| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <utility> | 5 #include <utility> |
| 6 | 6 |
| 7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
| 8 | 8 |
| 9 #if defined(OS_WIN) | 9 #if defined(OS_WIN) |
| 10 #include <windows.h> | 10 #include <windows.h> |
| (...skipping 8692 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8703 }; | 8703 }; |
| 8704 | 8704 |
| 8705 // Tests the TLS 1.0 fallback doesn't happen. | 8705 // Tests the TLS 1.0 fallback doesn't happen. |
| 8706 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { | 8706 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { |
| 8707 SpawnedTestServer::SSLOptions ssl_options( | 8707 SpawnedTestServer::SSLOptions ssl_options( |
| 8708 SpawnedTestServer::SSLOptions::CERT_OK); | 8708 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8709 ssl_options.tls_intolerant = | 8709 ssl_options.tls_intolerant = |
| 8710 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8710 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 8711 | 8711 |
| 8712 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8712 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8713 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 8714 } |
| 8715 |
| 8716 // Tests the TLS 1.1 fallback doesn't happen but 1.2-intolerance is detected. |
| 8717 TEST_F(HTTPSFallbackTest, TLSv1_1NoFallback) { |
| 8718 SpawnedTestServer::SSLOptions ssl_options( |
| 8719 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8720 ssl_options.tls_intolerant = |
| 8721 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8722 |
| 8723 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8713 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | 8724 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); |
| 8714 } | 8725 } |
| 8715 | 8726 |
| 8716 // Tests the TLS 1.1 fallback. | 8727 // Tests the TLS 1.1 fallback when explicitly enabled. |
| 8717 TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { | 8728 TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { |
| 8718 SpawnedTestServer::SSLOptions ssl_options( | 8729 SpawnedTestServer::SSLOptions ssl_options( |
| 8719 SpawnedTestServer::SSLOptions::CERT_OK); | 8730 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8720 ssl_options.tls_intolerant = | 8731 ssl_options.tls_intolerant = |
| 8721 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8732 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8722 | 8733 |
| 8734 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8723 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8735 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8724 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8736 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
| 8725 } | 8737 } |
| 8726 | 8738 |
| 8727 // Tests that the TLS 1.1 fallback triggers on closed connections. | 8739 // Tests that the TLS 1.1 fallback, if enabled, triggers on closed connections. |
| 8728 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { | 8740 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { |
| 8729 SpawnedTestServer::SSLOptions ssl_options( | 8741 SpawnedTestServer::SSLOptions ssl_options( |
| 8730 SpawnedTestServer::SSLOptions::CERT_OK); | 8742 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8731 ssl_options.tls_intolerant = | 8743 ssl_options.tls_intolerant = |
| 8732 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8744 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8733 ssl_options.tls_intolerance_type = | 8745 ssl_options.tls_intolerance_type = |
| 8734 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8746 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 8735 | 8747 |
| 8748 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8736 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8749 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8737 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8750 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
| 8738 } | 8751 } |
| 8739 | 8752 |
| 8740 // This test is disabled on Android because the remote test server doesn't cause | 8753 // This test is disabled on Android because the remote test server doesn't cause |
| 8741 // a TCP reset. | 8754 // a TCP reset. |
| 8742 #if !defined(OS_ANDROID) | 8755 #if !defined(OS_ANDROID) |
| 8743 // Tests fallback to TLS 1.1 on connection reset. | 8756 // Tests fallback to TLS 1.1, if enabled, on connection reset. |
| 8744 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { | 8757 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { |
| 8745 SpawnedTestServer::SSLOptions ssl_options( | 8758 SpawnedTestServer::SSLOptions ssl_options( |
| 8746 SpawnedTestServer::SSLOptions::CERT_OK); | 8759 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8747 ssl_options.tls_intolerant = | 8760 ssl_options.tls_intolerant = |
| 8748 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8761 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8749 ssl_options.tls_intolerance_type = | 8762 ssl_options.tls_intolerance_type = |
| 8750 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; | 8763 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
| 8751 | 8764 |
| 8765 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8752 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8766 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8753 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | 8767 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
