diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py
index 5c2ad4eb4334c96a240190df5a61c5a474425244..5c98a7da89cac8631c2a5fc39f143041c39084b1 100644
--- a/roles/mail_server/molecule/default/tests/test_default.py
+++ b/roles/mail_server/molecule/default/tests/test_default.py
@@ -2,6 +2,8 @@
 import os
 import re
 import uuid
+import defusedxml.ElementTree as ElementTree
+
 import testinfra.utils.ansible_runner
@@ -608,3 +610,155 @@ def test_certificate_validity_check_configuration(host):
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content_string == "/etc/ssl/certs/%s_imap.pem" % hostname
+
+
+def test_smtp_default_port_tls_version_and_ciphers(host):
+    """
+    Tests TLS configuration for SMTP default port (needs to be less
+    restrictive for interoperability purposes).
+    """
+
+    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+
+    expected_tls_ciphers = {
+        "stretch": [
+            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_AES_128_CCM",
+            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_AES_256_CCM",
+            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
+            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
+            "TLS_DH_anon_WITH_SEED_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA",
+            "TLS_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_RSA_WITH_AES_128_CCM",
+            "TLS_RSA_WITH_AES_128_CCM_8",
+            "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_256_CBC_SHA",
+            "TLS_RSA_WITH_AES_256_CBC_SHA256",
+            "TLS_RSA_WITH_AES_256_CCM",
+            "TLS_RSA_WITH_AES_256_CCM_8",
+            "TLS_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+            "TLS_RSA_WITH_SEED_CBC_SHA",
+        ],
+        "buster": [
+            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
+            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
+            'TLS_DHE_RSA_WITH_AES_128_CCM',
+            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
+            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
+            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
+            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
+            'TLS_DHE_RSA_WITH_AES_256_CCM',
+            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
+            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
+            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
+            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
+            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
+            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
+            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
+            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
+            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
+            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
+            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
+            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
+            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
+            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
+            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
+            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
+            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
+            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
+            'TLS_DH_anon_WITH_SEED_CBC_SHA',
+            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
+            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
+            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
+            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
+            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
+            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
+            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
+            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
+            'TLS_RSA_WITH_AES_128_CBC_SHA',
+            'TLS_RSA_WITH_AES_128_CBC_SHA256',
+            'TLS_RSA_WITH_AES_128_CCM',
+            'TLS_RSA_WITH_AES_128_CCM_8',
+            'TLS_RSA_WITH_AES_128_GCM_SHA256',
+            'TLS_RSA_WITH_AES_256_CBC_SHA',
+            'TLS_RSA_WITH_AES_256_CBC_SHA256',
+            'TLS_RSA_WITH_AES_256_CCM',
+            'TLS_RSA_WITH_AES_256_CCM_8',
+            'TLS_RSA_WITH_AES_256_GCM_SHA384',
+            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
+            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
+            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
+            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
+            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+            'TLS_RSA_WITH_SEED_CBC_SHA',
+        ]
+    }
+
+    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+
+    # Run the nmap scanner against the server, and fetch the results.
+    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
+    assert nmap.rc == 0
+    report_content = host.file('/tmp/report.xml').content_string
+
+    report_root = ElementTree.fromstring(report_content)
+
+    tls_versions = []
+    tls_ciphers = set()
+
+    for child in report_root.findall("./host/ports/port/script/table"):
+        tls_versions.append(child.attrib['key'])
+
+    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
+        tls_ciphers.add(child.text)
+
+    tls_versions.sort()
+    tls_ciphers = sorted(list(tls_ciphers))
+
+    assert tls_versions == expected_tls_versions
+    assert tls_ciphers == expected_tls_ciphers[distribution_release]
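Review bot: The nmap report goes to the fixed, predictable path `/tmp/report.xml` in a shared temp directory and is then read back with `host.file(...)`; the file is never removed, and a predictable name in `/tmp` is exactly the kind of artifact that collides with a stale or foreign file on a reused test host. The write/read round-trip is unnecessary, since nmap can emit its XML on stdout: `nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX -")` followed by `report_root = ElementTree.fromstring(nmap.stdout)` drops the temp file entirely (if a file is preferred, the module already imports `uuid`, so a unique name is a one-line change). Separately, `expected_tls_ciphers[distribution_release]` on an unlisted release fails with a bare KeyError deep in the last line; `assert distribution_release in expected_tls_ciphers, distribution_release` right after the fact lookup gives a readable failure. The whole of test_smtp_default_port_tls_version_and_ciphers lies within this hunk, and the same function is removed unchanged from test_mandatory.py and test_optional.py.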
diff --git a/roles/mail_server/molecule/default/tests/test_mandatory.py b/roles/mail_server/molecule/default/tests/test_mandatory.py
index abf37774bfd3113c21a330716e64722677947c1a..39d9494dde9d131af102e39a1733c35329a44581 100644
--- a/roles/mail_server/molecule/default/tests/test_mandatory.py
+++ b/roles/mail_server/molecule/default/tests/test_mandatory.py
@@ -157,158 +157,6 @@ def test_imap_max_user_connections_per_ip(host):
     assert " mail_max_userip_connections = 10" in config.stdout
-def test_smtp_default_port_tls_version_and_ciphers(host):
-    """
-    Tests TLS configuration for SMTP default port (needs to be less
-    restrictive for interoperability purposes).
-    """
-
-    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
-
-    expected_tls_ciphers = {
-        "stretch": [
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_AES_128_CCM",
-            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
-            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_CCM",
-            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
-            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
-            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
-            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
-            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
-            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_DH_anon_WITH_SEED_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
-            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
-            "TLS_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_RSA_WITH_AES_128_CCM",
-            "TLS_RSA_WITH_AES_128_CCM_8",
-            "TLS_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_RSA_WITH_AES_256_CBC_SHA256",
-            "TLS_RSA_WITH_AES_256_CCM",
-            "TLS_RSA_WITH_AES_256_CCM_8",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_RSA_WITH_SEED_CBC_SHA",
-        ],
-        "buster": [
-            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_AES_128_CCM',
-            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
-            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_AES_256_CCM',
-            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
-            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
-            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
-            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
-            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
-            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
-            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_DH_anon_WITH_SEED_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
-            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
-            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
-            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
-            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
-            'TLS_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_RSA_WITH_AES_128_CCM',
-            'TLS_RSA_WITH_AES_128_CCM_8',
-            'TLS_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_RSA_WITH_AES_256_CBC_SHA256',
-            'TLS_RSA_WITH_AES_256_CCM',
-            'TLS_RSA_WITH_AES_256_CCM_8',
-            'TLS_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_RSA_WITH_SEED_CBC_SHA',
-        ]
-    }
-
-    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
-
-    # Run the nmap scanner against the server, and fetch the results.
-    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
-    assert nmap.rc == 0
-    report_content = host.file('/tmp/report.xml').content_string
-
-    report_root = ElementTree.fromstring(report_content)
-
-    tls_versions = []
-    tls_ciphers = set()
-
-    for child in report_root.findall("./host/ports/port/script/table"):
-        tls_versions.append(child.attrib['key'])
-
-    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
-        tls_ciphers.add(child.text)
-
-    tls_versions.sort()
-    tls_ciphers = sorted(list(tls_ciphers))
-
-    assert tls_versions == expected_tls_versions
-    assert tls_ciphers == expected_tls_ciphers[distribution_release]
-
-
 def test_sieve_tls_configuration(host):
     """
     Tests TLS configuration for SIEVE in Dovecot
diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index 09c3c14af6ef4b3d42ab01401dade301b7747a2c..a3b8d10902109e0631c39744287bdb999402e50c 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -188,158 +188,6 @@ def test_imap_max_user_connections_per_ip(host):
     assert " mail_max_userip_connections = 2" in config.stdout
-def test_smtp_default_port_tls_version_and_ciphers(host):
-    """
-    Tests TLS configuration for SMTP default port (needs to be less
-    restrictive for interoperability purposes).
-    """
-
-    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
-
-    expected_tls_ciphers = {
-        "stretch": [
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_AES_128_CCM",
-            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
-            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_AES_256_CCM",
-            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
-            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
-            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
-            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
-            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
-            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
-            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_DH_anon_WITH_SEED_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
-            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
-            "TLS_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_RSA_WITH_AES_128_CCM",
-            "TLS_RSA_WITH_AES_128_CCM_8",
-            "TLS_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_RSA_WITH_AES_256_CBC_SHA256",
-            "TLS_RSA_WITH_AES_256_CCM",
-            "TLS_RSA_WITH_AES_256_CCM_8",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
-            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
-            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
-            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
-            "TLS_RSA_WITH_SEED_CBC_SHA",
-        ],
-        "buster": [
-            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_AES_128_CCM',
-            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
-            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_AES_256_CCM',
-            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
-            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
-            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
-            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
-            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
-            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
-            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
-            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_DH_anon_WITH_SEED_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
-            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
-            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
-            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
-            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
-            'TLS_RSA_WITH_AES_128_CBC_SHA',
-            'TLS_RSA_WITH_AES_128_CBC_SHA256',
-            'TLS_RSA_WITH_AES_128_CCM',
-            'TLS_RSA_WITH_AES_128_CCM_8',
-            'TLS_RSA_WITH_AES_128_GCM_SHA256',
-            'TLS_RSA_WITH_AES_256_CBC_SHA',
-            'TLS_RSA_WITH_AES_256_CBC_SHA256',
-            'TLS_RSA_WITH_AES_256_CCM',
-            'TLS_RSA_WITH_AES_256_CCM_8',
-            'TLS_RSA_WITH_AES_256_GCM_SHA384',
-            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
-            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
-            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
-            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
-            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
-            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
-            'TLS_RSA_WITH_SEED_CBC_SHA',
-        ]
-    }
-
-    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
-
-    # Run the nmap scanner against the server, and fetch the results.
-    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
-    assert nmap.rc == 0
-    report_content = host.file('/tmp/report.xml').content_string
-
-    report_root = ElementTree.fromstring(report_content)
-
-    tls_versions = []
-    tls_ciphers = set()
-
-    for child in report_root.findall("./host/ports/port/script/table"):
-        tls_versions.append(child.attrib['key'])
-
-    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
-        tls_ciphers.add(child.text)
-
-    tls_versions.sort()
-    tls_ciphers = sorted(list(tls_ciphers))
-
-    assert tls_versions == expected_tls_versions
-    assert tls_ciphers == expected_tls_ciphers[distribution_release]
-
-
 def test_sieve_tls_configuration(host):
     """
     Tests TLS configuration for SIEVE in Dovecot