Merge pull request #15 from genkiroid/control-tls-max-version

Control tls max version when specify cipher suite

README.md

@@ -210,6 +210,8 @@ Error:
 
 ```
 
+**If you specify a cipher suite, the maximum TLS version used is limited to TLS1.2. This is because if the server supports TLS1.3, the specified cipher suite is ignored and communication is performed using TLS1.3. This eliminates the meaning of specifying a cipher suite and confuses us. This specification will change when the cipher suite for tls1.3 becomes configurable in Go.**
+
 ## License
 
 [MIT](https://github.com/genkiroid/cert/blob/master/LICENSE)

cert.go

@@ -44,9 +44,6 @@ var cipherSuites = map[string]uint16{
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-	"TLS_AES_128_GCM_SHA256":                  tls.TLS_AES_128_GCM_SHA256,
-	"TLS_AES_256_GCM_SHA384":                  tls.TLS_AES_256_GCM_SHA384,
-	"TLS_CHACHA20_POLY1305_SHA256":            tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
 var userTempl string
@@ -116,11 +113,19 @@ func cipherSuite() ([]uint16, error) {
 	var cs []uint16
 	cs = []uint16{cipherSuites[CipherSuite]}
 	if cs[0] == 0 {
-		return nil, fmt.Errorf("%s is unsupported cipher suite.", CipherSuite)
+		return nil, fmt.Errorf("%s is unsupported cipher suite or tls1.3 cipher suite.", CipherSuite)
 	}
 	return cs, nil
 }
 
+func tlsVersion() uint16 {
+	if CipherSuite != "" {
+		return tls.VersionTLS12
+	}
+	// Currently TLS 1.3
+	return 0
+}
+
 var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
 	d := &net.Dialer{
 		Timeout: time.Duration(TimeoutSeconds) * time.Second,
@@ -134,6 +139,7 @@ var serverCert = func(host, port string) ([]*x509.Certificate, string, error) {
 	conn, err := tls.DialWithDialer(d, "tcp", host+":"+port, &tls.Config{
 		InsecureSkipVerify: SkipVerify,
 		CipherSuites:       cs,
+		MaxVersion:         tlsVersion(),
 	})
 	if err != nil {
 		return []*x509.Certificate{&x509.Certificate{}}, "", err

cert_test.go

@@ -1,6 +1,7 @@
 package cert
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -266,18 +267,42 @@ func TestCertChain(t *testing.T) {
 }
 
 func TestCipherSuite(t *testing.T) {
-	CipherSuite = "TLS_CHACHA20_POLY1305_SHA256"
+	CipherSuite = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 	if _, err := cipherSuite(); err != nil {
 		t.Errorf(`unexpected err %s, want nil`, err.Error())
 	}
 }
 
 func TestCipherSuiteError(t *testing.T) {
 	CipherSuite = "UNSUPPORTED_CIPHER_SUITE"
+	want := "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite or tls1.3 cipher suite."
+
 	if _, err := cipherSuite(); err == nil {
 		t.Error(`unexpected nil, want error`)
-	} else if err.Error() != "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite." {
-		t.Errorf(`unexpected err message, want %q`, "UNSUPPORTED_CIPHER_SUITE is unsupported cipher suite.")
+	} else if err.Error() != want {
+		t.Errorf(`unexpected err message, want %q`, want)
+	}
+}
+
+func TestTlsVersion(t *testing.T) {
+	type want struct {
+		version uint16
+	}
+	var tests = []struct {
+		cipherSuite string
+		want        want
+	}{
+		{"", want{0}}, // 0 means TLS1.3 currently
+		{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", want{tls.VersionTLS12}},
+	}
+
+	for _, test := range tests {
+		CipherSuite = test.cipherSuite
+		v := tlsVersion()
+		got := want{v}
+		if got != test.want {
+			t.Errorf("tlsVersion() = %v, want %v", got, test.want)
+		}
 	}
 }