Latest revision as of 08:40, 30 March 2017

Description

Sanity of crypto-policies

How to test

We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting

Check LEGACY profile

update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"

echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null

echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null

curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"

Check DEFAULT profile

update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"

echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null

curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"

Check FUTURE profile

update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"

Expected Results

Commands complete without FAIL being printed.

@@ Line 2: / Line 2: @@
 |description=Sanity of crypto-policies
 |actions=
-We will test if system actually pays attention to crypto policy setting
+We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting
-# Setup server using only LEGACY ciphers
+# Check LEGACY profile
 #:<pre>
-#::dir=$(mktemp -d) && cd $dir && echo CONNECTED >index.html && \
+#::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
-#::openssl s_server -WWW -cert TODO -key TODO -CAfile TODO -cipher TODO </pre>
+#::
-# Switch to LEGACY policy and make sure connection works
+#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
+#::echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null
+#::
+#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
+#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null
+#::
+#::curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"</pre>
+# Check DEFAULT profile
 #:<pre>
-#::update-crypto-policies --set LEGACY  curl localhost:4433 |grep CONNECTED</pre>
+#::update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
-# Check OpenSSL software can connect
+#::wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
-#: <pre>
+#::wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
-#:: wget -O - localhost:4433 |grep CONNECTED</pre>
+#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"
+#::
+#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
+#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null
+#::
+#::curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
+#::curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"</pre>
+# Check FUTURE profile
+#:<pre>
+#::update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
+#::wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
+#::wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
+#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
+#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
+#::curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
+#::curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"</pre>
 |results=
-# Step #1 completes without error
+Commands complete without <code>FAIL</code> being printed.
-# command prints <code>CONNECTED</code>
-# command prints <code>CONNECTED</code>
 }}

Search

QA:Testcase CryptoPolicies Sanity: Difference between revisions

Latest revision as of 08:40, 30 March 2017

Description

How to test

Expected Results