def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the scan jobs that enumerate cipher suites for ``cls._tls_version``.

    One job is created for every cipher suite that ``CipherSuitesRepository`` returns for
    this TLS version, followed by one job that asks for the preferred cipher suite.

    Args:
        server_info: The server to scan; passed unchanged to every job.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        The per-cipher-suite jobs, with the preferred-cipher-suite job as the last entry.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    tls_version = cls._tls_version

    # One job per cipher suite to test for.
    scan_jobs = []
    for candidate_suite in CipherSuitesRepository.get_all_cipher_suites(tls_version):
        scan_jobs.append(
            ScanJob(
                function_to_call=connect_with_cipher_suite,
                function_arguments=[server_info, tls_version, candidate_suite],
            )
        )

    # One extra job, queued last, to find the preferred cipher suite.
    scan_jobs.append(
        ScanJob(function_to_call=get_preferred_cipher_suite, function_arguments=[server_info, tls_version])
    )
    return scan_jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the two renegotiation scan jobs for a server.

    Args:
        server_info: The server to scan; the only argument handed to each job.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        A two-element list: the secure-renegotiation job, then the client-renegotiation job.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    secure_reneg_job = ScanJob(function_to_call=_test_secure_renegotiation, function_arguments=[server_info])
    client_reneg_job = ScanJob(function_to_call=_test_client_renegotiation, function_arguments=[server_info])
    return [secure_reneg_job, client_reneg_job]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[CertificateInfoExtraArguments] = None
) -> List[ScanJob]:
    """Build the jobs that retrieve the server's certificate chains.

    The handshake is varied (TLS version and cipher string) so that the scan looks like
    different kinds of clients and can retrieve different certificates from the server.

    Args:
        server_info: The server to scan.
        extra_arguments: Optional; when truthy, its ``custom_ca_file`` is carried along
            with every job's arguments.

    Returns:
        Three ``get_certificate_chain`` jobs, one per handshake variant.
    """
    custom_ca_file = None
    if extra_arguments:
        custom_ca_file = extra_arguments.custom_ca_file

    highest_version = server_info.tls_probing_result.highest_tls_version_supported
    if highest_version >= OpenSslVersionEnum.TLSV1_3:
        handshake_variants = [
            # The default certificate chain sent to clients using TLS 1.3
            (OpenSslVersionEnum.TLSV1_3, None),
            # The chains sent to TLS 1.2 clients that support or don't support RSA
            (OpenSslVersionEnum.TLSV1_2, "RSA"),
            (OpenSslVersionEnum.TLSV1_2, "ALL:-RSA"),
        ]
    else:
        # No TLS version is forced here; only the cipher string varies (default, RSA, non-RSA).
        handshake_variants = [(None, None), (None, "RSA"), (None, "ALL:-RSA")]

    # get_certificate_chain() does not need custom_ca_file, but it has to travel with the
    # arguments so it can eventually be used in result_for_completed_scan_jobs().
    call_arguments: List[ArgumentsToGetCertificateChain] = [
        (server_info, custom_ca_file, tls_version, cipher_string)
        for tls_version, cipher_string in handshake_variants
    ]
    return [ScanJob(function_to_call=get_certificate_chain, function_arguments=args) for args in call_arguments]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build one scan job per elliptic curve in ``OpenSslEcNidEnum``.

    Args:
        server_info: The server to scan; its TLS probing result decides whether curves are tested.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        One ``_test_curve`` job per curve when the probing result reports ECDH key exchange
        support; otherwise a single ``_raise_elliptic_curve_not_supported`` job with no arguments.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    if server_info.tls_probing_result.supports_ecdh_key_exchange:
        # The curves are listed in https://tools.ietf.org/html/rfc4492#section-5.1.1 and
        # https://tools.ietf.org/html/rfc8446#section-4.2.7
        curve_jobs = []
        for curve_nid in OpenSslEcNidEnum:
            curve_jobs.append(ScanJob(function_to_call=_test_curve, function_arguments=[server_info, curve_nid]))
        return curve_jobs

    # Nothing to test: the server doesn't support EC key exchange
    return [ScanJob(function_to_call=_raise_elliptic_curve_not_supported, function_arguments=[])]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the session-resumption scan jobs (session IDs, then TLS tickets).

    Args:
        server_info: The server to scan.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        The session-ID jobs from ``_create_resume_with_session_id_scan_jobs`` followed by
        a single TLS-ticket job.

