Skip to content

Commit

Permalink
Merge pull request #15 from genkiroid/control-tls-max-version
Browse files Browse the repository at this point in the history
Control tls max version when specify cipher suite
  • Loading branch information
genkiroid authored Sep 29, 2019
2 parents 8828948 + d4c9194 commit 8a53bce
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 7 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -210,6 +210,8 @@ Error:

```

**If you specify a cipher suite, the maximum TLS version used is limited to TLS1.2. This is because if the server supports TLS1.3, the specified cipher suite is ignored and communication is performed using TLS1.3. This eliminates the meaning of specifying a cipher suite and confuses us. This specification will change when the cipher suite for tls1.3 becomes configurable in Go.**

## License

[MIT](https://github.com/genkiroid/cert/blob/master/LICENSE)
Expand Down
14 changes: 10 additions & 4 deletions cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,9 +44,6 @@ var cipherSuites = map[string]uint16{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
"TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
"TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
}

var userTempl string
Expand Down Expand Up @@ -116,11 +113,19 @@ func cipherSuite() ([]uint16, error) {
var cs []uint16
cs = []uint16{cipherSuites[CipherSuite]}
if cs[0] == 0 {
return nil, fmt.Errorf("%s is unsupported cipher suite.", CipherSuite)
return nil, fmt.Errorf("%s is unsupported cipher suite or tls1.3 cipher suite.", CipherSuite)
}
return cs, nil
}

func tlsVersion() uint16 {
if CipherSuite != "" {
return tls.VersionTLS12
}
// Currently TLS 1.3
return 0
}

var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
d := &net.Dialer{
Timeout: time.Duration(TimeoutSeconds) * time.Second,
Expand All @@ -134,6 +139,7 @@ var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
conn, err := tls.DialWithDialer(d, "tcp", host+":"+port, &tls.Config{
InsecureSkipVerify: SkipVerify,
CipherSuites: cs,
MaxVersion: tlsVersion(),
})
if err != nil {
return []*x509.Certificate{&x509.Certificate{}}, "", err
Expand Down
31 changes: 28 additions & 3 deletions cert_test.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package cert

import (
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
Expand Down Expand Up @@ -266,18 +267,42 @@ func TestCertChain(t *testing.T) {
}

func TestCipherSuite(t *testing.T) {
CipherSuite = "TLS_CHACHA20_POLY1305_SHA256"
CipherSuite = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
if _, err := cipherSuite(); err != nil {
t.Errorf(`unexpected err %s, want nil`, err.Error())
}
}

func TestCipherSuiteError(t *testing.T) {
CipherSuite = "UNSUPPORTED_CIPHER_SUITE"
want := "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite or tls1.3 cipher suite."

if _, err := cipherSuite(); err == nil {
t.Error(`unexpected nil, want error`)
} else if err.Error() != "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite." {
t.Errorf(`unexpected err message, want %q`, "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite.")
} else if err.Error() != want {
t.Errorf(`unexpected err message, want %q`, want)
}
}

func TestTlsVersion(t *testing.T) {
type want struct {
version uint16
}
var tests = []struct {
cipherSuite string
want want
}{
{"", want{0}}, // 0 means TLS1.3 currently
{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", want{tls.VersionTLS12}},
}

for _, test := range tests {
CipherSuite = test.cipherSuite
v := tlsVersion()
got := want{v}
if got != test.want {
t.Errorf("tlsVersion() = %v, want %v", got, test.want)
}
}
}

Expand Down

0 comments on commit 8a53bce

Please sign in to comment.