From 40cc131bbcda0f2feec38eaa8ed1dfe75f8ad6ab Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu
Date: Tue, 15 Mar 2016 13:10:33 +0900
Subject: [PATCH] test: change tls tests not to use LOW cipher

DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to
- use RC4-SHA instead of DES-CBC-SHA.
- add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL.

Fixes: https://github.com/nodejs/LTS/issues/85
PR-URL: https://github.com/nodejs/node/pull/5712
Reviewed-By: Ben Noordhuis
---
 deps/openssl/config/opensslconf.h | 6 ++---
 ...test-tls-honorcipherorder-secureOptions.js | 22 +++++++++----------
 test/simple/test-tls-honorcipherorder.js | 14 ++++++------
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/deps/openssl/config/opensslconf.h b/deps/openssl/config/opensslconf.h
index 64875ef0fa1fa5..5e5765d5b3ff47 100644
--- a/deps/openssl/config/opensslconf.h
+++ b/deps/openssl/config/opensslconf.h
@@ -44,9 +44,9 @@
 # ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 # endif
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-# define OPENSSL_NO_WEAK_SSL_CIPHERS
-#endif
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+# define OPENSSL_NO_WEAK_SSL_CIPHERS
+# endif
 #endif /* OPENSSL_DOING_MAKEDEPEND */

 #ifndef OPENSSL_THREADS
diff --git a/test/simple/test-tls-honorcipherorder-secureOptions.js b/test/simple/test-tls-honorcipherorder-secureOptions.js
index e70cfb1ef4a43f..932ffe25b494a6 100644
--- a/test/simple/test-tls-honorcipherorder-secureOptions.js
+++ b/test/simple/test-tls-honorcipherorder-secureOptions.js
@@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
 secureProtocol: SSL_Method,
 key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
 cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
- ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
+ ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
 secureOptions: secureOptions,
 honorCipherOrder: !!honorCipherOrder
 };
@@ -95,37 +95,37 @@ test1();

 function test1() {
 // Client has the preference of cipher suites by default
- test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2);
+ test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
 }

 function test2() {
 // Server has the preference of cipher suites where AES256-SHA is in
 // the first.
- test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3);
+ test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
 }

 function test3() {
- // Server has the preference of cipher suites. RC4-SHA is given
- // higher priority over DES-CBC-SHA among client cipher suites.
- test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4);
+ // Server has the preference of cipher suites. AES256-SHA is given
+ // higher priority over RC4-SHA among client cipher suites.
+ test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
 }

 function test4() {
 // As client has only one cipher, server has no choice in regardless
 // of honorCipherOrder.
- test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5);
+ test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
 }

 function test5() {
 test(false,
- 'DES-CBC-SHA',
- 'DES-CBC-SHA',
+ 'RC4-SHA',
+ 'RC4-SHA',
 process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
 }

 function test6() {
 test(true,
- 'DES-CBC-SHA',
- 'DES-CBC-SHA',
+ 'RC4-SHA',
+ 'RC4-SHA',
 process.binding('constants').SSL_OP_SINGLE_DH_USE);
 }
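Review bot: test1, test5 and test6 in the second hunk now expect `RC4-SHA` to be negotiated, so the test still depends on a cipher that RFC 7465 prohibits for TLS and that a later OpenSSL build or cipher-list default may disable, which is the same kind of breakage this commit fixes for DES-CBC-SHA. Picking two suites that are not candidates for removal would keep the ordering check stable, for example `ciphers: 'AES256-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA'` on the server and `test(false, 'AES128-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES128-SHA', 0, test2);` in test1. The same applies to the server list and test1 in test/simple/test-tls-honorcipherorder.js. The body of test() starts and ends outside these hunks, so whether anything else in it assumes RC4 cannot be seen here.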
diff --git a/test/simple/test-tls-honorcipherorder.js b/test/simple/test-tls-honorcipherorder.js
index 539a12abf4efd0..4d325ba71e7f52 100644
--- a/test/simple/test-tls-honorcipherorder.js
+++ b/test/simple/test-tls-honorcipherorder.js
@@ -38,7 +38,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
 secureProtocol: SSL_Method,
 key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
 cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
- ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
+ ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
 honorCipherOrder: !!honorCipherOrder
 };

@@ -67,23 +67,23 @@ test1();

 function test1() {
 // Client has the preference of cipher suites by default
- test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', test2);
+ test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', test2);
 }

 function test2() {
 // Server has the preference of cipher suites where AES256-SHA is in
 // the first.
- test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', test3);
+ test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', test3);
 }

 function test3() {
- // Server has the preference of cipher suites. RC4-SHA is given
- // higher priority over DES-CBC-SHA among client cipher suites.
- test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', test4);
+ // Server has the preference of cipher suites. AES256-SHA is given
+ // higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
+ test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
 }

 function test4() {
 // As client has only one cipher, server has no choice in regardless
 // of honorCipherOrder.
- test(true, 'DES-CBC-SHA', 'DES-CBC-SHA');
+ test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA');
 }
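Review bot: The new comment in test3 says AES256-SHA is preferred over ECDHE-RSA-AES256-SHA, but the client list passed on the following line is `'RC4-SHA:AES256-SHA'`, so the comment names a cipher the client never offers in that case. It should read `// higher priority over RC4-SHA among client cipher suites.`, which is the wording the same comment has in test-tls-honorcipherorder-secureOptions.js. Separately, test4 exercises the single-cipher case only with honorCipherOrder set to true although its comment says the outcome holds regardless; chaining a second call such as `test(false, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA');` would cover what the comment claims.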