|
@@ -632,10 +632,11 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
|
|
|
restrictive for interoperability purposes).
|
|
|
"""
|
|
|
|
|
|
expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
|
|
|
distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
|
|
|
|
|
|
expected_tls_ciphers = {
|
|
|
"bullseye": [
|
|
|
if distribution_release == "bullseye":
|
|
|
expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
|
|
|
expected_tls_ciphers = [
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CCM',
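Review bot: The release switch introduced at `if distribution_release == "bullseye":` has no explicit case for the newer release it is paired with, so any unexpected `ansible_distribution_release` value (an older release, a derivative, or a missing fact) silently falls into the `else` branch and is held to the TLSv1.3 expectation list rather than failing with a clear message. I would name the second release explicitly (`elif distribution_release == "bookworm":`, assuming that is the target) and end with `else: pytest.fail(f"no TLS expectations defined for release {distribution_release!r}")`. The bullseye branch also still expects `TLSv1.0` and `TLSv1.1` to be offered; the docstring cut off above this hunk appears to justify that as deliberate interoperability on port 25, and a one-line comment next to the list, `# TLSv1.0/1.1 are deliberately still offered on port 25 (opportunistic MX TLS); removing them is a policy change, not a test fix`, would keep the next maintainer from "fixing" the expectation in the wrong direction. The enclosing test function starts before this hunk.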
|
|
@@ -696,9 +697,69 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
|
|
|
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
|
|
|
'TLS_RSA_WITH_SEED_CBC_SHA',
|
|
|
]
|
|
|
}
|
|
|
|
|
|
distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
|
|
|
else:
|
|
|
expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
|
|
|
expected_tls_ciphers = [
|
|
|
'TLS_AKE_WITH_AES_128_GCM_SHA256',
|
|
|
'TLS_AKE_WITH_AES_256_GCM_SHA384',
|
|
|
'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CCM',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_CCM_8',
|
|
|
'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
|
|
|
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_AES_256_CCM',
|
|
|
'TLS_DHE_RSA_WITH_AES_256_CCM_8',
|
|
|
'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
|
|
|
'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
|
|
|
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
|
|
|
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
|
|
|
'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
|
|
|
'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
|
|
|
'TLS_DH_anon_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
|
|
|
'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
|
|
|
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
|
|
|
'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
|
|
|
'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
|
|
|
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
|
|
|
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
|
|
|
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
|
|
|
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
|
|
|
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
|
|
|
'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
|
|
|
'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
|
|
|
'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
|
|
|
'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
|
|
|
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
|
|
|
'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
|
|
|
'TLS_RSA_WITH_AES_128_CBC_SHA',
|
|
|
'TLS_RSA_WITH_AES_128_CBC_SHA256',
|
|
|
'TLS_RSA_WITH_AES_128_CCM',
|
|
|
'TLS_RSA_WITH_AES_128_CCM_8',
|
|
|
'TLS_RSA_WITH_AES_128_GCM_SHA256',
|
|
|
'TLS_RSA_WITH_AES_256_CBC_SHA',
|
|
|
'TLS_RSA_WITH_AES_256_CBC_SHA256',
|
|
|
'TLS_RSA_WITH_AES_256_CCM',
|
|
|
'TLS_RSA_WITH_AES_256_CCM_8',
|
|
|
'TLS_RSA_WITH_AES_256_GCM_SHA384',
|
|
|
'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
|
|
|
'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
|
|
|
'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
|
|
|
'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
|
|
|
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
|
|
|
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
|
|
|
]
|
|
|
|
|
|
# Run the nmap scanner against the server, and fetch the results.
|
|
|
nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
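Review bot: The new non-bullseye expectation list pins anonymous `TLS_DH_anon_*` and `TLS_ECDH_anon_*` suites and static-RSA (non-forward-secret) `TLS_RSA_*` suites as the expected port-25 offering, but nothing inline says why an unauthenticated key exchange is acceptable here; the rationale seems to live only in the docstring outside the hunk. I would add a comment above the list, `# Anonymous and non-PFS suites are intentionally offered on port 25: MX-to-MX TLS is opportunistic and unauthenticated, so they still beat cleartext. Do not copy this list for the submission ports.`, so the list is not mistaken for a hardened baseline. The `TLS_AKE_*` entries are nmap's naming for the TLSv1.3 suites and correspond to the `TLSv1.3` added to `expected_tls_versions` in this branch, which is consistent. Separately, the (unchanged) `nmap ... -oX /tmp/report.xml` invocation writes to a fixed world-writable path; if the test host is shared, a per-test temporary file would avoid clobbering or following a pre-placed file. The enclosing test function starts before this hunk.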
|
|
@@ -720,7 +781,7 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
|
|
|
tls_ciphers = sorted(list(tls_ciphers))
|
|
|
|
|
|
assert tls_versions == expected_tls_versions
|
|
|
assert tls_ciphers == expected_tls_ciphers[distribution_release]
|
|
|
assert tls_ciphers == expected_tls_ciphers
|
|
|
|
|
|
|
|
|
def test_dovecot_warnings(host):
|