package setup
import (
"crypto/tls"
"testing"
)
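// TestTLSParseBasic checks that a minimal `tls cert key` directive records the
// certificate and key file names, enables TLS, and leaves the protocol and
// cipher defaults that TLS() applies in place.
//
// NOTE(review): this test pins whatever TLS() currently sets as its defaults
// (TLS 1.0 as the minimum version and a suite list that includes CBC suites).
// Raising those defaults is a change to TLS(), and this test has to move with it.
func TestTLSParseBasic(t *testing.T) {
	c := NewTestController(`tls cert.pem key.pem`)

	// None of the field checks below mean anything if parsing itself failed,
	// so stop here instead of reporting a cascade of derived failures.
	if _, err := TLS(c); err != nil {
		t.Fatalf("Expected no errors, got: %v", err)
	}

	// Basic checks
	if c.TLS.Certificate != "cert.pem" {
		t.Errorf("Expected certificate arg to be 'cert.pem', was '%s'", c.TLS.Certificate)
	}
	if c.TLS.Key != "key.pem" {
		t.Errorf("Expected key arg to be 'key.pem', was '%s'", c.TLS.Key)
	}
	if !c.TLS.Enabled {
		t.Error("Expected TLS Enabled=true, but was false")
	}

	// Security defaults
	if c.TLS.ProtocolMinVersion != tls.VersionTLS10 {
		t.Errorf("Expected 'tls1.0 (0x0301)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}
	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
	}

	// Cipher checks: the default suite list, with TLS_FALLBACK_SCSV appended
	// as the last entry.
	expectedCiphers := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_FALLBACK_SCSV,
	}

	// A count mismatch is fatal: the positional comparison below indexes
	// expectedCiphers by the actual position and would panic with an
	// out-of-range index if the actual list were longer.
	if len(c.TLS.Ciphers) != len(expectedCiphers) {
		t.Fatalf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v",
			len(expectedCiphers), len(c.TLS.Ciphers))
	}

	// Ensure ordering is correct
	for i, actual := range c.TLS.Ciphers {
		if actual != expectedCiphers[i] {
			t.Errorf("Expected cipher in position %d to be %0x, got %0x", i, expectedCiphers[i], actual)
		}
	}

	if !c.TLS.PreferServerCipherSuites {
		t.Error("Expected PreferServerCipherSuites = true, but was false")
	}
}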
// TestTLSParseIncompleteParams verifies that a bare `tls` directive, with no
// certificate or key arguments, is accepted without error. It configures
// nothing useful on its own, but lets a user state explicitly that TLS is on.
func TestTLSParseIncompleteParams(t *testing.T) {
	ctrl := NewTestController(`tls`)
	if _, err := TLS(ctrl); err != nil {
		t.Errorf("Expected no error, but got %v", err)
	}
}
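// TestTLSParseWithOptionalParams checks that the protocols and ciphers
// subdirectives override the defaults: the protocol range is taken from the
// two named versions, and the cipher list is the named suites followed by
// TLS_FALLBACK_SCSV.
//
// ssl3.0 is used here only to exercise the lowest value the parser accepts;
// it is not a recommended minimum.
func TestTLSParseWithOptionalParams(t *testing.T) {
	params := `tls cert.crt cert.key {
	protocols ssl3.0 tls1.2
	ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
}`
	c := NewTestController(params)

	// The field checks below are meaningless if parsing failed, so stop here.
	if _, err := TLS(c); err != nil {
		t.Fatalf("Expected no errors, got: %v", err)
	}

	if c.TLS.ProtocolMinVersion != tls.VersionSSL30 {
		t.Errorf("Expected 'ssl3.0 (0x0300)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}
	// TLS 1.2 is 0x0303 (0x0302 is TLS 1.1); the message used to say 0x0302.
	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
	}

	// TLS() is expected to append TLS_FALLBACK_SCSV after the configured
	// suites, which is why it is excluded from the count below. Confirm it is
	// actually there before subtracting it, rather than assuming.
	n := len(c.TLS.Ciphers)
	if n == 0 || c.TLS.Ciphers[n-1] != tls.TLS_FALLBACK_SCSV {
		t.Fatalf("Expected TLS_FALLBACK_SCSV as the last cipher, got %v", c.TLS.Ciphers)
	}
	if n-1 != 3 {
		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", n-1)
	}
}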
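// TestTLSDefaultWithOptionalParams checks that a `tls` block with no
// certificate/key arguments but an explicit ciphers subdirective is accepted,
// and that the configured cipher list (plus the appended TLS_FALLBACK_SCSV)
// replaces the default list.
func TestTLSDefaultWithOptionalParams(t *testing.T) {
	params := `tls {
	ciphers RSA-3DES-EDE-CBC-SHA
}`
	c := NewTestController(params)

	// The cipher checks below are meaningless if parsing failed, so stop here.
	if _, err := TLS(c); err != nil {
		t.Fatalf("Expected no errors, got: %v", err)
	}

	// TLS() is expected to append TLS_FALLBACK_SCSV after the configured
	// suites, which is why it is excluded from the count below. Confirm it is
	// actually there before subtracting it, rather than assuming.
	n := len(c.TLS.Ciphers)
	if n == 0 || c.TLS.Ciphers[n-1] != tls.TLS_FALLBACK_SCSV {
		t.Fatalf("Expected TLS_FALLBACK_SCSV as the last cipher, got %v", c.TLS.Ciphers)
	}
	if n-1 != 1 {
		t.Errorf("Expected 1 ciphers (not including TLS_FALLBACK_SCSV), got %v", n-1)
	}
}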
// TODO: enable only if disabling the HTTP->HTTPS redirect is ever allowed; probably not a good idea.
// func TestTLSDisableHTTPRedirect(t *testing.T) {
// 	c := NewTestController(`tls {
// 		allow_http
// 	}`)
// 	_, err := TLS(c)
// 	if err != nil {
// 		t.Errorf("Expected no error, but got %v", err)
// 	}
// 	if !c.TLS.DisableHTTPRedir {
// 		t.Error("Expected HTTP redirect to be disabled, but it wasn't")
// 	}
// }
// TestTLSParseWithWrongOptionalParams verifies that unrecognized values for the
// protocols and ciphers subdirectives are rejected by TLS() with an error
// rather than silently ignored.
func TestTLSParseWithWrongOptionalParams(t *testing.T) {
	badConfigs := []string{
		// protocols: names that are not versions
		`tls cert.crt cert.key {
	protocols ssl tls
}`,
		// ciphers: a suite name that does not exist
		`tls cert.crt cert.key {
	ciphers not-valid-cipher
}`,
	}

	for _, params := range badConfigs {
		ctrl := NewTestController(params)
		if _, err := TLS(ctrl); err == nil {
			t.Errorf("Expected errors, but no error returned")
		}
	}
}
// TestTLSParseWithClientAuth checks the clients subdirective: the listed CA
// files are recorded in order in c.TLS.ClientCerts, and a clients line with no
// files is rejected.
func TestTLSParseWithClientAuth(t *testing.T) {
	withClients := `tls cert.crt cert.key {
	clients client_ca.crt client2_ca.crt
}`
	ctrl := NewTestController(withClients)
	if _, err := TLS(ctrl); err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	// Length is checked fatally first so the positional lookups below are safe.
	if got := len(ctrl.TLS.ClientCerts); got != 2 {
		t.Fatalf("Expected two client certs, had %d", got)
	}
	if first := ctrl.TLS.ClientCerts[0]; first != "client_ca.crt" {
		t.Errorf("Expected first client cert file to be '%s', but was '%s'", "client_ca.crt", first)
	}
	if second := ctrl.TLS.ClientCerts[1]; second != "client2_ca.crt" {
		t.Errorf("Expected second client cert file to be '%s', but was '%s'", "client2_ca.crt", second)
	}

	// Test missing client cert file
	withoutClients := `tls cert.crt cert.key {
	clients
}`
	ctrl = NewTestController(withoutClients)
	if _, err := TLS(ctrl); err == nil {
		t.Errorf("Expected an error, but no error returned")
	}
}