def test_valid_chain(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.ocsp_response)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEquals(len(plugin_result.certificate_chain), 2)
self.assertEquals(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEquals(len(plugin_result.path_validation_error_list), 0)
self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Test the --ca_path option
plugin_result = plugin.process_task(server_info, 'certinfo_basic',
{'ca_file': os.path.join(os.path.dirname(__file__), 'utils',
'wildcard-self-signed.pem')})
self.assertEquals(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_invalid_chain(self):
server_info = ServerConnectivityInfo(
hostname=u'self-signed.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertIsNone(plugin_result.ocsp_response)
self.assertEquals(len(plugin_result.certificate_chain), 1)
self.assertEquals(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertFalse(path_validation_result.is_certificate_trusted)
self.assertEquals(len(plugin_result.path_validation_error_list), 0)
self.assertEquals(plugin_result.hostname_validation_result,
X509_NAME_MATCHES_SAN)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertIsNone(plugin_result.has_anchor_in_certificate_chain)
self.assertIsNone(plugin_result.has_sha1_in_certificate_chain)
self.assertFalse(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_https_tunneling(self):
# Start a local proxy
proxy_port = 8000
p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, ))
p.start()
try:
# Run a scan through the proxy
tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port)
server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings)
# Try to connect to the proxy - retry if the proxy subprocess wasn't ready
proxy_connection_attempts = 0
while True:
try:
server_info.test_connectivity_to_server()
break
except ServerConnectivityError:
if proxy_connection_attempts > 3:
raise
proxy_connection_attempts += 1
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
finally:
# Kill the local proxy - unclean
p.terminate()
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_test = ServerConnectivityTester(hostname='1000-sans.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin.process_task(server_info, CertificateInfoScanCommand())
def test_ca_file_bad_file(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
with self.assertRaises(ValueError):
plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_ca_file_bad_file(self):
server_test = ServerConnectivityTester(hostname='www.hotmail.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
with self.assertRaises(ValueError):
plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
try:
with VulnerableOpenSslServer(
client_auth_config=
ClientAuthenticationServerConfigurationEnum.REQUIRED
) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# CertificateInfoPlugin works even when a client cert was not supplied
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(
server_info, CertificateInfoScanCommand())
except NotOnLinux64Error:
logging.warning('WARNING: Not on Linux - skipping test')
return
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin.process_task(server_info, CertificateInfoScanCommand())
def test_valid_chain_with_ev_cert(self):
server_test = ServerConnectivityTester(hostname='www.comodo.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEqual(len(plugin_result.certificate_chain), 4)
self.assertEqual(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_valid_chain_with_ocsp_stapling(self):
server_info = ServerConnectivityInfo(hostname='login.live.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.ocsp_response)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertEqual(len(plugin_result.certificate_chain), 2)
self.assertEqual(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self):
server_test = ServerConnectivityTester(
hostname='self-signed.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertIsNone(plugin_result.ocsp_response)
self.assertEqual(len(plugin_result.certificate_chain), 1)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertFalse(path_validation_result.is_certificate_trusted)
self.assertEqual(plugin_result.certificate_included_scts_count, 0)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertIsNone(plugin_result.has_anchor_in_certificate_chain)
self.assertIsNone(plugin_result.has_sha1_in_certificate_chain)
self.assertFalse(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file_bad_file(self):
server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
with self.assertRaises(ValueError):
plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=u'doesntexist'))
def test_valid_chain(self):
server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.ocsp_response)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEquals(len(plugin_result.certificate_chain), 2)
self.assertEquals(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEquals(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEquals(len(plugin_result.path_validation_error_list), 0)
self.assertEquals(plugin_result.hostname_validation_result, HostnameValidationResultEnum.NAME_MATCHES_SAN)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def https_check(endpoint):
logging.debug("sslyzing %s..." % endpoint.url)
# remove the https:// from prefix for sslyze
hostname = endpoint.url[8:]
server_info = ServerConnectivityInfo(hostname=hostname, port=443)
try:
server_info.test_connectivity_to_server()
except sslyze.server_connectivity.ServerConnectivityError:
logging.warn("Error in sslyze server connectivity check")
return
cert_plugin = CertificateInfoPlugin()
try:
cert_plugin_result = cert_plugin.process_task(server_info, 'certinfo_basic')
except nassl._nassl.OpenSSLError:
logging.warn("Error in sslyze cert info plugin")
return
except nassl.x509_certificate.X509HostnameValidationError:
logging.warn("Error parsing x.509 certificate.")
