Path: blob/main/external/curl/tests/http/test_17_ssl_use.py
2654 views
#!/usr/bin/env python31# -*- coding: utf-8 -*-2#***************************************************************************3# _ _ ____ _4# Project ___| | | | _ \| |5# / __| | | | |_) | |6# | (__| |_| | _ <| |___7# \___|\___/|_| \_\_____|8#9# Copyright (C) Daniel Stenberg, <[email protected]>, et al.10#11# This software is licensed as described in the file COPYING, which12# you should have received as part of this distribution. The terms13# are also available at https://curl.se/docs/copyright.html.14#15# You may opt to use, copy, modify, merge, publish, distribute and/or sell16# copies of the Software, and permit persons to whom the Software is17# furnished to do so, under the terms of the COPYING file.18#19# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY20# KIND, either express or implied.21#22# SPDX-License-Identifier: curl23#24###########################################################################25#26import json27import logging28import os29import re30import pytest3132from testenv import Env, CurlClient, LocalClient333435log = logging.getLogger(__name__)363738class TLSDefs:39TLS_VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']40TLS_VERSION_IDS = {41'TLSv1': 0x301,42'TLSv1.1': 0x302,43'TLSv1.2': 0x303,44'TLSv1.3': 0x30445}46CURL_ARG_MIN_VERSION_ID = {47'none': 0x0,48'tlsv1': 0x301,49'tlsv1.0': 0x301,50'tlsv1.1': 0x302,51'tlsv1.2': 0x303,52'tlsv1.3': 0x304,53}54CURL_ARG_MAX_VERSION_ID = {55'none': 0x0,56'1.0': 0x301,57'1.1': 0x302,58'1.2': 0x303,59'1.3': 0x304,60}616263class TestSSLUse:6465@pytest.fixture(autouse=True, scope='class')66def _class_scope(self, env, httpd, nghttpx):67env.make_data_file(indir=httpd.docs_dir, fname="data-10k", fsize=10*1024)6869def test_17_01_sslinfo_plain(self, env: Env, httpd):70proto = 'http/1.1'71curl = CurlClient(env=env)72url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'73r = curl.http_get(url=url, alpn_proto=proto)74assert r.json['HTTPS'] == 'on', f'{r.json}'75assert 'SSL_SESSION_ID' in r.json, f'{r.json}'76assert 'SSL_SESSION_RESUMED' in r.json, f'{r.json}'77assert r.json['SSL_SESSION_RESUMED'] == 'Initial', f'{r.json}'7879@pytest.mark.parametrize("tls_max", ['1.2', '1.3'])80def test_17_02_sslinfo_reconnect(self, env: Env, tls_max, httpd):81proto = 'http/1.1'82count = 383exp_resumed = 'Resumed'84xargs = ['--sessionid', '--tls-max', tls_max, f'--tlsv{tls_max}']85if env.curl_uses_lib('libressl'):86if tls_max == '1.3':87exp_resumed = 'Initial' # 1.2 works in LibreSSL, but 1.3 does not, TODO88if env.curl_uses_lib('rustls-ffi'):89exp_resumed = 'Initial' # Rustls does not support sessions, TODO90if env.curl_uses_lib('mbedtls') and tls_max == '1.3' and \91not env.curl_lib_version_at_least('mbedtls', '3.6.0'):92pytest.skip('mbedtls TLSv1.3 session resume not working in 3.6.0')9394run_env = os.environ.copy()95run_env['CURL_DEBUG'] = 'ssl'96curl = CurlClient(env=env, run_env=run_env)97# tell the server to close the connection after each request98urln = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo?'