tls.tcl 2.8 KB

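  # TLS hardening tests: each case changes one server-side TLS setting with
  # CONFIG SET, opens a fresh client connection, and checks that the handshake
  # is accepted or refused as the setting demands. Every case puts the settings
  # it touched back before it ends, so later cases start from the same state.
  #
  # NOTE(review): the positional arguments 0 1 passed to the redis helper are
  # presumably defer=0 and tls=1, followed by extra options for the tls
  # package; the helper is defined outside this file, so confirm there.
  start_server {tags {"tls"}} {
      if {$::tls} {
          package require tls

          # A plaintext client on the TLS port must fail rather than be served.
          # The script's result (the caught error text) is matched against the
          # pattern that follows the body.
          test {TLS: Not accepting non-TLS connections on a TLS port} {
              set s [redis [srv 0 host] [srv 0 port]]
              catch {$s PING} e
              set e
          } {*I/O error*}

          # Client-certificate enforcement: the channel is upgraded to TLS with
          # no options, so no client certificate is configured on it.
          test {TLS: Verify tls-auth-clients behaves as expected} {
              # As the server is started, a certificate-less client is refused.
              set s [redis [srv 0 host] [srv 0 port]]
              ::tls::import [$s channel]
              catch {$s PING} e
              assert_match {*error*} $e

              # With client authentication switched off the same client works.
              r CONFIG SET tls-auth-clients no

              set s [redis [srv 0 host] [srv 0 port]]
              ::tls::import [$s channel]
              catch {$s PING} e
              assert_match {PONG} $e

              # Re-enable enforcement so the rest of the run is not weakened.
              r CONFIG SET tls-auth-clients yes
          }

          # Protocol pinning: the server only accepts TLSv1.2.
          test {TLS: Verify tls-protocols behaves as expected} {
              r CONFIG SET tls-protocols TLSv1.2

              # Client with TLS 1.2 disabled cannot complete the handshake.
              set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
              catch {$s PING} e
              assert_match {*I/O error*} $e

              # Client with TLS 1.2 enabled connects normally.
              set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
              catch {$s PING} e
              assert_match {PONG} $e

              # Empty value restores the default protocol set.
              r CONFIG SET tls-protocols ""
          }

          # Cipher allow-listing: a suite removed on the server must be refused.
          test {TLS: Verify tls-ciphers behaves as expected} {
              r CONFIG SET tls-protocols TLSv1.2
              r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"

              # Client offering only the excluded suite is rejected.
              set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
              catch {$s PING} e
              assert_match {*I/O error*} $e

              # Client offering a suite that is still allowed is accepted.
              set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
              catch {$s PING} e
              assert_match {PONG} $e

              # Once the exclusion is lifted the first client's suite works too,
              # which shows the earlier failure came from the cipher list.
              r CONFIG SET tls-ciphers "DEFAULT"

              set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
              catch {$s PING} e
              assert_match {PONG} $e

              r CONFIG SET tls-protocols ""
              r CONFIG SET tls-ciphers "DEFAULT"
          }

          # Cipher ordering: server and client list the same two suites in
          # opposite order, so the negotiated suite shows whose order was used.
          test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
              r CONFIG SET tls-protocols TLSv1.2
              r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"

              # Before server preference is enabled, the client's first choice
              # is the one negotiated.
              set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
              catch {$s PING} e
              assert_match {PONG} $e

              assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]

              # With server preference on, the server's first choice wins.
              r CONFIG SET tls-prefer-server-ciphers yes

              set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
              catch {$s PING} e
              assert_match {PONG} $e

              assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]

              # Put back everything this case changed. The preference flag was
              # previously left at yes, which would silently change negotiation
              # for any case added after this one.
              r CONFIG SET tls-prefer-server-ciphers no
              r CONFIG SET tls-protocols ""
              r CONFIG SET tls-ciphers "DEFAULT"
          }
      }
  }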