Skip to content

Commit

Permalink
test: assert on client and server side seperately
Browse files Browse the repository at this point in the history
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
  • Loading branch information
sam-github authored and BethGriggs committed Mar 28, 2019
1 parent 8dd8033 commit fe8e07d
Showing 1 changed file with 100 additions and 37 deletions.
137 changes: 100 additions & 37 deletions test/parallel/test-tls-min-max-version.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,13 @@ const {
assert, connect, keys, tls
} = require(fixtures.path('tls-connect'));
const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;

// For v11.x, the default is fixed and cannot be changed via CLI.
assert.strictEqual(DEFAULT_MIN_VERSION, 'TLSv1');

function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
assert(proto || cerr || serr, 'test missing any expectations');
connect({
client: {
checkServerIdentity: (servername, cert) => { },
Expand All @@ -29,23 +31,52 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
secureProtocol: sprot,
},
}, common.mustCall((err, pair, cleanup) => {
if (expect && !expect.match(/^TLS/)) {
assert(err.message.match(expect));
function u(_) { return _ === undefined ? 'U' : _; }
console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot),
'expect', u(proto), u(cerr), u(serr));
if (!proto) {
console.log('client', pair.client.err ? pair.client.err.code : undefined);
console.log('server', pair.server.err ? pair.server.err.code : undefined);
// 11.x doesn't have https://github.com/nodejs/node/pull/24729
if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
pair.client.err &&
pair.client.err.message.includes('methods disabled'))
pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
pair.server.err &&
pair.server.err.message.includes('methods disabled'))
pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
pair.client.err &&
pair.client.err.message.includes('Unknown method'))
pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
pair.server.err &&
pair.server.err.message.includes('Unknown method'))
pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
if (cerr) {
assert(pair.client.err);
// Accept these codes as aliases, the one reported depends on the
// OpenSSL version.
if (cerr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
pair.client.err.code === 'ERR_SSL_VERSION_TOO_LOW')
cerr = 'ERR_SSL_VERSION_TOO_LOW';
assert.strictEqual(pair.client.err.code, cerr);
}
if (serr) {
assert(pair.server.err);
assert.strictEqual(pair.server.err.code, serr);
}
return cleanup();
}

if (expect) {
assert.ifError(pair.server.err);
assert.ifError(pair.client.err);
assert(pair.server.conn);
assert(pair.client.conn);
assert.strictEqual(pair.client.conn.getProtocol(), expect);
assert.strictEqual(pair.server.conn.getProtocol(), expect);
return cleanup();
}

assert(pair.server.err);
assert(pair.client.err);
assert.ifError(err);
assert.ifError(pair.server.err);
assert.ifError(pair.client.err);
assert(pair.server.conn);
assert(pair.client.conn);
assert.strictEqual(pair.client.conn.getProtocol(), proto);
assert.strictEqual(pair.server.conn.getProtocol(), proto);
return cleanup();
}));
}
Expand All @@ -56,18 +87,28 @@ const U = undefined;
test(U, U, U, U, U, U, 'TLSv1.2');

// Insecure or invalid protocols cannot be enabled.
test(U, U, U, U, U, 'SSLv2_method', 'SSLv2 methods disabled');
test(U, U, U, U, U, 'SSLv3_method', 'SSLv3 methods disabled');
test(U, U, 'SSLv2_method', U, U, U, 'SSLv2 methods disabled');
test(U, U, 'SSLv3_method', U, U, U, 'SSLv3 methods disabled');
test(U, U, 'hokey-pokey', U, U, U, 'Unknown method');
test(U, U, U, U, U, 'hokey-pokey', 'Unknown method');
test(U, U, U, U, U, 'SSLv2_method',
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, U, U, U, 'SSLv3_method',
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'SSLv2_method', U, U, U,
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'SSLv3_method', U, U, U,
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'hokey-pokey', U, U, U,
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, U, U, U, 'hokey-pokey',
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');

// Cannot use secureProtocol and min/max versions simultaneously.
test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', 'conflicts with secureProtocol');
test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', 'conflicts with secureProtocol');
test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
test('TLSv1.2', U, 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method',
U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method',
U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U,
U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test('TLSv1.2', U, 'TLS1_2_method', U, U, U,
U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');

// TLS_method means "any supported protocol".
test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2');
Expand All @@ -82,17 +123,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');
test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');

if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', null);
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', null);
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
}

if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
}

if (DEFAULT_MIN_VERSION === 'TLSv1') {
Expand All @@ -110,18 +157,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1');

// The default default.
if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
test(U, U, 'TLSv1_1_method', U, U, U, null);
test(U, U, 'TLSv1_method', U, U, U, null);
test(U, U, U, U, U, 'TLSv1_1_method', null);
test(U, U, U, U, U, 'TLSv1_method', null);
test(U, U, 'TLSv1_1_method', U, U, U,
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
test(U, U, 'TLSv1_method', U, U, U,
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');

if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
test(U, U, U, U, U, 'TLSv1_1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
test(U, U, U, U, U, 'TLSv1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
} else {
assert(false, 'unreachable');
}
}

// The default with --tls-v1.1.
if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
test(U, U, 'TLSv1_method', U, U, U, null);
test(U, U, 'TLSv1_method', U, U, U,
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');
test(U, U, U, U, U, 'TLSv1_method', null);

if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
test(U, U, U, U, U, 'TLSv1_method',
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
} else {
assert(false, 'unreachable');
}
}

// The default with --tls-v1.0.
Expand Down

0 comments on commit fe8e07d

Please sign in to comment.