예제 #1
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the scan jobs that enumerate cipher suites for ``cls._tls_version``.

        One job is created per cipher suite returned by
        ``CipherSuitesRepository.get_all_cipher_suites()``, followed by a single
        job that calls ``get_preferred_cipher_suite``.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            The per-cipher-suite jobs, with the preferred-cipher-suite job last.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError(
                "This plugin does not take extra arguments")

        tls_version = cls._tls_version
        scan_jobs = []

        # Each candidate cipher suite gets its own connection attempt
        for cipher_suite in CipherSuitesRepository.get_all_cipher_suites(tls_version):
            scan_jobs.append(
                ScanJob(
                    function_to_call=connect_with_cipher_suite,
                    function_arguments=[server_info, cls._tls_version, cipher_suite],
                )
            )

        # The final job asks which cipher suite the server prefers
        preferred_cipher_suite_job = ScanJob(
            function_to_call=get_preferred_cipher_suite,
            function_arguments=[server_info, cls._tls_version],
        )
        scan_jobs.append(preferred_cipher_suite_job)
        return scan_jobs
예제 #2
    def scan_jobs_for_scan_command(
        cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the two renegotiation scan jobs for ``server_info``.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            A job calling ``_test_secure_renegotiation`` followed by a job calling
            ``_test_client_renegotiation``.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

        # Both checks receive the same single argument: the server to test
        secure_renegotiation_job = ScanJob(
            function_to_call=_test_secure_renegotiation, function_arguments=[server_info]
        )
        client_renegotiation_job = ScanJob(
            function_to_call=_test_client_renegotiation, function_arguments=[server_info]
        )
        return [secure_renegotiation_job, client_renegotiation_job]
예제 #3
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[CertificateInfoExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the jobs that retrieve the server's certificate chains.

        Three handshake configurations are attempted so that the server may
        return a different certificate chain for each kind of client.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Optional arguments; only ``custom_ca_file`` is read.

        Returns:
            One job per handshake configuration, each calling
            ``get_certificate_chain``.
        """
        custom_ca_file = None
        if extra_arguments:
            custom_ca_file = extra_arguments.custom_ca_file

        # Each entry is (TLS version to force, OpenSSL cipher string); None means "not specified"
        if server_info.tls_probing_result.highest_tls_version_supported >= OpenSslVersionEnum.TLSV1_3:
            handshake_variants = [
                # Default certificate chain sent to TLS 1.3 clients
                (OpenSslVersionEnum.TLSV1_3, None),
                # Chains sent to TLS 1.2 clients that do / do not support RSA
                (OpenSslVersionEnum.TLSV1_2, "RSA"),
                (OpenSslVersionEnum.TLSV1_2, "ALL:-RSA"),
            ]
        else:
            handshake_variants = [
                # Chains sent to clients that do / do not support RSA
                (None, None),
                (None, "RSA"),
                (None, "ALL:-RSA"),
            ]

        # get_certificate_chain() has no use for custom_ca_file, but it travels with the job arguments so that
        # result_for_completed_scan_jobs() can eventually use it
        call_arguments: List[ArgumentsToGetCertificateChain] = [
            (server_info, custom_ca_file, tls_version, cipher_string)
            for tls_version, cipher_string in handshake_variants
        ]

        scan_jobs = []
        for call_arg in call_arguments:
            scan_jobs.append(ScanJob(function_to_call=get_certificate_chain, function_arguments=call_arg))
        return scan_jobs
    def scan_jobs_for_scan_command(
        cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build one scan job per elliptic curve in ``OpenSslEcNidEnum``.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            One ``_test_curve`` job per curve, or a single job calling
            ``_raise_elliptic_curve_not_supported`` when the probing result says
            the server does not support ECDH key exchange.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

        if server_info.tls_probing_result.supports_ecdh_key_exchange:
            # The curves are listed in https://tools.ietf.org/html/rfc4492#section-5.1.1 and
            # https://tools.ietf.org/html/rfc8446#section-4.2.7
            curve_jobs = []
            for curve_nid in OpenSslEcNidEnum:
                curve_jobs.append(ScanJob(function_to_call=_test_curve, function_arguments=[server_info, curve_nid]))
            return curve_jobs

        # No EC key exchange on this server, so there is nothing to test: schedule only the placeholder job
        not_supported_job = ScanJob(function_to_call=_raise_elliptic_curve_not_supported, function_arguments=[])
        return [not_supported_job]
예제 #5
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the session-resumption scan jobs (session IDs, then TLS tickets).

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            The jobs from ``_create_resume_with_session_id_scan_jobs()`` followed
            by one ``resume_with_tls_ticket`` job.

