def test_server_cipher_ordering(self):
configured_ciphers = [
'ECDHE-RSA-CHACHA20-POLY1305', 'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA',
'ECDHE-RSA-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384',
'AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'
]
random.shuffle(configured_ciphers)
cipher_string = ":".join(configured_ciphers)
with ModernOpenSslServer(cipher=cipher_string,
prefer_server_order=True) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# OpenSslCipherSuitesPlugin works even when a client cert was not supplied
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Tlsv12ScanCommand())
detected_ciphers = [
c.openssl_name for c in plugin_result.accepted_cipher_list
]
assert configured_ciphers == detected_ciphers
def test_sslv2_enabled(self):
try:
with VulnerableOpenSslServer() as server:
server_info = ServerConnectivityInfo(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv20ScanCommand())
except NotOnLinux64Error:
# The test suite only has the vulnerable OpenSSL version compiled for Linux 64 bits
logging.warning('WARNING: Not on Linux - skipping test_sslv2_enabled() test')
return
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5',
'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5',
'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertFalse(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_tlsv1_1_enabled(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_1')
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEquals(
{
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}, set(accepted_cipher_name_list))
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_null_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='null.badssl.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
expected_ciphers = {
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA'
}
assert expected_ciphers == set(
[cipher.name for cipher in plugin_result.accepted_cipher_list])
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_sslv3_enabled(self):
with VulnerableOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Sslv30ScanCommand())
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEqual(
{
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
'TLS_ECDHE_RSA_WITH_NULL_SHA',
'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDH_anon_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5',
'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5',
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA',
'TLS_DH_anon_WITH_DES_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA',
'TLS_RSA_WITH_DES_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_MD5',
'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA',
'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_RC4_128_MD5'
}, set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_sslv2_enabled(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv20ScanCommand())
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5',
'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5',
'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertFalse(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_null_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='null.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEquals(
{
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA'
}, set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_tlsv1_2_enabled(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
# Also do full HTTP connections
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand(http_get=True))
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_sslv2_enabled(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Sslv20ScanCommand())
# The embedded server does not have a preference
assert not plugin_result.preferred_cipher
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
assert {
'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5',
'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5',
'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5'
} == set(accepted_cipher_name_list)
assert plugin_result.accepted_cipher_list
assert not plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_tlsv1_2_enabled(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
# Also do full HTTP connections
plugin_result = plugin.process_task(server_info,
Tlsv12ScanCommand(http_get=True))
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEquals(
{
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}, set(accepted_cipher_name_list))
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
try:
with VulnerableOpenSslServer(
client_auth_config=
ClientAuthenticationServerConfigurationEnum.REQUIRED
) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# OpenSslCipherSuitesPlugin works even when a client cert was not supplied
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Sslv30ScanCommand())
except NotOnLinux64Error:
logging.warning('WARNING: Not on Linux - skipping test')
return
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_tlsv1_2_enabled(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
# Also do full HTTP connections
plugin_result = plugin.process_task(server_info,
Tlsv12ScanCommand(http_get=True))
assert plugin_result.preferred_cipher
assert plugin_result.accepted_cipher_list
expected_ciphers = {
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'
}
assert expected_ciphers == set(
[cipher.name for cipher in plugin_result.accepted_cipher_list])
assert plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def _get_plugin_result(self, hostname, command=Tlsv12ScanCommand()):
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, command)
return plugin_result
def test_smtp_post_handshake_response(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self._test_plugin_outputs(plugin_result)
def test_tls_1_3_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='www.cloudflare.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv13ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
assert {'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256'} == \
set(accepted_cipher_name_list)
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname='dh480.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1')
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], '480')
def test_tls_1_3_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='www.cloudflare.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv13ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'TLS13-AES-128-GCM-SHA256', 'TLS13-AES-256-GCM-SHA384', 'TLS13-CHACHA20-POLY1305-SHA256'},
