You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
209 lines
7.4 KiB
Python
209 lines
7.4 KiB
Python
#
|
|
# All or portions of this file Copyright (c) Amazon.com, Inc. or its affiliates or
|
|
# its licensors.
|
|
#
|
|
# For complete copyright and license terms please see the LICENSE at the root of this
|
|
# distribution (the "License"). All use of this software is governed by the License,
|
|
# or, if provided, by the license below or the license accompanying this file. Do not
|
|
# remove or modify any license notices. This file is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
#
|
|
|
|
import bin_download
|
|
import contextlib
|
|
import io
|
|
import os
|
|
import shutil
|
|
import ssl
|
|
import sys
|
|
import unittest
|
|
|
|
|
|
@contextlib.contextmanager
|
|
def no_stdout():
|
|
save_stdout = sys.stdout
|
|
sys.stdout = io.BytesIO()
|
|
|
|
try:
|
|
yield
|
|
finally:
|
|
sys.stdout = save_stdout
|
|
|
|
|
|
class BadSslTestCase(unittest.TestCase):
|
|
def setUp(self):
|
|
self.working_dir_path = os.path.join(os.path.expandvars("%TEMP%"), "_temp")
|
|
self.download_file_name = "test_download.test"
|
|
self.destination = os.path.join(self.working_dir_path, self.download_file_name)
|
|
self.uncompressed_size = 1000000
|
|
|
|
if not os.path.exists(self.destination):
|
|
os.makedirs(self.destination)
|
|
|
|
def tearDown(self):
|
|
if os.path.exists(self.destination):
|
|
shutil.rmtree(self.destination)
|
|
|
|
def download_file(self, download_url):
|
|
try:
|
|
with bin_download.Downloader(20) as downloader:
|
|
with no_stdout():
|
|
downloader.download_file(download_url, self.destination, self.uncompressed_size)
|
|
|
|
except ssl.SSLError:
|
|
raise
|
|
|
|
except ssl.CertificateError:
|
|
raise
|
|
|
|
except Exception:
|
|
print "\tFATAL ERROR: Unhandled exception encountered."
|
|
raise
|
|
|
|
return True
|
|
|
|
def test_cloudfront_download(self):
|
|
self.assertTrue(self.download_file("https://s3-us-west-2.amazonaws.com/lumberyard-download-artifacts-bucket/"
|
|
"3rdParty/squish-ccr/20150601_lmbr_v1/filelist.1.0.0.common.json"))
|
|
|
|
def test_expired(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://expired.badssl.com/")
|
|
|
|
def test_wrong_host(self):
|
|
self.assertRaises(ssl.CertificateError, self.download_file, "https://wrong.host.badssl.com/")
|
|
|
|
def test_self_signed(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://self-signed.badssl.com/")
|
|
|
|
def test_untrusted_root(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://untrusted-root.badssl.com/")
|
|
|
|
def test_incomplete_chain(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://incomplete-chain.badssl.com/")
|
|
|
|
def test_sha256(self):
|
|
self.assertTrue(self.download_file("https://sha256.badssl.com/"))
|
|
|
|
def test_1000_sans(self):
|
|
self.assertTrue(self.download_file("https://1000-sans.badssl.com/"))
|
|
|
|
def test_ecc256(self):
|
|
self.assertTrue(self.download_file("https://ecc256.badssl.com/"))
|
|
|
|
def test_ecc384(self):
|
|
self.assertTrue(self.download_file("https://ecc384.badssl.com/"))
|
|
|
|
def test_cbc(self):
|
|
# cbc is supposed to be secure in TLS1_1 and TLS1_2
|
|
self.assertTrue(self.download_file("https://cbc.badssl.com/"))
|
|
|
|
def test_rc4_md5(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://rc4-md5.badssl.com/")
|
|
|
|
def test_rc4(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://rc4.badssl.com/")
|
|
|
|
def test_3des(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://3des.badssl.com/")
|
|
|
|
def test_null(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://null.badssl.com/")