        Raises:
            ValueError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ValueError("This plugin does not take extra arguments")

        # Session ID resumption: delegated to the helper, with the class-level attempt count
        session_id_scan_jobs = _create_resume_with_session_id_scan_jobs(
            server_info, cls._SESSION_ID_RESUMPTION_ATTEMPTS_NB
        )

        # TLS ticket resumption: session resumption is different with TLS 1.3, so cap the version at TLS 1.2
        # even when the server supports TLS 1.3 or higher
        highest_version = server_info.tls_probing_result.highest_tls_version_supported
        tls_version_to_use = (
            TlsVersionEnum.TLS_1_2
            if highest_version.value >= TlsVersionEnum.TLS_1_3.value
            else highest_version
        )
        tls_ticket_job = ScanJob(
            function_to_call=resume_with_tls_ticket,
            function_arguments=[server_info, tls_version_to_use],
        )

        return session_id_scan_jobs + [tls_ticket_job]
예제 #6
 def scan_jobs_for_scan_command(
     cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[MockPlugin1ExtraArguments] = None
 ) -> List[ScanJob]:
     """Build ``cls._scan_jobs_count`` placeholder jobs that each call ``_do_nothing``.

     Neither ``server_info`` nor ``extra_arguments`` is read; the jobs only
     imitate the workload of a real plugin.
     """
     placeholder_jobs = []
     for _ in range(cls._scan_jobs_count):
         placeholder_jobs.append(ScanJob(function_to_call=_do_nothing, function_arguments=["test", 12]))
     return placeholder_jobs
예제 #7
def _create_resume_with_session_id_scan_jobs(
        server_info: ServerConnectivityInfo,
        resumption_attempts_nb: int) -> List[ScanJob]:
    """Build ``resumption_attempts_nb`` jobs that each call ``resume_with_session_id``.

    Args:
        server_info: Connectivity information passed to every job.
        resumption_attempts_nb: Number of jobs to create; zero or a negative
            value produces an empty list.

    Returns:
        The list of session ID resumption jobs.
    """
    resumption_jobs = []
    for _ in range(resumption_attempts_nb):
        # A separate ScanJob per attempt, all with the same arguments
        resumption_jobs.append(
            ScanJob(function_to_call=resume_with_session_id, function_arguments=[server_info])
        )
    return resumption_jobs
예제 #8
 def scan_jobs_for_scan_command(
     cls,
     server_info: ServerConnectivityInfo,
     extra_arguments: Optional[ScanCommandExtraArgument] = None
 ) -> List[ScanJob]:
     """Build ten jobs that each call ``cls._job_work_function`` with ``"test"``.

     Neither ``server_info`` nor ``extra_arguments`` is read.
     """
     jobs = []
     for _ in range(10):
         jobs.append(ScanJob(function_to_call=cls._job_work_function, function_arguments=["test"]))
     return jobs
예제 #9
    def scan_jobs_for_scan_command(
        cls, server_info: ServerConnectivityInfo, extra_arguments: Optional[ScanCommandExtraArgument] = None
    ) -> List[ScanJob]:
        """Build the single job that retrieves and analyzes the server's HTTP response.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            A one-element list with a ``_retrieve_and_analyze_http_response`` job.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy, or if
                the server's network configuration has
                ``tls_opportunistic_encryption`` set.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError("This plugin does not take extra arguments")

        # A server configured for opportunistic encryption is treated as non-HTTP, so the scan is refused
        uses_opportunistic_encryption = server_info.network_configuration.tls_opportunistic_encryption
        if uses_opportunistic_encryption:
            raise ScanCommandWrongUsageError("Cannot scan for HTTP headers against a non-HTTP server.")

        http_response_job = ScanJob(
            function_to_call=_retrieve_and_analyze_http_response, function_arguments=[server_info]
        )
        return [http_response_job]
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the two renegotiation scan jobs, pinned to a TLS version of at most 1.2.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            A ``_test_secure_renegotiation`` job followed by a
            ``_test_client_renegotiation`` job, both given the selected TLS version.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError(
                "This plugin does not take extra arguments")

        # TLS 1.3 has no renegotiation, so fall back to TLS 1.2 when the server supports TLS 1.3 or higher
        highest_version = server_info.tls_probing_result.highest_tls_version_supported
        tls_version_to_use = (
            TlsVersionEnum.TLS_1_2
            if highest_version.value >= TlsVersionEnum.TLS_1_3.value
            else highest_version
        )

        renegotiation_jobs = []
        for renegotiation_check in (_test_secure_renegotiation, _test_client_renegotiation):
            renegotiation_jobs.append(
                ScanJob(
                    function_to_call=renegotiation_check,
                    function_arguments=[server_info, tls_version_to_use],
                )
            )
        return renegotiation_jobs
예제 #11
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArgument] = None
    ) -> List[ScanJob]:
        """Build the single job that tests the server for early data support.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            A one-element list with a ``_test_early_data_support`` job.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError(
                "This plugin does not take extra arguments")

        early_data_job = ScanJob(
            function_to_call=_test_early_data_support,
            function_arguments=[server_info],
        )
        return [early_data_job]
예제 #12
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[SessionResumptionSupportExtraArgument] = None,
    ) -> List[ScanJob]:
        """Build the session-resumption scan jobs (session IDs, then TLS tickets).

