mirror of
https://github.com/curl/curl.git
synced 2024-12-27 06:59:43 +08:00
tests: add pytest for --ciphers and --tls13-ciphers options
Closes #13530
This commit is contained in:
parent
96a4cad46a
commit
74e0bb1e7a
@ -175,3 +175,71 @@ class TestSSLUse:
|
||||
assert r.json, f'{r}'
|
||||
if proto != 'h3': # we proxy h3
|
||||
assert r.json['SSL_TLS_SNI'] == domain, f'{r.json}'
|
||||
|
||||
# test setting cipher suites, the AES 256 ciphers are disabled in the test server
|
||||
@pytest.mark.parametrize("ciphers, succeed", [
|
||||
[[0x1301], True],
|
||||
[[0x1302], False],
|
||||
[[0x1303], True],
|
||||
[[0x1302, 0x1303], True],
|
||||
[[0xC02B, 0xC02F], True],
|
||||
[[0xC02C, 0xC030], False],
|
||||
[[0xCCA9, 0xCCA8], True],
|
||||
[[0xC02C, 0xC030, 0xCCA9, 0xCCA8], True],
|
||||
])
|
||||
def test_17_07_ssl_ciphers(self, env: Env, httpd, nghttpx, ciphers, succeed, repeat):
|
||||
cipher_table = {
|
||||
0x1301: 'TLS_AES_128_GCM_SHA256',
|
||||
0x1302: 'TLS_AES_256_GCM_SHA384',
|
||||
0x1303: 'TLS_CHACHA20_POLY1305_SHA256',
|
||||
0xC02B: 'ECDHE-ECDSA-AES128-GCM-SHA256',
|
||||
0xC02F: 'ECDHE-RSA-AES128-GCM-SHA256',
|
||||
0xC02C: 'ECDHE-ECDSA-AES256-GCM-SHA384',
|
||||
0xC030: 'ECDHE-RSA-AES256-GCM-SHA384',
|
||||
0xCCA9: 'ECDHE-ECDSA-CHACHA20-POLY1305',
|
||||
0xCCA8: 'ECDHE-RSA-CHACHA20-POLY1305',
|
||||
}
|
||||
cipher_names = list(map(cipher_table.get, ciphers))
|
||||
proto = 'http/1.1'
|
||||
curl = CurlClient(env=env)
|
||||
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
|
||||
extra_args = []
|
||||
if env.curl_uses_lib('gnutls'):
|
||||
pytest.skip('gnutls does not support setting ciphers by name')
|
||||
if env.curl_uses_lib('rustls-ffi'):
|
||||
pytest.skip('rustls-ffi does not support setting ciphers')
|
||||
if ciphers[0] & 0xFF00 == 0x1300:
|
||||
# test setting TLSv1.3 ciphers
|
||||
if env.curl_uses_lib('bearssl'):
|
||||
pytest.skip('bearssl does not support TLSv1.3')
|
||||
elif env.curl_uses_lib('sectransp'):
|
||||
pytest.skip('sectransp does not support TLSv1.3')
|
||||
elif env.curl_uses_lib('boringssl'):
|
||||
pytest.skip('boringssl does not support setting TLSv1.3 ciphers')
|
||||
elif env.curl_uses_lib('mbedtls'):
|
||||
if not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
|
||||
pytest.skip('mbedtls TLSv1.3 support requires at least 3.6.0')
|
||||
extra_args = ['--ciphers', ':'.join(cipher_names)]
|
||||
elif env.curl_uses_lib('wolfssl'):
|
||||
extra_args = ['--ciphers', ':'.join(cipher_names)]
|
||||
else:
|
||||
extra_args = ['--tls13-ciphers', ':'.join(cipher_names)]
|
||||
else:
|
||||
# test setting TLSv1.2 ciphers
|
||||
if env.curl_uses_lib('schannel'):
|
||||
pytest.skip('schannel does not support setting TLSv1.2 ciphers by name')
|
||||
elif env.curl_uses_lib('wolfssl'):
|
||||
# setting tls version is botched with wolfssl: setting max (--tls-max)
|
||||
# is not supported, setting min (--tlsv1.*) actually also sets max
|
||||
extra_args = ['--tlsv1.2', '--ciphers', ':'.join(cipher_names)]
|
||||
else:
|
||||
# the server supports TLSv1.3, so to test TLSv1.2 ciphers we set tls-max
|
||||
extra_args = ['--tls-max', '1.2', '--ciphers', ':'.join(cipher_names)]
|
||||
r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
|
||||
if succeed:
|
||||
assert r.exit_code == 0, f'{r}'
|
||||
assert r.json['HTTPS'] == 'on', f'{r.json}'
|
||||
assert 'SSL_CIPHER' in r.json, f'{r.json}'
|
||||
assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}'
|
||||
else:
|
||||
assert r.exit_code != 0, f'{r}'
|
||||
|
@ -255,6 +255,13 @@ class Httpd:
|
||||
f'Listen {self.env.proxys_port}',
|
||||
f'TypesConfig "{self._conf_dir}/mime.types',
|
||||
f'SSLSessionCache "shmcb:ssl_gcache_data(32000)"',
|
||||
(f'SSLCipherSuite SSL'
|
||||
f' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
|
||||
f':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
|
||||
),
|
||||
(f'SSLCipherSuite TLSv1.3'
|
||||
f' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256'
|
||||
),
|
||||
]
|
||||
if 'base' in self._extra_configs:
|
||||
conf.extend(self._extra_configs['base'])
|
||||
|
Loading…
Reference in New Issue
Block a user