luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/tlsutil/config_test.go

712 lines
21 KiB
Go
Raw Normal View History

Moved TLS Config stuff to tlsutil package
2014-11-18 16:03:36 +00:00
package tlsutil
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
import (
"crypto/tls"
Allow multiple PEM-encoded certificates in the ca_file. fixes #167
2014-05-26 17:58:57 +00:00
"crypto/x509"
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
"io"
"io/ioutil"
"net"
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"reflect"
"strings"
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
"testing"
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
"github.com/hashicorp/yamux"
agent: honor when ca is set but verify_outgoing is disabled (#4826) * honor when verify_outgoing is false but ca is set * Remove code that exists only for tests * fix formatting
2018-12-17 17:56:18 +00:00
"github.com/stretchr/testify/require"
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
)
func TestConfig_KeyPair_None(t *testing.T) {
conf := &Config{}
cert, err := conf.KeyPair()
if err != nil {
t.Fatalf("err: %v", err)
}
if cert != nil {
t.Fatalf("bad: %v", cert)
}
}
func TestConfig_KeyPair_Valid(t *testing.T) {
conf := &Config{
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
cert, err := conf.KeyPair()
if err != nil {
t.Fatalf("err: %v", err)
}
if cert == nil {
t.Fatalf("expected cert")
}
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_MissingCA(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{
VerifyOutgoing: true,
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.Error(t, err)
require.Nil(t, tlsConf)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_OnlyCA(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{
CAFile: "../test/ca/root.cer",
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_VerifyOutgoing(t *testing.T) {
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.RootCAs.Subjects(), 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.Empty(t, tlsConf.ServerName)
require.True(t, tlsConf.InsecureSkipVerify)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_ServerName(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
Restore the 0.2 TLS verification behavior. Namely, don't check the DNS names in TLS certificates when connecting to other servers. As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward. If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere. No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.
2014-06-22 19:49:51 +00:00
ServerName: "consul.example.com",
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.RootCAs.Subjects(), 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.Equal(t, tlsConf.ServerName, "consul.example.com")
require.False(t, tlsConf.InsecureSkipVerify)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_VerifyHostname(t *testing.T) {
tlsutil: Testing VerifyServerHostname on OutgoingConfig
2015-05-11 22:27:09 +00:00
conf := &Config{
Documentation and changes for `verify_server_hostname` (#5069) * verify_server_hostname implies verify_outgoing * mention CVE in the docs.
2018-12-06 21:51:49 +00:00
VerifyOutgoing: true,
tlsutil: Testing VerifyServerHostname on OutgoingConfig
2015-05-11 22:27:09 +00:00
VerifyServerHostname: true,
CAFile: "../test/ca/root.cer",
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.RootCAs.Subjects(), 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.False(t, tlsConf.InsecureSkipVerify)
tlsutil: Testing VerifyServerHostname on OutgoingConfig
2015-05-11 22:27:09 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_WithKeyPair(t *testing.T) {
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
require.True(t, tlsConf.InsecureSkipVerify)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.Certificates, 1)
consul: Adding configuration tests
2014-04-07 20:05:43 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_OutgoingTLS_TLSMinVersion(t *testing.T) {
Add TLSMinVersion to config options
2017-02-01 20:52:04 +00:00
tlsVersions := []string{"tls10", "tls11", "tls12"}
for _, version := range tlsVersions {
conf := &Config{
VerifyOutgoing: true,
CAFile: "../test/ca/root.cer",
TLSMinVersion: version,
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(conf)
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
require.Equal(t, tlsConf.MinVersion, TLSLookup[version])
Add TLSMinVersion to config options
2017-02-01 20:52:04 +00:00
}
}
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
func TestConfig_SkipBuiltinVerify(t *testing.T) {
type variant struct {
config Config
result bool
}
table := []variant{
variant{Config{ServerName: "", VerifyServerHostname: true}, false},
variant{Config{ServerName: "", VerifyServerHostname: false}, true},
variant{Config{ServerName: "consul", VerifyServerHostname: true}, false},
variant{Config{ServerName: "consul", VerifyServerHostname: false}, false},
}
for _, v := range table {
require.Equal(t, v.result, v.config.skipBuiltinVerify())
}
}
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
func startTLSServer(config *Config) (net.Conn, chan error) {
errc := make(chan error, 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(config)
tlsConfigServer, err := c.IncomingRPCConfig()
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
if err != nil {
errc <- err
return nil, errc
}
client, server := net.Pipe()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
// Use yamux to buffer the reads, otherwise it's easy to deadlock
muxConf := yamux.DefaultConfig()
serverSession, _ := yamux.Server(server, muxConf)
clientSession, _ := yamux.Client(client, muxConf)
clientConn, _ := clientSession.Open()
serverConn, _ := serverSession.Accept()
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
go func() {
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
tlsServer := tls.Server(serverConn, tlsConfigServer)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
if err := tlsServer.Handshake(); err != nil {
errc <- err
}
close(errc)
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
// Because net.Pipe() is unbuffered, if both sides
// Close() simultaneously, we will deadlock as they
// both send an alert and then block. So we make the
// server read any data from the client until error or
// EOF, which will allow the client to Close(), and
// *then* we Close() the server.
