
server_spec.rb 6.2KB

  # Specs for the TLS scanner's Server class: certificate discovery, protocol
  # version detection, cipher enumeration, and curve enumeration / preference.
  #
  # Each example builds a Server through the `server` helper and pins what the
  # scan reports. Two examples deliberately pin known blind spots of the scan
  # (marked "Known limitation" below).
  module CryptCheck::Tls
    describe Server do
      # Every example runs with the clock frozen at 2000-01-01 00:00 UTC.
      # NOTE(review): presumably this keeps the fixture certificates' validity
      # checks independent of the wall clock - confirm against the fixtures.
      around(:each) do |example|
        FakeTime.freeze(Time.utc(2000, 1, 1)) { example.run }
      end

      # Builds the Server under test.
      #
      # All arguments are forwarded untouched to do_in_serv (defined outside this
      # file); inside its block a TcpServer is created for the literal hostname
      # 'localhost', the yielded host and port, over IPv4 (PF_INET).
      # NOTE(review): do_in_serv presumably starts a throwaway TLS listener
      # configured by these arguments and returns the block's value - confirm
      # in the spec helper.
      def server(*args, **kargs)
        do_in_serv(*args, **kargs) do |host, port|
          TcpServer.new('localhost', host, ::Socket::PF_INET, port)
        end
      end

      # The expected values are 64-hex-character fingerprints of the fixture
      # certificates; the digest algorithm is decided by `fingerprint`, which
      # is not visible here. Regenerating the fixtures requires updating them.
      describe '#certs' do
        it 'must detect RSA certificate' do
          fingerprints = server(:rsa).certs.collect(&:fingerprint)
          expect(fingerprints).to match_array(
            %w[a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71]
          )
        end

        it 'must detect ECDSA certificate' do
          fingerprints = server.certs.collect(&:fingerprint)
          expect(fingerprints).to match_array(
            %w[531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06]
          )
        end

        it 'must detect RSA and ECDSA certificates' do
          fingerprints = server(:mixed).certs.collect(&:fingerprint)
          expect(fingerprints).to match_array(
            %w[
              531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06
              a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71
            ]
          )
        end
      end

      # SSLv2 and SSLv3 are prohibited (RFC 6176, RFC 7568) and TLS 1.0/1.1 are
      # deprecated (RFC 8996), so a scanner that misses one of them under-reports
      # risk. This file has no TLSv1.3 example.
      # NOTE(review): detecting SSLv2/SSLv3 presumably needs a TLS stack that can
      # still negotiate them; on a build without them these examples cannot pass
      # and a real scan would silently miss those protocols - confirm what the
      # suite links against.
      describe '#supported_methods' do
        it 'must detect SSLv2' do
          detected = server(:sslv2).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[SSLv2])
        end

        it 'must detect SSLv3' do
          detected = server(methods: %i[SSLv3]).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[SSLv3])
        end

        it 'must detect TLSv1.0' do
          detected = server(methods: %i[TLSv1]).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[TLSv1])
        end

        it 'must detect TLSv1.1' do
          detected = server(methods: %i[TLSv1_1]).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[TLSv1_1])
        end

        it 'must detect TLSv1.2' do
          detected = server(methods: %i[TLSv1_2]).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[TLSv1_2])
        end

        it 'must detect mixed methods' do
          enabled = %i[SSLv3 TLSv1 TLSv1_1 TLSv1_2]
          detected = server(methods: enabled).supported_methods.collect(&:to_sym)
          expect(detected).to match_array(%i[SSLv3 TLSv1 TLSv1_1 TLSv1_2])
        end
      end

      describe '#supported_ciphers' do
        it 'must detect supported cipher' do
          # Reduce the result to { protocol symbol => [cipher names] } and look
          # only at the TLSv1_2 entry.
          pairs = server.supported_ciphers.map do |tls_method, ciphers|
            [tls_method.to_sym, ciphers.keys.collect(&:name)]
          end
          expect(pairs.to_h[:TLSv1_2]).to match_array(%w[ECDHE-ECDSA-AES128-SHA])
        end
      end

