Tests that CipherSuites is set to exclude HTTP/2 forbidden suites by default.
(t *testing.T)
| 250 | |
| 251 | // Tests that CipherSuites is set to exclude HTTP/2 forbidden suites by default. |
| 252 | func (s) TestTLS_CipherSuites(t *testing.T) { |
| 253 | ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) |
| 254 | defer cancel() |
| 255 | testCases := []struct { |
| 256 | name string |
| 257 | serverTLS func() *tls.Config |
| 258 | }{ |
| 259 | { |
| 260 | name: "base_case", |
| 261 | serverTLS: func() *tls.Config { |
| 262 | return &tls.Config{ |
| 263 | Certificates: []tls.Certificate{serverCert}, |
| 264 | } |
| 265 | }, |
| 266 | }, |
| 267 | { |
| 268 | name: "fallback_to_base", |
| 269 | serverTLS: func() *tls.Config { |
| 270 | config := &tls.Config{ |
| 271 | Certificates: []tls.Certificate{serverCert}, |
| 272 | } |
| 273 | config.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) { |
| 274 | return nil, nil |
| 275 | } |
| 276 | return config |
| 277 | }, |
| 278 | }, |
| 279 | { |
| 280 | name: "dynamic_using_get_config_for_client", |
| 281 | serverTLS: func() *tls.Config { |
| 282 | return &tls.Config{ |
| 283 | GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) { |
| 284 | return &tls.Config{ |
| 285 | Certificates: []tls.Certificate{serverCert}, |
| 286 | }, nil |
| 287 | }, |
| 288 | } |
| 289 | }, |
| 290 | }, |
| 291 | } |
| 292 | |
| 293 | for _, tc := range testCases { |
| 294 | t.Run(tc.name, func(t *testing.T) { |
| 295 | // Create server creds without cipher suites. |
| 296 | serverCreds := credentials.NewTLS(tc.serverTLS()) |
| 297 | ss := stubserver.StubServer{ |
| 298 | EmptyCallF: func(context.Context, *testpb.Empty) (*testpb.Empty, error) { |
| 299 | return &testpb.Empty{}, nil |
| 300 | }, |
| 301 | } |
| 302 | |
| 303 | // Create client creds that use a forbidden suite only. |
| 304 | clientCreds := credentials.NewTLS(&tls.Config{ |
| 305 | ServerName: serverName, |
| 306 | RootCAs: certPool, |
| 307 | CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}, |
| 308 | MaxVersion: tls.VersionTLS12, // TLS1.3 cipher suites are not configurable, so limit to 1.2. |
| 309 | }) |