{ "DisabledTests": { "*-Async": "We don't support boringssl concept of async", "TLS-ECH-Client-Reject-NoClientCertificate-TLS12": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-Reject-TLS12": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-TLS12-RejectRetryConfigs": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-Rejected-OverrideName-TLS12": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-Reject-TLS12-NoFalseStart": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-TLS12SessionTicket": "We won't attempt to negotiate 1.2 if ECH is enabled", "TLS-ECH-Client-TLS12SessionID": "We won't attempt to negotiate 1.2 if ECH is enabled, and we don't support session ID resumption", "TLS-ECH-Client-Reject-ResumeInnerSession-TLS12": "We won't attempt to negotiate 1.2 if ECH is enabled (we could possibly test this if we had the ability to indicate not to send ECH on resumption?)", "TLS-ECH-Client-Reject-EarlyDataRejected": "Go does not support early (0-RTT) data", "TLS-ECH-Client-NoNPN": "We don't support NPN", "TLS-ECH-Client-ChannelID": "We don't support sending channel ID", "TLS-ECH-Client-Reject-NoChannelID-TLS13": "We don't support sending channel ID", "TLS-ECH-Client-Reject-NoChannelID-TLS12": "We don't support sending channel ID", "TLS-ECH-Client-GREASE-IgnoreHRRExtension": "We don't support ECH GREASE because we don't fallback to plaintext", "TLS-ECH-Client-NoSupportedConfigs-GREASE": "We don't support ECH GREASE because we don't fallback to plaintext", "TLS-ECH-Client-GREASEExtensions": "We don't support ECH GREASE because we don't fallback to plaintext", "TLS-ECH-Client-GREASE-NoOverrideName": "We don't support ECH GREASE because we don't fallback to plaintext", "TLS-ECH-Client-UnsolicitedInnerServerNameAck": "We don't allow sending empty SNI without skipping certificate verification, TODO: could add special flag to bogo to indicate 'empty sni'", "TLS-ECH-Client-NoSupportedConfigs": "We don't support fallback to cleartext when there are no valid ECH configs", "TLS-ECH-Client-SkipInvalidPublicName": "We don't support fallback to cleartext when there are no valid ECH configs", "TLS-ECH-Server-EarlyData": "Go does not support early (0-RTT) data", "TLS-ECH-Server-EarlyDataRejected": "Go does not support early (0-RTT) data", "MLKEMKeyShareIncludedSecond": "BoGo wants us to order the key shares based on its preference, but we don't support that", "MLKEMKeyShareIncludedThird": "BoGo wants us to order the key shares based on its preference, but we don't support that", "PostQuantumNotEnabledByDefaultInClients": "We do enable it by default!", "*-Kyber-TLS13": "We don't support Kyber, only ML-KEM (BoGo bug ignoring AllCurves?)", "*-RSA_PKCS1_SHA256_LEGACY-TLS13": "We don't support the legacy PKCS#1 v1.5 codepoint for TLS 1.3", "*-Verify-RSA_PKCS1_SHA256_LEGACY-TLS12": "Likewise, we don't know how to handle it in TLS 1.2, so we send the wrong alert", "*-VerifyDefault-*": "Our signature algorithms are not configurable, so there is no difference between default and supported", "Ed25519DefaultDisable-*": "We support Ed25519 by default", "NoCommonSignatureAlgorithms-TLS12-Fallback": "We don't support the legacy RSA exchange (without tlsrsakex=1)", "*_SHA1-TLS12": "We don't support SHA-1 in TLS 1.2 (without tlssha1=1)", "Agree-Digest-SHA1": "We don't support SHA-1 in TLS 1.2 (without tlssha1=1)", "ServerAuth-SHA1-Fallback*": "We don't support SHA-1 in TLS 1.2 (without tlssha1=1), so we fail if there are no signature_algorithms", "Agree-Digest-SHA256": "We select signature algorithms in peer preference order. We should consider changing this.", "V2ClientHello-*": "We don't support SSLv2", "SendV2ClientHello*": "We don't support SSLv2", "*QUIC*": "No QUIC support", "Compliance-fips*": "No FIPS", "*DTLS*": "No DTLS", "SendEmptyRecords*": "crypto/tls doesn't implement spam protections", "SendWarningAlerts*": "crypto/tls doesn't implement spam protections", "SendUserCanceledAlerts-TooMany-TLS13": "crypto/tls doesn't implement spam