class HeartbleedPluginTestCase(unittest.TestCase): def test_heartbleed_good(self): server_test = ServerConnectivityTester(hostname='www.google.com') server_info = server_test.perform() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertFalse(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result)) @unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64') def test_heartbleed_bad(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester(hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result)) @unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64') def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # The plugin works even when a client cert was not supplied plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
class OpenSslCcsInjectionPluginTestCase(unittest.TestCase): def test_ccs_injection_good(self): server_test = ServerConnectivityTester(hostname='www.google.com') server_info = server_test.perform() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) @unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64') def test_ccs_injection_bad(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) @unittest.skipIf(not LegacyOpenSslServer.is_platform_supported(), 'Not on Linux 64') def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # OpenSslCcsInjectionPlugin works even when a client cert was not supplied plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sslv2_enabled(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Sslv20ScanCommand()) # The embedded server does not have a preference assert not plugin_result.preferred_cipher accepted_cipher_name_list = [ cipher.name for cipher in plugin_result.accepted_cipher_list ] assert { 'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5', 'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5', 'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5' } == set(accepted_cipher_name_list) assert plugin_result.accepted_cipher_list assert not plugin_result.rejected_cipher_list assert not plugin_result.errored_cipher_list assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_works_when_client_auth_succeeded(self): # Given a server that is vulnerable and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) # And sslyze provides a client certificate network_config = ServerNetworkConfiguration( tls_server_name_indication=server.hostname, tls_client_auth_credentials=ClientAuthenticationCredentials( certificate_chain_path=server.get_client_certificate_path( ), key_path=server.get_client_key_path()), ) server_info = ServerConnectivityTester().perform( server_location, network_config) # When testing for insecure reneg, it succeeds result: SessionRenegotiationScanResult = SessionRenegotiationImplementation.scan_server( server_info) # And the results are correct assert result.supports_secure_renegotiation assert result.is_vulnerable_to_client_renegotiation_dos
def test_works_when_client_auth_succeeded(self): # Given a server that does NOT support SCSV and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) # And sslyze provides a client certificate network_config = ServerNetworkConfiguration( tls_server_name_indication=server.hostname, tls_client_auth_credentials=ClientAuthenticationCredentials( certificate_chain_path=server.get_client_certificate_path( ), key_path=server.get_client_key_path()), ) server_info = ServerConnectivityTester().perform( server_location, network_config) # When testing for SCSV, it succeeds result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server( server_info) # And the server is reported as NOT supporting SCSV assert not result.supports_fallback_scsv
def test_get_dh_info_dh(self, ssl_client_cls): with LegacyOpenSslServer(cipher="DHE-RSA-AES256-SHA") as server: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = ssl_client_cls( ssl_version=OpenSslVersionEnum.TLSV1_2, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, ) try: ssl_client.do_handshake() finally: ssl_client.shutdown() dh_info = ssl_client.get_ephemeral_key() assert isinstance(dh_info, DhEphemeralKeyInfo) assert dh_info.type == OpenSslEvpPkeyEnum.DH assert dh_info.size > 0 assert len(dh_info.public_bytes) > 0 assert len(dh_info.prime) > 0 assert len(dh_info.generator) > 0
def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client provides a client certificate client_creds = ClientAuthenticationCredentials( client_certificate_chain_path=server. get_client_certificate_path(), client_key_path=server.get_client_key_path(), ) server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port, client_auth_credentials=client_creds, ) server_info = server_test.perform() # The plugin works fine plugin = SessionRenegotiationPlugin() plugin_result = plugin.process_task( server_info, SessionRenegotiationScanCommand()) assert plugin_result.accepts_client_renegotiation assert plugin_result.supports_secure_renegotiation assert plugin_result.as_text() assert plugin_result.as_xml()
def test_error_client_certificate_needed(self): # Given a server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = ServerConnectivityTester().perform(server_location) server_scan = ServerScanRequest( server_info=server_info, scan_commands={ # And a scan command that cannot be completed without a client certificate ScanCommand.HTTP_HEADERS, }, ) # When queuing the scan scanner = Scanner() scanner.queue_scan(server_scan) # It succeeds all_results = [] for result in scanner.get_results(): all_results.append(result) assert len(all_results) == 1 # And the error was properly returned error = all_results[0].scan_commands_errors[ScanCommand.HTTP_HEADERS] assert error.reason == ScanCommandErrorReasonEnum.CLIENT_CERTIFICATE_NEEDED
