mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 09:48:14 +00:00

tests: Verify correct DH group size when negotiating

Additionally allows for adding extra openssl params when needed.
polarathene 2021-12-21 17:38:38 +13:00
parent 75528bdfcb
commit 0f15130476


@ -80,12 +80,17 @@ def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
raise Exception("Failed to process CLI request:\n" + e.stderr) from None raise Exception("Failed to process CLI request:\n" + e.stderr) from None
def can_negotiate_dhe_ciphersuite(sut_container): # The default `dh_bits` can vary due to configuration.
r = negotiate_cipher(sut_container, "-cipher 'EDH'") # `additional_params` allows for adjusting the request to a specific `VIRTUAL_HOST`,
# where DH size can differ from the configured global default DH size.
def can_negotiate_dhe_ciphersuite(sut_container, dh_bits=4096, additional_params=''):
openssl_params = f"-cipher 'EDH' {additional_params}"
r = negotiate_cipher(sut_container, openssl_params)
assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key") r2 = negotiate_cipher(sut_container, openssl_params, "Server Temp Key")
assert "DH" in r2 assert f"Server Temp Key: DH, {dh_bits} bits" in r2
def cannot_negotiate_dhe_ciphersuite(sut_container): def cannot_negotiate_dhe_ciphersuite(sut_container):
@ -139,7 +144,7 @@ def test_default_dhparam_is_ffdhe4096(docker_compose):
"/etc/nginx/dhparam/dhparam.pem" "/etc/nginx/dhparam/dhparam.pem"
) )
can_negotiate_dhe_ciphersuite(sut_container) can_negotiate_dhe_ciphersuite(sut_container, 4096)
# Overrides default DH group via ENV `DHPARAM_BITS=3072`: # Overrides default DH group via ENV `DHPARAM_BITS=3072`:
@ -157,7 +162,7 @@ def test_can_change_dhparam_group(docker_compose):
"/etc/nginx/dhparam/dhparam.pem" "/etc/nginx/dhparam/dhparam.pem"
) )
can_negotiate_dhe_ciphersuite(sut_container) can_negotiate_dhe_ciphersuite(sut_container, 3072)
def test_fail_if_dhparam_group_not_supported(docker_compose): def test_fail_if_dhparam_group_not_supported(docker_compose):
@ -192,7 +197,7 @@ def test_custom_dhparam_is_supported(docker_compose):
"/etc/nginx/dhparam/dhparam.pem" "/etc/nginx/dhparam/dhparam.pem"
) )
can_negotiate_dhe_ciphersuite(sut_container) can_negotiate_dhe_ciphersuite(sut_container, 3072)
def test_can_skip_dhparam(docker_compose): def test_can_skip_dhparam(docker_compose):
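Review bot: The `dh_bits=4096` default on the new `can_negotiate_dhe_ciphersuite` signature hard-codes one deployment's group size inside the helper, although every call site visible in this commit already passes the size explicitly (4096, 3072, 3072). Making it required, `def can_negotiate_dhe_ciphersuite(sut_container, dh_bits, additional_params=''):`, would force each test to state the key size it expects, so no caller checks a size it never chose; any call sites outside this diff that rely on the default would then need the argument added. The explanatory comment above the function would also read better as a docstring. It should state that `additional_params` is appended verbatim to the openssl argument string (`f"-cipher 'EDH' {additional_params}"`) and must therefore be a literal written in the test, since how `negotiate_cipher` executes that string is outside this hunk. The `3072` passed in `test_custom_dhparam_is_supported` deserves a short comment naming the custom dhparam fixture it corresponds to, because the link between that number and the fixture file is not visible at the call site.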