def test_ca_file_bad_file(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
with self.assertRaises(ValueError):
plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_valid_chain(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.ocsp_response)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEquals(len(plugin_result.certificate_chain), 2)
self.assertEquals(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEquals(len(plugin_result.path_validation_error_list), 0)
self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Test the --ca_path option
plugin_result = plugin.process_task(server_info, 'certinfo_basic',
{'ca_file': os.path.join(os.path.dirname(__file__), 'utils',
'wildcard-self-signed.pem')})
self.assertEquals(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin.process_task(server_info, CertificateInfoScanCommand())
def test_https_tunneling(self):
# Start a local proxy
proxy_port = 8000
p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, ))
p.start()
try:
# Run a scan through the proxy
tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port)
server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings)
# Try to connect to the proxy - retry if the proxy subprocess wasn't ready
proxy_connection_attempts = 0
while True:
try:
server_info.test_connectivity_to_server()
break
except ServerConnectivityError:
if proxy_connection_attempts > 3:
raise
proxy_connection_attempts += 1
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
finally:
# Kill the local proxy - unclean
p.terminate()
def test_valid_chain_with_ev_cert(self):
server_info = ServerConnectivityInfo(hostname='www.comodo.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEqual(len(plugin_result.certificate_chain), 3)
self.assertEqual(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self):
server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertIsNone(plugin_result.ocsp_response)
self.assertEqual(len(plugin_result.certificate_chain), 1)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertFalse(path_validation_result.is_certificate_trusted)
self.assertEqual(plugin_result.certificate_included_scts_count, 0)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertIsNone(plugin_result.has_anchor_in_certificate_chain)
self.assertIsNone(plugin_result.has_sha1_in_certificate_chain)
self.assertFalse(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS']
self.assertEquals(len(san_list), 1000)
def test_optional_client_authentication(self):
server_test = ServerConnectivityTester(hostname='client.badssl.com')
server_info = server_test.perform()
self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self):
server_info = ServerConnectivityInfo(hostname='sha256.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname=u'www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, u'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ipv6(self):
server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
# TODO: Expose has_sha1 as an attribute
self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ipv6(self):
server_test = ServerConnectivityTester(
hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_test = ServerConnectivityTester(
hostname='www.sociétégénérale.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(
hostname='sha1-intermediate.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_info = ServerConnectivityInfo(hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_info = ServerConnectivityInfo(
hostname='www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertEqual(len(plugin_result.certificate_chain), 2)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(
server_info.client_auth_requirement,
ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_info = ServerConnectivityInfo(hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self):
server_info = ServerConnectivityInfo(hostname='no-subject.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self):
server_info = ServerConnectivityInfo(hostname='webmail.russia.nasa.gov')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.successful_trust_store.name, 'Windows')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_chain_with_anchor(self):
server_test = ServerConnectivityTester(hostname='www.verizon.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self):
server_info = ServerConnectivityInfo(hostname='www.cloudflare.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self):
server_test = ServerConnectivityTester(hostname='www.apple.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.leaf_certificate_signed_certificate_timestamps_count > 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_unicode_certificate(self):
server_test = ServerConnectivityTester(hostname='เพย์สบาย.th')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem')
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEqual(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_sha256_chain(self):
server_test = ServerConnectivityTester(hostname='sha256.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert not plugin_result.verified_chain_has_sha1_signature
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_unicode_certificate(self):
server_test = ServerConnectivityTester(hostname='เพย์สบาย.th')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert len(plugin_result.received_certificate_chain) >= 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_starttls(self):
for hostname, protocol in [('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP),
('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3),
('ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP),
('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER)]:
server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_test = ServerConnectivityTester(hostname='www.verizon.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.received_chain_contains_anchor_certificate
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_ca_file(self):
server_test = ServerConnectivityTester(hostname='www.hotmail.com')
server_info = server_test.perform()
ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem')
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
assert len(plugin_result.path_validation_result_list) >= 6
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
assert not path_validation_result.was_validation_successful
else:
assert path_validation_result.was_validation_successful
def test_certificate_with_scts(self):
server_info = ServerConnectivityInfo(hostname='www.apple.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.certificate_included_scts_count, 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self):
server_test = ServerConnectivityTester(hostname='www.cloudflare.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_smtp_custom_port(self):
