1 | #!/usr/bin/env python |
2 | import dns | |
13291274 | 3 | import os |
8c15553e | 4 | import subprocess |
13291274 | 5 | import unittest |
6 | from dnsdisttests import DNSDistTest |
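class DNSDistOCSPStaplingTest(DNSDistTest):
    """Shared helper for the OCSP stapling regression tests.

    Subclasses configure a dnsdist TLS or DoH frontend with an OCSP response
    file and then assert that the response is actually stapled during the
    handshake.
    """

    @classmethod
    def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
        """Run ``openssl s_client`` against a frontend and return its output.

        Args:
            addr: address of the dnsdist frontend to connect to.
            port: TCP port of that frontend.
            serverName: SNI name sent in the ClientHello.
            caFile: path of the CA certificate openssl uses to verify the chain.

        Returns:
            The decoded, merged stdout/stderr of openssl. Callers search it for
            the 'OCSP Response Status' line printed because of '-status'.

        Raises:
            AssertionError: if the openssl binary could not be started.
        """
        # '-status' requests a stapled OCSP response (TLS status_request
        # extension) and makes openssl print it; stderr is merged into stdout
        # so that handshake or verification errors end up in the returned text.
        testcmd = ['openssl', 's_client', '-CAfile', caFile, '-connect', '%s:%d' % (addr, port), '-status', '-servername', serverName]
        try:
            process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
        except OSError as exc:
            # Popen never raises CalledProcessError (only check_call/run(check=True)
            # do), so the failure worth reporting here is a missing or
            # non-executable openssl; the old handler was unreachable and its
            # message referred to 'dnsdist --check-config'.
            raise AssertionError('failed to run %s: %s' % (' '.join(testcmd), exc))

        # Empty bytes input: s_client gets an immediate EOF on stdin and exits
        # once the handshake and status printout are done.
        output, _ = process.communicate(input=b'')

        # The exit status is deliberately not checked: callers assert on the
        # OCSP status line, and the full output is more useful than a bare code.
        return output.decode()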
@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS over HTTPS frontend."""

    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _dohServerPort = 8443
    # The Lua config signs a one-day OCSP response for the server certificate
    # with the test CA key and hands the file to the DoH frontend.
    _config_template = """
    newServer{address="127.0.0.1:%s"}

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
    """
    # One attribute name per %s placeholder in the template, in order.
    _config_params = ['_testServerPort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohServerPort', '_serverCert', '_serverKey', '_ocspFile']

    @classmethod
    def setUpClass(cls):
        """Start the responders, dnsdist and the client sockets once for the class."""

        # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
        if os.environ.get('SKIP_DOH_TESTS') is not None:
            raise unittest.SkipTest('DNS over HTTPS tests are disabled')

        for start_step in (cls.startResponders, cls.startDNSDist, cls.setUpSockets):
            start_step()

        print("Launching tests..")

    def testOCSPStapling(self):
        """
        OCSP Stapling: DOH
        """
        # A 'successful' response status only proves that dnsdist stapled a
        # well-formed response; the certificate status it carries is not checked.
        expected_status = 'OCSP Response Status: successful (0x0)'
        handshake_output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
        self.assertIn(expected_status, handshake_output)
class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS over TLS frontend backed by the GnuTLS provider."""

    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = 8443
    # The Lua config signs a one-day OCSP response for the server certificate
    # with the test CA key and hands the file to the GnuTLS frontend.
    _config_template = """
    newServer{address="127.0.0.1:%s"}

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    # One attribute name per %s placeholder in the template, in order.
    _config_params = ['_testServerPort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (GnuTLS)
        """
        # A 'successful' response status only proves that dnsdist stapled a
        # well-formed response; the certificate status it carries is not checked.
        expected_status = 'OCSP Response Status: successful (0x0)'
        handshake_output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn(expected_status, handshake_output)
class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS over TLS frontend backed by the OpenSSL provider."""

    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = 8443
    # The Lua config signs a one-day OCSP response for the server certificate
    # with the test CA key and hands the file to the OpenSSL frontend.
    _config_template = """
    newServer{address="127.0.0.1:%s"}

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    # One attribute name per %s placeholder in the template, in order.
    _config_params = ['_testServerPort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (OpenSSL)
        """
        # A 'successful' response status only proves that dnsdist stapled a
        # well-formed response; the certificate status it carries is not checked.
        expected_status = 'OCSP Response Status: successful (0x0)'
        handshake_output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn(expected_status, handshake_output)