mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-12 09:11:55 -06:00
639bb71940
Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
75 lines
2.3 KiB
Python
75 lines
2.3 KiB
Python
#
|
|
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""Tests for ipalib.util module
|
|
"""
|
|
|
|
import os
|
|
import ssl
|
|
from unittest import mock
|
|
|
|
import pytest
|
|
|
|
from ipalib.util import (
|
|
get_pager, create_https_connection, get_proper_tls_version_span
|
|
)
|
|
from ipaplatform.constants import constants
|
|
|
|
|
|
@pytest.mark.parametrize('pager,expected_result', [
|
|
# Valid values
|
|
('cat', '/bin/cat'),
|
|
('/bin/cat', '/bin/cat'),
|
|
# Invalid values (wrong command, package is not installed, etc)
|
|
('cat_', None),
|
|
('', None)
|
|
])
|
|
def test_get_pager(pager, expected_result):
|
|
with mock.patch.dict(os.environ, {'PAGER': pager}):
|
|
pager = get_pager()
|
|
assert(pager == expected_result or pager.endswith(expected_result))
|
|
|
|
|
|
BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
|
if constants.TLS_HIGH_CIPHERS is not None:
|
|
BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)
|
|
else:
|
|
BASE_CTX.set_ciphers("PROFILE=SYSTEM")
|
|
|
|
# options: IPA still supports Python 3.6 without min/max version setters
|
|
BASE_OPT = BASE_CTX.options
|
|
BASE_OPT |= (
|
|
ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
|
|
ssl.OP_SINGLE_ECDH_USE
|
|
)
|
|
TLS_OPT = (
|
|
ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 |
|
|
ssl.OP_NO_TLSv1_1
|
|
)
|
|
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0) # make pylint happy
|
|
|
|
|
|
@pytest.mark.parametrize('minver,maxver,opt,expected', [
|
|
(None, None, BASE_OPT, None),
|
|
(None, "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", None, BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
|
(None, "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
|
("tls1.3", "tls1.3", BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
|
("tls1.3", None, BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
|
])
|
|
def test_tls_version_span(minver, maxver, opt, expected):
|
|
assert get_proper_tls_version_span(minver, maxver) == expected
|
|
# file must exist and contain certs
|
|
cafile = ssl.get_default_verify_paths().cafile
|
|
conn = create_https_connection(
|
|
"invalid.test",
|
|
cafile=cafile,
|
|
tls_version_min=minver,
|
|
tls_version_max=maxver
|
|
)
|
|
ctx = getattr(conn, "_context")
|
|
assert ctx.options == BASE_OPT | opt
|
|
assert ctx.get_ciphers() == BASE_CTX.get_ciphers()
|