OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <utility> | 5 #include <utility> |
6 | 6 |
7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
8 | 8 |
9 #if defined(OS_WIN) | 9 #if defined(OS_WIN) |
10 #include <windows.h> | 10 #include <windows.h> |
(...skipping 8692 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8703 }; | 8703 }; |
8704 | 8704 |
8705 // Tests the TLS 1.0 fallback doesn't happen. | 8705 // Tests the TLS 1.0 fallback doesn't happen. |
8706 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { | 8706 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { |
8707 SpawnedTestServer::SSLOptions ssl_options( | 8707 SpawnedTestServer::SSLOptions ssl_options( |
8708 SpawnedTestServer::SSLOptions::CERT_OK); | 8708 SpawnedTestServer::SSLOptions::CERT_OK); |
8709 ssl_options.tls_intolerant = | 8709 ssl_options.tls_intolerant = |
8710 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8710 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
8711 | 8711 |
8712 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8712 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8713 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 8714 } |
| 8715 |
| 8716 // Tests the TLS 1.1 fallback doesn't happen but 1.2-intolerance is detected. |
| 8717 TEST_F(HTTPSFallbackTest, TLSv1_1NoFallback) { |
| 8718 SpawnedTestServer::SSLOptions ssl_options( |
| 8719 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8720 ssl_options.tls_intolerant = |
| 8721 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8722 |
| 8723 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8713 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | 8724 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); |
8714 } | 8725 } |
8715 | 8726 |
8716 // Tests the TLS 1.1 fallback. | 8727 // Tests the TLS 1.1 fallback when explicitly enabled. |
8717 TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { | 8728 TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { |
8718 SpawnedTestServer::SSLOptions ssl_options( | 8729 SpawnedTestServer::SSLOptions ssl_options( |
8719 SpawnedTestServer::SSLOptions::CERT_OK); | 8730 SpawnedTestServer::SSLOptions::CERT_OK); |
8720 ssl_options.tls_intolerant = | 8731 ssl_options.tls_intolerant = |
8721 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8732 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
8722 | 8733 |
| 8734 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8723 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8735 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8724 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8736 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
8725 } | 8737 } |
8726 | 8738 |
8727 // Tests that the TLS 1.1 fallback triggers on closed connections. | 8739 // Tests that the TLS 1.1 fallback, if enabled, triggers on closed connections. |
8728 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { | 8740 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { |
8729 SpawnedTestServer::SSLOptions ssl_options( | 8741 SpawnedTestServer::SSLOptions ssl_options( |
8730 SpawnedTestServer::SSLOptions::CERT_OK); | 8742 SpawnedTestServer::SSLOptions::CERT_OK); |
8731 ssl_options.tls_intolerant = | 8743 ssl_options.tls_intolerant = |
8732 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8744 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
8733 ssl_options.tls_intolerance_type = | 8745 ssl_options.tls_intolerance_type = |
8734 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8746 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
8735 | 8747 |
| 8748 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8736 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8749 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8737 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8750 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
8738 } | 8751 } |
8739 | 8752 |
8740 // This test is disabled on Android because the remote test server doesn't cause | 8753 // This test is disabled on Android because the remote test server doesn't cause |
8741 // a TCP reset. | 8754 // a TCP reset. |
8742 #if !defined(OS_ANDROID) | 8755 #if !defined(OS_ANDROID) |
8743 // Tests fallback to TLS 1.1 on connection reset. | 8756 // Tests fallback to TLS 1.1, if enabled, on connection reset. |
8744 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { | 8757 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { |
8745 SpawnedTestServer::SSLOptions ssl_options( | 8758 SpawnedTestServer::SSLOptions ssl_options( |
8746 SpawnedTestServer::SSLOptions::CERT_OK); | 8759 SpawnedTestServer::SSLOptions::CERT_OK); |
8747 ssl_options.tls_intolerant = | 8760 ssl_options.tls_intolerant = |
8748 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8761 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
8749 ssl_options.tls_intolerance_type = | 8762 ssl_options.tls_intolerance_type = |
8750 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; | 8763 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
8751 | 8764 |
