aeris
/
cryptcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Tests for supported methods

Browse Source
new-scoring
aeris 6 years ago
parent 5976e801d8
commit ba1f0e7c34
2 changed files with 110 additions and 59 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      lib/cryptcheck/tls/server.rb
  2. 164
      spec/cryptcheck/tls/server_spec.rb

5
lib/cryptcheck/tls/server.rb
Unescape View File

@ -28,7 +28,7 @@ module CryptCheck
class ConnectionError < ::StandardError
end
attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
attr_reader :certs, :keys, :dh, :supported_methods, :supported_curves, :curves_preference
def initialize(hostname, family, ip, port)
@hostname, @family, @ip, @port = hostname, family, ip, port
@ -402,7 +402,8 @@ module CryptCheck
when /state=SSLv2 read server hello A: peer error no cipher$/,
/state=error: no ciphers available$/,
/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
/state=error: missing export tmp dh key$/
/state=error: missing export tmp dh key$/,
/state=error: wrong curve$/
raise CipherNotAvailable, e
when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
raise InappropriateFallback, e

164
spec/cryptcheck/tls/server_spec.rb
Unescape View File

@ -17,22 +17,108 @@ describe CryptCheck::Tls::Server do
it 'must detect RSA certificate' do
tls_serv material: [[:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end
it 'must detect ECDSA certificate' do
tls_serv material: [[:ecdsa, :prime256v1]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06'
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
end
end
it 'must detect RSA and ECDSA certificates' do
tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
certs = server.certs.collect &:fingerprint
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06',
'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
end
end
end
describe '#md5_sign?' do
it 'must detect server using MD5 certificate' do
tls_serv do
expect(server.md5_sign?).to be false
end
tls_serv material: [:md5, [:rsa, 1024]] do
expect(server.md5_sign?).to be true
end
end
end
describe '#sha1_sign?' do
it 'must detect server using SHA1 certificate' do
tls_serv do
expect(server.sha1_sign?).to be false
end
tls_serv material: [:sha1, [:rsa, 1024]] do
expect(server.sha1_sign?).to be true
end
end
end
describe '#sha2_sign?' do
it 'must detect server using SHA2 certificate' do
tls_serv do
expect(server.sha2_sign?).to be true
end
tls_serv material: [:md5, :sha1] do
expect(server.sha2_sign?).to be false
end
end
end
describe '#supported_methods' do
it 'must detect SSLv2' do
tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [],
ciphers: %w(RC4-MD5) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv2)
end
end
it 'must detect SSLv3' do
tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3)
end
end
it 'must detect TLSv1.0' do
tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1)
end
end
it 'must detect TLSv1.1' do
tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_1)
end
end
it 'must detect TLSv1.2' do
tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(TLSv1_2)
end
end
it 'must detect mixed methods' do
tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]],
ciphers: %w(ECDHE-RSA-AES128-SHA) do
methods = server.supported_methods.collect &:name
expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
end
end
end
@ -46,7 +132,7 @@ describe CryptCheck::Tls::Server do
end
it 'must detect supported curves for RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1) do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@ -54,7 +140,7 @@ describe CryptCheck::Tls::Server do
end
it 'must detect supported curves from ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
@ -62,7 +148,7 @@ describe CryptCheck::Tls::Server do
end
it 'must detect supported curves from ECDSA and ECDHE' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@ -71,13 +157,13 @@ describe CryptCheck::Tls::Server do
# No luck here :'(
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.supported_curves.collect &:name
expect(curves).to contain_exactly :prime256v1, :sect571r1
@ -101,13 +187,13 @@ describe CryptCheck::Tls::Server do
end
it 'must report N/A if a single curve on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
@ -115,13 +201,13 @@ describe CryptCheck::Tls::Server do
end
it 'must report server preference if server preference enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(prime256v1 sect571r1)
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
@ -129,13 +215,13 @@ describe CryptCheck::Tls::Server do
end
it 'must report client preference if server preference not enforced on RSA' do
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
@ -143,13 +229,13 @@ describe CryptCheck::Tls::Server do
end
it 'must report N/A if a single curve on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be_nil
@ -158,7 +244,7 @@ describe CryptCheck::Tls::Server do
# No luck here :'(
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: true do
curves = server.curves_preference
expect(curves).to be_nil
@ -166,7 +252,7 @@ describe CryptCheck::Tls::Server do
end
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: true do
curves = server.curves_preference.collect &:name
expect(curves).to eq %i(sect571r1 prime256v1)
@ -174,53 +260,17 @@ describe CryptCheck::Tls::Server do
end
it 'must report client preference if server preference not enforced on ECDSA' do
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(prime256v1 sect571r1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
curves: %i(sect571r1 prime256v1), server_preference: false do
curves = server.curves_preference
expect(curves).to be :client
end
end
end
describe '#md5_sign?' do
it 'must detect server using MD5 certificate' do
tls_serv do
expect(server.md5_sign?).to be false
end
tls_serv material: [:md5, [:rsa, 1024]] do
expect(server.md5_sign?).to be true
end
end
end
describe '#sha1_sign?' do
it 'must detect server using SHA1 certificate' do
tls_serv do
expect(server.sha1_sign?).to be false
end
tls_serv material: [:sha1, [:rsa, 1024]] do
expect(server.sha1_sign?).to be true
end
end
end
describe '#sha2_sign?' do
it 'must detect server using SHA2 certificate' do
tls_serv do
expect(server.sha2_sign?).to be true
end
tls_serv material: [:md5, :sha1] do
expect(server.sha2_sign?).to be false
end
end
end
end

Write Preview
Loading…
Cancel
Save