From d5d6836c9935fe4393e1d2b991271bf7ee53c609 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 24 Sep 2014 15:47:02 -0700
Subject: [PATCH 12/14] Ticket 47838 - CI test: adjusted test cases based on
the phase 2 fixes for ticket 47838
https://fedorahosted.org/389/ticket/47838
(cherry picked from commit c6c73e674ecf79fc7404758f90f4837f04bdbed0)
(cherry picked from commit b5ce880cc7e6df5f2a1d4bd24de2ce107cf1a5fe)
---
dirsrvtests/tickets/ticket47838_test.py | 68 ++++++++++++++++++++-------------
1 file changed, 41 insertions(+), 27 deletions(-)
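diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py
index 0e406f3..1575376 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -25,6 +25,8 @@ LDAPSPORT = '10636'
 SERVERCERT = 'Server-Cert'
 plus_all_ecount = 0
 plus_all_dcount = 0
+plus_all_ecount_noweak = 0
+plus_all_dcount_noweak = 0
 
 class TopologyStandalone(object):
 def __init__(self, standalone):
@@ -220,7 +222,7 @@ def test_ticket47838_run_0(topology):
 All ciphers are enabled except null.
 Note: allowWeakCipher: on
 """
- _header(topology, 'Test Case 1 - Check the ciphers availability for "+all"')
+ _header(topology, 'Test Case 1 - Check the ciphers availability for "+all"; allowWeakCipher: on')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')])
@@ -235,8 +237,8 @@ def test_ticket47838_run_0(topology):
 
 log.info("Enabled ciphers: %d" % ecount)
 log.info("Disabled ciphers: %d" % dcount)
- assert ecount >= 31
- assert dcount <= 36
+ assert ecount >= 60
+ assert dcount <= 7
 global plus_all_ecount
 global plus_all_dcount
 plus_all_ecount = ecount
@@ -250,9 +252,9 @@ def test_ticket47838_run_1(topology):
 """
 Check nsSSL3Ciphers: +all
 All ciphers are enabled except null.
- Note: allowWeakCipher: off for +all
+ Note: default allowWeakCipher (i.e., off) for +all
 """
- _header(topology, 'Test Case 2 - Check the ciphers availability for "+all" with not allowing WeakCiphers')
+ _header(topology, 'Test Case 2 - Check the ciphers availability for "+all" with default allowWeakCiphers')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')])
@@ -271,6 +273,11 @@ def test_ticket47838_run_1(topology):
 ecount = int(enabled.readline().rstrip())
 dcount = int(disabled.readline().rstrip())
 
+ global plus_all_ecount_noweak
+ global plus_all_dcount_noweak
+ plus_all_ecount_noweak = ecount
+ plus_all_dcount_noweak = dcount
+
 log.info("Enabled ciphers: %d" % ecount)
 log.info("Disabled ciphers: %d" % dcount)
 assert ecount >= 31
@@ -284,12 +291,11 @@ def test_ticket47838_run_2(topology):
 """
 Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha
 rsa_aes_128_sha, tls_rsa_aes_128_sha, rsa_aes_256_sha, tls_rsa_aes_256_sha are enabled.
+ default allowWeakCipher
 """
- _header(topology, 'Test Case 3 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"')
+ _header(topology, 'Test Case 3 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha" with default allowWeakCipher')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
- #topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha'),
- # (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha')])
 
 log.info("\n######################### Restarting the server ######################\n")
@@ -314,6 +320,7 @@ def test_ticket47838_run_3(topology):
 """
 Check nsSSL3Ciphers: -all
 All ciphers are disabled.
+ default allowWeakCipher
 """
 _header(topology, 'Test Case 4 - Check the ciphers availability for "-all"')
 
@@ -327,23 +334,23 @@ def test_ticket47838_run_3(topology):
 topology.standalone.start(timeout=120)
 
 enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
 ecount = int(enabled.readline().rstrip())
- dcount = int(disabled.readline().rstrip())
 
 log.info("Enabled ciphers: %d" % ecount)
- log.info("Disabled ciphers: %d" % dcount)
 global plus_all_ecount
- global plus_all_dcount
 assert ecount == 0
- assert dcount == (plus_all_ecount + plus_all_dcount)
+
+ disabledmsg = os.popen('egrep "Disabling SSL" %s' % topology.standalone.errlog)
+ log.info("Disabling SSL message?: %s" % disabledmsg.readline())
+ assert disabledmsg != ''
 
 def test_ticket47838_run_4(topology):
 """
 Check no nsSSL3Ciphers
 Default ciphers are enabled.
+ default allowWeakCipher
 """
- _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting)')
+ _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting) with default allowWeakCipher')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3Ciphers', '-all')])
@@ -374,8 +381,9 @@ def test_ticket47838_run_5(topology):
 """
 Check nsSSL3Ciphers: default
 Default ciphers are enabled.
+ default allowWeakCipher
 """
- _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting)')
+ _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting) with default allowWeakCipher')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default')])
@@ -406,8 +414,9 @@ def test_ticket47838_run_6(topology):
 """
 Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5
 All ciphers are disabled.
+ default allowWeakCipher
 """
- _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha')
+ _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha with default allowWeakCipher')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-tls_dhe_rsa_aes_128_gcm_sha')])
@@ -425,19 +434,20 @@ def test_ticket47838_run_6(topology):
 
 log.info("Enabled ciphers: %d" % ecount)
 log.info("Disabled ciphers: %d" % dcount)
- global plus_all_ecount
- global plus_all_dcount
- log.info("ALL Ecount: %d" % plus_all_ecount)
- log.info("ALL Dcount: %d" % plus_all_dcount)
- assert ecount == (plus_all_ecount - 1)
- assert dcount == (plus_all_dcount + 1)
+ global plus_all_ecount_noweak
+ global plus_all_dcount_noweak
+ log.info("ALL Ecount: %d" % plus_all_ecount_noweak)
+ log.info("ALL Dcount: %d" % plus_all_dcount_noweak)
+ assert ecount == (plus_all_ecount_noweak - 1)
+ assert dcount == (plus_all_dcount_noweak + 1)
 
 def test_ticket47838_run_7(topology):
 """
 Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
 All ciphers are disabled.
+ default allowWeakCipher
 """
- _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5')
+ _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5 with default allowWeakCipher')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all,+rsa_rc4_128_md5')])
@@ -497,8 +507,10 @@ def test_ticket47838_run_9(topology):
 """
 Check no nsSSL3Ciphers
 Default ciphers are enabled.
+ allowWeakCipher: on
+ nsslapd-errorlog-level: 0
 """
- _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with no errorlog-level')
+ _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with no errorlog-level & allowWeakCipher on')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None),
@@ -518,12 +530,12 @@ def test_ticket47838_run_9(topology):
 
 log.info("Enabled ciphers: %d" % ecount)
 log.info("Disabled ciphers: %d" % dcount)
- assert ecount == 12
+ assert ecount == 23
 assert dcount == 0
 weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
 wcount = int(weak.readline().rstrip())
 log.info("Weak ciphers in the default setting: %d" % wcount)
- assert wcount == 0
+ assert wcount == 11
 
 def test_ticket47838_run_10(topology):
 """
@@ -535,8 +547,10 @@ def test_ticket47838_run_10(topology):
 -SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5,
 -SSL_CK_RC2_128_CBC_WITH_MD5,-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
 -SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5
+ allowWeakCipher: on
+ nsslapd-errorlog-level: 0
 """
- _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name')
+ _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name with allowWeakCipher on')
 
 topology.standalone.simple_bind_s(DN_DM, PASSWORD)
 topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers',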
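Review bot: In test_ticket47838_run_3 the new check `assert disabledmsg != ''` compares the file object returned by os.popen() with a string, so it is always true and the "-all" case passes even when the server never logs "Disabling SSL". The only readline() result is consumed by the log.info call on the line before it. Read the line once and assert on that value instead: `msg = disabledmsg.readline()`, `log.info("Disabling SSL message?: %s" % msg)`, `assert msg != ''`. Separately, test_ticket47838_run_6 now compares against plus_all_ecount_noweak and plus_all_dcount_noweak, which are only assigned in run_1, so running run_6 in isolation compares against the initial 0. A short comment on that ordering dependency would help, as would one on where the fixed counts 60, 7, 23 and 11 come from (presumably the cipher list of the NSS build in use).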
--
1.9.3