\99f'id=[0-{count-1}]&close'100r = curl.http_download(urls=[urln], alpn_proto=proto, with_stats=True,101extra_args=xargs)102r.check_response(count=count, http_status=200)103# should have used one connection for each request, sessions after104# first should have been resumed105assert r.total_connects == count, r.dump_logs()106for i in range(count):107dfile = curl.download_file(i)108assert os.path.exists(dfile)109with open(dfile) as f:110djson = json.load(f)111assert djson['HTTPS'] == 'on', f'{i}: {djson}'112if i == 0:113assert djson['SSL_SESSION_RESUMED'] == 'Initial', f'{i}: {djson}\n{r.dump_logs()}'114else:115assert djson['SSL_SESSION_RESUMED'] == exp_resumed, f'{i}: {djson}\n{r.dump_logs()}'116117# use host name with trailing dot, verify handshake118@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])119def test_17_03_trailing_dot(self, env: Env, proto, httpd, nghttpx):120if proto == 'h3' and not env.have_h3():121pytest.skip("h3 not supported")122curl = CurlClient(env=env)123domain = f'{env.domain1}.'124url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'125r = curl.http_get(url=url, alpn_proto=proto)126assert r.exit_code == 0, f'{r}'127assert r.json, f'{r}'128if proto != 'h3': # we proxy h3129# the SNI the server received is without trailing dot130assert r.json['SSL_TLS_SNI'] == env.domain1, f'{r.json}'131132# use host name with double trailing dot, verify handshake133@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])134def test_17_04_double_dot(self, env: Env, proto, httpd, nghttpx):135if proto == 'h3' and not env.have_h3():136pytest.skip("h3 not supported")137curl = CurlClient(env=env)138domain = f'{env.domain1}..'139url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'140r = curl.http_get(url=url, alpn_proto=proto, extra_args=[141'-H', f'Host: {env.domain1}',142])143if r.exit_code == 0:144assert r.json, f'{r.stdout}'145# the SNI the server received is without trailing dot146if proto != 'h3': # we proxy h3147assert r.json['SSL_TLS_SNI'] == env.domain1, f'{r.json}'148assert False, f'should not have succeeded: {r.json}'149# 7 - Rustls rejects a servername with .. during setup150# 35 - LibreSSL rejects setting an SNI name with trailing dot151# 60 - peer name matching failed against certificate152assert r.exit_code in [7, 35, 60], f'{r}'153154# use ip address for connect155@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])156def test_17_05_good_ip_addr(self, env: Env, proto, httpd, nghttpx):157if env.curl_uses_lib('mbedtls'):158pytest.skip("mbedTLS does use IP addresses in SNI")159if proto == 'h3' and not env.have_h3():160pytest.skip("h3 not supported")161curl = CurlClient(env=env)162domain = '127.0.0.1'163url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'164r = curl.http_get(url=url, alpn_proto=proto)165assert r.exit_code == 0, f'{r}'166assert r.json, f'{r}'167if proto != 'h3': # we proxy h3168# the SNI should not have been used169assert 'SSL_TLS_SNI' not in r.json, f'{r.json}'170171# use IP address that is not in cert172@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])173def test_17_05_bad_ip_addr(self, env: Env, proto,174httpd, configures_httpd,175nghttpx, configures_nghttpx):176if proto == 'h3' and not env.have_h3():177pytest.skip("h3 not supported")178httpd.set_domain1_cred_name('domain1-no-ip')179httpd.reload_if_config_changed()180if proto == 'h3':181nghttpx.set_cred_name('domain1-no-ip')182nghttpx.reload_if_config_changed()183curl = CurlClient(env=env)184url = f'https://127.0.0.1:{env.port_for(proto)}/curltest/sslinfo'185r = curl.http_get(url=url, alpn_proto=proto)186assert r.exit_code == 60, f'{r}'187188# use IP address that is in cert as DNS name (not really legal)189@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])190def test_17_05_very_bad_ip_addr(self, env: Env, proto,191httpd, configures_httpd,192nghttpx, configures_nghttpx):193if proto == 'h3' and not env.have_h3():194pytest.skip("h3 not supported")195if env.curl_uses_lib('mbedtls'):196pytest.skip("mbedtls falsely verifies a DNS: altname as IP address")197if env.curl_uses_lib('wolfssl'):198pytest.skip("wolfSSL