From 8a412f7c540ac2925ad33ee633e60bf7e55e929c Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Wed, 22 Oct 2014 17:11:17 -0700 Subject: [PATCH 23/28] Ticket 47928 - CI test: added test cases for ticket 47928 Description: test_ticket47928_run_0 - Test Case 13 - No SSL version config parameters test_ticket47928_run_1 - Test Case 14 - No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax test_ticket47928_run_2 - Test Case 15 - nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2 test_ticket47928_run_3 - Test Case 16 - nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2 (cherry picked from commit 958be1271ab440a15649046e7927b44b57a4e19a) Signed-off-by: Noriko Hosoi --- dirsrvtests/tickets/ticket47838_test.py | 165 +++++++++++++++++++++++++++++++- 1 file changed, 161 insertions(+), 4 deletions(-) diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py index c98c36e..50a4b50 100644 --- a/dirsrvtests/tickets/ticket47838_test.py +++ b/dirsrvtests/tickets/ticket47838_test.py @@ -201,7 +201,8 @@ def test_ticket47838_init(topology): log.info("\n######################### enable SSL in the directory server with all ciphers ######################\n") topology.standalone.simple_bind_s(DN_DM, PASSWORD) - topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'), + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'), + (ldap.MOD_REPLACE, 'nsTLS1', 'on'), (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'), (ldap.MOD_REPLACE, 'allowWeakCipher', 'on'), (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')]) @@ -645,19 +646,171 @@ def test_ticket47838_run_11(topology): comp_nsSSLEnableCipherCount(topology, 0) +def test_ticket47928_run_0(topology): + """ + No SSL version config parameters. + Check SSL3 (TLS1.0) is off. + """ + _header(topology, 'Test Case 13 - No SSL version config parameters') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + # add them once and remove them + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'), + (ldap.MOD_REPLACE, 'nsTLS1', 'on'), + (ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'), + (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2')]) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3', None), + (ldap.MOD_DELETE, 'nsTLS1', None), + (ldap.MOD_DELETE, 'sslVersionMin', None), + (ldap.MOD_DELETE, 'sslVersionMax', None)]) + topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_11' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "Default SSL Version settings; Configuring the version range as min: TLS1.1"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + +def test_ticket47928_run_1(topology): + """ + No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax + Check sslVersionMax is ignored. + """ + _header(topology, 'Test Case 14 - No nsSSL3, nsTLS1; sslVersionMin > sslVersionMax') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.2'), + (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.1')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_12' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "The min value of NSS version range"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + + errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.2, max: TLS1"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + +def test_ticket47928_run_2(topology): + """ + nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2 + Conflict between nsSSL3 and range; nsSSL3 is disabled + """ + _header(topology, 'Test Case 15 - nsSSL3: on; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'), + (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2'), + (ldap.MOD_REPLACE, 'nsSSL3', 'on')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_13' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "Found unsecure configuration: nsSSL3: on"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "Respect the supported range."' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + + errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.1, max: TLS1"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + +def test_ticket47928_run_3(topology): + """ + nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2 + Conflict between nsSSL3/nsTLS1 and range; nsSSL3 is disabled; nsTLS1 is enabled. + """ + _header(topology, 'Test Case 16 - nsSSL3: on; nsTLS1: off; sslVersionMin: TLS1.1; sslVersionMax: TLS1.2') + + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'sslVersionMin', 'TLS1.1'), + (ldap.MOD_REPLACE, 'sslVersionMax', 'TLS1.2'), + (ldap.MOD_REPLACE, 'nsSSL3', 'on'), + (ldap.MOD_REPLACE, 'nsTLS1', 'off')]) + + log.info("\n######################### Restarting the server ######################\n") + topology.standalone.stop(timeout=10) + os.system('mv %s %s.47838_14' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('touch %s' % (topology.standalone.errlog)) + topology.standalone.start(timeout=120) + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "Found unsecure configuration: nsSSL3: on"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + + errmsg = os.popen('egrep "SSL alert:" %s | egrep "Respect the configured range."' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + + errmsg = os.popen('egrep "SSL Initialization" %s | egrep "Configured SSL version range: min: TLS1.1, max: TLS1"' % topology.standalone.errlog) + if errmsg != "": + log.info("Expected message:") + log.info("%s" % errmsg.readline()) + else: + log.info("Expected message was not found") + assert False + def test_ticket47838_run_last(topology): """ Check nssSSL3Chiphers: all <== invalid value All ciphers are disabled. """ - _header(topology, 'Test Case 13 - Check nssSSL3Chiphers: all, which is invalid') + _header(topology, 'Test Case 17 - Check nssSSL3Chiphers: all, which is invalid') topology.standalone.simple_bind_s(DN_DM, PASSWORD) + topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)]) topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'all')]) log.info("\n######################### Restarting the server ######################\n") topology.standalone.stop(timeout=10) - os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog)) + os.system('mv %s %s.47838_15' % (topology.standalone.errlog, topology.standalone.errlog)) os.system('touch %s' % (topology.standalone.errlog)) topology.standalone.start(timeout=120) @@ -671,7 +824,7 @@ def test_ticket47838_run_last(topology): comp_nsSSLEnableCipherCount(topology, 0) - topology.standalone.log.info("ticket47838, 47880, 47908 were successfully verified."); + topology.standalone.log.info("ticket47838, 47880, 47908, 47928 were successfully verified."); def test_ticket47838_final(topology): topology.standalone.simple_bind_s(DN_DM, PASSWORD) @@ -706,6 +859,10 @@ def run_isolated(): test_ticket47838_run_9(topo) test_ticket47838_run_10(topo) test_ticket47838_run_11(topo) + test_ticket47928_run_0(topo) + test_ticket47928_run_1(topo) + test_ticket47928_run_2(topo) + test_ticket47928_run_3(topo) test_ticket47838_run_last(topo) -- 1.9.3