Test that client cipher preferences are enforced.
Change-Id: I6e760cfd785c0c5688da6f7d3d3092a8add40409
Reviewed-on: https://boringssl-review.googlesource.com/4070
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 5cad289..a9c5083 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -671,6 +671,10 @@
// NoSignatureAlgorithmsOnRenego, if true, causes renegotiations to omit
// the signature_algorithms extension.
NoSignatureAlgorithmsOnRenego bool
+
+ // IgnorePeerCipherPreferences, if true, causes the peer's cipher
+ // preferences to be ignored.
+ IgnorePeerCipherPreferences bool
}
func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 3caf81b..00ee44b 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -340,6 +340,9 @@
return false, errors.New("tls: fallback SCSV found when not expected")
}
+ if config.Bugs.IgnorePeerCipherPreferences {
+ hs.clientHello.cipherSuites = c.config.cipherSuites()
+ }
var preferenceList, supportedList []uint16
if c.config.PreferServerCipherSuites {
preferenceList = c.config.cipherSuites()
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index c936214..d72ac43 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -892,6 +892,18 @@
},
},
},
+ {
+ name: "UnsupportedCipherSuite",
+ config: Config{
+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ Bugs: ProtocolBugs{
+ IgnorePeerCipherPreferences: true,
+ },
+ },
+ flags: []string{"-cipher", "DEFAULT:!RC4"},
+ shouldFail: true,
+ expectedError: ":WRONG_CIPHER_RETURNED:",
+ },
}
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {