def test_ca_file_bad_file(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
with self.assertRaises(ValueError):
plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_invalid_chain(self):
server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertIsNone(plugin_result.ocsp_response)
self.assertEqual(len(plugin_result.certificate_chain), 1)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertFalse(path_validation_result.is_certificate_trusted)
self.assertEqual(plugin_result.certificate_included_scts_count, 0)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertIsNone(plugin_result.has_anchor_in_certificate_chain)
self.assertIsNone(plugin_result.has_sha1_in_certificate_chain)
self.assertFalse(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_https_tunneling(self):
# Start a local proxy
proxy_port = 8000
p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, ))
p.start()
try:
# Run a scan through the proxy
tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port)
server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings)
# Try to connect to the proxy - retry if the proxy subprocess wasn't ready
proxy_connection_attempts = 0
while True:
try:
server_info.test_connectivity_to_server()
break
except ServerConnectivityError:
if proxy_connection_attempts > 3:
raise
proxy_connection_attempts += 1
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
finally:
# Kill the local proxy - unclean
p.terminate()
def test_valid_chain_with_ev_cert(self):
server_info = ServerConnectivityInfo(hostname='www.comodo.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEqual(len(plugin_result.certificate_chain), 3)
self.assertEqual(len(plugin_result.verified_certificate_chain), 3)
self.assertFalse(plugin_result.has_anchor_in_certificate_chain)
self.assertEqual(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEqual(len(plugin_result.path_validation_error_list), 0)
self.assertEqual(plugin_result.certificate_matches_hostname, True)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_valid_chain(self):
server_info = ServerConnectivityInfo(hostname='www.hotmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.ocsp_response)
self.assertTrue(plugin_result.is_ocsp_response_trusted)
self.assertTrue(plugin_result.is_leaf_certificate_ev)
self.assertEquals(len(plugin_result.certificate_chain), 2)
self.assertEquals(len(plugin_result.path_validation_result_list), 5)
for path_validation_result in plugin_result.path_validation_result_list:
self.assertTrue(path_validation_result.is_certificate_trusted)
self.assertEquals(len(plugin_result.path_validation_error_list), 0)
self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN)
self.assertTrue(plugin_result.is_certificate_chain_order_valid)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Test the --ca_path option
plugin_result = plugin.process_task(server_info, 'certinfo_basic',
{'ca_file': os.path.join(os.path.dirname(__file__), 'utils',
'wildcard-self-signed.pem')})
self.assertEquals(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == 'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin.process_task(server_info, CertificateInfoScanCommand())
def _get_plugin_result(self, hostname, command=Tlsv12ScanCommand()):
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, command)
return plugin_result
def test_synchronous_scanner(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
sync_scanner = SynchronousScanner()
plugin_result = sync_scanner.run_scan_command(server_info, CompressionScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_post_handshake_response(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self._test_plugin_outputs(plugin_result)
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS']
self.assertEquals(len(san_list), 1000)
def test_sha256_chain(self):
server_info = ServerConnectivityInfo(hostname='sha256.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_hsts_enabled(self):
server_info = ServerConnectivityInfo(hostname='hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HstsPlugin()
plugin_result = plugin.process_task(server_info, 'hsts')
self.assertTrue(plugin_result.hsts_header)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_compression_disabled(self):
server_info = ServerConnectivityInfo(hostname=u"www.google.com")
server_info.test_connectivity_to_server()
plugin = CompressionPlugin()
plugin_result = plugin.process_task(server_info, "compression")