return
try:
cert_response = cert_plugin_result.as_text()
except TypeError:
logging.warn("sslyze exception parsing issuer, see https://github.com/nabla-c0d3/sslyze/issues/167")
return
# Debugging
# for msg in cert_response:
# print(msg)
# A certificate can have multiple issues.
for msg in cert_response:
# Check for certificate expiration.
if (
(("Mozilla NSS CA Store") in msg) and
(("FAILED") in msg) and
(("certificate has expired") in msg)
):
endpoint.https_expired_cert = True
# Check for whether there's a valid chain to Mozilla.
# Note: this will also catch expired certs, but this is okay.
if (
(("Mozilla NSS CA Store") in msg) and
(("FAILED") in msg) and
(("Certificate is NOT Trusted") in msg)
):
endpoint.https_bad_chain = True
# Check for whether the hostname validates.
if (
(("Hostname Validation") in msg) and
(("FAILED") in msg) and
(("Certificate does NOT match") in msg)
):
endpoint.https_bad_hostname = True
def test_valid_chain_with_ev_cert(self):
server_test = ServerConnectivityTester(hostname='www.comodo.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.leaf_certificate_is_ev
assert len(plugin_result.received_certificate_chain) >= 3
assert len(plugin_result.verified_certificate_chain) >= 3
assert not plugin_result.received_chain_contains_anchor_certificate
assert len(plugin_result.path_validation_result_list) == 5
for path_validation_result in plugin_result.path_validation_result_list:
assert path_validation_result.was_validation_successful
assert len(plugin_result.path_validation_error_list) == 0
assert plugin_result.leaf_certificate_subject_matches_hostname
assert plugin_result.received_chain_has_valid_order
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_invalid_chain(self):
server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertIsNone(plugin_result.ocsp_response)
self.assertEqual(len(plugin_result.certificate_chain), 1)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertFalse(path_validation_result.is_certificate_trusted)
self.assertEqual(plugin_result.certificate_included_scts_count, 0)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertIsNone(plugin_result.has_anchor_in_certificate_chain)
self.assertIsNone(plugin_result.has_sha1_in_certificate_chain)
self.assertFalse(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self):
server_test = ServerConnectivityTester(hostname='self-signed.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.ocsp_response is None
assert len(plugin_result.received_certificate_chain) == 1
assert len(plugin_result.path_validation_result_list) >= 5
for path_validation_result in plugin_result.path_validation_result_list:
assert not path_validation_result.was_validation_successful
assert plugin_result.leaf_certificate_signed_certificate_timestamps_count == 0
assert len(plugin_result.path_validation_error_list) == 0
assert plugin_result.leaf_certificate_subject_matches_hostname
assert plugin_result.received_chain_has_valid_order
assert plugin_result.received_chain_contains_anchor_certificate is None
assert plugin_result.verified_chain_has_sha1_signature is None
assert not plugin_result.verified_certificate_chain
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_valid_chain_with_ev_cert(self):
server_info = ServerConnectivityInfo(hostname='www.comodo.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEqual(len(plugin_result.certificate_chain), 3)
self.assertEqual(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_https_tunneling(self):
# Start a local proxy
proxy_port = 8000
p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, ))
p.start()
try:
# Run a scan through the proxy
tunnel_settings = HttpConnectTunnelingSettings(
'localhost', proxy_port)
server_info = ServerConnectivityInfo(
hostname='www.google.com',
http_tunneling_settings=tunnel_settings)
# Try to connect to the proxy - retry if the proxy subprocess wasn't ready
proxy_connection_attempts = 0
while True:
try:
server_info.test_connectivity_to_server()
break
except ServerConnectivityError:
if proxy_connection_attempts > 3:
raise
proxy_connection_attempts += 1
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
finally:
# Kill the local proxy - unclean
p.terminate()
def attack(results, host_name):
print("Running 10.16 attack.py host name: {}".format(host_name))
report = {}
try:
server_tester = ServerConnectivityTester(
hostname=host_name,
port=443,
tls_wrapped_protocol=TlsWrappedProtocolEnum.HTTPS)
server_info = server_tester.perform()
except ServerConnectivityError as e:
results.append(AttackResult('10.16', host_name, False, e))
return
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
# Valid host name
certificate_matches_hostname = plugin_result.certificate_matches_hostname
# Chain order is valid
is_certificate_chain_order_valid = plugin_result.is_certificate_chain_order_valid
# All certificates are trusted
certificates_are_trusted = True
for path_validation_result in plugin_result.path_validation_result_list:
