
No edit summary
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 2: Line 2:
|description=Sanity of crypto-policies
|description=Sanity of crypto-policies
|actions=
|actions=
We will test if system actually pays attention to crypto policy setting
We will test if at least some utilities using different libraries (gnutls, openssl, nss) pay attention to crypto policy setting
# Prepare test directory for simple https server
# Check LEGACY profile
#:<pre>
#:<pre>
#::dir=$(mktemp -d) && cd $dir && echo CONNECTED >index.html</pre>
#::update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
# Switch to LEGACY policy
#::
#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
#::echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null
#::
#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null
#::
#::curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"</pre>
# Check DEFAULT profile
#:<pre>
#:<pre>
#::update-crypto-policies --set LEGACY || echo FAIL</pre>
#::update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
# Setup server using only LEGACY ciphers
#::wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
#::wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"
#::
#::echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
#::echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null
#::
#::curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
#::curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"</pre>
# Check FUTURE profile
#:<pre>
#:<pre>
#::openssl s_server -WWW -cert TODO -key TODO -CAfile TODO -cipher TODO &</pre>
#::update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
# Check that OpenSSL software can connect
#::wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
#: <pre>
#::wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
#:: wget -O - localhost:4433 |grep CONNECTED || echo FAIL</pre>
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
# Check that NSS software can connect
#::(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
#:<pre>
#::curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
#::curl localhost:4433 |grep CONNECTED || echo FAIL</pre>
#::curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"</pre>
# Switch to policy NORMAL
#:<pre>
#::update-crypto-policies --set NORMAL || echo FAIL</pre>
# Check OpenSSL software can NOT connect
#:<pre>
#::wget -O - localhost:4433 |grep CONNECTED && echo FAIL</pre>
# Check NSS software can NOT connect
#:<pre>
#::curl localhost:4433 |grep CONNECTED && echo FAIL</pre>
# Switch to policy FUTURE
#:<pre>
#::update-crypto-policies --set FUTURE || echo FAIL</pre>
# Check OpenSSL software can NOT connect
#:<pre>
#::wget -O - localhost:4433 |grep CONNECTED && echo FAIL</pre>
# Check NSS software can NOT connect
#:<pre>
#::curl localhost:4433 |grep CONNECTED && echo FAIL</pre>
# Cleanup test directory
#:<pre>
#::rm -rf $dir</pre>
|results=
|results=
# Step #1 completes without error
Commands complete without <code>FAIL</code> being printed.
# commands complete without <code>FAIL</code> being printed
}}
}}
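Review bot: Nothing in the new steps switches the policy back after the FUTURE profile check, so a machine that ran this test is left on FUTURE; a final `update-crypto-policies --set DEFAULT || echo "FAIL restore DEFAULT"` after the last curl line would return it to the shipped policy. The LEGACY rc4 checks for wget and s_client and the DEFAULT 3des s_client check are only echoed next to their bugzilla links (1437213, 1437209, 1437363), which reads like an active check at a glance; a shell comment such as `# check disabled pending the bug above` on each line would make the intent explicit. The `echo wget ...` form in the LEGACY step additionally prints the command text to the terminal, because only the `echo "FAIL ..."` half is redirected to /dev/null, unlike the s_client lines where the whole quoted string is discarded. Lastly, `curl -s` hides the TLS error message when a check fails; `curl -sS` stays quiet on success but keeps the error on stderr, which is what a tester reading a FAIL line needs.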

Latest revision as of 08:40, 30 March 2017

Description

Sanity of crypto-policies


How to test

We will test whether at least some utilities built on different libraries (gnutls, openssl, nss) pay attention to the crypto policy setting

  1. Check LEGACY profile
    # Step 1: switch the system crypto policy to LEGACY and confirm that a client
    # can still reach a server offering only RC4 (rc4.badssl.com).
    # Every check prints "FAIL ..." on the unexpected outcome; silence is a pass.
    update-crypto-policies --set LEGACY || echo "FAIL update LEGACY"
    # Bug reference for the wget check below; the URL is discarded, it only
    # documents why that check is parked.
    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437213 >/dev/null
    # DISABLED: wget is never run here. The first echo prints the command text
    # to stdout, and only the "FAIL" echo is redirected to /dev/null, so this
    # line can never report a failure. Presumably parked on the bug above — confirm.
    echo wget -q -O /dev/null https://rc4.badssl.com/ || echo "FAIL wget LEGACY rc4" >/dev/null
    # Bug reference for the s_client check below (URL discarded, see above).
    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437209 >/dev/null
    # DISABLED: the entire s_client pipeline is a single quoted string handed to
    # echo and discarded, so no connection is attempted and no FAIL can appear.
    echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null || echo "FAIL s_client LEGACY rc4"' >/dev/null
    # Active check: under LEGACY the RC4-only host must be reachable with curl.
    # Note that -s also silences the TLS error that explains a FAIL.
    curl -s https://rc4.badssl.com/ >/dev/null|| echo "FAIL curl LEGACY rc4"
  2. Check DEFAULT profile
    # Step 2: switch to DEFAULT. RC4 must now be refused while 3DES is still
    # accepted. "&& echo FAIL" flags an unexpected success, "|| echo FAIL" an
    # unexpected failure; silence is a pass.
    update-crypto-policies --set DEFAULT || echo "FAIL update DEFAULT"
    wget -q -O /dev/null https://rc4.badssl.com/ && echo "FAIL wget DEFAULT rc4"
    wget -q -O /dev/null https://3des.badssl.com/ || echo "FAIL wget DEFAULT 3des"
    # After 5 s a minimal request is piped into s_client; all of its output is
    # discarded and only the pipeline's exit status drives the FAIL message
    # (presumably non-zero when the handshake is refused — confirm).
    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com &>/dev/null && echo "FAIL s_client DEFAULT rc4"
    # Bug reference for the 3DES s_client check below; the URL is discarded,
    # it only documents why that check is parked.
    echo https://bugzilla.redhat.com/show_bug.cgi?id=1437363 >/dev/null
    # DISABLED: the whole pipeline is a quoted string handed to echo and
    # discarded, so no connection is attempted and no FAIL can appear.
    echo '(sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null || echo "FAIL s_client DEFAULT 3des"' >/dev/null
    # curl counterparts of the two wget checks above (-s also hides the TLS
    # error message behind a FAIL).
    curl -s https://rc4.badssl.com/ >/dev/null && echo "FAIL curl DEFAULT rc4"
    curl -s https://3des.badssl.com/ >/dev/null || echo "FAIL curl DEFAULT 3des"
  3. Check FUTURE profile
    # Step 3: switch to FUTURE. 3DES must now be refused, while a host with a
    # modern TLS configuration (mozilla-modern.badssl.com) must still connect.
    # "&& echo FAIL" flags an unexpected success, "|| echo FAIL" an unexpected
    # failure; silence is a pass.
    update-crypto-policies --set FUTURE || echo "FAIL update FUTURE"
    wget -q -O /dev/null https://3des.badssl.com/ && echo "FAIL wget FUTURE 3des"
    wget -q -O /dev/null https://mozilla-modern.badssl.com/ || echo "FAIL wget FUTURE modern"
    # Same s_client pattern as the DEFAULT step: request piped in after 5 s,
    # output discarded, only the exit status is judged.
    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com &>/dev/null && echo "FAIL s_client FUTURE 3des"
    (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect mozilla-modern.badssl.com:443 -servername mozilla-modern.badssl.com &>/dev/null || echo "FAIL s_client FUTURE modern"
    curl -s https://3des.badssl.com/ >/dev/null && echo "FAIL curl FUTURE 3des"
    # NOTE(review): this is the last command of the test and nothing switches
    # the policy back, so the machine is left on FUTURE afterwards.
    curl -s https://mozilla-modern.badssl.com/ >/dev/null || echo "FAIL curl FUTURE modern"

Expected Results

Commands complete without FAIL being printed.