      describe '#supported_curves' do
        it 'must detect no supported curves' do
          names = server(:rsa, ciphers: %w[AES128-SHA]).supported_curves.collect(&:name)
          expect(names).to be_empty
        end

        it 'must detect supported curves for RSA' do
          names = server(:rsa, curves: %i[prime256v1 sect571r1]).supported_curves.collect(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end

        it 'must detect supported curves from ECDSA' do
          names = server(server_preference: false).supported_curves.collect(&:name)
          expect(names).to contain_exactly(:prime256v1)
        end

        it 'must detect supported curves from ECDSA and ECDHE' do
          scanned = server(curves: %i[prime256v1 sect571r1], server_preference: false)
          names = scanned.supported_curves.collect(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end

        # Known limitation, pinned on purpose: with server preference enforced
        # and prime256v1 listed first, only prime256v1 is reported although
        # sect571r1 is enabled too. For such servers the reported curve list is
        # a lower bound, not the full set. With the order reversed both curves
        # are found.
        it 'can\'t detect supported curves from ECDHE if server preference enforced' do
          ecdsa_curve_first = server(curves: %i[prime256v1 sect571r1])
          names = ecdsa_curve_first.supported_curves.collect(&:name)
          expect(names).to contain_exactly(:prime256v1)

          ecdsa_curve_last = server(curves: %i[sect571r1 prime256v1])
          names = ecdsa_curve_last.supported_curves.collect(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end
      end

      # curves_preference yields nil when no ordering can be established, the
      # ordered curve list when the server imposes its order, and :client when
      # the client's order wins.
      describe '#curves_preference' do
        it 'must report N/A if no curve on RSA' do
          expect(server(:rsa, ciphers: %w[AES128-GCM-SHA256]).curves_preference).to be_nil

          relaxed = server(:rsa, ciphers: %w[AES128-GCM-SHA256], server_preference: false)
          expect(relaxed.curves_preference).to be_nil
        end

        it 'must report N/A if a single curve on RSA' do
          expect(server(:rsa).curves_preference).to be_nil
          expect(server(:rsa, server_preference: false).curves_preference).to be_nil
        end

        it 'must report server preference if server preference enforced on RSA' do
          order = server(:rsa, curves: %i[prime256v1 sect571r1]).curves_preference.collect(&:name)
          expect(order).to eq(%i[prime256v1 sect571r1])

          order = server(:rsa, curves: %i[sect571r1 prime256v1]).curves_preference.collect(&:name)
          expect(order).to eq(%i[sect571r1 prime256v1])
        end

        it 'must report client preference if server preference not enforced on RSA' do
          preference = server(:rsa, curves: %i[prime256v1 sect571r1], server_preference: false).curves_preference
          expect(preference).to be(:client)

          preference = server(:rsa, curves: %i[sect571r1 prime256v1], server_preference: false).curves_preference
          expect(preference).to be(:client)
        end

        it 'must report N/A if a single curve on ECDSA' do
          expect(server.curves_preference).to be_nil
          expect(server(server_preference: false).curves_preference).to be_nil
        end

        # Known limitation, pinned on purpose: when the enforced server order
        # starts with the ECDSA certificate's own curve, the preference cannot
        # be determined and nil is reported instead of the server's order.
        it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
          expect(server(curves: %i[prime256v1 sect571r1]).curves_preference).to be_nil
        end

        it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
          order = server(curves: %i[sect571r1 prime256v1]).curves_preference.collect(&:name)
          expect(order).to eq(%i[sect571r1 prime256v1])
        end

        it 'must report client preference if server preference not enforced on ECDSA' do
          preference = server(curves: %i[prime256v1 sect571r1], server_preference: false).curves_preference
          expect(preference).to be(:client)

          preference = server(curves: %i[sect571r1 prime256v1], server_preference: false).curves_preference
          expect(preference).to be(:client)
        end
      end
    end
  end