protections", "TooManyKeyUpdates": "crypto/tls doesn't implement spam protections (TODO: I think?)", "KyberNotEnabledByDefaultInClients": "crypto/tls intentionally enables it", "JustConfiguringKyberWorks": "we always send a X25519 key share with Kyber", "KyberKeyShareIncludedSecond": "we always send the Kyber key share first", "KyberKeyShareIncludedThird": "we always send the Kyber key share first", "GREASE-Server-TLS13": "We don't send GREASE extensions", "SendBogusAlertType": "sending wrong alert type", "*Client-P-224*": "no P-224 support", "*Server-P-224*": "no P-224 support", "CurveID-Resume*": "unexposed curveID is not stored in the ticket yet", "BadRSAClientKeyExchange-4": "crypto/tls doesn't check the version number in the premaster secret - see processClientKeyExchange comment", "BadRSAClientKeyExchange-5": "crypto/tls doesn't check the version number in the premaster secret - see processClientKeyExchange comment", "SupportTicketsWithSessionID": "We don't support session ID resumption", "ResumeTLS12SessionID-TLS13": "We don't support session ID resumption", "TrustAnchors-*": "We don't support draft-beck-tls-trust-anchor-ids", "PAKE-Extension-*": "We don't support PAKE", "*TicketFlags": "We don't support draft-ietf-tls-tlsflags", "CheckLeafCurve": "TODO: first pass, this should be fixed", "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed", "SupportedVersionSelection-TLS12": "TODO: first pass, this should be fixed", "UnsolicitedServerNameAck-TLS-TLS1": "TODO: first pass, this should be fixed", "TicketSessionIDLength-33-TLS-TLS1": "TODO: first pass, this should be fixed", "UnsolicitedServerNameAck-TLS-TLS11": "TODO: first pass, this should be fixed", "TicketSessionIDLength-33-TLS-TLS11": "TODO: first pass, this should be fixed", "UnsolicitedServerNameAck-TLS-TLS12": "TODO: first pass, this should be fixed", "TicketSessionIDLength-33-TLS-TLS12": "TODO: first pass, this should be fixed", "UnsolicitedServerNameAck-TLS-TLS13": "TODO: first pass, this should be fixed", "RenegotiationInfo-Forbidden-TLS13": "TODO: first pass, this should be fixed", "EMS-Forbidden-TLS13": "TODO: first pass, this should be fixed", "SendUnsolicitedOCSPOnCertificate-TLS13": "TODO: first pass, this should be fixed", "SendUnsolicitedSCTOnCertificate-TLS13": "TODO: first pass, this should be fixed", "SendUnknownExtensionOnCertificate-TLS13": "TODO: first pass, this should be fixed", "Resume-Server-NoTickets-TLS1-TLS1-TLS": "TODO: first pass, this should be fixed", "Resume-Server-NoTickets-TLS11-TLS11-TLS": "TODO: first pass, this should be fixed", "Resume-Server-NoTickets-TLS12-TLS12-TLS": "TODO: first pass, this should be fixed", "Resume-Server-NoPSKBinder": "TODO: first pass, this should be fixed", "Resume-Server-PSKBinderFirstExtension": "TODO: first pass, this should be fixed", "Resume-Server-PSKBinderFirstExtension-SecondBinder": "TODO: first pass, this should be fixed", "Resume-Server-NoPSKBinder-SecondBinder": "TODO: first pass, this should be fixed", "Resume-Server-OmitPSKsOnSecondClientHello": "TODO: first pass, this should be fixed", "Renegotiate-Server-Forbidden": "TODO: first pass, this should be fixed", "Renegotiate-Client-Forbidden-1": "TODO: first pass, this should be fixed", "UnknownExtension-Client": "TODO: first pass, this should be fixed", "UnknownUnencryptedExtension-Client-TLS13": "TODO: first pass, this should be fixed", "UnofferedExtension-Client-TLS13": "TODO: first pass, this should be fixed", "UnknownExtension-Client-TLS13": "TODO: first pass, this should be fixed", "SendClientVersion-RSA": "TODO: first pass, this should be fixed", "NoCommonCurves": "TODO: first pass, this should be fixed", "PointFormat-EncryptedExtensions-TLS13": "TODO: first pass, this should be fixed", "TLS13-SendNoKEMModesWithPSK-Server": "TODO: first pass, this should be fixed", "TLS13-DuplicateTicketEarlyDataSupport": "TODO: first pass, this should be fixed", "Basic-Client-NoTicket-TLS-Sync": "TODO: first pass, this should be fixed", "Basic-Server-RSA-TLS-Sync": "TODO: