def test_not_vulnerable(self): # Given a server that is NOT vulnerable to CCS injection server_location = ServerNetworkLocation("www.google.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for CCS injection, it succeeds result = OpenSslCcsInjectionImplementation.scan_server(server_info) # And the server is reported as not vulnerable assert not result.is_vulnerable_to_ccs_injection # And a CLI output can be generated assert OpenSslCcsInjectionImplementation.cli_connector_cls.result_to_console_output( result)
def test_fails_when_client_auth_failed(self): # Given a server that does NOT support SCSV and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for SCSV, it fails as a client cert was not supplied with pytest.raises(ClientCertificateRequested): FallbackScsvImplementation.scan_server(server_info)
def test_fails_when_client_auth_failed(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # The plugin fails with pytest.raises(ClientCertificateRequested): RobotImplementation.scan_server(server_info)
def test_optional_client_auth(self): # Given a server that supports optional client authentication with ModernOpenSslServer( client_auth_config=ClientAuthConfigEnum.OPTIONAL) as server: server_location = ServerNetworkLocation( hostname=server.hostname, port=server.port, ip_address=server.ip_address) tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # SSLyze correctly detects that client auth is optional assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.OPTIONAL
def test_via_http_proxy_but_proxy_rejected_http_connect(self): # Given a server location server_location = ServerNetworkLocation( hostname="www.google.com", port=443, # Configured with a proxy that is going to reject the HTTP CONNECT request http_proxy_settings=HttpProxySettings("www.hotmail.com", 443), ) # When testing connectivity, it fails with the right error with pytest.raises(HttpProxyRejectedConnection): check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), )
def test_rc4_cipher_suites(self): # Given a server to scan that supports RC4 cipher suites server_location = ServerNetworkLocation("rc4.badssl.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server( server_info) # And the RC4 cipher suites were detected assert {"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA"} == { accepted_cipher.cipher_suite.name for accepted_cipher in result.accepted_cipher_suites }
def test_via_http_proxy_but_proxy_timed_out(self): # Given a server location server_location = ServerNetworkLocation( hostname="www.google.com", port=443, # Configured with a proxy that will time out http_proxy_settings=HttpProxySettings("1.2.3.4", 80), ) # When testing connectivity, it fails with the right error with pytest.raises(ConnectionToHttpProxyTimedOut): check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), )
def test_fallback_bad(self): # Given a server that does NOT support SCSV with LegacyOpenSslServer() as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for SCSV, it succeeds result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server( server_info) # And the server is reported as NOT supporting SCSV assert not result.supports_fallback_scsv
def test_fallback_good(self): # Given a server that supports SCSV server_location = ServerNetworkLocation("www.google.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for SCSV, it succeeds result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server( server_info) # And the server is reported as supporting SCSV assert result.supports_fallback_scsv # And a CLI output can be generated assert FallbackScsvImplementation.cli_connector_cls.result_to_console_output( result)
def test_early_data_disabled(self): # Given a server to scan that does NOT support early data because it it is disabled with ModernOpenSslServer(max_early_data=None) as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for early data support, it succeeds result: EarlyDataScanResult = EarlyDataImplementation.scan_server( server_info) # And the right result is returned assert not result.supports_early_data
def test_via_http_proxy_but_proxy_rejected_connection(self): # Given a server location server_location = ServerNetworkLocation( hostname="www.google.com", port=443, # Configured with a proxy that's offline http_proxy_settings=HttpProxySettings("localhost", 1234), ) # When testing connectivity, it fails with the right error with pytest.raises(HttpProxyRejectedConnection): check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), )
def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for compression support, it succeeds result: CompressionScanResult = CompressionImplementation.scan_server( server_info) assert not result.supports_compression
def test_compression_disabled(self): # Given a server to scan that has TLS compression disabled server_location = ServerNetworkLocation(hostname="www.google.com", port=443) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for compression support, it succeeds result: CompressionScanResult = CompressionImplementation.scan_server( server_info) # And the right result is returned assert not result.supports_compression # And a CLI output can be generated assert CompressionImplementation.cli_connector_cls.result_to_console_output( result)
def test_required_client_auth_tls_1_3(self): # Given a TLS 1.3 server that requires client authentication with ModernOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocation( hostname=server.hostname, port=server.port, ip_address=server.ip_address) tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # SSLyze correctly detects that client auth is required assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_renegotiation_good(self): # Given a server that is NOT vulnerable to insecure reneg nor client reneg DOS server_location = ServerNetworkLocation("www.google.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for insecure reneg, it succeeds result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server( server_info) # And the server is reported as not vulnerable assert result.supports_secure_renegotiation assert not result.is_vulnerable_to_client_renegotiation_dos # And a CLI output can be generated assert SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output( result)
def test_via_http_proxy_but_proxy_dns_error(self): # Given a server location server_location = ServerNetworkLocation( hostname="www.google.com", port=443, # Configured with a proxy that cannot be looked up via DNS http_proxy_settings=HttpProxySettings( "notarealdomain.not.real.notreal.not", 443), ) # When testing connectivity, it fails with the right error with pytest.raises(ConnectionToHttpProxyFailed): check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), )