set(accepted_cipher_name_list))
def test_smtp_post_handshake_response(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname=u'dh480.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1')
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], '480')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname=u'dh1024.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], u'1024')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_tls_1_3_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='www.cloudflare.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv13ScanCommand())
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
assert {'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256'} == \
set(accepted_cipher_name_list)
def test_rc4_md5_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname=u'rc4-md5.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEquals({'TLS_RSA_WITH_RC4_128_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_rc4_md5_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname=u'rc4-md5.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEquals({'TLS_RSA_WITH_RC4_128_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_post_handshake_response(self):
server_test = ServerConnectivityTester(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP
)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_tls_1_3_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='www.cloudflare.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv13ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
# TODO(AD): Update to TLS 1.3 draft 23 and re-enable this test
return
self.assertEqual({'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256'},
set(accepted_cipher_name_list))
def test_sslv3_disabled(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'sslv3')
self.assertIsNone(plugin_result.preferred_cipher)
self.assertFalse(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sslv3_disabled(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'sslv3')
self.assertIsNone(plugin_result.preferred_cipher)
self.assertFalse(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_rc4_md5_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='rc4-md5.badssl.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
assert {'TLS_RSA_WITH_RC4_128_MD5'} == set(accepted_cipher_name_list)
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname='dh1024.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'],
'1024')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_follows_client_cipher_suite_preference(self):
# Google.com does not follow client cipher suite preference
plugin_result = self._get_plugin_result('www.google.com')
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
# Sogou.com follows client cipher suite preference
server_info = ServerConnectivityInfo(hostname='www.sogou.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self._test_plugin_outputs(plugin_result)
def test_rc4_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='rc4.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
self.assertEquals(
{'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_SHA'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_rc4_md5_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='rc4-md5.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'TLS_RSA_WITH_RC4_128_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_sslv2_disabled(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv20ScanCommand())
self.assertIsNone(plugin_result.preferred_cipher)
self.assertFalse(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_tlsv1_0_disabled(self):
server_test = ServerConnectivityTester(hostname='success.trendmicro.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv10ScanCommand())
assert plugin_result.preferred_cipher is None
assert not plugin_result.accepted_cipher_list
assert plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_sslv2_disabled(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv20ScanCommand())
assert plugin_result.preferred_cipher is None
assert not plugin_result.accepted_cipher_list
assert plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_rc4_md5_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='rc4-md5.badssl.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
assert {'TLS_RSA_WITH_RC4_128_MD5'} == set(accepted_cipher_name_list)
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_sslv3_enabled(self):
with LegacyOpenSslServer() as server:
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv30ScanCommand())
# The embedded server does not have a preference
assert not plugin_result.preferred_cipher
expected_ciphers = {
'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_SEED_CBC_SHA', 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDH_anon_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5', 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA',
'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5',
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA', 'TLS_DH_anon_WITH_DES_CBC_SHA',
'TLS_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_DES_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA',
'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_RC4_128_MD5'
}
assert expected_ciphers == set([cipher.name for cipher in plugin_result.accepted_cipher_list])
assert plugin_result.accepted_cipher_list
assert plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_tls_1_3_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname='www.cloudflare.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv13ScanCommand())
accepted_cipher_name_list = [
cipher.name for cipher in plugin_result.accepted_cipher_list
]
# TODO(AD): Update to TLS 1.3 draft 23 and re-enable this test
return
self.assertEqual(
{
'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_256_GCM_SHA384',
'TLS_AES_128_GCM_SHA256'
}, set(accepted_cipher_name_list))
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with ModernOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# OpenSslCipherSuitesPlugin works even when a client cert was not supplied
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_tlsv1_0_disabled(self):
server_test = ServerConnectivityTester(
hostname='success.trendmicro.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv10ScanCommand())