falsely verifies a DNS: altname as IP address")199httpd.set_domain1_cred_name('domain1-very-bad')200httpd.reload_if_config_changed()201if proto == 'h3':202nghttpx.set_cred_name('domain1-very-bad')203nghttpx.reload_if_config_changed()204curl = CurlClient(env=env)205url = f'https://127.0.0.1:{env.port_for(proto)}/curltest/sslinfo'206r = curl.http_get(url=url, alpn_proto=proto)207assert r.exit_code == 60, f'{r}'208209# use localhost for connect210@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])211def test_17_06_localhost(self, env: Env, proto, httpd, nghttpx):212if proto == 'h3' and not env.have_h3():213pytest.skip("h3 not supported")214curl = CurlClient(env=env)215domain = 'localhost'216url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'217r = curl.http_get(url=url, alpn_proto=proto)218assert r.exit_code == 0, f'{r}'219assert r.json, f'{r}'220if proto != 'h3': # we proxy h3221assert r.json['SSL_TLS_SNI'] == domain, f'{r.json}'222223@staticmethod224def gen_test_17_07_list():225tls13_tests = [226['def', None, True],227['AES128SHA256', ['TLS_AES_128_GCM_SHA256'], True],228['AES128SHA384', ['TLS_AES_256_GCM_SHA384'], False],229['CHACHA20SHA256', ['TLS_CHACHA20_POLY1305_SHA256'], True],230['AES128SHA384+CHACHA20SHA256', ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'], True],231]232tls12_tests = [233['def', None, True],234['AES128ish', ['ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256'], True],235['AES256ish', ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384'], False],236['CHACHA20ish', ['ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305'], True],237['AES256ish+CHACHA20ish', ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384',238'ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305'], True],239]240ret = []241for tls_id, tls_proto in {242'TLSv1.2+3': 'TLSv1.3 +TLSv1.2',243'TLSv1.3': 'TLSv1.3',244'TLSv1.2': 'TLSv1.2'}.items():245for [cid13, ciphers13, succeed13] in tls13_tests:246for [cid12, ciphers12, succeed12] in tls12_tests:247id = f'{tls_id}-{cid13}-{cid12}'248ret.append(pytest.param(tls_proto, ciphers13, ciphers12, succeed13, succeed12, id=id))249return ret250251@pytest.mark.parametrize(252"tls_proto, ciphers13, ciphers12, succeed13, succeed12",253gen_test_17_07_list())254def test_17_07_ssl_ciphers(self, env: Env, httpd, configures_httpd,255tls_proto, ciphers13, ciphers12,256succeed13, succeed12):257# to test setting cipher suites, the AES 256 ciphers are disabled in the test server258httpd.set_extra_config('base', [259'SSLCipherSuite SSL'260' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'261':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305',262'SSLCipherSuite TLSv1.3'263' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256',264f'SSLProtocol {tls_proto}'265])266httpd.reload_if_config_changed()267proto = 'http/1.1'268curl = CurlClient(env=env)269url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'270# SSL backend specifics271if env.curl_uses_lib('gnutls'):272pytest.skip('GnuTLS does not support setting ciphers')273elif env.curl_uses_lib('boringssl'):274if ciphers13 is not None:275pytest.skip('BoringSSL does not support setting TLSv1.3 ciphers')276elif env.curl_uses_lib('schannel'): # not in CI, so untested277if ciphers12 is not None:278pytest.skip('Schannel does not support setting TLSv1.2 ciphers by name')279elif env.curl_uses_lib('mbedtls') and not env.curl_lib_version_at_least('mbedtls', '3.6.0'):280if tls_proto == 'TLSv1.3':281pytest.skip('mbedTLS < 3.6.0 does not support TLSv1.3')282# test283extra_args = ['--tls13-ciphers', ':'.join(ciphers13)] if ciphers13 else []284extra_args += ['--ciphers', ':'.join(ciphers12)] if ciphers12 else []285r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)286if tls_proto != 'TLSv1.2' and succeed13:287assert r.exit_code == 0, r.dump_logs()288assert r.json['HTTPS'] == 'on', r.dump_logs()289assert r.json['SSL_PROTOCOL'] == 'TLSv1.3', r.dump_logs()290assert ciphers13 is None or r.json['SSL_CIPHER'] in ciphers13, r.dump_logs()291elif tls_proto == 'TLSv1.2' and succeed12:292assert r.exit_code == 0, r.dump_logs()293assert r.json['HTTPS'] == 'on', r.dump_logs()294assert r.json['SSL_PROTOCOL'] == 'TLSv1.2', r.dump_logs()295assert ciphers12 is None or r.json['SSL_CIPHER'] in ciphers12, r.dump_logs()296else:297assert r.exit_code != 0, r.dump_logs()298299@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])300def test_17_08_cert_status(self, env: Env, proto, httpd, nghttpx):301if proto == 'h3' and not env.have_h3():302pytest.skip("h3 not supported")303if not env.curl_uses_lib('openssl') and \304not env.curl_uses_lib('gnutls') and \305not env.curl_uses_lib('quictls'):306pytest.skip("TLS library does not support --cert-status")307curl = CurlClient(env=env)308domain = 'localhost'309url = f'https://{env.authority_for(domain, proto)}/'310r = curl.http_get(url=url, alpn_proto=proto, extra_args=[311'--cert-status'312])313# CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info314assert r.exit_code == 91, f'{r}'315316@staticmethod317def gen_test_17_09_list():318return [319[server_tls, min_arg, max_arg]320for server_tls in TLSDefs.TLS_VERSIONS321for min_arg in TLSDefs.CURL_ARG_MIN_VERSION_ID322for max_arg in TLSDefs.CURL_ARG_MAX_VERSION_ID323]324325@pytest.mark.parametrize("server_tls, min_arg, max_arg", gen_test_17_09_list())326def test_17_09_ssl_min_max(self, env: Env, httpd, configures_httpd, server_tls, min_arg, max_arg):327# We test if curl using min/max versions arguments (and defaults) can connect328# to a server using 'server_tls' version only329httpd.set_extra_config('base', [330f'SSLProtocol {server_tls}',331'SSLCipherSuite ALL:@SECLEVEL=0',332])333httpd.reload_if_config_changed()334# curl's TLS backend supported version335if env.curl_uses_lib('gnutls') or \336env.curl_uses_lib('quiche') or \337env.curl_uses_lib('aws-lc') or \338env.curl_uses_lib('boringssl'):339curl_supported = [0x301, 0x302, 0x303, 0x304]340elif env.curl_uses_lib('openssl') and \341env.curl_lib_version_before('openssl', '3.0.0'):342curl_supported = [0x301, 0x302, 0x303, 0x304]343else: # most SSL backends dropped support for TLSv1.0, TLSv1.1344curl_supported = [0x303, 0x304]345346extra_args = ['--trace-config', 'ssl']347348# determine effective min/max version used by curl with these args349if max_arg != 'none':350extra_args.extend(['--tls-max', max_arg])351curl_max_ver = TLSDefs.CURL_ARG_MAX_VERSION_ID[max_arg]352else:353curl_max_ver = max(TLSDefs.TLS_VERSION_IDS.values())354if min_arg != 'none':355extra_args.append(f'--{min_arg}')356curl_min_ver = TLSDefs.CURL_ARG_MIN_VERSION_ID[min_arg]357else:358curl_min_ver = min(0x303, curl_max_ver) # TLSv1.2 is the default now359360# collect all versions that curl is allowed with this command lines and supports361curl_allowed = [tid for tid in sorted(TLSDefs.TLS_VERSION_IDS.values())362if curl_min_ver <= tid <= curl_max_ver and363tid in curl_supported]364# we expect a successful transfer, when the server TLS version is allowed365server_ver = TLSDefs.TLS_VERSION_IDS[server_tls]366# do the transfer367proto = 'http/1.1'368run_env = os.environ.copy()369if env.curl_uses_lib('gnutls'):370# we need to