From d15c48e4041d3d7ccde3e791c9ee517af42b7447 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Wed, 10 Sep 2014 18:48:07 -0700 Subject: [PATCH 5/7] Ticket 47838,47895 - CI test: add test cases for ticket 47838 and 47895 Description: Ticket #47838: harden the list of ciphers available by default Adding test cases for default behaviour change of allowWeakCipher. Ticket #47895 - If no effective ciphers are available, disable security setting. Test case for "Even if no cipher is available, the server starts without SSL" is added. https://fedorahosted.org/389/ticket/47838 (cherry picked from commit 4fb1a04ceb9631680a9bcff844250afb4b6e5b7d) (cherry picked from commit 3877981d63fb82716b60cd1294008b2d272197c9) --- dirsrvtests/tickets/ticket47838_test.py | 221 +++++++++++++++++++++++--------- 1 file changed, 163 insertions(+), 58 deletions(-) diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py index dedd61d..0e406f3 100644 --- a/dirsrvtests/tickets/ticket47838_test.py +++ b/dirsrvtests/tickets/ticket47838_test.py @@ -201,6 +201,7 @@ def test_ticket47838_init(topology): topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'), (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'), + (ldap.MOD_REPLACE, 'allowWeakCipher', 'on'), (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')]) topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-security', 'on'), @@ -217,6 +218,7 @@ def test_ticket47838_run_0(topology): """ Check nsSSL3Ciphers: +all All ciphers are enabled except null. + Note: allowWeakCipher: on """ _header(topology, 'Test Case 1 - Check the ciphers availability for "+all"') @@ -226,42 +228,78 @@ def test_ticket47838_run_0(topology): log.info("\n######################### Restarting the server ######################\n") topology.standalone.restart(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) log.info("Enabled ciphers: %d" % ecount) log.info("Disabled ciphers: %d" % dcount) - assert ecount >= 60 - assert dcount <= 7 + assert ecount >= 31 + assert dcount <= 36 global plus_all_ecount global plus_all_dcount plus_all_ecount = ecount plus_all_dcount = dcount - weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) wcount = int(weak.readline().rstrip()) log.info("Weak ciphers: %d" % wcount) assert wcount <= 29 def test_ticket47838_run_1(topology): """ + Check nsSSL3Ciphers: +all + All ciphers are enabled except null. + Note: allowWeakCipher: off for +all + """ + _header(topology, 'Test Case 2 - Check the ciphers availability for "+all" with not allowing WeakCiphers') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')]) + # Make sure allowWeakCipher is not set. + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'allowWeakCipher', None)]) + + log.info("\n######################### Restarting the server ######################\n") + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) + ecount = int(enabled.readline().rstrip()) + dcount = int(disabled.readline().rstrip()) + + log.info("Enabled ciphers: %d" % ecount) + log.info("Disabled ciphers: %d" % dcount) + assert ecount >= 31 + assert dcount <= 36 + weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + wcount = int(weak.readline().rstrip()) + log.info("Weak ciphers: %d" % wcount) + assert wcount <= 29 + +def test_ticket47838_run_2(topology): + """ Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha rsa_aes_128_sha, tls_rsa_aes_128_sha, rsa_aes_256_sha, tls_rsa_aes_256_sha are enabled. """ - _header(topology, 'Test Case 2 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"') + _header(topology, 'Test Case 3 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"') topology.standalone.simple_bind_s(DN_DM, PASSWORD) + #topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha'), + # (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')]) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -272,24 +310,24 @@ def test_ticket47838_run_1(topology): assert ecount == 2 assert dcount == (plus_all_ecount + plus_all_dcount - ecount) -def test_ticket47838_run_2(topology): +def test_ticket47838_run_3(topology): """ Check nsSSL3Ciphers: -all All ciphers are disabled. """ - _header(topology, 'Test Case 3 - Check the ciphers availability for "-all"') + _header(topology, 'Test Case 4 - Check the ciphers availability for "-all"') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -300,24 +338,24 @@ def test_ticket47838_run_2(topology): assert ecount == 0 assert dcount == (plus_all_ecount + plus_all_dcount) -def test_ticket47838_run_3(topology): +def test_ticket47838_run_4(topology): """ Check no nsSSL3Ciphers Default ciphers are enabled. """ - _header(topology, 'Test Case 4 - Check no nssSSL3Chiphers (default setting)') + _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting)') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3Ciphers', '-all')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -327,29 +365,29 @@ def test_ticket47838_run_3(topology): global plus_all_dcount assert ecount == 12 assert dcount == (plus_all_ecount + plus_all_dcount - ecount) - weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) wcount = int(weak.readline().rstrip()) log.info("Weak ciphers in the default setting: %d" % wcount) assert wcount == 0 -def test_ticket47838_run_4(topology): +def test_ticket47838_run_5(topology): """ Check nsSSL3Ciphers: default Default ciphers are enabled. """ - _header(topology, 'Test Case 5 - Check default nssSSL3Chiphers (default setting)') + _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting)') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -359,29 +397,29 @@ def test_ticket47838_run_4(topology): global plus_all_dcount assert ecount == 12 assert dcount == (plus_all_ecount + plus_all_dcount - ecount) - weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) wcount = int(weak.readline().rstrip()) log.info("Weak ciphers in the default setting: %d" % wcount) assert wcount == 0 -def test_ticket47838_run_5(topology): +def test_ticket47838_run_6(topology): """ Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5 All ciphers are disabled. """ - _header(topology, 'Test Case 6 - Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5') + _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha') topology.standalone.simple_bind_s(DN_DM, PASSWORD) - topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-rsa_rc4_128_md5')]) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-tls_dhe_rsa_aes_128_gcm_sha')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -389,27 +427,29 @@ def test_ticket47838_run_5(topology): log.info("Disabled ciphers: %d" % dcount) global plus_all_ecount global plus_all_dcount + log.info("ALL Ecount: %d" % plus_all_ecount) + log.info("ALL Dcount: %d" % plus_all_dcount) assert ecount == (plus_all_ecount - 1) assert dcount == (plus_all_dcount + 1) -def test_ticket47838_run_6(topology): +def test_ticket47838_run_7(topology): """ Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5 All ciphers are disabled. """ - _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5') + _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all,+rsa_rc4_128_md5')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -420,25 +460,59 @@ def test_ticket47838_run_6(topology): assert ecount == 1 assert dcount == (plus_all_ecount + plus_all_dcount - ecount) -def test_ticket47838_run_7(topology): +def test_ticket47838_run_8(topology): + """ + Check nsSSL3Ciphers: default + allowWeakCipher: off + Strong Default ciphers are enabled. + """ + _header(topology, 'Test Case 9 - Check default nssSSL3Chiphers (default setting + allowWeakCipher: off)') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'), + (ldap.MOD_REPLACE, 'allowWeakCipher', 'off')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) + ecount = int(enabled.readline().rstrip()) + dcount = int(disabled.readline().rstrip()) + + log.info("Enabled ciphers: %d" % ecount) + log.info("Disabled ciphers: %d" % dcount) + global plus_all_ecount + global plus_all_dcount + assert ecount == 12 + assert dcount == (plus_all_ecount + plus_all_dcount - ecount) + weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + wcount = int(weak.readline().rstrip()) + log.info("Weak ciphers in the default setting: %d" % wcount) + assert wcount == 0 + +def test_ticket47838_run_9(topology): """ Check no nsSSL3Ciphers Default ciphers are enabled. """ - _header(topology, 'Test Case 8 - Check no nssSSL3Chiphers (default setting) with no errorlog-level') + _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with no errorlog-level') topology.standalone.simple_bind_s(DN_DM, PASSWORD) - topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None)]) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None), + (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')]) topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_8' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -446,12 +520,12 @@ def test_ticket47838_run_7(topology): log.info("Disabled ciphers: %d" % dcount) assert ecount == 12 assert dcount == 0 - weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) wcount = int(weak.readline().rstrip()) log.info("Weak ciphers in the default setting: %d" % wcount) assert wcount == 0 -def test_ticket47838_run_8(topology): +def test_ticket47838_run_10(topology): """ Check nssSSL3Chiphers: -TLS_RSA_WITH_NULL_MD5,+TLS_RSA_WITH_RC4_128_MD5, +TLS_RSA_EXPORT_WITH_RC4_40_MD5,+TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, @@ -462,7 +536,7 @@ def test_ticket47838_run_8(topology): -SSL_CK_RC2_128_CBC_WITH_MD5,-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, -SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5 """ - _header(topology, 'Test Case 9 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name') + _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', @@ -470,12 +544,12 @@ def test_ticket47838_run_8(topology): log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_9' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog) - disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog) + enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog) + disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog) ecount = int(enabled.readline().rstrip()) dcount = int(disabled.readline().rstrip()) @@ -485,32 +559,56 @@ def test_ticket47838_run_8(topology): global plus_all_dcount assert ecount == 9 assert dcount == 0 - weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) + weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog) wcount = int(weak.readline().rstrip()) log.info("Weak ciphers in the default setting: %d" % wcount) -def test_ticket47838_run_9(topology): + topology.standalone.log.info("ticket47838 was successfully verified."); + +def test_ticket47838_run_11(topology): + """ + Check nssSSL3Chiphers: +fortezza + SSL_GetImplementedCiphers does not return this as a secuire cipher suite + """ + _header(topology, 'Test Case 12 - Check nssSSL3Chiphers: +fortezza, which is not supported') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+fortezza')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "is not available in NSS"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected error message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected error message was not found") + assert False + +def test_ticket47838_run_last(topology): """ - NOTE: Currently, this test case is commented out since if the server fails to start, - it repeatedly restarted. Check nssSSL3Chiphers: all <== invalid value All ciphers are disabled. """ - _header(topology, 'Test Case 10 - Check nssSSL3Chiphers: all, which is invalid') + _header(topology, 'Test Case 13 - Check nssSSL3Chiphers: all, which is invalid') topology.standalone.simple_bind_s(DN_DM, PASSWORD) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'all')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) - errmsg = os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog) + errmsg = os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog) if errmsg != "": log.info("Expected error message:") - log.info("%s" % errmsg) + log.info("%s" % errmsg.readline()) else: log.info("Expected error message was not found") assert False @@ -519,6 +617,9 @@ def test_ticket47838_run_9(topology): def test_ticket47838_final(topology): topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)]) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'), + (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')]) topology.standalone.stop(timeout=10) def run_isolated(): @@ -544,7 +645,11 @@ def run_isolated(): test_ticket47838_run_6(topo) test_ticket47838_run_7(topo) test_ticket47838_run_8(topo) - # test_ticket47838_run_9(topo) + test_ticket47838_run_9(topo) + test_ticket47838_run_10(topo) + test_ticket47838_run_11(topo) + + test_ticket47838_run_last(topo) test_ticket47838_final(topo) -- 1.9.3