From b729a4e83c39b31628fe6213d69d041cbf74e854 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Mon, 17 Sep 2018 12:25:09 +0200 Subject: [PATCH] Remove brittle TestServerTLSCiphers unit test (#5982) The test TestServerTLSCiphers seems to fail sometimes for no obvious reason. Actually the test is not needed (as unit test) since minio/mint tests the server's TLS ciphers as part of its security tests. Fixes #5977 --- cmd/http/server_test.go | 77 ----------------------------------------- 1 file changed, 77 deletions(-) diff --git a/cmd/http/server_test.go b/cmd/http/server_test.go index 247930d3c..776982ae0 100644 --- a/cmd/http/server_test.go +++ b/cmd/http/server_test.go @@ -17,12 +17,10 @@ package http import ( - "crypto/tls" "fmt" "net/http" "reflect" "testing" - "time" "github.com/minio/minio/pkg/certs" ) @@ -96,78 +94,3 @@ func TestNewServer(t *testing.T) { } } } - -func TestServerTLSCiphers(t *testing.T) { - var unsupportedCipherSuites = []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // No countermeasures against timing attacks - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // Broken cipher - tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // Sweet32 - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // No countermeasures against timing attacks - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, // Broken cipher - - // all RSA-PKCS1-v1.5 ciphers are disabled - danger of Bleichenbacher attack variants - tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // Sweet32 - tls.TLS_RSA_WITH_AES_128_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // No countermeasures against timing attacks - tls.TLS_RSA_WITH_AES_256_CBC_SHA, // Go stack contains (some) countermeasures against timing attacks (Lucky13) - tls.TLS_RSA_WITH_RC4_128_SHA, // Broken cipher - - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // Disabled because of RSA-PKCS1-v1.5 - AES-GCM is considered secure. - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // Disabled because of RSA-PKCS1-v1.5 - AES-GCM is considered secure. - } - - testCases := []struct { - ciphers []uint16 - resetServerCiphers bool - expectErr bool - }{ - {nil, false, false}, - {defaultCipherSuites, false, false}, - {unsupportedCipherSuites, false, true}, - {nil, true, false}, - } - - for i, testCase := range testCases { - func() { - addr := "127.0.0.1:" + getNextPort() - - server := NewServer([]string{addr}, - http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintf(w, "Hello, world") - }), getCert) - if testCase.resetServerCiphers { - // Use Go default ciphers. - server.TLSConfig.CipherSuites = nil - } - - go func() { - server.Start() - }() - defer server.Shutdown() - - client := http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, - CipherSuites: testCase.ciphers, - }, - }, - } - - // There is no guaranteed way to know whether the HTTP server is started successfully. - // The only option is to connect and check. Hence below sleep is used as workaround. - time.Sleep(1 * time.Second) - - _, err := client.Get("https://" + addr) - expectErr := (err != nil) - - if expectErr != testCase.expectErr { - t.Fatalf("test %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr) - } - }() - } -}