From d5b46b100fae5bc3d84f342f0b9569597b328711 Mon Sep 17 00:00:00 2001
From: Amin Jamali
Date: Mon, 9 Aug 2021 16:05:40 +0000
Subject: [PATCH] Run tests with a newer version of Go
This is setting a max version for TLS 1.2 since TLS 1.3 ciphers is not configurable (https://github.com/golang/go/issues/29349)
---
 db/mysql_connection_string_builder_test.go | 13 ++++---------
 mutualtls/mutualtls.go | 1 +
 mutualtls/mutualtls_test.go | 1 +
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/db/mysql_connection_string_builder_test.go b/db/mysql_connection_string_builder_test.go
index 3400683a..6c3abba8 100644
--- a/db/mysql_connection_string_builder_test.go
+++ b/db/mysql_connection_string_builder_test.go
@@ -1,7 +1,6 @@
 package db_test
 import (
- "crypto/tls"
 "crypto/x509"
 "encoding/pem"
 "errors"
@@ -15,8 +14,7 @@ import (
 )
 const (
-
- DATABASE_CLIENT_CERT = `-----BEGIN CERTIFICATE-----
+ DATABASE_CLIENT_CERT = `-----BEGIN CERTIFICATE-----
 MIIEOTCCAiECFFQB88eMvRFzig5vh+MJyi0LpnODMA0GCSqGSIb3DQEBCwUAMFcx
 CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
 cm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMMB215c3FsQ0EwHhcNMjAwNzIx
@@ -42,7 +40,6 @@ Gim3GXnxjUDAUZOd88665Y2iirAmG1TcMDek0lBu7/ysuxjBK+Ef3BQ0YONQvzmn
 mSvPMfv+Qs4rTUvQi9ISXSWS9WDxye35Y/H5Zas=
 -----END CERTIFICATE-----`
-
 DATABASE_CLIENT_KEY = `-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEAoCDk9QQsut5x0te6zRc9UmJ5lT4qMk26SrQ+hGUyVYj4dP4h
 tzsgwqoPRdDGNeunU+lDCdGWe0IpbnU5Lh2kEQaNF4E0+vNKF+AvUBw5Bcm1+FDX
@@ -169,10 +166,8 @@ var _ = Describe("MySQLConnectionStringBuilder", func() {
 Expect(mySQLAdapter.RegisterTLSConfigCallCount()).To(Equal(1))
 passedTLSConfigName, passedTLSConfig := mySQLAdapter.RegisterTLSConfigArgsForCall(0)
 Expect(passedTLSConfigName).To(Equal("some-database-tls"))
- Expect(passedTLSConfig).To(Equal(&tls.Config{
- InsecureSkipVerify: false,
- RootCAs: caCertPool,
- }))
+ Expect(passedTLSConfig.InsecureSkipVerify).To(Equal(false))
+ Expect(passedTLSConfig.RootCAs.Subjects()).To(Equal(caCertPool.Subjects()))
 })
 Context("when SkipHostnameValidation is true", func() {
@@ -189,7 +184,7 @@ var _ = Describe("MySQLConnectionStringBuilder", func() {
 passedTLSConfigName, passedTLSConfig := mySQLAdapter.RegisterTLSConfigArgsForCall(0)
 Expect(passedTLSConfigName).To(Equal("some-database-tls"))
 Expect(passedTLSConfig.InsecureSkipVerify).To(BeTrue())
- Expect(passedTLSConfig.RootCAs).To(Equal(caCertPool))
+ Expect(passedTLSConfig.RootCAs.Subjects()).To(Equal(caCertPool.Subjects()))
 Expect(passedTLSConfig.Certificates).To(BeNil())
 // impossible to assert VerifyPeerCertificate is set to a specfic function
 Expect(passedTLSConfig.VerifyPeerCertificate).NotTo(BeNil())
diff --git a/mutualtls/mutualtls.go b/mutualtls/mutualtls.go
index 9c9dad3a..9f61e609 100644
--- a/mutualtls/mutualtls.go
+++ b/mutualtls/mutualtls.go
@@ -43,6 +43,7 @@ func newTLSConfig(certFile, keyFile string) (*tls.Config, error) {
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{keyPair},
 MinVersion: tls.VersionTLS12,
+ MaxVersion: tls.VersionTLS12,
 }
 return tlsConfig, nil
 }
diff --git a/mutualtls/mutualtls_test.go b/mutualtls/mutualtls_test.go
index 1efdd0af..15f69e4f 100644
--- a/mutualtls/mutualtls_test.go
+++ b/mutualtls/mutualtls_test.go
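Review bot: Comparing `RootCAs.Subjects()` with `caCertPool.Subjects()` on the added line only establishes that both pools hold certificates with the same subject names, so a pool populated from a different certificate with an identical subject would still satisfy the test; the second hunk of this file makes the same substitution. The removed `Equal(&tls.Config{...})` also pinned every other field of the registered config to its zero value, and the replacement checks only InsecureSkipVerify and RootCAs, so an unexpected Certificates entry or a non-nil VerifyPeerCertificate in this non-skip path would now pass unnoticed (the second hunk keeps those assertions, this one does not). If the Go version these tests now run on is 1.19 or later, `Expect(passedTLSConfig.RootCAs.Equal(caCertPool)).To(BeTrue())` compares the actual certificates and avoids `Subjects()`, which is deprecated since Go 1.18; otherwise, at minimum add `Expect(passedTLSConfig.Certificates).To(BeNil())` and `Expect(passedTLSConfig.VerifyPeerCertificate).To(BeNil())` here to keep the coverage the old assertion provided. The enclosing It block begins above the hunk.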
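Review bot: `MaxVersion: tls.VersionTLS12` in newTLSConfig caps every connection built from this production config at TLS 1.2, while the commit message gives only a test-side reason for it (TLS 1.3 cipher suites are not configurable, golang/go#29349), so the cost of the workaround is paid by all callers of mutualtls rather than by the test. It may be enough to leave MaxVersion unset here and pin the version in the test's client tls.Config instead, so the cipher-suite test runs under TLS 1.2 while the package keeps negotiating TLS 1.3. If the cap has to stay in non-test code, record the reason inline so it is not read later as a deliberate hardening choice and can be lifted once the tests no longer depend on it: `MaxVersion: tls.VersionTLS12, // TODO: cap needed only while tests rely on configurable cipher suites (golang/go#29349)`. newTLSConfig's signature and the keyPair it uses are above the hunk.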
@@ -176,6 +176,7 @@ var _ = Describe("TLS config for internal API server", func() {
 It("refuses the connection from the client", func() {
 _, err := makeRequest(serverListenAddr, clientTLSConfig)
+ Expect(err).To(MatchError(ContainSubstring("remote error")))
 })
 })