[DPP-622] Add conformance tests that verify TLSv1.0 and TLSv1 are disabled. #10983

Merged (4 commits), Sep 27, 2021
TLS min 1.2
pbatko-da committed Sep 22, 2021
commit 121a14b0c2fcecb6500c7e23870662d997ad6e62
2 changes: 1 addition & 1 deletion ledger/ledger-api-test-tool/BUILD.bazel
Expand Up @@ -284,7 +284,7 @@ conformance_test(
"--cacrt $$(rlocation $$TEST_WORKSPACE/$(rootpath //ledger/test-common/test-certificates:ca.crt))",
"--pem $$(rlocation $$TEST_WORKSPACE/$(rootpath //ledger/test-common/test-certificates:server.pem.enc))",
"--tls-secrets-url https://raw.githubusercontent.com/digital-asset/daml/main/ledger/test-common/files/server-pem-decryption-parameters.json",
"--min-tls-version 1.1",
"--min-tls-version 1.2",
Contributor Author

Once the Netty upgrade PR is merged, this test shall pass without `--min-tls-version 1.2`.

Alternatively, we can code defensively and filter out protocols lower than TLS 1.1 before they are passed to initialize the server's SSL context, and/or add an assertion to fail fast when the server's SSL context has been started with TLS 1.1 or lower enabled.
I haven't added such an assertion because I saw value in starting a server with, e.g., TLS 1.1 enabled and seeing that it can connect with a client on TLS 1.1, and subsequently seeing that a server on TLS 1.2 fails with the same client.
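The defensive filter and fail-fast assertion sketched in the comment above, as an added Scala example that is not daml project code: `TlsProtocolPolicy`, its method names and the use of the JDK default `SSLContext` are assumptions for illustration, and the minimum-version argument mirrors the `--min-tls-version` flag in the hunk.

```scala
// Added example (not daml project code): drop legacy TLS protocols before they
// reach the server's SSL context, then fail fast if any survived initialisation.
import javax.net.ssl.{SSLContext, SSLEngine}

object TlsProtocolPolicy {
  // JSSE protocol names mapped to a comparable version number.
  private val KnownVersions: Map[String, Int] =
    Map("TLSv1" -> 10, "TLSv1.1" -> 11, "TLSv1.2" -> 12, "TLSv1.3" -> 13)

  // Parse the short form used on the command line ("1.2" -> 12);
  // unknown values are rejected instead of silently lowering the floor.
  def parseMinVersion(arg: String): Int = arg match {
    case "1" | "1.0" => 10
    case "1.1"       => 11
    case "1.2"       => 12
    case "1.3"       => 13
    case other =>
      throw new IllegalArgumentException(s"unsupported --min-tls-version: $other")
  }

  // Keep only protocols at or above the minimum; SSLv3, SSLv2Hello and any
  // name not in KnownVersions are dropped.
  def filterProtocols(enabled: Seq[String], minVersion: Int): Seq[String] =
    enabled.filter(p => KnownVersions.get(p).exists(_ >= minVersion))

  // Fail fast: an engine that still offers a legacy protocol is a bug,
  // regardless of what the caller believed it configured.
  def assertNoLegacyTls(engine: SSLEngine, minVersion: Int): Unit = {
    val legacy = engine.getEnabledProtocols.toSeq
      .filterNot(p => KnownVersions.get(p).exists(_ >= minVersion))
    require(legacy.isEmpty,
      s"server SSL engine still enables legacy protocols: ${legacy.mkString(", ")}")
  }

  def main(args: Array[String]): Unit = {
    val minVersion = parseMinVersion(args.headOption.getOrElse("1.2"))
    // Assumption: the JDK default context stands in for the server's context.
    val engine = SSLContext.getDefault().createSSLEngine()
    val hardened = filterProtocols(engine.getSupportedProtocols.toSeq, minVersion)
    engine.setEnabledProtocols(hardened.toArray)
    assertNoLegacyTls(engine, minVersion)
    println(s"enabled protocols: ${hardened.mkString(", ")}")
  }
}
```

Running it with `1.1` as the argument keeps TLSv1.1 enabled, which is the case the comment wants to be able to exercise; with `1.2` (the value in the hunk) the assertion guarantees TLSv1.0 and TLSv1.1 are gone.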

],
test_tool_args = [
"--verbose",
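Review bot: The change from `--min-tls-version 1.1` to `--min-tls-version 1.2` records no rationale in BUILD.bazel, so a reader cannot tell whether 1.2 is the intended policy for this conformance test or a workaround for the server still accepting TLS 1.1 until the Netty upgrade discussed above lands. Suggest a comment on that argument line, e.g. `# TLS 1.0/1.1 must stay disabled; see DPP-622`, and, since the PR title promises a check that TLSv1.0 and TLSv1.1 are disabled, a companion test that asserts a TLS 1.1 client is rejected rather than only that a TLS 1.2 client succeeds.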