예제 #1
    def test_null_cipher_suites(self):
        """Check that a TLS 1.2 scan of null.badssl.com reports exactly the expected NULL/anon suites.

        NULL suites provide no encryption and anon suites provide no server authentication,
        so a scanner that misses any of them under-reports a serious misconfiguration.
        """
        # Given a server to scan that supports NULL cipher suites
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("null.badssl.com", 443)
        connectivity = ServerConnectivityTester().perform(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)

        # Then exactly the NULL/anon cipher suites were reported as accepted.
        # NOTE(review): this is strict set equality against a live third-party host, so the
        # test fails as soon as that host's configuration changes in either direction.
        insecure_suites = {
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_SEED_CBC_SHA",
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_NULL_SHA",
            "TLS_ECDH_anon_WITH_NULL_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_RSA_WITH_NULL_SHA",
        }
        reported_suites = {entry.cipher_suite.name for entry in result.accepted_cipher_suites}
        assert insecure_suites == reported_suites
예제 #2
    def test_cipher_suite_preferred_by_server(self):
        """Check that the scan reports the first suite of a server-enforced preference list.

        A local OpenSSL server is started with a shuffled cipher string and server cipher
        preference enabled; the scan result must name the first entry of that string.
        """
        # Given an ordered list of cipher suites (OpenSSL names), put into a random order.
        # Presumably the shuffle keeps the test from passing by coincidence with a fixed
        # default ordering; verify against the project's intent.
        preference_order = [
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES128-SHA256",
            "ECDHE-RSA-AES256-SHA384",
            "ECDHE-RSA-AES128-SHA",
            "ECDHE-RSA-AES256-SHA",
            "AES128-GCM-SHA256",
            "AES256-GCM-SHA384",
            "AES128-SHA256",
            "AES256-SHA256",
            "AES128-SHA",
            "AES256-SHA",
        ]
        random.shuffle(preference_order)

        # And a server that is configured with this list as its preferred cipher suites
        with ModernOpenSslServer(
            openssl_cipher_string=":".join(preference_order),
            should_enable_server_cipher_preference=True,
        ) as server:
            target = ServerNetworkLocationViaDirectConnection(
                hostname=server.hostname, ip_address=server.ip_address, port=server.port
            )

            # When scanning for cipher suites, it succeeds
            result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(
                ServerConnectivityTester().perform(target)
            )

        # Then the server's cipher suite preference was detected and it is the head of the list
        preferred = result.cipher_suite_preferred_by_server
        assert preferred
        assert preference_order[0] == preferred.cipher_suite.openssl_name
예제 #3
    def test_tlsv1_2_enabled(self):
        """Check that a TLS 1.2 scan of www.google.com reports exactly the expected accepted suites."""
        # Given a server to scan that supports TLS 1.2
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)
        connectivity = ServerConnectivityTester().perform(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)

        # Then the result confirms that TLS 1.2 is supported.
        # NOTE(review): strict set equality against a live production host; the expected set
        # (which still lists a 3DES suite) goes stale whenever the operator retires or adds a
        # suite, so a failure here may reflect the remote configuration rather than the scanner.
        tls12_suites = {
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        }
        reported_suites = {entry.cipher_suite.name for entry in result.accepted_cipher_suites}
        assert tls12_suites == reported_suites
예제 #4
    def test_follows_client_cipher_suite_preference(self):
        """Scan www.hotmail.com over TLS 1.2 and assert on the reported server cipher preference."""
        # Given a server to scan that follows client cipher suite preference
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.hotmail.com", 443)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(
            ServerConnectivityTester().perform(target)
        )

        # NOTE(review): the test name and the "Given" above say the server follows the
        # client's preference, yet the assertion requires a server-preferred suite to be
        # reported. One of the two looks wrong; confirm the intended expectation.
        preferred = result.cipher_suite_preferred_by_server
        assert preferred
예제 #5
    def test(self):
        """Check that a TLS 1.2 cipher suite scan result can be rendered as non-empty CLI output."""
        # Given a completed scan for a cipher suites scan command
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)
        connectivity = ServerConnectivityTester().perform(target)
        scan_result = Tlsv12ScanImplementation.scan_server(connectivity)

        # When generating the CLI output for this result, it succeeds
        cli_connector = Tlsv12ScanImplementation.cli_connector_cls
        console_output = cli_connector.result_to_console_output(scan_result)

        # Only non-emptiness is checked; the content of the output is not inspected.
        assert console_output
예제 #6
    def test(self):
        """Check that a TLS 1.2 cipher suite scan result can be rendered as non-empty CLI output."""
        # Given a completed scan for a cipher suites scan command
        target = ServerNetworkLocation("www.google.com", 443)
        scan_result = Tlsv12ScanImplementation.scan_server(
            check_connectivity_to_server_and_return_info(target)
        )

        # When generating the CLI output for this result, it succeeds
        cli_connector = Tlsv12ScanImplementation.cli_connector_cls
        console_output = cli_connector.result_to_console_output(scan_result)