self.assertIsNone(plugin_result.preferred_cipher)
self.assertFalse(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_succeeds_when_client_auth_failed_tls_1_3(self):
# Given a TLS 1.3 server that requires client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# OpenSslCipherSuitesPlugin works even when a client cert was not supplied
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info,
Tlsv13ScanCommand())
assert plugin_result.accepted_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_null_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname=u'null.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEquals({'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
'TLS_DH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA256', 'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_GCM_SHA256', 'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_NULL_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA', 'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_follows_client_cipher_suite_preference(self):
# Google.com does not follow client cipher suite preference
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
# Sogou.com follows client cipher suite preference
server_info = ServerConnectivityInfo(hostname=u'www.sogou.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_2')
self.assertIsNone(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
def test_tlsv1_1_enabled(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1_1')
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEquals({'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_null_cipher_suites(self):
server_test = ServerConnectivityTester(hostname='null.badssl.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
'TLS_DH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA256', 'TLS_DH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_GCM_SHA256', 'TLS_DH_anon_WITH_SEED_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_NULL_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA', 'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_sslv3_enabled(self):
with VulnerableOpenSslServer() as server:
server_info = ServerConnectivityInfo(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv30ScanCommand())
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_WITH_AES_128_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
'TLS_DH_anon_WITH_SEED_CBC_SHA', 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5',
'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_AES_256_CBC_SHA',
'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDH_anon_WITH_RC4_128_SHA',
'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA',
'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5', 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA',
'TLS_ECDH_anon_WITH_NULL_SHA',
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA',
'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5',
'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA', 'TLS_DH_anon_WITH_DES_CBC_SHA',
'TLS_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_DES_CBC_SHA',
'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA',
'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_RC4_128_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self._test_plugin_outputs(plugin_result)
def test_follows_client_cipher_suite_preference(self):
# Google.com does not follow client cipher suite preference
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
# Sogou.com follows client cipher suite preference
server_test = ServerConnectivityTester(hostname='www.sogou.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertIsNone(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_tlsv1_1_enabled(self):
server_test = ServerConnectivityTester(hostname='www.google.com')
server_info = server_test.perform()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv11ScanCommand())
assert plugin_result.preferred_cipher
assert plugin_result.accepted_cipher_list
expected_ciphers = {
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}
assert expected_ciphers == set([cipher.name for cipher in plugin_result.accepted_cipher_list])
assert plugin_result.rejected_cipher_list
assert not plugin_result.errored_cipher_list
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_sslv2_enabled(self):
with VulnerableOpenSslServer() as server:
server_info = ServerConnectivityInfo(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Sslv20ScanCommand())
# The embedded server does not have a preference
self.assertFalse(plugin_result.preferred_cipher)
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEqual({'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5',
'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5',
'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.accepted_cipher_list)
self.assertFalse(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self._test_plugin_outputs(plugin_result)
def test_follows_client_cipher_suite_preference(self):
# Google.com does not follow client cipher suite preference
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
# Sogou.com follows client cipher suite preference
server_info = ServerConnectivityInfo(hostname=u'www.sogou.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertIsNone(plugin_result.preferred_cipher)
self.assertTrue(plugin_result.accepted_cipher_list)
for cipher in plugin_result.accepted_cipher_list:
print " {}".format(cipher.name)
elif plugin_result.plugin_command == "reneg":
reneg_result = plugin_result
print "Client renegotiation: {}".format(plugin_result.accepts_client_renegotiation)
print "Secure renegotiation: {}".format(plugin_result.supports_secure_renegotiation)
elif plugin_result.plugin_command == "certinfo_basic":
print "Server Certificate CN: {}".format(plugin_result.certificate_chain[0].as_dict["subject"]["commonName"])
# All plugin results also always expose two APIs:
# What the SSLyze CLI would output to the console
print "\nSSLyze text output"
for line in reneg_result.as_text():
print line
print "\nSSLyze XML node"
# The XML node for the SSLyze CLI XML output
print reneg_result.as_xml()
# You should use the process pool to make scans quick, but you can also call plugins directly
from sslyze.plugins.openssl_cipher_suites_plugin import OpenSslCipherSuitesPlugin
print "\nCalling a plugin directly..."
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, "tlsv1")
for cipher in plugin_result.accepted_cipher_list:
print " {}".format(cipher.name)