|
|
|
|
def test_mozilla_intermediate(self):
|
|
self.assertTrue(self.download_file("https://mozilla-intermediate.badssl.com/"))
|
|
|
|
def test_mozilla_modern(self):
|
|
self.assertTrue(self.download_file("https://mozilla-modern.badssl.com/"))
|
|
|
|
def test_dh480(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://dh480.badssl.com/")
|
|
|
|
def test_dh512(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://dh512.badssl.com/")
|
|
|
|
def test_dh_small(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://dh-small.badssl.com/")
|
|
|
|
def test_dh_composite(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://dh-composite.badssl.com/")
|
|
|
|
def test_static_rsa(self):
|
|
# Static RSA is still supported in TLS1_2 but is probably going to be removed in TLS1_3
|
|
self.assertTrue(self.download_file("https://static-rsa.badssl.com/"))
|
|
|
|
def test_hsts(self):
|
|
self.assertTrue(self.download_file("https://hsts.badssl.com/"))
|
|
|
|
def test_upgrade(self):
|
|
self.assertTrue(self.download_file("https://upgrade.badssl.com/"))
|
|
|
|
def test_preloaded_hsts(self):
|
|
self.assertTrue(self.download_file("https://preloaded-hsts.badssl.com/"))
|
|
|
|
def test_subdomain_preloaded_hsts(self):
|
|
self.assertRaises(ssl.CertificateError, self.download_file, "https://subdomain.preloaded-hsts.badssl.com/")
|
|
|
|
def test_https_everywhere(self):
|
|
self.assertTrue(self.download_file("https://https-everywhere.badssl.com/"))
|
|
|
|
def test_http(self):
|
|
self.assertTrue(self.download_file("https://http.badssl.com/"))
|
|
|
|
def test_spoofed_favicon(self):
|
|
self.assertTrue(self.download_file("https://spoofed-favicon.badssl.com/"))
|
|
|
|
def test_long_dashes(self):
|
|
self.assertTrue(self.download_file(
|
|
"https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/"))
|
|
|
|
def test_long_without_dashes(self):
|
|
self.assertTrue(self.download_file(
|
|
"https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com/"))
|
|
|
|
def test_superfish(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://superfish.badssl.com/")
|
|
|
|
def test_edellroot(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://edellroot.badssl.com/")
|
|
|
|
def test_dsdtestprovider(self):
|
|
self.assertRaises(ssl.SSLError, self.download_file, "https://dsdtestprovider.badssl.com/")
|
|
|
|
# I can't successfully load get CRL to work
|
|
# This is a new test in badssl.com is failing
|
|
# as well since I don't think Qt has support for it.
|
|
# "https://revoked.badssl.com/"
|
|
|
|
# Excessive message size error
|
|
# "https://10000-sans.badssl.com/"
|
|
|
|
# This check is platform specific.
|
|
# 8192-bit RSA keys were not supported in OSX between 2006 and 2015.
|
|
# "https://rsa8192.badssl.com/"
|
|
|
|
# We don't download web pages
|
|
# "https://mixed-script.badssl.com/"
|
|
# "https://very.badssl.com/"
|
|
# mixed HTTP content in site
|
|
# "https://mixed.badssl.com/"
|
|
# implicit favicon redirects to HTTP
|
|
# "https://mixed-favicon.badssl.com/"
|
|
# "http://http-password.badssl.com/"
|
|
# "http://http-login.badssl.com/"
|
|
# "http://http-dynamic-login.badssl.com/"
|
|
# "http://http-credit-card.badssl.com/"
|
|
|
|
# We're not yet sure how to reject mozilla old SSL certs.
|
|
# "https://mozilla-old.badssl.com/"
|
|
|
|
# For some reason SSLv3 is used in these cases and we are blocking the use of SSLv3
|
|
# "https://dh1024.badssl.com/"
|
|
# "https://dh2048.badssl.com/"
|
|
|
|
# This test is failing in Setup Assistant as well
|
|
# "https://pinning-test.badssl.com/"
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|