override any default system configuration since371# we want to test all protocol versions. Ubuntu (or the GH image)372# disable TSL1.0 and TLS1.1 system wide. We do not want.373our_config = os.path.join(env.gen_dir, 'gnutls_config')374if not os.path.exists(our_config):375with open(our_config, 'w') as fd:376fd.write('# empty\n')377run_env['GNUTLS_SYSTEM_PRIORITY_FILE'] = our_config378curl = CurlClient(env=env, run_env=run_env)379url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'380r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)381382if server_ver in curl_allowed:383assert r.exit_code == 0, f'should succeed, server={server_ver:04x}, curl=[{curl_min_ver:04x}, {curl_max_ver:04x}], allowed={curl_allowed}\n{r.dump_logs()}'384assert r.json['HTTPS'] == 'on', r.dump_logs()385assert r.json['SSL_PROTOCOL'] == server_tls, r.dump_logs()386else:387assert r.exit_code != 0, f'should fail, server={server_ver:04x}, curl=[{curl_min_ver:04x}, {curl_max_ver:04x}]\n{r.dump_logs()}'388389@pytest.mark.skipif(condition=not Env.curl_is_debug(), reason="needs curl debug")390@pytest.mark.skipif(condition=not Env.curl_is_verbose(), reason="needs curl verbose strings")391def test_17_10_h3_session_reuse(self, env: Env, httpd, nghttpx):392if not env.have_h3():393pytest.skip("h3 not supported")394if not env.curl_uses_lib('quictls') and \395not (env.curl_uses_lib('openssl') and env.curl_uses_lib('ngtcp2')) and \396not env.curl_uses_lib('gnutls') and \397not env.curl_uses_lib('wolfssl'):398pytest.skip("QUIC session reuse not implemented")399count = 2400docname = 'data-10k'401url = f'https://localhost:{env.https_port}/{docname}'402client = LocalClient(name='cli_hx_download', env=env)403if not client.exists():404pytest.skip(f'example client not built: {client.name}')405r = client.run(args=[406'-n', f'{count}',407'-f', # forbid reuse of connections408'-r', f'{env.domain1}:{env.port_for("h3")}:127.0.0.1',409'-V', 'h3', url410])411r.check_exit_code(0)412# check that TLS session was reused as expected413reused_session = False414for line in r.trace_lines:415if re.match(r'.*\[1-1] (\* )?SSL reusing session.*', line):416reused_session = True417assert reused_session, f'{r}\n{r.dump_logs()}'418419# use host name server has no certificate for420@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])421def test_17_11_wrong_host(self, env: Env, proto, httpd, nghttpx):422if proto == 'h3' and not env.have_h3():423pytest.skip("h3 not supported")424curl = CurlClient(env=env)425domain = f'insecure.{env.tld}'426url = f'https://{domain}:{env.port_for(proto)}/curltest/sslinfo'427r = curl.http_get(url=url, alpn_proto=proto)428assert r.exit_code == 60, f'{r}'429430# use host name server has no cert for with --insecure431@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])432def test_17_12_insecure(self, env: Env, proto, httpd, nghttpx):433if proto == 'h3' and not env.have_h3():434pytest.skip("h3 not supported")435curl = CurlClient(env=env)436domain = f'insecure.{env.tld}'437url = f'https://{domain}:{env.port_for(proto)}/curltest/sslinfo'438r = curl.http_get(url=url, alpn_proto=proto, extra_args=[439'--insecure'440])441assert r.exit_code == 0, f'{r}'442assert r.json, f'{r}'443444# connect to an expired certificate445@pytest.mark.parametrize("proto", ['http/1.1', 'h2'])446def test_17_14_expired_cert(self, env: Env, proto, httpd):447if proto == 'h3' and not env.have_h3():448pytest.skip("h3 not supported")449curl = CurlClient(env=env)450url = f'https://{env.expired_domain}:{env.port_for(proto)}/'451r = curl.http_get(url=url, alpn_proto=proto)452assert r.exit_code == 60, f'{r}' # peer failed verification453exp_trace = None454match_trace = None455if env.curl_uses_lib('openssl') or env.curl_uses_lib('quictls'):456exp_trace = r'.