def test_fails_when_client_auth_failed(self):
    """The renegotiation scan raises when the server demands a client certificate and none is configured."""
    # Given a server that requires client authentication
    with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as legacy_server:
        # And sslyze does NOT provide a client certificate: no network
        # configuration (and so no credentials) is passed to the tester
        location = ServerNetworkLocationViaDirectConnection(
            hostname=legacy_server.hostname,
            ip_address=legacy_server.ip_address,
            port=legacy_server.port,
        )
        connectivity_info = ServerConnectivityTester().perform(location)

        # When testing for insecure reneg, the scan is expected to raise
        # ClientCertificateRequested instead of returning a result
        with pytest.raises(ClientCertificateRequested):
            SessionRenegotiationImplementation.scan_server(connectivity_info)
def test_works_when_client_auth_succeeded(self):
    """The renegotiation scan completes against a client-auth server when sslyze supplies credentials."""
    # Given a server that is vulnerable and that requires client authentication
    with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as legacy_server:
        location = ServerNetworkLocationViaDirectConnection(
            hostname=legacy_server.hostname,
            ip_address=legacy_server.ip_address,
            port=legacy_server.port,
        )

        # And sslyze provides a client certificate (the chain and key paths
        # come from the test server itself)
        client_credentials = ClientAuthenticationCredentials(
            certificate_chain_path=legacy_server.get_client_certificate_path(),
            key_path=legacy_server.get_client_key_path(),
        )
        network_config = ServerNetworkConfiguration(
            tls_server_name_indication=legacy_server.hostname,
            tls_client_auth_credentials=client_credentials,
        )
        connectivity_info = ServerConnectivityTester().perform(location, network_config)

        # When testing for insecure reneg, it succeeds
        scan_result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
            connectivity_info
        )

        # And the results are correct: secure renegotiation is supported, and
        # the server is still flagged for client-initiated renegotiation DoS
        assert scan_result.supports_secure_renegotiation
        assert scan_result.is_vulnerable_to_client_renegotiation_dos
def test_renegotiation_good(self):
    """A server that is not vulnerable is reported as supporting secure renegotiation only."""
    # NOTE(review): another test_renegotiation_good follows this one in the
    # listing; if both live in the same class, the later definition replaces
    # this one and this body is never collected. Confirm against the file.
    # NOTE(review): this test needs outbound network access and asserts on the
    # live TLS configuration of a third-party host, so it can fail for reasons
    # unrelated to the code under test.

    # Given a server that is NOT vulnerable to insecure reneg
    location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)
    connectivity_info = ServerConnectivityTester().perform(location)

    # When testing for insecure reneg, it succeeds
    scan_result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.perform(
        connectivity_info
    )

    # And the server is reported as not vulnerable
    assert scan_result.supports_secure_renegotiation
    assert not scan_result.accepts_client_renegotiation
def test_renegotiation_good(self):
    """A server that is not vulnerable yields a clean result that can be rendered for the CLI."""
    # NOTE(review): this test needs outbound network access and asserts on the
    # live TLS configuration of a third-party host, so it can fail for reasons
    # unrelated to the code under test.

    # Given a server that is NOT vulnerable to insecure reneg nor client reneg DOS
    location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)
    connectivity_info = ServerConnectivityTester().perform(location)

    # When testing for insecure reneg, it succeeds
    scan_result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
        connectivity_info
    )

    # And the server is reported as not vulnerable
    assert scan_result.supports_secure_renegotiation
    assert not scan_result.is_vulnerable_to_client_renegotiation_dos

    # And a CLI output can be generated (only checked for being non-empty)
    console_output = SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output(
        scan_result
    )
    assert console_output
def test_renegotiation_is_vulnerable_to_client_renegotiation_dos(self):
    """A legacy OpenSSL server is reported as vulnerable to client renegotiation DoS."""
    # Given a server that is vulnerable to client renegotiation DOS
    with LegacyOpenSslServer() as legacy_server:
        location = ServerNetworkLocationViaDirectConnection(
            hostname=legacy_server.hostname,
            ip_address=legacy_server.ip_address,
            port=legacy_server.port,
        )
        connectivity_info = ServerConnectivityTester().perform(location)

        # When testing for insecure reneg, it succeeds
        scan_result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
            connectivity_info
        )

        # And the server is reported as vulnerable
        assert scan_result.is_vulnerable_to_client_renegotiation_dos

        # And a CLI output can be generated (only checked for being non-empty)
        console_output = SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output(
            scan_result
        )
        assert console_output