You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by gm...@apache.org on 2019/01/02 15:55:45 UTC
[qpid-dispatch] branch master updated: DISPATCH-1230 - Fixed
system_tests_ssl when using OpenSSL 1.1 or greater
This is an automated email from the ASF dual-hosted git repository.
gmurthy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/master by this push:
new 826756a DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater
826756a is described below
commit 826756a43297bd1dbbe803b255375b5eab793619
Author: Fernando Giorgetti <fg...@redhat.com>
AuthorDate: Fri Dec 21 13:52:07 2018 -0200
DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater
---
tests/system_tests_ssl.py | 69 ++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 62 insertions(+), 7 deletions(-)
diff --git a/tests/system_tests_ssl.py b/tests/system_tests_ssl.py
index 5eb9a6f..feabfea 100644
--- a/tests/system_tests_ssl.py
+++ b/tests/system_tests_ssl.py
@@ -21,6 +21,8 @@
Provides tests related with allowed TLS protocol version restrictions.
"""
import os
+import ssl
+import sys
from subprocess import Popen, PIPE
from qpid_dispatch.management.client import Node
from system_test import TestCase, main_module, Qdrouterd, DIR, SkipIfNeeded
@@ -35,6 +37,9 @@ class RouterTestSslBase(TestCase):
"""
Base class to help with SSL related testing.
"""
+ # If unable to determine which protocol versions are allowed system wide
+ DISABLE_SSL_TESTING = False
+
@staticmethod
def ssl_file(name):
"""
@@ -89,6 +94,30 @@ class RouterTestSslClient(RouterTestSslBase):
PORT_SSL3 = 0
TIMEOUT = 3
+ # If using OpenSSL 1.1 or greater, TLSv1.2 is always being allowed
+ OPENSSL_VER_1_1_GT = ssl.OPENSSL_VERSION_INFO[:2] >= (1, 1)
+
+ # Following variables define TLS versions allowed by openssl
+ OPENSSL_MIN_VER = 0
+ OPENSSL_MAX_VER = 9999
+ OPENSSL_ALLOW_TLSV1 = True
+ OPENSSL_ALLOW_TLSV1_1 = True
+ OPENSSL_ALLOW_TLSV1_2 = True
+
+ # When using OpenSSL >= 1.1 and python >= 3.7, we can retrieve OpenSSL min and max protocols
+ if OPENSSL_VER_1_1_GT:
+ if sys.version_info >= (3, 7):
+ OPENSSL_CTX = ssl.create_default_context()
+ OPENSSL_MIN_VER = OPENSSL_CTX.minimum_version
+ OPENSSL_MAX_VER = OPENSSL_CTX.maximum_version if OPENSSL_CTX.maximum_version > 0 else 9999
+ OPENSSL_ALLOW_TLSV1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1 <= OPENSSL_MAX_VER
+ OPENSSL_ALLOW_TLSV1_1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_1 <= OPENSSL_MAX_VER
+ OPENSSL_ALLOW_TLSV1_2 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_2 <= OPENSSL_MAX_VER
+ else:
+ # At this point we are not able to precisely determine what are the minimum and maximum
+ # TLS versions allowed in the system, so tests will be disabled
+ RouterTestSslBase.DISABLE_SSL_TESTING = True
+
@classmethod
def setUpClass(cls):
"""
@@ -324,55 +353,81 @@ class RouterTestSslClient(RouterTestSslBase):
connection.close()
return True
+ def get_expected_tls_result(self, expected_results):
+ """
+ Expects a list with three boolean elements, representing
+ TLSv1, TLSv1.1 and TLSv1.2 (in the respective order).
+ When using OpenSSL >= 1.1.x, allowance of a given TLS version is
+ based on MinProtocol / MaxProtocol definitions.
+ It is also important
+ to mention that TLSv1.2 is being allowed even when not specified in a
+ listener when using OpenSSL >= 1.1.x.
+
+ :param expected_results:
+ :return:
+ """
+ (tlsv1, tlsv1_1, tlsv1_2) = expected_results
+ return [self.OPENSSL_ALLOW_TLSV1 and tlsv1,
+ self.OPENSSL_ALLOW_TLSV1_1 and tlsv1_1,
+ self.OPENSSL_VER_1_1_GT or (self.OPENSSL_ALLOW_TLSV1_2 and tlsv1_2)]
+
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls1_only(self):
"""
Expects TLSv1 only is allowed
"""
- self.assertEquals([True, False, False],
+ self.assertEquals(self.get_expected_tls_result([True, False, False]),
self.get_allowed_protocols(self.PORT_TLS1))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls11_only(self):
"""
Expects TLSv1.1 only is allowed
"""
- self.assertEquals([False, True, False],
+ self.assertEquals(self.get_expected_tls_result([False, True, False]),
self.get_allowed_protocols(self.PORT_TLS11))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls12_only(self):
"""
Expects TLSv1.2 only is allowed
"""
- self.assertEquals([False, False, True],
+ self.assertEquals(self.get_expected_tls_result([False, False, True]),
self.get_allowed_protocols(self.PORT_TLS12))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls1_tls11_only(self):
"""
Expects TLSv1 and TLSv1.1 only are allowed
"""
- self.assertEquals([True, True, False],
+ self.assertEquals(self.get_expected_tls_result([True, True, False]),
self.get_allowed_protocols(self.PORT_TLS1_TLS11))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls1_tls12_only(self):
"""
Expects TLSv1 and TLSv1.2 only are allowed
"""
- self.assertEquals([True, False, True],
+ self.assertEquals(self.get_expected_tls_result([True, False, True]),
self.get_allowed_protocols(self.PORT_TLS1_TLS12))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls11_tls12_only(self):
"""
Expects TLSv1.1 and TLSv1.2 only are allowed
"""
- self.assertEquals([False, True, True],
+ self.assertEquals(self.get_expected_tls_result([False, True, True]),
self.get_allowed_protocols(self.PORT_TLS11_TLS12))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_tls_all(self):
"""
Expects all supported versions: TLSv1, TLSv1.1 and TLSv1.2 to be allowed
"""
- self.assertEquals([True, True, True],
+ self.assertEquals(self.get_expected_tls_result([True, True, True]),
self.get_allowed_protocols(self.PORT_TLS_ALL))
+ @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
def test_ssl_invalid(self):
"""
Expects connection is rejected as SSL is no longer supported
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org