io.Copy(ioutil.Discard, tlsServer)
tlsServer.Close()
}()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
return clientConn, errc
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_outgoingWrapper_OK(t *testing.T) {
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Documentation and changes for `verify_server_hostname` (#5069) * verify_server_hostname implies verify_outgoing * mention CVE in the docs.
2018-12-06 21:51:49 +00:00
VerifyOutgoing: true,
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(config)
wrap, err := c.OutgoingRPCWrapper()
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
tlsClient, err := wrap("dc1", client)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
defer tlsClient.Close()
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
err = tlsClient.(*tls.Conn).Handshake()
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
err = <-errc
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_outgoingWrapper_BadDC(t *testing.T) {
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Documentation and changes for `verify_server_hostname` (#5069) * verify_server_hostname implies verify_outgoing * mention CVE in the docs.
2018-12-06 21:51:49 +00:00
VerifyOutgoing: true,
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(config)
wrap, err := c.OutgoingRPCWrapper()
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
tlsClient, err := wrap("dc2", client)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
err = tlsClient.(*tls.Conn).Handshake()
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
_, ok := err.(x509.HostnameError)
require.True(t, ok)
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
tlsClient.Close()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
<-errc
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_outgoingWrapper_BadCert(t *testing.T) {
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
config := &Config{
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
VerifyServerHostname: true,
Documentation and changes for `verify_server_hostname` (#5069) * verify_server_hostname implies verify_outgoing * mention CVE in the docs.
2018-12-06 21:51:49 +00:00
VerifyOutgoing: true,
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(config)
wrap, err := c.OutgoingRPCWrapper()
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
tlsClient, err := wrap("dc1", client)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
err = tlsClient.(*tls.Conn).Handshake()
if _, ok := err.(x509.HostnameError); !ok {
t.Fatalf("should get hostname err: %v", err)
}
Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281) * Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. * Fixes unit tests in a better manner by closing the client connection on errors. We traced through and realized that https://github.com/golang/go/issues/15709 causes the output from the client to get buffered, which cuts off the alert feedback due to the flush() call getting bypassed by the error return.
2016-11-08 02:15:26 +00:00
tlsClient.Close()
tlsutil: Testing hostname verification
2015-05-11 23:05:39 +00:00
<-errc
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_wrapTLS_OK(t *testing.T) {
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
config := &Config{
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
VerifyOutgoing: true,
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(config)
clientConfig, err := c.OutgoingRPCConfig()
require.NoError(t, err)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
agent: honor when ca is set but verify_outgoing is disabled (#4826) * honor when verify_outgoing is false but ca is set * Remove code that exists only for tests * fix formatting
2018-12-17 17:56:18 +00:00
tlsClient, err := config.wrapTLSClient(client, clientConfig)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
tlsClient.Close()
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
err = <-errc
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_wrapTLS_BadCert(t *testing.T) {
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
serverConfig := &Config{
CertFile: "../test/key/ssl-cert-snakeoil.pem",
KeyFile: "../test/key/ssl-cert-snakeoil.key",
}
client, errc := startTLSServer(serverConfig)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
clientConfig := &Config{
CAFile: "../test/ca/root.cer",
VerifyOutgoing: true,
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
c := NewConfigurator(clientConfig)
clientTLSConfig, err := c.OutgoingRPCConfig()
require.NoError(t, err)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
agent: honor when ca is set but verify_outgoing is disabled (#4826) * honor when verify_outgoing is false but ca is set * Remove code that exists only for tests * fix formatting
2018-12-17 17:56:18 +00:00
tlsClient, err := clientConfig.wrapTLSClient(client, clientTLSConfig)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.Error(t, err)
require.Nil(t, tlsClient)
Add some basic smoke tests for wrapTLSclient. Check the success case, and check that we reject a self-signed certificate.
