diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py
index df02ca9dffe1b9e34e166dabc5ec4c210f2386b5..768f1a18edab2efc2e4162726f235ac09d63688e 100644
--- a/roles/mail_server/molecule/default/tests/test_default.py
+++ b/roles/mail_server/molecule/default/tests/test_default.py
@@ -632,10 +632,11 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 restrictive for interoperability purposes).
 """
- expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+ distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
- expected_tls_ciphers = {
- "bullseye": [
+ if distribution_release == "bullseye":
+ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+ expected_tls_ciphers = [
 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 'TLS_DHE_RSA_WITH_AES_128_CCM',
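Review bot: Replacing the release-keyed dict with `if distribution_release == "bullseye":` means every other release now takes the catch-all `else:` added in the next hunk, whereas the old lookup `expected_tls_ciphers[distribution_release]` would, as far as the hunks show, raise a KeyError for a release with no entry. The TLSv1.3 expectations in that branch look specific to one newer release (inferred; the diff does not name it), so a later release would surface as a long cipher-list mismatch instead of a clear "no baseline defined" error. Consider naming the release explicitly, `elif distribution_release == "<newer-release>":`, and ending the chain with `else: raise ValueError(f"no TLS expectations for {distribution_release}")`. The function body starts and ends outside this hunk.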
@@ -696,9 +697,69 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 'TLS_RSA_WITH_SEED_CBC_SHA',
 ]
- }
-
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+ else:
+ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ expected_tls_ciphers = [
+ 'TLS_AKE_WITH_AES_128_GCM_SHA256',
+ 'TLS_AKE_WITH_AES_256_GCM_SHA384',
+ 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_128_CCM',
+ 'TLS_DHE_RSA_WITH_AES_128_CCM_8',
+ 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_256_CCM',
+ 'TLS_DHE_RSA_WITH_AES_256_CCM_8',
+ 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
+ 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
+ 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
+ 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+ 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
+ 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+ 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
+ 'TLS_DH_anon_WITH_AES_128_CBC_SHA',
+ 'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
+ 'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
+ 'TLS_DH_anon_WITH_AES_256_CBC_SHA',
+ 'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
+ 'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
+ 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
+ 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
+ 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
+ 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
+ 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+ 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
+ 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
+ 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
+ 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
+ 'TLS_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_RSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_RSA_WITH_AES_128_CCM',
+ 'TLS_RSA_WITH_AES_128_CCM_8',
+ 'TLS_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_RSA_WITH_AES_256_CBC_SHA256',
+ 'TLS_RSA_WITH_AES_256_CCM',
+ 'TLS_RSA_WITH_AES_256_CCM_8',
+ 'TLS_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
+ 'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
+ 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
+ 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
+ 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
+ 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
+ ]
 # Run the nmap scanner against the server, and fetch the results.
 nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
@@ -720,7 +781,7 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 tls_ciphers = sorted(list(tls_ciphers))
 assert tls_versions == expected_tls_versions
- assert tls_ciphers == expected_tls_ciphers[distribution_release]
+ assert tls_ciphers == expected_tls_ciphers
 def test_dovecot_warnings(host):
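Review bot: The `else:` list added in the `-696,9 +697,69` hunk pins unauthenticated suites (`TLS_DH_anon_*`, `TLS_ECDH_anon_*`) together with TLSv1.0 and TLSv1.1 as the expected state of port 25, and nothing next to the list says this is intentional. Because the final assert is an exact match, the test keeps these suites in the baseline, so a reader cannot tell deliberate permissiveness from a weak default that was copied out of a scan. The docstring tail visible in the first hunk mentions interoperability, which suggests the former (inferred). A comment above the list would record that, for example `# Port 25 (server-to-server SMTP): anonymous suites and TLSv1.0/1.1 are accepted deliberately for interoperability.`, ideally with a second line noting that the `TLS_AKE_*` names are how the nmap script reports TLSv1.3 suites.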