def test_tls_error_expired_2(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) # This test allows past or future since cert is 1963, which some systems # will intepret as 2063 with assert_exception(self, errors.TLSVerificationError, 'certificate expired|not valid until'): tls.TLSSocket('expired-1963.badtls.io', 11000, session=session)
def test_tls_error_wildcard_mismatch(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSVerificationError, 'does not match'): tls.TLSSocket('wildcard.mismatch.badtls.io', 11007, session=session)
def tls_connect(self, hostname, port): session = None if hostname == 'dh1024.badtls.io': session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) connection = tls.TLSSocket(hostname, port, session=session) self.assertEqual(hostname, connection.hostname) self.assertIsInstance(connection.hostname, str_cls) self.assertIsInstance(connection.cipher_suite, str_cls) self.assertIsInstance(connection.certificate, x509.Certificate) self.assertLess(10, len(connection.cipher_suite)) self.assertEqual(port, connection.port) connection.write(b'GET / HTTP/1.1\r\nHost: ' + hostname.encode('utf-8') + b'\r\n\r\n') html = connection.read_until(re.compile(b'</html>', re.I)) self.assertNotEqual(None, re.search(b'</html>', html, re.I))
def ensure_connected(self): """ Make sure a valid tls.TLSSocket() is open to the server :return: A boolean indicating if the connection was reused """ if self.socket: return True host, port = self.url_info session = tls.TLSSession() self.socket = tls.TLSSocket(host, port, timeout=self.timeout, session=session) return False
def test_tls_extra_trust_roots_no_match(self): expected = 'certificate issuer not found in trusted root certificate store' with self.assertRaisesRegexp(errors.TLSVerificationError, expected): session = tls.TLSSession(extra_trust_roots=[digicert_ca_path]) tls.TLSSocket('test1.tls-o-matic.com', 443, session=session)
def test_tls_error_expired(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSVerificationError, 'certificate expired'): tls.TLSSocket('expired.badtls.io', 11006, session=session)
def test_tls_error_handshake_error_3(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSError, 'weak certificate signature algorithm'): tls.TLSSocket('weak-sig.badtls.io', 11004, session=session)
def test_tls_error_non_web(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSVerificationError, 'verification failed'): tls.TLSSocket('bad-key-usage.badtls.io', 11005, session=session)
def test_tls_extra_trust_roots(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path, digicert_ca_path]) tls.TLSSocket('test1.tls-o-matic.com', 443, session=session)
def test_tls_error_client_cert_required(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSError, 'client authentication'): tls.TLSSocket('required-auth.badtls.io', 10003, session=session)
def run(): """ Runs through TLS hosts in the Alexa top 1000 to test TLS functionality :return: A bool - if the test succeeded without any socket errors """ task_start = time.time() success = 0 tls_errors = 0 socket_errors = 0 mismatch_info = [] context = ValidationContext(allow_fetching=True) with open(os.path.join(fixtures_dir, 'alexa_top_1000.csv'), 'rb') as f: for line in f: domain = line.decode('utf-8').rstrip() os_result = None cv_result = None os_message = None cv_message = None try: os_start = time.time() con = tls.TLSSocket(domain, 443, timeout=3) con.close() success += 1 os_result = 'OK' os_message = 'Success' _color('green', 'OK', domain, os_start) except (TLSVerificationError) as e: tls_errors += 1 os_result = 'TLS' os_message = str_cls(e) _color('yellow', 'TLS', domain, os_start, str_cls(e)) except (socket.error) as e: socket_errors += 1 os_result = 'SOCK' os_message = str_cls(e) _color('red', 'SOCK', domain, os_start, str_cls(e)) try: cv_start = time.time() session = tls.TLSSession(manual_validation=True) con = tls.TLSSocket(domain, 443, timeout=3, session=session) validator = CertificateValidator(con.certificate, con.intermediates, context) validator.validate_tls(domain) con.close() success += 1 cv_result = 'OK' cv_message = 'Success' _color('green', 'OK', domain, cv_start) except (PathValidationError, PathBuildingError) as e: tls_errors += 1 cv_result = 'TLS' cv_message = str_cls(e) _color('yellow', 'TLS', domain, cv_start, str_cls(e)) except (socket.error) as e: socket_errors += 1 cv_result = 'SOCK' cv_message = str_cls(e) _color('red', 'SOCK', domain, cv_start, str_cls(e)) if os_result != cv_result: mismatch_info.append( [domain, os_result, os_message, cv_result, cv_message]) total_time = time.time() - task_start total_domains = success + tls_errors + socket_errors stats = [] if success > 0: stats.append('%d [%sOK%s]' % (success, Fore.GREEN, Fore.RESET)) if tls_errors > 0: stats.append('%d [%sTLS%s]' % (tls_errors, Fore.YELLOW, Fore.RESET)) if socket_errors > 0: stats.append('%d [%sSOCK%s]' % (socket_errors, Fore.RED, Fore.RESET)) print('') print('Checked %d domains in %.3f seconds - %s' % (total_domains, total_time, ' '.join(stats))) if mismatch_info: print('') for info in mismatch_info: os_result = '[%s] %s' % (info[1], info[2]) cv_result = '[%s] %s' % (info[3], info[4]) _color( 'red', 'DIFF', 'oscrypto and certvalidator results for %s are different' % info[0], None, os_result, cv_result) return socket_errors == 0
def test_tls_wildcard_success(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) tls.TLSSocket('test4.tls-o-matic.com', 404, session=session) tls.TLSSocket('test4test.tls-o-matic.com', 404, session=session)
def test_tls_error_client_cert_required(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) with self.assertRaisesRegexp(errors.TLSError, 'client authentication'): tls.TLSSocket('test8.tls-o-matic.com', 408, session=session)
def test_tls_extra_trust_roots(self): session = tls.TLSSession( extra_trust_roots=[badtls_ca_path, digicert_ca_path]) tls.TLSSocket('domain-match.badtls.io', 10000, session=session)
def test_tls_error_missing_issuer_2(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) expected = 'certificate issuer not found in trusted root certificate store' with self.assertRaisesRegexp(errors.TLSVerificationError, expected): tls.TLSSocket('test7.tls-o-matic.com', 407, session=session)
def test_tls_error_expired_2(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) # This test allows past or future since cert is 1963, which some systems # will intepret as 2063 with self.assertRaisesRegexp(errors.TLSVerificationError, 'certificate expired|not valid until'): tls.TLSSocket('test6.tls-o-matic.com', 406, session=session)
def test_tls_error_not_yet_valid(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) with self.assertRaisesRegexp(errors.TLSVerificationError, 'not valid until'): tls.TLSSocket('test5.tls-o-matic.com', 405, session=session)
def test_tls_error_handshake_error_2(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSError, 'TLS handshake failed'): tls.TLSSocket('rc4.badtls.io', 11008, session=session)
def test_tls_error_non_web(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) with self.assertRaisesRegexp(errors.TLSVerificationError, 'verification failed'): tls.TLSSocket('test14.tls-o-matic.com', 414, session=session)
def test_tls_extra_trust_roots_no_match(self): expected = 'certificate issuer not found in trusted root certificate store' with assert_exception(self, errors.TLSVerificationError, expected): session = tls.TLSSession(extra_trust_roots=[digicert_ca_path]) tls.TLSSocket('domain-match.badtls.io', 10000, session=session)
def test_tls_error_san_mismatch(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) with self.assertRaisesRegexp(errors.TLSVerificationError, 'does not match'): tls.TLSSocket('test3.tls-o-matic.com', 403, session=session)
def test_tls_protocol_version(self): session = tls.TLSSession(set(['TLSv1', 'TLSv1.1'])) with assert_exception(self, errors.TLSError, 'TLS handshake failed - protocol version error'): tls.TLSSocket('github.com', 443, session=session)
def test_tls_wildcard_success(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) tls.TLSSocket('wildcard-match.badtls.io', 10001, session=session)
def test_tls_error_not_yet_valid(self): session = tls.TLSSession(extra_trust_roots=[badtls_ca_path]) with assert_exception(self, errors.TLSVerificationError, 'not valid until'): tls.TLSSocket('future.badtls.io', 11001, session=session)
def test_tls_error_handshake_error_3(self): session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path]) with self.assertRaisesRegexp(errors.TLSError, 'weak certificate signature algorithm'): tls.TLSSocket('test9.tls-o-matic.com', 409, session=session)