def test_tls_connect_revoked(self):
if _backend == 'mac':
from oscrypto._mac._security import osx_version_info
# macOS 10.12 will read the OCSP Staple response and raise a revoked
# error, even though we have revocation checking disabled
if osx_version_info >= (10, 12):
with assert_exception(self, errors.TLSError, 'revoked'):
tls.TLSSocket('revoked.grc.com', 443)
return
tls.TLSSocket('revoked.grc.com', 443)
def test_tls_error_expired_2(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
# This test allows past or future since cert is 1963, which some systems
# will intepret as 2063
with assert_exception(self, errors.TLSVerificationError,
'certificate expired|not valid until'):
tls.TLSSocket('expired-1963.badtls.io', 11000, session=session)
def test_tls_error_wildcard_mismatch(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSVerificationError,
'does not match'):
tls.TLSSocket('wildcard.mismatch.badtls.io',
11007,
session=session)
def tls_connect(self, hostname):
connection = tls.TLSSocket(hostname, 443)
self.assertIsInstance(connection.cipher_suite, str_cls)
self.assertIsInstance(connection.certificate, x509.Certificate)
self.assertLess(10, len(connection.cipher_suite))
connection.write(b'GET / HTTP/1.1\r\nHost: ' + hostname.encode('utf-8') + b'\r\n\r\n')
html = connection.read_until(b'</html>')
self.assertIn(b'</html>', html)
def test_tls_error_weak_dh_params(self):
# badssl.com uses SNI, which Windows XP does not support
regex = 'weak DH parameters' if not xp else 'self-signed'
# ideally we would use badtls.io since that does not require SNI, however
# it is not possible to force a good version of OpenSSL to use such a
# small value for DH params, and I don't feel like the headache of trying
# to get an old, staticly-linked socat set up just for this text on XP
with assert_exception(self, errors.TLSError, regex):
tls.TLSSocket('dh512.badssl.com', 443)
def test_tls_error_ftp(self):
s = None
try:
def_timeout = socket.getdefaulttimeout()
socket.setdefaulttimeout(5)
s = make_socket_server(8021, lambda s, d: s.send(b'220 Welcome to FooFTP\n'))
with assert_exception(self, errors.TLSError, 'remote end closed the connection|server responded using FTP'):
tls.TLSSocket('localhost', 8021)
finally:
if s:
s.close()
socket.setdefaulttimeout(def_timeout)
def tls_connect(self, hostname, port):
session = None
if hostname == 'dh1024.badtls.io':
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
connection = tls.TLSSocket(hostname, port, session=session)
self.assertEqual(hostname, connection.hostname)
self.assertIsInstance(connection.hostname, str_cls)
self.assertIsInstance(connection.cipher_suite, str_cls)
self.assertIsInstance(connection.certificate, x509.Certificate)
self.assertLess(10, len(connection.cipher_suite))
self.assertEqual(port, connection.port)
connection.write(b'GET / HTTP/1.1\r\nHost: ' + hostname.encode('utf-8') + b'\r\n\r\n')
html = connection.read_until(re.compile(b'</html>', re.I))
self.assertNotEqual(None, re.search(b'</html>', html, re.I))
def ensure_connected(self):
"""
Make sure a valid tls.TLSSocket() is open to the server
:return:
A boolean indicating if the connection was reused
"""
if self.socket:
return True
host, port = self.url_info
session = tls.TLSSession()
self.socket = tls.TLSSocket(host, port, timeout=self.timeout, session=session)
return False
def test_tls_error_san_mismatch(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
with self.assertRaisesRegexp(errors.TLSVerificationError, 'does not match'):
tls.TLSSocket('test3.tls-o-matic.com', 403, session=session)
def test_tls_error_expired(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSVerificationError,
'certificate expired'):
tls.TLSSocket('expired.badtls.io', 11006, session=session)
def test_tls_error_self_signed(self):
with assert_exception(self, errors.TLSVerificationError,
'self-signed'):
tls.TLSSocket('self-signed.badssl.com', 443)
def test_tls_error_client_cert_required(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
with self.assertRaisesRegexp(errors.TLSError, 'client authentication'):
tls.TLSSocket('test8.tls-o-matic.com', 408, session=session)
def test_tls_wildcard_success(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
tls.TLSSocket('test4.tls-o-matic.com', 404, session=session)
tls.TLSSocket('test4test.tls-o-matic.com', 404, session=session)
def test_tls_extra_trust_roots(self):
session = tls.TLSSession(
extra_trust_roots=[badtls_ca_path, digicert_ca_path])
tls.TLSSocket('domain-match.badtls.io', 10000, session=session)
def run():
"""
Runs through TLS hosts in the Alexa top 1000 to test TLS functionality
:return:
A bool - if the test succeeded without any socket errors
"""
task_start = time.time()
success = 0
tls_errors = 0
socket_errors = 0
mismatch_info = []
context = ValidationContext(allow_fetching=True)
with open(os.path.join(fixtures_dir, 'alexa_top_1000.csv'), 'rb') as f:
for line in f:
domain = line.decode('utf-8').rstrip()
os_result = None
cv_result = None
os_message = None
cv_message = None
try:
os_start = time.time()
con = tls.TLSSocket(domain, 443, timeout=3)
con.close()
success += 1
os_result = 'OK'
os_message = 'Success'
_color('green', 'OK', domain, os_start)
