首页 发现 帮助
登录
mirrors
/
nginx-proxy
镜像自地址 https://github.com/nginx-proxy/nginx-proxy.git
2
0
派生 0
文件
浏览代码

tests: Verify correct DH group size when negotiating

Additionally allows for adding extra openssl params when needed.
polarathene 3 年之前
父节点
75528bdfcb
当前提交
0f15130476
共有 1 个文件被更改,包括 12 次插入7 次删除
分列视图 显示文件统计
  1. 12 7
      test/test_ssl/test_dhparam.py

+ 12 - 7
test/test_ssl/test_dhparam.py
查看文件 

@@ -80,12 +80,17 @@ def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
 
         raise Exception("Failed to process CLI request:\n" + e.stderr) from None
 
 
 
-def can_negotiate_dhe_ciphersuite(sut_container):
 
-    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
 
+# The default `dh_bits` can vary due to configuration.
 
+# `additional_params` allows for adjusting the request to a specific `VIRTUAL_HOST`,
 
+# where DH size can differ from the configured global default DH size.
 
+def can_negotiate_dhe_ciphersuite(sut_container, dh_bits=4096, additional_params=''):
 
+    openssl_params = f"-cipher 'EDH' {additional_params}"
 
+
 
+    r = negotiate_cipher(sut_container, openssl_params)
 
     assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
 
 
-    r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key")
 
-    assert "DH" in r2
 
+    r2 = negotiate_cipher(sut_container, openssl_params, "Server Temp Key")
 
+    assert f"Server Temp Key: DH, {dh_bits} bits" in r2
 
 
 
 def cannot_negotiate_dhe_ciphersuite(sut_container):
 
@@ -139,7 +144,7 @@ def test_default_dhparam_is_ffdhe4096(docker_compose):
 
         "/etc/nginx/dhparam/dhparam.pem"
 
     )
 
 
-    can_negotiate_dhe_ciphersuite(sut_container)
 
+    can_negotiate_dhe_ciphersuite(sut_container, 4096)
 
 
 
 # Overrides default DH group via ENV `DHPARAM_BITS=3072`:
 
@@ -157,7 +162,7 @@ def test_can_change_dhparam_group(docker_compose):
 
         "/etc/nginx/dhparam/dhparam.pem"
 
     )
 
 
-    can_negotiate_dhe_ciphersuite(sut_container)
 
+    can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
 
 def test_fail_if_dhparam_group_not_supported(docker_compose):
 
@@ -192,7 +197,7 @@ def test_custom_dhparam_is_supported(docker_compose):
 
         "/etc/nginx/dhparam/dhparam.pem"
 
     )
 
 
-    can_negotiate_dhe_ciphersuite(sut_container)
 
+    can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
 
 def test_can_skip_dhparam(docker_compose):