| 8765 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8752 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8766 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8753 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8767 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
8754 } | 8768 } |
8755 #endif // !OS_ANDROID | 8769 #endif // !OS_ANDROID |
8756 | 8770 |
8757 // Tests that we don't fallback on handshake failure with servers that implement | 8771 // Tests that we don't fallback, even if enabled, on handshake failure with |
8758 // TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. | 8772 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
| 8773 // code is reported. |
8759 TEST_F(HTTPSFallbackTest, FallbackSCSV) { | 8774 TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
8760 SpawnedTestServer::SSLOptions ssl_options( | 8775 SpawnedTestServer::SSLOptions ssl_options( |
8761 SpawnedTestServer::SSLOptions::CERT_OK); | 8776 SpawnedTestServer::SSLOptions::CERT_OK); |
8762 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | 8777 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger |
8763 // a version fallback. | 8778 // a version fallback. |
8764 ssl_options.tls_intolerant = | 8779 ssl_options.tls_intolerant = |
8765 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8780 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
8766 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 8781 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
8767 // connections are rejected. | 8782 // connections are rejected. |
8768 ssl_options.fallback_scsv_enabled = true; | 8783 ssl_options.fallback_scsv_enabled = true; |
8769 | 8784 |
| 8785 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8770 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8786 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8771 | 8787 |
8772 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version | 8788 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
8773 // intolerance. If the fallback SCSV is processed when the original error | 8789 // intolerance. If the fallback SCSV is processed when the original error |
8774 // that caused the fallback should be returned, which should be | 8790 // that caused the fallback should be returned, which should be |
8775 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. | 8791 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
8776 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); | 8792 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
8777 } | 8793 } |
8778 | 8794 |
8779 // Tests that we don't fallback on connection closed with servers that implement | 8795 // Tests that we don't fallback, even if enabled, on connection closed with |
8780 // TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. | 8796 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
| 8797 // code is reported. |
8781 TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { | 8798 TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { |
8782 SpawnedTestServer::SSLOptions ssl_options( | 8799 SpawnedTestServer::SSLOptions ssl_options( |
8783 SpawnedTestServer::SSLOptions::CERT_OK); | 8800 SpawnedTestServer::SSLOptions::CERT_OK); |
8784 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | 8801 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger |
8785 // a version fallback. | 8802 // a version fallback. |
8786 ssl_options.tls_intolerant = | 8803 ssl_options.tls_intolerant = |
8787 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8804 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
8788 ssl_options.tls_intolerance_type = | 8805 ssl_options.tls_intolerance_type = |
8789 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8806 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
8790 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 8807 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
8791 // connections are rejected. | 8808 // connections are rejected. |
8792 ssl_options.fallback_scsv_enabled = true; | 8809 ssl_options.fallback_scsv_enabled = true; |
8793 | 8810 |
| 8811 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8794 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8812 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8795 | 8813 |
8796 // The original error should be replayed on rejected fallback. | 8814 // The original error should be replayed on rejected fallback. |
8797 ExpectFailure(ERR_CONNECTION_CLOSED); | 8815 ExpectFailure(ERR_CONNECTION_CLOSED); |
8798 } | 8816 } |
8799 | 8817 |
8800 // Test that fallback probe connections don't cause sessions to be cached. | 8818 // Test that fallback probe connections don't cause sessions to be cached. |
8801 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { | 8819 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
8802 SpawnedTestServer::SSLOptions ssl_options( | 8820 SpawnedTestServer::SSLOptions ssl_options( |
8803 SpawnedTestServer::SSLOptions::CERT_OK); | 8821 SpawnedTestServer::SSLOptions::CERT_OK); |
8804 ssl_options.tls_intolerant = | 8822 ssl_options.tls_intolerant = |
8805 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8823 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
8806 ssl_options.tls_intolerance_type = | 8824 ssl_options.tls_intolerance_type = |
