From Fedora Project Wiki

No edit summary
No edit summary
 
Line 3: Line 3:
|actions=
|actions=
We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting
We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting
# Check LEGACY profile - '''currently FAILs''' with gnutls/wget ([https://bugzilla.redhat.com/show_bug.cgi?id=1437213 bug]) and openssl/s_client ([https://bugzilla.redhat.com/show_bug.cgi?id=1437209 bug])
# Check LEGACY profile
#:<pre>
#:<pre>
#::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
#::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"

Latest revision as of 08:40, 30 March 2017

Description

Sanity of crypto-policies


How to test

We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting

  1. Check LEGACY profile 
    update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
    

    

    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
    

    echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null
    

    

    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
    

    echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null
    

    

    curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"
  2. Check DEFAULT profile 
    update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
    

    wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
    

    wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
    

    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"
    

    

    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
    

    echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null
    

    

    curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
    

    curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"
  3. Check FUTURE profile 
    update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
    

    wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
    

    wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
    

    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
    

    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
    

    curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
    

    curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"

Expected Results

Commands complete without FAIL being printed.



Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_CryptoPolicies_Sanity&oldid=489607"