
tests: Verify correct DH group size when negotiating

Additionally allows for adding extra openssl params when needed.
polarathene 3 anni fa
parent
commit
0f15130476
1 ha cambiato i file con 12 aggiunte e 7 eliminazioni
  1. 12 7
      test/test_ssl/test_dhparam.py

+ 12 - 7
test/test_ssl/test_dhparam.py

@@ -80,12 +80,17 @@ def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
         raise Exception("Failed to process CLI request:\n" + e.stderr) from None
 
 
-def can_negotiate_dhe_ciphersuite(sut_container):
-    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
+# The default `dh_bits` can vary due to configuration.
+# `additional_params` allows for adjusting the request to a specific `VIRTUAL_HOST`,
+# where DH size can differ from the configured global default DH size.
+def can_negotiate_dhe_ciphersuite(sut_container, dh_bits=4096, additional_params=''):
+    openssl_params = f"-cipher 'EDH' {additional_params}"
+
+    r = negotiate_cipher(sut_container, openssl_params)
     assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
 
-    r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key")
-    assert "DH" in r2
+    r2 = negotiate_cipher(sut_container, openssl_params, "Server Temp Key")
+    assert f"Server Temp Key: DH, {dh_bits} bits" in r2
 
 
 def cannot_negotiate_dhe_ciphersuite(sut_container):
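Review bot: `additional_params` is spliced verbatim into `openssl_params` on the first line of the new body, so any quoting or escaping is left entirely to each caller. The "Failed to process CLI request" context line suggests `negotiate_cipher` (whose body is outside this hunk) turns that string into a command line, though that is inferred. Since the new comment advertises the parameter for per-`VIRTUAL_HOST` requests, I would state the contract next to it, e.g. `# additional_params is appended as-is to the openssl arguments; pass fixed test literals only, already quoted.`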
@@ -139,7 +144,7 @@ def test_default_dhparam_is_ffdhe4096(docker_compose):
         "/etc/nginx/dhparam/dhparam.pem"
     )
 
-    can_negotiate_dhe_ciphersuite(sut_container)
+    can_negotiate_dhe_ciphersuite(sut_container, 4096)
 
 
 # Overrides default DH group via ENV `DHPARAM_BITS=3072`:
@@ -157,7 +162,7 @@ def test_can_change_dhparam_group(docker_compose):
         "/etc/nginx/dhparam/dhparam.pem"
     )
 
-    can_negotiate_dhe_ciphersuite(sut_container)
+    can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
 def test_fail_if_dhparam_group_not_supported(docker_compose):
@@ -192,7 +197,7 @@ def test_custom_dhparam_is_supported(docker_compose):
         "/etc/nginx/dhparam/dhparam.pem"
     )
 
-    can_negotiate_dhe_ciphersuite(sut_container)
+    can_negotiate_dhe_ciphersuite(sut_container, 3072)
 
 
 def test_can_skip_dhparam(docker_compose):
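Review bot: Passing `3072` here gives `test_custom_dhparam_is_supported` the same expectation as `test_can_change_dhparam_group`, so the negotiated size alone cannot show that the server offered the custom group rather than a built-in 3072-bit one. The check that ends at the `dhparam.pem` context line presumably covers the file on disk, but not what nginx actually serves during the handshake. If the fixture allows it, a custom group whose size differs from the sizes selectable via `DHPARAM_BITS` would make this assertion discriminating. Otherwise a comment such as `# size also matches the DHPARAM_BITS=3072 case; group identity relies on the file check above` would record the limit. The test function starts outside this hunk.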