def test_ca_file_bad_file(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() with self.assertRaises(ValueError): plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_invalid_chain(self): server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertIsNone(plugin_result.ocsp_response) self.assertEqual(len(plugin_result.certificate_chain), 1) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertFalse(path_validation_result.is_certificate_trusted) self.assertEqual(plugin_result.certificate_included_scts_count, 0) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertIsNone(plugin_result.has_anchor_in_certificate_chain) self.assertIsNone(plugin_result.has_sha1_in_certificate_chain) self.assertFalse(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_https_tunneling(self): # Start a local proxy proxy_port = 8000 p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, )) p.start() try: # Run a scan through the proxy tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port) server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings) # Try to connect to the proxy - retry if the proxy subprocess wasn't ready proxy_connection_attempts = 0 while True: try: server_info.test_connectivity_to_server() break except ServerConnectivityError: if proxy_connection_attempts > 3: raise proxy_connection_attempts += 1 plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) finally: # Kill the local proxy - unclean p.terminate()
def test_valid_chain_with_ev_cert(self): server_info = ServerConnectivityInfo(hostname='www.comodo.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEqual(len(plugin_result.certificate_chain), 3) self.assertEqual(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_valid_chain(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.ocsp_response) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEquals(len(plugin_result.certificate_chain), 2) self.assertEquals(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEquals(len(plugin_result.path_validation_error_list), 0) self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Test the --ca_path option plugin_result = plugin.process_task(server_info, 'certinfo_basic', {'ca_file': os.path.join(os.path.dirname(__file__), 'utils', 'wildcard-self-signed.pem')}) self.assertEquals(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin.process_task(server_info, CertificateInfoScanCommand())
def _get_plugin_result(self, hostname, command=Tlsv12ScanCommand()): server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, command) return plugin_result
def test_synchronous_scanner(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() sync_scanner = SynchronousScanner() plugin_result = sync_scanner.run_scan_command(server_info, CompressionScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_post_handshake_response(self): server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand()) self._test_plugin_outputs(plugin_result)
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS'] self.assertEquals(len(san_list), 1000)
def test_sha256_chain(self): server_info = ServerConnectivityInfo(hostname='sha256.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_hsts_enabled(self): server_info = ServerConnectivityInfo(hostname='hsts.badssl.com') server_info.test_connectivity_to_server() plugin = HstsPlugin() plugin_result = plugin.process_task(server_info, 'hsts') self.assertTrue(plugin_result.hsts_header) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_compression_disabled(self): server_info = ServerConnectivityInfo(hostname=u"www.google.com") server_info.test_connectivity_to_server() plugin = CompressionPlugin() plugin_result = plugin.process_task(server_info, "compression") self.assertFalse(plugin_result.compression_name) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname=u'www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_dh_info(self): server_info = ServerConnectivityInfo(hostname=u'dh480.badssl.com') server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, 'tlsv1') self.assertTrue(plugin_result.preferred_cipher) self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], '480') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') # TODO: Expose has_sha1 as an attribute self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_good(self): server_info = ServerConnectivityInfo(hostname=u'www.google.com') server_info.test_connectivity_to_server() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, 'heartbleed') self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_heartbleed_good(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, 'heartbleed') self.assertFalse(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_good(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) self.assertFalse(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, u'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_compression_disabled(self): server_info = ServerConnectivityInfo(hostname=u'www.google.com') server_info.test_connectivity_to_server() plugin = CompressionPlugin() plugin_result = plugin.process_task(server_info, 'compression') self.assertFalse(plugin_result.compression_name) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_fallback_good(self): server_info = ServerConnectivityInfo(hostname=u'www.google.com') server_info.test_connectivity_to_server() plugin = FallbackScsvPlugin() plugin_result = plugin.process_task(server_info, FallbackScsvScanCommand()) self.assertTrue(plugin_result.supports_fallback_scsv) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_robot_attack_good(self): server_info = ServerConnectivityInfo(hostname='www.facebook.com') server_info.test_connectivity_to_server() plugin = RobotPlugin() plugin_result = plugin.process_task(server_info, RobotScanCommand()) self.assertEqual(plugin_result.robot_result_enum, RobotScanResultEnum.NOT_VULNERABLE_NO_ORACLE) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_fallback_good(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = FallbackScsvPlugin() plugin_result = plugin.process_task(server_info, 'fallback') self.assertTrue(plugin_result.supports_fallback_scsv) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname=u'1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') san_list = plugin_result.certificate_chain[0].as_dict['extensions'][ 'X509v3 Subject Alternative Name']['DNS'] self.assertEquals(len(san_list), 1000)
def https_check(endpoint): logging.debug("sslyzing %s..." % endpoint.url) # remove the https:// from prefix for sslyze hostname = endpoint.url[8:] server_info = ServerConnectivityInfo(hostname=hostname, port=443) try: server_info.test_connectivity_to_server() except sslyze.server_connectivity.ServerConnectivityError: logging.warn("Error in sslyze server connectivity check") return cert_plugin = CertificateInfoPlugin() try: cert_plugin_result = cert_plugin.process_task(server_info, 'certinfo_basic') except nassl._nassl.OpenSSLError: logging.warn("Error in sslyze cert info plugin") return except nassl.x509_certificate.X509HostnameValidationError: logging.warn("Error parsing x.509 certificate.") return try: cert_response = cert_plugin_result.as_text() except TypeError: logging.warn( "sslyze exception parsing issuer, see https://github.com/nabla-c0d3/sslyze/issues/167" ) return # Debugging # for msg in cert_response: # print(msg) # A certificate can have multiple issues. for msg in cert_response: # Check for certificate expiration. if ((("Mozilla NSS CA Store") in msg) and (("FAILED") in msg) and (("certificate has expired") in msg)): endpoint.https_expired_cert = True # Check for whether there's a valid chain to Mozilla. # Note: this will also catch expired certs, but this is okay. if ((("Mozilla NSS CA Store") in msg) and (("FAILED") in msg) and (("Certificate is NOT Trusted") in msg)): endpoint.https_bad_chain = True # Check for whether the hostname validates. if ((("Hostname Validation") in msg) and (("FAILED") in msg) and (("Certificate does NOT match") in msg)): endpoint.https_bad_hostname = True
def test_international_names(self): server_info = ServerConnectivityInfo(hostname='www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname=u'www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha256.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertFalse(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self): server_info = ServerConnectivityInfo(hostname=u'webmail.russia.nasa.gov') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.successful_trust_store.name, u'Microsoft') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_dh_info(self): server_info = ServerConnectivityInfo(hostname=u'dh1024.badssl.com') server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand()) self.assertTrue(plugin_result.preferred_cipher) self.assertEquals(plugin_result.preferred_cipher.dh_info['GroupSize'], u'1024') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_robot_attack_good_boringssl(self): # Validate the bug fix for https://github.com/nabla-c0d3/sslyze/issues/282 server_info = ServerConnectivityInfo(hostname='guide.duo.com') server_info.test_connectivity_to_server() plugin = RobotPlugin() plugin_result = plugin.process_task(server_info, RobotScanCommand()) self.assertEqual(plugin_result.robot_result_enum, RobotScanResultEnum.NOT_VULNERABLE_NO_ORACLE) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): server_info = ServerConnectivityInfo(hostname='client.badssl.com') server_info.test_connectivity_to_server() self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self): server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_renegotiation_good(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = SessionRenegotiationPlugin() plugin_result = plugin.process_task(server_info, 'reneg') self.assertFalse(plugin_result.accepts_client_renegotiation) self.assertTrue(plugin_result.supports_secure_renegotiation) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self): server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_post_handshake_response(self): server_info = ServerConnectivityInfo( hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_renegotiation_good(self): server_info = ServerConnectivityInfo(hostname=u'www.google.com') server_info.test_connectivity_to_server() plugin = SessionRenegotiationPlugin() plugin_result = plugin.process_task(server_info, 'reneg') self.assertFalse(plugin_result.accepts_client_renegotiation) self.assertTrue(plugin_result.supports_secure_renegotiation) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ccs_injection_bad(self): with VulnerableOpenSslServer() as server: server_info = ServerConnectivityInfo(hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info.test_connectivity_to_server() plugin = OpenSslCcsInjectionPlugin() plugin_result = plugin.process_task(server_info, OpenSslCcsInjectionScanCommand()) self.assertTrue(plugin_result.is_vulnerable_to_ccs_injection) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_only_trusted_by_custom_ca_file(self): server_info = ServerConnectivityInfo(hostname=u'self-signed.