test: change tls tests not to use LOW cipher

DES-CBC-SHA is LOW cipher and disabled by default and it is used in tests of hornorcipherorder. They are changed as to - use RC4-SHA instead of DES-CBC-SHA. - add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers. - remove tests for non-default cipher because only SEED and IDEA are available in !RC4:!HIGH:ALL. Fixes: nodejs/Release#85 PR-URL: nodejs/node#5712 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
ibmruntimes · Nov 4, 2016 · 609f7cb · 609f7cb
1 parent b4da87d
commit 609f7cb
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 29 deletions.
diff --git a/deps/openssl/config/opensslconf.h b/deps/openssl/config/opensslconf.h
@@ -44,9 +44,9 @@
 # ifndef OPENSSL_NO_STORE
 #  define OPENSSL_NO_STORE
 # endif
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-# define OPENSSL_NO_WEAK_SSL_CIPHERS
-#endif
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#  define OPENSSL_NO_WEAK_SSL_CIPHERS
+# endif
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 
 #ifndef OPENSSL_THREADS

diff --git a/test/simple/test-tls-honorcipherorder-secureOptions.js b/test/simple/test-tls-honorcipherorder-secureOptions.js
@@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
     secureProtocol: SSL_Method,
     key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
     cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
-    ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
+    ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
     secureOptions: secureOptions,
     honorCipherOrder: !!honorCipherOrder
   };
@@ -95,37 +95,37 @@ test1();
 
 function test1() {
   // Client has the preference of cipher suites by default
-  test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2);
+  test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
 }
 
 function test2() {
   // Server has the preference of cipher suites where AES256-SHA is in
   // the first.
-  test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3);
+  test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
 }
 
 function test3() {
-  // Server has the preference of cipher suites. RC4-SHA is given
-  // higher priority over DES-CBC-SHA among client cipher suites.
-  test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4);
+  // Server has the preference of cipher suites. AES256-SHA is given
+  // higher priority over RC4-SHA among client cipher suites.
+  test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
 }
 
 function test4() {
   // As client has only one cipher, server has no choice in regardless
   // of honorCipherOrder.
-  test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5);
+  test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
 }
 
 function test5() {
   test(false,
-       'DES-CBC-SHA',
-       'DES-CBC-SHA',
+       'RC4-SHA',
+       'RC4-SHA',
        process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
 }
 
 function test6() {
   test(true,
-       'DES-CBC-SHA',
-       'DES-CBC-SHA',
+       'RC4-SHA',
+       'RC4-SHA',
        process.binding('constants').SSL_OP_SINGLE_DH_USE);
 }
diff --git a/test/simple/test-tls-honorcipherorder.js b/test/simple/test-tls-honorcipherorder.js
@@ -30,15 +30,15 @@ var SSL_Method = 'TLSv1_method';
 var localhost = '127.0.0.1';
 
 process.on('exit', function() {
-  assert.equal(nconns, 6);
+  assert.equal(nconns, 5);
 });
 
 function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
   var soptions = {
     secureProtocol: SSL_Method,
     key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
     cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
-    ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
+    ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA',
     honorCipherOrder: !!honorCipherOrder
   };
 
@@ -75,31 +75,24 @@ function test1() {
 }
 
 function test2() {
-  // Server has the preference of cipher suites where DES-CBC-SHA is in
+  // Server has the preference of cipher suites where RC4-SHA is in
   // the first.
-  test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
+  test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3);
 }
 
 function test3() {
-  // Server has the preference of cipher suites. RC4-SHA is given
-  // higher priority over DES-CBC-SHA among client cipher suites.
-  test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
+  // Server has the preference of cipher suites. AES256-SHA is given
+  // higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
+  test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4);
 }
 
 function test4() {
   // As client has only one cipher, server has no choice in regardless
   // of honorCipherOrder.
-  test(true, 'RC4-SHA', 'RC4-SHA', test5);
+  test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5);
 }
 
 function test5() {
-  // Client did not explicitly set ciphers. Ensure that client defaults to
-  // sane ciphers. Even though server gives top priority to DES-CBC-SHA
-  // it should not be negotiated because it's not in default client ciphers.
-  test(true, null, 'AES256-SHA', test6);
-}
-
-function test6() {
   // Ensure that `tls.DEFAULT_CIPHERS` is used
   SSL_Method = 'TLSv1_2_method';
   tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';