class HeartbleedPluginTestCase(unittest.TestCase):
def test_heartbleed_good(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info, HeartbleedScanCommand())
self.assertFalse(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
@unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64')
def test_heartbleed_bad(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info, HeartbleedScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
@unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64')
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED
) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# The plugin works even when a client cert was not supplied
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info, HeartbleedScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
class OpenSslCcsInjectionPluginTestCase(unittest.TestCase):
def test_ccs_injection_good(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
@unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64')
def test_ccs_injection_bad(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
@unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64')
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED
) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# OpenSslCcsInjectionPlugin works even when a client cert was not supplied
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sslv2_enabled(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Sslv20ScanCommand())
# The embedded server does not have a preference
assert not plugin_result.preferred_cipher
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
assert {
'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5',
'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5',
'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5'
} == set(accepted_cipher_name_list)
assert plugin_result.accepted_cipher_list
assert not plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_works_when_client_auth_succeeded(self):
# Given a server that is vulnerable and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
# And sslyze provides a client certificate
network_config = ServerNetworkConfiguration(
tls_server_name_indication=server.hostname,
tls_client_auth_credentials=ClientAuthenticationCredentials(
certificate_chain_path=server.get_client_certificate_path(
),
key_path=server.get_client_key_path()),
)
server_info = ServerConnectivityTester().perform(
server_location, network_config)
# When testing for insecure reneg, it succeeds
result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
server_info)
# And the results are correct
assert result.supports_secure_renegotiation
assert result.is_vulnerable_to_client_renegotiation_dos
def test_works_when_client_auth_succeeded(self):
# Given a server that does NOT support SCSV and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
# And sslyze provides a client certificate
network_config = ServerNetworkConfiguration(
tls_server_name_indication=server.hostname,
tls_client_auth_credentials=ClientAuthenticationCredentials(
certificate_chain_path=server.get_client_certificate_path(
),
key_path=server.get_client_key_path()),
)
server_info = ServerConnectivityTester().perform(
server_location, network_config)
# When testing for SCSV, it succeeds
result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server(
server_info)
# And the server is reported as NOT supporting SCSV
assert not result.supports_fallback_scsv
def test_get_dh_info_dh(self, ssl_client_cls):
with LegacyOpenSslServer(cipher="DHE-RSA-AES256-SHA") as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = ssl_client_cls(
ssl_version=OpenSslVersionEnum.TLSV1_2,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE,
)
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()
dh_info = ssl_client.get_ephemeral_key()
assert isinstance(dh_info, DhEphemeralKeyInfo)
assert dh_info.type == OpenSslEvpPkeyEnum.DH
assert dh_info.size > 0
assert len(dh_info.public_bytes) > 0
assert len(dh_info.prime) > 0
assert len(dh_info.generator) > 0
def test_works_when_client_auth_succeeded(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client provides a client certificate
client_creds = ClientAuthenticationCredentials(
client_certificate_chain_path=server.
get_client_certificate_path(),
client_key_path=server.get_client_key_path(),
)
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port,
client_auth_credentials=client_creds,
)
server_info = server_test.perform()
# The plugin works fine
plugin = SessionRenegotiationPlugin()
plugin_result = plugin.process_task(
server_info, SessionRenegotiationScanCommand())
assert plugin_result.accepts_client_renegotiation
assert plugin_result.supports_secure_renegotiation
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_error_client_certificate_needed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
server_scan = ServerScanRequest(
server_info=server_info,
scan_commands={
# And a scan command that cannot be completed without a client certificate
ScanCommand.HTTP_HEADERS,
},
)
# When queuing the scan
scanner = Scanner()
scanner.queue_scan(server_scan)
# It succeeds
all_results = []
for result in scanner.get_results():
all_results.append(result)
assert len(all_results) == 1
# And the error was properly returned
error = all_results[0].scan_commands_errors[ScanCommand.HTTP_HEADERS]
assert error.reason == ScanCommandErrorReasonEnum.CLIENT_CERTIFICATE_NEEDED
def test_works_when_client_auth_succeeded(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
# And sslyze provides a client certificate
network_config = ServerNetworkConfiguration(
tls_server_name_indication=server.hostname,
tls_client_auth_credentials=ClientAuthenticationCredentials(
certificate_chain_path=server.get_client_certificate_path(
),
key_path=server.get_client_key_path()),
)
server_info = check_connectivity_to_server_and_return_info(
server_location, network_config)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
assert not result.strict_transport_security_header
assert not result.expect_ct_header
def test_vulnerable_and_server_has_sni_bug(self):
# Test for https://github.com/nabla-c0d3/sslyze/issues/202
# Given a server that is vulnerable to Heartbleed and that requires the right SNI to be sent
server_name_indication = "server.com"
with LegacyOpenSslServer(
require_server_name_indication_value=server_name_indication
) as server:
server_location = ServerNetworkLocation(
hostname=server_name_indication,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# But the server is buggy and returns a TLS alert when SNI is sent during the Hearbtleed check
# We replicate this behavior by having SSLyze send a wrong value for SNI, instead of complicated server code
# Use __setattr__ to bypass the dataclass' frozen=True setting
object.__setattr__(server_info.network_configuration,
"tls_server_name_indication", "wrongvalue.com")
# When testing for Heartbleed, it succeeds
result = HeartbleedImplementation.scan_server(server_info)
# And the server is reported as vulnerable even though it has the SNI bug
assert result.is_vulnerable_to_heartbleed
