Tests for supported methods
parent
5976e801d8
commit
ba1f0e7c34
|
@ -28,7 +28,7 @@ module CryptCheck
|
|||
class ConnectionError < ::StandardError
|
||||
end
|
||||
|
||||
attr_reader :certs, :keys, :dh, :supported_curves, :curves_preference
|
||||
attr_reader :certs, :keys, :dh, :supported_methods, :supported_curves, :curves_preference
|
||||
|
||||
def initialize(hostname, family, ip, port)
|
||||
@hostname, @family, @ip, @port = hostname, family, ip, port
|
||||
|
@ -402,7 +402,8 @@ module CryptCheck
|
|||
when /state=SSLv2 read server hello A: peer error no cipher$/,
|
||||
/state=error: no ciphers available$/,
|
||||
/state=SSLv3 read server hello A: sslv3 alert handshake failure$/,
|
||||
/state=error: missing export tmp dh key$/
|
||||
/state=error: missing export tmp dh key$/,
|
||||
/state=error: wrong curve$/
|
||||
raise CipherNotAvailable, e
|
||||
when /state=SSLv3 read server hello A: tlsv1 alert inappropriate fallback$/
|
||||
raise InappropriateFallback, e
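Review bot: Adding `/state=error: wrong curve$/` to the `when` list that raises `CipherNotAvailable` folds a curve-negotiation failure into the cipher-unavailable case, so a caller probing curves can no longer tell "server refused this curve" from "server refused this cipher" by exception class alone. If `supported_curves` depends on that distinction — which this hunk does not show — a dedicated error class (say `CurveNotAvailable`) on its own `when` branch would keep the two apart; otherwise the new line deserves a why-comment such as `# a rejected curve makes the ECDHE suite unusable, so report it as a cipher failure`. Note that `$` in a Ruby regexp matches at any line end, which is harmless here only as long as the OpenSSL message is a single line. The first hunk's new `:supported_methods` reader likewise has no comment on what it holds, and nothing visible assigns `@supported_methods`, so a YARD `# @return` line describing the element type would help callers. The enclosing `case` and its method begin before this hunk and continue after it.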
|
||||
|
|
|
@ -17,173 +17,22 @@ describe CryptCheck::Tls::Server do
|
|||
it 'must detect RSA certificate' do
|
||||
tls_serv material: [[:rsa, 1024]] do
|
||||
certs = server.certs.collect &:fingerprint
|
||||
expect(certs).to contain_exactly 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
|
||||
expect(certs).to match_array %w(a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect ECDSA certificate' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]] do
|
||||
certs = server.certs.collect &:fingerprint
|
||||
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06'
|
||||
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect RSA and ECDSA certificates' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
|
||||
certs = server.certs.collect &:fingerprint
|
||||
expect(certs).to contain_exactly '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06',
|
||||
'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#supported_curves' do
|
||||
it 'must detect no supported curves' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves for RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1) do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves from ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves from ECDSA and ECDHE' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
|
||||
# No luck here :'(
|
||||
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#curves_preference' do
|
||||
it 'must report N/A if no curve on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
|
||||
server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
|
||||
server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report N/A if a single curve on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report server preference if server preference enforced on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(prime256v1 sect571r1)
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(sect571r1 prime256v1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report client preference if server preference not enforced on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report N/A if a single curve on ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
# No luck here :'(
|
||||
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(sect571r1 prime256v1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report client preference if server preference not enforced on ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE+AES),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
expect(certs).to match_array %w(531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
|
||||
a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -223,4 +72,205 @@ describe CryptCheck::Tls::Server do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#supported_methods' do
|
||||
it 'must detect SSLv2' do
|
||||
tls_serv methods: :SSLv2, material: [[:rsa, 1024]], chain: [],
|
||||
ciphers: %w(RC4-MD5) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(SSLv2)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect SSLv3' do
|
||||
tls_serv methods: %i(SSLv3), material: [[:rsa, 1024]],
|
||||
ciphers: %w(ECDHE-RSA-AES128-SHA) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(SSLv3)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect TLSv1.0' do
|
||||
tls_serv methods: %i(TLSv1), material: [[:rsa, 1024]],
|
||||
ciphers: %w(ECDHE-RSA-AES128-SHA) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(TLSv1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect TLSv1.1' do
|
||||
tls_serv methods: %i(TLSv1_1), material: [[:rsa, 1024]],
|
||||
ciphers: %w(ECDHE-RSA-AES128-SHA) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(TLSv1_1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect TLSv1.2' do
|
||||
tls_serv methods: %i(TLSv1_2), material: [[:rsa, 1024]],
|
||||
ciphers: %w(ECDHE-RSA-AES128-SHA) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(TLSv1_2)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect mixed methods' do
|
||||
tls_serv methods: %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2), material: [[:rsa, 1024]],
|
||||
ciphers: %w(ECDHE-RSA-AES128-SHA) do
|
||||
methods = server.supported_methods.collect &:name
|
||||
expect(methods).to match_array %i(SSLv3 TLSv1 TLSv1_1 TLSv1_2)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#supported_curves' do
|
||||
it 'must detect no supported curves' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256) do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves for RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1) do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves from ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1
|
||||
end
|
||||
end
|
||||
|
||||
it 'must detect supported curves from ECDSA and ECDHE' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
|
||||
# No luck here :'(
|
||||
it 'can\'t detect supported curves from ECDHE if server preference enforced' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.supported_curves.collect &:name
|
||||
expect(curves).to contain_exactly :prime256v1, :sect571r1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#curves_preference' do
|
||||
it 'must report N/A if no curve on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
|
||||
server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(AES128-GCM-SHA256),
|
||||
server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report N/A if a single curve on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report server preference if server preference enforced on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(prime256v1 sect571r1)
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(sect571r1 prime256v1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report client preference if server preference not enforced on RSA' do
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
|
||||
tls_serv material: [[:rsa, 1024]], ciphers: %w(ECDHE-RSA-AES128-GCM-SHA256),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report N/A if a single curve on ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
# No luck here :'(
|
||||
it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: true do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be_nil
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: true do
|
||||
curves = server.curves_preference.collect &:name
|
||||
expect(curves).to eq %i(sect571r1 prime256v1)
|
||||
end
|
||||
end
|
||||
|
||||
it 'must report client preference if server preference not enforced on ECDSA' do
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(prime256v1 sect571r1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
|
||||
tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w(ECDHE-ECDSA-AES128-GCM-SHA256),
|
||||
curves: %i(sect571r1 prime256v1), server_preference: false do
|
||||
curves = server.curves_preference
|
||||
expect(curves).to be :client
|
||||
end
|
||||
end
|
||||
end
|
||||
end
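Review bot: The SSLv2 example passes `methods: :SSLv2` as a bare symbol while every other `#supported_methods` example passes an array (`methods: %i(SSLv3)` and so on); unless `tls_serv` normalises its argument with `Array()`, which this hunk does not show, that is a latent mismatch, so `tls_serv methods: %i(SSLv2), material: [[:rsa, 1024]], chain: [],` would keep the examples uniform. None of the examples states that it is also a negative check — that a server configured for TLSv1_2 only is not reported as supporting SSLv3 or TLSv1 — which `match_array` on the single-element list does enforce, so a comment on the first example, `# match_array is exact: any extra method reported is a failure`, would make that intent explicit. Style: `server.supported_methods.collect &:name` is repeated in six examples; `map(&:name)` is the idiomatic spelling. The 1024-bit RSA fixture is reused throughout; if the OpenSSL build running the suite enforces a default security level that rejects such keys, every example fails for a reason unrelated to method detection, so that is worth confirming on the CI image.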
|
||||
|
|