import os
from datetime import timedelta
import pytest
from .conf import TlsTestConf
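class TestConf:
    """Directive-parsing tests for the TLS module configuration.

    Each test installs a fresh ``TlsTestConf`` carrying a single directive
    and then checks one of two outcomes:

    * a malformed or incomplete directive: ``env.apache_fail() == 0``
      (the start is expected to fail);
    * a well-formed directive: ``env.apache_restart() == 0``
      (the server (re)starts cleanly).
    """

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env):
        """Install a baseline ``TlsTestConf`` once per class and check the server restarts with it."""
        TlsTestConf(env=env).install()
        assert env.apache_restart() == 0

    @pytest.fixture(autouse=True, scope='function')
    def _function_scope(self, env):
        """Stop a server left running by a previous test before each test runs."""
        # Short liveness probe so a dead server does not hold up every test.
        if env.is_live(timeout=timedelta(milliseconds=100)):
            assert env.apache_stop() == 0

    def test_tls_02_conf_cert_args_missing(self, env):
        """``TLSCertificate`` with no arguments is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSCertificate")
        conf.install()
        assert env.apache_fail() == 0

    def test_tls_02_conf_cert_single_arg(self, env):
        """``TLSCertificate`` with only a certificate and no key is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSCertificate cert.pem")
        conf.install()
        assert env.apache_fail() == 0

    def test_tls_02_conf_cert_file_missing(self, env):
        """``TLSCertificate`` pointing at files that do not exist is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSCertificate cert.pem key.pem")
        conf.install()
        assert env.apache_fail() == 0

    def test_tls_02_conf_cert_file_exist(self, env):
        """``TLSCertificate`` pointing at files that exist but are empty is expected to fail the start.

        Distinguishes "file not found" from "file holds no usable PEM data":
        both must be rejected rather than letting the server come up without
        a working certificate.
        """
        conf = TlsTestConf(env=env)
        conf.add("TLSCertificate test-02-cert.pem test-02-key.pem")
        conf.install()
        # Create the referenced files with no content at all.
        # NOTE(review): the empty files are not removed afterwards; later tests
        # in this directory would see them.
        for name in ["test-02-cert.pem", "test-02-key.pem"]:
            with open(os.path.join(env.server_dir, name), "w") as fd:
                fd.write("")
        assert env.apache_fail() == 0

    def test_tls_02_conf_cert_listen_missing(self, env):
        """``TLSEngine`` without a listen address is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSEngine")
        conf.install()
        assert env.apache_fail() == 0

    def test_tls_02_conf_cert_listen_wrong(self, env):
        """``TLSEngine`` with an unparsable listen address is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSEngine ^^^^^")
        conf.install()
        assert env.apache_fail() == 0

    @pytest.mark.parametrize("listen", [
        "443",
        "129.168.178.188:443",
        "[::]:443",
    ])
    def test_tls_02_conf_cert_listen_valid(self, env, listen: str):
        """``TLSEngine`` with a port, an IPv4:port and an IPv6:port address is accepted.

        When the tls module is not available as a shared module the test
        falls back to ``SSLEngine on`` and expects the restart to fail
        (return 1), since no cert/key is configured.
        """
        conf = TlsTestConf(env=env)
        if not env.has_shared_module("tls"):
            # Without cert/key openssl will complain
            conf.add("SSLEngine on")
            conf.install()
            assert env.apache_restart() == 1
        else:
            conf.add("TLSEngine {listen}".format(listen=listen))
            conf.install()
            assert env.apache_restart() == 0

    def test_tls_02_conf_cert_listen_cert(self, env):
        """A TLS vhost for ``env.domain_a`` (listen address plus certificate) restarts cleanly."""
        domain = env.domain_a
        conf = TlsTestConf(env=env)
        conf.add_tls_vhosts(domains=[domain])
        conf.install()
        assert env.apache_restart() == 0

    def test_tls_02_conf_proto_wrong(self, env):
        """``TLSProtocol`` with an unknown protocol name is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSProtocol wrong")
        conf.install()
        assert env.apache_fail() == 0

    @pytest.mark.parametrize("proto", [
        "default",
        "TLSv1.2+",
        "TLSv1.3+",
        "TLSv0x0303+",
    ])
    def test_tls_02_conf_proto_valid(self, env, proto):
        """``TLSProtocol`` accepts ``default`` and the ``<version>+`` forms, including a hex version."""
        conf = TlsTestConf(env=env)
        conf.add("TLSProtocol {proto}".format(proto=proto))
        conf.install()
        assert env.apache_restart() == 0

    def test_tls_02_conf_honor_wrong(self, env):
        """``TLSHonorClientOrder`` with a value that is not on/off is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSHonorClientOrder wrong")
        conf.install()
        assert env.apache_fail() == 0

    @pytest.mark.parametrize("honor", [
        "on",
        "OfF",
    ])
    def test_tls_02_conf_honor_valid(self, env, honor: str):
        """``TLSHonorClientOrder`` accepts on/off and the mixed-case spelling ``OfF``."""
        conf = TlsTestConf(env=env)
        conf.add("TLSHonorClientOrder {honor}".format(honor=honor))
        conf.install()
        assert env.apache_restart() == 0

    @pytest.mark.parametrize("cipher", [
        "default",
        "TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        # Same list written with space separators and backslash line continuation.
        """TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"""
    ])
    def test_tls_02_conf_cipher_valid(self, env, cipher):
        """``TLSCiphersPrefer`` accepts ``default`` and colon- or space-separated known cipher names."""
        conf = TlsTestConf(env=env)
        conf.add("TLSCiphersPrefer {cipher}".format(cipher=cipher))
        conf.install()
        assert env.apache_restart() == 0

    @pytest.mark.parametrize("cipher", [
        "wrong",
        "YOLO",
        "TLS_NULL_WITH_NULL_NULLX",  # not supported
        "TLS_DHE_RSA_WITH_AES128_GCM_SHA256",  # not supported
    ])
    def test_tls_02_conf_cipher_wrong(self, env, cipher):
        """``TLSCiphersPrefer`` with unknown or unsupported cipher names is expected to fail the start."""
        conf = TlsTestConf(env=env)
        conf.add("TLSCiphersPrefer {cipher}".format(cipher=cipher))
        conf.install()
        assert env.apache_fail() == 0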