1 files changed, 158 insertions, 0 deletions

diff --git a/tests/unit/tls.tcl b/tests/unit/tls.tcl
new file mode 100644
index 0000000..29fe39f
--- /dev/null
+++ b/tests/unit/tls.tcl
@@ -0,0 +1,158 @@
+start_server {tags {"tls"}} {
+    if {$::tls} {
+        package require tls
+
+        test {TLS: Not accepting non-TLS connections on a TLS port} {
+            set s [redis [srv 0 host] [srv 0 port]]
+            catch {$s PING} e
+            set e
+        } {*I/O error*}
+
+        test {TLS: Verify tls-auth-clients behaves as expected} {
+            set s [redis [srv 0 host] [srv 0 port]]
+            ::tls::import [$s channel]
+            catch {$s PING} e
+            assert_match {*error*} $e
+
+            r CONFIG SET tls-auth-clients no
+
+            set s [redis [srv 0 host] [srv 0 port]]
+            ::tls::import [$s channel]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            r CONFIG SET tls-auth-clients optional
+
+            set s [redis [srv 0 host] [srv 0 port]]
+            ::tls::import [$s channel]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            r CONFIG SET tls-auth-clients yes
+
+            set s [redis [srv 0 host] [srv 0 port]]
+            ::tls::import [$s channel]
+            catch {$s PING} e
+            assert_match {*error*} $e
+        }
+
+        test {TLS: Verify tls-protocols behaves as expected} {
+            r CONFIG SET tls-protocols TLSv1.2
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
+            catch {$s PING} e
+            assert_match {*I/O error*} $e
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            r CONFIG SET tls-protocols ""
+        }
+
+        test {TLS: Verify tls-ciphers behaves as expected} {
+            r CONFIG SET tls-protocols TLSv1.2
+            r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
+            catch {$s PING} e
+            assert_match {*I/O error*} $e
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            r CONFIG SET tls-ciphers "DEFAULT"
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            r CONFIG SET tls-protocols ""
+            r CONFIG SET tls-ciphers "DEFAULT"
+        }
+
+        test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
+            r CONFIG SET tls-protocols TLSv1.2
+            r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]
+
+            r CONFIG SET tls-prefer-server-ciphers yes
+
+            set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
+            catch {$s PING} e
+            assert_match {PONG} $e
+
+            assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]
+
+            r CONFIG SET tls-protocols ""
+            r CONFIG SET tls-ciphers "DEFAULT"
+        }
+
+        test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
+            set master [srv 0 client]
+            set master_host [srv 0 host]
+            set master_port [srv 0 port]
+
+            # Use a non-restricted client/server cert for the replica
+            set redis_crt [format "%s/tests/tls/redis.crt" [pwd]]
+            set redis_key [format "%s/tests/tls/redis.key" [pwd]]
+
+            start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \
+                               omit [list tls-client-cert-file tls-client-key-file]] {
+                set replica [srv 0 client]
+                $replica replicaof $master_host $master_port
+                wait_for_condition 30 100 {
+                    [string match {*master_link_status:up*} [$replica info replication]]
+                } else {
+                    fail "Can't authenticate to master using just tls-cert-file!"
+                }
+            }
+        }
+
+        test {TLS: switch between tcp and tls ports} {
+            set srv_port [srv 0 port]
+
+            # TLS
+            set rd [redis [srv 0 host] $srv_port 0 1]
+            $rd PING
+
+            # TCP
+            $rd CONFIG SET tls-port 0
+            $rd CONFIG SET port $srv_port
+            $rd close
+
+            set rd [redis [srv 0 host] $srv_port 0 0]
+            $rd PING
+
+            # TLS
+            $rd CONFIG SET port 0
+            $rd CONFIG SET tls-port $srv_port
+            $rd close
+
+            set rd [redis [srv 0 host] $srv_port 0 1]
+            $rd PING
+            $rd close
+        }
+
+        test {TLS: Working with an encrypted keyfile} {
+            # Create an encrypted version
+            set keyfile [lindex [r config get tls-key-file] 1]
+            set keyfile_encrypted "$keyfile.encrypted"
+            exec -ignorestderr openssl rsa -in $keyfile -out $keyfile_encrypted -aes256 -passout pass:1234 2>/dev/null
+
+            # Using it without a password fails
+            catch {r config set tls-key-file $keyfile_encrypted} e
+            assert_match {*Unable to update TLS*} $e
+
+            # Now use a password
+            r config set tls-key-file-pass 1234
+            r config set tls-key-file $keyfile_encrypted
+        }
+    }
+}