Changeset - 5a9a31d16029
0 2 0
Branko Majic (branko) - 2 months ago 2025-01-20 23:28:31
branko@majic.rs
MAR-230: Added TLS version/cipher tests to the xmpp_server role for server-to-server communications.
2 files changed with 84 insertions and 0 deletions:
roles/xmpp_server/molecule/default/tests/test_mandatory.py
 
@@ -83,3 +83,45 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_xmpp_s2s_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled for
 
    XMPP S2S port.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 
    # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default.
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
    ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain1 -oX /tmp/report.xml")
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 

	
 
    report_root = ElementTree.fromstring(report_content)
 

	
 
    tls_versions = []
 
    tls_ciphers = set()
 

	
 
    for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
 
        tls_versions.append(child.attrib['key'])
 

	
 
    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
 
        tls_ciphers.add(child.text)
 

	
 
    tls_versions.sort()
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers
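Review bot: The new test_xmpp_s2s_tls_version_and_ciphers pins cipher-suite names only, so a DHE suite negotiated over a weak (e.g. 1024-bit) group would still pass even though that is exactly what ssl-enum-ciphers exists to surface; if I have the script's XML layout right it also emits per-cipher `kex_info`/`strength` elems and a per-protocol `warnings` table, and adding `assert report_root.findall(".//table[@key='warnings']/elem") == []` would close that gap cheaply. The scan also round-trips through the fixed path `/tmp/report.xml`, which the preceding c2s test appears to share, so a report left by an earlier test could be parsed if nmap's write ever fails; `host.run("nmap --script ssl-enum-ciphers -p 5269 domain1 -oX -")` followed by `ElementTree.fromstring(nmap.stdout)` drops the temp file and the `-sV` probing the test never reads. Note that `tls_ciphers` is the union across TLS versions, so the assertion cannot tell which protocol offered which suite. The identical hunk in test_optional.py (scanning domain2) has the same three issues.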
roles/xmpp_server/molecule/default/tests/test_optional.py
 
@@ -83,3 +83,45 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_xmpp_s2s_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled for
 
    XMPP S2S port.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 
    # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default.
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
    ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain2 -oX /tmp/report.xml")
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 

	
 
    report_root = ElementTree.fromstring(report_content)
 

	
 
    tls_versions = []
 
    tls_ciphers = set()
 

	
 
    for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
 
        tls_versions.append(child.attrib['key'])
 

	
 
    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
 
        tls_ciphers.add(child.text)
 

	
 
    tls_versions.sort()
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers