From Fedora Project Wiki
No edit summary |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 3: | Line 3: | ||
|actions= | |actions= | ||
We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting | We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting | ||
# Check LEGACY profile | # Check LEGACY profile | ||
#:<pre> | #:<pre> | ||
#::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY" | #::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY" | ||
#::wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" | #:: | ||
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4" | #::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null | ||
#::echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null | |||
#:: | |||
#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null | |||
#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null | |||
#:: | |||
#::curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"</pre> | #::curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"</pre> | ||
# Check DEFAULT profile | # Check DEFAULT profile | ||
| Line 15: | Line 20: | ||
#::wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des" | #::wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des" | ||
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4" | #::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4" | ||
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des" | #:: | ||
#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null | |||
#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null | |||
#:: | |||
#::curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4" | #::curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4" | ||
#::curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"</pre> | #::curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"</pre> | ||
Latest revision as of 08:40, 30 March 2017
Description
Sanity of crypto-policies
How to test
We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting
- Check LEGACY profile
- update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
- echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
- echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null
- echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
- echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null
- curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"
- Check DEFAULT profile
- update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
- wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
- wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
- (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"
- echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
- echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null
- curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
- curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"
- Check FUTURE profile
- update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
- wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
- wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
- (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
- (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
- curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
- curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"
Expected Results
Commands complete without FAIL being printed.