author | Krasimir Angelov <kangelov@gitlab.com> | 2019-05-28 12:46:50 +0300 |
committer | Nick Thomas <nick@gitlab.com> | 2019-05-28 12:46:50 +0300 |
commit | 1050f11598642b017486fc655561399d3766efb5 (patch) | |
tree | c559fced12a012af3f680512e3869b2e4454176c /acceptance_test.go | |
parent | ef7fff4fa64c9cb3ca57faef3f26fa59f4f51ecb (diff) |
Add config flags to specify TLS versions
Introduce two new configuration options -tls-min-version and
-tls-max-version to control which TLS versions will be supported by the
server. Accepted values are ssl3, tls1.0, tls1.1, tls1.2, and tls1.3.
Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/187
Diffstat (limited to 'acceptance_test.go')
-rw-r--r-- | acceptance_test.go | 88 |
1 files changed, 72 insertions, 16 deletions
diff --git a/acceptance_test.go b/acceptance_test.go
index f68b31ef..b22d5e97 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -1063,15 +1063,17 @@ func TestAcceptsSupportedCiphers(t *testing.T) {
 teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
 defer teardown()
 
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ },
 }
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
 defer cleanup()
 
 rsp, err := client.Get(httpsListener.URL("/"))
@@ -1088,11 +1090,13 @@ func TestRejectsUnsupportedCiphers(t *testing.T) {
 teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
 defer teardown()
 
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
 }
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
 defer cleanup()
 
 rsp, err := client.Get(httpsListener.URL("/"))
@@ -1110,11 +1114,13 @@ func TestEnableInsecureCiphers(t *testing.T) {
 teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-insecure-ciphers")
 defer teardown()
 
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
 }
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
 defer cleanup()
 
 rsp, err := client.Get(httpsListener.URL("/"))
@@ -1125,3 +1131,53 @@ func TestEnableInsecureCiphers(t *testing.T) {
 require.NoError(t, err)
 }
+
+func TestTLSVersions(t *testing.T) {
+ skipUnlessEnabled(t)
+
+ tests := map[string]struct {
+ tlsMin string
+ tlsMax string
+ tlsClient uint16
+ expectError bool
+ }{
+ "client version not supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS10, expectError: true},
+ "client version supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS12, expectError: false},
+ "client and server using default settings": {tlsMin: "", tlsMax: "", tlsClient: 0, expectError: false},
+ }
+
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ args := []string{}
+ if tc.tlsMin != "" {
+ args = append(args, "-tls-min-version", tc.tlsMin)
+ }
+ if tc.tlsMax != "" {
+ args = append(args, "-tls-max-version", tc.tlsMax)
+ }
+
+ teardown := RunPagesProcess(t, *pagesBinary, listeners, "", args...)
+ defer teardown()
+
+ tlsConfig := &tls.Config{}
+ if tc.tlsClient != 0 {
+ tlsConfig.MinVersion = tc.tlsClient
+ tlsConfig.MaxVersion = tc.tlsClient
+ }
+ client, cleanup := ClientWithConfig(tlsConfig)
+ defer cleanup()
+
+ rsp, err := client.Get(httpsListener.URL("/"))
+
+ if rsp != nil {
+ rsp.Body.Close()
+ }
+
+ if tc.expectError {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ }
+ })
+ }
+}
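Review bot: The negative case in TestTLSVersions only asserts `require.Error(t, err)`, so any failure to reach the server at all (process not yet listening, connection refused) would satisfy it just as well as a real version rejection at the handshake; narrow it to the TLS alert, e.g. `require.Contains(t, err.Error(), "protocol version not supported")`, which is how Go's client should surface the server's protocol_version alert. The table also never exercises the upper bound: every case sets tlsMax to "tls1.2" with a client at or below it, so a -tls-max-version that is parsed but never applied would still pass; add a case such as `"client version above max": {tlsMin: "tls1.0", tlsMax: "tls1.1", tlsClient: tls.VersionTLS12, expectError: true},`. This hunk begins in the tail of TestEnableInsecureCiphers, whose body starts outside it.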