def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # CertificateInfoPlugin works even when a client cert was not supplied plugin = CertificateInfoPlugin() plugin_result = plugin.process_task( server_info, CertificateInfoScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_fails_when_client_auth_failed_session(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # SessionResumptionPlugin fails even when a client cert was not supplied plugin = SessionResumptionPlugin() plugin_result = plugin.process_task(server_info, SessionResumptionSupportScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return # All session resumption attempts returned an error because of client authentication self.assertEqual(len(plugin_result.errored_resumptions_list), 5) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_client_authentication_no_certificate_supplied_but_ignore(self): # Given a server that accepts optional client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.OPTIONAL ) as server: # And the client does NOT provide a client cert but is configured to ignore the client auth request sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = self._SSL_CLIENT_CLS( ssl_version=OpenSslVersionEnum.SSLV23, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, ignore_client_authentication_requests=True, ) # When doing the handshake try: ssl_client.do_handshake() # It succeeds self.assertTrue(ssl_client) finally: ssl_client.shutdown() sock.close() except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_client_authentication_succeeds(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client provides a client certificate sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = self._SSL_CLIENT_CLS( ssl_version=OpenSslVersionEnum.SSLV23, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, client_certchain_file=server.get_client_certificate_path(), client_key_file=server.get_client_key_path(), ) # When doing the handshake, it succeeds try: ssl_client.do_handshake() finally: ssl_client.shutdown() sock.close() except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_client_authentication_no_certificate_supplied(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = self._SSL_CLIENT_CLS( ssl_version=OpenSslVersionEnum.SSLV23, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, ) # When doing the handshake the right error is returned self.assertRaisesRegexp( ClientCertificateRequested, 'Server requested a client certificate', ssl_client.do_handshake) sock.close() except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_ssl_2(self): # Given a server that supports SSL 2.0 try: with VulnerableOpenSslServer() as server: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((server.hostname, server.port)) ssl_client = LegacySslClient( ssl_version=OpenSslVersionEnum.SSLV2, underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE, ignore_client_authentication_requests=True, ) # When doing the special SSL 2.0 handshake, it succeeds try: ssl_client.do_handshake() self.assertTrue(ssl_client) finally: ssl_client.shutdown() sock.close() except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_sslv3_enabled(self): with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Sslv30ScanCommand()) # The embedded server does not have a preference self.assertFalse(plugin_result.preferred_cipher) accepted_cipher_name_list = [ cipher.name for cipher in plugin_result.accepted_cipher_list ] self.assertEqual( { 'TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DH_anon_WITH_AES_128_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_SEED_CBC_SHA', 'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5', 'TLS_ECDHE_RSA_WITH_NULL_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_DH_anon_WITH_AES_256_CBC_SHA', 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDH_anon_WITH_RC4_128_SHA', 'TLS_DH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA', 'TLS_DH_anon_EXPORT_WITH_RC4_40_MD5', 'TLS_RSA_EXPORT_WITH_DES40_CBC_SHA', 'TLS_ECDH_anon_WITH_NULL_SHA', 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_EXPORT_WITH_RC4_40_MD5', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_NULL_MD5', 'TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA', 'TLS_DH_anon_WITH_DES_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_DES_CBC_SHA', 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA', 'TLS_RSA_WITH_IDEA_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DH_anon_WITH_RC4_128_MD5' }, set(accepted_cipher_name_list)) self.assertTrue(plugin_result.accepted_cipher_list) self.assertTrue(plugin_result.rejected_cipher_list) self.assertFalse(plugin_result.errored_cipher_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client provides a client certificate client_creds = ClientAuthenticationCredentials( client_certificate_chain_path=server. get_client_certificate_path(), client_key_path=server.get_client_key_path(), ) server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port, client_auth_credentials=client_creds, ) server_info = server_test.perform() # The plugin works fine plugin = FallbackScsvPlugin() plugin_result = plugin.process_task(server_info, FallbackScsvScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return self.assertFalse(plugin_result.supports_fallback_scsv) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum. REQUIRED) as server: # And the client provides a client certificate client_creds = ClientAuthenticationCredentials( client_certificate_chain_path=server. get_client_certificate_path(), client_key_path=server.get_client_key_path(), ) server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port, client_auth_credentials=client_creds, ) server_info = server_test.perform() # The plugin works fine plugin = SessionRenegotiationPlugin() plugin_result = plugin.process_task( server_info, SessionRenegotiationScanCommand()) self.assertTrue(plugin_result.accepts_client_renegotiation) self.assertTrue(plugin_result.supports_secure_renegotiation) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_required_client_auth(self): # Given a server that requires client authentication with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum. REQUIRED) as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # SSLyze correctly detects that client auth is required self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.REQUIRED)
def test_ccs_injection_bad(self): with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task( server_info, OpenSslCcsInjectionScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_heartbleed_bad(self): with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester(hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_fails_when_client_auth_failed(self): # Given a server that requires client authentication with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum. REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = HttpHeadersPlugin() with self.assertRaises(ClientCertificateRequested): plugin.process_task(server_info, HttpHeadersScanCommand())
def test_fallback_bad(self): with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = FallbackScsvPlugin() plugin_result = plugin.process_task(server_info, FallbackScsvScanCommand()) self.assertFalse(plugin_result.supports_fallback_scsv) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_required_client_auth(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return # SSLyze correctly detects that client auth is required self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.REQUIRED)
def test_sslv2_enabled(self): try: with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Sslv20ScanCommand()) except NotOnLinux64Error: # The test suite only has the vulnerable OpenSSL version compiled for Linux 64 bits logging.warning('WARNING: Not on Linux - skipping test') return # The embedded server does not have a preference self.assertFalse(plugin_result.preferred_cipher) accepted_cipher_name_list = [ cipher.name for cipher in plugin_result.accepted_cipher_list ] self.assertEqual( { 'SSL_CK_RC4_128_EXPORT40_WITH_MD5', 'SSL_CK_IDEA_128_CBC_WITH_MD5', 'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'SSL_CK_RC4_128_WITH_MD5', 'SSL_CK_RC2_128_CBC_WITH_MD5', 'SSL_CK_DES_64_CBC_WITH_MD5' }, set(accepted_cipher_name_list)) self.assertTrue(plugin_result.accepted_cipher_list) self.assertFalse(plugin_result.rejected_cipher_list) self.assertFalse(plugin_result.errored_cipher_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum. REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # OpenSslCipherSuitesPlugin works even when a client cert was not supplied plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Sslv30ScanCommand()) self.assertTrue(plugin_result.accepted_cipher_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_fails_when_client_auth_failed(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = FallbackScsvPlugin() with self.assertRaises(ClientCertificateRequested): plugin.process_task(server_info, FallbackScsvScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_heartbleed_bad(self): try: with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return self.assertTrue(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_fallback_bad(self): try: with VulnerableOpenSslServer() as server: server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() plugin = FallbackScsvPlugin() plugin_result = plugin.process_task(server_info, FallbackScsvScanCommand()) except NotOnLinux64Error: # The test suite only has the vulnerable OpenSSL version compiled for Linux 64 bits logging.warning( 'WARNING: Not on Linux - skipping test_fallback_bad() test') return self.assertFalse(plugin_result.supports_fallback_scsv) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))