// Flags: --no-warnings
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
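
'use strict';
const common = require('../common');
if (!common.hasCrypto)
  common.skip('missing crypto');

if (!common.opensslCli)
  common.skip('missing openssl-cli');

const assert = require('assert');
const tls = require('tls');
const spawn = require('child_process').spawn;
const fixtures = require('../common/fixtures');

const key = fixtures.readKey('agent2-key.pem');
const cert = fixtures.readKey('agent2-cert.pem');
let nsuccess = 0;
let ntests = 0;
// One DHE and one ECDHE suite: the DHE suite is expected whenever usable DH
// parameters are configured, the ECDHE suite when they are not.
const ciphers = 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

// Test will emit a warning because the DH parameter size is < 2048 bits
// (the 1024-bit case below). Parameters below 1024 bits are rejected outright
// rather than warned about; see test512.
common.expectWarning('SecurityWarning',
                     'DH parameter is less than 2048 bits');

// Loads the DH parameter fixture `dh<n>.pem` (e.g. dh1024.pem). `n` may also
// be the string 'error', which selects the deliberately unusable dherror.pem.
function loadDHParam(n) {
  const keyname = `dh${n}.pem`;
  return fixtures.readKey(keyname);
}

// Starts a TLS server configured with the DH parameters selected by `keylen`,
// connects to it with `openssl s_client` restricted to `ciphers`, and checks
// that the negotiated suite is `expectedCipher`. On success `nsuccess` is
// bumped and the server is closed, which runs `cb` (if given) to chain the
// next case. A `keylen` below Node's minimum makes tls.createServer() throw
// synchronously (exercised by test512), so no server or client is started.
function test(keylen, expectedCipher, cb) {
  const options = {
    key: key,
    cert: cert,
    ciphers: ciphers,
    dhparam: loadDHParam(keylen)
  };

  const server = tls.createServer(options, function(conn) {
    conn.end();
  });

  server.on('close', function(err) {
    assert.ifError(err);
    if (cb) cb();
  });

  server.listen(0, '127.0.0.1', function() {
    const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`,
                  '-cipher', ciphers];

    const client = spawn(common.opensslCli, args);
    let out = '';
    let errOut = '';
    client.stdout.setEncoding('utf8');
    client.stdout.on('data', function(d) {
      out += d;
    });
    // Keep stderr too: when s_client fails to negotiate, the reason is
    // reported there, not on stdout.
    client.stderr.setEncoding('utf8');
    client.stderr.on('data', function(d) {
      errOut += d;
    });
    client.stdout.on('end', common.mustCall(function() {
      // DHE key length can be checked -brief option in s_client but it
      // is only supported in openssl 1.0.2 so we cannot check it.
      // s_client pads the "Cipher" column, so accept any whitespace around
      // the colon instead of depending on the exact layout of that line.
      const reg = new RegExp(`Cipher\\s*:\\s*${expectedCipher}`);
      // Fail right away with the client's output. Silently leaving the server
      // open would only surface as a harness timeout with no diagnostics.
      assert.ok(reg.test(out),
                `expected cipher ${expectedCipher} with dhparam ` +
                `${keylen}; s_client stdout:\n${out}\nstderr:\n${errOut}`);
      nsuccess++;
      server.close();
    }));
  });
}

// 512-bit DH parameters must be rejected outright: tls.createServer() throws
// synchronously, so no server is started and the callback chain ends here.
function test512() {
  assert.throws(function() {
    test(512, 'DHE-RSA-AES128-SHA256', null);
  }, /DH parameter is less than 1024 bits/);
}

// 1024-bit DH parameters are accepted (with the SecurityWarning expected
// above) and the DHE suite is negotiated.
function test1024() {
  test(1024, 'DHE-RSA-AES128-SHA256', test2048);
  ntests++;
}

// 2048-bit DH parameters are accepted and the DHE suite is negotiated.
function test2048() {
  test(2048, 'DHE-RSA-AES128-SHA256', testError);
  ntests++;
}

// With the unusable dherror.pem fixture the ECDHE suite from `ciphers` is
// negotiated instead of the DHE one.
function testError() {
  test('error', 'ECDHE-RSA-AES128-SHA256', test512);
  ntests++;
}

test1024();

process.on('exit', function() {
  // Every started case must have negotiated its expected cipher; the
  // 512-bit case is not counted because it throws before starting.
  assert.strictEqual(ntests, nsuccess);
  assert.strictEqual(ntests, 3);
});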