def test_not_vulnerable(self):
# Given a server that is NOT vulnerable to CCS injection
server_location = ServerNetworkLocation("www.google.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for CCS injection, it succeeds
result = OpenSslCcsInjectionImplementation.scan_server(server_info)
# And the server is reported as not vulnerable
assert not result.is_vulnerable_to_ccs_injection
# And a CLI output can be generated
assert OpenSslCcsInjectionImplementation.cli_connector_cls.result_to_console_output(
result)
def test_fails_when_client_auth_failed(self):
# Given a server that does NOT support SCSV and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for SCSV, it fails as a client cert was not supplied
with pytest.raises(ClientCertificateRequested):
FallbackScsvImplementation.scan_server(server_info)
def test_fails_when_client_auth_failed(self):
# Given a TLS 1.2 server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# The plugin fails
with pytest.raises(ClientCertificateRequested):
RobotImplementation.scan_server(server_info)
def test_optional_client_auth(self):
# Given a server that supports optional client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.OPTIONAL) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
port=server.port,
ip_address=server.ip_address)
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# SSLyze correctly detects that client auth is optional
assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.OPTIONAL
def test_via_http_proxy_but_proxy_rejected_http_connect(self):
# Given a server location
server_location = ServerNetworkLocation(
hostname="www.google.com",
port=443,
# Configured with a proxy that is going to reject the HTTP CONNECT request
http_proxy_settings=HttpProxySettings("www.hotmail.com", 443),
)
# When testing connectivity, it fails with the right error
with pytest.raises(HttpProxyRejectedConnection):
check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
def test_rc4_cipher_suites(self):
# Given a server to scan that supports RC4 cipher suites
server_location = ServerNetworkLocation("rc4.badssl.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(
server_info)
# And the RC4 cipher suites were detected
assert {"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_RC4_128_SHA"} == {
accepted_cipher.cipher_suite.name
for accepted_cipher in result.accepted_cipher_suites
}
def test_via_http_proxy_but_proxy_timed_out(self):
# Given a server location
server_location = ServerNetworkLocation(
hostname="www.google.com",
port=443,
# Configured with a proxy that will time out
http_proxy_settings=HttpProxySettings("1.2.3.4", 80),
)
# When testing connectivity, it fails with the right error
with pytest.raises(ConnectionToHttpProxyTimedOut):
check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
def test_fallback_bad(self):
# Given a server that does NOT support SCSV
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for SCSV, it succeeds
result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server(
server_info)
# And the server is reported as NOT supporting SCSV
assert not result.supports_fallback_scsv
def test_fallback_good(self):
# Given a server that supports SCSV
server_location = ServerNetworkLocation("www.google.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for SCSV, it succeeds
result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server(
server_info)
# And the server is reported as supporting SCSV
assert result.supports_fallback_scsv
# And a CLI output can be generated
assert FallbackScsvImplementation.cli_connector_cls.result_to_console_output(
result)
def test_early_data_disabled(self):
# Given a server to scan that does NOT support early data because it it is disabled
with ModernOpenSslServer(max_early_data=None) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for early data support, it succeeds
result: EarlyDataScanResult = EarlyDataImplementation.scan_server(
server_info)
# And the right result is returned
assert not result.supports_early_data
def test_via_http_proxy_but_proxy_rejected_connection(self):
# Given a server location
server_location = ServerNetworkLocation(
hostname="www.google.com",
port=443,
# Configured with a proxy that's offline
http_proxy_settings=HttpProxySettings("localhost", 1234),
)
# When testing connectivity, it fails with the right error
with pytest.raises(HttpProxyRejectedConnection):
check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for compression support, it succeeds
result: CompressionScanResult = CompressionImplementation.scan_server(
server_info)
assert not result.supports_compression
def test_compression_disabled(self):
# Given a server to scan that has TLS compression disabled
server_location = ServerNetworkLocation(hostname="www.google.com",
port=443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for compression support, it succeeds
result: CompressionScanResult = CompressionImplementation.scan_server(
server_info)
# And the right result is returned
assert not result.supports_compression
# And a CLI output can be generated
assert CompressionImplementation.cli_connector_cls.result_to_console_output(
result)
def test_required_client_auth_tls_1_3(self):
# Given a TLS 1.3 server that requires client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
port=server.port,
ip_address=server.ip_address)
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# SSLyze correctly detects that client auth is required
assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_renegotiation_good(self):
# Given a server that is NOT vulnerable to insecure reneg nor client reneg DOS
server_location = ServerNetworkLocation("www.google.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for insecure reneg, it succeeds
result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
server_info)
# And the server is reported as not vulnerable
assert result.supports_secure_renegotiation
assert not result.is_vulnerable_to_client_renegotiation_dos
# And a CLI output can be generated
assert SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output(
result)
def test_via_http_proxy_but_proxy_dns_error(self):
# Given a server location
server_location = ServerNetworkLocation(
hostname="www.google.com",
port=443,
# Configured with a proxy that cannot be looked up via DNS
http_proxy_settings=HttpProxySettings(
"notarealdomain.not.real.notreal.not", 443),
)
# When testing connectivity, it fails with the right error
with pytest.raises(ConnectionToHttpProxyFailed):
check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
def test_succeeds_when_client_auth_failed(self):