2014-06-30 01:11:32 +00:00
err = <-errc
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.NoError(t, err)
Add TLSMinVersion to config options
2017-02-01 20:52:04 +00:00
}
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
func TestConfig_ParseCiphers(t *testing.T) {
testOk := strings.Join([]string{
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
🐛 Formatting changes only; add missing trailing commas
2018-03-13 17:30:18 +00:00
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
}, ",")
ciphers := []uint16{
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
🔒 Update supported TLS cipher suites The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-13 16:50:41 +00:00
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
🐛 Formatting changes only; add missing trailing commas
2018-03-13 17:30:18 +00:00
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
Add TLS cipher suite options and CA path support (#2963) This patch adds options to configure the available TLS cipher suites and adds support for a path for multiple CA certificates. Fixes #2959
2017-04-27 08:29:39 +00:00
}
v, err := ParseCiphers(testOk)
if err != nil {
t.Fatal(err)
}
if got, want := v, ciphers; !reflect.DeepEqual(got, want) {
t.Fatalf("got ciphers %#v want %#v", got, want)
}
testBad := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,cipherX"
if _, err := ParseCiphers(testBad); err == nil {
t.Fatal("should fail on unsupported cipherX")
}
}
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
func TestConfigurator_IncomingHTTPSConfig_CA_PATH(t *testing.T) {
conf := &Config{CAPath: "../test/ca_path"}
c := NewConfigurator(conf)
tlsConf, err := c.IncomingHTTPSConfig()
require.NoError(t, err)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.ClientCAs.Subjects(), 2)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}
func TestConfigurator_IncomingHTTPS(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
c := NewConfigurator(conf)
tlsConf, err := c.IncomingHTTPSConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.Equal(t, tlsConf.ClientAuth, tls.RequireAndVerifyClientCert)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Len(t, tlsConf.Certificates, 1)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}
func TestConfigurator_IncomingHTTPS_MissingCA(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
}
c := NewConfigurator(conf)
_, err := c.IncomingHTTPSConfig()
require.Error(t, err)
}
func TestConfigurator_IncomingHTTPS_MissingKey(t *testing.T) {
conf := &Config{
VerifyIncoming: true,
CAFile: "../test/ca/root.cer",
}
c := NewConfigurator(conf)
_, err := c.IncomingHTTPSConfig()
require.Error(t, err)
}
func TestConfigurator_IncomingHTTPS_NoVerify(t *testing.T) {
conf := &Config{}
c := NewConfigurator(conf)
tlsConf, err := c.IncomingHTTPSConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Nil(t, tlsConf.ClientCAs)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
require.Equal(t, tlsConf.ClientAuth, tls.NoClientCert)
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.Empty(t, tlsConf.Certificates)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}
func TestConfigurator_IncomingHTTPS_TLSMinVersion(t *testing.T) {
tlsVersions := []string{"tls10", "tls11", "tls12"}
for _, version := range tlsVersions {
conf := &Config{
VerifyIncoming: true,
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
TLSMinVersion: version,
}
c := NewConfigurator(conf)
tlsConf, err := c.IncomingHTTPSConfig()
require.NoError(t, err)
require.NotNil(t, tlsConf)
require.Equal(t, tlsConf.MinVersion, TLSLookup[version])
}
}
func TestConfigurator_IncomingHTTPSCAPath_Valid(t *testing.T) {
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
c := NewConfigurator(&Config{CAPath: "../test/ca_path"})
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
tlsConf, err := c.IncomingHTTPSConfig()
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
require.NoError(t, err)
require.Len(t, tlsConf.ClientCAs.Subjects(), 2)
}
func TestConfigurator_CommonTLSConfigNoBaseConfig(t *testing.T) {
c := NewConfigurator(nil)
_, err := c.commonTLSConfig(false)
require.Error(t, err)
}
func TestConfigurator_CommonTLSConfigServerNameNodeName(t *testing.T) {
type variant struct {
config *Config
result string
}
variants := []variant{
{config: &Config{NodeName: "node", ServerName: "server"},
result: "server"},
{config: &Config{ServerName: "server"},
result: "server"},
{config: &Config{NodeName: "node"},
result: "node"},
}
for _, v := range variants {
c := NewConfigurator(v.config)
tlsConf, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Equal(t, v.result, tlsConf.ServerName)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
}
func TestConfigurator_CommonTLSConfigCipherSuites(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConfig, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Empty(t, tlsConfig.CipherSuites)
conf := &Config{CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}}
c.Update(conf)
tlsConfig, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Equal(t, conf.CipherSuites, tlsConfig.CipherSuites)
}
func TestConfigurator_CommonTLSConfigCertKey(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Empty(t, tlsConf.Certificates)
c.Update(&Config{CertFile: "/something/bogus", KeyFile: "/more/bogus"})
