nodejs/test/sequential/test-tls-honorcipherorder.js

'use strict';
var common = require('../common');
var assert = require('assert');

if (!common.hasCrypto) {
  console.log('1..0 # Skipped: missing crypto');
  return;
}
var tls = require('tls');

var fs = require('fs');
var nconns = 0;
// test only in TLSv1 to use DES which is no longer supported TLSv1.2
// to be safe when the default method is updated in the future
var SSL_Method = 'TLSv1_method';
var localhost = '127.0.0.1';

process.on('exit', function() {
  assert.equal(nconns, 6);
});

function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
  var soptions = {
    secureProtocol: SSL_Method,
    key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
    cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
    ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
    honorCipherOrder: !!honorCipherOrder
  };

  var server = tls.createServer(soptions, function(cleartextStream) {
    nconns++;

    // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
    // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
    cleartextStream.end();
  });
  server.listen(common.PORT, localhost, function() {
    var coptions = {
      rejectUnauthorized: false,
      secureProtocol: SSL_Method
    };
    if (clientCipher) {
      coptions.ciphers = clientCipher;
    }
    var client = tls.connect(common.PORT, localhost, coptions, function() {
      var cipher = client.getCipher();
      client.end();
      server.close();
      assert.equal(cipher.name, expectedCipher);
      if (cb) cb();
    });
  });
}

test1();

function test1() {
  // Client has the preference of cipher suites by default
  test(false, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'AES256-SHA', test2);
}

function test2() {
  // Server has the preference of cipher suites where DES-CBC-SHA is in
  // the first.
  test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
}

function test3() {
  // Server has the preference of cipher suites. RC4-SHA is given
  // higher priority over DES-CBC-SHA among client cipher suites.
  test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
}

function test4() {
  // As client has only one cipher, server has no choice in regardless
  // of honorCipherOrder.
  test(true, 'RC4-SHA', 'RC4-SHA', test5);
}

function test5() {
  // Client did not explicitly set ciphers. Ensure that client defaults to
  // sane ciphers. Even though server gives top priority to DES-CBC-SHA
  // it should not be negotiated because it's not in default client ciphers.
  test(true, null, 'AES256-SHA', test6);
}

function test6() {
  // Ensure that `tls.DEFAULT_CIPHERS` is used
  SSL_Method = 'TLSv1_2_method';
  tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
  test(true, null, 'ECDHE-RSA-AES256-SHA');
}
test: enable linting for tests Enable linting for the test directory. A number of changes was made so all tests conform the current rules used by lib and src directories. The only exception for tests is that unreachable (dead) code is allowed. test-fs-non-number-arguments-throw had to be excluded from the changes because of a weird issue on Windows CI. PR-URL: https://github.com/nodejs/io.js/pull/1721 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> 2015-05-19 13:00:06 +02:00			`'use strict';`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`var common = require('../common');`
			`var assert = require('assert');`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 02:11:21 +01:00
			`if (!common.hasCrypto) {`
			`console.log('1..0 # Skipped: missing crypto');`
test: changing process.exit to return while skipping tests This patch uses `return` statement to skip the test instead of using `process.exit` call. PR-URL: https://github.com/nodejs/io.js/pull/2109 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> 2015-07-07 17:25:55 +02:00			`return;`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 02:11:21 +01:00			`}`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`var tls = require('tls');`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 02:11:21 +01:00
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`var fs = require('fs');`
			`var nconns = 0;`
			`// test only in TLSv1 to use DES which is no longer supported TLSv1.2`
			`// to be safe when the default method is updated in the future`
			`var SSL_Method = 'TLSv1_method';`
			`var localhost = '127.0.0.1';`

			`process.on('exit', function() {`
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249 2014-03-07 00:27:01 +01:00			`assert.equal(nconns, 6);`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`});`

			`function test(honorCipherOrder, clientCipher, expectedCipher, cb) {`
			`var soptions = {`
			`secureProtocol: SSL_Method,`
			`key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),`
			`cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),`
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249 2014-03-07 00:27:01 +01:00			`ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`honorCipherOrder: !!honorCipherOrder`
			`};`

