test httpd, tweak cipher list
authorStefan Eissing <stefan@eissing.org>
Mon, 12 Aug 2024 11:53:04 +0000 (13:53 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 14 Aug 2024 09:48:35 +0000 (11:48 +0200)
Configure the AES 256 instead of the AES 128 cipher in the test httpd to
make scorecard testing between httpd and caddy more comparable.

Adapt test_17 expectations, now that AES 128 can no longer be negotiated
but AES 256 can.

Closes #14502

tests/http/test_10_proxy.py
tests/http/test_17_ssl_use.py
tests/http/testenv/httpd.py

index a53ab0c5e3140558e8fb7f5758c45cb5a9d77f2a..dcc454e0d220c33a5d75b6a3b5c3250f2ddf5b5e 100644 (file)
@@ -291,7 +291,7 @@ class TestProxy:
         x2_args = r1.args[1:]
         x2_args.append('--next')
         x2_args.extend(proxy_args)
-        x2_args.extend(['--proxy-tls13-ciphers', 'TLS_AES_128_GCM_SHA256'])
+        x2_args.extend(['--proxy-tls13-ciphers', 'TLS_AES_256_GCM_SHA384'])
         r2 = curl.http_download(urls=[url], alpn_proto='http/1.1', with_stats=True,
                                extra_args=x2_args)
         r2.check_response(count=2, http_status=200)
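Review bot: The suite name `TLS_AES_256_GCM_SHA384` is a bare literal on the `x2_args.extend([...])` line here and again in the hunks at -317 and -343, with no comment saying what the value has to satisfy. This commit also drops the explicit `SSLCipherSuite` lines from testenv/httpd.py, so the second transfer presumably succeeds only if the server's build defaults offer this suite, which a reader cannot tell from the test. I would add a comment above the line such as `# TLSv1.3 suite the test httpd must offer; keep in sync with testenv/httpd.py`, or hoist the name into one module-level constant that carries it. The enclosing test methods start and end outside the hunks.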
@@ -317,7 +317,7 @@ class TestProxy:
         x2_args = r1.args[1:]
         x2_args.append('--next')
         x2_args.extend(proxy_args)
-        x2_args.extend(['--proxy-tls13-ciphers', 'TLS_AES_128_GCM_SHA256'])
+        x2_args.extend(['--proxy-tls13-ciphers', 'TLS_AES_256_GCM_SHA384'])
         r2 = curl.http_download(urls=[url], alpn_proto='http/1.1', with_stats=True,
                                extra_args=x2_args)
         r2.check_response(count=2, http_status=200)
@@ -343,7 +343,7 @@ class TestProxy:
         x2_args = r1.args[1:]
         x2_args.append('--next')
         x2_args.extend(proxy_args)
-        x2_args.extend(['--tls13-ciphers', 'TLS_AES_128_GCM_SHA256'])
+        x2_args.extend(['--tls13-ciphers', 'TLS_AES_256_GCM_SHA384'])
         r2 = curl.http_download(urls=[url], alpn_proto='http/1.1', with_stats=True,
                                extra_args=x2_args)
         r2.check_response(count=2, http_status=200)
index 2d122d5012696196d301d875be368dab8c7b7006..32d45980af96e390112de71385208d6a879af2f3 100644 (file)
@@ -44,7 +44,13 @@ class TestSSLUse:
     def _class_scope(self, env, httpd, nghttpx):
         if env.have_h3():
             nghttpx.start_if_needed()
-        httpd.clear_extra_configs()
+        httpd.set_extra_config('base', [
+            f'SSLCipherSuite SSL'\
+            f' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'\
+            f':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305',
+            f'SSLCipherSuite TLSv1.3'\
+            f' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256',
+        ])
         httpd.reload()
 
     def test_17_01_sslinfo_plain(self, env: Env, httpd, nghttpx, repeat):
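Review bot: The `'base'` extra config that `_class_scope` now installs is never removed, because the fixture ends at `httpd.reload()` with no teardown. If the `httpd` fixture is shared with other test classes (not visible here), the AES 128 / CHACHA20 restriction stays in force for whichever class runs next unless it clears extra configs itself, so results would depend on test order. Turning the fixture into a yield fixture would contain it: after the existing reload add `yield`, then `httpd.clear_extra_configs()` and `httpd.reload()`. Separately, the `f` prefixes have no placeholders and the trailing backslashes are unnecessary inside the list brackets; plain adjacent string literals would read more clearly.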
index 4771ea36069c65b05d4dc4161610c81e3b8f4d1f..7b6cd6618dae2dcee61a879d0fe8414f39ae2a52 100644 (file)
@@ -257,13 +257,6 @@ class Httpd:
                 f'Listen {self.env.proxys_port}',
                 f'TypesConfig "{self._conf_dir}/mime.types',
                 f'SSLSessionCache "shmcb:ssl_gcache_data(32000)"',
-                (f'SSLCipherSuite SSL'
-                 f' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
-                 f':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
-                ),
-                (f'SSLCipherSuite TLSv1.3'
-                 f' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256'
-                ),
             ]
             if 'base' in self._extra_configs:
                 conf.extend(self._extra_configs['base'])