
Commit 92f8266

sam-githubrvagg
authored andcommitted
test: confirm tls server suite default is its own
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
1 parent 261aa78 commit 92f8266


1 file changed

+47
-54
lines changed

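--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,41 +1,38 @@
 'use strict';
 const common = require('../common');
 const fixtures = require('../common/fixtures');
+
+// Test the honorCipherOrder property
+
 if (!common.hasCrypto)
 common.skip('missing crypto');
 
 const assert = require('assert');
+const mustCall = common.mustCall;
 const tls = require('tls');
-
-let nconns = 0;
+const util = require('util');
 
 // We explicitly set TLS version to 1.2 so as to be safe when the
 // default method is updated in the future
 const SSL_Method = 'TLSv1_2_method';
 const localhost = '127.0.0.1';
 
-process.on('exit', function() {
-assert.strictEqual(nconns, 6);
-});
-
-function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
+function test(honorCipherOrder, clientCipher, expectedCipher, defaultCiphers) {
 const soptions = {
 secureProtocol: SSL_Method,
 key: fixtures.readKey('agent2-key.pem'),
 cert: fixtures.readKey('agent2-cert.pem'),
 ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
 'ECDHE-RSA-AES128-GCM-SHA256',
-honorCipherOrder: !!honorCipherOrder
+honorCipherOrder: honorCipherOrder,
 };
 
-const server = tls.createServer(soptions, function(cleartextStream) {
-nconns++;
-
+const server = tls.createServer(soptions, mustCall(function(clearTextStream) {
 // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
 // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
-cleartextStream.end();
-});
-server.listen(0, localhost, function() {
+clearTextStream.end();
+}));
+server.listen(0, localhost, mustCall(function() {
 const coptions = {
 rejectUnauthorized: false,
 secureProtocol: SSL_Method
@@ -44,54 +41,50 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
 coptions.ciphers = clientCipher;
 }
 const port = this.address().port;
-const client = tls.connect(port, localhost, coptions, function() {
+const savedDefaults = tls.DEFAULT_CIPHERS;
+tls.DEFAULT_CIPHERS = defaultCiphers || savedDefaults;
+const client = tls.connect(port, localhost, coptions, mustCall(function() {
 const cipher = client.getCipher();
 client.end();
 server.close();
-assert.strictEqual(cipher.name, expectedCipher);
-if (cb) cb();
-});
-});
+const msg = util.format(
+'honorCipherOrder=%j, clientCipher=%j, expect=%j, got=%j',
+honorCipherOrder, clientCipher, expectedCipher, cipher.name);
+assert.strictEqual(cipher.name, expectedCipher, msg);
+}));
+tls.DEFAULT_CIPHERS = savedDefaults;
+}));
 }
 
-test1();
-
-function test1() {
-// Client has the preference of cipher suites by default
-test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
-'AES128-GCM-SHA256', test2);
-}
+// Client explicitly has the preference of cipher suites, not the default.
+test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
+'AES128-GCM-SHA256');
 
-function test2() {
-// Server has the preference of cipher suites, and AES256-SHA256 is
-// the server's top choice.
-test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
-'AES256-SHA256', test3);
-}
+// Server has the preference of cipher suites, and AES256-SHA256 is
+// the server's top choice.
+test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
+'AES256-SHA256');
+test(undefined, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
+'AES256-SHA256');
 
-function test3() {
-// Server has the preference of cipher suites. AES128-GCM-SHA256 is given
-// higher priority over AES128-SHA256 among client cipher suites.
-test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4);
+// Server has the preference of cipher suites. AES128-GCM-SHA256 is given
+// higher priority over AES128-SHA256 among client cipher suites.
+test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256');
+test(undefined, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256');
 
-}
 
-function test4() {
-// As client has only one cipher, server has no choice, irrespective
-// of honorCipherOrder.
-test(true, 'AES128-SHA256', 'AES128-SHA256', test5);
-}
+// As client has only one cipher, server has no choice, irrespective
+// of honorCipherOrder.
+test(true, 'AES128-SHA256', 'AES128-SHA256');
+test(undefined, 'AES128-SHA256', 'AES128-SHA256');
 
-function test5() {
-// Client did not explicitly set ciphers and client offers
-// tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
-// default list so the negotiated cipher is selected according to the
-// server's top preference of AES256-SHA256.
-test(true, null, 'AES256-SHA256', test6);
-}
+// Client did not explicitly set ciphers and client offers
+// tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
+// default list so the negotiated cipher is selected according to the
+// server's top preference of AES256-SHA256.
+test(true, tls.DEFAULT_CIPHERS, 'AES256-SHA256');
+test(true, null, 'AES256-SHA256');
+test(undefined, null, 'AES256-SHA256');
 
-function test6() {
-// Ensure that `tls.DEFAULT_CIPHERS` is used
-tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256';
-test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256');
-}
+// Ensure that `tls.DEFAULT_CIPHERS` is used when its a limited cipher set.
+test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256');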
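Review bot: The override of the process-wide `tls.DEFAULT_CIPHERS` inside `test()` (new lines 44-55) is restored as soon as `tls.connect()` returns, before the handshake completes, and nothing in the test says why that is safe. It presumably works because the client's cipher list is captured synchronously while `tls.connect()` sets up the connection. With every case now running in parallel, that assumption is the only thing stopping the limited-cipher case from leaking into the other connections. I would add a comment above the assignment, for example `// tls.connect() reads DEFAULT_CIPHERS synchronously, so restore it before another case's listen callback can run.` The last case also exercises the override only with `honorCipherOrder` set to `true`; a matching `undefined` case would cover the default the commit message is about.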
