diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py index 45198c236d..d741514bbe 100644 --- a/tests/http/test_17_ssl_use.py +++ b/tests/http/test_17_ssl_use.py @@ -175,3 +175,71 @@ class TestSSLUse: assert r.json, f'{r}' if proto != 'h3': # we proxy h3 assert r.json['SSL_TLS_SNI'] == domain, f'{r.json}' + + # test setting cipher suites, the AES 256 ciphers are disabled in the test server + @pytest.mark.parametrize("ciphers, succeed", [ + [[0x1301], True], + [[0x1302], False], + [[0x1303], True], + [[0x1302, 0x1303], True], + [[0xC02B, 0xC02F], True], + [[0xC02C, 0xC030], False], + [[0xCCA9, 0xCCA8], True], + [[0xC02C, 0xC030, 0xCCA9, 0xCCA8], True], + ]) + def test_17_07_ssl_ciphers(self, env: Env, httpd, nghttpx, ciphers, succeed, repeat): + cipher_table = { + 0x1301: 'TLS_AES_128_GCM_SHA256', + 0x1302: 'TLS_AES_256_GCM_SHA384', + 0x1303: 'TLS_CHACHA20_POLY1305_SHA256', + 0xC02B: 'ECDHE-ECDSA-AES128-GCM-SHA256', + 0xC02F: 'ECDHE-RSA-AES128-GCM-SHA256', + 0xC02C: 'ECDHE-ECDSA-AES256-GCM-SHA384', + 0xC030: 'ECDHE-RSA-AES256-GCM-SHA384', + 0xCCA9: 'ECDHE-ECDSA-CHACHA20-POLY1305', + 0xCCA8: 'ECDHE-RSA-CHACHA20-POLY1305', + } + cipher_names = list(map(cipher_table.get, ciphers)) + proto = 'http/1.1' + curl = CurlClient(env=env) + url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' + extra_args = [] + if env.curl_uses_lib('gnutls'): + pytest.skip('gnutls does not support setting ciphers by name') + if env.curl_uses_lib('rustls-ffi'): + pytest.skip('rustls-ffi does not support setting ciphers') + if ciphers[0] & 0xFF00 == 0x1300: + # test setting TLSv1.3 ciphers + if env.curl_uses_lib('bearssl'): + pytest.skip('bearssl does not support TLSv1.3') + elif env.curl_uses_lib('sectransp'): + pytest.skip('sectransp does not support TLSv1.3') + elif env.curl_uses_lib('boringssl'): + pytest.skip('boringssl does not support setting TLSv1.3 ciphers') + elif env.curl_uses_lib('mbedtls'): + if not env.curl_lib_version_at_least('mbedtls', '3.6.0'): + pytest.skip('mbedtls TLSv1.3 support requires at least 3.6.0') + extra_args = ['--ciphers', ':'.join(cipher_names)] + elif env.curl_uses_lib('wolfssl'): + extra_args = ['--ciphers', ':'.join(cipher_names)] + else: + extra_args = ['--tls13-ciphers', ':'.join(cipher_names)] + else: + # test setting TLSv1.2 ciphers + if env.curl_uses_lib('schannel'): + pytest.skip('schannel does not support setting TLSv1.2 ciphers by name') + elif env.curl_uses_lib('wolfssl'): + # setting tls version is botched with wolfssl: setting max (--tls-max) + # is not supported, setting min (--tlsv1.*) actually also sets max + extra_args = ['--tlsv1.2', '--ciphers', ':'.join(cipher_names)] + else: + # the server supports TLSv1.3, so to test TLSv1.2 ciphers we set tls-max + extra_args = ['--tls-max', '1.2', '--ciphers', ':'.join(cipher_names)] + r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args) + if succeed: + assert r.exit_code == 0, f'{r}' + assert r.json['HTTPS'] == 'on', f'{r.json}' + assert 'SSL_CIPHER' in r.json, f'{r.json}' + assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}' + else: + assert r.exit_code != 0, f'{r}' diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py index 5580c8427c..f664d32d89 100644 --- a/tests/http/testenv/httpd.py +++ b/tests/http/testenv/httpd.py @@ -255,6 +255,13 @@ class Httpd: f'Listen {self.env.proxys_port}', f'TypesConfig "{self._conf_dir}/mime.types', f'SSLSessionCache "shmcb:ssl_gcache_data(32000)"', + (f'SSLCipherSuite SSL' + f' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' + f':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305' + ), + (f'SSLCipherSuite TLSv1.3' + f' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256' + ), ] if 'base' in self._extra_configs: conf.extend(self._extra_configs['base'])