|
The current state of the SSL integration tests are lacking when it comes to testing the expected behavior of the server with various combinations of TLS options.
For instance, there should be tests (both negative and positive) to verify that client certificate validation works as expected when the server is configured with 1. only the CAFile, 2. only the clusterCAFile, and 3. with both CAFile and clusterCAFile. If neither CAFile nor clusterCAFile is provided, we need to have a test to ensure that a proper startup warning is emitted in the logs, and that client certificates using bad certificates can indeed connect to the server.
We should also have a test to verify the cases when the server uses the system CA store to validate ingress connections. For example, in Windows, specifying a certificateSelector or clusterCertificateSelector without specifying a CA PEM file, will cause the server to use the system CA store to validate client certificates.
|