|
@@ -23,21 +23,45 @@ def test_certificate_validity_check_configuration(host):
|
|
|
assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname
|
|
|
|
|
|
|
|
|
def test_tls_configuration(host):
|
|
|
def test_tls_enabled(host):
|
|
|
"""
|
|
|
Tests if the TLS has been configured correctly and works.
|
|
|
Tests if TLS has been enabled.
|
|
|
"""
|
|
|
|
|
|
tls = host.run('wget -q -O - https://parameters-optional/')
|
|
|
assert tls.rc == 0
|
|
|
|
|
|
|
|
|
def test_tls_version(host):
|
|
|
"""
|
|
|
Tests if only the configured TLS protocol versions are allowed by
|
|
|
the server.
|
|
|
"""
|
|
|
|
|
|
old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443")
|
|
|
assert old_tls_versions_disabled.rc != 0
|
|
|
tls1_1_enabled = host.run("echo 'Q' | openssl s_client -tls1_1 -connect parameters-optional:443")
|
|
|
tls1_2_enabled = host.run("echo 'Q' | openssl s_client -tls1_2 -connect parameters-optional:443")
|
|
|
|
|
|
# Avoid false negatives by ensuring the client had actually
|
|
|
# established the TCP connection.
|
|
|
assert "CONNECTED" in old_tls_versions_disabled.stdout
|
|
|
assert old_tls_versions_disabled.rc != 0
|
|
|
|
|
|
# Avoid false negatives by ensuring the client had actually
|
|
|
# established the TCP connection.
|
|
|
assert "CONNECTED" in tls1_1_enabled.stdout
|
|
|
assert tls1_1_enabled.rc == 0
|
|
|
|
|
|
# Avoid false negatives by ensuring the client had actually
|
|
|
# established the TCP connection.
|
|
|
assert "CONNECTED" in tls1_2_enabled.stdout
|
|
|
assert tls1_2_enabled.rc == 0
|
|
|
|
|
|
newer_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:443")
|
|
|
assert newer_tls_versions_enabled.rc == 0
|
|
|
assert "CONNECTED" in newer_tls_versions_enabled.stdout
|
|
|
|
|
|
def test_tls_ciphers(host):
|
|
|
"""
|
|
|
Tests available TLS ciphers on the server.
|
|
|
"""
|
|
|
|
|
|
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")
|
|
|
assert cipher.rc == 0
|
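Review bot: The negative probe in `test_tls_version` (`-no_tls1_1 -no_tls1_2`) does not pin which protocol it is actually testing: it leaves TLS 1.0, any SSLv3 the client still has, and — on OpenSSL builds with TLS 1.3 — TLS 1.3 enabled, so a correctly hardened server that speaks 1.3 will answer and the `rc != 0` assertion fails spuriously, while the `newer_tls_versions_enabled` probe with `-no_tls1_2` is satisfied by the TLS 1.1 handshake the test already requires and so never demonstrates that anything newer than 1.2 is offered. Probe each version explicitly instead, e.g. `old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -tls1 -connect parameters-optional:443")` and, if the test host's OpenSSL supports it, `-tls1_3` for the newer-versions check; the duplicated `assert old_tls_versions_disabled.rc != 0` near the top of the function can then be dropped. The test also asserts that TLS 1.1 must be accepted (`assert tls1_1_enabled.rc == 0`), a version deprecated by RFC 8996, so it is worth confirming that this is the intended baseline rather than a leftover. Relatedly, `test_tls_ciphers` only proves that one suite is accepted; add a negative probe with a legacy suite list asserting the server refuses it, checking the output for a handshake-failure alert rather than `rc` alone, since a client that lacks the suite itself also exits non-zero and would make the check pass trivially.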