1
1
'use strict' ;
2
2
const common = require ( '../common' ) ;
3
3
const fixtures = require ( '../common/fixtures' ) ;
4
+
5
+ // Test the honorCipherOrder property
6
+
4
7
if ( ! common . hasCrypto )
5
8
common . skip ( 'missing crypto' ) ;
6
9
7
10
const assert = require ( 'assert' ) ;
11
+ const mustCall = common . mustCall ;
8
12
const tls = require ( 'tls' ) ;
9
-
10
- let nconns = 0 ;
13
+ const util = require ( 'util' ) ;
11
14
12
15
// We explicitly set TLS version to 1.2 so as to be safe when the
13
16
// default method is updated in the future
14
17
const SSL_Method = 'TLSv1_2_method' ;
15
18
const localhost = '127.0.0.1' ;
16
19
17
- process . on ( 'exit' , function ( ) {
18
- assert . strictEqual ( nconns , 6 ) ;
19
- } ) ;
20
-
21
- function test ( honorCipherOrder , clientCipher , expectedCipher , cb ) {
20
+ function test ( honorCipherOrder , clientCipher , expectedCipher , defaultCiphers ) {
22
21
const soptions = {
23
22
secureProtocol : SSL_Method ,
24
23
key : fixtures . readKey ( 'agent2-key.pem' ) ,
25
24
cert : fixtures . readKey ( 'agent2-cert.pem' ) ,
26
25
ciphers : 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
27
26
'ECDHE-RSA-AES128-GCM-SHA256' ,
28
- honorCipherOrder : ! ! honorCipherOrder
27
+ honorCipherOrder : honorCipherOrder ,
29
28
} ;
30
29
31
- const server = tls . createServer ( soptions , function ( cleartextStream ) {
32
- nconns ++ ;
33
-
30
+ const server = tls . createServer ( soptions , mustCall ( function ( clearTextStream ) {
34
31
// End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
35
32
// it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
36
- cleartextStream . end ( ) ;
37
- } ) ;
38
- server . listen ( 0 , localhost , function ( ) {
33
+ clearTextStream . end ( ) ;
34
+ } ) ) ;
35
+ server . listen ( 0 , localhost , mustCall ( function ( ) {
39
36
const coptions = {
40
37
rejectUnauthorized : false ,
41
38
secureProtocol : SSL_Method
@@ -44,54 +41,50 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
44
41
coptions . ciphers = clientCipher ;
45
42
}
46
43
const port = this . address ( ) . port ;
47
- const client = tls . connect ( port , localhost , coptions , function ( ) {
44
+ const savedDefaults = tls . DEFAULT_CIPHERS ;
45
+ tls . DEFAULT_CIPHERS = defaultCiphers || savedDefaults ;
46
+ const client = tls . connect ( port , localhost , coptions , mustCall ( function ( ) {
48
47
const cipher = client . getCipher ( ) ;
49
48
client . end ( ) ;
50
49
server . close ( ) ;
51
- assert . strictEqual ( cipher . name , expectedCipher ) ;
52
- if ( cb ) cb ( ) ;
53
- } ) ;
54
- } ) ;
50
+ const msg = util . format (
51
+ 'honorCipherOrder=%j, clientCipher=%j, expect=%j, got=%j' ,
52
+ honorCipherOrder , clientCipher , expectedCipher , cipher . name ) ;
53
+ assert . strictEqual ( cipher . name , expectedCipher , msg ) ;
54
+ } ) ) ;
55
+ tls . DEFAULT_CIPHERS = savedDefaults ;
56
+ } ) ) ;
55
57
}
56
58
57
- test1 ( ) ;
58
-
59
- function test1 ( ) {
60
- // Client has the preference of cipher suites by default
61
- test ( false , 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256' ,
62
- 'AES128-GCM-SHA256' , test2 ) ;
63
- }
59
+ // Client explicitly has the preference of cipher suites, not the default.
60
+ test ( false , 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256' ,
61
+ 'AES128-GCM-SHA256' ) ;
64
62
65
- function test2 ( ) {
66
- // Server has the preference of cipher suites, and AES256-SHA256 is
67
- // the server's top choice.
68
- test ( true , 'AES128-GCM-SHA256: AES256-SHA256:AES128-SHA256' ,
69
- ' AES256-SHA256' , test3 ) ;
70
- }
63
+ // Server has the preference of cipher suites, and AES256-SHA256 is
64
+ // the server's top choice.
65
+ test ( true , 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256' ,
66
+ ' AES256-SHA256' ) ;
67
+ test ( undefined , 'AES128-GCM-SHA256: AES256-SHA256:AES128-SHA256' ,
68
+ 'AES256-SHA256' ) ;
71
69
72
- function test3 ( ) {
73
- // Server has the preference of cipher suites. AES128-GCM-SHA256 is given
74
- // higher priority over AES128-SHA256 among client cipher suites.
75
- test ( true , 'AES128-SHA256:AES128-GCM-SHA256' , 'AES128-GCM-SHA256' , test4 ) ;
70
+ // Server has the preference of cipher suites. AES128-GCM-SHA256 is given
71
+ // higher priority over AES128-SHA256 among client cipher suites.
72
+ test ( true , ' AES128-SHA256:AES128-GCM-SHA256' , 'AES128-GCM-SHA256' ) ;
73
+ test ( undefined , 'AES128-SHA256:AES128-GCM-SHA256' , 'AES128-GCM-SHA256' ) ;
76
74
77
- }
78
75
79
- function test4 ( ) {
80
- // As client has only one cipher, server has no choice, irrespective
81
- // of honorCipherOrder.
82
- test ( true , 'AES128-SHA256' , 'AES128-SHA256' , test5 ) ;
83
- }
76
+ // As client has only one cipher, server has no choice, irrespective
77
+ // of honorCipherOrder.
78
+ test ( true , 'AES128-SHA256' , 'AES128-SHA256' ) ;
79
+ test ( undefined , 'AES128-SHA256' , 'AES128-SHA256' ) ;
84
80
85
- function test5 ( ) {
86
- // Client did not explicitly set ciphers and client offers
87
- // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
88
- // default list so the negotiated cipher is selected according to the
89
- // server's top preference of AES256-SHA256.
90
- test ( true , null , 'AES256-SHA256' , test6 ) ;
91
- }
81
+ // Client did not explicitly set ciphers and client offers
82
+ // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
83
+ // default list so the negotiated cipher is selected according to the
84
+ // server's top preference of AES256-SHA256.
85
+ test ( true , tls . DEFAULT_CIPHERS , ' AES256-SHA256' ) ;
86
+ test ( true , null , 'AES256-SHA256' ) ;
87
+ test ( undefined , null , 'AES256-SHA256' ) ;
92
88
93
- function test6 ( ) {
94
- // Ensure that `tls.DEFAULT_CIPHERS` is used
95
- tls . DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256' ;
96
- test ( true , null , 'ECDHE-RSA-AES128-GCM-SHA256' ) ;
97
- }
89
+ // Ensure that `tls.DEFAULT_CIPHERS` is used when its a limited cipher set.
90
+ test ( true , null , 'ECDHE-RSA-AES128-GCM-SHA256' , 'ECDHE-RSA-AES128-GCM-SHA256' ) ;
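Review bot: The `tls.DEFAULT_CIPHERS` swap around `tls.connect(...)` is undone by `tls.DEFAULT_CIPHERS = savedDefaults;` immediately after `connect()` returns rather than inside the connect callback, so the test relies on the cipher list being read synchronously while the client's secure context is built; as far as I can tell from the tls internals that holds, but the reliance is non-obvious and should be stated at the restore line, e.g. `// tls.connect() builds its SecureContext synchronously, so the default can be restored as soon as it returns.` Restoring in the same tick is also what keeps the concurrently running `test(...)` calls from observing each other's override, which is worth a second sentence in that comment. The `defaultCiphers || savedDefaults` fallback treats an empty string the same as "not supplied"; `defaultCiphers === undefined ? savedDefaults : defaultCiphers` would let a deliberately empty list reach the handshake instead of being masked. The enclosing `test()` function starts before this hunk.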