7 from dnsdisttests
import DNSDistTest
, pickAvailablePort
9 class DNSDistOCSPStaplingTest(DNSDistTest
):
12 def checkOCSPStaplingStatus(cls
, addr
, port
, serverName
, caFile
):
13 testcmd
= ['openssl', 's_client', '-CAfile', caFile
, '-connect', '%s:%d' % (addr
, port
), '-status', '-servername', serverName
]
16 process
= subprocess
.Popen(testcmd
, stdout
=subprocess
.PIPE
, stdin
=subprocess
.PIPE
, stderr
=subprocess
.STDOUT
, close_fds
=True)
17 output
= process
.communicate(input='')
18 except subprocess
.CalledProcessError
as exc
:
19 raise AssertionError('openssl s_client failed (%d): %s' % (exc
.returncode
, exc
.output
))
21 return output
[0].decode()
24 def getOCSPSerial(cls
, output
):
26 for line
in output
.splitlines():
29 if line
.startswith('Serial Number:'):
30 (_
, serialNumber
) = line
.split(':')
35 def getTLSProvider(self
):
36 return self
.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()
40 cls
.generateNewCertificateAndKey('server-ocsp')
45 @unittest.skipIf('SKIP_DOH_TESTS' in os
.environ
, 'DNS over HTTPS tests are disabled')
46 class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest
):
48 _consoleKey
= DNSDistTest
.generateConsoleKey()
49 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
50 _serverKey
= 'server-ocsp.key'
51 _serverCert
= 'server-ocsp.chain'
52 _serverName
= 'tls.tests.dnsdist.org'
53 _ocspFile
= 'server.ocsp'
56 _dohWithNGHTTP2ServerPort
= pickAvailablePort()
57 _dohWithH2OServerPort
= pickAvailablePort()
58 _config_template
= """
59 newServer{address="127.0.0.1:%d"}
61 controlSocket("127.0.0.1:%d")
63 -- generate an OCSP response file for our certificate, valid one day
64 generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
65 addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
66 addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})
68 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']
73 # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
74 if 'SKIP_DOH_TESTS' in os
.environ
:
75 raise unittest
.SkipTest('DNS over HTTPS tests are disabled')
77 cls
.generateNewCertificateAndKey('server-ocsp')
82 print("Launching tests..")
84 def testOCSPStapling(self
):
88 for port
in [self
._dohWithNGHTTP
2ServerPort
, self
._dohWithH
2OServerPort
]:
89 output
= self
.checkOCSPStaplingStatus('127.0.0.1', port
, self
._serverName
, self
._caCert
)
90 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
92 serialNumber
= self
.getOCSPSerial(output
)
93 self
.assertTrue(serialNumber
)
95 self
.generateNewCertificateAndKey('server-ocsp')
96 self
.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self
._serverCert
, self
._caCert
, self
._caKey
, self
._ocspFile
))
97 self
.sendConsoleCommand("reloadAllCertificates()")
99 output
= self
.checkOCSPStaplingStatus('127.0.0.1', port
, self
._serverName
, self
._caCert
)
100 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
101 serialNumber2
= self
.getOCSPSerial(output
)
102 self
.assertTrue(serialNumber2
)
103 self
.assertNotEqual(serialNumber
, serialNumber2
)
105 class TestBrokenOCSPStaplingDoH(DNSDistOCSPStaplingTest
):
107 _consoleKey
= DNSDistTest
.generateConsoleKey()
108 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
109 _serverKey
= 'server-ocsp.key'
110 _serverCert
= 'server-ocsp.chain'
111 _serverName
= 'tls.tests.dnsdist.org'
114 _ocspFile
= '/dev/null'
115 _dohWithNGHTTP2ServerPort
= pickAvailablePort()
116 _dohWithH2OServerPort
= pickAvailablePort()
117 _config_template
= """
118 newServer{address="127.0.0.1:%s"}
120 controlSocket("127.0.0.1:%s")
122 addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
123 addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})
126 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']
128 def testBrokenOCSPStapling(self
):
130 OCSP Stapling: Broken (DoH)
132 for port
in [self
._dohWithNGHTTP
2ServerPort
, self
._dohWithH
2OServerPort
]:
133 output
= self
.checkOCSPStaplingStatus('127.0.0.1', port
, self
._serverName
, self
._caCert
)
134 self
.assertNotIn('OCSP Response Status: successful (0x0)', output
)
136 class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest
):
138 _consoleKey
= DNSDistTest
.generateConsoleKey()
139 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
140 _serverKey
= 'server-ocsp.key'
141 _serverCert
= 'server-ocsp.chain'
142 _serverName
= 'tls.tests.dnsdist.org'
143 _ocspFile
= 'server.ocsp'
146 _tlsServerPort
= pickAvailablePort()
147 _config_template
= """
148 newServer{address="127.0.0.1:%s"}
