Posted to commits@qpid.apache.org by gm...@apache.org on 2019/01/02 15:55:45 UTC

[qpid-dispatch] branch master updated: DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater

This is an automated email from the ASF dual-hosted git repository.

gmurthy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
     new 826756a  DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater
826756a is described below

commit 826756a43297bd1dbbe803b255375b5eab793619
Author: Fernando Giorgetti <fg...@redhat.com>
AuthorDate: Fri Dec 21 13:52:07 2018 -0200

    DISPATCH-1230 - Fixed system_tests_ssl when using OpenSSL 1.1 or greater
---
 tests/system_tests_ssl.py | 69 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 7 deletions(-)

diff --git a/tests/system_tests_ssl.py b/tests/system_tests_ssl.py
index 5eb9a6f..feabfea 100644
--- a/tests/system_tests_ssl.py
+++ b/tests/system_tests_ssl.py
@@ -21,6 +21,8 @@
 Provides tests related with allowed TLS protocol version restrictions.
 """
 import os
+import ssl
+import sys
 from subprocess import Popen, PIPE
 from qpid_dispatch.management.client import Node
 from system_test import TestCase, main_module, Qdrouterd, DIR, SkipIfNeeded
@@ -35,6 +37,9 @@ class RouterTestSslBase(TestCase):
     """
     Base class to help with SSL related testing.
     """
+    # If unable to determine which protocol versions are allowed system wide
+    DISABLE_SSL_TESTING = False
+
     @staticmethod
     def ssl_file(name):
         """
@@ -89,6 +94,30 @@ class RouterTestSslClient(RouterTestSslBase):
     PORT_SSL3 = 0
     TIMEOUT = 3
 
+    # If using OpenSSL 1.1 or greater, TLSv1.2 is always being allowed
+    OPENSSL_VER_1_1_GT = ssl.OPENSSL_VERSION_INFO[:2] >= (1, 1)
+
+    # Following variables define TLS versions allowed by openssl
+    OPENSSL_MIN_VER = 0
+    OPENSSL_MAX_VER = 9999
+    OPENSSL_ALLOW_TLSV1 = True
+    OPENSSL_ALLOW_TLSV1_1 = True
+    OPENSSL_ALLOW_TLSV1_2 = True
+
+    # When using OpenSSL >= 1.1 and python >= 3.7, we can retrieve OpenSSL min and max protocols
+    if OPENSSL_VER_1_1_GT:
+        if sys.version_info >= (3, 7):
+            OPENSSL_CTX = ssl.create_default_context()
+            OPENSSL_MIN_VER = OPENSSL_CTX.minimum_version
+            OPENSSL_MAX_VER = OPENSSL_CTX.maximum_version if OPENSSL_CTX.maximum_version > 0 else 9999
+            OPENSSL_ALLOW_TLSV1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1 <= OPENSSL_MAX_VER
+            OPENSSL_ALLOW_TLSV1_1 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_1 <= OPENSSL_MAX_VER
+            OPENSSL_ALLOW_TLSV1_2 = OPENSSL_MIN_VER <= ssl.TLSVersion.TLSv1_2 <= OPENSSL_MAX_VER
+        else:
+            # At this point we are not able to precisely determine what are the minimum and maximum
+            # TLS versions allowed in the system, so tests will be disabled
+            RouterTestSslBase.DISABLE_SSL_TESTING = True
+
     @classmethod
     def setUpClass(cls):
         """
@@ -324,55 +353,81 @@ class RouterTestSslClient(RouterTestSslBase):
         connection.close()
         return True
 
+    def get_expected_tls_result(self, expected_results):
+        """
+        Expects a list with three boolean elements, representing
+        TLSv1, TLSv1.1 and TLSv1.2 (in the respective order).
+        When using OpenSSL >= 1.1.x, allowance of a given TLS version is
+        based on MinProtocol / MaxProtocol definitions.
+        It is also important
+        to mention that TLSv1.2 is being allowed even when not specified in a
+        listener when using OpenSSL >= 1.1.x.
+
+        :param expected_results:
+        :return:
+        """
+        (tlsv1, tlsv1_1, tlsv1_2) = expected_results
+        return [self.OPENSSL_ALLOW_TLSV1 and tlsv1,
+                self.OPENSSL_ALLOW_TLSV1_1 and tlsv1_1,
+                self.OPENSSL_VER_1_1_GT or (self.OPENSSL_ALLOW_TLSV1_2 and tlsv1_2)]
+
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_only(self):
         """
         Expects TLSv1 only is allowed
         """
-        self.assertEquals([True, False, False],
+        self.assertEquals(self.get_expected_tls_result([True, False, False]),
                           self.get_allowed_protocols(self.PORT_TLS1))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls11_only(self):
         """
         Expects TLSv1.1 only is allowed
         """
-        self.assertEquals([False, True, False],
+        self.assertEquals(self.get_expected_tls_result([False, True, False]),
                           self.get_allowed_protocols(self.PORT_TLS11))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls12_only(self):
         """
         Expects TLSv1.2 only is allowed
         """
-        self.assertEquals([False, False, True],
+        self.assertEquals(self.get_expected_tls_result([False, False, True]),
                           self.get_allowed_protocols(self.PORT_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_tls11_only(self):
         """
         Expects TLSv1 and TLSv1.1 only are allowed
         """
-        self.assertEquals([True, True, False],
+        self.assertEquals(self.get_expected_tls_result([True, True, False]),
                           self.get_allowed_protocols(self.PORT_TLS1_TLS11))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls1_tls12_only(self):
         """
         Expects TLSv1 and TLSv1.2 only are allowed
         """
-        self.assertEquals([True, False, True],
+        self.assertEquals(self.get_expected_tls_result([True, False, True]),
                           self.get_allowed_protocols(self.PORT_TLS1_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls11_tls12_only(self):
         """
         Expects TLSv1.1 and TLSv1.2 only are allowed
         """
-        self.assertEquals([False, True, True],
+        self.assertEquals(self.get_expected_tls_result([False, True, True]),
                           self.get_allowed_protocols(self.PORT_TLS11_TLS12))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_tls_all(self):
         """
         Expects all supported versions: TLSv1, TLSv1.1 and TLSv1.2 to be allowed
         """
-        self.assertEquals([True, True, True],
+        self.assertEquals(self.get_expected_tls_result([True, True, True]),
                           self.get_allowed_protocols(self.PORT_TLS_ALL))
 
+    @SkipIfNeeded(RouterTestSslBase.DISABLE_SSL_TESTING, "Unable to determine MinProtocol")
     def test_ssl_invalid(self):
         """
         Expects connection is rejected as SSL is no longer supported
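Review bot: The docstring of `get_expected_tls_result` leaves `:param expected_results:` and `:return:` empty; fill them in, e.g. `:param expected_results: sequence of three booleans for TLSv1, TLSv1.1 and TLSv1.2, as configured on the listener under test` and `:return: list of three booleans, the expectation adjusted to what the local OpenSSL build allows`. The third element `self.OPENSSL_VER_1_1_GT or (...)` makes TLSv1.2 expected on every listener once OpenSSL >= 1.1 is in use, so test_tls1_only and the other restricted cases no longer check that TLSv1.2 is refused there; the docstring should state why (the DISPATCH-1230 behaviour named in the commit title) so a reader does not take the relaxed expectation for a test bug, and if the router's acceptance of an unlisted version is intentional it is better documented than silently absorbed. The decorator argument `RouterTestSslBase.DISABLE_SSL_TESTING` is evaluated once at class-definition time, so a flag changed after the class body has run (for example from setUpClass) would not skip anything. test_ssl_invalid continues outside the hunk.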