			`var server = tls.createServer(soptions, function(cleartextStream) {`
			`nconns++;`
test: fix tls-honorcipherorder slowness End accepted stream to prevent client fd from hanging in FIN_WAIT_1 state. The 30 second delay was caused by default non-zero SO_LINGER. 2014-02-15 12:56:37 +01:00
			`// End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise`
			`// it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).`
			`cleartextStream.end();`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`});`
			`server.listen(common.PORT, localhost, function() {`
test: set rejectUnauthorized in tls/https tests Update the tls and https tests to explicitly set rejectUnauthorized instead of relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set. 2012-08-30 16:43:20 +02:00			`var coptions = {`
			`rejectUnauthorized: false,`
			`secureProtocol: SSL_Method`
			`};`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`if (clientCipher) {`
			`coptions.ciphers = clientCipher;`
			`}`
			`var client = tls.connect(common.PORT, localhost, coptions, function() {`
			`var cipher = client.getCipher();`
			`client.end();`
			`server.close();`
			`assert.equal(cipher.name, expectedCipher);`
			`if (cb) cb();`
			`});`
			`});`
			`}`

			`test1();`

			`function test1() {`
			`// Client has the preference of cipher suites by default`
tools: re-enable comma-spacing linter rule The rule was disabled because of an eslint bug which is now resolved. All code in lib was already conforming and only test code needed a few changes to make the linter happy with this rule enabled. Ref: https://github.com/eslint/eslint/issues/2408 PR-URL: https://github.com/nodejs/io.js/pull/2072 Reviewed-By: Yosuke Furukawa <yosuke.furukawa@gmail.com> Reviewed-by: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Alex Kocharin <alex@kocharin.ru> 2015-06-28 17:42:35 +02:00			`test(false, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'AES256-SHA', test2);`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`}`

			`function test2() {`
crypto: honor default ciphers in client mode Right now no default ciphers are use in, e.g. https.get, meaning that weak export ciphers like TLS_RSA_EXPORT_WITH_DES40_CBC_SHA are accepted. To reproduce: node -e "require('https').get({hostname: 'www.howsmyssl.com', \ path: '/a/check'}, function(res) {res.on('data', \ function(d) {process.stdout.write(d)})})" 2014-01-24 02:28:08 +01:00			`// Server has the preference of cipher suites where DES-CBC-SHA is in`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`// the first.`
crypto: honor default ciphers in client mode Right now no default ciphers are use in, e.g. https.get, meaning that weak export ciphers like TLS_RSA_EXPORT_WITH_DES40_CBC_SHA are accepted. To reproduce: node -e "require('https').get({hostname: 'www.howsmyssl.com', \ path: '/a/check'}, function(res) {res.on('data', \ function(d) {process.stdout.write(d)})})" 2014-01-24 02:28:08 +01:00			`test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`}`

			`function test3() {`
			`// Server has the preference of cipher suites. RC4-SHA is given`
			`// higher priority over DES-CBC-SHA among client cipher suites.`
crypto: honor default ciphers in client mode Right now no default ciphers are use in, e.g. https.get, meaning that weak export ciphers like TLS_RSA_EXPORT_WITH_DES40_CBC_SHA are accepted. To reproduce: node -e "require('https').get({hostname: 'www.howsmyssl.com', \ path: '/a/check'}, function(res) {res.on('data', \ function(d) {process.stdout.write(d)})})" 2014-01-24 02:28:08 +01:00			`test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`}`

			`function test4() {`
			`// As client has only one cipher, server has no choice in regardless`
			`// of honorCipherOrder.`
crypto: honor default ciphers in client mode Right now no default ciphers are use in, e.g. https.get, meaning that weak export ciphers like TLS_RSA_EXPORT_WITH_DES40_CBC_SHA are accepted. To reproduce: node -e "require('https').get({hostname: 'www.howsmyssl.com', \ path: '/a/check'}, function(res) {res.on('data', \ function(d) {process.stdout.write(d)})})" 2014-01-24 02:28:08 +01:00			`test(true, 'RC4-SHA', 'RC4-SHA', test5);`
			`}`

			`function test5() {`
			`// Client did not explicitly set ciphers. Ensure that client defaults to`
			`// sane ciphers. Even though server gives top priority to DES-CBC-SHA`
			`// it should not be negotiated because it's not in default client ciphers.`
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249 2014-03-07 00:27:01 +01:00			`test(true, null, 'AES256-SHA', test6);`
			`}`

			`function test6() {`
			// Ensure that `tls.DEFAULT_CIPHERS` is used
			`SSL_Method = 'TLSv1_2_method';`
			`tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';`
			`test(true, null, 'ECDHE-RSA-AES256-SHA');`
test: add test of tls.createServer(honorCipherOrder=true) 2012-03-25 07:28:39 +02:00			`}`