test httpd, tweak cipher list #14502
Conversation
Configure the AES 256 instead of the AES 128 cipher in the test httpd to make scorecard testing between httpd and caddy more comparable. Adapt test_17 expectations, now that AES 128 can no longer, but 256 can now be negotiated.
AES128 was intentionally chosen over AES256 to be kept enabled for testing as it should be faster (well, at least in theory). I am not too sure what scoreboard testing is, so I do not understand why AES256 and AES128 must be swapped? But, if you absolutely must swap the two, please do it consistently. So do swap the TLS 1.2 ciphers as well. Otherwise the "AES 128 ciphers are disabled in the test server" comment is not true, and the test will be harder to understand.

Also, these two lines:

When all swapped out, the list should become:

```python
[[0x1301], False],
[[0x1302], True],
[[0x1303], True],
[[0x1301, 0x1303], True],
[[0xC02B, 0xC02F], False],
[[0xC02C, 0xC030], True],
[[0xCCA9, 0xCCA8], True],
[[0xC02B, 0xC02F, 0xCCA9, 0xCCA8], True],
```
When running
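The following is an added illustration, not code from the curl repository or from this PR, of how the test_17 expectation table above follows from the server's cipher configuration. It assumes a simplified negotiation rule (the handshake succeeds when at least one suite the client offers is among those the server leaves enabled) and maps the IDs in the table to their IANA cipher suite names. It also reproduces the inconsistent case the reviewer warns about, where only the TLS 1.3 suites are swapped from AES128 to AES256 while TLS 1.2 still keeps AES128.

```python
# Added example: model how the test_17 expectations derive from which
# cipher suites the test httpd leaves enabled. The negotiation model is a
# simplification (any overlap between client offer and server set succeeds).

# IANA TLS cipher suite identifiers used in the test table.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}

# The client offers from the expectation table (suite lists only).
OFFERS = [
    [0x1301],
    [0x1302],
    [0x1303],
    [0x1301, 0x1303],
    [0xC02B, 0xC02F],
    [0xC02C, 0xC030],
    [0xCCA9, 0xCCA8],
    [0xC02B, 0xC02F, 0xCCA9, 0xCCA8],
]


def is_tls13(suite_id):
    """TLS 1.3 suites occupy the 0x13xx range; everything else here is TLS 1.2."""
    return (suite_id >> 8) == 0x13


def server_enabled(tls13_aes=256, tls12_aes=256):
    """Suites the server accepts when, per protocol version, exactly one AES
    key size (128 or 256) is kept and the other is disabled. CHACHA20 suites
    are always kept, matching the test server's intent."""
    enabled = set()
    for sid, name in SUITE_NAMES.items():
        keep_aes = tls13_aes if is_tls13(sid) else tls12_aes
        drop_aes = 256 if keep_aes == 128 else 128
        if f"AES_{drop_aes}" in name:
            continue
        enabled.add(sid)
    return enabled


def negotiable(offered, enabled):
    """Simplified model: the handshake succeeds if any offered suite is enabled."""
    return any(sid in enabled for sid in offered)


def expectation_table(tls13_aes=256, tls12_aes=256):
    """Build the [[suite ids], expected] rows for a given server config."""
    enabled = server_enabled(tls13_aes, tls12_aes)
    return [[list(offer), negotiable(offer, enabled)] for offer in OFFERS]


if __name__ == "__main__":
    print("AES256 kept for both TLS 1.3 and TLS 1.2 (consistent swap):")
    for offer, ok in expectation_table():
        print(f"  {[hex(s) for s in offer]} -> {ok}")
    print("AES256 kept for TLS 1.3 only, AES128 still kept for TLS 1.2 (mishmash):")
    for offer, ok in expectation_table(tls13_aes=256, tls12_aes=128):
        print(f"  {[hex(s) for s in offer]} -> {ok}")
```

Running the consistent configuration reproduces the reviewer's list exactly; the half-swapped configuration flips the two TLS 1.2 AES rows, which is why a reader of the test would be misled by the "AES 128 ciphers are disabled" comment in that case.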
You think it is important to swap the 1.2 ciphers? I can update the comment.
Hmm, such a significant performance difference likely suggests that GnuTLS prefers the non hardware-accelerated CHACHA20 over AES128 and uses that instead. Out of curiosity... is this performance difference still there with the SSLHonorCipherOrder turned on, or when CHACHA20 is disabled?
Yes, but for consistency. It would be easier for someone looking at the test to understand it, when either AES128 or AES256 is completely disabled, than to have a mishmash between protocols and algorithms. Also while we are at it... when I wrote
The test is not for the faint of heart... =)
Yes, that is possible to allow an override in the config and reload the server in the test.
Can you give me pointers on how to do that? Then I think it would be better to let the test server have the default cipher config, and let the
I just added that to this PR. It is done in test_17_ssl_use.py when the fixture for httpd is created.
Great! If only I had known it could be done like that in the first place.
Should have thought of that. Ah, well.