| 8754 } | 8768 } |
| 8755 #endif // !OS_ANDROID | 8769 #endif // !OS_ANDROID |
| 8756 | 8770 |
| 8757 // Tests that we don't fallback on handshake failure with servers that implement | 8771 // Tests that we don't fallback, even if enabled, on handshake failure with |
| 8758 // TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. | 8772 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
| 8773 // code is reported. |
| 8759 TEST_F(HTTPSFallbackTest, FallbackSCSV) { | 8774 TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
| 8760 SpawnedTestServer::SSLOptions ssl_options( | 8775 SpawnedTestServer::SSLOptions ssl_options( |
| 8761 SpawnedTestServer::SSLOptions::CERT_OK); | 8776 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8762 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | 8777 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger |
| 8763 // a version fallback. | 8778 // a version fallback. |
| 8764 ssl_options.tls_intolerant = | 8779 ssl_options.tls_intolerant = |
| 8765 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8780 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 8766 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 8781 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 8767 // connections are rejected. | 8782 // connections are rejected. |
| 8768 ssl_options.fallback_scsv_enabled = true; | 8783 ssl_options.fallback_scsv_enabled = true; |
| 8769 | 8784 |
| 8785 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8770 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8786 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8771 | 8787 |
| 8772 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version | 8788 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
| 8773 // intolerance. If the fallback SCSV is processed when the original error | 8789 // intolerance. If the fallback SCSV is processed when the original error |
| 8774 // that caused the fallback should be returned, which should be | 8790 // that caused the fallback should be returned, which should be |
| 8775 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. | 8791 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
| 8776 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); | 8792 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 8777 } | 8793 } |
| 8778 | 8794 |
| 8779 // Tests that we don't fallback on connection closed with servers that implement | 8795 // Tests that we don't fallback, even if enabled, on connection closed with |
| 8780 // TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. | 8796 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
| 8797 // code is reported. |
| 8781 TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { | 8798 TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { |
| 8782 SpawnedTestServer::SSLOptions ssl_options( | 8799 SpawnedTestServer::SSLOptions ssl_options( |
| 8783 SpawnedTestServer::SSLOptions::CERT_OK); | 8800 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8784 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | 8801 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger |
| 8785 // a version fallback. | 8802 // a version fallback. |
| 8786 ssl_options.tls_intolerant = | 8803 ssl_options.tls_intolerant = |
| 8787 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8804 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 8788 ssl_options.tls_intolerance_type = | 8805 ssl_options.tls_intolerance_type = |
| 8789 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8806 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 8790 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 8807 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 8791 // connections are rejected. | 8808 // connections are rejected. |
| 8792 ssl_options.fallback_scsv_enabled = true; | 8809 ssl_options.fallback_scsv_enabled = true; |
| 8793 | 8810 |
| 8811 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8794 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8812 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8795 | 8813 |
| 8796 // The original error should be replayed on rejected fallback. | 8814 // The original error should be replayed on rejected fallback. |
| 8797 ExpectFailure(ERR_CONNECTION_CLOSED); | 8815 ExpectFailure(ERR_CONNECTION_CLOSED); |
| 8798 } | 8816 } |
| 8799 | 8817 |
| 8800 // Test that fallback probe connections don't cause sessions to be cached. | 8818 // Test that fallback probe connections don't cause sessions to be cached. |
| 8801 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { | 8819 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
| 8802 SpawnedTestServer::SSLOptions ssl_options( | 8820 SpawnedTestServer::SSLOptions ssl_options( |
| 8803 SpawnedTestServer::SSLOptions::CERT_OK); | 8821 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8804 ssl_options.tls_intolerant = | 8822 ssl_options.tls_intolerant = |
| 8805 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8823 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
| 8806 ssl_options.tls_intolerance_type = | 8824 ssl_options.tls_intolerance_type = |
