Changeset - 39f3062cba6a
Branko Majic (branko) - 3 years ago 2021-01-14 23:50:18
branko@majic.rs
MAR-151: Fix tests that fail due to differences between Debian Stretch and Debian Buster:

- Update the regex patterns used to locate deliveries via Dovecot.
- Enable verbose mode for gnutls-cli in one of the tests in order to
show the DH key size.
- Update the list of expected TLS ciphers for SMTP port 25 to account
for inclusion of additional ciphers in Debian Buster.
- Fix how the allowed relay IP is being fetched, because
host.ansible.get_variables method fails to resolve dynamic
variables.
3 files changed with 251 insertions and 117 deletions:
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -242,7 +242,9 @@ def test_postfix_delivery_to_dovecot(host):
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 
        pattern = r"dovecot: lda\(john.doe@domain1\): msgid=<%s>: saved mail to INBOX" % message_id
 
        # The (<\d+><.+?>)? pattern is for difference between Debian
 
        # Stretch and Debian Buster log format.
 
        pattern = r"dovecot: lda\(john.doe@domain1\)(<\d+><.+?>)?: msgid=<%s>: saved mail to INBOX" % message_id
 
        assert re.search(pattern, mail_log.content_string) is not None
 

	
 

	
 
@@ -405,7 +407,7 @@ def test_imap_server_uses_correct_dh_parameters(host):
 
    """
 

	
 
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' localhost")
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
 

	
 
    assert " - Using prime: 2048 bits" in connection.stdout
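Review bot: The new pattern in test_postfix_delivery_to_dovecot interpolates `message_id` into the regular expression unescaped, and the `.` in `john.doe` is a wildcard, so the search is looser than the literal log line it is meant to pin. How `message_id` is built is outside the hunk; if it can contain regex metacharacters, keep the match literal with `pattern = r"dovecot: lda\(john\.doe@domain1\)(<\d+><.+?>)?: msgid=<%s>: saved mail to INBOX" % re.escape(message_id)`. The same pattern is added to test_local_aliases in test_optional.py and would take the same change. Both function bodies start before their hunks.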
 

	
roles/mail_server/molecule/default/tests/test_mandatory.py
 
@@ -165,61 +165,126 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 

	
 
    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_CCM",
 
        "TLS_DHE_RSA_WITH_AES_128_CCM_8",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CCM",
 
        "TLS_DHE_RSA_WITH_AES_256_CCM_8",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
 
        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
 
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
 
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
 
        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_DH_anon_WITH_SEED_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
 
        "TLS_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_RSA_WITH_AES_128_CCM",
 
        "TLS_RSA_WITH_AES_128_CCM_8",
 
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_RSA_WITH_AES_256_CCM",
 
        "TLS_RSA_WITH_AES_256_CCM_8",
 
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_RSA_WITH_SEED_CBC_SHA",
 
    ]
 
    expected_tls_ciphers = {
 
        "stretch": [
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_SEED_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_128_CCM",
 
            "TLS_RSA_WITH_AES_128_CCM_8",
 
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_256_CCM",
 
            "TLS_RSA_WITH_AES_256_CCM_8",
 
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_RSA_WITH_SEED_CBC_SHA",
 
        ],
 
        "buster": [
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_SEED_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_128_CCM',
 
            'TLS_RSA_WITH_AES_128_CCM_8',
 
            'TLS_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_256_CCM',
 
            'TLS_RSA_WITH_AES_256_CCM_8',
 
            'TLS_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_RSA_WITH_SEED_CBC_SHA',
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
 
@@ -241,7 +306,7 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 

	
 

	
 
def test_sieve_tls_configuration(host):
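Review bot: `expected_tls_ciphers[distribution_release]` raises a bare KeyError on any release other than stretch or buster, and writing both lists out in full hides that the buster entry is the stretch list plus six ARIA-GCM suites. Deriving the buster list from the stretch one keeps the accepted delta auditable, and an explicit membership assert makes an unsupported release fail with a readable message. Both lists also expect anonymous (`TLS_DH_anon_*`, `TLS_ECDH_anon_*`) and SEED suites alongside TLSv1.0/1.1 on port 25; if that is deliberate for opportunistic SMTP TLS, a one-line comment above the dictionary should say so. The identical dictionary is repeated in test_optional.py, and the function body extends beyond both hunks.

```python
    # … unchanged: the existing 53-entry literal, bound to stretch_ciphers …
    aria_ciphers = [
        "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
        "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
        "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
    ]
    expected_tls_ciphers = {
        "stretch": stretch_ciphers,
        # Debian Buster additionally offers the ARIA-GCM suites.
        "buster": sorted(stretch_ciphers + aria_ciphers),
    }

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
    assert distribution_release in expected_tls_ciphers, \
        "no expected cipher list for release %s" % distribution_release
    # … unchanged: nmap run and report parsing …
```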
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -30,9 +30,9 @@ def test_postfix_main_cf_file_content(host):
 
    Tests if the Postfix main configuration file content is correct.
 
    """
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 
    host_variables = host.ansible.get_variables()
 

	
 
    allow_relay_from_ip = host_variables["smtp_allow_relay_from"]
 
    allow_relay_from_ip = host_variables["release_based_smtp_allow_relay_from"][distribution_release]
 

	
 
    hostname = host.run('hostname').stdout.strip()
 

	
 
@@ -62,7 +62,9 @@ def test_local_aliases(host):
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 
        pattern = r"dovecot: lda\(john.doe@domain1\): msgid=<%s>: saved mail to INBOX" % message_id
 
        # The (<\d+><.+?>)? pattern is for difference between Debian
 
        # Stretch and Debian Buster log format.
 
        pattern = r"dovecot: lda\(john.doe@domain1\)(<\d+><.+?>)?: msgid=<%s>: saved mail to INBOX" % message_id
 
        assert re.search(pattern, mail_log.content_string) is not None
 

	
 

	
 
@@ -194,61 +196,126 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 

	
 
    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_CCM",
 
        "TLS_DHE_RSA_WITH_AES_128_CCM_8",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CCM",
 
        "TLS_DHE_RSA_WITH_AES_256_CCM_8",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
 
        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
 
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
 
        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
 
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
 
        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_DH_anon_WITH_SEED_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
 
        "TLS_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_RSA_WITH_AES_128_CCM",
 
        "TLS_RSA_WITH_AES_128_CCM_8",
 
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_RSA_WITH_AES_256_CCM",
 
        "TLS_RSA_WITH_AES_256_CCM_8",
 
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
        "TLS_RSA_WITH_SEED_CBC_SHA",
 
    ]
 
    expected_tls_ciphers = {
 
        "stretch": [
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_SEED_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_128_CCM",
 
            "TLS_RSA_WITH_AES_128_CCM_8",
 
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_256_CCM",
 
            "TLS_RSA_WITH_AES_256_CCM_8",
 
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_RSA_WITH_SEED_CBC_SHA",
 
        ],
 
        "buster": [
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_SEED_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_128_CCM',
 
            'TLS_RSA_WITH_AES_128_CCM_8',
 
            'TLS_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_256_CCM',
 
            'TLS_RSA_WITH_AES_256_CCM_8',
 
            'TLS_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_RSA_WITH_SEED_CBC_SHA',
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
 
@@ -270,7 +337,7 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 

	
 

	
 
def test_sieve_tls_configuration(host):
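Review bot: The switch to `host_variables["release_based_smtp_allow_relay_from"][distribution_release]` in test_postfix_main_cf_file_content carries no comment explaining why `smtp_allow_relay_from` is no longer read directly; the reason is recorded only in the commit message. Since this value decides which address the test expects Postfix to relay for, the lookup deserves a comment such as `# get_variables() does not resolve templated variables; read the per-release mapping instead.` Where that mapping is defined, and how `smtp_allow_relay_from` relates to it, is not visible in this section. The lookup also raises a bare KeyError for a release missing from the mapping. The function body continues past the hunk.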