if not path_validation_result.is_certificate_trusted:
certificates_are_trusted = False
result = certificate_matches_hostname and is_certificate_chain_order_valid and certificates_are_trusted
details = ''
if not certificate_matches_hostname:
details += ' Certificate does not match hostname'
if not is_certificate_chain_order_valid:
details += ' Certificate chain order is invalid'
if not certificates_are_trusted:
details += ' Certificates are not trusted.'
attackResult = None
if not result:
attackResult = AttackResult('hostname', host_name, result, details)
else:
attackResult = AttackResult(
'hostname', host_name, result,
'TLS certificates match hostname, are trusted and the chain order is valid'
)
results.append(attackResult)
#results = []
#attack(results, 'https://www.google.co.uk')
def test_valid_chain_print_full_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(print_full_certificate=True))
# The only difference with the previous test is the text output
self.assertTrue(plugin_result.as_text())
def test_optional_client_authentication(self):
server_test = ServerConnectivityTester(hostname='client.badssl.com')
server_info = server_test.perform()
assert server_info.client_auth_requirement == ClientAuthenticationServerConfigurationEnum.OPTIONAL
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_optional_client_authentication(self):
server_test = ServerConnectivityTester(hostname='client.badssl.com')
server_info = server_test.perform()
self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS']
self.assertEquals(len(san_list), 1000)
def test_sha256_chain(self):
server_info = ServerConnectivityInfo(hostname='sha256.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
server_info = ServerConnectivityInfo(hostname='xnet-eu.intellij.net')
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname=u'1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
san_list = plugin_result.certificate_chain[0].as_dict[u'extensions'][u'X509v3 Subject Alternative Name'][u'DNS']
self.assertEquals(len(san_list), 1000)
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
# TODO: Expose has_sha1 as an attribute
self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in [u'auth.startssl.com', u'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ipv6(self):
server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, u'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert len(plugin_result.received_certificate_chain) >= 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha256.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertFalse(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_info = ServerConnectivityInfo(hostname='www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ipv6(self):
server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert len(plugin_result.received_certificate_chain) >= 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self):
server_info = ServerConnectivityInfo(hostname=u'webmail.russia.nasa.gov')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.successful_trust_store.name, u'Microsoft')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname=u'www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname=u'www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_info = ServerConnectivityInfo(hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_test = ServerConnectivityTester(hostname='www.verizon.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem')
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEqual(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_unicode_certificate(self):
server_test = ServerConnectivityTester(hostname='เพย์สบาย.th')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self):
server_info = ServerConnectivityInfo(hostname='www.apple.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.certificate_included_scts_count, 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self):
server_info = ServerConnectivityInfo(hostname='webmail.russia.nasa.gov')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.successful_trust_store.name, 'Windows')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self):
server_info = ServerConnectivityInfo(hostname='www.cloudflare.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self):
for hostname, protocol in [('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP),
('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3),
('ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP),
('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER)]:
server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self):
server_info = ServerConnectivityInfo(hostname='no-subject.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_smtp_custom_port(self):
server_test = ServerConnectivityTester(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_test = ServerConnectivityTester(
hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com'
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
