/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
// Exercises Encrypted Client Hello (ECH) handling against the
// EncryptedClientHelloServer test server. The base64 ECHConfigs below can
// be regenerated by running EncryptedClientHelloServer and dumping the
// output of SSL_EncodeEchConfig. They do not expire; refresh them only if
// the host or ECH ciphersuite configuration changes, or if the keypair in
// EncryptedClientHelloServer.cpp is modified.
//
// The three values share the same key material and differ only in one
// cipher-suite identifier and, for the last one, the public name.
// NOTE(review): decoding the base64, the 16-bit value that differs between
// the first config and the two retry configs (0x0001 vs 0x0003) appears to
// sit in the kdf_id position of the cipher suite rather than aead_id.
// Confirm whether "unsupported AEAD" below should read "unsupported KDF".

// Baseline config the server is expected to accept.
// Public name: ech-public.example.com
const ECH_CONFIG_FIXED =
  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";

// Same public name (ech-public.example.com), but advertising an unsupported
// AEAD so that the trusted public-name host answers with retry_configs.
const ECH_CONFIG_TRUSTED_RETRY =
  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";

// Public name: selfsigned.example.com. Unsupported AEAD again, so that
// retry_configs are offered by a host whose certificate is not trusted.
const ECH_CONFIG_UNTRUSTED_RETRY =
  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
/**
 * Security-info callback for connections where the server is expected to
 * have accepted the Encrypted Client Hello.
 *
 * Checks that `isAcceptedEch` is truthy and that `usedPrivateDNS` is falsy,
 * i.e. the ECHConfig in use was not obtained through DoH.
 *
 * @param {object} aTransportSecurityInfo
 *   Security info object exposing `isAcceptedEch` and `usedPrivateDNS`.
 */
function shouldBeAcceptedEch(aTransportSecurityInfo) {
  const echAccepted = aTransportSecurityInfo.isAcceptedEch;
  Assert.ok(echAccepted, "This host should have accepted ECH");

  const resolvedOverPrivateDns = aTransportSecurityInfo.usedPrivateDNS;
  Assert.ok(!resolvedOverPrivateDns, "This connection does not use DoH");
}
/**
 * Security-info callback for connections where ECH must not have been
 * accepted (for example, a connection made without any ECHConfig).
 *
 * Checks that both `isAcceptedEch` and `usedPrivateDNS` are falsy.
 *
 * @param {object} aTransportSecurityInfo
 *   Security info object exposing `isAcceptedEch` and `usedPrivateDNS`.
 */
function shouldBeRejectedEch(aTransportSecurityInfo) {
  const echAccepted = aTransportSecurityInfo.isAcceptedEch;
  Assert.ok(!echAccepted, "This host should have rejected ECH");

  const resolvedOverPrivateDns = aTransportSecurityInfo.usedPrivateDNS;
  Assert.ok(!resolvedOverPrivateDns, "This connection does not use DoH");
}
// Harness setup: create a profile, then start the ECH-capable TLS test
// server used by every connection test registered below.
do_get_profile();
add_tls_server_setup("EncryptedClientHelloServer", "test_encrypted_client_hello");

// The connection tests run in registration order. Where an ECHConfig is
// supplied it is the seventh positional argument; the nulls before it leave
// the intermediate optional slots unused.

// 1. Baseline: no ECHConfig offered, so the handshake succeeds without ECH.
add_connection_test(
  "ech-public.example.com",
  PRErrorCodeSuccess,
  null,
  shouldBeRejectedEch
);

// 2. ECH offered with a config the server supports: expect acceptance.
add_connection_test(
  "ech-private.example.com",
  PRErrorCodeSuccess,
  null,
  shouldBeAcceptedEch,
  null, null,
  ECH_CONFIG_FIXED
);

// 3. Trigger retry_configs by offering an ECHConfig with a different AEAD
//    than the server supports. The public-name host is trusted, so the
//    connection ends with the ECH retry error.
add_connection_test(
  "ech-private.example.com",
  SSL_ERROR_ECH_RETRY_WITH_ECH,
  null, null, null, null,
  ECH_CONFIG_TRUSTED_RETRY
);

// 4. Trigger retry_configs again, but from a host that is untrusted (the
//    certificate for the public name is self-signed). Retry_configs must
//    not be used or reported as available: the expected result is the
//    certificate error, not SSL_ERROR_ECH_RETRY_WITH_ECH. Retry configs are
//    only meaningful once the public name has been authenticated.
add_connection_test(
  "ech-private.example.com",
  MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
  null, null, null, null,
  ECH_CONFIG_UNTRUSTED_RETRY
);

// A client-only (retry_without_ech) test is located in
// test_encrypted_client_hello_client_only.js. We can't easily restart a
// different server (one without ECHConfigs) here, so that test lives in a
// separate file that launches a non-ECH server.