thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-07-01 22:35:45 +00:00
Code Issues Releases Wiki Activity

tests: Add utility method to verify TLS chain of trust

Browse Source
This commit is contained in:
polarathene
2021-12-21 18:00:39 +13:00
parent 9dc9d90d34
commit c5166f580e
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
test/test_ssl/test_dhparam.py
View File

@ -1,5 +1,6 @@
import re
import subprocess
import os
import backoff
import docker
@ -106,6 +107,22 @@ def cannot_negotiate_dhe_ciphersuite(sut_container):
assert "X25519" in r3
# To verify self-signed certificates, the file path to their CA cert must be provided.
# Use the `fqdn` arg to specify the `VIRTUAL_HOST` to request for verification for that cert.
#
# Resolves the following stderr warnings regarding self-signed cert verification and missing SNI:
# `Can't use SSL_get_servername`
# `verify error:num=20:unable to get local issuer certificate`
# `verify error:num=21:unable to verify the first certificate`
#
# The stderr output is hidden due to running the openssl command with `stderr=subprocess.PIPE`.
def can_verify_chain_of_trust(sut_container, ca_cert, fqdn):
openssl_params = f"-CAfile '{ca_cert}' -servername '{fqdn}'"
r = negotiate_cipher(sut_container, openssl_params, "Verify return code")
assert "Verify return code: 0 (ok)" in r
def should_be_equivalent_content(sut_container, expected, actual):
expected_checksum = sut_container.exec_run(f"md5sum {expected}").output.split()[0]
actual_checksum = sut_container.exec_run(f"md5sum {actual}").output.split()[0]
@ -220,6 +237,15 @@ def test_custom_dhparam_is_supported_per_site(docker_compose):
# `-servername` required for nginx-proxy to respond with site-specific DH params used:
can_negotiate_dhe_ciphersuite(sut_container, 2048, '-servername web2.nginx-proxy.tld')
# --Unrelated to DH support--
# - `web5` is missing a certificate, but falls back to available `/etc/nginx/certs/nginx-proxy.tld.crt` via `nginx.tmpl` "closest" result.
# - `web2` has it's own cert provisioned at `/etc/nginx/certs/web2.nginx-proxy.tld.crt`.
can_verify_chain_of_trust(
sut_container,
ca_cert = f"{os.getcwd()}/certs/ca-root.crt",
fqdn = 'web2.nginx-proxy.tld'
)
# NOTE: These two tests will fail without the ENV `DEFAULT_HOST` to prevent
# accidentally falling back to `web2` as the default server, which has explicit DH params configured.