Set default ciphers, set tls 1.2 via config, set curve prefs (#9315)

Config Checks at StartUp Part1

Config Checks; Tests for TLS Server

HSTS header implementation + tests

make gofmt happy with new go version...

make gofmt happy with new go version #2...

fix logic bug

fix typo

Fix unnecessary code block

1 files changed, 147 insertions, 0 deletions

diff --git a/app/server_test.go b/app/server_test.go
index 94771a44e..4a355e113 100644
--- a/app/server_test.go
+++ b/app/server_test.go
@@ -4,6 +4,12 @@
 package app
 
 import (
+	"crypto/tls"
+	"github.com/mattermost/mattermost-server/utils"
+	"net/http"
+	"path"
+	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/mattermost/mattermost-server/model"
@@ -16,6 +22,10 @@ func TestStartServerSuccess(t *testing.T) {
 
 	a.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = ":0" })
 	serverErr := a.StartServer()
+
+	client := &http.Client{}
+	checkEndpoint(t, client, "http://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
 	a.Shutdown()
 	require.NoError(t, serverErr)
 }
@@ -48,3 +58,140 @@ func TestStartServerPortUnavailable(t *testing.T) {
 	a.Shutdown()
 	require.Error(t, serverErr)
 }
+
+func TestStartServerTLSSuccess(t *testing.T) {
+	a, err := New()
+	require.NoError(t, err)
+
+	testDir, _ := utils.FindDir("tests")
+	a.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.ListenAddress = ":0"
+		*cfg.ServiceSettings.ConnectionSecurity = "TLS"
+		*cfg.ServiceSettings.TLSKeyFile = path.Join(testDir, "tls_test_key.pem")
+		*cfg.ServiceSettings.TLSCertFile = path.Join(testDir, "tls_test_cert.pem")
+	})
+	serverErr := a.StartServer()
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+
+	client := &http.Client{Transport: tr}
+	checkEndpoint(t, client, "https://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
+	a.Shutdown()
+	require.NoError(t, serverErr)
+}
+
+func TestStartServerTLSVersion(t *testing.T) {
+	a, err := New()
+	require.NoError(t, err)
+
+	testDir, _ := utils.FindDir("tests")
+	a.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.ListenAddress = ":0"
+		*cfg.ServiceSettings.ConnectionSecurity = "TLS"
+		*cfg.ServiceSettings.TLSMinVer = "1.2"
+		*cfg.ServiceSettings.TLSKeyFile = path.Join(testDir, "tls_test_key.pem")
+		*cfg.ServiceSettings.TLSCertFile = path.Join(testDir, "tls_test_cert.pem")
+	})
+	serverErr := a.StartServer()
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			MaxVersion: tls.VersionTLS11,
+		},
+	}
+
+	client := &http.Client{Transport: tr}
+	err = checkEndpoint(t, client, "https://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
+	if !strings.Contains(err.Error(), "remote error: tls: protocol version not supported") {
+		t.Errorf("Expected protocol version error, got %s", err)
+	}
+
+	client.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+
+	err = checkEndpoint(t, client, "https://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
+	if err != nil {
+		t.Errorf("Expected nil, got %s", err)
+	}
+
+	a.Shutdown()
+	require.NoError(t, serverErr)
+}
+
+func TestStartServerTLSOverwriteCipher(t *testing.T) {
+	a, err := New()
+	require.NoError(t, err)
+
+	testDir, _ := utils.FindDir("tests")
+	a.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.ListenAddress = ":0"
+		*cfg.ServiceSettings.ConnectionSecurity = "TLS"
+		cfg.ServiceSettings.TLSOverwriteCiphers = []string{
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+		}
+		*cfg.ServiceSettings.TLSKeyFile = path.Join(testDir, "tls_test_key.pem")
+		*cfg.ServiceSettings.TLSCertFile = path.Join(testDir, "tls_test_cert.pem")
+	})
+	serverErr := a.StartServer()
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			},
+		},
+	}
+
+	client := &http.Client{Transport: tr}
+	err = checkEndpoint(t, client, "https://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
+	if !strings.Contains(err.Error(), "remote error: tls: handshake failure") {
+		t.Errorf("Expected protocol version error, got %s", err)
+	}
+
+	client.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			},
+		},
+	}
+
+	err = checkEndpoint(t, client, "https://localhost:" + strconv.Itoa(a.Srv.ListenAddr.Port) + "/", http.StatusNotFound)
+
+	if err != nil {
+		t.Errorf("Expected nil, got %s", err)
+	}
+
+	a.Shutdown()
+	require.NoError(t, serverErr)
+}
+
+func checkEndpoint(t *testing.T, client *http.Client, url string, expectedStatus int) error {
+	res, err := client.Get(url)
+
+	if err != nil {
+		return err
+	}
+
+	defer res.Body.Close()
+
+	if res.StatusCode != expectedStatus {
+		t.Errorf("Response code was %d; want %d", res.StatusCode, expectedStatus)
+	}
+
+	return nil
+}