1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
package acceptance_test
import (
"crypto/tls"
"testing"
"github.com/stretchr/testify/require"
)
func TestAcceptsSupportedCiphers(t *testing.T) {
skipUnlessEnabled(t)
teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
defer teardown()
tlsConfig := &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
},
}
client, cleanup := ClientWithConfig(tlsConfig)
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
if rsp != nil {
rsp.Body.Close()
}
require.NoError(t, err)
}
func tlsConfigWithInsecureCiphersOnly() *tls.Config {
return &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
},
MaxVersion: tls.VersionTLS12, // ciphers for TLS1.3 are not configurable and will work if enabled
}
}
func TestRejectsUnsupportedCiphers(t *testing.T) {
skipUnlessEnabled(t)
teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
defer teardown()
client, cleanup := ClientWithConfig(tlsConfigWithInsecureCiphersOnly())
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
if rsp != nil {
rsp.Body.Close()
}
require.Error(t, err)
require.Nil(t, rsp)
}
func TestEnableInsecureCiphers(t *testing.T) {
skipUnlessEnabled(t)
teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-insecure-ciphers")
defer teardown()
client, cleanup := ClientWithConfig(tlsConfigWithInsecureCiphersOnly())
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
if rsp != nil {
rsp.Body.Close()
}
require.NoError(t, err)
}
func TestTLSVersions(t *testing.T) {
skipUnlessEnabled(t)
tests := map[string]struct {
tlsMin string
tlsMax string
tlsClient uint16
expectError bool
}{
"client version not supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS10, expectError: true},
"client version supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS12, expectError: false},
"client and server using default settings": {tlsMin: "", tlsMax: "", tlsClient: 0, expectError: false},
}
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
args := []string{}
if tc.tlsMin != "" {
args = append(args, "-tls-min-version", tc.tlsMin)
}
if tc.tlsMax != "" {
args = append(args, "-tls-max-version", tc.tlsMax)
}
teardown := RunPagesProcess(t, *pagesBinary, listeners, "", args...)
defer teardown()
tlsConfig := &tls.Config{}
if tc.tlsClient != 0 {
tlsConfig.MinVersion = tc.tlsClient
tlsConfig.MaxVersion = tc.tlsClient
}
client, cleanup := ClientWithConfig(tlsConfig)
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
if rsp != nil {
rsp.Body.Close()
}
if tc.expectError {
require.Error(t, err)
} else {
require.NoError(t, err)
}
})
}
}
|