# Given a server that is vulnerable to Heartbleed and that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for Heartbleed, it succeeds
result = HeartbleedImplementation.scan_server(server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_heartbleed
def test_succeeds_when_client_auth_failed_tls_1_3(self):
# Given a TLS 1.3 server that requires client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And SSLyze does NOT provide a client certificate
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Tlsv13ScanImplementation.scan_server(
server_info)
assert result.accepted_cipher_suites
def test_xmpp_but_server_rejected_opportunistic_tls(self):
# Given an XMPP server
hostname = "jabber.org"
server_location = ServerNetworkLocation(hostname=hostname, port=5222)
network_configuration = ServerNetworkConfiguration(
# But we provide a wrong XMPP setting
xmpp_to_hostname="lol.lol",
tls_server_name_indication=hostname,
tls_opportunistic_encryption=ProtocolWithOpportunisticTlsEnum.XMPP,
)
# When testing connectivity, it fails with the right error
with pytest.raises(ServerRejectedOpportunisticTlsNegotiation):
check_connectivity_to_server(
server_location=server_location,
network_configuration=network_configuration,
)
def test_expect_ct_enabled(self):
# Given a server to scan that has Expect-CT enabled
server_location = ServerNetworkLocation("github.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
# And the Expect-CT header was detected
assert result.expect_ct_header
assert result.expect_ct_header.max_age >= 0
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
result)
def test(self):
# Given a completed scan for a server with the CERTIFICATE_INFO scan command
server_location = ServerNetworkLocation("www.facebook.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
plugin_result = CertificateInfoImplementation.scan_server(server_info)
# When converting it to JSON
result_as_json = CertificateInfoScanResultAsJson.from_orm(
plugin_result).json()
# It succeeds
assert result_as_json
# And complex object like certificates were properly serialized
assert "issuer" in result_as_json
assert "subject" in result_as_json
def test_sslv3_enabled(self):
# Given a server to scan that supports SSL 3.0
with LegacyOpenSslServer(
openssl_cipher_string="ALL:COMPLEMENTOFALL") as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Sslv30ScanImplementation.scan_server(
server_info)
# The right cipher suites were detected
assert len(result.accepted_cipher_suites) == 43
assert result.rejected_cipher_suites
def test_tls_1_3_cipher_suites(self):
# Given a server to scan that supports TLS 1.3
server_location = ServerNetworkLocation("www.cloudflare.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for cipher suites, it succeeds
result: CipherSuitesScanResult = Tlsv13ScanImplementation.scan_server(
server_info)
assert result.accepted_cipher_suites
assert {
"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256"
} == {
accepted_cipher.cipher_suite.name
for accepted_cipher in result.accepted_cipher_suites
}
def test_vulnerable(self):
# Given a server that is vulnerable to Heartbleed
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for Heartbleed, it succeeds
result = HeartbleedImplementation.scan_server(server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_heartbleed
# And a CLI output can be generated
assert HeartbleedImplementation.cli_connector_cls.result_to_console_output(
result)
def test_all_headers_disabled(self):
# Given a server to scan that does not have security headers
server_location = ServerNetworkLocation("expired.badssl.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
# And no headers are detected
assert result.http_request_sent
assert result.http_path_redirected_to
assert not result.strict_transport_security_header
assert not result.expect_ct_header
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
result)
def test_tls_1_only(self):
# Given a server that only supports TLS 1.0
server_location = ServerNetworkLocation(hostname="tls-v1-0.badssl.com",
port=1010)
# When testing connectivity against it
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# It succeeds
assert tls_probing_result
assert tls_probing_result.client_auth_requirement
assert tls_probing_result.cipher_suite_supported
# And it detected that only TLS 1.0 is supported
assert tls_probing_result.highest_tls_version_supported == TlsVersionEnum.TLS_1_0
def test_ipv6(self):
# Given a server accessible via IPv6
server_location = ServerNetworkLocation(
hostname="www.google.com",
port=443,
ip_address="2607:f8b0:4005:804::2004")
# When testing connectivity against it
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# It succeeds
assert tls_probing_result
assert tls_probing_result.client_auth_requirement
assert tls_probing_result.highest_tls_version_supported
assert tls_probing_result.cipher_suite_supported
def test_early_data_enabled(self):
# Given a server to scan that supports early data
with ModernOpenSslServer(max_early_data=256) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for early data support, it succeeds
result: EarlyDataScanResult = EarlyDataImplementation.scan_server(
server_info)
# And the right result is returned
assert result.supports_early_data
# And a CLI output can be generated
assert EarlyDataImplementation.cli_connector_cls.result_to_console_output(
result)
def test_renegotiation_is_vulnerable_to_client_renegotiation_dos(self):
# Given a server that is vulnerable to client renegotiation DOS
with LegacyOpenSslServer() as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When testing for insecure reneg, it succeeds
result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server(
server_info)
# And the server is reported as vulnerable
assert result.is_vulnerable_to_client_renegotiation_dos
# And a CLI output can be generated
assert SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output(
result)
def test_via_direct_connection(self):
# Given a server location
server_location = ServerNetworkLocation("www.google.com", 443)
# When testing connectivity
tls_probing_result = check_connectivity_to_server(
server_location=server_location,
network_configuration=ServerNetworkConfiguration.
default_for_server_location(server_location),
)
# It succeeds
assert tls_probing_result.cipher_suite_supported
assert tls_probing_result.highest_tls_version_supported
assert tls_probing_result.client_auth_requirement
assert tls_probing_result.supports_ecdh_key_exchange
# And the result can be converted to JSON
tls_probing_result_as_json = _ServerTlsProbingResultAsJson.from_orm(
tls_probing_result)
assert tls_probing_result_as_json.json()