first pass, this should be fixed", "Basic-Client-NoTicket-TLS-Sync-SplitHandshakeRecords": "TODO: first pass, this should be fixed", "Basic-Server-RSA-TLS-Sync-SplitHandshakeRecords": "TODO: first pass, this should be fixed", "Basic-Client-NoTicket-TLS-Sync-PackHandshake": "TODO: first pass, this should be fixed", "Basic-Server-RSA-TLS-Sync-PackHandshake": "TODO: first pass, this should be fixed", "PartialSecondClientHelloAfterFirst": "TODO: first pass, this should be fixed", "PartialServerHelloWithHelloRetryRequest": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Server-TLS1": "TODO: first pass, this should be fixed", "PartialClientKeyExchangeWithClientHello": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Server-TLS1": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Client-TLS11": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Client-TLS1": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Client-TLS11": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Client-TLS12": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Client-TLS13": "TODO: first pass, this should be fixed", "PartialNewSessionTicketWithServerHelloDone": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Server-TLS11": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Server-TLS12": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Server-TLS11": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Client-TLS12": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Server-TLS12": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Client-TLS13": "TODO: first pass, this should be fixed", "TrailingDataWithFinished-Resume-Client-TLS1": "TODO: first pass, this should be fixed", "TrailingMessageData-ClientHello-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ServerHello-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ServerCertificate-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ServerHelloDone-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ServerKeyExchange-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-CertificateRequest-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-CertificateVerify-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ServerFinished-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ClientKeyExchange-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-ClientHello-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ClientFinished-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-NewSessionTicket-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-ClientCertificate-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-CertificateRequest-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-ServerCertificateVerify-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-EncryptedExtensions-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-ClientCertificate-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-ClientCertificateVerify-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-ServerCertificate-TLS": "TODO: first pass, this should be fixed", "SkipEarlyData-TLS13": "TODO: first pass, this should be fixed", "DuplicateKeyShares-TLS13": "TODO: first pass, this should be fixed", "Server-TooLongSessionID-TLS13": "TODO: first pass, this should be fixed", "Client-TooLongSessionID": "TODO: first pass, this should be fixed", "Client-ShortSessionID": "TODO: first pass, this should be fixed", "TLS12NoSessionID-TLS13": "TODO: first pass, this should be fixed", "Server-TooLongSessionID-TLS12": "TODO: first pass, this should be fixed", "EmptyEncryptedExtensions-TLS13": "TODO: first pass, this should be fixed", "SkipEarlyData-SecondClientHelloEarlyData-TLS13": "TODO: first pass, this should be fixed", "EncryptedExtensionsWithKeyShare-TLS13": "TODO: first pass, this should be fixed", "HelloRetryRequest-DuplicateCurve-TLS13": "TODO: first pass, this should be fixed", "HelloRetryRequest-DuplicateCookie-TLS13": "TODO: first pass, this should be fixed", "HelloRetryRequest-Unknown-TLS13": "TODO: