Fix cluster cipher test (#7900)

Go 1.13 flipped TLS 1.3 to opt-out instead of opt-in, and its TLS 1.3 support does not allow configuring cipher suites. Simply remove the affected test; it's not relevant going forward and there's ample evidence it works properly prior to Go 1.13.
2019-11-18 23:04:49 -05:00 · 2019-11-18 23:04:49 -05:00 · 9b5392bc8f
parent b3fb8aa565
commit 9b5392bc8f
3 changed files with 4 additions and 37 deletions
--- a/sdk/helper/tlsutil/tlsutil.go
+++ b/sdk/helper/tlsutil/tlsutil.go
@ -42,6 +42,9 @@ var cipherMap = map[string]uint16{
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	"TLS_AES_128_GCM_SHA256":                  tls.TLS_AES_128_GCM_SHA256,
+	"TLS_AES_256_GCM_SHA384":                  tls.TLS_AES_256_GCM_SHA384,
+	"TLS_CHACHA20_POLY1305_SHA256":            tls.TLS_CHACHA20_POLY1305_SHA256,
 }

 // ParseCiphers parse ciphersuites from the comma-separated string into recognized slice
--- a/vault/cluster_test.go
+++ b/vault/cluster_test.go
@ -5,7 +5,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"fmt"
 	"net/http"
 	"testing"
 	"time"
@ -372,38 +371,3 @@ func testCluster_ForwardRequests(t *testing.T, c *TestClusterCore, rootToken, re
 		}
 	}
 }
-
-func TestCluster_CustomCipherSuites(t *testing.T) {
-	cluster := NewTestCluster(t, &CoreConfig{
-		ClusterCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-	}, nil)
-	cluster.Start()
-	defer cluster.Cleanup()
-	core := cluster.Cores[0]
-
-	// Wait for core to become active
-	TestWaitActive(t, core.Core)
-
-	core.getClusterListener().AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{core.Core})
-
-	parsedCert := core.localClusterParsedCert.Load().(*x509.Certificate)
-	dialer := core.getGRPCDialer(context.Background(), consts.RequestForwardingALPN, parsedCert.Subject.CommonName, parsedCert)
-
-	netConn, err := dialer(core.getClusterListener().Addrs()[0].String(), 0)
-	conn := netConn.(*tls.Conn)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer conn.Close()
-	err = conn.Handshake()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if conn.ConnectionState().CipherSuite != tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {
-		var availCiphers string
-		for _, cipher := range core.clusterCipherSuites {
-			availCiphers += fmt.Sprintf("%x ", cipher)
-		}
-		t.Fatalf("got bad negotiated cipher %x, core-set suites are %s", conn.ConnectionState().CipherSuite, availCiphers)
-	}
-}
--- a/vault/core.go
+++ b/vault/core.go
@ -711,7 +711,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 	c.activeContextCancelFunc.Store((context.CancelFunc)(nil))

 	switch conf.ClusterCipherSuites {
-	case "tls12":
+	case "tls13", "tls12":
 		// Do nothing, let Go use the default

 	case "":