Merge pull request #787 from postmanlabs/feature/tls-ppb

Add TLS protocol profile behavior

CHANGELOG.yaml

@@ -1,9 +1,11 @@
 master:
   new features:
     - GH-786 Added history in request and response callback
+    - GH-787 Added TLS protocol profile behavior
   breaking changes:
     - GH-786 Moved timings out of response instance
   chores:
+    - GH-775 Added tests for proxy authentication
     - Updated dependencies
 
 7.10.0:

docs/protocol-profile-behavior.md

@@ -24,7 +24,17 @@ Redirect with the original HTTP method, by default redirects with HTTP method GE
 - `removeRefererHeaderOnRedirect`<br/>
 Removes the `referer` header when a redirect happens.
 
+- `tlsPreferServerCiphers:Boolean`<br/>
+Use the server's cipher suite order instead of the client's during negotiation
+
+- `tlsDisabledProtocols:Array`<br/>
+the SSL and TLS protocol versions to disabled during negotiation
+
+- `tlsCipherSelection:Array`<br/>
+Order of cipher suites that the SSL server profile uses to establish a secure connection
+
 **A collection with protocol profile behaviors:**
+
 ```javascript
 {
   "info": {

lib/requester/core.js

@@ -1,9 +1,14 @@
-var _ = require('lodash'),
-    dns = require('dns'),
-    Socket = require('net').Socket,
+var dns = require('dns'),
+    constants = require('constants'),
+
+    _ = require('lodash'),
     uuid = require('uuid/v4'),
+    sdk = require('postman-collection'),
+
+    Socket = require('net').Socket,
 
     requestBodyBuilders = require('./core-body-builder'),
+    version = require('../../package.json').version,
 
     LOCAL_IPV6 = '::1',
     LOCAL_IPV4 = '127.0.0.1',
@@ -22,8 +27,7 @@ var _ = require('lodash'),
     S_ERROR = 'error',
     S_TIMEOUT = 'timeout',
 
-    sdk = require('postman-collection'),
-    version = require('../../package.json').version,
+    SSL_OP_NO = 'SSL_OP_NO_',
 
     ERROR_ADDRESS_RESOLVE = 'NETERR: getaddrinfo ENOTFOUND ',
 
@@ -229,6 +233,7 @@ module.exports = {
             hostname = request.url && request.url.getHost();
 
         !defaultOpts && (defaultOpts = {});
+        !protocolProfileBehavior && (protocolProfileBehavior = {});
 
         options.headers = request.getHeaders({enabled: true, sanitizeKeys: true});
         url = request.url.toString();
@@ -238,6 +243,7 @@ module.exports = {
         options.timeout = defaultOpts.timeout;
         options.gzip = true;
         options.time = defaultOpts.timings;
+        options.verbose = defaultOpts.verbose;
         options.extraCA = defaultOpts.extendedRootCA;
 
         // Ensures that "request" creates URL encoded formdata or querystring as
@@ -253,6 +259,23 @@ module.exports = {
             options[reqOption] = resolveWithProtocolProfileBehavior(behaviorName, defaultOpts, protocolProfileBehavior);
         }
 
+        // use the server's cipher suite order instead of the client's during negotiation
+        if (protocolProfileBehavior.tlsPreferServerCiphers) {
+            options.honorCipherOrder = true;
+        }
+
+        // the SSL and TLS protocol versions to disabled during negotiation
+        if (Array.isArray(protocolProfileBehavior.tlsDisabledProtocols)) {
+            protocolProfileBehavior.tlsDisabledProtocols.forEach(function (protocol) {
+                options.secureOptions |= constants[SSL_OP_NO + protocol];
+            });
+        }
+
+        // order of cipher suites that the SSL server profile uses to establish a secure connection
+        if (Array.isArray(protocolProfileBehavior.tlsCipherSelection)) {
+            options.ciphers = protocolProfileBehavior.tlsCipherSelection.join(':');
+        }
+
         // Request body may return different options depending on the type of the body.
         bodyParams = self.getRequestBody(request, protocolProfileBehavior);
 

lib/requester/requester-pool.js

@@ -18,6 +18,7 @@ RequesterPool = function (options, callback) {
             _.get(options, 'timeout.global')
         ]), // validated later inside requester
         timings: _.get(options, 'requester.timings', true),
+        verbose: _.get(options, 'requester.verbose', false),
         keepAlive: _.get(options, 'requester.keepAlive', true),
         cookieJar: _.get(options, 'requester.cookieJar'), // default set later in this constructor
         strictSSL: _.get(options, 'requester.strictSSL'),

test/fixtures/server.js

@@ -64,6 +64,7 @@ function createRawEchoServer () {
 
     server.on('listening', function () {
         server.port = this.address().port;
+        server.url = 'http://localhost:' + server.port;
     });
 
     enableServerDestroy(server);
@@ -85,29 +86,34 @@ function createRawEchoServer () {
  * s.listen(3000, 'localhost');
  */
 function createSSLServer (opts) {
-    var i,
-        server,
+    var server,
         certDataPath = path.join(__dirname, 'certificates'),
         options = {
             'key': path.join(certDataPath, 'server-key.pem'),
             'cert': path.join(certDataPath, 'server-crt.pem'),
             'ca': path.join(certDataPath, 'ca.pem')
-        };
+        },
+        optionsWithFilePath = ['key', 'cert', 'ca', 'pfx'];
 
     if (opts) {
         options = Object.assign(options, opts);
     }
 
-    for (i in options) {
-        if (i !== 'requestCert' && i !== 'rejectUnauthorized' && i !== 'ciphers') {
-            options[i] = fs.readFileSync(options[i]);
-        }
-    }
+    optionsWithFilePath.forEach(function (option) {
+        if (!options[option]) { return; }
+
+        options[option] = fs.readFileSync(options[option]);
+    });
 
     server = https.createServer(options, function (req, res) {
         server.emit(req.url, req, res);
     });
 
+    server.on('listening', function () {
+        server.port = this.address().port;
+        server.url = 'https://localhost:' + server.port;
+    });
+
     enableServerDestroy(server);
 
     return server;
@@ -181,6 +187,11 @@ function createHTTPServer () {
         server.emit(req.url, req, res);
     });
 
+    server.on('listening', function () {
+        server.port = this.address().port;
+        server.url = 'http://localhost:' + server.port;
+    });
+
     enableServerDestroy(server);
 
     return server;