Skip to content

Commit

Permalink
test: change tls tests not to use LOW cipher
Browse files Browse the repository at this point in the history
DES-CBC-SHA is LOW cipher and disabled by default and it is used in
tests of hornorcipherorder. They are changed as to

- use RC4-SHA instead of DES-CBC-SHA.
- add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are
available in !RC4:!HIGH:ALL.

Fixes: nodejs/Release#85
PR-URL: #5712
Reviewed-By: Ben Noordhuis <[email protected]>
  • Loading branch information
Shigeki Ohtsu committed Mar 15, 2016
1 parent a115779 commit 9c06db7
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 29 deletions.
6 changes: 3 additions & 3 deletions deps/openssl/config/opensslconf.h
Original file line number Diff line number Diff line change
Expand Up @@ -44,9 +44,9 @@
# ifndef OPENSSL_NO_STORE
# define OPENSSL_NO_STORE
# endif
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS
#endif
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS
# endif
#endif /* OPENSSL_DOING_MAKEDEPEND */

#ifndef OPENSSL_THREADS
Expand Down
22 changes: 11 additions & 11 deletions test/simple/test-tls-honorcipherorder-secureOptions.js
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
secureOptions: secureOptions,
honorCipherOrder: !!honorCipherOrder
};
Expand Down Expand Up @@ -95,37 +95,37 @@ test1();

function test1() {
// Client has the preference of cipher suites by default
test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2);
test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
}

function test2() {
// Server has the preference of cipher suites where AES256-SHA is in
// the first.
test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3);
test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
}

function test3() {
// Server has the preference of cipher suites. RC4-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites.
test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4);
// Server has the preference of cipher suites. AES256-SHA is given
// higher priority over RC4-SHA among client cipher suites.
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
}

function test4() {
// As client has only one cipher, server has no choice in regardless
// of honorCipherOrder.
test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5);
test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
}

function test5() {
test(false,
'DES-CBC-SHA',
'DES-CBC-SHA',
'RC4-SHA',
'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
}

function test6() {
test(true,
'DES-CBC-SHA',
'DES-CBC-SHA',
'RC4-SHA',
'RC4-SHA',
process.binding('constants').SSL_OP_SINGLE_DH_USE);
}
23 changes: 8 additions & 15 deletions test/simple/test-tls-honorcipherorder.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,15 @@ var SSL_Method = 'TLSv1_method';
var localhost = '127.0.0.1';

process.on('exit', function() {
assert.equal(nconns, 6);
assert.equal(nconns, 5);
});

function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
var soptions = {
secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA',
honorCipherOrder: !!honorCipherOrder
};

Expand Down Expand Up @@ -75,31 +75,24 @@ function test1() {
}

function test2() {
// Server has the preference of cipher suites where DES-CBC-SHA is in
// Server has the preference of cipher suites where RC4-SHA is in
// the first.
test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3);
}

function test3() {
// Server has the preference of cipher suites. RC4-SHA is given
// higher priority over DES-CBC-SHA among client cipher suites.
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
// Server has the preference of cipher suites. AES256-SHA is given
// higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4);
}

function test4() {
// As client has only one cipher, server has no choice in regardless
// of honorCipherOrder.
test(true, 'RC4-SHA', 'RC4-SHA', test5);
test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5);
}

function test5() {
// Client did not explicitly set ciphers. Ensure that client defaults to
// sane ciphers. Even though server gives top priority to DES-CBC-SHA
// it should not be negotiated because it's not in default client ciphers.
test(true, null, 'AES256-SHA', test6);
}

function test6() {
// Ensure that `tls.DEFAULT_CIPHERS` is used
SSL_Method = 'TLSv1_2_method';
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
Expand Down

0 comments on commit 9c06db7

Please sign in to comment.