2012-03-25 07:28:39 +02:00
|
|
|
var common = require('../common');
|
|
|
|
var assert = require('assert');
|
2015-03-04 02:11:21 +01:00
|
|
|
|
|
|
|
if (!common.hasCrypto) {
|
|
|
|
console.log('1..0 # Skipped: missing crypto');
|
|
|
|
process.exit();
|
|
|
|
}
|
2012-03-25 07:28:39 +02:00
|
|
|
var tls = require('tls');
|
2015-03-04 02:11:21 +01:00
|
|
|
|
2012-03-25 07:28:39 +02:00
|
|
|
var fs = require('fs');
|
|
|
|
var nconns = 0;
|
|
|
|
// test only in TLSv1 to use DES which is no longer supported TLSv1.2
|
|
|
|
// to be safe when the default method is updated in the future
|
|
|
|
var SSL_Method = 'TLSv1_method';
|
|
|
|
var localhost = '127.0.0.1';
|
|
|
|
|
|
|
|
process.on('exit', function() {
|
2014-03-07 00:27:01 +01:00
|
|
|
assert.equal(nconns, 6);
|
2012-03-25 07:28:39 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
|
|
|
|
var soptions = {
|
|
|
|
secureProtocol: SSL_Method,
|
|
|
|
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
|
|
|
|
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
|
2014-03-07 00:27:01 +01:00
|
|
|
ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
|
2012-03-25 07:28:39 +02:00
|
|
|
honorCipherOrder: !!honorCipherOrder
|
|
|
|
};
|
|
|
|
|
|
|
|
var server = tls.createServer(soptions, function(cleartextStream) {
|
|
|
|
nconns++;
|
2014-02-15 12:56:37 +01:00
|
|
|
|
|
|
|
// End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
|
|
|
|
// it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
|
|
|
|
cleartextStream.end();
|
2012-03-25 07:28:39 +02:00
|
|
|
});
|
|
|
|
server.listen(common.PORT, localhost, function() {
|
2012-08-30 16:43:20 +02:00
|
|
|
var coptions = {
|
|
|
|
rejectUnauthorized: false,
|
|
|
|
secureProtocol: SSL_Method
|
|
|
|
};
|
2012-03-25 07:28:39 +02:00
|
|
|
if (clientCipher) {
|
|
|
|
coptions.ciphers = clientCipher;
|
|
|
|
}
|
|
|
|
var client = tls.connect(common.PORT, localhost, coptions, function() {
|
|
|
|
var cipher = client.getCipher();
|
|
|
|
client.end();
|
|
|
|
server.close();
|
|
|
|
assert.equal(cipher.name, expectedCipher);
|
|
|
|
if (cb) cb();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
test1();
|
|
|
|
|
|
|
|
function test1() {
|
|
|
|
// Client has the preference of cipher suites by default
|
2014-01-24 02:28:08 +01:00
|
|
|
test(false, 'AES256-SHA:DES-CBC-SHA:RC4-SHA','AES256-SHA', test2);
|
2012-03-25 07:28:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function test2() {
|
2014-01-24 02:28:08 +01:00
|
|
|
// Server has the preference of cipher suites where DES-CBC-SHA is in
|
2012-03-25 07:28:39 +02:00
|
|
|
// the first.
|
2014-01-24 02:28:08 +01:00
|
|
|
test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
|
2012-03-25 07:28:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function test3() {
|
|
|
|
// Server has the preference of cipher suites. RC4-SHA is given
|
|
|
|
// higher priority over DES-CBC-SHA among client cipher suites.
|
2014-01-24 02:28:08 +01:00
|
|
|
test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
|
2012-03-25 07:28:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function test4() {
|
|
|
|
// As client has only one cipher, server has no choice in regardless
|
|
|
|
// of honorCipherOrder.
|
2014-01-24 02:28:08 +01:00
|
|
|
test(true, 'RC4-SHA', 'RC4-SHA', test5);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test5() {
|
|
|
|
// Client did not explicitly set ciphers. Ensure that client defaults to
|
|
|
|
// sane ciphers. Even though server gives top priority to DES-CBC-SHA
|
|
|
|
// it should not be negotiated because it's not in default client ciphers.
|
2014-03-07 00:27:01 +01:00
|
|
|
test(true, null, 'AES256-SHA', test6);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test6() {
|
|
|
|
// Ensure that `tls.DEFAULT_CIPHERS` is used
|
|
|
|
SSL_Method = 'TLSv1_2_method';
|
|
|
|
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
|
|
|
|
test(true, null, 'ECDHE-RSA-AES256-SHA');
|
2012-03-25 07:28:39 +02:00
|
|
|
}
|