Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls: allow the server to enforce its ciphersuite preferences.

Browse source 
Previously, Go TLS servers always took the client's preferences into
account when selecting a ciphersuite. This change adds the option of
using the server's preferences, which can be expressed by setting
tls.Config.CipherSuites.

This mirrors Apache's SSLHonorCipherOrder directive.

R=golang-dev, nightlyone, bradfitz, ality
CC=golang-dev
https://golang.org/cl/7163043
This commit is contained in:
Adam Langley 2013-01-22 10:10:38 -05:00
parent fd32ac4bae
commit 793cbd5b81
3 changed files with 64 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

44
src/pkg/crypto/tls/handshake_server_test.go
View file

@ -125,6 +125,50 @@ func TestClose(t *testing.T) {
}
}
func testHandshake(clientConfig, serverConfig *Config) (state ConnectionState, err error) {
c, s := net.Pipe()
go func() {
cli := Client(c, clientConfig)
cli.Handshake()
c.Close()
}()
server := Server(s, serverConfig)
err = server.Handshake()
if err == nil {
state = server.ConnectionState()
}
s.Close()
return
}
func TestCipherSuitePreference(t *testing.T) {
serverConfig := &Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
Certificates: testConfig.Certificates,
}
clientConfig := &Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA},
InsecureSkipVerify: true,
}
state, err := testHandshake(clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
if state.CipherSuite != TLS_RSA_WITH_AES_128_CBC_SHA {
// By default the server should use the client's preference.
t.Fatalf("Client's preference was not used, got %x", state.CipherSuite)
}
serverConfig.PreferServerCipherSuites = true
state, err = testHandshake(clientConfig, serverConfig)
if err != nil {
t.Fatalf("handshake failed: %s", err)
}
if state.CipherSuite != TLS_RSA_WITH_RC4_128_SHA {
t.Fatalf("Server's preference was not used, got %x", state.CipherSuite)
}
}
func testServerScript(t *testing.T, name string, serverScript [][]byte, config *Config, peers []*x509.Certificate) {
c, s := net.Pipe()
srv := Server(s, config)