Changeset - bbbc4c2cb188
0 2 0
Branko Majic (branko) - 2 months ago 2025-01-20 23:41:48
branko@majic.rs
MAR-230: Test for correct Diffie-Hellman parameter is not relevant for TLSv1.3:

- The test should be run only against servers where mandatory
parameters are tested since those have TLSv1.2 enabled (by
default).
2 files changed with 24 insertions and 24 deletions:
roles/xmpp_server/molecule/default/tests/test_default.py
 
@@ -129,30 +129,6 @@ def test_certificate_validity_check_configuration(host):
 
    assert config.content_string == "/etc/ssl/certs/%s_xmpp.pem" % hostname
 

	
 

	
 
def test_xmpp_server_uses_correct_dh_parameters(host):
 
    """
 
    Tests if the HTTP server uses the generated Diffie-Hellman parameter.
 
    """
 

	
 
    fqdn = host.run('hostname -f').stdout.strip()
 

	
 
    # Use first defined domain for testing.
 
    domain = host.ansible.get_variables()['xmpp_domains'][0]
 

	
 
    with host.sudo():
 
        expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()
 

	
 
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose %s", domain)
 

	
 
    output = connection.stdout
 
    begin_marker = "-----BEGIN DH PARAMETERS-----"
 
    end_marker = "-----END DH PARAMETERS-----"
 
    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]
 

	
 
    assert used_dhparam == expected_dhparam
 

	
 

	
 
def test_tls_connectivity(host):
 
    """
 
    Tests if it is possible to connect to the XMPP server using
roles/xmpp_server/molecule/default/tests/test_mandatory.py
 
@@ -39,6 +39,30 @@ Component "proxy.domain1" "proxy65"
 
  proxy65_acl = { "domain1" }""" in config.content_string
 

	
 

	
 
def test_xmpp_server_uses_correct_dh_parameters(host):
 
    """
 
    Tests if the HTTP server uses the generated Diffie-Hellman parameter.
 
    """
 

	
 
    fqdn = host.run('hostname -f').stdout.strip()
 

	
 
    # Use first defined domain for testing.
 
    domain = host.ansible.get_variables()['xmpp_domains'][0]
 

	
 
    with host.sudo():
 
        expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()
 

	
 
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose %s", domain)
 

	
 
    output = connection.stdout
 
    begin_marker = "-----BEGIN DH PARAMETERS-----"
 
    end_marker = "-----END DH PARAMETERS-----"
 
    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]
 

	
 
    assert used_dhparam == expected_dhparam
 

	
 

	
 
@pytest.mark.parametrize("port", [
 
    5222,
 
    5223
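Review bot: The DH comparison in test_xmpp_server_uses_correct_dh_parameters slices `output` with two `find()` results that are never checked, so when the handshake fails or gnutls-cli prints no parameters both are -1 and the test fails on a meaningless string comparison rather than on the real cause. Adding `assert begin_marker in output and end_marker in output` before the slice (and, if the command is expected to exit cleanly, `assert connection.rc == 0`) would make a failed TLSv1.2/DHE negotiation visible as such. The docstring was carried over unchanged and still says "HTTP server"; it should read `Tests if the XMPP server uses the generated Diffie-Hellman parameter.`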