From 9d5e79725cf0d599451e4cb0710a17808ba823b8 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 7 Jun 2019 11:28:16 -0400
Subject: [PATCH] generalize TLS test
---
 .travis.yml | 4 +++-
 src/gam.py | 21 ++++++++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 89a857c8..9a076553 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -134,7 +134,9 @@ script:
 - $gam version | grep travis # travis should be part of the path (not /tmp or such)
 - if [ "$VMTYPE" == "build" ]; then $gam version | grep "Python ${BUILD_PYTHON_VERSION//./\\.}"; fi # We should be building with latest Python
 - if [ "$VMTYPE" == "build" ]; then $gam version extended | grep "OpenSSL ${BUILD_OPENSSL_VERSION//./\\.}"; fi # We should be using OpenSSL 1.1.1+
-- if [ "$VMTYPE" == "build" ]; then $gam version extended | grep TLSv1\.[23]; fi # Builds should support TLS 1.2 or 1.3 to Google
+- if [ "$VMTYPE" == "build" ]; then $gam version extended | grep TLSv1\.[23]; fi # Builds should default TLS 1.2 or 1.3 to Google
+- if [ "$VMTYPE" == "build" ]; then GAM_TLS_MIN_VERSION=TLSv1 GAM_TLS_MAX_VERSION=TLSv1 $gam version extended | grep TLSv1\.0; fi # Force TLS 1.0
+- if [ "$VMTYPE" == "build" ]; then GAM_TLS_MIN_VERSION=TLSv1_2 gamd version extended location tls-v1-0.badssl.com:1010; [[ $? == 3 ]]
 - export jid="$(cut -d'.' -f2 <<<"$TRAVIS_JOB_NUMBER")"
 - if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then export e2e=true; fi
 - if [ "$e2e" = true ]; then export gam_user=gam-travis-$jid@pdl.jaylee.us; fi
diff --git a/src/gam.py b/src/gam.py
index 63a6ec5a..de9c769d 100755
--- a/src/gam.py
+++ b/src/gam.py
@@ -53,7 +53,7 @@ import http.client as http_client
 from email.mime.text import MIMEText
 from multiprocessing import Pool
 from multiprocessing import freeze_support
-from urllib.parse import urlencode
+from urllib.parse import urlencode, urlparse
 from passlib.hash import sha512_crypt
 import dns.resolver
 import dateutil.parser
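Review bot: The third added script line in the `.travis.yml` hunk opens `if [ "$VMTYPE" == "build" ]; then` but never closes it with `fi`, and it calls `gamd` where every other line in the hunk uses `$gam`. Unless `gamd` is defined outside the visible lines, the step will most likely fail on a shell syntax error or an unknown command rather than on the TLS check it is meant to make. The exit-code test belongs inside the branch, e.g. `then GAM_TLS_MIN_VERSION=TLSv1_2 $gam version extended location tls-v1-0.badssl.com:1010; [[ $? == 3 ]]; fi`. A trailing comment like the neighbouring lines, `# TLS 1.0-only server must be refused when the minimum is 1.2`, would record why exit code 3 is the expected outcome.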
@@ -808,6 +808,7 @@ def doGAMVersion(checkForArgs=True):
 force_check = False
 simple = False
 extended = False
+ testLocation = 'www.googleapis.com'
 if checkForArgs:
 i = 2
 while i < len(sys.argv):
@@ -821,6 +822,9 @@ def doGAMVersion(checkForArgs=True):
 elif myarg == 'extended':
 extended = True
 i += 1
+ elif myarg == 'location':
+ testLocation = sys.argv[i+1]
+ i += 2
 else:
 systemErrorExit(2, '%s is not a valid argument for "gam version"' % sys.argv[i])
 if simple:
@@ -835,10 +839,17 @@ def doGAMVersion(checkForArgs=True):
 doGAMCheckForUpdates(forceCheck=True)
 if extended:
 print(ssl.OPENSSL_VERSION)
- httpc = _createHttpObj()
- httpc.request('https://www.googleapis.com')
- cipher_name, tls_ver, _ = httpc.connections['https:www.googleapis.com'].sock.cipher()
- print('www.googleapis.com connects using %s %s' % (tls_ver, cipher_name))
+ tls_ver, cipher_name = _getServerTLSUsed(testLocation)
+ print('%s connects using %s %s' % (testLocation, tls_ver, cipher_name))
+
+def _getServerTLSUsed(location):
+ url = 'https://%s' % location
+ _, netloc, _, _, _, _ = urlparse(url)
+ conn = 'https:%s' % netloc
+ httpc = _createHttpObj()
+ httpc.request(url)
+ cipher_name, tls_ver, _ = httpc.connections[conn].sock.cipher()
+ return tls_ver, cipher_name
 def handleOAuthTokenError(e, soft_errors):
 if e.replace('.', '') in OAUTH2_TOKEN_ERRORS or e.startswith('Invalid response'):
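Review bot: In the `elif myarg == 'location':` branch, `testLocation = sys.argv[i+1]` is read without checking that an argument follows, so `gam version location` with nothing after it raises an IndexError instead of the usage error the `else` branch gives. A guard before the assignment keeps the failure mode consistent: `if i+1 >= len(sys.argv): systemErrorExit(2, 'location requires a host[:port] argument')`. The value is later interpolated into an `https://` URL unchanged, so a comment stating the expected form (host or host:port) would help readers and callers. doGAMVersion starts and ends outside this hunk.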
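Review bot: In `_getServerTLSUsed`, the second element of `sock.cipher()` is the protocol version that defines the cipher suite, not the version negotiated for the connection, so `tls_ver` can differ from what was actually used on the wire. The CI lines in this patch grep this output to assert TLS policy, so the helper should take the version from `SSLSocket.version()` instead: `sock = httpc.connections[conn].sock`, `cipher_name, _, _ = sock.cipher()`, `tls_ver = sock.version()`. The lookup also assumes the connection is still cached under `conn` with a live socket once `request()` returns, which is worth a short comment. A docstring such as `"""Return (TLS version, cipher name) negotiated with location (host[:port])."""` would document the return order, which is the reverse of `cipher()`'s. doGAMVersion begins outside the hunk.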