| package setup
 | |
| 
 | |
| import (
 | |
| 	"crypto/tls"
 | |
| 	"testing"
 | |
| 
 | |
| 	"github.com/mholt/caddy/app"
 | |
| )
 | |
| 
 | |
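// TestTLSParseBasic checks that a bare `tls <cert> <key>` directive parses
// without error and that the certificate path, the key path and the Enabled
// flag are stored on the controller's TLS config.
func TestTLSParseBasic(t *testing.T) {
	c := newTestController(`tls cert.pem key.pem`)

	// Include the error value so a failing run says why parsing failed; the
	// other tests in this file already report it this way.
	if _, err := TLS(c); err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	if c.TLS.Certificate != "cert.pem" {
		t.Errorf("Expected certificate arg to be 'cert.pem', was '%s'", c.TLS.Certificate)
	}
	if c.TLS.Key != "key.pem" {
		t.Errorf("Expected key arg to be 'key.pem', was '%s'", c.TLS.Key)
	}
	if !c.TLS.Enabled {
		t.Error("Expected TLS Enabled=true, but was false")
	}
}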
 | |
| 
 | |
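// TestTLSParseNoOptional checks the values the parser fills in when the tls
// directive carries no optional block: the full supportedCiphers list, a
// protocol range of TLS 1.1 to TLS 1.2, and a cache size of 64.
//
// NOTE(review): the asserted floor of TLS 1.1 predates RFC 8996, which
// deprecates TLS 1.0 and 1.1. If the parser default is raised, this
// expectation has to move with it.
func TestTLSParseNoOptional(t *testing.T) {
	c := newTestController(`tls cert.crt cert.key`)

	if _, err := TLS(c); err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	if len(c.TLS.Ciphers) != len(supportedCiphers) {
		t.Errorf("Expected %v Ciphers, got %v", len(supportedCiphers), len(c.TLS.Ciphers))
	}

	if c.TLS.ProtocolMinVersion != tls.VersionTLS11 {
		t.Errorf("Expected 'tls1.1 (0x0302)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}

	// %#v here as well, so the actual value is printed the same way as in the
	// min-version check above instead of falling back to plain %v.
	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
	}

	if c.TLS.CacheSize != 64 {
		t.Errorf("Expected CacheSize 64, got %v", c.TLS.CacheSize)
	}
}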
 | |
| 
 | |
// TestTLSParseIncompleteParams checks that the tls directive is rejected when
// it is given fewer than the two required arguments.
func TestTLSParseIncompleteParams(t *testing.T) {
	// First no arguments at all, then only one of the two file arguments.
	incomplete := []string{
		`tls`,
		`tls cert.key`,
	}

	for _, input := range incomplete {
		c := newTestController(input)
		if _, err := TLS(c); err == nil {
			t.Errorf("Expected errors, but no error returned")
		}
	}
}
 | |
| 
 | |
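// TestTLSParseWithOptionalParams checks that the optional block of the tls
// directive (protocols, ciphers, cache) overrides the parser defaults.
//
// NOTE(review): the fixture uses legacy values. SSL 3.0 is prohibited by
// RFC 7568 and tls.VersionSSL30 is marked deprecated in current crypto/tls;
// the 3DES and CBC-SHA suites are likewise legacy. The test only shows that
// the parser accepts these names, so it needs revisiting if the accepted set
// is ever tightened.
func TestTLSParseWithOptionalParams(t *testing.T) {
	params := `tls cert.crt cert.key {
            protocols ssl3.0 tls1.2
            ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
            cache 128
        }`
	c := newTestController(params)

	if _, err := TLS(c); err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}

	if c.TLS.ProtocolMinVersion != tls.VersionSSL30 {
		t.Errorf("Expected 'ssl3.0 (0x0300)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
	}

	// TLS 1.2 is 0x0303 on the wire; the message previously quoted 0x0302,
	// which is the TLS 1.1 code point.
	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
	}

	// Three cipher names were listed in the block above.
	if len(c.TLS.Ciphers) != 3 {
		t.Errorf("Expected 3 Ciphers, got %v", len(c.TLS.Ciphers))
	}

	if c.TLS.CacheSize != 128 {
		t.Errorf("Expected CacheSize 128, got %v", c.TLS.CacheSize)
	}
}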
 | |
| 
 | |
// TestTLSParseWithWrongOptionalParams checks that malformed values inside the
// optional block of the tls directive are rejected rather than silently
// ignored, so a typo cannot leave a site on settings the operator did not
// intend.
func TestTLSParseWithWrongOptionalParams(t *testing.T) {
	invalid := []string{
		// Cache size that is not a number.
		`tls cert.crt cert.key {
            cache a
        }`,
		// Protocol names that carry no version.
		`tls cert.crt cert.key {
			protocols ssl tls
		}`,
		// Cipher name that is not recognised.
		`tls cert.crt cert.key {
			ciphers not-valid-cipher
		}`,
	}

	for _, params := range invalid {
		c := newTestController(params)
		if _, err := TLS(c); err == nil {
			t.Errorf("Expected errors, but no error returned")
		}
	}
}
 | |
| 
 | |
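// TestTLSParseWithHTTP2Requirements checks how the app.Http2 switch changes
// cipher handling: with it on, the default list is http2CipherSuites and a
// suite outside that list is rejected; with it off, the default list is
// supportedCiphers.
func TestTLSParseWithHTTP2Requirements(t *testing.T) {
	// app.Http2 is package-level state shared with the other tests. Restore
	// whatever was set on entry so this test does not leak its own setting
	// into tests that run afterwards.
	prevHTTP2 := app.Http2
	defer func() { app.Http2 = prevHTTP2 }()

	params := `tls cert.crt cert.key`
	c := newTestController(params)

	// With HTTP2, cipher suites should be limited
	app.Http2 = true
	_, err := TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}
	if len(c.TLS.Ciphers) != len(http2CipherSuites) {
		t.Errorf("With HTTP/2 on, expected %d supported ciphers, got %d",
			len(http2CipherSuites), len(c.TLS.Ciphers))
	}

	params = `tls cert.crt cert.key {
			ciphers RSA-AES128-CBC-SHA
		}`
	c = newTestController(params)
	// Should not be able to specify a blacklisted cipher suite with HTTP2 on.
	// NOTE(review): presumably this mirrors the cipher blacklist in RFC 7540
	// Appendix A; confirm against the definition of http2CipherSuites.
	_, err = TLS(c)
	if err == nil {
		t.Error("Expected an error because cipher suite is invalid for HTTP/2")
	}

	params = `tls cert.crt cert.key`
	c = newTestController(params)

	// Without HTTP2, cipher suites should not be as restricted
	app.Http2 = false
	_, err = TLS(c)
	if err != nil {
		t.Errorf("Expected no errors, got: %v", err)
	}
	if len(c.TLS.Ciphers) != len(supportedCiphers) {
		t.Errorf("With HTTP/2 off, expected %d supported ciphers, got %d",
			len(supportedCiphers), len(c.TLS.Ciphers))
	}
}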
 |