Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-10-31 02:27:19 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

More tests for TLS configuration

Browse Source
This commit is contained in:
Matthew Holt 2016-08-25 17:13:27 -06:00
parent d4f4fcdb4c
commit b1ae8a71f1
No known key found for this signature in database
GPG Key ID: 0D97CC73664F4D03
2 changed files with 65 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
caddytls/config.go
View File

@ -379,8 +379,8 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
config.CipherSuites = defaultCiphers config.CipherSuites = defaultCiphers
} }
// For security, ensure TLS_FALLBACK_SCSV is always included // For security, ensure TLS_FALLBACK_SCSV is always included first
if config.CipherSuites[0] != tls.TLS_FALLBACK_SCSV { if len(config.CipherSuites) == 0 || config.CipherSuites[0] != tls.TLS_FALLBACK_SCSV {
config.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, config.CipherSuites...) config.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, config.CipherSuites...)
} }

64
caddytls/config_test.go
View File

@ -8,7 +8,7 @@ import (
"testing" "testing"
) )
func TestMakeTLSConfig(t *testing.T) { func TestMakeTLSConfigProtocolVersions(t *testing.T) {
// same min and max protocol versions // same min and max protocol versions
configs := []*Config{ configs := []*Config{
{ {
@ -29,6 +29,68 @@ func TestMakeTLSConfig(t *testing.T) {
} }
} }
func TestMakeTLSConfigPreferServerCipherSuites(t *testing.T) {
// prefer server cipher suites
configs := []*Config{{Enabled: true, PreferServerCipherSuites: true}}
result, err := MakeTLSConfig(configs)
if err != nil {
t.Fatalf("Did not expect an error, but got %v", err)
}
if got, want := result.PreferServerCipherSuites, true; got != want {
t.Errorf("Expected PreferServerCipherSuites==%v but got %v", want, got)
}
}
func TestMakeTLSConfigTLSEnabledDisabled(t *testing.T) {
// verify handling when Enabled is true and false
configs := []*Config{
{Enabled: true},
{Enabled: false},
}
_, err := MakeTLSConfig(configs)
if err == nil {
t.Fatalf("Expected an error, but got %v", err)
}
// verify that when disabled, a nil pair is returned
configs = []*Config{{}, {}}
result, err := MakeTLSConfig(configs)
if err != nil {
t.Errorf("Did not expect an error, but got %v", err)
}
if result != nil {
t.Errorf("Expected a nil *tls.Config result, got %+v", result)
}
}
func TestMakeTLSConfigCipherSuites(t *testing.T) {
// ensure cipher suites are unioned and
// that TLS_FALLBACK_SCSV is prepended
configs := []*Config{
{Enabled: true, Ciphers: []uint16{0xc02c, 0xc030}},
{Enabled: true, Ciphers: []uint16{0xc012, 0xc030, 0xc00a}},
}
result, err := MakeTLSConfig(configs)
if err != nil {
t.Fatalf("Did not expect an error, but got %v", err)
}
expected := []uint16{tls.TLS_FALLBACK_SCSV, 0xc02c, 0xc030, 0xc012, 0xc00a}
if !reflect.DeepEqual(result.CipherSuites, expected) {
t.Errorf("Expected ciphers %v but got %v", expected, result.CipherSuites)
}
// use default suites if none specified
configs = []*Config{{Enabled: true}}
result, err = MakeTLSConfig(configs)
if err != nil {
t.Fatalf("Did not expect an error, but got %v", err)
}
expected = append([]uint16{tls.TLS_FALLBACK_SCSV}, defaultCiphers...)
if !reflect.DeepEqual(result.CipherSuites, expected) {
t.Errorf("Expected default ciphers %v but got %v", expected, result.CipherSuites)
}
}
func TestStorageForNoURL(t *testing.T) { func TestStorageForNoURL(t *testing.T) {
c := &Config{} c := &Config{}
if _, err := c.StorageFor(""); err == nil { if _, err := c.StorageFor(""); err == nil {