def test_ticket48798(topology_st):
    """Verify the Diffie-Hellman parameter size the server offers over TLS.

    With the stock configuration the server must negotiate a 2048-bit DH
    group.  After ``allowWeakDHParam`` is switched on and the instance is
    restarted, the server is expected to offer a 1024-bit group instead;
    that weaker group is exactly what this test pins down.

    :param topology_st: standalone-instance topology fixture
    """
    inst = topology_st.standalone
    inst.enable_tls()

    # Open a TLS socket to the LDAPS port and read back the negotiated DH
    # parameter size before touching any configuration.
    strong_size = check_socket_dh_param_size(inst.host, inst.sslport)
    assert strong_size == 2048

    # Permit weak DH parameters; the change only applies after a restart.
    enc = Encryption(inst)
    enc.set('allowWeakDHParam', 'on')
    inst.restart()

    # The server now offers the (weak) 1024-bit group.
    # NOTE(review): the toggle is never switched back off here, so any later
    # test that shares this instance inherits the weaker DH group.
    weak_size = check_socket_dh_param_size(inst.host, inst.sslport)
    assert weak_size == 1024
def _security_ciphers_change(mode, ciphers, inst, log):
    """Add or remove *ciphers* on the server cipher list.

    :param mode: change mode handed straight to ``Encryption.change_ciphers``
                 (its accepted values are not visible in this listing)
    :param ciphers: cipher names to apply; the ``default`` and ``all``
                    keywords are refused because they have to be set
                    verbatim with the ``set`` command instead
    :param inst: DirSrv instance to reconfigure
    :param log: parent logger; a child logger is used for all messages

    Returns ``None`` in every case.  Problems are only reported through the
    logger, so the caller cannot distinguish success from failure.
    """
    log = log.getChild('_security_ciphers_change')

    uses_keyword = 'default' in ciphers or 'all' in ciphers
    if uses_keyword:
        log.error("Use ciphers' names only. Keywords \"default\" and \"all\" are ignored. "
                  "Please, instead specify them manually using 'set' command.")
        return

    # NOTE(review): a False result is only logged, so the CLI still exits 0
    # when the cipher change did not actually apply.
    changed = Encryption(inst).change_ciphers(mode, ciphers)
    if changed is False:
        log.error('Setting new ciphers failed.')
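def security_ciphers_get(inst, basedn, log, args):
    """Print the cipher string currently configured on the server.

    :param inst: DirSrv instance to read from
    :param basedn: unused; present for CLI-handler signature compatibility
    :param log: unused; present for CLI-handler signature compatibility
    :param args: parsed CLI arguments; ``args.json`` selects JSON output

    With ``--json`` the result is emitted as real JSON (the previous
    ``print(dict)`` wrote Python's single-quoted repr, which is not parseable
    by JSON consumers), in the same ``{"type": "list", "items": [...]}``
    shape the ``list`` sub-command uses.  Otherwise the ciphers are joined
    with commas, or ``<undefined>`` is printed when nothing is configured.
    """
    # Function-scope import: the module's import block is not part of this
    # listing, so the name is brought in locally to keep the file runnable.
    import json

    enc = Encryption(inst)
    if args.json:
        print(json.dumps({'type': 'list', 'items': enc.ciphers}, indent=4))
    else:
        val = ','.join(enc.ciphers)
        print(val if val != '' else '<undefined>')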
def test_long_cipher_list(topo):
    """Check that a very long nsSSL3Ciphers value is applied without truncation.

    :id: bc400f54-3966-49c8-b640-abbf4fb2377d
    :setup: Standalone Instance
    :steps:
        1. Set nsSSL3Ciphers to a very long list of ciphers
        2. Restart and read back the enabled ciphers
    :expectedresults:
        1. Success
        2. A cipher enabled at the very end of the list is present and a
           cipher disabled near the end is absent
    """
    # The entries near the tail of the list are the ones that would be lost
    # if the value were cut short, so those are the ones checked afterwards.
    expect_present = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256"
    expect_absent = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128"
    long_cipher_spec = (
        "-all,-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5,-SSL_CK_RC2_128_CBC_WITH_MD5,"
        "-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5,"
        "-TLS_RSA_WITH_RC4_128_MD5,-TLS_RSA_WITH_RC4_128_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
        "-TLS_RSA_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,"
        "-TLS_RSA_EXPORT_WITH_RC4_40_MD5,-TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-TLS_RSA_WITH_NULL_MD5,"
        "-TLS_RSA_WITH_NULL_SHA,-TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,-SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,"
        "-SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL_FORTEZZA_DMS_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,"
        "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
        "+TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
        "+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
        "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_DHE_DSS_WITH_RC4_128_SHA,-TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
        "-TLS_RSA_WITH_NULL_SHA,-TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5,"
        "-TLS_RSA_WITH_RC4_128_MD5,-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
        "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    )

    inst = topo.standalone
    inst.enable_tls()

    enc = Encryption(inst)
    enc.set('nsSSL3Ciphers', long_cipher_spec)
    inst.restart()

    # The server reports what it actually enabled in a separate attribute.
    enabled_now = enc.get_attr_vals_utf8('nssslenabledciphers')
    assert expect_present in enabled_now
    assert expect_absent not in enabled_now
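def security_ciphers_list(inst, basedn, log, args):
    """Print the server cipher list selected by the CLI flags.

    :param inst: DirSrv instance to read from
    :param basedn: unused; present for CLI-handler signature compatibility
    :param log: logger used only to warn when the selected list is empty
    :param args: parsed CLI arguments; ``--enabled``, ``--supported`` and
                 ``--disabled`` pick the list, ``--json`` picks the format;
                 with none of the selectors the configured cipher string
                 (``Encryption.ciphers``) is shown

    ``--disabled`` is derived as supported minus enabled.  That difference
    is built as a set, which ``json.dumps`` cannot serialise and which made
    ``--disabled --json`` crash with ``TypeError``; it is now sorted into a
    list so both output formats are deterministic.
    """
    enc = Encryption(inst)
    if args.enabled:
        lst = enc.enabled_ciphers
    elif args.supported:
        lst = enc.supported_ciphers
    elif args.disabled:
        # Sort: a set has no stable order and is not JSON-serialisable.
        lst = sorted(set(enc.supported_ciphers) - set(enc.enabled_ciphers))
    else:
        lst = enc.ciphers

    if args.json:
        print(json.dumps({'type': 'list', 'items': lst}, indent=4))
    elif not lst:
        # Truthiness check so an empty set/tuple is reported like an empty list.
        log.getChild('security').warning('List of ciphers is empty')
    else:
        print(*lst, sep='\n')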
def security_ciphers_set(inst, basedn, log, args):
    """Replace the server cipher list with the spec given on the command line.

    :param inst: DirSrv instance to reconfigure
    :param basedn: unused; present for CLI-handler signature compatibility
    :param log: unused; present for CLI-handler signature compatibility
    :param args: parsed CLI arguments; ``args.cipher_string`` is the
                 comma-separated cipher spec

    Only leading whitespace of the whole string is dropped before splitting
    on commas; individual entries are not trimmed, so ``"+a, -b"`` is sent
    with ``" -b"`` as its second entry.  No validation happens here.
    """
    enc = Encryption(inst)
    entries = args.cipher_string.lstrip().split(',')
    enc.ciphers = entries
def test_ssl_version_range(topo):
    """Check that sslVersionMin and sslVersionMax survive a restart.

    :id: bc400f54-3966-49c8-b640-abbf4fb2377e
    :setup: Standalone Instance
    :steps:
        1. Read the default min/max TLS versions
        2. Raise sslVersionMin to the default max, restart, re-read it
        3. Lower sslVersionMax to the default min, restart, re-read it
        4. Walk sslVersionMin and then sslVersionMax through TLS1.0-TLS1.2
    :expectedresults:
        1. Success
        2. The new minimum is reported after the restart
        3. The new maximum is reported after the restart
        4. Each value is reported after the restart

    NOTE(review): step 4 configures TLS1.0 and TLS1.1, which the system
    crypto policy on newer distributions refuses unless LEGACY is active.
    """
    inst = topo.standalone
    inst.enable_tls()
    enc = Encryption(inst)

    initial_min = enc.get_attr_val_utf8('sslVersionMin')
    initial_max = enc.get_attr_val_utf8('sslVersionMax')
    log.info(f"default min: {initial_min} max: {initial_max}")
    if DEBUGGING:
        inst.config.set('nsslapd-auditlog-logging-enabled', 'on')

    def apply_and_restart(changes):
        # Write every (attribute, value) pair, then bounce the instance so
        # the new range is what the server actually loaded.
        for attr, value in changes:
            enc.replace(attr, value)
        inst.restart()

    # Pin both ends at the default maximum and check the minimum moved.
    apply_and_restart([('sslVersionMin', initial_max), ('sslVersionMax', initial_max)])
    assert enc.get_attr_val_utf8('sslVersionMin') == initial_max

    # Pin both ends at the default minimum and check the maximum moved.
    apply_and_restart([('sslVersionMin', initial_min), ('sslVersionMax', initial_min)])
    assert enc.get_attr_val_utf8('sslVersionMax') == initial_min

    # Walk every version; the trailing TLS1.0 for sslVersionMin presumably
    # lowers the floor again before sslVersionMax is walked from TLS1.0 up.
    version_walk = (
        ('sslVersionMin', ('TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0')),
        ('sslVersionMax', ('TLS1.0', 'TLS1.1', 'TLS1.2')),
    )
    for attr, versions in version_walk:
        for version in versions:
            apply_and_restart([(attr, version)])
            assert enc.get_attr_val_utf8(attr) == version
def test_healthcheck_min_allowed_tls_version_too_low(topology_st): """Check if HealthCheck returns DSELE0001 code :id: a4be3390-9508-4827-8f82-e4e21081caab :setup: Standalone instance :steps: 1. Create DS instance 2. Set the TLS minimum version to TLS1.0 3. Use HealthCheck without --json option 4. Use HealthCheck with --json option 5. Set the TLS minimum version to TLS1.2 6. Use HealthCheck without --json option 7. Use HealthCheck with --json option :expectedresults: 1. Success 2. Success 3. Healthcheck reports DSELE0001 code and related details 4. Healthcheck reports DSELE0001 code and related details 5. Success 6. Healthcheck reports no issue found 7. Healthcheck reports no issue found """ RET_CODE = 'DSELE0001' HIGHER_VS = 'TLS1.2' SMALL_VS = 'TLS1.0' RHEL = 'Red Hat Enterprise Linux' standalone = topology_st.standalone standalone.enable_tls() # We have to update-crypto-policies to LEGACY, otherwise we can't set TLS1.0 log.info('Updating crypto policies') assert subprocess.check_call(['update-crypto-policies', '--set', 'LEGACY']) == 0 log.info('Set the TLS minimum version to TLS1.0') enc = Encryption(standalone) enc.replace('sslVersionMin', SMALL_VS) standalone.restart() run_healthcheck_and_flush_log(topology_st, standalone, json=False, searched_code=RET_CODE) run_healthcheck_and_flush_log(topology_st, standalone, json=True, searched_code=RET_CODE) log.info('Set the TLS minimum version to TLS1.2') enc.replace('sslVersionMin', HIGHER_VS) standalone.restart() run_healthcheck_and_flush_log(topology_st, standalone, json=False, searched_code=CMD_OUTPUT) run_healthcheck_and_flush_log(topology_st, standalone, json=True, searched_code=JSON_OUTPUT) if RHEL in distro.linux_distribution(): log.info('Set crypto-policies back to DEFAULT') assert subprocess.check_call( ['update-crypto-policies', '--set', 'DEFAULT']) == 0
def test_ssl_version_range(topo):
    """Check that sslVersionMin and sslVersionMax survive a restart.

    :id: bc400f54-3966-49c8-b640-abbf4fb2377e
    :customerscenario: True
    :setup: Standalone Instance
    :steps:
        1. Read the default min/max TLS versions
        2. Raise sslVersionMin to the default max, restart, re-read it
        3. Lower sslVersionMax to the default min, restart, re-read it
        4. Walk each attribute through the versions the platform permits
    :expectedresults:
        1. Success
        2. The new minimum is reported after the restart
        3. The new maximum is reported after the restart
        4. Each value is reported after the restart
    """
    inst = topo.standalone
    inst.enable_tls()
    enc = Encryption(inst)

    initial_min = enc.get_attr_val_utf8('sslVersionMin')
    initial_max = enc.get_attr_val_utf8('sslVersionMax')
    log.info(f"default min: {initial_min} max: {initial_max}")
    if DEBUGGING:
        inst.config.set('nsslapd-auditlog-logging-enabled', 'on')

    def apply_and_restart(changes):
        # Write every (attribute, value) pair, then bounce the instance so
        # the new range is what the server actually loaded.
        for attr, value in changes:
            enc.replace(attr, value)
        inst.restart()

    # Pin both ends at the default maximum and check the minimum moved.
    apply_and_restart([('sslVersionMin', initial_max), ('sslVersionMax', initial_max)])
    assert enc.get_attr_val_utf8('sslVersionMin') == initial_max

    # Pin both ends at the default minimum and check the maximum moved.
    apply_and_restart([('sslVersionMin', initial_min), ('sslVersionMax', initial_min)])
    assert enc.get_attr_val_utf8('sslVersionMax') == initial_min

    # 389-ds-base-1.4.3 == Fedora 32, 389-ds-base-1.4.4 == Fedora 33.
    # From Fedora 33 on, TLS 1.0 and TLS 1.1 live in the LEGACY crypto policy,
    # so they are not exercised under the DEFAULT policy this test runs with.
    # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
    if ds_is_older('1.4.4'):
        version_walk = (
            ('sslVersionMin', ('TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.0')),
            ('sslVersionMax', ('TLS1.0', 'TLS1.1', 'TLS1.2')),
        )
    else:
        version_walk = (
            ('sslVersionMin', ('TLS1.2',)),
            ('sslVersionMax', ('TLS1.2', 'TLS1.3')),
        )

    # Every value must be reported back unchanged after a restart.
    for attr, versions in version_walk:
        for version in versions:
            apply_and_restart([(attr, version)])
            assert enc.get_attr_val_utf8(attr) == version