["nosslv2"], T(M#{<<"protocol_options">> => [<<"nosslv2">>]})),
+    %% we do not require `cacertfile` when `verify_mode` is `none`
+    ?cfg(P ++ [verify_mode], none, T(#{<<"verify_mode">> => <<"none">>})),
+    %% we require `cacertfile` when `verify_mode` is `peer` (which is the default)
+    ?cfg(P ++ [cacertfile], "priv/ca.pem", T(M#{<<"verify_mode">> => <<"peer">>})),
+    ?err([#{reason := missing_cacertfile}], T(#{})),
+    ?err([#{reason := missing_cacertfile}], T(#{<<"verify_mode">> => <<"peer">>})),
     ?err(T(#{<<"verify_mode">> => <<"selfsigned_peer">>})), % value only for just_tls
     ?err(T(#{<<"crl_files">> => [<<"priv/cert.pem">>]})), % option only for just_tls
     ?err(T(#{<<"certfile">> => <<"no_such_file.pem">>})),