def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) # And sslyze provides a client certificate network_config = ServerNetworkConfiguration( tls_server_name_indication=server.hostname, tls_client_auth_credentials=ClientAuthenticationCredentials( certificate_chain_path=server.get_client_certificate_path( ), key_path=server.get_client_key_path()), ) server_info = check_connectivity_to_server_and_return_info( server_location, network_config) # When scanning for HTTP headers, it succeeds result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server( server_info) assert not result.strict_transport_security_header assert not result.expect_ct_header
def test_vulnerable_and_server_has_sni_bug(self): # Test for https://github.com/nabla-c0d3/sslyze/issues/202 # Given a server that is vulnerable to Heartbleed and that requires the right SNI to be sent server_name_indication = "server.com" with LegacyOpenSslServer( require_server_name_indication_value=server_name_indication ) as server: server_location = ServerNetworkLocation( hostname=server_name_indication, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # But the server is buggy and returns a TLS alert when SNI is sent during the Hearbtleed check # We replicate this behavior by having SSLyze send a wrong value for SNI, instead of complicated server code # Use __setattr__ to bypass the dataclass' frozen=True setting object.__setattr__(server_info.network_configuration, "tls_server_name_indication", "wrongvalue.com") # When testing for Heartbleed, it succeeds result = HeartbleedImplementation.scan_server(server_info) # And the server is reported as vulnerable even though it has the SNI bug assert result.is_vulnerable_to_heartbleed
def test_sslv3_enabled(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Sslv30ScanCommand()) # The embedded server does not have a preference self.assertFalse(plugin_result.preferred_cipher) accepted_cipher_name_list = [ cipher.name for cipher in plugin_result.accepted_cipher_list ] self.assertEqual( { 'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DH_anon_WITH_AES_128_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_SEED_CBC_SHA', 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5', 'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_DH_anon_WITH_AES_256_CBC_SHA', 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDH_anon_WITH_RC4_128_SHA', 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5', 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_ECDH_anon_WITH_NULL_SHA', 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_EXPORT_WITH_RC4_40_MD5', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5', 'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA', 'TLS_DH_anon_WITH_DES_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_DES_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA', 'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_RC4_128_MD5' }, set(accepted_cipher_name_list)) self.assertTrue(plugin_result.accepted_cipher_list) self.assertTrue(plugin_result.rejected_cipher_list) self.assertFalse(plugin_result.errored_cipher_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_error_client_certificate_needed(self): # Given a server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And a scan request for it that does NOT provide a client certificate scan_request = ServerScanRequest( server_location=ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port ), scan_commands={ # And the request has a scan command that cannot be completed without a client certificate ScanCommand.HTTP_HEADERS, }, ) # When running the scan scanner = Scanner() scanner.queue_scans([scan_request]) # It succeeds all_results = [] for result in scanner.get_results(): all_results.append(result) # And the right result was returned assert len(all_results) == 1 # And the fact that a client certificate is needed was properly returned http_headers_result = all_results[0].scan_result.http_headers assert http_headers_result.status == ScanCommandAttemptStatusEnum.ERROR assert http_headers_result.error_reason == ScanCommandErrorReasonEnum.CLIENT_CERTIFICATE_NEEDED assert http_headers_result.error_trace assert http_headers_result.result is None
def test_fails_when_client_auth_failed(self): # Given a server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = ServerConnectivityTester().perform(server_location) # When scanning for HTTP headers, it fails with pytest.raises(ClientCertificateRequested): HttpHeadersImplementation.scan_server(server_info)
def test_required_client_auth_tls_1_2(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # SSLyze correctly detects that client auth is required assert server_info.client_auth_requirement == ClientAuthenticationServerConfigurationEnum.REQUIRED
def test_required_client_auth_tls_1_2(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, port=server.port, ip_address=server.ip_address) server_info = ServerConnectivityTester().perform(server_location) # SSLyze correctly detects that client auth is required assert server_info.tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = ServerConnectivityTester().perform(server_location) # When testing for compression support, it succeeds result: CompressionScanResult = CompressionImplementation.scan_server(server_info) assert not result.supports_compression
