You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by GitBox <gi...@apache.org> on 2019/01/02 16:06:22 UTC

[GitHub] fgiorgetti closed pull request #430: DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater

fgiorgetti closed pull request #430: DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater
URL: https://github.com/apache/qpid-dispatch/pull/430
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/tests/system_tests_ssl.py b/tests/system_tests_ssl.py
index 5eb9a6f9..feabfea9 100644
--- a/tests/system_tests_ssl.py
+++ b/tests/system_tests_ssl.py
@@ -21,6 +21,8 @@
 Provides tests related with allowed TLS protocol version restrictions.
 """
 import os
+import ssl
+import sys
 from subprocess import Popen, PIPE
 from qpid_dispatch.management.client import Node
 from system_test import TestCase, main_module, Qdrouterd, DIR, SkipIfNeeded
@@ -35,6 +37,9 @@ class RouterTestSslBase(TestCase):
     """
     Base class to help with SSL related testing.
     """
+    # If unable to determine which protocol versions are allowed system wide
+    DISABLE_SSL_TESTING = False
+
     @staticmethod
     def ssl_file(name):
         """
@@ -89,6 +94,30 @@ class RouterTestSslClient(RouterTestSslBase):
     PORT_SSL3 = 0
     TIMEOUT = 3
 
+    # If using OpenSSL 1.1 or greater, TLSv1.2 is always being allowed
+    OPENSSL_VER_1_1_GT = ssl.OPENSSL_VERSION_INFO[:2] >= (1, 1)
+
+    # Following variables define TLS versions allowed by openssl
+    OPENSSL_MIN_VER = 0
+    OPENSSL_MAX_VER = 9999
+    OPENSSL_ALLOW_TLSV1 = True
+    OPENSSL_ALLOW_TLSV1_1 = True
+    OPENSSL_ALLOW_TLSV1_2 = True
+
+    # When using OpenSSL >= 1.1 and python >= 3.7, we can retrieve OpenSSL min and max protocols
+    if OPENSSL_VER_1_1_GT:
+        if sys.version_info >= (3, 7):
+            OPENSSL_CTX = ssl.create_default_context()
+            OPENSSL_MIN_VER = OPENSSL_CTX.minimum_version
+            OPENSSL_MAX_VER = OPENSSL_CTX.maximum_version if OPENSSL_CTX.maximum_version > 0 else 9999
+            OPENSSL_ALLOW_TLSV1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1 <= OPENSSL_MAX_VER
+            OPENSSL_ALLOW_TLSV1_1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_1 <= OPENSSL_MAX_VER
+            OPENSSL_ALLOW_TLSV1_2 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_2 <= OPENSSL_MAX_VER
+        else:
+            # At this point we are not able to precisely determine what are the minimum and maximum
+            # TLS versions allowed in the system, so tests will be disabled
+            RouterTestSslBase.DISABLE_SSL_TESTING = True
+
     @classmethod
     def setUpClass(cls):
         """
@@ -324,55 +353,81 @@ def is_ssl_sasl_client_accepted(self, listener_port, tls_protocol):
         connection.close()
         return True
 
+    def get_expected_tls_result(self, expected_results):
+        """
+        Expects a list with three boolean elements, representing
+        TLSv1, TLSv1.1 and TLSv1.2 (in the respective order).
+        When using OpenSSL >= 1.1.x, allowance of a given TLS version is
+        based on MinProtocol / MaxProtocol definitions.
+        It is also important
+        to mention that TLSv1.2 is being allowed even when not specified in a
+        listener when using OpenSSL >= 1.1.x.
+
+        :param expected_results:
+        :return:
+        """
+        (tlsv1, tlsv1_1, tlsv1_2) = expected_results
+        return [self.OPENSSL_ALLOW_TLSV1 and tlsv1,
+                self.OPENSSL_ALLOW_TLSV1_1 and tlsv1_1,
+                self.OPENSSL_VER_1_1_GT or (self.OPENSSL_ALLOW_TLSV1_2 and tlsv1_2)]
+
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_only(self):
         """
         Expects TLSv1 only is allowed
         """
-        self.assertEquals([True, False, False],
+        self.assertEquals(self.get_expected_tls_result([True, False, False]),
                           self.get_allowed_protocols(self.PORT_TLS1))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls11_only(self):
         """
         Expects TLSv1.1 only is allowed
         """
-        self.assertEquals([False, True, False],
+        self.assertEquals(self.get_expected_tls_result([False, True, False]),
                           self.get_allowed_protocols(self.PORT_TLS11))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls12_only(self):
         """
         Expects TLSv1.2 only is allowed
         """
-        self.assertEquals([False, False, True],
+        self.assertEquals(self.get_expected_tls_result([False, False, True]),
                           self.get_allowed_protocols(self.PORT_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_tls11_only(self):
         """
         Expects TLSv1 and TLSv1.1 only are allowed
         """
-        self.assertEquals([True, True, False],
+        self.assertEquals(self.get_expected_tls_result([True, True, False]),
                           self.get_allowed_protocols(self.PORT_TLS1_TLS11))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_tls12_only(self):
         """
         Expects TLSv1 and TLSv1.2 only are allowed
         """
-        self.assertEquals([True, False, True],
+        self.assertEquals(self.get_expected_tls_result([True, False, True]),
                           self.get_allowed_protocols(self.PORT_TLS1_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls11_tls12_only(self):
         """
         Expects TLSv1.1 and TLSv1.2 only are allowed
         """
-        self.assertEquals([False, True, True],
+        self.assertEquals(self.get_expected_tls_result([False, True, True]),
                           self.get_allowed_protocols(self.PORT_TLS11_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls_all(self):
         """
         Expects all supported versions: TLSv1, TLSv1.1 and TLSv1.2 to be allowed
         """
-        self.assertEquals([True, True, True],
+        self.assertEquals(self.get_expected_tls_result([True, True, True]),
                           self.get_allowed_protocols(self.PORT_TLS_ALL))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_ssl_invalid(self):
         """
         Expects connection is rejected as SSL is no longer supported


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org