mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-20 14:11:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/helper/tlsutil/tlsutil_test.go
Michel Vocks 9617832784
Print warning when 'tls_cipher_suites' includes blacklisted cipher suites (#6300) 
* Implemented a warning when tls_cipher_suites includes only cipher suites which are not supprted by the HTTP/2 spec

* Added test for cipher suites

* Added hard fail on startup when all defined cipher suites are blacklisted. Added warning when some ciphers are blacklisted.

* Replaced hard failure with warning. Removed bad cipher util function and replaced it by external library.

* Added missing dependency. Fixed renaming of package name.
2019-03-01 16:48:06 +01:00

49 lines
1.8 KiB
Go
Raw Blame History

package tlsutil
import (
"crypto/tls"
"reflect"
"testing"
)
func TestParseCiphers(t *testing.T) {
testOk := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
v, err := ParseCiphers(testOk)
if err != nil {
t.Fatal(err)
}
if len(v) != 17 {
t.Fatal("missed ciphers after parse")
}
testBad := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,cipherX"
if _, err := ParseCiphers(testBad); err == nil {
t.Fatal("should fail on unsupported cipherX")
}
testOrder := "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
v, _ = ParseCiphers(testOrder)
expected := []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_GCM_SHA256}
if !reflect.DeepEqual(expected, v) {
t.Fatal("cipher order is not preserved")
}
}
func TestGetCipherName(t *testing.T) {
testOkCipherStr := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
testOkCipher := tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
cipherStr, err := GetCipherName(testOkCipher)
if err != nil {
t.Fatal(err)
}
if cipherStr != testOkCipherStr {
t.Fatalf("cipher string should be %s but is %s", testOkCipherStr, cipherStr)
}
var testBadCipher uint16 = 0xC022
cipherStr, err = GetCipherName(testBadCipher)
if err == nil {
t.Fatal("should fail on unsupported cipher 0xC022")
}
}
Reference in New Issue View Git Blame Copy Permalink