*SSL certificate OpenSSL verify result: certificate has expired.*$'457elif env.curl_uses_lib('gnutls'):458exp_trace = r'.*SSL certificate verification failed: certificate has expired\..*'459elif env.curl_uses_lib('wolfssl'):460exp_trace = r'.*server verification failed: certificate has expired\.$'461if exp_trace is not None:462for line in r.trace_lines:463if re.match(exp_trace, line):464match_trace = line465break466assert match_trace, f'Did not find "{exp_trace}" in trace\n{r.dump_logs()}'467468@pytest.mark.skipif(condition=not Env.curl_has_feature('SSLS-EXPORT'),469reason='curl lacks SSL session export support')470def test_17_15_session_export(self, env: Env, httpd):471proto = 'http/1.1'472if env.curl_uses_lib('libressl'):473pytest.skip('Libressl resumption does not work inTLSv1.3')474if env.curl_uses_lib('rustls-ffi'):475pytest.skip('rustsls does not expose sessions')476if env.curl_uses_lib('mbedtls') and \477not env.curl_lib_version_at_least('mbedtls', '3.6.0'):478pytest.skip('mbedtls TLSv1.3 session resume not working before 3.6.0')479run_env = os.environ.copy()480run_env['CURL_DEBUG'] = 'ssl,ssls'481# clean session file first, then reuse482session_file = os.path.join(env.gen_dir, 'test_17_15.sessions')483if os.path.exists(session_file):484return os.remove(session_file)485xargs = ['--tls-max', '1.3', '--tlsv1.3', '--ssl-sessions', session_file]486curl = CurlClient(env=env, run_env=run_env)487# tell the server to close the connection after each request488url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'489r = curl.http_get(url=url, alpn_proto=proto, extra_args=xargs)490assert r.exit_code == 0, f'{r}'491assert r.json['HTTPS'] == 'on', f'{r.json}'492assert r.json['SSL_SESSION_RESUMED'] == 'Initial', f'{r.json}\n{r.dump_logs()}'493# ok, run again, sessions should be imported494run_dir2 = os.path.join(env.gen_dir, 'curl2')495curl = CurlClient(env=env, run_env=run_env, run_dir=run_dir2)496r = curl.http_get(url=url, alpn_proto=proto, extra_args=xargs)497assert r.exit_code == 0, f'{r}'498assert r.json['SSL_SESSION_RESUMED'] == 'Resumed', f'{r.json}\n{r.dump_logs()}'499500# verify the ciphers are ignored when talking TLSv1.3 only501# see issue #16232502def test_17_16_h3_ignore_ciphers12(self, env: Env, httpd, nghttpx):503proto = 'h3'504if proto == 'h3' and not env.have_h3():505pytest.skip("h3 not supported")506if env.curl_uses_lib('gnutls'):507pytest.skip("gnutls does not ignore --ciphers on TLSv1.3")508curl = CurlClient(env=env)509url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'510r = curl.http_get(url=url, alpn_proto=proto, extra_args=[511'--ciphers', 'NONSENSE'512])513assert r.exit_code == 0, f'{r}'514515def test_17_17_h1_ignore_ciphers13(self, env: Env, httpd):516proto = 'http/1.1'517curl = CurlClient(env=env)518url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'519r = curl.http_get(url=url, alpn_proto=proto, extra_args=[520'--tls13-ciphers', 'NONSENSE', '--tls-max', '1.2'521])522assert r.exit_code == 