|
|
import os
|
|
|
|
|
|
import pytest
|
|
|
|
|
|
import testinfra.utils.ansible_runner
|
|
|
|
|
|
|
|
@@ -21,18 +23,104 @@ def test_tls_version(host):
|
|
|
assert old_tls_versions_disabled.rc != 0
|
|
|
|
|
|
|
|
|
def test_tls_ciphers(host):
|
|
|
ALL_CIPHERS = [
|
|
|
"AES128-GCM-SHA256",
|
|
|
"AES128-SHA",
|
|
|
"AES128-SHA256",
|
|
|
"AES256-GCM-SHA384",
|
|
|
"AES256-SHA",
|
|
|
"AES256-SHA256",
|
|
|
"DHE-PSK-AES128-CBC-SHA",
|
|
|
"DHE-PSK-AES128-CBC-SHA256",
|
|
|
"DHE-PSK-AES128-GCM-SHA256",
|
|
|
"DHE-PSK-AES256-CBC-SHA",
|
|
|
"DHE-PSK-AES256-CBC-SHA384",
|
|
|
"DHE-PSK-AES256-GCM-SHA384",
|
|
|
"DHE-PSK-CHACHA20-POLY1305",
|
|
|
"DHE-RSA-AES128-GCM-SHA256",
|
|
|
"DHE-RSA-AES128-SHA",
|
|
|
"DHE-RSA-AES128-SHA256",
|
|
|
"DHE-RSA-AES256-GCM-SHA384",
|
|
|
"DHE-RSA-AES256-SHA",
|
|
|
"DHE-RSA-AES256-SHA256",
|
|
|
"DHE-RSA-CHACHA20-POLY1305",
|
|
|
"ECDHE-ECDSA-AES128-GCM-SHA256",
|
|
|
"ECDHE-ECDSA-AES128-SHA",
|
|
|
"ECDHE-ECDSA-AES128-SHA256",
|
|
|
"ECDHE-ECDSA-AES256-GCM-SHA384",
|
|
|
"ECDHE-ECDSA-AES256-SHA",
|
|
|
"ECDHE-ECDSA-AES256-SHA384",
|
|
|
"ECDHE-ECDSA-CHACHA20-POLY1305",
|
|
|
"ECDHE-PSK-AES128-CBC-SHA",
|
|
|
"ECDHE-PSK-AES128-CBC-SHA256",
|
|
|
"ECDHE-PSK-AES256-CBC-SHA",
|
|
|
"ECDHE-PSK-AES256-CBC-SHA384",
|
|
|
"ECDHE-PSK-CHACHA20-POLY1305",
|
|
|
"ECDHE-RSA-AES128-GCM-SHA256",
|
|
|
"ECDHE-RSA-AES128-SHA",
|
|
|
"ECDHE-RSA-AES128-SHA256",
|
|
|
"ECDHE-RSA-AES256-GCM-SHA384",
|
|
|
"ECDHE-RSA-AES256-SHA",
|
|
|
"ECDHE-RSA-AES256-SHA384",
|
|
|
"ECDHE-RSA-CHACHA20-POLY1305",
|
|
|
"PSK-AES128-CBC-SHA",
|
|
|
"PSK-AES128-CBC-SHA256",
|
|
|
"PSK-AES128-GCM-SHA256",
|
|
|
"PSK-AES256-CBC-SHA",
|
|
|
"PSK-AES256-CBC-SHA384",
|
|
|
"PSK-AES256-GCM-SHA384",
|
|
|
"PSK-CHACHA20-POLY1305",
|
|
|
"RSA-PSK-AES128-CBC-SHA",
|
|
|
"RSA-PSK-AES128-CBC-SHA256",
|
|
|
"RSA-PSK-AES128-GCM-SHA256",
|
|
|
"RSA-PSK-AES256-CBC-SHA",
|
|
|
"RSA-PSK-AES256-CBC-SHA384",
|
|
|
"RSA-PSK-AES256-GCM-SHA384",
|
|
|
"RSA-PSK-CHACHA20-POLY1305",
|
|
|
"SRP-AES-128-CBC-SHA",
|
|
|
"SRP-AES-256-CBC-SHA",
|
|
|
"SRP-RSA-AES-128-CBC-SHA",
|
|
|
"SRP-RSA-AES-256-CBC-SHA",
|
|
|
]
|
|
|
|
|
|
ENABLED_CIPHERS = [
|
|
|
"DHE-RSA-AES128-GCM-SHA256",
|
|
|
"DHE-RSA-AES256-GCM-SHA384",
|
|
|
"DHE-RSA-CHACHA20-POLY1305",
|
|
|
"ECDHE-RSA-AES128-GCM-SHA256",
|
|
|
"ECDHE-RSA-AES256-GCM-SHA384",
|
|
|
"ECDHE-RSA-CHACHA20-POLY1305",
|
|
|
]
|
|
|
|
|
|
DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
|
|
|
def test_enabled_tls_ciphers(host, cipher):
|
|
|
"""
|
|
|
Tests available TLS ciphers on the server.
|
|
|
"""
|
|
|
|
|
|
hostname = host.run('hostname').stdout.strip()
|
|
|
fqdn = hostname[:hostname.rfind('-')]
|
|
|
|
|
|
client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
|
|
|
assert client.rc == 0
|
|
|
assert cipher in client.stdout
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
|
|
|
def test_disabled_tls_ciphers(host, cipher):
|
|
|
"""
|
|
|
Tests available TLS ciphers on the server.
|
|
|
"""
|
|
|
|
|
|
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")
|
|
|
assert cipher.rc == 0
|
|
|
assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
|
|
|
hostname = host.run('hostname').stdout.strip()
|
|
|
fqdn = hostname[:hostname.rfind('-')]
|
|
|
|
|
|
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443")
|
|
|
assert cipher.rc != 0
|
|
|
assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
|
|
|
client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
|
|
|
assert client.rc != 0
|
|
|
assert cipher not in client.stdout
|
|
|
|
|
|
|
|
|
def test_https_enforcement(host):
|