author | Sam Roberts <vieuxtech@gmail.com> | 2018-05-06 13:52:34 +0900 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2018-11-22 09:14:58 -0800 |
commit | f512f5ea138fe86e47c0179d5733044daf6f4fe6 (patch) | |
tree | 944745196104118f057d4e0834b62422cf72480f /test/parallel/test-tls-min-max-version.js | |
parent | 160ac0f32513337214dc5a4cdb1fa8de3c2ed14c (diff) | |
tls: add min/max protocol version options
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'test/parallel/test-tls-min-max-version.js')
-rw-r--r-- | test/parallel/test-tls-min-max-version.js | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
new file mode 100644
index 0000000000..3a3dab33d5
--- /dev/null
+++ b/test/parallel/test-tls-min-max-version.js
@@ -0,0 +1,146 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+
+// Check min/max protocol versions.
+
+const {
+ assert, connect, keys, tls
+} = require(fixtures.path('tls-connect'));
+const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
+
+function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
+ connect({
+ client: {
+ checkServerIdentity: (servername, cert) => { },
+ ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
+ minVersion: cmin,
+ maxVersion: cmax,
+ secureProtocol: cprot,
+ },
+ server: {
+ cert: keys.agent6.cert,
+ key: keys.agent6.key,
+ minVersion: smin,
+ maxVersion: smax,
+ secureProtocol: sprot,
+ },
+ }, common.mustCall((err, pair, cleanup) => {
+ if (expect && !expect.match(/^TLS/)) {
+ assert(err.message.match(expect));
+ return cleanup();
+ }
+
+ if (expect) {
+ assert.ifError(pair.server.err);
+ assert.ifError(pair.client.err);
+ assert(pair.server.conn);
+ assert(pair.client.conn);
+ assert.strictEqual(pair.client.conn.getProtocol(), expect);
+ assert.strictEqual(pair.server.conn.getProtocol(), expect);
+ return cleanup();
+ }
+
+ assert(pair.server.err);
+ assert(pair.client.err);
+ return cleanup();
+ }));
+}
+
+const U = undefined;
+
+// Default protocol is TLSv1.2.
+test(U, U, U, U, U, U, 'TLSv1.2');
+
+// Insecure or invalid protocols cannot be enabled.
+test(U, U, U, U, U, 'SSLv2_method', 'SSLv2 methods disabled');
+test(U, U, U, U, U, 'SSLv3_method', 'SSLv3 methods disabled');
+test(U, U, 'SSLv2_method', U, U, U, 'SSLv2 methods disabled');
+test(U, U, 'SSLv3_method', U, U, U, 'SSLv3 methods disabled');
+test(U, U, 'hokey-pokey', U, U, U, 'Unknown method');
+test(U, U, U, U, U, 'hokey-pokey', 'Unknown method');
+
+// Cannot use secureProtocol and min/max versions simultaneously.
+test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', 'conflicts with secureProtocol');
+test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', 'conflicts with secureProtocol');
+test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
+test('TLSv1.2', U, 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
+
+// TLS_method means "any supported protocol".
+test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2');
+test(U, U, 'TLSv1_1_method', U, U, 'TLS_method', 'TLSv1.1');
+test(U, U, 'TLSv1_method', U, U, 'TLS_method', 'TLSv1');
+test(U, U, 'TLS_method', U, U, 'TLSv1_2_method', 'TLSv1.2');
+test(U, U, 'TLS_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
+test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');
+
+// SSLv23 also means "any supported protocol" greater than the default
+// minimum (which is configurable via command line).
+test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');
+
+if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+ test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', null);
+ test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', null);
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
+}
+
+if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+ test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
+ test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
+}
+
+if (DEFAULT_MIN_VERSION === 'TLSv1') {
+ test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
+ test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'TLSv1');
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
+ test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'TLSv1');
+}
+
+// TLSv1 thru TLSv1.2 are only supported with explicit configuration with API or
+// CLI (--tls-v1.0 and --tls-v1.1).
+test(U, U, 'TLSv1_2_method', U, U, 'TLSv1_2_method', 'TLSv1.2');
+test(U, U, 'TLSv1_1_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
+test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1');
+
+// The default default.
+if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+ test(U, U, 'TLSv1_1_method', U, U, U, null);
+ test(U, U, 'TLSv1_method', U, U, U, null);
+ test(U, U, U, U, U, 'TLSv1_1_method', null);
+ test(U, U, U, U, U, 'TLSv1_method', null);
+}
+
+// The default with --tls-v1.1.
+if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+ test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
+ test(U, U, 'TLSv1_method', U, U, U, null);
+ test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');
+ test(U, U, U, U, U, 'TLSv1_method', null);
+}
+
+// The default with --tls-v1.0.
+if (DEFAULT_MIN_VERSION === 'TLSv1') {
+ test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
+ test(U, U, 'TLSv1_method', U, U, U, 'TLSv1');
+ test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');
+ test(U, U, U, U, U, 'TLSv1_method', 'TLSv1');
+}
+
+// TLS min/max are respected when set with no secureProtocol.
+test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_method', 'TLSv1');
+test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_1_method', 'TLSv1.1');
+test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_2_method', 'TLSv1.2');
+
+test(U, U, 'TLSv1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1');
+test(U, U, 'TLSv1_1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+test(U, U, 'TLSv1_2_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.2');
+
+test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1');
+test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1.2', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1'); |
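Review bot: In the first branch of the `connect` callback inside `test()`, `assert(err.message.match(expect))` dereferences `err` before establishing it exists, so a case that expects a configuration error but where the handshake unexpectedly succeeds would presumably fail with a TypeError on `err.message` rather than an assertion naming the message it was looking for; `assert(err, \`expected an error matching ${expect}\`);` placed just before the match gives the failure a useful message. The empty `checkServerIdentity: (servername, cert) => { }` turns off hostname verification on the client while chain validation against the `ca` option remains in force, and nothing in the file says why; a comment such as `// Hostname check is skipped on purpose: fixture certs are not issued for the loopback name; the chain is still validated against ca.` would stop a future reader from treating it as an oversight (the reason is inferred from the fixtures, so confirm before wording it). The `minVersion`/`maxVersion` cases at the end of the file use only valid protocol strings; there is no case with an unrecognized version string or with `minVersion` set above `maxVersion`, so the validation path for the new options appears untested here unless it is covered by another file in the PR.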