    Raises:
        ValueError: If ``extra_arguments`` is truthy.
    """
    # NOTE(review): this raises the built-in ValueError; confirm callers do not expect a
    # plugin-specific usage error here.
    if extra_arguments:
        raise ValueError("This plugin does not take extra arguments")

    # Session ID support
    session_id_scan_jobs = _create_resume_with_session_id_scan_jobs(
        server_info, cls._SESSION_ID_RESUMPTION_ATTEMPTS_NB
    )

    # TLS tickets support: use TLS 1.2 even if the server supports TLS 1.3 or higher, as
    # session resumption is different with TLS 1.3.
    highest_version = server_info.tls_probing_result.highest_tls_version_supported
    tls_version_to_use = (
        TlsVersionEnum.TLS_1_2 if highest_version.value >= TlsVersionEnum.TLS_1_3.value else highest_version
    )
    ticket_job = ScanJob(function_to_call=resume_with_tls_ticket, function_arguments=[server_info, tls_version_to_use])

    return session_id_scan_jobs + [ticket_job]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[MockPlugin1ExtraArguments] = None
) -> List[ScanJob]:
    """Build ``cls._scan_jobs_count`` "do nothing" jobs to imitate a real plugin.

    Args:
        server_info: Unused by this mock.
        extra_arguments: Unused by this mock.

    Returns:
        ``cls._scan_jobs_count`` jobs, each calling ``_do_nothing`` with ``["test", 12]``.
    """
    scan_jobs = []
    for _ in range(cls._scan_jobs_count):
        # A fresh argument list per job, so jobs never share a mutable list.
        scan_jobs.append(ScanJob(function_to_call=_do_nothing, function_arguments=["test", 12]))
    return scan_jobs
def _create_resume_with_session_id_scan_jobs(
    server_info: ServerConnectivityInfo, resumption_attempts_nb: int
) -> List[ScanJob]:
    """Build ``resumption_attempts_nb`` session-ID resumption jobs for a server.

    Args:
        server_info: The server to scan; the only argument handed to each job.
        resumption_attempts_nb: How many ``resume_with_session_id`` jobs to create.

    Returns:
        One job per attempt; empty when ``resumption_attempts_nb`` is zero or negative,
        because ``range()`` yields nothing for such values.
    """
    resumption_jobs = []
    for _ in range(resumption_attempts_nb):
        resumption_jobs.append(ScanJob(function_to_call=resume_with_session_id, function_arguments=[server_info]))
    return resumption_jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArgument] = None
) -> List[ScanJob]:
    """Build ten identical jobs that call ``cls._job_work_function`` with ``["test"]``.

    Args:
        server_info: Unused here.
        extra_arguments: Unused here.

    Returns:
        A list of ten jobs.
    """
    jobs = []
    for _ in range(10):
        jobs.append(ScanJob(function_to_call=cls._job_work_function, function_arguments=["test"]))
    return jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArgument] = None
) -> List[ScanJob]:
    """Build the single job that retrieves and analyzes the server's HTTP response.

    Args:
        server_info: The server to scan; its network configuration must not have
            ``tls_opportunistic_encryption`` set.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        A one-element list holding the ``_retrieve_and_analyze_http_response`` job.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy, or if
            ``tls_opportunistic_encryption`` is set on the network configuration.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    # A server configured for opportunistic encryption is treated as a non-HTTP server,
    # so it is rejected up front instead of queuing a job.
    opportunistic_encryption = server_info.network_configuration.tls_opportunistic_encryption
    if opportunistic_encryption:
        raise ScanCommandWrongUsageError("Cannot scan for HTTP headers against a non-HTTP server.")

    http_response_job = ScanJob(function_to_call=_retrieve_and_analyze_http_response, function_arguments=[server_info])
    return [http_response_job]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the two renegotiation scan jobs, pinned to a TLS version below 1.3.

    Args:
        server_info: The server to scan; its highest supported TLS version selects the
            version handed to the jobs.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        A two-element list: the secure-renegotiation job, then the client-renegotiation job.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    # Use TLS 1.2 even if the server supports TLS 1.3 or higher, as there is no reneg with TLS 1.3
    highest_version = server_info.tls_probing_result.highest_tls_version_supported
    tls_version_to_use = (
        TlsVersionEnum.TLS_1_2 if highest_version.value >= TlsVersionEnum.TLS_1_3.value else highest_version
    )

    job_arguments_for = lambda: [server_info, tls_version_to_use]  # noqa: E731 - fresh list per job
    secure_reneg_job = ScanJob(function_to_call=_test_secure_renegotiation, function_arguments=job_arguments_for())
    client_reneg_job = ScanJob(function_to_call=_test_client_renegotiation, function_arguments=job_arguments_for())
    return [secure_reneg_job, client_reneg_job]
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArgument] = None
) -> List[ScanJob]:
    """Build the single job that tests early data support.

    Args:
        server_info: The server to scan; the only argument handed to the job.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        A one-element list holding the ``_test_early_data_support`` job.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    early_data_job = ScanJob(function_to_call=_test_early_data_support, function_arguments=[server_info])
    return [early_data_job]
def scan_jobs_for_scan_command(
    cls,
    server_info: ServerConnectivityInfo,
    extra_arguments: Optional[SessionResumptionSupportExtraArgument] = None,
) -> List[ScanJob]:
    """Build the session-resumption scan jobs (session IDs, then TLS tickets).

    Args:
        server_info: The server to scan; the only argument handed to each job.
        extra_arguments: Optional; when truthy, its ``number_of_resumptions_to_attempt``
            replaces ``cls._DEFAULT_RESUMPTION_ATTEMPTS`` as the number of attempts.