first pass, this should be fixed", "SendPostHandshakeChangeCipherSpec-TLS13": "TODO: first pass, this should be fixed", "ECDSAKeyUsage-Server-TLS12": "TODO: first pass, this should be fixed", "ECDSAKeyUsage-Server-TLS13": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantEncipherment-GotEnciphermentTLS1": "TODO: first pass, this should be fixed", "RSAKeyUsage-Server-WantSignature-GotEncipherment-TLS1": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantSignature-GotSignature-TLS1": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantEncipherment-GotEnciphermentTLS11": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantSignature-GotSignature-TLS11": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantEncipherment-GotEnciphermentTLS12": "TODO: first pass, this should be fixed", "RSAKeyUsage-Server-WantSignature-GotEncipherment-TLS12": "TODO: first pass, this should be fixed", "RSAKeyUsage-Server-WantSignature-GotEncipherment-TLS11": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantSignature-GotSignature-TLS12": "TODO: first pass, this should be fixed", "RSAKeyUsage-Client-WantSignature-GotSignature-TLS13": "TODO: first pass, this should be fixed", "RSAKeyUsage-Server-WantSignature-GotEncipherment-TLS13": "TODO: first pass, this should be fixed", "EmptyExtensions-ClientHello-TLS1": "TODO: first pass, this should be fixed", "OmitExtensions-ClientHello-TLS1": "TODO: first pass, this should be fixed", "EmptyExtensions-ClientHello-TLS12": "TODO: first pass, this should be fixed", "OmitExtensions-ClientHello-TLS12": "TODO: first pass, this should be fixed", "EmptyExtensions-ClientHello-TLS11": "TODO: first pass, this should be fixed", "OmitExtensions-ClientHello-TLS11": "TODO: first pass, this should be fixed", "DuplicateCertCompressionExt-TLS12": "TODO: first pass, this should be fixed", "DuplicateCertCompressionExt-TLS13": "TODO: first pass, this should be fixed", "Client-RejectJDK11DowngradeRandom": "TODO: first pass, this should be fixed", "CheckClientCertificateTypes": "TODO: first pass, this should be fixed", "CheckECDSACurve-TLS12": "TODO: first pass, this should be fixed", "ALPNClient-RejectUnknown-TLS-TLS1": "TODO: first pass, this should be fixed", "ALPNClient-RejectUnknown-TLS-TLS11": "TODO: first pass, this should be fixed", "ALPNClient-RejectUnknown-TLS-TLS12": "TODO: first pass, this should be fixed", "ALPNClient-RejectUnknown-TLS-TLS13": "TODO: first pass, this should be fixed", "ClientHelloPadding": "TODO: first pass, this should be fixed", "TLS13-ExpectTicketEarlyDataSupport": "TODO: first pass, this should be fixed", "TLS13-EarlyData-TooMuchData-Client-TLS-Sync": "TODO: first pass, this should be fixed", "TLS13-EarlyData-TooMuchData-Client-TLS-Sync-SplitHandshakeRecords": "TODO: first pass, this should be fixed", "TLS13-EarlyData-TooMuchData-Client-TLS-Sync-PackHandshake": "TODO: first pass, this should be fixed", "WrongMessageType-TLS13-EndOfEarlyData-TLS": "TODO: first pass, this should be fixed", "TrailingMessageData-TLS13-EndOfEarlyData-TLS": "TODO: first pass, this should be fixed", "SendHelloRetryRequest-2-TLS13": "TODO: first pass, this should be fixed", "EarlyData-SkipEndOfEarlyData-TLS13": "TODO: first pass, this should be fixed", "EarlyData-Server-BadFinished-TLS13": "TODO: first pass, this should be fixed", "EarlyData-UnexpectedHandshake-Server-TLS13": "TODO: first pass, this should be fixed", "EarlyData-CipherMismatch-Client-TLS13": "TODO: first pass, this should be fixed", "Resume-Server-UnofferedCipher-TLS13": "TODO: first pass, this should be fixed", "GarbageCertificate-Server-TLS13": "TODO: 2025/06 BoGo update, should be fixed", "WrongMessageType-TLS13-ClientCertificate-TLS": "TODO: 2025/06 BoGo update, should be fixed", "KeyUpdate-Requested": "TODO: 2025/06 BoGo update, should be fixed", "AppDataBeforeTLS13KeyChange-*": "TODO: 2025/06 BoGo update, should be fixed" }, "AllCurves": [ 23, 24, 25, 29, 4588 ], "ErrorMap": { ":ECH_REJECTED:": ["tls: server rejected ECH"] } }