
test: change tls tests not to use LOW cipher

DES-CBC-SHA is a LOW cipher that is disabled by default, and it is used in
the honorcipherorder tests. The tests are changed as follows:

- use RC4-SHA instead of DES-CBC-SHA.
- add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are
available in !RC4:!HIGH:ALL.

Fixes: https://github.com/nodejs/LTS/issues/85
PR-URL: https://github.com/nodejs/node/pull/5712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
v0.12-staging
Shigeki Ohtsu 9 years ago
parent
commit
9c06db7444
  1. 6
      deps/openssl/config/opensslconf.h
  2. 22
      test/simple/test-tls-honorcipherorder-secureOptions.js
  3. 23
      test/simple/test-tls-honorcipherorder.js

6
deps/openssl/config/opensslconf.h

@ -44,9 +44,9 @@
# ifndef OPENSSL_NO_STORE # ifndef OPENSSL_NO_STORE
# define OPENSSL_NO_STORE # define OPENSSL_NO_STORE
# endif # endif
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS # define OPENSSL_NO_WEAK_SSL_CIPHERS
#endif # endif
#endif /* OPENSSL_DOING_MAKEDEPEND */ #endif /* OPENSSL_DOING_MAKEDEPEND */
#ifndef OPENSSL_THREADS #ifndef OPENSSL_THREADS

22
test/simple/test-tls-honorcipherorder-secureOptions.js

@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
secureProtocol: SSL_Method, secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'), cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA', ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
secureOptions: secureOptions, secureOptions: secureOptions,
honorCipherOrder: !!honorCipherOrder honorCipherOrder: !!honorCipherOrder
}; };
@ -95,37 +95,37 @@ test1();
function test1() { function test1() {
// Client has the preference of cipher suites by default // Client has the preference of cipher suites by default
test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2); test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
} }
function test2() { function test2() {
// Server has the preference of cipher suites where AES256-SHA is in // Server has the preference of cipher suites where AES256-SHA is in
// the first. // the first.
test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3); test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
} }
function test3() { function test3() {
// Server has the preference of cipher suites. RC4-SHA is given // Server has the preference of cipher suites. AES256-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites. // higher priority over RC4-SHA among client cipher suites.
test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4); test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
} }
function test4() { function test4() {
// As client has only one cipher, server has no choice in regardless // As client has only one cipher, server has no choice in regardless
// of honorCipherOrder. // of honorCipherOrder.
test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5); test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
} }
function test5() { function test5() {
test(false, test(false,
'DES-CBC-SHA', 'RC4-SHA',
'DES-CBC-SHA', 'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE, test6); process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
} }
function test6() { function test6() {
test(true, test(true,
'DES-CBC-SHA', 'RC4-SHA',
'DES-CBC-SHA', 'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE); process.binding('constants').SSL_OP_SINGLE_DH_USE);
} }
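Review bot: The rewritten test3 no longer exercises anything test2 does not. With the server list `AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA` and the client list `RC4-SHA:AES256-SHA`, the server's first choice is always on offer, so the case where the server must fall back to its second preference (which the old `DES-CBC-SHA:RC4-SHA` client list covered) is lost. A client list that omits AES256-SHA restores it, e.g. `test(true, 'ECDHE-RSA-AES256-SHA:RC4-SHA', 'RC4-SHA', 0, test4);`. The comment above the call would then say that RC4-SHA is given higher priority over ECDHE-RSA-AES256-SHA among the client cipher suites.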

23
test/simple/test-tls-honorcipherorder.js

@ -30,7 +30,7 @@ var SSL_Method = 'TLSv1_method';
var localhost = '127.0.0.1'; var localhost = '127.0.0.1';
process.on('exit', function() { process.on('exit', function() {
assert.equal(nconns, 6); assert.equal(nconns, 5);
}); });
function test(honorCipherOrder, clientCipher, expectedCipher, cb) { function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
@ -38,7 +38,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
secureProtocol: SSL_Method, secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'), cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA', ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA',
honorCipherOrder: !!honorCipherOrder honorCipherOrder: !!honorCipherOrder
}; };
@ -75,31 +75,24 @@ function test1() {
} }
function test2() { function test2() {
// Server has the preference of cipher suites where DES-CBC-SHA is in // Server has the preference of cipher suites where RC4-SHA is in
// the first. // the first.
test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3); test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3);
} }
function test3() { function test3() {
// Server has the preference of cipher suites. RC4-SHA is given // Server has the preference of cipher suites. AES256-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites. // higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4); test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4);
} }
function test4() { function test4() {
// As client has only one cipher, server has no choice in regardless // As client has only one cipher, server has no choice in regardless
// of honorCipherOrder. // of honorCipherOrder.
test(true, 'RC4-SHA', 'RC4-SHA', test5); test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5);
} }
function test5() { function test5() {
// Client did not explicitly set ciphers. Ensure that client defaults to
// sane ciphers. Even though server gives top priority to DES-CBC-SHA
// it should not be negotiated because it's not in default client ciphers.
test(true, null, 'AES256-SHA', test6);
}
function test6() {
// Ensure that `tls.DEFAULT_CIPHERS` is used // Ensure that `tls.DEFAULT_CIPHERS` is used
SSL_Method = 'TLSv1_2_method'; SSL_Method = 'TLSv1_2_method';
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA'; tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
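Review bot: The new server list in `test()` is headed by RC4-SHA and test2 now expects RC4-SHA to be negotiated, so the test still depends on a cipher that RFC 7465 prohibits for TLS and that is a likely next candidate for removal from the default build, which would repeat the breakage this commit fixes for DES-CBC-SHA. A second AES suite in its place, e.g. `ciphers: 'AES128-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA'` with test2 as `test(true, 'AES256-SHA:AES128-SHA', 'AES128-SHA', test3);`, would keep the ordering checks without relying on RC4; the same applies to the RC4-SHA entries in test-tls-honorcipherorder-secureOptions.js. The removed test5 was the only visible check that a client using default ciphers does not negotiate a weak suite the server prefers, and whether that is covered elsewhere cannot be seen from this page. The body of the new test5 continues outside the hunk.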
