crypto/tls: enable more large record bogo tests

cpu · cpu · commit 97eab214d140 · 2025-05-09T13:38:59.000-07:00
Previously a handful of large record tests were in the bogo config ignore list. The ignored tests were failing because they used insecure ciphersuites that aren't enabled by default. This commit adds the non-default insecure ciphersuites to the bogo TLS configuration and re-enables the tests. Doing this uncovered a handful of unrelated tests that needed to be fixed, each handled before this commit. Updates #72006 Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c7 Reviewed-on: https://go-review.googlesource.com/c/go/+/669158 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json
@@ -67,15 +67,6 @@
         "SupportTicketsWithSessionID": "TODO: first pass, this should be fixed",
         "NoNullCompression-TLS12": "TODO: first pass, this should be fixed",
         "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_128_GCM_SHA256-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS1-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS11-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_256_GCM_SHA384-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS1-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS11-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-ECDHE_RSA_WITH_AES_128_CBC_SHA256-LargeRecord": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS1": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS11": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS12": "TODO: first pass, this should be fixed",
diff --git a/src/crypto/tls/bogo_shim_test.go b/src/crypto/tls/bogo_shim_test.go
@@ -125,6 +125,12 @@ func bogoShim() {
 		return
 	}
 
+	// Test with both the default and insecure cipher suites.
+	var ciphersuites []uint16
+	for _, s := range append(CipherSuites(), InsecureCipherSuites()...) {
+		ciphersuites = append(ciphersuites, s.ID)
+	}
+
 	cfg := &Config{
 		ServerName: "test",
 
@@ -133,6 +139,8 @@ func bogoShim() {
 
 		ClientSessionCache: NewLRUClientSessionCache(0),
 
+		CipherSuites: ciphersuites,
+
 		GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
 
 			if *expectAdvertisedALPN != "" {
