test: confirm tls server suite default is its own
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. PR-URL: https://github.com/nodejs/node/pull/24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
This commit is contained in:
Sam Roberts
parent
a745b1bdd0
commit
13a6798001
@ -1,41 +1,38 @@
|
|||||||
'use strict';
|
'use strict';
|
||||||
const common = require('../common');
|
const common = require('../common');
|
||||||
const fixtures = require('../common/fixtures');
|
const fixtures = require('../common/fixtures');
|
||||||
|
|
||||||
|
// Test the honorCipherOrder property
|
||||||
|
|
||||||
if (!common.hasCrypto)
|
if (!common.hasCrypto)
|
||||||
common.skip('missing crypto');
|
common.skip('missing crypto');
|
||||||
|
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
const mustCall = common.mustCall;
|
||||||
const tls = require('tls');
|
const tls = require('tls');
|
||||||
|
const util = require('util');
|
||||||
let nconns = 0;
|
|
||||||
|
|
||||||
// We explicitly set TLS version to 1.2 so as to be safe when the
|
// We explicitly set TLS version to 1.2 so as to be safe when the
|
||||||
// default method is updated in the future
|
// default method is updated in the future
|
||||||
const SSL_Method = 'TLSv1_2_method';
|
const SSL_Method = 'TLSv1_2_method';
|
||||||
const localhost = '127.0.0.1';
|
const localhost = '127.0.0.1';
|
||||||
|
|
||||||
process.on('exit', function() {
|
function test(honorCipherOrder, clientCipher, expectedCipher, defaultCiphers) {
|
||||||
assert.strictEqual(nconns, 6);
|
|
||||||
});
|
|
||||||
|
|
||||||
function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
|
|
||||||
const soptions = {
|
const soptions = {
|
||||||
secureProtocol: SSL_Method,
|
secureProtocol: SSL_Method,
|
||||||
key: fixtures.readKey('agent2-key.pem'),
|
key: fixtures.readKey('agent2-key.pem'),
|
||||||
cert: fixtures.readKey('agent2-cert.pem'),
|
cert: fixtures.readKey('agent2-cert.pem'),
|
||||||
ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
|
ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
|
||||||
'ECDHE-RSA-AES128-GCM-SHA256',
|
'ECDHE-RSA-AES128-GCM-SHA256',
|
||||||
honorCipherOrder: !!honorCipherOrder
|
honorCipherOrder: honorCipherOrder,
|
||||||
};
|
};
|
||||||
|
|
||||||
const server = tls.createServer(soptions, function(cleartextStream) {
|
const server = tls.createServer(soptions, mustCall(function(clearTextStream) {
|
||||||
nconns++;
|
|
||||||
|
|
||||||
// End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
|
// End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
|
||||||
// it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
|
// it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
|
||||||
cleartextStream.end();
|
clearTextStream.end();
|
||||||
});
|
}));
|
||||||
server.listen(0, localhost, function() {
|
server.listen(0, localhost, mustCall(function() {
|
||||||
const coptions = {
|
const coptions = {
|
||||||
rejectUnauthorized: false,
|
rejectUnauthorized: false,
|
||||||
secureProtocol: SSL_Method
|
secureProtocol: SSL_Method
|
||||||
@ -44,54 +41,50 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
|
|||||||
coptions.ciphers = clientCipher;
|
coptions.ciphers = clientCipher;
|
||||||
}
|
}
|
||||||
const port = this.address().port;
|
const port = this.address().port;
|
||||||
const client = tls.connect(port, localhost, coptions, function() {
|
const savedDefaults = tls.DEFAULT_CIPHERS;
|
||||||
|
tls.DEFAULT_CIPHERS = defaultCiphers || savedDefaults;
|
||||||
|
const client = tls.connect(port, localhost, coptions, mustCall(function() {
|
||||||
const cipher = client.getCipher();
|
const cipher = client.getCipher();
|
||||||
client.end();
|
client.end();
|
||||||
server.close();
|
server.close();
|
||||||
assert.strictEqual(cipher.name, expectedCipher);
|
const msg = util.format(
|
||||||
if (cb) cb();
|
'honorCipherOrder=%j, clientCipher=%j, expect=%j, got=%j',
|
||||||
});
|
honorCipherOrder, clientCipher, expectedCipher, cipher.name);
|
||||||
});
|
assert.strictEqual(cipher.name, expectedCipher, msg);
|
||||||
|
}));
|
||||||
|
tls.DEFAULT_CIPHERS = savedDefaults;
|
||||||
|
}));
|
||||||
}
|
}
|
||||||
|
|
||||||
test1();
|
// Client explicitly has the preference of cipher suites, not the default.
|
||||||
|
|
||||||
function test1() {
|
|
||||||
// Client has the preference of cipher suites by default
|
|
||||||
test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
|
test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
|
||||||
'AES128-GCM-SHA256', test2);
|
'AES128-GCM-SHA256');
|
||||||
}
|
|
||||||
|
|
||||||
function test2() {
|
|
||||||
// Server has the preference of cipher suites, and AES256-SHA256 is
|
// Server has the preference of cipher suites, and AES256-SHA256 is
|
||||||
// the server's top choice.
|
// the server's top choice.
|
||||||
test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
|
test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
|
||||||
'AES256-SHA256', test3);
|
'AES256-SHA256');
|
||||||
}
|
test(undefined, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
|
||||||
|
'AES256-SHA256');
|
||||||
|
|
||||||
function test3() {
|
|
||||||
// Server has the preference of cipher suites. AES128-GCM-SHA256 is given
|
// Server has the preference of cipher suites. AES128-GCM-SHA256 is given
|
||||||
// higher priority over AES128-SHA256 among client cipher suites.
|
// higher priority over AES128-SHA256 among client cipher suites.
|
||||||
test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4);
|
test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256');
|
||||||
|
test(undefined, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256');
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
function test4() {
|
|
||||||
// As client has only one cipher, server has no choice, irrespective
|
// As client has only one cipher, server has no choice, irrespective
|
||||||
// of honorCipherOrder.
|
// of honorCipherOrder.
|
||||||
test(true, 'AES128-SHA256', 'AES128-SHA256', test5);
|
test(true, 'AES128-SHA256', 'AES128-SHA256');
|
||||||
}
|
test(undefined, 'AES128-SHA256', 'AES128-SHA256');
|
||||||
|
|
||||||
function test5() {
|
|
||||||
// Client did not explicitly set ciphers and client offers
|
// Client did not explicitly set ciphers and client offers
|
||||||
// tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
|
// tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
|
||||||
// default list so the negotiated cipher is selected according to the
|
// default list so the negotiated cipher is selected according to the
|
||||||
// server's top preference of AES256-SHA256.
|
// server's top preference of AES256-SHA256.
|
||||||
test(true, null, 'AES256-SHA256', test6);
|
test(true, tls.DEFAULT_CIPHERS, 'AES256-SHA256');
|
||||||
}
|
test(true, null, 'AES256-SHA256');
|
||||||
|
test(undefined, null, 'AES256-SHA256');
|
||||||
|
|
||||||
function test6() {
|
// Ensure that `tls.DEFAULT_CIPHERS` is used when its a limited cipher set.
|
||||||
// Ensure that `tls.DEFAULT_CIPHERS` is used
|
test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256');
|
||||||
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256';
|
|
||||||
test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256');
|
|
||||||
}
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user