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Optional arguments; when truthy, its
                ``number_of_resumptions_to_attempt`` replaces
                ``cls._DEFAULT_RESUMPTION_ATTEMPTS``.

        Returns:
            All ``resume_with_session_id`` jobs followed by all
            ``resume_with_tls_ticket`` jobs, the same number of each.
        """
        number_of_resumption_attempts = (
            extra_arguments.number_of_resumptions_to_attempt
            if extra_arguments
            else cls._DEFAULT_RESUMPTION_ATTEMPTS
        )
        # NOTE(review): a caller-supplied count of 0 or below yields an empty job list here;
        # no validation is visible in this method - confirm it is done where the argument is built.

        scan_jobs = []

        # Session ID resumption attempts come first
        for _ in range(number_of_resumption_attempts):
            scan_jobs.append(ScanJob(function_to_call=resume_with_session_id, function_arguments=[server_info]))

        # Then the same number of TLS ticket resumption attempts
        for _ in range(number_of_resumption_attempts):
            scan_jobs.append(ScanJob(function_to_call=resume_with_tls_ticket, function_arguments=[server_info]))

        return scan_jobs
예제 #13
 def scan_jobs_for_scan_command(
     cls,
     server_info: ServerConnectivityInfo,
     extra_arguments: Optional[ScanCommandExtraArgument] = None
 ) -> List[ScanJob]:
     """Build ``cls._scan_jobs_count`` placeholder jobs calling ``cls._scan_job_work_function``.

     Each job receives ``"test"``, ``12`` and a flag telling whether
     ``extra_arguments`` was supplied (i.e. is not ``None``). ``server_info``
     is not read; the jobs only imitate the workload of a real plugin.
     """
     got_extra_arguments = extra_arguments is not None

     placeholder_jobs = []
     for _ in range(cls._scan_jobs_count):
         placeholder_jobs.append(
             ScanJob(
                 function_to_call=cls._scan_job_work_function,
                 function_arguments=["test", 12, got_extra_arguments],
             )
         )
     return placeholder_jobs
예제 #14
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the scan jobs that run ``test_robot`` against the server.

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            ``cls._TEST_ATTEMPTS_NB`` identical ``test_robot`` jobs.

        Raises:
            ScanCommandWrongUsageError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ScanCommandWrongUsageError(
                "This plugin does not take extra arguments")

        # The same test is scheduled several times (cls._TEST_ATTEMPTS_NB) so that the results
        # can be checked for consistency
        robot_jobs = []
        for _ in range(cls._TEST_ATTEMPTS_NB):
            robot_jobs.append(ScanJob(function_to_call=test_robot, function_arguments=[server_info]))
        return robot_jobs
예제 #15
def _create_resume_with_session_id_scan_jobs(
        server_info: ServerConnectivityInfo,
        resumption_attempts_nb: int) -> List[ScanJob]:
    """Build ``resumption_attempts_nb`` session ID resumption jobs at TLS 1.2 or below.

    Args:
        server_info: Connectivity information passed to every job; its probing
            result supplies the highest TLS version the server supports.
        resumption_attempts_nb: Number of jobs to create; zero or a negative
            value produces an empty list.

    Returns:
        The list of ``resume_with_session_id`` jobs.
    """
    # Session resumption is different with TLS 1.3, so fall back to TLS 1.2 when the server
    # supports TLS 1.3 or higher
    highest_version = server_info.tls_probing_result.highest_tls_version_supported
    tls_version_to_use = (
        TlsVersionEnum.TLS_1_2
        if highest_version.value >= TlsVersionEnum.TLS_1_3.value
        else highest_version
    )

    resumption_jobs = []
    for _ in range(resumption_attempts_nb):
        resumption_jobs.append(
            ScanJob(
                function_to_call=resume_with_session_id,
                function_arguments=[server_info, tls_version_to_use],
            )
        )
    return resumption_jobs
예제 #16
    def scan_jobs_for_scan_command(
        cls,
        server_info: ServerConnectivityInfo,
        extra_arguments: Optional[ScanCommandExtraArguments] = None
    ) -> List[ScanJob]:
        """Build the session-resumption scan jobs (session IDs, then TLS tickets).

        Args:
            server_info: Connectivity information of the server to scan.
            extra_arguments: Must be falsy; this plugin accepts no extra arguments.

        Returns:
            The jobs from ``_create_resume_with_session_id_scan_jobs()`` followed
            by one ``resume_with_tls_ticket`` job.

        Raises:
            ValueError: If ``extra_arguments`` is truthy.
        """
        if extra_arguments:
            raise ValueError("This plugin does not take extra arguments")

        # Session ID resumption: delegated to the helper, with the class-level attempt count
        session_id_scan_jobs = _create_resume_with_session_id_scan_jobs(
            server_info, cls._SESSION_ID_RESUMPTION_ATTEMPTS_NB
        )

        # TLS ticket resumption: a single attempt
        tls_ticket_job = ScanJob(
            function_to_call=resume_with_tls_ticket,
            function_arguments=[server_info],
        )

        return session_id_scan_jobs + [tls_ticket_job]