server_info = ServerConnectivityInfo(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self):
server_test = ServerConnectivityTester(hostname='no-subject.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self):
server_test = ServerConnectivityTester(hostname='www.apple.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreater(plugin_result.certificate_included_scts_count, 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self):
server_test = ServerConnectivityTester(hostname='webmail.russia.nasa.gov')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.successful_trust_store.name, 'Windows')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self):
server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com')
server_info.test_connectivity_to_server()
ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'wildcard-self-signed.pem')
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEquals(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == u'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_starttls(self):
for hostname, protocol in [('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP),
('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3),
('ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP),
('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER)]:
server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
# The test server no longer works
return
server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def concurrent_scan(site_info):
# Setup the server to scan and ensure it is online/reachable
server_info = server_connectivity_tester(site_info.name)
if server_info:
synchronous_scanner = SynchronousScanner()
cert_info_plugin = CertificateInfoPlugin()
plugin_result = cert_info_plugin.process_task(
server_info, CertificateInfoScanCommand())
#not plugin_result.verified_certificate_chain or
#not plugin_result.leaf_certificate_subject_matches_hostname some sites' certs CN is with "www." so the result here is false
if plugin_result.verified_certificate_chain and site_info.name not in str(
plugin_result.verified_certificate_chain[0].subject):
site_info.cert_trusted = "False"
print("not trusted: " + site_info.name)
print(plugin_result.__dict__)
# elif not plugin_result.verified_certificate_chain:
# site_info.cert_trusted = "False"
# print("not trusted: " + site_info.name)
# print(plugin_result.__dict__)
else:
site_info.cert_trusted = "True"
scan_result1 = synchronous_scanner.run_scan_command(
server_info, Sslv20ScanCommand())
if len(scan_result1.accepted_cipher_list) > 0:
site_info.sslv2 = "True"
scan_result2 = synchronous_scanner.run_scan_command(
server_info, Sslv30ScanCommand())
if len(scan_result2.accepted_cipher_list) > 0:
site_info.sslv3 = "True"
scan_result3 = synchronous_scanner.run_scan_command(
server_info, Tlsv10ScanCommand())
if len(scan_result3.accepted_cipher_list) > 0:
site_info.tlsv1 = "True"
scan_result4 = synchronous_scanner.run_scan_command(
server_info, Tlsv11ScanCommand())
if len(scan_result4.accepted_cipher_list) > 0:
site_info.tlsv11 = "True"
scan_result5 = synchronous_scanner.run_scan_command(
server_info, Tlsv12ScanCommand())
if len(scan_result5.accepted_cipher_list) > 0:
site_info.tlsv12 = "True"
scan_result6 = synchronous_scanner.run_scan_command(
server_info, Tlsv13ScanCommand())
if len(scan_result6.accepted_cipher_list) > 0:
site_info.tlsv13 = "True"
recheck_cert(site_info)
def test_ipv6(self):
if not self._is_ipv6_available():
logging.warning('WARNING: IPv6 not available - skipping test')
return
server_info = ServerConnectivityInfo(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_test = ServerConnectivityTester(
hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com'
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self):
server_test = ServerConnectivityTester(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_test = ServerConnectivityTester(
hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com'
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert len(plugin_result.received_certificate_chain) >= 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_smtp_custom_port(self):
server_test = ServerConnectivityTester(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP
)
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert len(plugin_result.received_certificate_chain) >= 1
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname='เพย์สบาย.th')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertGreaterEqual(len(plugin_result.certificate_chain), 1)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname='www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_only_trusted_by_custom_ca_file(self):
server_test = ServerConnectivityTester(hostname='self-signed.badssl.com')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'self-signed.badssl.com.pem')
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEqual(plugin_result.successful_trust_store.name, 'Custom --ca_file')
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self):
for hostname, protocol in [
('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP),
('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3),
('ldap.uchicago.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP),
('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER),
# Some Heroku Postgres instance I created
('ec2-54-75-226-17.eu-west-1.compute.amazonaws.com', TlsWrappedProtocolEnum.STARTTLS_POSTGRES)
]:
server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_valid_chain_with_ocsp_stapling_and_must_staple(self):
server_test = ServerConnectivityTester(hostname='www.scotthelme.co.uk')
server_info = server_test.perform()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.ocsp_response)
self.assertEqual(plugin_result.ocsp_response_status, OcspResponseStatusEnum.SUCCESSFUL)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertTrue(plugin_result.certificate_has_must_staple_extension)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self):
for hostname, protocol in [(u'imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP),
(u'pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3),
(u'ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP),
(u'jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER),
# Some Heroku Postgres instance I created
('ec2-54-235-80-86.compute-1.amazonaws.com', TlsWrappedProtocolEnum.STARTTLS_POSTGRES)]:
server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_succeeds_when_client_auth_failed(self):
# Given a server that requires client authentication
with ModernOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# CertificateInfoPlugin works even when a client cert was not supplied
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
assert plugin_result.received_certificate_chain
assert plugin_result.as_text()
assert plugin_result.as_xml()
