Improve test script

nabla-c0d3 · Feb 21, 2021 · 1f75eca · 1f75eca
1 parent 6255c8c
commit 1f75eca
Showing 1 changed file with 40 additions and 19 deletions.
diff --git a/tests/web_servers/scan_localhost.py b/tests/web_servers/scan_localhost.py
@@ -114,11 +114,31 @@ def main(server_software_running_on_localhost: WebServerSoftwareEnum) -> None:
                 ScanCommand.CERTIFICATE_INFO,
                 ScanCommand.TLS_COMPRESSION,
             }
-        elif server_software_running_on_localhost in [WebServerSoftwareEnum.NGINX, WebServerSoftwareEnum.IIS]:
+        elif server_software_running_on_localhost == WebServerSoftwareEnum.NGINX:
             # With nginx, when configured to require client authentication, more scan commands work because unlike
             # Apache2, it does complete a full TLS handshake even when a client cert was not provided. It then returns
             # an error page at the HTTP layer.
-            # With IIS, client authentication is enabled so it returns the same same result
+            expected_scan_command_results = {
+                ScanCommand.TLS_1_3_CIPHER_SUITES,
+                ScanCommand.TLS_1_2_CIPHER_SUITES,
+                ScanCommand.TLS_1_1_CIPHER_SUITES,
+                ScanCommand.TLS_1_0_CIPHER_SUITES,
+                ScanCommand.SSL_3_0_CIPHER_SUITES,
+                ScanCommand.SSL_2_0_CIPHER_SUITES,
+                ScanCommand.OPENSSL_CCS_INJECTION,
+                ScanCommand.HEARTBLEED,
+                ScanCommand.ELLIPTIC_CURVES,
+                ScanCommand.TLS_FALLBACK_SCSV,
+                ScanCommand.CERTIFICATE_INFO,
+                ScanCommand.TLS_COMPRESSION,
+                ScanCommand.SESSION_RESUMPTION,
+                ScanCommand.TLS_1_3_EARLY_DATA,
+                ScanCommand.HTTP_HEADERS,
+                ScanCommand.SESSION_RESUMPTION_RATE,
+                ScanCommand.SESSION_RENEGOTIATION,
+            }
+        elif server_software_running_on_localhost == WebServerSoftwareEnum.IIS:
+            # With IIS, client authentication is not enabled so all scan commands succeed
             expected_scan_command_results = {
                 ScanCommand.TLS_1_3_CIPHER_SUITES,
                 ScanCommand.TLS_1_2_CIPHER_SUITES,
@@ -149,9 +169,25 @@ def main(server_software_running_on_localhost: WebServerSoftwareEnum) -> None:
         else:
             print("OK: Completed all the expected scan commands.")
 
-        # Ensure TLS 1.2 and 1.3 were detected by SSLyze as enabled
+        # Ensure the right TLS versions were detected by SSLyze as enabled
         # https://github.com/nabla-c0d3/sslyze/issues/472
-        for ciphers_scan_cmd in [ScanCommand.TLS_1_3_CIPHER_SUITES, ScanCommand.TLS_1_2_CIPHER_SUITES]:
+        if server_software_running_on_localhost in [WebServerSoftwareEnum.APACHE2, WebServerSoftwareEnum.NGINX]:
+            # Apache and nginx are configured to only enable TLS 1.2 and TLS 1.3
+            expected_enabled_tls_scan_commands = {
+                ScanCommand.TLS_1_3_CIPHER_SUITES,
+                ScanCommand.TLS_1_2_CIPHER_SUITES,
+            }
+        elif server_software_running_on_localhost == WebServerSoftwareEnum.IIS:
+            # TLS 1.3 is not supported by IIS
+            expected_enabled_tls_scan_commands = {
+                ScanCommand.TLS_1_2_CIPHER_SUITES,
+                ScanCommand.TLS_1_1_CIPHER_SUITES,
+                ScanCommand.TLS_1_0_CIPHER_SUITES,
+            }
+        else:
+            raise ValueError(f"Unexpected value: {server_software_running_on_localhost}")
+
+        for ciphers_scan_cmd in expected_enabled_tls_scan_commands:
             scan_cmd_result = server_scan_result.scan_commands_results[ciphers_scan_cmd]  # type: ignore
             if not scan_cmd_result.accepted_cipher_suites:
                 raise RuntimeError(
@@ -160,21 +196,6 @@ def main(server_software_running_on_localhost: WebServerSoftwareEnum) -> None:
             else:
                 print(f"OK: Scan command {ciphers_scan_cmd} detected cipher suites.")
 
-        # Ensure all other versions of SSL/TLS were detected by SSLyze as disabled
-        for ciphers_scan_cmd in [
-            ScanCommand.TLS_1_1_CIPHER_SUITES,
-            ScanCommand.TLS_1_0_CIPHER_SUITES,
-            ScanCommand.SSL_3_0_CIPHER_SUITES,
-            ScanCommand.SSL_2_0_CIPHER_SUITES,
-        ]:
-            scan_cmd_result = server_scan_result.scan_commands_results[ciphers_scan_cmd]  # type: ignore
-            if scan_cmd_result.accepted_cipher_suites:
-                raise RuntimeError(
-                    f"SSLyze did not detect {scan_cmd_result.tls_version_used.name} to be disabled on the server."
-                )
-            else:
-                print(f"OK: Scan command {ciphers_scan_cmd} did not detect cipher suites.")
-
         # Ensure a JSON output can be generated from the results
         json_output = _SslyzeOutputAsJson(
             server_scan_results=[server_scan_result], server_connectivity_errors=[], total_scan_time=3,