// Copyright 2018 The etcd Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package integration

import (
	"context"
	"crypto/tls"
	"testing"
	"time"

	"github.com/coreos/etcd/clientv3"
	"github.com/coreos/etcd/pkg/testutil"
	"google.golang.org/grpc"
)

// TestTLSClientCipherSuitesValid runs the cipher suite check with the
// client and the server configured with the same suite list.
func TestTLSClientCipherSuitesValid(t *testing.T) {
	testTLSCipherSuites(t, true)
}

// TestTLSClientCipherSuitesMismatch runs the cipher suite check with the
// client and the server configured with suite lists that do not overlap.
func TestTLSClientCipherSuitesMismatch(t *testing.T) {
	testTLSCipherSuites(t, false)
}

// testTLSCipherSuites ensures that mismatching client-side cipher suites
// fail the TLS handshake with the server.
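func testTLSCipherSuites(t *testing.T, valid bool) {
	// valid selects the scenario. true: server and client are configured
	// with the same cipher suite list and the dial must succeed. false:
	// they are given disjoint lists and the blocking dial must end in
	// context.DeadlineExceeded.
	defer testutil.AfterTest(t)

	cipherSuites := []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	}

	// Each side gets its own TLS settings so the suite lists can differ.
	// NOTE(review): presumably testTLSInfo is a struct value, so these are
	// independent copies; confirm against its declaration.
	srvTLS, cliTLS := testTLSInfo, testTLSInfo
	if valid {
		srvTLS.CipherSuites, cliTLS.CipherSuites = cipherSuites, cipherSuites
	} else {
		// The server keeps the first two suites and the client the
		// remaining four, so the two lists have no suite in common.
		srvTLS.CipherSuites, cliTLS.CipherSuites = cipherSuites[:2], cipherSuites[2:]
	}

	clus := NewClusterV3(t, &ClusterConfig{Size: 1, ClientTLS: &srvTLS})
	defer clus.Terminate(t)

	cc, err := cliTLS.ClientConfig()
	if err != nil {
		t.Fatal(err)
	}
	// crypto/tls applies Config.CipherSuites to TLS 1.0-1.2 only; TLS 1.3
	// suites are not configurable. Cap the client at TLS 1.2 so that the
	// suite lists above decide the handshake on every Go release, otherwise
	// a TLS 1.3 handshake could succeed in the mismatch case and the
	// restriction under test would go unchecked.
	cc.MaxVersion = tls.VersionTLS12

	cli, cerr := clientv3.New(clientv3.Config{
		Endpoints:   []string{clus.Members[0].GRPCAddr()},
		DialTimeout: time.Second,
		DialOptions: []grpc.DialOption{grpc.WithBlock()},
		TLS:         cc,
	})
	if cli != nil {
		// Only the dial result matters here; the client is released at once.
		cli.Close()
	}

	// NOTE(review): the mismatch case is recognised only by the one-second
	// blocking dial timing out. Any other cause of a slow dial satisfies the
	// same check, so a pass does not by itself prove the handshake was
	// rejected because of the cipher suites.
	if !valid && cerr != context.DeadlineExceeded {
		t.Fatalf("expected %v with TLS handshake failure, got %v", context.DeadlineExceeded, cerr)
	}
	if valid && cerr != nil {
		t.Fatalf("expected TLS handshake success, got %v", cerr)
	}
}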