author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-28 11:57:36 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-28 11:57:36 +0000 |
commit | 34759995af4ca6b8c750b14dc63f9a007acba1db (patch) | |
tree | c1fcaabf2872446e503ebb17503c02b501fba4de /net | |
parent | 3655a6dec098ca14d8d5ccf001a8d801b005e0a5 (diff) | |
Add support to test_server.py to restrict the SSL/TLS bulk encryption algorithms via the command-line argument --ssl-alg.
BUG=58831
TEST=Run test_server.py as an HTTPS server with --ssl-alg=rc4. Connect via openssl s_client -connect 127.0.0.1:1337 -cipher DEFAULT:\!RC4. Observe a connection failure. Connect with openssl s_client -connect 127.0.0.1:1337, observe that a ciphersuite that uses RC4 is negotiated.
Review URL: http://codereview.chromium.org/3812007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@64233 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/socket/ssl_client_socket_unittest.cc | 20 | ||||
-rw-r--r-- | net/test/test_server.cc | 173 | ||||
-rw-r--r-- | net/test/test_server.h | 81 | ||||
-rw-r--r-- | net/test/test_server_posix.cc | 36 | ||||
-rw-r--r-- | net/test/test_server_win.cc | 49 | ||||
-rw-r--r-- | net/tools/testserver/testserver.py | 23 | ||||
-rw-r--r-- | net/url_request/url_request_unittest.cc | 12 |
7 files changed, 268 insertions, 126 deletions
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc index 0e9070a..1cd7210 100644 --- a/net/socket/ssl_client_socket_unittest.cc +++ b/net/socket/ssl_client_socket_unittest.cc @@ -93,8 +93,9 @@ TEST_F(SSLClientSocketTest, Connect) { } TEST_F(SSLClientSocketTest, ConnectExpired) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_EXPIRED_CERTIFICATE, - FilePath()); + net::TestServer::HTTPSOptions https_options( + net::TestServer::HTTPSOptions::CERT_EXPIRED); + net::TestServer test_server(https_options, FilePath()); ASSERT_TRUE(test_server.Start()); net::AddressList addr; @@ -136,8 +137,9 @@ TEST_F(SSLClientSocketTest, ConnectExpired) { } TEST_F(SSLClientSocketTest, ConnectMismatched) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_MISMATCHED_HOSTNAME, - FilePath()); + net::TestServer::HTTPSOptions https_options( + net::TestServer::HTTPSOptions::CERT_MISMATCHED_NAME); + net::TestServer test_server(https_options, FilePath()); ASSERT_TRUE(test_server.Start()); net::AddressList addr; @@ -183,8 +185,9 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) { // return an error code on connect. // Flaky: http://crbug.com/54445 TEST_F(SSLClientSocketTest, FLAKY_ConnectClientAuthCertRequested) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_CLIENT_AUTH, - FilePath()); + net::TestServer::HTTPSOptions https_options; + https_options.request_client_certificate = true; + net::TestServer test_server(https_options, FilePath()); ASSERT_TRUE(test_server.Start()); net::AddressList addr; 
@@ -230,8 +233,9 @@ TEST_F(SSLClientSocketTest, FLAKY_ConnectClientAuthCertRequested) { // // TODO(davidben): Also test providing an actual certificate. TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_CLIENT_AUTH, - FilePath()); + net::TestServer::HTTPSOptions https_options; + https_options.request_client_certificate = true; + net::TestServer test_server(https_options, FilePath()); ASSERT_TRUE(test_server.Start()); net::AddressList addr; diff --git a/net/test/test_server.cc b/net/test/test_server.cc index 0b1cd085..3d44fc6 100644 --- a/net/test/test_server.cc +++ b/net/test/test_server.cc @@ -30,6 +30,8 @@ #include "net/test/python_utils.h" #include "testing/platform_test.h" +namespace net { + namespace { // Number of connection attempts for tests. 
@@ -40,30 +42,43 @@ const int kServerConnectionTimeoutMs = 1000; const char kTestServerShardFlag[] = "test-server-shard"; -int GetPortBase(net::TestServer::Type type) { - switch (type) { - case net::TestServer::TYPE_FTP: - return 3117; - case net::TestServer::TYPE_HTTP: - return 1337; - case net::TestServer::TYPE_HTTPS: +int GetHTTPSPortBase(const TestServer::HTTPSOptions& options) { + if (options.request_client_certificate) + return 9543; + + switch (options.server_certificate) { + case TestServer::HTTPSOptions::CERT_OK: return 9443; - case net::TestServer::TYPE_HTTPS_CLIENT_AUTH: - return 9543; - case net::TestServer::TYPE_HTTPS_EXPIRED_CERTIFICATE: + case TestServer::HTTPSOptions::CERT_MISMATCHED_NAME: + return 9643; + case TestServer::HTTPSOptions::CERT_EXPIRED: // TODO(phajdan.jr): Some tests rely on this hardcoded value. // Some uses of this are actually in .html/.js files. return 9666; - case net::TestServer::TYPE_HTTPS_MISMATCHED_HOSTNAME: - return 9643; default: NOTREACHED(); } return -1; } -int GetPort(net::TestServer::Type type) { - int port = GetPortBase(type); +int GetPortBase(TestServer::Type type, + const TestServer::HTTPSOptions& options) { + switch (type) { + case TestServer::TYPE_FTP: + return 3117; + case TestServer::TYPE_HTTP: + return 1337; + case TestServer::TYPE_HTTPS: + return GetHTTPSPortBase(options); + default: + NOTREACHED(); + } + return -1; +} + +int GetPort(TestServer::Type type, + const TestServer::HTTPSOptions& options) { + int port = GetPortBase(type, options); if (CommandLine::ForCurrentProcess()->HasSwitch(kTestServerShardFlag)) { std::string shard_str(CommandLine::ForCurrentProcess()->GetSwitchValueASCII( kTestServerShardFlag)); 
@@ -78,8 +93,11 @@ int GetPort(net::TestServer::Type type) { return port; } -std::string GetHostname(net::TestServer::Type type) { - if (type == net::TestServer::TYPE_HTTPS_MISMATCHED_HOSTNAME) { +std::string GetHostname(TestServer::Type type, + const TestServer::HTTPSOptions& options) { + if (type == TestServer::TYPE_HTTPS && + options.server_certificate == + TestServer::HTTPSOptions::CERT_MISMATCHED_NAME) { // Return a different hostname string that resolves to the same hostname. return "localhost"; } 
@@ -89,16 +107,59 @@ std::string GetHostname(net::TestServer::Type type) { } // namespace -namespace net { - #if defined(OS_MACOSX) void SetMacTestCertificate(X509Certificate* cert); #endif +TestServer::HTTPSOptions::HTTPSOptions() + : server_certificate(CERT_OK), + request_client_certificate(false), + bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY) {} + +TestServer::HTTPSOptions::HTTPSOptions( + TestServer::HTTPSOptions::ServerCertificate cert) + : server_certificate(cert), + request_client_certificate(false), + bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY) {} + +TestServer::HTTPSOptions::~HTTPSOptions() {} + +FilePath TestServer::HTTPSOptions::GetCertificateFile() const { + switch (server_certificate) { + case CERT_OK: + case CERT_MISMATCHED_NAME: + return FilePath(FILE_PATH_LITERAL("ok_cert.pem")); + case CERT_EXPIRED: + return FilePath(FILE_PATH_LITERAL("expired_cert.pem")); + default: + NOTREACHED(); + } + return FilePath(); +} + TestServer::TestServer(Type type, const FilePath& document_root) - : host_port_pair_(GetHostname(type), GetPort(type)), - process_handle_(base::kNullProcessHandle), - type_(type) { + : type_(type) { + Init(document_root); +} + +TestServer::TestServer(const HTTPSOptions& https_options, + const FilePath& document_root) + : https_options_(https_options), type_(TYPE_HTTPS) { + Init(document_root); +} + +TestServer::~TestServer() { +#if defined(OS_MACOSX) + SetMacTestCertificate(NULL); +#endif + Stop(); +} + +void TestServer::Init(const FilePath& document_root) { + host_port_pair_ = HostPortPair(GetHostname(type_, https_options_), + GetPort(type_, https_options_)); + process_handle_ = base::kNullProcessHandle; + FilePath src_dir; PathService::Get(base::DIR_SOURCE_ROOT, &src_dir); 
@@ -110,15 +171,8 @@ TestServer::TestServer(Type type, const FilePath& document_root) .Append(FILE_PATH_LITERAL("certificates")); } -TestServer::~TestServer() { -#if defined(OS_MACOSX) - SetMacTestCertificate(NULL); -#endif - Stop(); -} - bool TestServer::Start() { - if (GetScheme() == "https") { + if (type_ == TYPE_HTTPS) { if (!LoadTestRootCert()) return false; if (!CheckCATrusted()) @@ -177,9 +231,6 @@ std::string TestServer::GetScheme() const { case TYPE_HTTP: return "http"; case TYPE_HTTPS: - case TYPE_HTTPS_CLIENT_AUTH: - case TYPE_HTTPS_MISMATCHED_HOSTNAME: - case TYPE_HTTPS_EXPIRED_CERTIFICATE: return "https"; default: NOTREACHED(); 
@@ -292,21 +343,51 @@ bool TestServer::LoadTestRootCert() { #endif } -FilePath TestServer::GetCertificatePath() { - switch (type_) { - case TYPE_FTP: - case TYPE_HTTP: - return FilePath(); - case TYPE_HTTPS: - case TYPE_HTTPS_CLIENT_AUTH: - case TYPE_HTTPS_MISMATCHED_HOSTNAME: - return certificates_dir_.AppendASCII("ok_cert.pem"); - case TYPE_HTTPS_EXPIRED_CERTIFICATE: - return certificates_dir_.AppendASCII("expired_cert.pem"); - default: - NOTREACHED(); +bool TestServer::AddCommandLineArguments(CommandLine* command_line) const { + command_line->AppendSwitchASCII("port", + base::IntToString(host_port_pair_.port())); + command_line->AppendSwitchPath("data-dir", document_root_); + + if (type_ == TYPE_FTP) { + command_line->AppendArg("-f"); + } else if (type_ == TYPE_HTTPS) { + FilePath certificate_path(certificates_dir_); + certificate_path = certificate_path.Append( + https_options_.GetCertificateFile()); + if (!file_util::PathExists(certificate_path)) { + LOG(ERROR) << "Certificate path " << certificate_path.value() + << " doesn't exist. Can't launch https server."; + return false; + } + command_line->AppendSwitchPath("https", certificate_path); + + if (https_options_.request_client_certificate) + command_line->AppendSwitch("ssl-client-auth"); + + for (std::vector<FilePath>::const_iterator it = + https_options_.client_authorities.begin(); + it != https_options_.client_authorities.end(); ++it) { + if (!file_util::PathExists(*it)) { + LOG(ERROR) << "Client authority path " << it->value() + << " doesn't exist. 
Can't launch https server."; + return false; + } + + command_line->AppendSwitchPath("ssl-client-ca", *it); + } + + const char kBulkCipherSwitch[] = "ssl-bulk-cipher"; + if (https_options_.bulk_ciphers & HTTPSOptions::BULK_CIPHER_RC4) + command_line->AppendSwitchASCII(kBulkCipherSwitch, "rc4"); + if (https_options_.bulk_ciphers & HTTPSOptions::BULK_CIPHER_AES128) + command_line->AppendSwitchASCII(kBulkCipherSwitch, "aes128"); + if (https_options_.bulk_ciphers & HTTPSOptions::BULK_CIPHER_AES256) + command_line->AppendSwitchASCII(kBulkCipherSwitch, "aes256"); + if (https_options_.bulk_ciphers & HTTPSOptions::BULK_CIPHER_3DES) + command_line->AppendSwitchASCII(kBulkCipherSwitch, "3des"); } - return FilePath(); + + return true; } } // namespace net diff --git a/net/test/test_server.h b/net/test/test_server.h index 4e68fd9..2bada0b 100644 --- a/net/test/test_server.h +++ b/net/test/test_server.h @@ -6,9 +6,10 @@ #define NET_TEST_TEST_SERVER_H_ #pragma once -#include "build/build_config.h" - #include <string> +#include <vector> + +#include "build/build_config.h" #include "base/compiler_specific.h" #include "base/file_path.h" @@ -25,6 +26,7 @@ #include "net/base/x509_certificate.h" #endif +class CommandLine; class GURL; namespace net { 
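Review bot: In TestServer::AddCommandLineArguments, a non-zero `bulk_ciphers` whose set bits fall outside the four BulkCipher flags appends no `ssl-bulk-cipher` switch at all, so the Python server silently runs with every cipher it implements, which is the opposite of the restriction the caller asked for. Rejecting unknown bits before the per-flag checks keeps the option fail-closed: `const int kKnownCiphers = HTTPSOptions::BULK_CIPHER_RC4 | HTTPSOptions::BULK_CIPHER_AES128 | HTTPSOptions::BULK_CIPHER_AES256 | HTTPSOptions::BULK_CIPHER_3DES;` followed by `if (https_options_.bulk_ciphers & ~kKnownCiphers) { LOG(ERROR) << "Unknown bulk cipher bits in HTTPSOptions."; return false; }`. A one-line comment above the four `if` checks, such as `// Each flag becomes one --ssl-bulk-cipher value; BULK_CIPHER_ANY (0) appends nothing and leaves the server's default cipher list in place.`, would also make the zero-means-unrestricted semantics visible at the point where the switch is built rather than only in the header.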
@@ -39,12 +41,70 @@ class TestServer { TYPE_FTP, TYPE_HTTP, TYPE_HTTPS, - TYPE_HTTPS_CLIENT_AUTH, - TYPE_HTTPS_MISMATCHED_HOSTNAME, - TYPE_HTTPS_EXPIRED_CERTIFICATE, + }; + + // Container for various options to control how the HTTPS server is + // initialized. + struct HTTPSOptions { + enum ServerCertificate { + CERT_OK, + CERT_MISMATCHED_NAME, + CERT_EXPIRED, + }; + + // Bitmask of bulk encryption algorithms that the test server supports + // and that can be selectively enabled or disabled. + enum BulkCipher { + // Special value used to indicate that any algorithm the server supports + // is acceptable. Preferred over explicitly OR-ing all ciphers. + BULK_CIPHER_ANY = 0, + + BULK_CIPHER_RC4 = (1 << 0), + BULK_CIPHER_AES128 = (1 << 1), + BULK_CIPHER_AES256 = (1 << 2), + + // NOTE: 3DES support in the Python test server has external + // dependencies and not be available on all machines. Clients may not + // be able to connect if only 3DES is specified. + BULK_CIPHER_3DES = (1 << 3), + }; + + // Initialize a new HTTPSOptions using CERT_OK as the certificate. + HTTPSOptions(); + + // Initialize a new HTTPSOptions that will use the specified certificate. + explicit HTTPSOptions(ServerCertificate cert); + ~HTTPSOptions(); + + // Returns the relative filename of the file that contains the + // |server_certificate|. + FilePath GetCertificateFile() const; + + // The certificate to use when serving requests. + ServerCertificate server_certificate; + + // True if a CertificateRequest should be sent to the client during + // handshaking. + bool request_client_certificate; + + // If |request_client_certificate| is true, an optional list of files, + // each containing a single, PEM-encoded X.509 certificates. The subject + // from each certificate will be added to the certificate_authorities + // field of the CertificateRequest. 
+ std::vector<FilePath> client_authorities; + + // A bitwise-OR of BulkCipher that should be used by the + // HTTPS server, or BULK_CIPHER_ANY to indicate that all implemented + // ciphers are acceptable. + int bulk_ciphers; }; TestServer(Type type, const FilePath& document_root); + + // Initialize a HTTPS TestServer with a specific set of HTTPSOptions. + TestServer(const HTTPSOptions& https_options, + const FilePath& document_root); + ~TestServer(); bool Start() WARN_UNUSED_RESULT; @@ -67,6 +127,8 @@ class TestServer { const std::string& password); private: + void Init(const FilePath& document_root); + // Modify PYTHONPATH to contain libraries we need. bool SetPythonPath() WARN_UNUSED_RESULT; @@ -85,9 +147,9 @@ class TestServer { // Load the test root cert, if it hasn't been loaded yet. bool LoadTestRootCert() WARN_UNUSED_RESULT; - // Returns path to the SSL certificate we should use, or empty path - // if not applicable. - FilePath GetCertificatePath(); + // Add the command line arguments for the Python test server to + // |command_line|. Return true on success. + bool AddCommandLineArguments(CommandLine* command_line) const; // Document root of the test server. FilePath document_root_; @@ -115,6 +177,9 @@ class TestServer { file_util::ScopedFD child_fd_closer_; #endif + // If |type_| is TYPE_HTTPS, the TLS settings to use for the test server. + HTTPSOptions https_options_; + #if defined(USE_NSS) scoped_refptr<X509Certificate> cert_; #endif diff --git a/net/test/test_server_posix.cc b/net/test/test_server_posix.cc index 1456ac8..707eb93 100644 --- a/net/test/test_server_posix.cc +++ b/net/test/test_server_posix.cc @@ -8,6 +8,7 @@ #include <vector> +#include "base/command_line.h" #include "base/file_util.h" #include "base/logging.h" #include "base/process_util.h" 
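Review bot: The comment on `client_authorities` says each file holds a "PEM-encoded X.509 certificates", while the new `--ssl-client-ca` help text in testserver.py in this same commit says the file is DER-encoded; one of the two is wrong and a test author following the wrong one will get a server that fails to start. The server reads these files with `open(...).read()` and `x509.parse(s)`, and tlslite's X509.parse takes PEM as far as I recall, so the help string is probably the one to correct; either way the two should agree. Two small wording fixes in the same struct: `// each containing a single PEM-encoded X.509 certificate.` and, on BULK_CIPHER_3DES, `// dependencies and may not be available on all machines.` (the hunk reads "and not be available"). It would also help to say on `bulk_ciphers` that bits other than the four BulkCipher flags are not meaningful, since the field is a plain `int`.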
@@ -55,28 +56,12 @@ class OrphanedTestServerFilter : public base::ProcessFilter { } // namespace namespace net { -bool TestServer::LaunchPython(const FilePath& testserver_path) { - std::vector<std::string> command_line; - command_line.push_back("python"); - command_line.push_back(testserver_path.value()); - command_line.push_back("--port=" + base::IntToString(host_port_pair_.port())); - command_line.push_back("--data-dir=" + document_root_.value()); - - if (type_ == TYPE_FTP) - command_line.push_back("-f"); - - FilePath certificate_path(GetCertificatePath()); - if (!certificate_path.value().empty()) { - if (!file_util::PathExists(certificate_path)) { - LOG(ERROR) << "Certificate path " << certificate_path.value() - << " doesn't exist. Can't launch https server."; - return false; - } - command_line.push_back("--https=" + certificate_path.value()); - } - if (type_ == TYPE_HTTPS_CLIENT_AUTH) - command_line.push_back("--ssl-client-auth"); +bool TestServer::LaunchPython(const FilePath& testserver_path) { + CommandLine python_command(FilePath(FILE_PATH_LITERAL("python"))); + python_command.AppendArgPath(testserver_path); + if (!AddCommandLineArguments(&python_command)) + return false; int pipefd[2]; if (pipe(pipefd) != 0) { @@ -91,7 +76,8 @@ bool TestServer::LaunchPython(const FilePath& testserver_path) { base::file_handle_mapping_vector map_write_fd; map_write_fd.push_back(std::make_pair(pipefd[1], pipefd[1])); - command_line.push_back("--startup-pipe=" + base::IntToString(pipefd[1])); + python_command.AppendSwitchASCII("startup-pipe", + base::IntToString(pipefd[1])); // Try to kill any orphaned testserver processes that may be running. OrphanedTestServerFilter filter(testserver_path.value(), 
@@ -101,8 +87,10 @@ bool TestServer::LaunchPython(const FilePath& testserver_path) { } // Launch a new testserver process. - if (!base::LaunchApp(command_line, map_write_fd, false, &process_handle_)) { - LOG(ERROR) << "Failed to launch " << command_line[0] << " ..."; + if (!base::LaunchApp(python_command.argv(), map_write_fd, false, + &process_handle_)) { + LOG(ERROR) << "Failed to launch " << python_command.command_line_string() + << " ..."; return false; } diff --git a/net/test/test_server_win.cc b/net/test/test_server_win.cc index a8b3678..eadee56 100644 --- a/net/test/test_server_win.cc +++ b/net/test/test_server_win.cc @@ -8,6 +8,7 @@ #include <wincrypt.h> #include "base/base_paths.h" +#include "base/command_line.h" #include "base/file_util.h" #include "base/path_service.h" #include "base/string_number_conversions.h" @@ -18,7 +19,7 @@ namespace { -bool LaunchTestServerAsJob(const std::wstring& cmdline, +bool LaunchTestServerAsJob(const CommandLine& cmdline, bool start_hidden, base::ProcessHandle* process_handle, ScopedHandle* job_handle) { @@ -32,10 +33,10 @@ bool LaunchTestServerAsJob(const std::wstring& cmdline, // If this code is run under a debugger, the test server process is // automatically associated with a job object created by the debugger. // The CREATE_BREAKAWAY_FROM_JOB flag is used to prevent this. - if (!CreateProcess(NULL, - const_cast<wchar_t*>(cmdline.c_str()), NULL, NULL, - TRUE, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, - &startup_info, &process_info)) { + if (!CreateProcess( + NULL, const_cast<wchar_t*>(cmdline.command_line_string().c_str()), + NULL, NULL, TRUE, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, + &startup_info, &process_info)) { LOG(ERROR) << "Could not create process."; return false; } @@ -74,6 +75,7 @@ bool LaunchTestServerAsJob(const std::wstring& cmdline, } // namespace namespace net { + bool TestServer::LaunchPython(const FilePath& testserver_path) { FilePath python_exe; if (!PathService::Get(base::DIR_SOURCE_ROOT, &python_exe)) 
@@ -83,29 +85,10 @@ bool TestServer::LaunchPython(const FilePath& testserver_path) { .Append(FILE_PATH_LITERAL("python_24")) .Append(FILE_PATH_LITERAL("python.exe")); - std::wstring command_line = - L"\"" + python_exe.value() + L"\" " + - L"\"" + testserver_path.value() + - L"\" --port=" + ASCIIToWide(base::IntToString(host_port_pair_.port())) + - L" --data-dir=\"" + document_root_.value() + L"\""; - - if (type_ == TYPE_FTP) - command_line.append(L" -f"); - - FilePath certificate_path(GetCertificatePath()); - if (!certificate_path.value().empty()) { - if (!file_util::PathExists(certificate_path)) { - LOG(ERROR) << "Certificate path " << certificate_path.value() - << " doesn't exist. Can't launch https server."; - return false; - } - command_line.append(L" --https=\""); - command_line.append(certificate_path.value()); - command_line.append(L"\""); - } - - if (type_ == TYPE_HTTPS_CLIENT_AUTH) - command_line.append(L" --ssl-client-auth"); + CommandLine python_command(python_exe); + python_command.AppendArgPath(testserver_path); + if (!AddCommandLineArguments(&python_command)) + return false; HANDLE child_read = NULL; HANDLE child_write = NULL; @@ -133,15 +116,15 @@ bool TestServer::LaunchPython(const FilePath& testserver_path) { // safe to truncate the handle (when passing it from 64-bit to // 32-bit) or sign-extend the handle (when passing it from 32-bit to // 64-bit)." - command_line.append( - L" --startup-pipe=" + - ASCIIToWide(base::IntToString(reinterpret_cast<uintptr_t>(child_write)))); + python_command.AppendSwitchASCII( + "startup-pipe", + base::IntToString(reinterpret_cast<uintptr_t>(child_write))); - if (!LaunchTestServerAsJob(command_line, + if (!LaunchTestServerAsJob(python_command, true, &process_handle_, &job_handle_)) { - LOG(ERROR) << "Failed to launch " << command_line; + LOG(ERROR) << "Failed to launch " << python_command.command_line_string(); return false; } 
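Review bot: In LaunchTestServerAsJob the `const_cast<wchar_t*>(cmdline.command_line_string().c_str())` now hands CreateProcessW a pointer into the CommandLine object's own buffer, and CreateProcessW is documented as being allowed to modify the string it is given. The previous code had the same cast but the CommandLine is now also logged via `python_command.command_line_string()` on failure, so a mutated buffer could produce a misleading error message; copying first avoids the question entirely: `std::wstring writable_cmdline(cmdline.command_line_string());` and then `const_cast<wchar_t*>(writable_cmdline.c_str())` as the second argument. The body of LaunchTestServerAsJob starts before this hunk.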
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py index c3fe86b..c54d425 100644 --- a/net/tools/testserver/testserver.py +++ b/net/tools/testserver/testserver.py @@ -64,7 +64,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer): """This is a specialization of StoppableHTTPerver that add https support.""" def __init__(self, server_address, request_hander_class, cert_path, - ssl_client_auth, ssl_client_cas): + ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers): s = open(cert_path).read() x509 = tlslite.api.X509() x509.parse(s) @@ -78,6 +78,9 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer): x509 = tlslite.api.X509() x509.parse(s) self.ssl_client_cas.append(x509.subject) + self.ssl_handshake_settings = tlslite.api.HandshakeSettings() + if ssl_bulk_ciphers is not None: + self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers self.session_cache = tlslite.api.SessionCache() StoppableHTTPServer.__init__(self, server_address, request_hander_class) @@ -89,6 +92,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer): privateKey=self.private_key, sessionCache=self.session_cache, reqCert=self.ssl_client_auth, + settings=self.ssl_handshake_settings, reqCAs=self.ssl_client_cas) tlsConnection.ignoreAbruptClose = True return True @@ -1169,7 +1173,8 @@ def main(options, args): ' exiting...' return server = HTTPSServer(('127.0.0.1', port), TestPageHandler, options.cert, - options.ssl_client_auth, options.ssl_client_ca) + options.ssl_client_auth, options.ssl_client_ca, + options.ssl_bulk_cipher) print 'HTTPS server started on port %d...' % port else: server = StoppableHTTPServer(('127.0.0.1', port), TestPageHandler) 
@@ -1240,8 +1245,18 @@ if __name__ == '__main__': help='Require SSL client auth on every connection.') option_parser.add_option('', '--ssl-client-ca', action='append', default=[], help='Specify that the client certificate request ' - 'should indicate that it supports the CA contained ' - 'in the specified certificate file') + 'should include the CA named in the subject of ' + 'the DER-encoded certificate contained in the ' + 'specified file. This option may appear multiple ' + 'times, indicating multiple CA names should be ' + 'sent in the request.') + option_parser.add_option('', '--ssl-bulk-cipher', action='append', + help='Specify the bulk encryption algorithm(s)' + 'that will be accepted by the SSL server. Valid ' + 'values are "aes256", "aes128", "3des", "rc4". If ' + 'omitted, all algorithms will be used. This ' + 'option may appear multiple times, indicating ' + 'multiple algorithms should be enabled.'); option_parser.add_option('', '--file-root-url', default='/files/', help='Specify a root URL for files served.') option_parser.add_option('', '--startup-pipe', type='int', diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index 3c5d05f..1cb0aa6 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc @@ -310,7 +310,9 @@ TEST_F(HTTPSRequestTest, HTTPSGetTest) { } TEST_F(HTTPSRequestTest, HTTPSMismatchedTest) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_MISMATCHED_HOSTNAME, + net::TestServer::HTTPSOptions https_options( + net::TestServer::HTTPSOptions::CERT_MISMATCHED_NAME); + net::TestServer test_server(https_options, FilePath(FILE_PATH_LITERAL("net/data/ssl"))); ASSERT_TRUE(test_server.Start()); 
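Review bot: The help string for `--ssl-bulk-cipher` is missing a space between `'Specify the bulk encryption algorithm(s)'` and `'that will be accepted'`, so the rendered help reads "algorithm(s)that", and the statement ends with a stray `;`. The valid names are only documented, not enforced, so a mistyped value is passed straight into `HandshakeSettings.cipherNames` and, if I recall tlslite's behaviour correctly, only surfaces when every handshake fails rather than at startup; optparse can enforce the set in the option itself: `option_parser.add_option('', '--ssl-bulk-cipher', action='append', type='choice', choices=['aes256', 'aes128', '3des', 'rc4'], help=...)`. The commit message refers to the flag as `--ssl-alg`, while the option actually added here is `--ssl-bulk-cipher`; the TEST line should name the real flag so the manual check it describes can be reproduced.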
@@ -340,7 +342,9 @@ TEST_F(HTTPSRequestTest, HTTPSMismatchedTest) { } TEST_F(HTTPSRequestTest, HTTPSExpiredTest) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_EXPIRED_CERTIFICATE, + net::TestServer::HTTPSOptions https_options( + net::TestServer::HTTPSOptions::CERT_EXPIRED); + net::TestServer test_server(https_options, FilePath(FILE_PATH_LITERAL("net/data/ssl"))); ASSERT_TRUE(test_server.Start()); @@ -398,7 +402,9 @@ class SSLClientAuthTestDelegate : public TestDelegate { // - Getting a certificate request in an SSL renegotiation sending the // HTTP request. TEST_F(HTTPSRequestTest, ClientAuthTest) { - net::TestServer test_server(net::TestServer::TYPE_HTTPS_CLIENT_AUTH, + net::TestServer::HTTPSOptions https_options; + https_options.request_client_certificate = true; + net::TestServer test_server(https_options, FilePath(FILE_PATH_LITERAL("net/data/ssl"))); ASSERT_TRUE(test_server.Start()); |