8807 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8825 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
8808 ssl_options.record_resume = true; | 8826 ssl_options.record_resume = true; |
8809 | 8827 |
8810 SpawnedTestServer test_server( | 8828 SpawnedTestServer test_server( |
8811 SpawnedTestServer::TYPE_HTTPS, | 8829 SpawnedTestServer::TYPE_HTTPS, |
8812 ssl_options, | 8830 ssl_options, |
8813 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8831 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
8814 ASSERT_TRUE(test_server.Start()); | 8832 ASSERT_TRUE(test_server.Start()); |
8815 | 8833 |
8816 SSLClientSocket::ClearSessionCache(); | 8834 SSLClientSocket::ClearSessionCache(); |
8817 | 8835 |
8818 // Make a connection that does a probe fallback to TLSv1 but fails because | 8836 // Make a connection that does a probe fallback to TLSv1.1 but fails because |
8819 // TLSv1 fallback is disabled. We don't wish a session for this connection to | 8837 // fallback is disabled. We don't wish a session for this connection to be |
8820 // be inserted locally. | 8838 // inserted locally. |
8821 { | 8839 { |
8822 TestDelegate delegate; | 8840 TestDelegate delegate; |
8823 FallbackTestURLRequestContext context(true); | 8841 FallbackTestURLRequestContext context(true); |
8824 | 8842 |
8825 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_2); | |
8826 context.Init(); | 8843 context.Init(); |
8827 scoped_ptr<URLRequest> request(context.CreateRequest( | 8844 scoped_ptr<URLRequest> request(context.CreateRequest( |
8828 test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); | 8845 test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); |
8829 request->Start(); | 8846 request->Start(); |
8830 | 8847 |
8831 base::RunLoop().Run(); | 8848 base::RunLoop().Run(); |
8832 | 8849 |
8833 EXPECT_EQ(1, delegate.response_started_count()); | 8850 EXPECT_EQ(1, delegate.response_started_count()); |
8834 EXPECT_FALSE(request->status().is_success()); | 8851 EXPECT_FALSE(request->status().is_success()); |
8835 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); | 8852 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); |
8836 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, | 8853 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, |
8837 request->status().error()); | 8854 request->status().error()); |
8838 } | 8855 } |
8839 | 8856 |
8840 // Now allow TLSv1 fallback connections and request the session cache log. | 8857 // Now allow TLSv1.1 fallback connections and request the session cache log. |
8841 { | 8858 { |
8842 TestDelegate delegate; | 8859 TestDelegate delegate; |
8843 FallbackTestURLRequestContext context(true); | 8860 FallbackTestURLRequestContext context(true); |
8844 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); | 8861 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
8845 | 8862 |
8846 context.Init(); | 8863 context.Init(); |
8847 scoped_ptr<URLRequest> request(context.CreateRequest( | 8864 scoped_ptr<URLRequest> request(context.CreateRequest( |
8848 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); | 8865 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); |
8849 request->Start(); | 8866 request->Start(); |
8850 | 8867 |
8851 base::RunLoop().Run(); | 8868 base::RunLoop().Run(); |
8852 | 8869 |
8853 EXPECT_EQ(1, delegate.response_started_count()); | 8870 EXPECT_EQ(1, delegate.response_started_count()); |
8854 EXPECT_NE(0, delegate.bytes_received()); | 8871 EXPECT_NE(0, delegate.bytes_received()); |
8855 EXPECT_EQ( | 8872 EXPECT_EQ( |
8856 SSL_CONNECTION_VERSION_TLS1, | 8873 SSL_CONNECTION_VERSION_TLS1_1, |
8857 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); | 8874 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); |
8858 EXPECT_TRUE(request->ssl_info().connection_status & | 8875 EXPECT_TRUE(request->ssl_info().connection_status & |
8859 SSL_CONNECTION_VERSION_FALLBACK); | 8876 SSL_CONNECTION_VERSION_FALLBACK); |
8860 | 8877 |
8861 std::vector<std::string> lines; | 8878 std::vector<std::string> lines; |
8862 // If no sessions were cached then the server should have seen two sessions | 8879 // If no sessions were cached then the server should have seen two sessions |
8863 // inserted with no lookups. | 8880 // inserted with no lookups. |
8864 AssertTwoDistinctSessionsInserted(delegate.data_received()); | 8881 AssertTwoDistinctSessionsInserted(delegate.data_received()); |
8865 } | 8882 } |
8866 } | 8883 } |
(...skipping 996 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9863 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 9880 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
9864 | 9881 |
9865 req->Start(); | 9882 req->Start(); |
9866 req->Cancel(); | 9883 req->Cancel(); |
9867 base::RunLoop().RunUntilIdle(); | 9884 base::RunLoop().RunUntilIdle(); |
9868 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 9885 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
9869 EXPECT_EQ(0, d.received_redirect_count()); | 9886 EXPECT_EQ(0, d.received_redirect_count()); |
9870 } | 9887 } |
9871 | 9888 |
9872 } // namespace net | 9889 } // namespace net |
OLD | NEW |