Add Server.PermitProhibitedCipherSuites option; update curl tests.
Update tatsuhiro-t/nghttp2#140
diff --git a/server.go b/server.go
index d47ae96..9b9c949 100644
--- a/server.go
+++ b/server.go
@@ -108,6 +108,10 @@
// 16k and 16M, inclusive. If zero or otherwise invalid, a
// default value is used.
MaxReadFrameSize uint32
+
+ // PermitProhibitedCipherSuites, if true, permits the use of
+ // cipher suites prohibited by the HTTP/2 spec.
+ PermitProhibitedCipherSuites bool
}
func (s *Server) maxReadFrameSize() uint32 {
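Review bot: The doc comment on PermitProhibitedCipherSuites does not state the default behavior or the cost of enabling it, so a reader of the exported field cannot tell that true switches off the RFC 7540 section 9.2.2 enforcement that the server applies elsewhere. I would extend the comment, hedging on the exact error path since the rejecting branch is in a different function: `// When false (the default), a connection that negotiates such a suite is treated as a connection error (INADEQUATE_SECURITY, if the server's check below is the one that fires).` followed by `// Set this only as a workaround for clients that cannot negotiate a compliant suite; it weakens the transport-security guarantees HTTP/2 assumes.` Naming the RFC section in the comment would also let readers find the prohibited-suite list (RFC 7540 Appendix A) without reading isBadCipher.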
@@ -246,7 +250,7 @@
// So for now, do nothing here again.
}
- if isBadCipher(sc.tlsState.CipherSuite) {
+ if !srv.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) {
// "Endpoints MAY choose to generate a connection error
// (Section 5.4.1) of type INADEQUATE_SECURITY if one of
// the prohibited cipher suites are negotiated."
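Review bot: With the new guard, a connection that negotiated a prohibited suite while PermitProhibitedCipherSuites is true proceeds with no trace at all, so an operator who enabled the option as a temporary workaround cannot later see whether it is still needed or which peers rely on it. I would keep the check result visible even when it is not enforced, for example `if isBadCipher(sc.tlsState.CipherSuite) && srv.PermitProhibitedCipherSuites {` followed by a verbose-level log of the suite id, using whatever per-connection logging hook this server already has (I cannot see one in the hunk). The enclosing function starts and ends outside the hunk, so I cannot confirm whether sc.tlsState can be nil at this point; if it can, the original check had the same exposure and the new condition does not change it.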
diff --git a/server_test.go b/server_test.go
index 17f1be9..503f93c 100644
--- a/server_test.go
+++ b/server_test.go
@@ -2103,17 +2103,26 @@
}
}
-func TestServerWithCurl(t *testing.T) {
- if runtime.GOOS == "darwin" {
- t.Skip("skipping Docker test on Darwin; requires --net which won't work with boot2docker anyway")
+// TestServerWithCurl currently fails, hence the LenientCipherSuites test. See:
+// https://github.com/tatsuhiro-t/nghttp2/issues/140 &
+// http://sourceforge.net/p/curl/bugs/1472/
+func TestServerWithCurl(t *testing.T) { testServerWithCurl(t, false) }
+func TestServerWithCurl_LenientCipherSuites(t *testing.T) { testServerWithCurl(t, true) }
+
+func testServerWithCurl(t *testing.T, permitProhibitedCipherSuites bool) {
+ if runtime.GOOS != "linux" {
+ t.Skip("skipping Docker test when not on Linux; requires --net which won't work with boot2docker anyway")
}
requireCurl(t)
const msg = "Hello from curl!\n"
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Foo", "Bar")
+ w.Header().Set("Client-Proto", r.Proto)
io.WriteString(w, msg)
}))
- ConfigureServer(ts.Config, &Server{})
+ ConfigureServer(ts.Config, &Server{
+ PermitProhibitedCipherSuites: permitProhibitedCipherSuites,
+ })
ts.TLS = ts.Config.TLSConfig // the httptest.Server has its own copy of this TLS config
ts.StartTLS()
defer ts.Close()
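Review bot: Both variants of the curl test expect the request to succeed, so neither one verifies the enforcement side of the new option: nothing here pins that a prohibited suite is actually rejected when PermitProhibitedCipherSuites is false, and the suite curl negotiates inside the container is not controlled by the test. A regression that dropped the isBadCipher gate entirely would still pass this file. I would add a non-Docker test that restricts ts.Config.TLSConfig.CipherSuites to a single suite isBadCipher reports as prohibited, runs one client with the option false and asserts the connection fails, and one with the option true and asserts it succeeds; the curl tests can then stay focused on interoperability. The new parameter on testServerWithCurl also deserves a one-line comment, e.g. `// permitProhibitedCipherSuites is passed through to Server.PermitProhibitedCipherSuites.`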
@@ -2138,8 +2147,12 @@
if err, ok := res.(error); ok {
t.Fatal(err)
}
- if !strings.Contains(string(res.([]byte)), "< foo:Bar") {
- t.Errorf("didn't see foo:Bar header")
+ if !strings.Contains(string(res.([]byte)), "foo: Bar") {
+ t.Errorf("didn't see foo: Bar header")
+ t.Logf("Got: %s", res)
+ }
+ if !strings.Contains(string(res.([]byte)), "client-proto: HTTP/2") {
+ t.Errorf("didn't see client-proto: HTTP/2 header")
t.Logf("Got: %s", res)
}
if !strings.Contains(string(res.([]byte)), msg) {