URL: https://github.com/freeipa/freeipa/pull/3847
Author: wladich
Title: #3847: [Backport][ipa-4-7] ipatests: add test to check that only TLS 1.2 is enabled in Apache
Action: opened

PR body:
"""
This is a manual backport of #3839 

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcrit...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3847/head:pr3847
git checkout pr3847
From d5fd07163f1ea438ea642775de6e98138e334096 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Fri, 18 Oct 2019 14:53:02 +0200
Subject: [PATCH] ipatests: add test to check that only TLS 1.2 is enabled in
 Apache

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcrit...@redhat.com>
---
 ipatests/test_integration/test_commands.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e99b40d856..ed717ffa40 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -603,3 +603,23 @@ def test_config_show_configured_services(self):
             # reset
             entry['ipaConfigString'] = orig_cfg
             conn.update_entry(entry)  # pylint: disable=no-member
+
+    def test_enabled_tls_protocols(self):
+        """Check that only TLS 1.2 is enabled in Apache.
+
+        This is the regression test for issue
+        https://pagure.io/freeipa/issue/7995.
+        """
+        def is_tls_version_enabled(tls_version):
+            res = self.master.run_command(
+                ['openssl', 's_client',
+                 '-connect', '{}:443'.format(self.master.hostname),
+                 '-{}'.format(tls_version)],
+                stdin_text='\n',
+                ok_returncode=[0, 1]
+            )
+            return res.returncode == 0
+
+        assert not is_tls_version_enabled('tls1')
+        assert not is_tls_version_enabled('tls1_1')
+        assert is_tls_version_enabled('tls1_2')
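Review bot: in is_tls_version_enabled, any exit status of 1 from openssl s_client is read as "protocol disabled", so the two negative assertions also pass when the connection fails for an unrelated reason, for example when the openssl build on the master does not offer that protocol version on the client side, or when port 443 is briefly unreachable. The final `assert is_tls_version_enabled('tls1_2')` confirms that Apache is reachable, but only after the negative checks have already run. Consider running the TLS 1.2 check first and, for the rejected versions, also asserting on res.stderr_text or res.stdout_text so that the test only passes on a handshake failure reported by the server. Separately, the docstring says "only TLS 1.2 is enabled" while the test probes tls1, tls1_1 and tls1_2 only. Either word the docstring to match those three probes, or add a probe for each other protocol version the test is meant to rule out.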