Skip to content

Commit fe8e07d

Browse files
sam-githubBethGriggs
sam-github
authored and
BethGriggs
committed
test: assert on client and server side seperately
This gets better coverage of the codes, and is more explicit. It also works around ordering differences in the errors produced by openssl. The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared openssl. Backport-PR-URL: #26270 PR-URL: #25381 Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
1 parent 8dd8033 commit fe8e07d

File tree

1 file changed

+100
-37
lines changed

1 file changed

+100
-37
lines changed

test/parallel/test-tls-min-max-version.js

Lines changed: 100 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -8,11 +8,13 @@ const {
88
assert, connect, keys, tls
99
} = require(fixtures.path('tls-connect'));
1010
const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
11+
const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;
1112

1213
// For v11.x, the default is fixed and cannot be changed via CLI.
1314
assert.strictEqual(DEFAULT_MIN_VERSION, 'TLSv1');
1415

15-
function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
16+
function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
17+
assert(proto || cerr || serr, 'test missing any expectations');
1618
connect({
1719
client: {
1820
checkServerIdentity: (servername, cert) => { },
@@ -29,23 +31,52 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
2931
secureProtocol: sprot,
3032
},
3133
}, common.mustCall((err, pair, cleanup) => {
32-
if (expect && !expect.match(/^TLS/)) {
33-
assert(err.message.match(expect));
34+
function u(_) { return _ === undefined ? 'U' : _; }
35+
console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot),
36+
'expect', u(proto), u(cerr), u(serr));
37+
if (!proto) {
38+
console.log('client', pair.client.err ? pair.client.err.code : undefined);
39+
console.log('server', pair.server.err ? pair.server.err.code : undefined);
40+
// 11.x doesn't have https://github.com/nodejs/node/pull/24729
41+
if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
42+
pair.client.err &&
43+
pair.client.err.message.includes('methods disabled'))
44+
pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
45+
if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
46+
pair.server.err &&
47+
pair.server.err.message.includes('methods disabled'))
48+
pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
49+
if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
50+
pair.client.err &&
51+
pair.client.err.message.includes('Unknown method'))
52+
pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
53+
if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
54+
pair.server.err &&
55+
pair.server.err.message.includes('Unknown method'))
56+
pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
57+
if (cerr) {
58+
assert(pair.client.err);
59+
// Accept these codes as aliases, the one reported depends on the
60+
// OpenSSL version.
61+
if (cerr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
62+
pair.client.err.code === 'ERR_SSL_VERSION_TOO_LOW')
63+
cerr = 'ERR_SSL_VERSION_TOO_LOW';
64+
assert.strictEqual(pair.client.err.code, cerr);
65+
}
66+
if (serr) {
67+
assert(pair.server.err);
68+
assert.strictEqual(pair.server.err.code, serr);
69+
}
3470
return cleanup();
3571
}
3672

37-
if (expect) {
38-
assert.ifError(pair.server.err);
39-
assert.ifError(pair.client.err);
40-
assert(pair.server.conn);
41-
assert(pair.client.conn);
42-
assert.strictEqual(pair.client.conn.getProtocol(), expect);
43-
assert.strictEqual(pair.server.conn.getProtocol(), expect);
44-
return cleanup();
45-
}
46-
47-
assert(pair.server.err);
48-
assert(pair.client.err);
73+
assert.ifError(err);
74+
assert.ifError(pair.server.err);
75+
assert.ifError(pair.client.err);
76+
assert(pair.server.conn);
77+
assert(pair.client.conn);
78+
assert.strictEqual(pair.client.conn.getProtocol(), proto);
79+
assert.strictEqual(pair.server.conn.getProtocol(), proto);
4980
return cleanup();
5081
}));
5182
}
@@ -56,18 +87,28 @@ const U = undefined;
5687
test(U, U, U, U, U, U, 'TLSv1.2');
5788

5889
// Insecure or invalid protocols cannot be enabled.
59-
test(U, U, U, U, U, 'SSLv2_method', 'SSLv2 methods disabled');
60-
test(U, U, U, U, U, 'SSLv3_method', 'SSLv3 methods disabled');
61-
test(U, U, 'SSLv2_method', U, U, U, 'SSLv2 methods disabled');
62-
test(U, U, 'SSLv3_method', U, U, U, 'SSLv3 methods disabled');
63-
test(U, U, 'hokey-pokey', U, U, U, 'Unknown method');
64-
test(U, U, U, U, U, 'hokey-pokey', 'Unknown method');
90+
test(U, U, U, U, U, 'SSLv2_method',
91+
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
92+
test(U, U, U, U, U, 'SSLv3_method',
93+
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
94+
test(U, U, 'SSLv2_method', U, U, U,
95+
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
96+
test(U, U, 'SSLv3_method', U, U, U,
97+
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
98+
test(U, U, 'hokey-pokey', U, U, U,
99+
U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
100+
test(U, U, U, U, U, 'hokey-pokey',
101+
U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
65102

66103
// Cannot use secureProtocol and min/max versions simultaneously.
67-
test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', 'conflicts with secureProtocol');
68-
test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', 'conflicts with secureProtocol');
69-
test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
70-
test('TLSv1.2', U, 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol');
104+
test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method',
105+
U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
106+
test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method',
107+
U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
108+
test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U,
109+
U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
110+
test('TLSv1.2', U, 'TLS1_2_method', U, U, U,
111+
U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
71112

72113
// TLS_method means "any supported protocol".
73114
test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2');
@@ -82,17 +123,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');
82123
test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');
83124

84125
if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
85-
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', null);
86-
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
87-
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', null);
88-
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
126+
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
127+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
128+
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
129+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
130+
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
131+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
132+
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
133+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
89134
}
90135

91136
if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
92137
test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
93-
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null);
138+
test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
139+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
94140
test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
95-
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null);
141+
test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
142+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
96143
}
97144

98145
if (DEFAULT_MIN_VERSION === 'TLSv1') {
@@ -110,18 +157,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1');
110157

111158
// The default default.
112159
if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
113-
test(U, U, 'TLSv1_1_method', U, U, U, null);
114-
test(U, U, 'TLSv1_method', U, U, U, null);
115-
test(U, U, U, U, U, 'TLSv1_1_method', null);
116-
test(U, U, U, U, U, 'TLSv1_method', null);
160+
test(U, U, 'TLSv1_1_method', U, U, U,
161+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
162+
test(U, U, 'TLSv1_method', U, U, U,
163+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
164+
165+
if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
166+
test(U, U, U, U, U, 'TLSv1_1_method',
167+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
168+
test(U, U, U, U, U, 'TLSv1_method',
169+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
170+
} else {
171+
assert(false, 'unreachable');
172+
}
117173
}
118174

119175
// The default with --tls-v1.1.
120176
if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
121177
test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
122-
test(U, U, 'TLSv1_method', U, U, U, null);
178+
test(U, U, 'TLSv1_method', U, U, U,
179+
U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
123180
test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');
124-
test(U, U, U, U, U, 'TLSv1_method', null);
181+
182+
if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
183+
test(U, U, U, U, U, 'TLSv1_method',
184+
U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
185+
} else {
186+
assert(false, 'unreachable');
187+
}
125188
}
126189

127190
// The default with --tls-v1.0.

0 commit comments

Comments
 (0)