def test_succeeds_when_client_auth_failed_tls_1_2(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And SSLyze does NOT provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = ServerConnectivityTester().perform(server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Tlsv12ScanImplementation.scan_server(server_info) assert result.accepted_cipher_suites
def test_fails_when_client_auth_failed(self): # Given a server that does NOT support SCSV and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = ServerConnectivityTester().perform(server_location) # When testing for SCSV, it fails as a client cert was not supplied with pytest.raises(ClientCertificateRequested): FallbackScsvImplementation.scan_server(server_info)
def test_heartbleed_bad(self): # Given a server that is vulnerable to Heartbleed with LegacyOpenSslServer() as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = ServerConnectivityTester().perform(server_location) # When testing for Heartbleed, it succeeds result: HeartbleedScanResult = HeartbleedImplementation.perform( server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_heartbleed
def test_heartbleed_bad(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester(hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_fails_when_client_auth_failed(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # The plugin fails with pytest.raises(ClientCertificateRequested): RobotImplementation.scan_server(server_info)
def test_fails_when_client_auth_failed_tls_1_2(self): # Given a server with TLS 1.2 that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = HttpHeadersPlugin() with self.assertRaises(ClientCertificateRequested): plugin.process_task(server_info, HttpHeadersScanCommand())
def test_early_data_disabled_no_tls_1_3(self): # Given a server to scan that does NOT support early data because it does not support TLS 1.3 with LegacyOpenSslServer() as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = ServerConnectivityTester().perform(server_location) # When testing for early data support, it succeeds result: EarlyDataScanResult = EarlyDataImplementation.perform( server_info) # And the right result is returned assert not result.supports_early_data
def test_fallback_bad(self): # Given a server that does NOT support SCSV with LegacyOpenSslServer() as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = ServerConnectivityTester().perform(server_location) # When testing for SCSV, it succeeds result: FallbackScsvScanResult = FallbackScsvImplementation.scan_server( server_info) # And the server is reported as NOT supporting SCSV assert not result.supports_fallback_scsv
def test_ccs_injection_bad(self): with LegacyOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) assert plugin_result.is_vulnerable_to_ccs_injection assert plugin_result.as_text() assert plugin_result.as_xml()
def test_succeeds_when_client_auth_failed(self): # Given a server that is vulnerable to CCS injection and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does not provide a client certificate server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = ServerConnectivityTester().perform(server_location) # When testing for CCS injection, it succeeds result = OpenSslCcsInjectionImplementation.scan_server(server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_ccs_injection
def test_succeeds_when_client_auth_failed(self): # Given a server that is vulnerable to Heartbleed and that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And sslyze does NOT provide a client certificate server_location = ServerNetworkLocation( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = check_connectivity_to_server_and_return_info( server_location) # When testing for Heartbleed, it succeeds result = HeartbleedImplementation.scan_server(server_info) # And the server is reported as vulnerable assert result.is_vulnerable_to_heartbleed
def test_required_client_auth_tls_1_2(self): # Given a TLS 1.2 server that requires client authentication with LegacyOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: server_location = ServerNetworkLocation( hostname=server.hostname, port=server.port, ip_address=server.ip_address) tls_probing_result = check_connectivity_to_server( server_location=server_location, network_configuration=ServerNetworkConfiguration. default_for_server_location(server_location), ) # SSLyze correctly detects that client auth is required assert tls_probing_result.client_auth_requirement == ClientAuthRequirementEnum.REQUIRED
def test_sslv3_enabled(self): # Given a server to scan that supports SSL 3.0 with LegacyOpenSslServer(openssl_cipher_string="ALL:COMPLEMENTOFALL") as server: server_location = ServerNetworkLocationViaDirectConnection( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = ServerConnectivityTester().perform(server_location) # When scanning for cipher suites, it succeeds result: CipherSuitesScanResult = Sslv30ScanImplementation.scan_server(server_info) # The right cipher suites were detected assert len(result.accepted_cipher_suites) == 43 assert result.rejected_cipher_suites # And the embedded server does not have a preference by default assert not result.cipher_suite_preferred_by_server
def test_ssl_2(self): # Given a server that supports SSL 2.0 with LegacyOpenSslServer() as server: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = LegacySslClient( ssl_version=OpenSslVersionEnum.SSLV2, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, ignore_client_authentication_requests=True, ) # When doing the special SSL 2.0 handshake, it succeeds try: ssl_client.do_handshake() finally: ssl_client.shutdown()