| 8807 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8825 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 8808 ssl_options.record_resume = true; | 8826 ssl_options.record_resume = true; |
| 8809 | 8827 |
| 8810 SpawnedTestServer test_server( | 8828 SpawnedTestServer test_server( |
| 8811 SpawnedTestServer::TYPE_HTTPS, | 8829 SpawnedTestServer::TYPE_HTTPS, |
| 8812 ssl_options, | 8830 ssl_options, |
| 8813 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8831 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 8814 ASSERT_TRUE(test_server.Start()); | 8832 ASSERT_TRUE(test_server.Start()); |
| 8815 | 8833 |
| 8816 SSLClientSocket::ClearSessionCache(); | 8834 SSLClientSocket::ClearSessionCache(); |
| 8817 | 8835 |
| 8818 // Make a connection that does a probe fallback to TLSv1 but fails because | 8836 // Make a connection that does a probe fallback to TLSv1.1 but fails because |
| 8819 // TLSv1 fallback is disabled. We don't wish a session for this connection to | 8837 // fallback is disabled. We don't wish a session for this connection to be |
| 8820 // be inserted locally. | 8838 // inserted locally. |
| 8821 { | 8839 { |
| 8822 TestDelegate delegate; | 8840 TestDelegate delegate; |
| 8823 FallbackTestURLRequestContext context(true); | 8841 FallbackTestURLRequestContext context(true); |
| 8824 | 8842 |
| 8825 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_2); | |
| 8826 context.Init(); | 8843 context.Init(); |
| 8827 scoped_ptr<URLRequest> request(context.CreateRequest( | 8844 scoped_ptr<URLRequest> request(context.CreateRequest( |
| 8828 test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); | 8845 test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); |
| 8829 request->Start(); | 8846 request->Start(); |
| 8830 | 8847 |
| 8831 base::RunLoop().Run(); | 8848 base::RunLoop().Run(); |
| 8832 | 8849 |
| 8833 EXPECT_EQ(1, delegate.response_started_count()); | 8850 EXPECT_EQ(1, delegate.response_started_count()); |
| 8834 EXPECT_FALSE(request->status().is_success()); | 8851 EXPECT_FALSE(request->status().is_success()); |
| 8835 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); | 8852 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); |
| 8836 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, | 8853 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, |
| 8837 request->status().error()); | 8854 request->status().error()); |
| 8838 } | 8855 } |
| 8839 | 8856 |
| 8840 // Now allow TLSv1 fallback connections and request the session cache log. | 8857 // Now allow TLSv1.1 fallback connections and request the session cache log. |
| 8841 { | 8858 { |
| 8842 TestDelegate delegate; | 8859 TestDelegate delegate; |
| 8843 FallbackTestURLRequestContext context(true); | 8860 FallbackTestURLRequestContext context(true); |
| 8844 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); | 8861 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
| 8845 | 8862 |
| 8846 context.Init(); | 8863 context.Init(); |
| 8847 scoped_ptr<URLRequest> request(context.CreateRequest( | 8864 scoped_ptr<URLRequest> request(context.CreateRequest( |
| 8848 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); | 8865 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); |
| 8849 request->Start(); | 8866 request->Start(); |
| 8850 | 8867 |
| 8851 base::RunLoop().Run(); | 8868 base::RunLoop().Run(); |
| 8852 | 8869 |
| 8853 EXPECT_EQ(1, delegate.response_started_count()); | 8870 EXPECT_EQ(1, delegate.response_started_count()); |
| 8854 EXPECT_NE(0, delegate.bytes_received()); | 8871 EXPECT_NE(0, delegate.bytes_received()); |
| 8855 EXPECT_EQ( | 8872 EXPECT_EQ( |
| 8856 SSL_CONNECTION_VERSION_TLS1, | 8873 SSL_CONNECTION_VERSION_TLS1_1, |
| 8857 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); | 8874 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); |
| 8858 EXPECT_TRUE(request->ssl_info().connection_status & | 8875 EXPECT_TRUE(request->ssl_info().connection_status & |
| 8859 SSL_CONNECTION_VERSION_FALLBACK); | 8876 SSL_CONNECTION_VERSION_FALLBACK); |
| 8860 | 8877 |
| 8861 std::vector<std::string> lines; | 8878 std::vector<std::string> lines; |
| 8862 // If no sessions were cached then the server should have seen two sessions | 8879 // If no sessions were cached then the server should have seen two sessions |
| 8863 // inserted with no lookups. | 8880 // inserted with no lookups. |
| 8864 AssertTwoDistinctSessionsInserted(delegate.data_received()); | 8881 AssertTwoDistinctSessionsInserted(delegate.data_received()); |
| 8865 } | 8882 } |
| 8866 } | 8883 } |
| (...skipping 996 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9863 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 9880 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 9864 | 9881 |
| 9865 req->Start(); | 9882 req->Start(); |
| 9866 req->Cancel(); | 9883 req->Cancel(); |
| 9867 base::RunLoop().RunUntilIdle(); | 9884 base::RunLoop().RunUntilIdle(); |
| 9868 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 9885 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
| 9869 EXPECT_EQ(0, d.received_redirect_count()); | 9886 EXPECT_EQ(0, d.received_redirect_count()); |
| 9870 } | 9887 } |
| 9871 | 9888 |
| 9872 } // namespace net | 9889 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1682623002:
Disable the TLS version fallback. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master