self.assertFalse(plugin_result.compression_name)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname=u'www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname=u'dh480.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'tlsv1')
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], '480')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
# TODO: Expose has_sha1 as an attribute
self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text()))
self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_good(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, 'heartbleed')
self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_hsts_enabled(self):
server_info = ServerConnectivityInfo(hostname='hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HstsPlugin()
plugin_result = plugin.process_task(server_info, 'hsts')
self.assertTrue(plugin_result.hsts_header)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_heartbleed_good(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info, 'heartbleed')
self.assertFalse(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_good(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_international_names(self):
server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, u'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_compression_disabled(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = CompressionPlugin()
plugin_result = plugin.process_task(server_info, 'compression')
self.assertFalse(plugin_result.compression_name)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self):
server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_fallback_good(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = FallbackScsvPlugin()
plugin_result = plugin.process_task(server_info, FallbackScsvScanCommand())
self.assertTrue(plugin_result.supports_fallback_scsv)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_robot_attack_good(self):
server_info = ServerConnectivityInfo(hostname='www.facebook.com')
server_info.test_connectivity_to_server()
plugin = RobotPlugin()
plugin_result = plugin.process_task(server_info, RobotScanCommand())
self.assertEqual(plugin_result.robot_result_enum, RobotScanResultEnum.NOT_VULNERABLE_NO_ORACLE)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_robot_attack_good(self):
server_info = ServerConnectivityInfo(hostname='www.facebook.com')
server_info.test_connectivity_to_server()
plugin = RobotPlugin()
plugin_result = plugin.process_task(server_info, RobotScanCommand())
self.assertEqual(plugin_result.robot_result_enum, RobotScanResultEnum.NOT_VULNERABLE_NO_ORACLE)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_fallback_good(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = FallbackScsvPlugin()
plugin_result = plugin.process_task(server_info, 'fallback')
self.assertTrue(plugin_result.supports_fallback_scsv)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self):
# Ensure SSLyze can process a leaf cert with 1000 SANs
server_info = ServerConnectivityInfo(hostname=u'1000-sans.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
san_list = plugin_result.certificate_chain[0].as_dict['extensions'][
'X509v3 Subject Alternative Name']['DNS']
self.assertEquals(len(san_list), 1000)
def https_check(endpoint):
logging.debug("sslyzing %s..." % endpoint.url)
# remove the https:// from prefix for sslyze
hostname = endpoint.url[8:]
server_info = ServerConnectivityInfo(hostname=hostname, port=443)
try:
server_info.test_connectivity_to_server()
except sslyze.server_connectivity.ServerConnectivityError:
logging.warn("Error in sslyze server connectivity check")
return
cert_plugin = CertificateInfoPlugin()
try:
cert_plugin_result = cert_plugin.process_task(server_info,
'certinfo_basic')
except nassl._nassl.OpenSSLError:
logging.warn("Error in sslyze cert info plugin")
return
except nassl.x509_certificate.X509HostnameValidationError:
logging.warn("Error parsing x.509 certificate.")
return
try:
cert_response = cert_plugin_result.as_text()
except TypeError:
logging.warn(
"sslyze exception parsing issuer, see https://github.com/nabla-c0d3/sslyze/issues/167"
)
return
# Debugging
# for msg in cert_response:
# print(msg)
# A certificate can have multiple issues.
for msg in cert_response:
# Check for certificate expiration.
if ((("Mozilla NSS CA Store") in msg) and (("FAILED") in msg)
and (("certificate has expired") in msg)):
endpoint.https_expired_cert = True
# Check for whether there's a valid chain to Mozilla.
# Note: this will also catch expired certs, but this is okay.
if ((("Mozilla NSS CA Store") in msg) and (("FAILED") in msg)
and (("Certificate is NOT Trusted") in msg)):