def test_sslv3_enabled(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Sslv30ScanCommand())
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEqual(
{
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
'TLS_ECDHE_RSA_WITH_NULL_SHA',
'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDH_anon_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5',
'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5',
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA',
'TLS_DH_anon_WITH_DES_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA',
'TLS_RSA_WITH_DES_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_MD5',
'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA',
'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_RC4_128_MD5'
}, set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_error_client_certificate_needed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And a scan request for it that does NOT provide a client certificate
scan_request = ServerScanRequest(
server_location=ServerNetworkLocation(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
),
scan_commands={
# And the request has a scan command that cannot be completed without a client certificate
ScanCommand.HTTP_HEADERS,
},
)
# When running the scan
scanner = Scanner()
scanner.queue_scans([scan_request])
# It succeeds
all_results = []
for result in scanner.get_results():
all_results.append(result)
# And the right result was returned
assert len(all_results) == 1
# And the fact that a client certificate is needed was properly returned
http_headers_result = all_results[0].scan_result.http_headers
assert http_headers_result.status == ScanCommandAttemptStatusEnum.ERROR
assert http_headers_result.error_reason == ScanCommandErrorReasonEnum.CLIENT_CERTIFICATE_NEEDED
assert http_headers_result.error_trace
assert http_headers_result.result is None
def test_fails_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for HTTP headers, it fails
with pytest.raises(ClientCertificateRequested):
HttpHeadersImplementation.scan_server(server_info)
def test_required_client_auth_tls_1_2(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# SSLyze correctly detects that client auth is required
assert server_info.client_auth_requirement == ClientAuthenticationServerConfigurationEnum.REQUIRED
def test_required_client_auth_tls_1_2(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
port=server.port,
ip_address=server.ip_address)
server_info = ServerConnectivityTester().perform(server_location)
# SSLyze correctly detects that client auth is required
assert server_info.tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for compression support, it succeeds
result: CompressionScanResult = CompressionImplementation.scan_server(server_info)
assert not result.supports_compression
def test_succeeds_when_client_auth_failed_tls_1_2(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And SSLyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(server_info)
assert result.accepted_cipher_suites
def test_fails_when_client_auth_failed(self):
# Given a server that does NOT support SCSV and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for SCSV, it fails as a client cert was not supplied
with pytest.raises(ClientCertificateRequested):
FallbackScsvImplementation.scan_server(server_info)
def test_heartbleed_bad(self):
# Given a server that is vulnerable to Heartbleed
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for Heartbleed, it succeeds
result: HeartbleedScanResult = HeartbleedImplementation.perform(
server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_heartbleed
def test_heartbleed_bad(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info, HeartbleedScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_fails_when_client_auth_failed(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# The plugin fails
with pytest.raises(ClientCertificateRequested):
RobotImplementation.scan_server(server_info)
def test_fails_when_client_auth_failed_tls_1_2(self):
# Given a server with TLS 1.2 that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# The plugin fails when a client cert was not supplied
plugin = HttpHeadersPlugin()
with self.assertRaises(ClientCertificateRequested):
plugin.process_task(server_info, HttpHeadersScanCommand())
def test_early_data_disabled_no_tls_1_3(self):
# Given a server to scan that does NOT support early data because it does not support TLS 1.3
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for early data support, it succeeds
result: EarlyDataScanResult = EarlyDataImplementation.perform(
server_info)
# And the right result is returned
assert not result.supports_early_data
def test_fallback_bad(self):
# Given a server that does NOT support SCSV
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for SCSV, it succeeds
result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server(
server_info)
# And the server is reported as NOT supporting SCSV
assert not result.supports_fallback_scsv
def test_ccs_injection_bad(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
assert plugin_result.is_vulnerable_to_ccs_injection
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_succeeds_when_client_auth_failed(self):
# Given a server that is vulnerable to CCS injection and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does not provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = ServerConnectivityTester().perform(server_location)
# When testing for CCS injection, it succeeds
result = OpenSslCcsInjectionImplementation.scan_server(server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_ccs_injection
def test_succeeds_when_client_auth_failed(self):
# Given a server that is vulnerable to Heartbleed and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for Heartbleed, it succeeds
result = HeartbleedImplementation.scan_server(server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_heartbleed
def test_required_client_auth_tls_1_2(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
port=server.port,
ip_address=server.ip_address)
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# SSLyze correctly detects that client auth is required
assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_sslv3_enabled(self):
# Given a server to scan that supports SSL 3.0
with LegacyOpenSslServer(openssl_cipher_string="ALL:COMPLEMENTOFALL") as server:
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Sslv30ScanImplementation.scan_server(server_info)
# The right cipher suites were detected
assert len(result.accepted_cipher_suites) == 43
assert result.rejected_cipher_suites
# And the embedded server does not have a preference by default
assert not result.cipher_suite_preferred_by_server
def test_ssl_2(self):
# Given a server that supports SSL 2.0
with LegacyOpenSslServer() as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = LegacySslClient(
ssl_version=OpenSslVersionEnum.SSLV2,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE,
ignore_client_authentication_requests=True,
)
# When doing the special SSL 2.0 handshake, it succeeds
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()