150 controlSocket("127.0.0.1:%s")
152 -- generate an OCSP response file for our certificate, valid one day
153 generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
154 addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
156 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
158 def testOCSPStapling(self
):
160 OCSP Stapling: TLS (GnuTLS)
162 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
163 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
164 self
.assertEqual(self
.getTLSProvider(), "gnutls")
166 serialNumber
= self
.getOCSPSerial(output
)
167 self
.assertTrue(serialNumber
)
169 self
.generateNewCertificateAndKey('server-ocsp')
170 self
.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self
._serverCert
, self
._caCert
, self
._caKey
, self
._ocspFile
))
171 self
.sendConsoleCommand("reloadAllCertificates()")
173 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
174 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
175 serialNumber2
= self
.getOCSPSerial(output
)
176 self
.assertTrue(serialNumber2
)
177 self
.assertNotEqual(serialNumber
, serialNumber2
)
179 class TestBrokenOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest
):
181 _consoleKey
= DNSDistTest
.generateConsoleKey()
182 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
183 _serverKey
= 'server-ocsp.key'
184 _serverCert
= 'server-ocsp.chain'
185 _serverName
= 'tls.tests.dnsdist.org'
188 _ocspFile
= '/dev/null'
189 _tlsServerPort
= pickAvailablePort()
190 _config_template
= """
191 newServer{address="127.0.0.1:%s"}
193 controlSocket("127.0.0.1:%s")
195 addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
197 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
199 def testBrokenOCSPStapling(self
):
201 OCSP Stapling: Broken (GnuTLS)
203 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
204 self
.assertNotIn('OCSP Response Status: successful (0x0)', output
)
205 self
.assertEqual(self
.getTLSProvider(), "gnutls")
207 class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest
):
209 _consoleKey
= DNSDistTest
.generateConsoleKey()
210 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
211 _serverKey
= 'server-ocsp.key'
212 _serverCert
= 'server-ocsp.chain'
213 _serverName
= 'tls.tests.dnsdist.org'
214 _ocspFile
= 'server.ocsp'
217 _tlsServerPort
= pickAvailablePort()
218 _config_template
= """
219 newServer{address="127.0.0.1:%s"}
221 controlSocket("127.0.0.1:%s")
223 -- generate an OCSP response file for our certificate, valid one day
224 generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
225 addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
227 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
229 def testOCSPStapling(self
):
231 OCSP Stapling: TLS (OpenSSL)
233 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
234 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
235 self
.assertEqual(self
.getTLSProvider(), "openssl")
237 serialNumber
= self
.getOCSPSerial(output
)
238 self
.assertTrue(serialNumber
)
240 self
.generateNewCertificateAndKey('server-ocsp')
241 self
.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self
._serverCert
, self
._caCert
, self
._caKey
, self
._ocspFile
))
242 self
.sendConsoleCommand("reloadAllCertificates()")
244 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
245 self
.assertIn('OCSP Response Status: successful (0x0)', output
)
246 serialNumber2
= self
.getOCSPSerial(output
)
247 self
.assertTrue(serialNumber2
)
248 self
.assertNotEqual(serialNumber
, serialNumber2
)
250 class TestBrokenOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest
):
252 _consoleKey
= DNSDistTest
.generateConsoleKey()
253 _consoleKeyB64
= base64
.b64encode(_consoleKey
).decode('ascii')
254 _serverKey
= 'server-ocsp.key'
255 _serverCert
= 'server-ocsp.chain'
256 _serverName
= 'tls.tests.dnsdist.org'
259 _ocspFile
= '/dev/null'
260 _tlsServerPort
= pickAvailablePort()
261 _config_template
= """
262 newServer{address="127.0.0.1:%s"}
264 controlSocket("127.0.0.1:%s")
266 addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
268 _config_params
= ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
270 def testBrokenOCSPStapling(self
):
272 OCSP Stapling: Broken (OpenSSL)
274 output
= self
.checkOCSPStaplingStatus('127.0.0.1', self
._tlsServerPort
, self
._serverName
, self
._caCert
)
275 self
.assertNotIn('OCSP Response Status: successful (0x0)', output
)
276 self
.assertEqual(self
.getTLSProvider(), "openssl")