Conversation
nginx.sites.conf
Outdated
| ssl_certificate_key /root/ca/private/insecure.ansible.http.tests-key.pem; | ||
|
|
||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| ssl_ciphers ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA; |
There was a problem hiding this comment.
I think we're going to need something a bit more nuanced than this single endpoint with these two cipher suites.
The default cipher suites for our tested clients vary, so some of them will be able to connect to this endpoint without additional configuration.
There was a problem hiding this comment.
The tests themselves handle it, because they both explicitly declare the cipher to use. Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?
There was a problem hiding this comment.
Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?
Correct. This endpoint should use a cipher suite that the client supports, but not by default. Otherwise a successful connection doesn't tell us whether or not the cipher suite selection had any effect.
Additionally, the test should try to connect with the default settings and verify the connection fails. That way we'll know if the client defaults are suitable for testing against this endpoint.
The reverse is actually needed for the "test bad cipher" case. We need an endpoint that works with the default cipher suite selection on the client (verified by the test), but that fails when a cipher is chosen that the server does not support.
There was a problem hiding this comment.
Ok, think I've got this taken care of.
There was a problem hiding this comment.
scratch that, I've expanded my testing, and need to work out details of the weak cipher a bit more.
nginx.sites.conf
Outdated
|
|
||
| server { | ||
| listen 80; | ||
| listen 445 ssl; |
There was a problem hiding this comment.
Should this second endpoint use a different port from the one above?
There was a problem hiding this comment.
It doesn't appear to be necessary, as long as both support the same TLS protocol, they don't need to share the ciphers, but to avoid issues, and confusion, it's probably best to separate.
|
@sivel Is this something you still want to work on? Do you need further review from me? |
|
wow, I have completely forgotten about this. I have no idea where it was left. I'll look over it and get back to you. |
2 participants
Adds new
insecure.ansible.http.testswith only 1 cipher configured. The inversion for the cipher we want disabled is mostly just documentation.