1*1888Szelenkov@nginx.comimport ssl
2*1888Szelenkov@nginx.com
3*1888Szelenkov@nginx.comimport pytest
4*1888Szelenkov@nginx.comfrom unit.applications.tls import TestApplicationTLS
5*1888Szelenkov@nginx.com
6*1888Szelenkov@nginx.com
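class TestTLSConfCommand(TestApplicationTLS):
    """Exercise the ``conf_commands`` block of a TLS listener.

    The entries under ``conf_commands`` are handed to OpenSSL's
    ``SSL_CONF_cmd`` (the alert pattern in
    ``test_tls_conf_command_invalid`` refers to it).  The tests check that
    a protocol version or cipher disabled this way is really no longer
    negotiated -- including that the handshake is refused outright when
    nothing usable is left -- and that malformed commands are rejected at
    configuration time rather than silently ignored.
    """

    prerequisites = {'modules': {'openssl': 'any'}}

    @pytest.fixture(autouse=True)
    def setup_method_fixture(self, request):
        """Install the default certificate and a minimal TLS listener on *:7080."""
        self.certificate()

        assert 'success' in self.conf(
            {
                "listeners": {
                    "*:7080": {
                        "pass": "routes",
                        "tls": {"certificate": "default"},
                    }
                },
                "routes": [{"action": {"return": 200}}],
                "applications": {},
            }
        ), 'load application configuration'

    def test_tls_conf_command(self):
        """Disable the negotiated protocol, then a cipher, and check each takes effect.

        Step 1 disables the protocol version the client first negotiated
        (``Protocol`` command, ``-<version>``).  If another version is
        shared by client and server it must be used instead; if not, the
        handshake must fail.  Step 2 additionally removes the cipher that
        was negotiated in step 1 (``CipherString``, ``!<cipher>`` deletes
        it permanently) and expects either a different cipher under the
        same protocol or, again, a refused handshake.
        """

        def check_no_connection():
            # Once the only usable protocol (or cipher) is disabled, a
            # successful handshake means the conf_command did not take
            # effect -- that is the failure this test exists to catch.
            try:
                self.get_ssl()
                pytest.fail('Unexpected connection.')

            except (ssl.SSLError, ConnectionRefusedError):
                pass

        def shared_or_skip(sock):
            # shared_ciphers() is documented to return None for client
            # sockets (behaviour differs between Python versions); there
            # is nothing to compare against in that case.
            shared = sock.shared_ciphers()
            if shared is None:
                pytest.skip('shared_ciphers() not available for this socket.')
            return shared

        # Set one conf_commands (disable protocol).

        (_, sock) = self.get_ssl(start=True)
        try:
            shared_ciphers = shared_or_skip(sock)
            protocol = sock.cipher()[1]
        finally:
            # Close before any skip/assert so the socket never leaks.
            sock.close()

        # Protocol versions shared by client and server, e.g. TLSv1.2/TLSv1.3.
        protocols = {c[1] for c in shared_ciphers}

        if '/' in protocol:
            pytest.skip('Complex protocol format.')

        assert 'success' in self.conf(
            {
                "certificate": "default",
                "conf_commands": {"protocol": '-' + protocol},
            },
            'listeners/*:7080/tls',
        ), 'protocol disabled'

        if len(protocols) <= 1:
            # The only shared version is now disabled: no handshake may succeed.
            check_no_connection()
            pytest.skip('One TLS protocol available only.')

        (_, sock) = self.get_ssl(start=True)
        try:
            cipher = sock.cipher()
            assert cipher[1] != protocol, 'new protocol used'

            # Ciphers still available under the newly negotiated version.
            ciphers = {c for c in shared_or_skip(sock) if c[1] == cipher[1]}
        finally:
            sock.close()

        # Set two conf_commands (disable protocol and cipher).

        assert 'success' in self.conf(
            {
                "certificate": "default",
                "conf_commands": {
                    "protocol": '-' + protocol,
                    # Keep the current version's ciphers, drop the one just used.
                    "cipherstring": cipher[1] + ":!" + cipher[0],
                },
            },
            'listeners/*:7080/tls',
        ), 'cipher disabled'

        if len(ciphers) <= 1:
            # The only shared cipher is now disabled: no handshake may succeed.
            check_no_connection()
            return

        (_, sock) = self.get_ssl(start=True)
        try:
            cipher_new = sock.cipher()
        finally:
            sock.close()

        assert cipher_new[1] == cipher[1], 'previous protocol used'
        assert cipher_new[0] != cipher[0], 'new cipher used'

    def test_tls_conf_command_invalid(self, skip_alert):
        """Malformed ``conf_commands`` must be rejected by the configuration API.

        The server is expected to log the failing ``SSL_CONF_cmd`` call;
        those alerts are whitelisted here because they are the intended
        outcome, not a defect.
        """
        skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf')

        def check_conf_commands(conf_commands):
            # Every value below is wrong in type, key or content and must
            # produce an 'error' response instead of being applied.
            assert 'error' in self.conf(
                {"certificate": "default", "conf_commands": conf_commands},
                'listeners/*:7080/tls',
            ), 'invalid conf_commands'

        check_conf_commands([])
        check_conf_commands("blah")
        check_conf_commands({"": ""})
        check_conf_commands({"blah": ""})
        check_conf_commands({"protocol": {}})
        check_conf_commands({"protocol": "blah"})
        check_conf_commands({"protocol": "TLSv1.2", "blah": ""})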