nixpkgs/nixos/tests/web-servers/h2o/tls-recommendations.nix

{ hostPkgs, lib, ... }:

let
  domain = "acme.test";
  port = 8443;

  hello_txt =
    name:
    hostPkgs.writeTextFile {
      name = "/hello_${name}.txt";
      text = "Hello, ${name}!";
    };

  mkH2OServer =
    recommendations:
    { pkgs, lib, ... }:
    {
      services.h2o = {
        enable = true;
        package = pkgs.h2o.override (
          lib.optionalAttrs
            (builtins.elem recommendations [
              "intermediate"
              "old"
            ])
            {
              openssl = pkgs.openssl_legacy;
            }
        );
        defaultTLSRecommendations = "modern"; # prove overridden
        hosts = {
          "${domain}" = {
            tls = {
              inherit port recommendations;
              policy = "force";
              identity = [
                {
                  key-file = ../../common/acme/server/acme.test.key.pem;
                  certificate-file = ../../common/acme/server/acme.test.cert.pem;
                }
              ];
              extraSettings = {
                # when using common ACME certs, disable talking to CA
                ocsp-update-interval = 0;
              };
            };
            settings = {
              paths."/"."file.file" = "${hello_txt recommendations}";
            };
          };
        };
        settings = {
          ssl-offload = "kernel";
        };
      };

      security.pki.certificates = [
        (builtins.readFile ../../common/acme/server/ca.cert.pem)
      ];

      networking = {
        firewall.allowedTCPPorts = [ port ];
        extraHosts = "127.0.0.1 ${domain}";
      };
    };
in
{
  name = "h2o-tls-recommendations";

  meta = {
    maintainers = with lib.maintainers; [ toastal ];
  };

  nodes = {
    server_modern = mkH2OServer "modern";
    server_intermediate = mkH2OServer "intermediate";
    server_old = mkH2OServer "old";
  };

  testScript =
    let
      portStr = builtins.toString port;
    in
    # python
    ''
      curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"
      curl_head = "curl -v --head 'https://${domain}:${portStr}/'"
      curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"
      curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"
      curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"

      server_modern.wait_for_unit("h2o.service")
      server_modern.wait_for_open_port(${portStr})
      modern_response = server_modern.succeed(curl_basic)
      assert "Hello, modern!" in modern_response
      modern_head = server_modern.succeed(curl_head)
      assert "strict-transport-security" in modern_head
      server_modern.fail(curl_max_tls1_2)

      server_intermediate.wait_for_unit("h2o.service")
      server_intermediate.wait_for_open_port(${portStr})
      intermediate_response = server_intermediate.succeed(curl_basic)
      assert "Hello, intermediate!" in intermediate_response
      intermediate_head = server_modern.succeed(curl_head)
      assert "strict-transport-security" in intermediate_head
      server_intermediate.succeed(curl_max_tls1_2)
      server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)
      server_intermediate.fail(curl_max_tls1_2_old_cipher)

      server_old.wait_for_unit("h2o.service")
      server_old.wait_for_open_port(${portStr})
      old_response = server_old.succeed(curl_basic)
      assert "Hello, old!" in old_response
      old_head = server_modern.succeed(curl_head)
      assert "strict-transport-security" in old_head
      server_old.succeed(curl_max_tls1_2)
      server_old.succeed(curl_max_tls1_2_intermediate_cipher)
      server_old.succeed(curl_max_tls1_2_old_cipher)
    '';
}
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`{ hostPkgs, lib, ... }:`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`let`
			`domain = "acme.test";`
			`port = 8443;`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`hello_txt =`
			`name:`
			`hostPkgs.writeTextFile {`
			`name = "/hello_${name}.txt";`
			`text = "Hello, ${name}!";`
			`};`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`mkH2OServer =`
			`recommendations:`
			`{ pkgs, lib, ... }:`
			`{`
			`services.h2o = {`
			`enable = true;`
			`package = pkgs.h2o.override (`
			`lib.optionalAttrs`
			`(builtins.elem recommendations [`
			`"intermediate"`
			`"old"`
			`])`
			`{`
			`openssl = pkgs.openssl_legacy;`
			`}`
			`);`
			`defaultTLSRecommendations = "modern"; # prove overridden`
			`hosts = {`
			`"${domain}" = {`
			`tls = {`
			`inherit port recommendations;`
			`policy = "force";`
			`identity = [`
			`{`
			`key-file = ../../common/acme/server/acme.test.key.pem;`
			`certificate-file = ../../common/acme/server/acme.test.cert.pem;`
			`}`
			`];`
nixos/h2o: disable OCSP stapling in tests The ACME certs are faked for testing & no need to contact a certificate authority. 2025-03-27 22:26:10 +07:00			`extraSettings = {`
			`# when using common ACME certs, disable talking to CA`
			`ocsp-update-interval = 0;`
			`};`
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`};`
			`settings = {`
			`paths."/"."file.file" = "${hello_txt recommendations}";`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00			`};`
			`};`
			`};`
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`settings = {`
			`ssl-offload = "kernel";`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00			`};`
			`};`

nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`security.pki.certificates = [`
			`(builtins.readFile ../../common/acme/server/ca.cert.pem)`
			`];`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`networking = {`
			`firewall.allowedTCPPorts = [ port ];`
			`extraHosts = "127.0.0.1 ${domain}";`
			`};`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00			`};`
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`in`
			`{`
			`name = "h2o-tls-recommendations";`

			`meta = {`
			`maintainers = with lib.maintainers; [ toastal ];`
			`};`

			`nodes = {`
			`server_modern = mkH2OServer "modern";`
			`server_intermediate = mkH2OServer "intermediate";`
			`server_old = mkH2OServer "old";`
			`};`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`testScript =`
			`let`
			`portStr = builtins.toString port;`
			`in`
			`# python`
			`''`
			`curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"`
			`curl_head = "curl -v --head 'https://${domain}:${portStr}/'"`
			`curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"`
			`curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"`
			`curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`server_modern.wait_for_unit("h2o.service")`
			`server_modern.wait_for_open_port(${portStr})`
			`modern_response = server_modern.succeed(curl_basic)`
			`assert "Hello, modern!" in modern_response`
			`modern_head = server_modern.succeed(curl_head)`
			`assert "strict-transport-security" in modern_head`
			`server_modern.fail(curl_max_tls1_2)`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`server_intermediate.wait_for_unit("h2o.service")`
			`server_intermediate.wait_for_open_port(${portStr})`
			`intermediate_response = server_intermediate.succeed(curl_basic)`
			`assert "Hello, intermediate!" in intermediate_response`
			`intermediate_head = server_modern.succeed(curl_head)`
			`assert "strict-transport-security" in intermediate_head`
			`server_intermediate.succeed(curl_max_tls1_2)`
			`server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)`
			`server_intermediate.fail(curl_max_tls1_2_old_cipher)`
nixos/h2o: TLS recommendations From Mozilla’s ssl-config-generator project 2025-02-23 17:35:25 +07:00
nixos/h2o: move to runTest 2025-03-21 22:23:01 +07:00			`server_old.wait_for_unit("h2o.service")`
			`server_old.wait_for_open_port(${portStr})`
			`old_response = server_old.succeed(curl_basic)`
			`assert "Hello, old!" in old_response`
			`old_head = server_modern.succeed(curl_head)`
			`assert "strict-transport-security" in old_head`
			`server_old.succeed(curl_max_tls1_2)`
			`server_old.succeed(curl_max_tls1_2_intermediate_cipher)`
			`server_old.succeed(curl_max_tls1_2_old_cipher)`
			`'';`
			`}`