endpoint.https_bad_chain = True
# Check for whether the hostname validates.
if ((("Hostname Validation") in msg) and (("FAILED") in msg)
and (("Certificate does NOT match") in msg)):
endpoint.https_bad_hostname = True
def test_international_names(self):
server_info = ServerConnectivityInfo(hostname='www.sociétégénérale.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self):
server_info = ServerConnectivityInfo(hostname=u'www.verizon.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_anchor_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self):
server_info = ServerConnectivityInfo(hostname=u'sha256.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertFalse(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self):
server_info = ServerConnectivityInfo(hostname=u'webmail.russia.nasa.gov')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEqual(plugin_result.successful_trust_store.name, u'Microsoft')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']:
server_info = ServerConnectivityInfo(hostname=hostname)
server_info.test_connectivity_to_server()
self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_dh_info(self):
server_info = ServerConnectivityInfo(hostname=u'dh1024.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.preferred_cipher)
self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], u'1024')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_robot_attack_good_boringssl(self):
# Validate the bug fix for https://github.com/nabla-c0d3/sslyze/issues/282
server_info = ServerConnectivityInfo(hostname='guide.duo.com')
server_info.test_connectivity_to_server()
plugin = RobotPlugin()
plugin_result = plugin.process_task(server_info, RobotScanCommand())
self.assertEqual(plugin_result.robot_result_enum, RobotScanResultEnum.NOT_VULNERABLE_NO_ORACLE)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self):
server_info = ServerConnectivityInfo(hostname='client.badssl.com')
server_info.test_connectivity_to_server()
self.assertEqual(server_info.client_auth_requirement,
ClientAuthenticationServerConfigurationEnum.OPTIONAL)
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info,
CertificateInfoScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_renegotiation_good(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = SessionRenegotiationPlugin()
plugin_result = plugin.process_task(server_info, 'reneg')
self.assertFalse(plugin_result.accepts_client_renegotiation)
self.assertTrue(plugin_result.supports_secure_renegotiation)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self):
server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_smtp_post_handshake_response(self):
server_info = ServerConnectivityInfo(
hostname='smtp.gmail.com',
port=587,
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_renegotiation_good(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = SessionRenegotiationPlugin()
plugin_result = plugin.process_task(server_info, 'reneg')
self.assertFalse(plugin_result.accepts_client_renegotiation)
self.assertTrue(plugin_result.supports_secure_renegotiation)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_bad(self):
with VulnerableOpenSslServer() as server:
server_info = ServerConnectivityInfo(hostname=server.hostname, ip_address=server.ip_address,
port=server.port)
server_info.test_connectivity_to_server()
plugin = OpenSslCcsInjectionPlugin()
plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand())
self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_only_trusted_by_custom_ca_file(self):
server_info = ServerConnectivityInfo(hostname=u'self-signed.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'self-signed.badssl.com.pem')
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEqual(plugin_result.successful_trust_store.name, u'Custom --ca_file')
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_heartbleed_good(self):
server_info = ServerConnectivityInfo(hostname=u'www.google.com')
server_info.test_connectivity_to_server()
plugin = HeartbleedPlugin()
plugin_result = plugin.process_task(server_info,
HeartbleedScanCommand())
self.assertFalse(plugin_result.is_vulnerable_to_heartbleed)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_expect_ct_disabled(self):
server_info = ServerConnectivityInfo(hostname='hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
self.assertFalse(plugin_result.expect_ct_header)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
self.assertTrue(pickle.dumps(plugin_result))
def test_xmpp_to(self):
server_info = ServerConnectivityInfo(hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self):
server_info = ServerConnectivityInfo(hostname='talk.google.com',
tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP,
xmpp_to_hostname='gmail.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, 'certinfo_basic')
self.assertEquals(len(plugin_result.certificate_chain), 3)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self):
# The test server no longer works
return
server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com')
server_info.test_connectivity_to_server()
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand())
self.assertTrue(plugin_result.has_sha1_in_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_rc4_md5_cipher_suites(self):
server_info = ServerConnectivityInfo(hostname=u'rc4-md5.badssl.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand())
accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list]
self.assertEquals({'TLS_RSA_WITH_RC4_128_MD5'},
set(accepted_cipher_name_list))
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def retrieve_ssl_vulnerabilities_for_tcp_service(
self,
org_uuid=None,
service_uuid=None,
scan_uuid=None,
):
"""
This performs various SSL vulnerability scans on the tcp service
:param org_uuid: The UUID of the organization to collect information on behalf of.
