|
| 1 | +package config |
| 2 | + |
| 3 | +import ( |
| 4 | + "bytes" |
| 5 | + "crypto/tls" |
| 6 | + "net" |
| 7 | + "os/exec" |
| 8 | + "path/filepath" |
| 9 | + "testing" |
| 10 | +) |
| 11 | + |
| 12 | +func TestTLS(t *testing.T) { |
| 13 | + dir := t.TempDir() |
| 14 | + t.Setenv("SSL_CERT_FILE", filepath.Join(dir, `cert.pem`)) |
| 15 | + |
| 16 | + out, err := exec.Command(`go`, `env`, `GOROOT`).CombinedOutput() |
| 17 | + if err != nil { |
| 18 | + t.Logf("output:\n%s", string(out)) |
| 19 | + t.Fatal(err) |
| 20 | + } |
| 21 | + goroot := string(bytes.TrimSpace(out)) |
| 22 | + cmd := exec.Command(`go`, `run`, |
| 23 | + filepath.Join(goroot, "/src/crypto/tls/generate_cert.go"), |
| 24 | + "--rsa-bits=2048", |
| 25 | + "--host=127.0.0.1,::1,example.com", |
| 26 | + "--ca", |
| 27 | + "--start-date=Jan 1 00:00:00 1970", |
| 28 | + "--duration=1000000h", |
| 29 | + ) |
| 30 | + cmd.Dir = dir |
| 31 | + var errBuf bytes.Buffer |
| 32 | + cmd.Stderr = &errBuf |
| 33 | + if err := cmd.Run(); err != nil { |
| 34 | + t.Logf("stderr:\n%s", errBuf.String()) |
| 35 | + t.Fatal(err) |
| 36 | + } |
| 37 | + |
| 38 | + tlscfg := TLS{ |
| 39 | + Cert: filepath.Join(dir, `cert.pem`), |
| 40 | + Key: filepath.Join(dir, `key.pem`), |
| 41 | + } |
| 42 | + tlscfg.RootCA = tlscfg.Cert |
| 43 | + cfg, err := tlscfg.Config() |
| 44 | + if err != nil { |
| 45 | + t.Fatal(err) |
| 46 | + } |
| 47 | + |
| 48 | + checkTLSVersions(t, cfg) |
| 49 | +} |
| 50 | + |
| 51 | +func checkTLSVersions(t *testing.T, cfg *tls.Config) { |
| 52 | + t.Helper() |
| 53 | + l, err := net.Listen("tcp", "[::1]:0") |
| 54 | + if err != nil { |
| 55 | + t.Fatal(err) |
| 56 | + } |
| 57 | + defer l.Close() |
| 58 | + addr := l.Addr() |
| 59 | + l = tls.NewListener(l, cfg) |
| 60 | + done, gone := make(chan struct{}), make(chan struct{}) |
| 61 | + go func() { |
| 62 | + defer close(gone) |
| 63 | + for { |
| 64 | + select { |
| 65 | + case <-done: |
| 66 | + return |
| 67 | + default: |
| 68 | + } |
| 69 | + c, err := l.Accept() |
| 70 | + if err != nil { |
| 71 | + t.Error(err) |
| 72 | + return |
| 73 | + } |
| 74 | + t.Log("connected") |
| 75 | + tc := c.(*tls.Conn) |
| 76 | + if err := tc.Handshake(); err != nil { |
| 77 | + t.Log(err) |
| 78 | + continue |
| 79 | + } |
| 80 | + st := tc.ConnectionState() |
| 81 | + t.Logf("version: %v", st.Version) |
| 82 | + c.Close() |
| 83 | + } |
| 84 | + }() |
| 85 | + |
| 86 | + for _, tc := range []struct { |
| 87 | + Version uint16 |
| 88 | + FailOK bool |
| 89 | + }{ |
| 90 | + {tls.VersionTLS10, true}, |
| 91 | + {tls.VersionTLS11, true}, |
| 92 | + {tls.VersionTLS12, false}, |
| 93 | + {tls.VersionTLS13, false}, |
| 94 | + } { |
| 95 | + cfg := cfg.Clone() |
| 96 | + cfg.Certificates = nil |
| 97 | + cfg.MaxVersion = tc.Version |
| 98 | + _, err := tls.Dial(addr.Network(), addr.String(), cfg) |
| 99 | + if err != nil { |
| 100 | + t.Logf("%v: %v", tc.Version, err) |
| 101 | + if !tc.FailOK { |
| 102 | + t.Fail() |
| 103 | + } |
| 104 | + } |
| 105 | + } |
| 106 | + close(done) |
| 107 | + <-gone |
| 108 | +} |
0 commit comments