def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test == 0:
self.selftest_hammer = None
else:
if self.options.self_test == 1:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 2:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(
-1, 'hello')
elif self.options.self_test == 3:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(
-1, self.options.user_ca_cert_file)
else:
raise ConfigError(
'test mode 3 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' %
self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
def test_curl_works_with_sslv2_and_export_ciphers(self):
# curl is expected to work with SSLv2 and weak ciphers
eccars = []
there_are_export_ciphers = False
protos = sslproto.get_supported_protocols()
for proto in protos:
for cipher in sslproto.DEFAULT_CIPHER_SUITES:
if cipher == sslproto.EXPORT_CIPHER:
there_are_export_ciphers = True
if proto == 'sslv2':
expected_res = ALERT_NON_SSLV2_INITIAL_PACKET
elif proto == 'sslv3':
expected_res = ALERT_SSLV3_BAD_CERTIFICATE
else:
expected_res = ALERT_UNKNOWN_CA
eccars.append(
ECCAR(SSLServerProtoSpec(proto, cipher),
expected_res=expected_res))
self.assertTrue(there_are_export_ciphers)
self._main_test(['-m', 'sslproto'], CurlHammer(len(eccars)), eccars)
def test_curl(self):
# curl does all the checks
eccars = [
# user-supplied certificate
ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
ConnectedGotEOFBeforeTimeout()),
# self-signed certificates
ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ALERT_UNKNOWN_CA),
# signed by user-supplied certificate
ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
# signed by user-supplied CA
ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN),
ConnectedGotRequest()),
ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
# default CN, signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
# user-supplied CN signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotRequest()),
# replica of server certificate signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
]
self._main_test(mk_sslcaudit_argv(user_cn=LOCALHOST),
CurlHammer(len(eccars), TEST_USER_CA_CERT_FILE),
eccars)
