mirror of
https://github.com/coredns/coredns.git
synced 2026-07-10 17:50:12 -04:00
Remove fixed TLS 1.2 cipher suite list and maximum TLS version so crypto/tls can use its maintained defaults. Keep TLS 1.2 as the minimum supported version. Document the shared TLS default behavior for plugins that expose TLS configuration and add coverage to ensure CoreDNS leaves Go-managed TLS fields unset. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
145 lines
3.4 KiB
Go
145 lines
3.4 KiB
Go
package tls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/coredns/coredns/plugin/test"
|
|
)
|
|
|
|
func getPEMFiles(t *testing.T) (cert, key, ca string) {
|
|
t.Helper()
|
|
tempDir, err := test.WritePEMFiles(t)
|
|
if err != nil {
|
|
t.Fatalf("Could not write PEM files: %s", err)
|
|
}
|
|
|
|
cert = filepath.Join(tempDir, "cert.pem")
|
|
key = filepath.Join(tempDir, "key.pem")
|
|
ca = filepath.Join(tempDir, "ca.pem")
|
|
|
|
return
|
|
}
|
|
|
|
func assertTLSDefaults(t *testing.T, c *tls.Config) {
|
|
t.Helper()
|
|
if c.MinVersion != tls.VersionTLS12 {
|
|
t.Errorf("MinVersion = %d, want %d", c.MinVersion, tls.VersionTLS12)
|
|
}
|
|
if c.MaxVersion != 0 {
|
|
t.Errorf("MaxVersion = %d, want 0 to use Go defaults", c.MaxVersion)
|
|
}
|
|
if c.CipherSuites != nil {
|
|
t.Errorf("CipherSuites = %v, want nil to use Go defaults", c.CipherSuites)
|
|
}
|
|
if c.CurvePreferences != nil {
|
|
t.Errorf("CurvePreferences = %v, want nil to use Go defaults", c.CurvePreferences)
|
|
}
|
|
}
|
|
|
|
func TestNewTLSConfig(t *testing.T) {
|
|
cert, key, ca := getPEMFiles(t)
|
|
c, err := NewTLSConfig(cert, key, ca)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
}
|
|
|
|
func TestNewTLSClientConfig(t *testing.T) {
|
|
_, _, ca := getPEMFiles(t)
|
|
|
|
c, err := NewTLSClientConfig(ca)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
}
|
|
|
|
func TestNewTLSConfigFromArgs(t *testing.T) {
|
|
cert, key, ca := getPEMFiles(t)
|
|
|
|
c, err := NewTLSConfigFromArgs()
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
|
|
c, err = NewTLSConfigFromArgs(ca)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
if c.RootCAs == nil {
|
|
t.Error("RootCAs should not be nil when one arg passed")
|
|
}
|
|
|
|
c, err = NewTLSConfigFromArgs(cert, key)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
if c.RootCAs != nil {
|
|
t.Error("RootCAs should be nil when two args passed")
|
|
}
|
|
if len(c.Certificates) != 1 {
|
|
t.Error("Certificates should have a single entry when two args passed")
|
|
}
|
|
args := []string{cert, key, ca}
|
|
c, err = NewTLSConfigFromArgs(args...)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
if c.RootCAs == nil {
|
|
t.Error("RootCAs should not be nil when three args passed")
|
|
}
|
|
if len(c.Certificates) != 1 {
|
|
t.Error("Certificates should have a single entry when three args passed")
|
|
}
|
|
}
|
|
|
|
func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
|
|
cert, key, ca := getPEMFiles(t)
|
|
tempDir := t.TempDir()
|
|
|
|
root := tempDir
|
|
args := []string{cert, key, ca}
|
|
for i := range args {
|
|
if !filepath.IsAbs(args[i]) && root != "" {
|
|
args[i] = filepath.Join(root, args[i])
|
|
}
|
|
}
|
|
c, err := NewTLSConfigFromArgs(args...)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
assertTLSDefaults(t, c)
|
|
if c.RootCAs == nil {
|
|
t.Error("RootCAs should not be nil when three args passed")
|
|
}
|
|
if len(c.Certificates) != 1 {
|
|
t.Error("Certificates should have a single entry when three args passed")
|
|
}
|
|
}
|
|
|
|
func TestNewHTTPSTransport(t *testing.T) {
|
|
_, _, ca := getPEMFiles(t)
|
|
|
|
cc, err := NewTLSClientConfig(ca)
|
|
if err != nil {
|
|
t.Errorf("Failed to create TLSConfig: %s", err)
|
|
}
|
|
|
|
tr := NewHTTPSTransport(cc)
|
|
if tr == nil {
|
|
t.Errorf("Failed to create https transport with cc")
|
|
}
|
|
|
|
tr = NewHTTPSTransport(nil)
|
|
if tr == nil {
|
|
t.Errorf("Failed to create https transport without cc")
|
|
}
|
|
}
|