except (TLSVerificationError) as e:
tls_errors += 1
os_result = 'TLS'
os_message = str_cls(e)
_color('yellow', 'TLS', domain, os_start, str_cls(e))
except (socket.error) as e:
socket_errors += 1
os_result = 'SOCK'
os_message = str_cls(e)
_color('red', 'SOCK', domain, os_start, str_cls(e))
try:
cv_start = time.time()
session = tls.TLSSession(manual_validation=True)
con = tls.TLSSocket(domain, 443, timeout=3, session=session)
validator = CertificateValidator(con.certificate,
con.intermediates, context)
validator.validate_tls(domain)
con.close()
success += 1
cv_result = 'OK'
cv_message = 'Success'
_color('green', 'OK', domain, cv_start)
except (PathValidationError, PathBuildingError) as e:
tls_errors += 1
cv_result = 'TLS'
cv_message = str_cls(e)
_color('yellow', 'TLS', domain, cv_start, str_cls(e))
except (socket.error) as e:
socket_errors += 1
cv_result = 'SOCK'
cv_message = str_cls(e)
_color('red', 'SOCK', domain, cv_start, str_cls(e))
if os_result != cv_result:
mismatch_info.append(
[domain, os_result, os_message, cv_result, cv_message])
total_time = time.time() - task_start
total_domains = success + tls_errors + socket_errors
stats = []
if success > 0:
stats.append('%d [%sOK%s]' % (success, Fore.GREEN, Fore.RESET))
if tls_errors > 0:
stats.append('%d [%sTLS%s]' % (tls_errors, Fore.YELLOW, Fore.RESET))
if socket_errors > 0:
stats.append('%d [%sSOCK%s]' % (socket_errors, Fore.RED, Fore.RESET))
print('')
print('Checked %d domains in %.3f seconds - %s' %
(total_domains, total_time, ' '.join(stats)))
if mismatch_info:
print('')
for info in mismatch_info:
os_result = '[%s] %s' % (info[1], info[2])
cv_result = '[%s] %s' % (info[3], info[4])
_color(
'red', 'DIFF',
'oscrypto and certvalidator results for %s are different' %
info[0], None, os_result, cv_result)
return socket_errors == 0
def test_tls_error_missing_issuer(self):
expected = 'certificate issuer not found in trusted root certificate store'
with self.assertRaisesRegexp(errors.TLSVerificationError, expected):
tls.TLSSocket('test1.tls-o-matic.com', 443)
def test_tls_error_not_yet_valid(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
with self.assertRaisesRegexp(errors.TLSVerificationError, 'not valid until'):
tls.TLSSocket('test5.tls-o-matic.com', 405, session=session)
def test_tls_error_missing_issuer(self):
expected = 'certificate issuer not found in trusted root certificate store'
with assert_exception(self, errors.TLSVerificationError, expected):
tls.TLSSocket('domain-match.badtls.io', 10000)
def test_tls_wildcard_success(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
tls.TLSSocket('wildcard-match.badtls.io', 10001, session=session)
def test_tls_error_http(self):
with assert_exception(self, errors.TLSError,
'server responded using HTTP'):
tls.TLSSocket('www.google.com', 80)
def test_tls_error_expired_2(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
# This test allows past or future since cert is 1963, which some systems
# will intepret as 2063
with self.assertRaisesRegexp(errors.TLSVerificationError, 'certificate expired|not valid until'):
tls.TLSSocket('test6.tls-o-matic.com', 406, session=session)
def test_tls_error_missing_issuer_2(self):
session = tls.TLSSession(extra_trust_roots=[tls_o_matic_ca_path])
expected = 'certificate issuer not found in trusted root certificate store'
with self.assertRaisesRegexp(errors.TLSVerificationError, expected):
tls.TLSSocket('test7.tls-o-matic.com', 407, session=session)
def test_tls_error_handshake_error_2(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSError, 'TLS handshake failed'):
tls.TLSSocket('rc4.badtls.io', 11008, session=session)
def test_tls_error_client_cert_required(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSError, 'client authentication'):
tls.TLSSocket('required-auth.badtls.io', 10003, session=session)
def test_tls_extra_trust_roots_no_match(self):
expected = 'certificate issuer not found in trusted root certificate store'
with assert_exception(self, errors.TLSVerificationError, expected):
session = tls.TLSSession(extra_trust_roots=[digicert_ca_path])
tls.TLSSocket('domain-match.badtls.io', 10000, session=session)
def test_tls_error_handshake_error_3(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSError,
'weak certificate signature algorithm'):
tls.TLSSocket('weak-sig.badtls.io', 11004, session=session)
def test_tls_protocol_version(self):
session = tls.TLSSession(set(['TLSv1', 'TLSv1.1']))
with assert_exception(self, errors.TLSError,
'TLS handshake failed - protocol version error'):
tls.TLSSocket('github.com', 443, session=session)
def test_tls_error_non_web(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSVerificationError,
'verification failed'):
tls.TLSSocket('bad-key-usage.badtls.io', 11005, session=session)
def test_tls_error_not_yet_valid(self):
session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
with assert_exception(self, errors.TLSVerificationError,
'not valid until'):
tls.TLSSocket('future.badtls.io', 11001, session=session)
def test_tls_error_ftp(self):
with assert_exception(
self, errors.TLSError,
'remote end closed the connection|server responded using FTP'):
tls.TLSSocket('ftp.debian.org', 21)
