From e938429bac3edac22906a7315eca39822fa4d6bd Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 18 Nov 2019 23:04:49 -0500
Subject: [PATCH] Fix cluster cipher test (#7900)

Go 1.13 flipped TLS 1.3 to opt-out instead of opt-in, and its TLS 1.3 support does not allow configuring cipher suites. Simply remove the affected test; it's not relevant going forward and there's ample evidence it works properly prior to Go 1.13.
---
 sdk/helper/tlsutil/tlsutil.go | 3 +++
 vault/cluster_test.go | 36 -----------------------------------
 vault/core.go | 2 +-
 3 files changed, 4 insertions(+), 37 deletions(-)

diff --git a/sdk/helper/tlsutil/tlsutil.go b/sdk/helper/tlsutil/tlsutil.go
index 236d32ec67..1ead6e590b 100644
--- a/sdk/helper/tlsutil/tlsutil.go
+++ b/sdk/helper/tlsutil/tlsutil.go
@@ -42,6 +42,9 @@ var cipherMap = map[string]uint16{
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
+ "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
+ "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
 // ParseCiphers parse ciphersuites from the comma-separated string into recognized slice
diff --git a/vault/cluster_test.go b/vault/cluster_test.go
index 81ff81b957..f20d2474a2 100644
--- a/vault/cluster_test.go
+++ b/vault/cluster_test.go
@@ -5,7 +5,6 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
- "fmt"
 "net/http"
 "testing"
 "time"
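Review bot: The three TLS 1.3 names added to `cipherMap` will be accepted by `ParseCiphers`, but — as the commit message itself states — Go does not allow configuring TLS 1.3 cipher suites, so including or omitting `TLS_AES_128_GCM_SHA256` changes nothing about what a TLS 1.3 handshake negotiates. An operator who lists only TLS 1.3 names would therefore get a value that validates cleanly yet imposes no policy on TLS 1.3 and, as far as I can tell from Go's handshake code, leaves no usable suite for a TLS 1.2 peer, so the result is a silent no-op on one version and a handshake failure on the other. At minimum the new entries deserve a comment such as `// TLS 1.3 suites are listed only so config values parse; Go ignores CipherSuites for TLS 1.3, so these never restrict a TLS 1.3 handshake.`, and `ParseCiphers` (defined after this hunk) could reject or log a list that contains nothing but TLS 1.3 suites. The `cipherMap` declaration begins before this hunk.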
@@ -372,38 +371,3 @@ func testCluster_ForwardRequests(t *testing.T, c *TestClusterCore, rootToken, re
 }
 }
 }
-
-func TestCluster_CustomCipherSuites(t *testing.T) {
- cluster := NewTestCluster(t, &CoreConfig{
- ClusterCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- }, nil)
- cluster.Start()
- defer cluster.Cleanup()
- core := cluster.Cores[0]
-
- // Wait for core to become active
- TestWaitActive(t, core.Core)
-
- core.getClusterListener().AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{core.Core})
-
- parsedCert := core.localClusterParsedCert.Load().(*x509.Certificate)
- dialer := core.getGRPCDialer(context.Background(), consts.RequestForwardingALPN, parsedCert.Subject.CommonName, parsedCert)
-
- netConn, err := dialer(core.getClusterListener().Addrs()[0].String(), 0)
- conn := netConn.(*tls.Conn)
- if err != nil {
- t.Fatal(err)
- }
- defer conn.Close()
- err = conn.Handshake()
- if err != nil {
- t.Fatal(err)
- }
- if conn.ConnectionState().CipherSuite != tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {
- var availCiphers string
- for _, cipher := range core.clusterCipherSuites {
- availCiphers += fmt.Sprintf("%x ", cipher)
- }
- t.Fatalf("got bad negotiated cipher %x, core-set suites are %s", conn.ConnectionState().CipherSuite, availCiphers)
- }
-}
diff --git a/vault/core.go b/vault/core.go
index cb792084f3..fc0fdb9113 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -711,7 +711,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
 switch conf.ClusterCipherSuites {
- case "tls12":
+ case "tls13", "tls12":
 // Do nothing, let Go use the default
 case "":