    Returns:
        The session-ID jobs followed by the TLS-ticket jobs, one of each per attempt.
    """
    number_of_resumption_attempts = (
        extra_arguments.number_of_resumptions_to_attempt if extra_arguments else cls._DEFAULT_RESUMPTION_ATTEMPTS
    )
    # NOTE(review): the count comes from caller-supplied extra arguments and is used as-is.
    # range() yields nothing for zero or negative values, so such a value silently produces
    # no jobs, and a large value queues that many jobs of each kind. Consider validating it
    # where the extra argument is constructed - confirm whether that already happens.

    # Session ID support
    session_id_scan_jobs = []
    for _ in range(number_of_resumption_attempts):
        session_id_scan_jobs.append(
            ScanJob(function_to_call=resume_with_session_id, function_arguments=[server_info])
        )

    # TLS tickets support
    tls_ticket_scan_jobs = []
    for _ in range(number_of_resumption_attempts):
        tls_ticket_scan_jobs.append(
            ScanJob(function_to_call=resume_with_tls_ticket, function_arguments=[server_info])
        )

    return session_id_scan_jobs + tls_ticket_scan_jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArgument] = None
) -> List[ScanJob]:
    """Build ``cls._scan_jobs_count`` "do nothing" jobs to imitate a real plugin.

    Args:
        server_info: Unused by this mock.
        extra_arguments: Only checked for presence; whether it is ``None`` is forwarded
            to every job as a boolean.

    Returns:
        ``cls._scan_jobs_count`` jobs, each calling ``cls._scan_job_work_function`` with
        ``["test", 12, <extra arguments were received>]``.
    """
    did_receive_extra_arguments = extra_arguments is not None

    scan_jobs = []
    for _ in range(cls._scan_jobs_count):
        scan_jobs.append(
            ScanJob(
                function_to_call=cls._scan_job_work_function,
                function_arguments=["test", 12, did_receive_extra_arguments],
            )
        )
    return scan_jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the repeated ``test_robot`` scan jobs for a server.

    Args:
        server_info: The server to scan; the only argument handed to each job.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        ``cls._TEST_ATTEMPTS_NB`` identical ``test_robot`` jobs.

    Raises:
        ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
    """
    if extra_arguments:
        raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

    # The test is repeated (three times, per the original comment; the actual count is
    # cls._TEST_ATTEMPTS_NB) to ensure the results are consistent.
    robot_jobs = []
    for _ in range(cls._TEST_ATTEMPTS_NB):
        robot_jobs.append(ScanJob(function_to_call=test_robot, function_arguments=[server_info]))
    return robot_jobs
def _create_resume_with_session_id_scan_jobs(
    server_info: ServerConnectivityInfo, resumption_attempts_nb: int
) -> List[ScanJob]:
    """Build ``resumption_attempts_nb`` session-ID resumption jobs, pinned below TLS 1.3.

    Args:
        server_info: The server to scan; its highest supported TLS version selects the
            version handed to the jobs.
        resumption_attempts_nb: How many ``resume_with_session_id`` jobs to create.

    Returns:
        One job per attempt; empty when ``resumption_attempts_nb`` is zero or negative,
        because ``range()`` yields nothing for such values.
    """
    # Use TLS 1.2 even if the server supports TLS 1.3 or higher, as session resumption is
    # different with TLS 1.3.
    highest_version = server_info.tls_probing_result.highest_tls_version_supported
    tls_version_to_use = (
        TlsVersionEnum.TLS_1_2 if highest_version.value >= TlsVersionEnum.TLS_1_3.value else highest_version
    )

    resumption_jobs = []
    for _ in range(resumption_attempts_nb):
        resumption_jobs.append(
            ScanJob(function_to_call=resume_with_session_id, function_arguments=[server_info, tls_version_to_use])
        )
    return resumption_jobs
def scan_jobs_for_scan_command(
    cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
) -> List[ScanJob]:
    """Build the session-resumption scan jobs (session IDs, then TLS tickets).

    Args:
        server_info: The server to scan.
        extra_arguments: Must be empty; this plugin accepts no extra arguments.

    Returns:
        The session-ID jobs from ``_create_resume_with_session_id_scan_jobs`` followed by
        a single TLS-ticket job.

    Raises:
        ValueError: If ``extra_arguments`` is truthy.
    """
    # NOTE(review): this raises the built-in ValueError; confirm callers do not expect a
    # plugin-specific usage error here.
    if extra_arguments:
        raise ValueError("This plugin does not take extra arguments")

    # Session ID support
    session_id_scan_jobs = _create_resume_with_session_id_scan_jobs(
        server_info, cls._SESSION_ID_RESUMPTION_ATTEMPTS_NB
    )

    # TLS tickets support
    ticket_job = ScanJob(function_to_call=resume_with_tls_ticket, function_arguments=[server_info])

    return session_id_scan_jobs + [ticket_job]