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'self-signed.badssl.com.pem') plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEqual(plugin_result.successful_trust_store.name, u'Custom --ca_file') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_heartbleed_good(self): server_info = ServerConnectivityInfo(hostname=u'www.google.com') server_info.test_connectivity_to_server() plugin = HeartbleedPlugin() plugin_result = plugin.process_task(server_info, HeartbleedScanCommand()) self.assertFalse(plugin_result.is_vulnerable_to_heartbleed) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_expect_ct_disabled(self): server_info = ServerConnectivityInfo(hostname='hsts.badssl.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertFalse(plugin_result.expect_ct_header) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) self.assertTrue(pickle.dumps(plugin_result))
def test_xmpp_to(self): server_info = ServerConnectivityInfo(hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_info = ServerConnectivityInfo(hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): # The test server no longer works return server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_rc4_md5_cipher_suites(self): server_info = ServerConnectivityInfo(hostname=u'rc4-md5.badssl.com') server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, Tlsv12ScanCommand()) accepted_cipher_name_list = [cipher.name for cipher in plugin_result.accepted_cipher_list] self.assertEquals({'TLS_RSA_WITH_RC4_128_MD5'}, set(accepted_cipher_name_list)) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def retrieve_ssl_vulnerabilities_for_tcp_service( self, org_uuid=None, service_uuid=None, scan_uuid=None, ): """ This performs various SSL vulnerability scans on the tcp service :param org_uuid: The UUID of the organization to collect information on behalf of. :param service_uuid: The UUID of the network service to retrieve the SSL certificate for. :param scan_uuid: The UUID of the network service scan that this SSL certificate retrieval is associated with. :return: None """ ip_address, port, protocol = self.get_endpoint_information(service_uuid) ssl_vulnerabilities_record = SslVulnerabilitiesModel.from_database_model_uuid( uuid=scan_uuid, db_session=self.db_session ) server_info = ServerConnectivityInfo(hostname=ip_address, ip_address=ip_address, port=port) try: server_info.test_connectivity_to_server() except ServerConnectivityError as e: # Could not establish an SSL connection to the server logger.error( "Error making an SSL connection to the server while looking for vulnerabilities, something went really wrong." ) synchronous_scanner = SynchronousScanner() fallback_scsv_command = FallbackScsvScanCommand() fallback_scsv_result = synchronous_scanner.run_scan_command(server_info, fallback_scsv_command) ssl_vulnerabilities_record.supports_fallback_scsv = fallback_scsv_result.supports_fallback_scsv heartbleed_command = HeartbleedScanCommand() heartbleed_result = synchronous_scanner.run_scan_command(server_info, heartbleed_command) ssl_vulnerabilities_record.is_vulnerable_to_heartbleed = heartbleed_result.is_vulnerable_to_heartbleed openssl_css_injection_command = OpenSslCcsInjectionScanCommand() openssl_css_injection_result = synchronous_scanner.run_scan_command(server_info, openssl_css_injection_command) ssl_vulnerabilities_record.is_vulnerable_to_ccs_injection = openssl_css_injection_result.is_vulnerable_to_ccs_injection session_renegotion_command = SessionRenegotiationScanCommand() session_renegotion_result = synchronous_scanner.run_scan_command(server_info, session_renegotion_command) ssl_vulnerabilities_record.accepts_client_renegotiation = session_renegotion_result.accepts_client_renegotiation ssl_vulnerabilities_record.supports_secure_renegotiation = session_renegotion_result.supports_secure_renegotiation session_resumption_support_command = SessionResumptionSupportScanCommand() session_resumption_support_result = synchronous_scanner.run_scan_command(server_info, session_resumption_support_command) ssl_vulnerabilities_record.is_ticket_resumption_supported = session_resumption_support_result.is_ticket_resumption_supported ssl_vulnerabilities_record.save(org_uuid)
def test_resumption(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = SessionResumptionPlugin() plugin_result = plugin.process_task(server_info, 'resum') self.assertTrue(plugin_result.is_ticket_resumption_supported) self.assertTrue(plugin_result.attempted_resumptions_nb) self.assertTrue(plugin_result.successful_resumptions_nb) self.assertFalse(plugin_result.errored_resumptions_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sslv3_disabled(self): server_info = ServerConnectivityInfo(hostname='www.google.com') server_info.test_connectivity_to_server() plugin = OpenSslCipherSuitesPlugin() plugin_result = plugin.process_task(server_info, 'sslv3') self.assertIsNone(plugin_result.preferred_cipher) self.assertFalse(plugin_result.accepted_cipher_list) self.assertTrue(plugin_result.rejected_cipher_list) self.assertFalse(plugin_result.errored_cipher_list) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ca_file(self): server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com') server_info.test_connectivity_to_server() ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'wildcard-self-signed.pem') plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEquals(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == u'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)