Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new endpoint for cipher testing #19

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Add new endpoint for cipher testing #19

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
df9c165
Add new endpoint for cipher testing
sivel May 20, 2024
3abb709
add 2 endpoints without tls1.3, one weak, the other strong
sivel May 21, 2024
15fde50
Pick a different weak cipher, move weak endpoint to it's own port
sivel May 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions create_certs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,4 @@ create_cert "${ca1}" "sni1.ansible.http.tests"
create_cert "${ca1}" "sni2.ansible.http.tests"
create_cert "${ca1}" "client.ansible.http.tests"
create_cert "${ca2}" "self-signed.ansible.http.tests"
create_cert "${ca1}" "insecure.ansible.http.tests"
21 changes: 21 additions & 0 deletions nginx.sites.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,27 @@ server {
}
}

server {
listen 80;
listen 445 ssl;

server_name insecure.ansible.http.tests;

ssl_certificate /root/ca/insecure.ansible.http.tests-cert.pem;
ssl_certificate_key /root/ca/private/insecure.ansible.http.tests-key.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we're going to need something a bit more nuanced than this single endpoint with these two cipher suites.

The default cipher suites for our tested clients vary, so some of them will be able to connect to this endpoint without additional configuration.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests themselves handle it, because they both explicitly declare the cipher to use. Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?

Correct. This endpoint should use a cipher suite that the client supports, but not by default. Otherwise a successful connection doesn't tell us whether or not the cipher suite selection had any effect.

Additionally, the test should try to connect with the default settings and verify the connection fails. That way we'll know if the client defaults are suitable for testing against this endpoint.

The reverse is actually needed for the "test bad cipher" case. We need an endpoint that works with the default cipher suite selection on the client (verified by the test), but that fails when a cipher is chosen that the server does not support.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, think I've got this taken care of.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

scratch that, I've expanded my testing, and need to work out details of the weak cipher a bit more.


location / {
return 200 "insecure.ansible.http.tests";
}

location /redir {
rewrite .* https://insecure.ansible.http.tests:445/ permanent;
}
}

server {
listen 80;
listen 444 ssl;
Expand Down