tlsConf, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Len(t, tlsConf.Certificates, 1)
}
func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
tlsVersions := []string{"tls10", "tls11", "tls12"}
for _, version := range tlsVersions {
c := NewConfigurator(&Config{TLSMinVersion: version})
tlsConf, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Equal(t, tlsConf.MinVersion, TLSLookup[version])
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
c := NewConfigurator(&Config{TLSMinVersion: "tlsBOGUS"})
_, err := c.commonTLSConfig(false)
require.Error(t, err)
}
func TestConfigurator_CommonTLSConfigValidateVerifyOutgoingCA(t *testing.T) {
c := NewConfigurator(&Config{VerifyOutgoing: true})
_, err := c.commonTLSConfig(false)
require.Error(t, err)
}
func TestConfigurator_CommonTLSConfigLoadCA(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Nil(t, tlsConf.RootCAs)
require.Nil(t, tlsConf.ClientCAs)
c.Update(&Config{CAFile: "/something/bogus"})
_, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{CAPath: "/something/bogus/"})
_, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{CAFile: "../test/ca/root.cer"})
tlsConf, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Len(t, tlsConf.RootCAs.Subjects(), 1)
require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
c.Update(&Config{CAPath: "../test/ca_path"})
tlsConf, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Len(t, tlsConf.RootCAs.Subjects(), 2)
require.Len(t, tlsConf.ClientCAs.Subjects(), 2)
c.Update(&Config{CAFile: "../test/ca/root.cer", CAPath: "../test/ca_path"})
tlsConf, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Len(t, tlsConf.RootCAs.Subjects(), 1)
require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
}
func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.commonTLSConfig(false)
require.NoError(t, err)
require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncoming: true})
tlsConf, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer"})
tlsConf, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/cert/ourdomain.cer"})
tlsConf, err = c.commonTLSConfig(false)
require.Error(t, err)
c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.commonTLSConfig(false)
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncoming: false, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.commonTLSConfig(true)
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
}
func TestConfigurator_IncomingRPCConfig(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.IncomingRPCConfig()
require.NoError(t, err)
require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingRPCConfig()
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncomingRPC: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingRPCConfig()
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncomingHTTPS: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingRPCConfig()
require.NoError(t, err)
require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
}
func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.IncomingHTTPSConfig()
require.NoError(t, err)
require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncoming: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingHTTPSConfig()
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncomingHTTPS: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingHTTPSConfig()
require.NoError(t, err)
require.Equal(t, tls.RequireAndVerifyClientCert, tlsConf.ClientAuth)
c.Update(&Config{VerifyIncomingRPC: true, CAFile: "../test/ca/root.cer", CertFile: "../test/key/ourdomain.cer", KeyFile: "../test/key/ourdomain.key"})
tlsConf, err = c.IncomingHTTPSConfig()
require.NoError(t, err)
require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
}
func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.OutgoingRPCConfig()
require.NoError(t, err)
require.Nil(t, tlsConf)
c.Update(&Config{VerifyOutgoing: true})
tlsConf, err = c.OutgoingRPCConfig()
require.Error(t, err)
c.Update(&Config{VerifyOutgoing: true, CAFile: "../test/ca/root.cer"})
tlsConf, err = c.OutgoingRPCConfig()
require.NoError(t, err)
c.Update(&Config{VerifyOutgoing: true, CAPath: "../test/ca_path"})
tlsConf, err = c.OutgoingRPCConfig()
require.NoError(t, err)
}
func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
c := NewConfigurator(&Config{})
tlsConf, err := c.OutgoingTLSConfigForCheck("")
require.NoError(t, err)
require.False(t, tlsConf.InsecureSkipVerify)
c.Update(&Config{EnableAgentTLSForChecks: true})
tlsConf, err = c.OutgoingTLSConfigForCheck("")
require.NoError(t, err)
require.False(t, tlsConf.InsecureSkipVerify)
c.AddCheck("c1", true)
c.Update(&Config{EnableAgentTLSForChecks: true})
tlsConf, err = c.OutgoingTLSConfigForCheck("c1")
require.NoError(t, err)
require.True(t, tlsConf.InsecureSkipVerify)
c.AddCheck("c1", false)
c.Update(&Config{EnableAgentTLSForChecks: true})
tlsConf, err = c.OutgoingTLSConfigForCheck("c1")
require.NoError(t, err)
require.False(t, tlsConf.InsecureSkipVerify)
c.AddCheck("c1", false)
c.Update(&Config{EnableAgentTLSForChecks: true})
tlsConf, err = c.OutgoingTLSConfigForCheck("c1")
require.NoError(t, err)
require.False(t, tlsConf.InsecureSkipVerify)
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
}