0, f'{r}'523524@pytest.mark.parametrize("priority, tls_proto, ciphers, success", [525pytest.param("", "", [], False, id='prio-empty'),526pytest.param("NONSENSE", "", [], False, id='nonsense'),527pytest.param("+NONSENSE", "", [], False, id='+nonsense'),528pytest.param("NORMAL:-VERS-ALL:+VERS-TLS1.2", "TLSv1.2", ['ECDHE-RSA-CHACHA20-POLY1305'], True, id='TLSv1.2-normal-only'),529pytest.param("-VERS-ALL:+VERS-TLS1.2", "TLSv1.2", ['ECDHE-RSA-CHACHA20-POLY1305'], True, id='TLSv1.2-only'),530pytest.param("NORMAL", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-normal'),531pytest.param("NORMAL:-VERS-ALL:+VERS-TLS1.3", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-normal-only'),532pytest.param("-VERS-ALL:+VERS-TLS1.3", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-only'),533pytest.param("!CHACHA20-POLY1305", "TLSv1.3", ['TLS_AES_128_GCM_SHA256'], True, id='TLSv1.3-no-chacha'),534pytest.param("-CIPHER-ALL:+CHACHA20-POLY1305", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-only-chacha'),535pytest.param("-CIPHER-ALL:+AES-256-GCM", "", [], False, id='only-AES256'),536pytest.param("-CIPHER-ALL:+AES-128-GCM", "TLSv1.3", ['TLS_AES_128_GCM_SHA256'], True, id='TLSv1.3-only-AES128'),537pytest.param("SECURE:-CIPHER-ALL:+AES-128-GCM:-VERS-ALL:+VERS-TLS1.2", "TLSv1.2", ['ECDHE-RSA-AES128-GCM-SHA256'], True, id='TLSv1.2-secure'),538pytest.param("-MAC-ALL:+SHA256", "", [], False, id='MAC-only-SHA256'),539pytest.param("-MAC-ALL:+AEAD", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-MAC-only-AEAD'),540pytest.param("-GROUP-ALL:+GROUP-X25519", "TLSv1.3", ['TLS_CHACHA20_POLY1305_SHA256'], True, id='TLSv1.3-group-only-X25519'),541pytest.param("-GROUP-ALL:+GROUP-SECP192R1", "", [], False, id='group-only-SECP192R1'),542])543def test_17_18_gnutls_priority(self, env: Env, httpd, configures_httpd, priority, tls_proto, ciphers, success):544# to test setting cipher suites, the AES 256 ciphers are disabled in the test server545httpd.set_extra_config('base', [546'SSLCipherSuite SSL'547' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'548':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305',549'SSLCipherSuite TLSv1.3'550' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256',551])552httpd.reload_if_config_changed()553proto = 'http/1.1'554curl = CurlClient(env=env)555url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'556# SSL backend specifics557if not env.curl_uses_lib('gnutls'):558pytest.skip('curl not build with GnuTLS')559# test560extra_args = ['--ciphers', f'{priority}']561r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)562if success:563assert r.exit_code == 0, r.dump_logs()564assert r.json['HTTPS'] == 'on', r.dump_logs()565if tls_proto:566assert r.json['SSL_PROTOCOL'] == tls_proto, r.dump_logs()567assert r.json['SSL_CIPHER'] in ciphers, r.dump_logs()568else:569assert r.exit_code != 0, r.dump_logs()570571@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])572def test_17_19_wrong_pin(self, env: Env, proto, httpd):573if proto == 'h3' and not env.have_h3():574pytest.skip("h3 not supported")575if env.curl_uses_lib('rustls-ffi'):576pytest.skip('TLS backend ignores --pinnedpubkey')577curl = CurlClient(env=env)578url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'579r = curl.http_get(url=url, alpn_proto=proto, extra_args=[580'--pinnedpubkey', 'sha256//ffff'581])582# expect NOT_IMPLEMENTED or CURLE_SSL_PINNEDPUBKEYNOTMATCH583assert r.exit_code in [2, 90], f'{r.dump_logs()}'584585@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])586def test_17_20_correct_pin(self, env: Env, proto, httpd):587if proto == 'h3' and not env.have_h3():588pytest.skip("h3 not supported")589curl = CurlClient(env=env)590creds = env.get_credentials(env.domain1)591assert creds592url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'593r = curl.http_get(url=url, alpn_proto=proto, extra_args=[594'--pinnedpubkey', f'sha256//{creds.pub_sha256_b64()}'595])596# expect NOT_IMPLEMENTED or OK597assert r.exit_code in [0, 2], f'{r.dump_logs()}'598599600