:param service_uuid: The UUID of the network service to retrieve the SSL certificate for.
:param scan_uuid: The UUID of the network service scan that this SSL certificate retrieval is associated
with.
:return: None
"""
ip_address, port, protocol = self.get_endpoint_information(service_uuid)
ssl_vulnerabilities_record = SslVulnerabilitiesModel.from_database_model_uuid(
uuid=scan_uuid,
db_session=self.db_session
)
server_info = ServerConnectivityInfo(hostname=ip_address, ip_address=ip_address, port=port)
try:
server_info.test_connectivity_to_server()
except ServerConnectivityError as e:
# Could not establish an SSL connection to the server
logger.error(
"Error making an SSL connection to the server while looking for vulnerabilities, something went really wrong."
)
synchronous_scanner = SynchronousScanner()
fallback_scsv_command = FallbackScsvScanCommand()
fallback_scsv_result = synchronous_scanner.run_scan_command(server_info, fallback_scsv_command)
ssl_vulnerabilities_record.supports_fallback_scsv = fallback_scsv_result.supports_fallback_scsv
heartbleed_command = HeartbleedScanCommand()
heartbleed_result = synchronous_scanner.run_scan_command(server_info, heartbleed_command)
ssl_vulnerabilities_record.is_vulnerable_to_heartbleed = heartbleed_result.is_vulnerable_to_heartbleed
openssl_css_injection_command = OpenSslCcsInjectionScanCommand()
openssl_css_injection_result = synchronous_scanner.run_scan_command(server_info, openssl_css_injection_command)
ssl_vulnerabilities_record.is_vulnerable_to_ccs_injection = openssl_css_injection_result.is_vulnerable_to_ccs_injection
session_renegotion_command = SessionRenegotiationScanCommand()
session_renegotion_result = synchronous_scanner.run_scan_command(server_info, session_renegotion_command)
ssl_vulnerabilities_record.accepts_client_renegotiation = session_renegotion_result.accepts_client_renegotiation
ssl_vulnerabilities_record.supports_secure_renegotiation = session_renegotion_result.supports_secure_renegotiation
session_resumption_support_command = SessionResumptionSupportScanCommand()
session_resumption_support_result = synchronous_scanner.run_scan_command(server_info, session_resumption_support_command)
ssl_vulnerabilities_record.is_ticket_resumption_supported = session_resumption_support_result.is_ticket_resumption_supported
ssl_vulnerabilities_record.save(org_uuid)
def test_resumption(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = SessionResumptionPlugin()
plugin_result = plugin.process_task(server_info, 'resum')
self.assertTrue(plugin_result.is_ticket_resumption_supported)
self.assertTrue(plugin_result.attempted_resumptions_nb)
self.assertTrue(plugin_result.successful_resumptions_nb)
self.assertFalse(plugin_result.errored_resumptions_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_sslv3_disabled(self):
server_info = ServerConnectivityInfo(hostname='www.google.com')
server_info.test_connectivity_to_server()
plugin = OpenSslCipherSuitesPlugin()
plugin_result = plugin.process_task(server_info, 'sslv3')
self.assertIsNone(plugin_result.preferred_cipher)
self.assertFalse(plugin_result.accepted_cipher_list)
self.assertTrue(plugin_result.rejected_cipher_list)
self.assertFalse(plugin_result.errored_cipher_list)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_ca_file(self):
server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com')
server_info.test_connectivity_to_server()
ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'wildcard-self-signed.pem')
plugin = CertificateInfoPlugin()
plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path))
self.assertEquals(len(plugin_result.path_validation_result_list), 6)
for path_validation_result in plugin_result.path_validation_result_list:
if path_validation_result.trust_store.name == u'Custom --ca_file':
self.assertFalse(path_validation_result.is_certificate_trusted)
else:
self.assertTrue(path_validation_result.is_certificate_trusted)
