|
|
|
@ -17,22 +17,108 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
it 'must detect RSA certificate' do |
|
|
|
|
tls_serv material: [[:rsa, 1024]] do |
|
|
|
|
certs = server.certs.collect &:fingerprint |
|
|
|
|
expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71' |
|
|
|
|
expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect ECDSA certificate' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]] do |
|
|
|
|
certs = server.certs.collect &:fingerprint |
|
|
|
|
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06' |
|
|
|
|
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect RSA and ECDSA certificates' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do |
|
|
|
|
certs = server.certs.collect &:fingerprint |
|
|
|
|
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06', |
|
|
|
|
'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71' |
|
|
|
|
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06 |
|
|
|
|
a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#md5_sign?' do |
|
|
|
|
it 'must detect server using MD5 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.md5_sign?).to be false |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:md5, [:rsa, 1024]] do |
|
|
|
|
expect(server.md5_sign?).to be true |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#sha1_sign?' do |
|
|
|
|
it 'must detect server using SHA1 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.sha1_sign?).to be false |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:sha1, [:rsa, 1024]] do |
|
|
|
|
expect(server.sha1_sign?).to be true |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#sha2_sign?' do |
|
|
|
|
it 'must detect server using SHA2 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.sha2_sign?).to be true |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:md5, :sha1] do |
|
|
|
|
expect(server.sha2_sign?).to be false |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#supported_methods' do |
|
|
|
|
it 'must detect SSLv2' do |
|
|
|
|
tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [], |
|
|
|
|
ciphers: %w(RC4-MD5) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(SSLv2) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect SSLv3' do |
|
|
|
|
tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]], |
|
|
|
|
ciphers: %w(ECDHE-RSA-AES128-SHA) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(SSLv3) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect TLSv1.0' do |
|
|
|
|
tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]], |
|
|
|
|
ciphers: %w(ECDHE-RSA-AES128-SHA) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(TLSv1) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect TLSv1.1' do |
|
|
|
|
tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]], |
|
|
|
|
ciphers: %w(ECDHE-RSA-AES128-SHA) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(TLSv1_1) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect TLSv1.2' do |
|
|
|
|
tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]], |
|
|
|
|
ciphers: %w(ECDHE-RSA-AES128-SHA) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(TLSv1_2) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect mixed methods' do |
|
|
|
|
tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]], |
|
|
|
|
ciphers: %w(ECDHE-RSA-AES128-SHA) do |
|
|
|
|
methods = server.supported_methods.collect &:name |
|
|
|
|
expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2) |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
@ -46,7 +132,7 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect supported curves for RSA' do |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1) do |
|
|
|
|
curves = server.supported_curves.collect &:name |
|
|
|
|
expect(curves).to contain_exactly :prime256v1, :sect571r1 |
|
|
|
@ -54,7 +140,7 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect supported curves from ECDSA' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1), server_preference: false do |
|
|
|
|
curves = server.supported_curves.collect &:name |
|
|
|
|
expect(curves).to contain_exactly :prime256v1 |
|
|
|
@ -62,7 +148,7 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must detect supported curves from ECDSA and ECDHE' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: false do |
|
|
|
|
curves = server.supported_curves.collect &:name |
|
|
|
|
expect(curves).to contain_exactly :prime256v1, :sect571r1 |
|
|
|
@ -71,13 +157,13 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
|
|
|
|
|
# No luck here :'( |
|
|
|
|
it 'can\'t detect supported curves from ECDHE if server preference enforced' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: true do |
|
|
|
|
curves = server.supported_curves.collect &:name |
|
|
|
|
expect(curves).to contain_exactly :prime256v1 |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(sect571r1 prime256v1), server_preference: true do |
|
|
|
|
curves = server.supported_curves.collect &:name |
|
|
|
|
expect(curves).to contain_exactly :prime256v1, :sect571r1 |
|
|
|
@ -101,13 +187,13 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report N/A if a single curve on RSA' do |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1), server_preference: true do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be_nil |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be_nil |
|
|
|
@ -115,13 +201,13 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report server preference if server preference enforced on RSA' do |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: true do |
|
|
|
|
curves = server.curves_preference.collect &:name |
|
|
|
|
expect(curves).to eq %i(prime256v1 sect571r1) |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(sect571r1 prime256v1), server_preference: true do |
|
|
|
|
curves = server.curves_preference.collect &:name |
|
|
|
|
expect(curves).to eq %i(sect571r1 prime256v1) |
|
|
|
@ -129,13 +215,13 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report client preference if server preference not enforced on RSA' do |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be :client |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(sect571r1 prime256v1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be :client |
|
|
|
@ -143,13 +229,13 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report N/A if a single curve on ECDSA' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1), server_preference: true do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be_nil |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be_nil |
|
|
|
@ -158,7 +244,7 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
|
|
|
|
|
# No luck here :'( |
|
|
|
|
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: true do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be_nil |
|
|
|
@ -166,7 +252,7 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(sect571r1 prime256v1), server_preference: true do |
|
|
|
|
curves = server.curves_preference.collect &:name |
|
|
|
|
expect(curves).to eq %i(sect571r1 prime256v1) |
|
|
|
@ -174,53 +260,17 @@ describe CryptCheck::Tls::Server do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'must report client preference if server preference not enforced on ECDSA' do |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(prime256v1 sect571r1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be :client |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES), |
|
|
|
|
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256), |
|
|
|
|
curves: %i(sect571r1 prime256v1), server_preference: false do |
|
|
|
|
curves = server.curves_preference |
|
|
|
|
expect(curves).to be :client |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#md5_sign?' do |
|
|
|
|
it 'must detect server using MD5 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.md5_sign?).to be false |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:md5, [:rsa, 1024]] do |
|
|
|
|
expect(server.md5_sign?).to be true |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#sha1_sign?' do |
|
|
|
|
it 'must detect server using SHA1 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.sha1_sign?).to be false |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:sha1, [:rsa, 1024]] do |
|
|
|
|
expect(server.sha1_sign?).to be true |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#sha2_sign?' do |
|
|
|
|
it 'must detect server using SHA2 certificate' do |
|
|
|
|
tls_serv do |
|
|
|
|
expect(server.sha2_sign?).to be true |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
tls_serv material: [:md5, :sha1] do |
|
|
|
|
expect(server.sha2_sign?).to be false |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|