diff --git a/roles/web_server/molecule/default/tests/test_mandatory.py b/roles/web_server/molecule/default/tests/test_mandatory.py index c09ed9f14607d3c0648d1ec8664578be2dce26df..403de252876735d3445ec27ed3debecfe8135ab6 100644 --- a/roles/web_server/molecule/default/tests/test_mandatory.py +++ b/roles/web_server/molecule/default/tests/test_mandatory.py @@ -23,17 +23,33 @@ def test_certificate_validity_check_configuration(host): assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname -def test_tls_configuration(host): +def test_tls_enabled(host): """ - Tests if the TLS has been configured correctly and works. + Tests if TLS has been enabled. """ tls = host.run('wget -q -O - https://parameters-mandatory/') assert tls.rc == 0 + +def test_tls_version(host): + """ + Tests if only the configured TLS protocol versions are allowed by + the server. + """ + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443") - assert old_tls_versions_disabled.rc != 0 + + # Avoid false negatives by ensuring the client had actually + # established the TCP connection. assert "CONNECTED" in old_tls_versions_disabled.stdout + assert old_tls_versions_disabled.rc != 0 + + +def test_tls_ciphers(host): + """ + Tests available TLS ciphers on the server. + """ cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443") assert cipher.rc == 0 diff --git a/roles/web_server/molecule/default/tests/test_optional.py b/roles/web_server/molecule/default/tests/test_optional.py index 502c6f0a34334284cda49ad39384f2a2f42ee0f4..f8f5e08ef9666f1c42be2253fbabd35d2da9d12f 100644 --- a/roles/web_server/molecule/default/tests/test_optional.py +++ b/roles/web_server/molecule/default/tests/test_optional.py 
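Review bot: `-no_tls1_2` in the new `test_tls_version` does not pin which protocol the probe offers, so what the `rc != 0` assertion proves depends on the test-side OpenSSL build: a TLS 1.3-capable client still offers 1.3 and the assertion fails the moment the server enables it, while an older client only exercises 1.0/1.1. Probing one version at a time states the intent directly and is independent of the client version: `old_tls1 = host.run("echo 'Q' | openssl s_client -tls1 -connect parameters-mandatory:443")` and `old_tls1_1 = host.run("echo 'Q' | openssl s_client -tls1_1 -connect parameters-mandatory:443")`, each followed by the same `CONNECTED` guard and `rc != 0` assertion (the guard also catches a client that refuses `-tls1` locally before connecting). The same applies to `-no_tls1_1 -no_tls1_2` in test_optional.py's `test_tls_version` in the next hunk. `test_tls_ciphers` only shows that one strong suite is accepted; a second probe with a suite the role is meant to exclude, asserting `rc != 0`, would actually test the hardening rather than just availability.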
@@ -23,21 +23,45 @@ def test_certificate_validity_check_configuration(host): assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname -def test_tls_configuration(host): +def test_tls_enabled(host): """ - Tests if the TLS has been configured correctly and works. + Tests if TLS has been enabled. """ tls = host.run('wget -q -O - https://parameters-optional/') assert tls.rc == 0 + +def test_tls_version(host): + """ + Tests if only the configured TLS protocol versions are allowed by + the server. + """ + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443") - assert old_tls_versions_disabled.rc != 0 + tls1_1_enabled = host.run("echo 'Q' | openssl s_client -tls1_1 -connect parameters-optional:443") + tls1_2_enabled = host.run("echo 'Q' | openssl s_client -tls1_2 -connect parameters-optional:443") + + # Avoid false negatives by ensuring the client had actually + # established the TCP connection. assert "CONNECTED" in old_tls_versions_disabled.stdout + assert old_tls_versions_disabled.rc != 0 + + # Avoid false negatives by ensuring the client had actually + # established the TCP connection. + assert "CONNECTED" in tls1_1_enabled.stdout + assert tls1_1_enabled.rc == 0 + + # Avoid false negatives by ensuring the client had actually + # established the TCP connection. + assert "CONNECTED" in tls1_2_enabled.stdout + assert tls1_2_enabled.rc == 0 - newer_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:443") - assert newer_tls_versions_enabled.rc == 0 - assert "CONNECTED" in newer_tls_versions_enabled.stdout + +def test_tls_ciphers(host): + """ + Tests available TLS ciphers on the server. + """ cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443") assert cipher.rc == 0
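Review bot: The three `CONNECTED`/`rc` pairs in `test_tls_version` repeat the same four lines with the same comment, and the comment's rationale only fits the negative probe — for `tls1_1_enabled` and `tls1_2_enabled` a missing TCP connection already fails `rc == 0`, so the `CONNECTED` assertion there only sharpens the diagnostic. A small module-level helper taking the `host.run` result and the expected outcome keeps the guard and its explanation in one place and lets each version read as one line; the probe string can be shared with the `%` formatting the file already uses. `-no_tls1_1 -no_tls1_2` has the same client-version dependence raised on test_mandatory.py. `test_tls_version`'s body is complete within this hunk.
```python
def _assert_handshake(result, expect_success):
    # A non-zero rc only proves a rejected handshake if the client had
    # actually established the TCP connection; a successful handshake
    # implies it, but checking first gives a clearer failure.
    assert "CONNECTED" in result.stdout
    assert (result.rc == 0) == expect_success


# … unchanged: test_tls_enabled …


def test_tls_version(host):
    """
    Tests if only the configured TLS protocol versions are allowed by
    the server.
    """
    probe = "echo 'Q' | openssl s_client %s -connect parameters-optional:443"
    _assert_handshake(host.run(probe % "-no_tls1_1 -no_tls1_2"), expect_success=False)
    _assert_handshake(host.run(probe % "-tls1_1"), expect_success=True)
    _assert_handshake(host.run(probe % "-tls1_2"), expect_success=True)


# … unchanged: test_tls_ciphers …
```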