def test_succeeds_when_client_auth_failed(self): # Given a server that is vulnerable to Heartbleed and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for Heartbleed, it succeeds result = HeartbleedImplementation.scan_server(server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_heartbleed
def test_succeeds_when_client_auth_failed_tls_1_3(self): # Given a TLS 1.3 server that requires client authentication with ModernOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And SSLyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Tlsv13ScanImplementation.scan_server( server_info) assert result.accepted_cipher_suites
def test_xmpp_but_server_rejected_opportunistic_tls(self): # Given an XMPP server hostname = "jabber.org" server_location = ServerNetworkLocation(hostname=hostname, port=5222) network_configuration = ServerNetworkConfiguration( # But we provide a wrong XMPP setting xmpp_to_hostname="lol.lol", tls_server_name_indication=hostname, tls_opportunistic_encryption=ProtocolWithOpportunisticTlsEnum.XMPP, ) # When testing connectivity, it fails with the right error with pytest.raises(ServerRejectedOpportunisticTlsNegotiation): check_connectivity_to_server( server_location=server_location, network_configuration=network_configuration, )
def test_expect_ct_enabled(self): # Given a server to scan that has Expect-CT enabled server_location = ServerNetworkLocation("github.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for HTTP headers, it succeeds result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server( server_info) # And the Expect-CT header was detected assert result.expect_ct_header assert result.expect_ct_header.max_age >= 0 # And a CLI output can be generated assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output( result)
def test(self): # Given a completed scan for a server with the CERTIFICATE_INFO scan command server_location = ServerNetworkLocation("www.facebook.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) plugin_result = CertificateInfoImplementation.scan_server(server_info) # When converting it to JSON result_as_json = CertificateInfoScanResultAsJson.from_orm( plugin_result).json() # It succeeds assert result_as_json # And complex object like certificates were properly serialized assert "issuer" in result_as_json assert "subject" in result_as_json
def test_sslv3_enabled(self): # Given a server to scan that supports SSL 3.0 with LegacyOpenSslServer( openssl_cipher_string="ALL:COMPLEMENTOFALL") as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Sslv30ScanImplementation.scan_server( server_info) # The right cipher suites were detected assert len(result.accepted_cipher_suites) == 43 assert result.rejected_cipher_suites
def test_tls_1_3_cipher_suites(self): # Given a server to scan that supports TLS 1.3 server_location = ServerNetworkLocation("www.cloudflare.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Tlsv13ScanImplementation.scan_server( server_info) assert result.accepted_cipher_suites assert { "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256" } == { accepted_cipher.cipher_suite.name for accepted_cipher in result.accepted_cipher_suites }
def test_vulnerable(self): # Given a server that is vulnerable to Heartbleed with LegacyOpenSslServer() as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for Heartbleed, it succeeds result = HeartbleedImplementation.scan_server(server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_heartbleed # And a CLI output can be generated assert HeartbleedImplementation.cli_connector_cls.result_to_console_output( result)
def test_all_headers_disabled(self): # Given a server to scan that does not have security headers server_location = ServerNetworkLocation("expired.badssl.com", 443) server_info = check_connectivity_to_server_and_return_info( server_location) # When scanning for HTTP headers, it succeeds result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server( server_info) # And no headers are detected assert result.http_request_sent assert result.http_path_redirected_to assert not result.strict_transport_security_header assert not result.expect_ct_header # And a CLI output can be generated assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output( result)
def test_tls_1_only(self): # Given a server that only supports TLS 1.0 server_location = ServerNetworkLocation(hostname="tls-v1-0.badssl.com", port=1010) # When testing connectivity against it tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # It succeeds assert tls_probing_result assert tls_probing_result.client_auth_requirement assert tls_probing_result.cipher_suite_supported # And it detected that only TLS 1.0 is supported assert tls_probing_result.highest_tls_version_supported == TlsVersionEnum.TLS_1_0
def test_ipv6(self): # Given a server accessible via IPv6 server_location = ServerNetworkLocation( hostname="www.google.com", port=443, ip_address="2607:f8b0:4005:804::2004") # When testing connectivity against it tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # It succeeds assert tls_probing_result assert tls_probing_result.client_auth_requirement assert tls_probing_result.highest_tls_version_supported assert tls_probing_result.cipher_suite_supported
def test_early_data_enabled(self): # Given a server to scan that supports early data with ModernOpenSslServer(max_early_data=256) as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for early data support, it succeeds result: EarlyDataScanResult = EarlyDataImplementation.scan_server( server_info) # And the right result is returned assert result.supports_early_data # And a CLI output can be generated assert EarlyDataImplementation.cli_connector_cls.result_to_console_output( result)
def test_renegotiation_is_vulnerable_to_client_renegotiation_dos(self): # Given a server that is vulnerable to client renegotiation DOS with LegacyOpenSslServer() as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for insecure reneg, it succeeds result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server( server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_client_renegotiation_dos # And a CLI output can be generated assert SessionRenegotiationImplementation.cli_connector_cls.result_to_console_output( result)
def test_via_direct_connection(self): # Given a server location server_location = ServerNetworkLocation("www.google.com", 443) # When testing connectivity tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # It succeeds assert tls_probing_result.cipher_suite_supported assert tls_probing_result.highest_tls_version_supported assert tls_probing_result.client_auth_requirement assert tls_probing_result.supports_ecdh_key_exchange # And the result can be converted to JSON tls_probing_result_as_json = _ServerTlsProbingResultAsJson.from_orm( tls_probing_result) assert tls_probing_result_as_json.json()