Fix TLSSocket tests

Kimmo Vaisanen · Kimmo Vaisanen · commit 986204f2699e · 2019-09-25T09:25:33.000+03:00
- set certs and keys after socket open() as required by offloaded TLSSocket
- Added more checks for invalid handshake test and removed google.com test as
  as some modems (e.g. BG96) might contains root CA for google.com
diff --git a/TESTS/netsocket/tls/main.cpp b/TESTS/netsocket/tls/main.cpp
@@ -84,15 +84,15 @@ nsapi_error_t tlssocket_connect_to_srv(TLSSocket &sock, uint16_t port)
 
     printf("MBED: Server '%s', port %d\n", tls_addr.get_ip_address(), tls_addr.get_port());
 
-    nsapi_error_t err = sock.set_root_ca_cert(tls_global::cert);
+    nsapi_error_t err = sock.open(NetworkInterface::get_default_instance());
     if (err != NSAPI_ERROR_OK) {
-        printf("Error from sock.set_root_ca_cert: %d\n", err);
+        printf("Error from sock.open: %d\n", err);
         return err;
     }
 
-    err = sock.open(NetworkInterface::get_default_instance());
+    err = sock.set_root_ca_cert(tls_global::cert);
     if (err != NSAPI_ERROR_OK) {
-        printf("Error from sock.open: %d\n", err);
+        printf("Error from sock.set_root_ca_cert: %d\n", err);
         return err;
     }
 
diff --git a/TESTS/netsocket/tls/tlssocket_endpoint_close.cpp b/TESTS/netsocket/tls/tlssocket_endpoint_close.cpp
@@ -48,6 +48,10 @@ static nsapi_error_t _tlssocket_connect_to_daytime_srv(TLSSocket &sock)
         return err;
     }
 
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert(tls_global::cert));
+
+    sock.set_timeout(10000); // Set timeout for case TLSSocket does not support peer closed indication
+
     return sock.connect(tls_addr);
 }
 
@@ -62,7 +66,6 @@ void TLSSOCKET_ENDPOINT_CLOSE()
     tc_exec_time.start();
 
     TLSSocket sock;
-    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert(tls_global::cert));
     if (_tlssocket_connect_to_daytime_srv(sock) != NSAPI_ERROR_OK) {
         TEST_FAIL();
         return;
diff --git a/TESTS/netsocket/tls/tlssocket_handshake_invalid.cpp b/TESTS/netsocket/tls/tlssocket_handshake_invalid.cpp
@@ -28,12 +28,18 @@ using namespace utest::v1;
 
 void TLSSOCKET_HANDSHAKE_INVALID()
 {
+    const int https_port = 443;
     SKIP_IF_TCP_UNSUPPORTED();
     TLSSocket sock;
     TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.open(NetworkInterface::get_default_instance()));
     TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert(tls_global::cert));
-    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE,
-                      sock.connect("google.com", 443)); // 443 is https port.
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("expired.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("wrong.host.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("self-signed.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("untrusted-root.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("revoked.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("pinning-test.badssl.com", https_port));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("sha1-intermediate.badssl.com", https_port));
     TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.close());
 }
 