        # Only non-emptiness is checked; the content of the output is not inspected.
        assert console_output
예제 #7
    def test_smtp(self):
        """Check that a TLS 1.2 cipher suite scan works against an SMTP server on port 587."""
        # Given an SMTP server to scan
        smtp_host = "smtp.gmail.com"
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(smtp_host, 587)

        # The connection is configured for SMTP opportunistic TLS, with SNI set to the same host.
        smtp_settings = ServerNetworkConfiguration(
            tls_server_name_indication=smtp_host,
            tls_opportunistic_encryption=ProtocolWithOpportunisticTlsEnum.SMTP,
        )
        connectivity = ServerConnectivityTester().perform(target, smtp_settings)

        # When scanning for cipher suites, it succeeds and at least one suite is accepted
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)
        accepted = result.accepted_cipher_suites
        assert accepted
예제 #8
    def test_rc4_cipher_suites(self):
        """Check that a TLS 1.2 scan of rc4.badssl.com reports exactly its two RC4 suites.

        RC4 is prohibited for TLS by RFC 7465, so the scanner must not miss these suites.
        """
        # Given a server to scan that supports RC4 cipher suites
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("rc4.badssl.com", 443)
        connectivity = ServerConnectivityTester().perform(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)

        # Then the RC4 cipher suites, and nothing else, were detected
        rc4_suites = {"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA"}
        reported_suites = {entry.cipher_suite.name for entry in result.accepted_cipher_suites}
        assert rc4_suites == reported_suites
    def test_follows_client_cipher_suite_preference(self):
        """Scan www.hotmail.com over TLS 1.2 and assert on the reported server cipher preference."""
        # Given a server to scan that follows client cipher suite preference
        target = ServerNetworkLocation("www.hotmail.com", 443)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(
            check_connectivity_to_server_and_return_info(target)
        )

        # NOTE(review): the test name and the "Given" above say the server follows the
        # client's preference, yet the assertion requires a server-preferred suite to be
        # reported. One of the two looks wrong; confirm the intended expectation.
        preferred = result.cipher_suite_preferred_by_server
        assert preferred
예제 #10
    def test_succeeds_when_client_auth_failed_tls_1_2(self):
        """Check that suites are still enumerated when the server requires a client certificate.

        The local server demands client authentication and the scanner supplies none; the
        scan must nevertheless report at least one accepted cipher suite.
        """
        # Given a TLS 1.2 server that requires client authentication
        with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
            # And SSLyze does NOT provide a client certificate
            target = ServerNetworkLocationViaDirectConnection(
                hostname=server.hostname, ip_address=server.ip_address, port=server.port
            )

            # When scanning for cipher suites, it succeeds
            result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(
                ServerConnectivityTester().perform(target)
            )

        # Then the failed client authentication did not hide the accepted suites
        accepted = result.accepted_cipher_suites
        assert accepted
    def test_rc4_cipher_suites(self):
        """Check that a TLS 1.2 scan of rc4.badssl.com reports exactly its two RC4 suites.

        RC4 is prohibited for TLS by RFC 7465, so the scanner must not miss these suites.
        """
        # Given a server to scan that supports RC4 cipher suites
        target = ServerNetworkLocation("rc4.badssl.com", 443)
        connectivity = check_connectivity_to_server_and_return_info(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)

        # Then the RC4 cipher suites, and nothing else, were detected
        rc4_suites = {"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA"}
        reported_suites = {entry.cipher_suite.name for entry in result.accepted_cipher_suites}
        assert rc4_suites == reported_suites
예제 #12
    def test_ephemeral_key_info(self):
        """Check that the scan result carries both DH and ECDH ephemeral key information."""
        # Given a server to scan that supports DH and ECDH ephemeral keys
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.hotmail.com", 443)
        connectivity = ServerConnectivityTester().perform(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)
        assert result.accepted_cipher_suites

        # Then the ephemeral keys were returned: at least one of each kind across all suites
        ephemeral_keys = [suite.ephemeral_key for suite in result.accepted_cipher_suites]
        saw_ecdh = any(isinstance(key, EcDhEphemeralKeyInfo) for key in ephemeral_keys)
        # A key already classified as ECDH is not counted as DH.
        saw_dh = any(
            isinstance(key, DhEphemeralKeyInfo) and not isinstance(key, EcDhEphemeralKeyInfo)
            for key in ephemeral_keys
        )

        assert saw_dh
        assert saw_ecdh
예제 #13
    def test_ecdsa_cipher_suites(self):
        """Check that a TLS 1.2 scan of ecc256.badssl.com reports exactly the expected ECDSA suites."""
        # Given a server to scan that supports ECDSA cipher suites
        target = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("ecc256.badssl.com", 443)
        connectivity = ServerConnectivityTester().perform(target)

        # When scanning for cipher suites, it succeeds
        result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(connectivity)

        # Then the ECDSA cipher suites, and nothing else, were detected.
        # NOTE(review): strict set equality against a live third-party host; the expected set
        # must be updated whenever that host's configuration changes.
        ecdsa_suites = {
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
        }
        reported_suites = {entry.cipher_suite.name for entry in result.accepted_cipher_suites}
        assert ecdsa_suites == reported_suites