Merge pull request #4229 from wazuh/4188-fix-openssl-errors

Skip cases that uses the deprecated protocol `TLS 1.1`

CHANGELOG.md

@@ -29,6 +29,7 @@ Release report: TBD
 
 ### Changed
 
+- Skip `test_authd_ssl_options` cases that use TLS 1.1 causing errors on several OpenSSL versions. ([#4229](https:/wazuh/wazuh-qa/pull/4229)) \- (Tests)
 - Update database version ([#4467](https:/wazuh/wazuh-qa/pull/4467)) \- (Tests)
 - Remove versionStartIncluding from NVD custom feed ([#4441](https:/wazuh/wazuh-qa/pull/4441)) \- (Tests)
 - Updated syscollector wmodules prefix ([#4384](https:/wazuh/wazuh-qa/pull/4384)) \- (Framework)

tests/integration/test_authd/data/enroll_ssl_options_tests.yaml

@@ -1,96 +1,86 @@
----
- -
- name: "SSL - Default"
- description: "Default ssl configuration"
- test_case:
- -
- expect: "output"
- input: "OSSEC A:'user1'"
- output: "OSSEC K:'"
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_2"
- -
- name: "SSL - Wrong ciphers"
- description: "Send a message with low encryption cypher suites"
- test_case:
- -
- expect: "open_error"
- input: "OSSEC A:'user1'"
- error: "handshake failure"
- ciphers: "CAMELLIA"
- protocol: "ssl_tlsv1_2"
- -
- name: "SSL - Incompatible ciphers from Agent"
- description: "Send a message with low encryption cypher suites"
- test_case:
- -
- ciphers: "CAMELLIA"
- protocol: "ssl_tlsv1_2"
- expect: "open_error"
- error: "handshake failure"
- -
- name: "SSL - Incompatible ciphers from Manger"
- description: "Send a message with low encryption cypher suites"
- test_case:
- -
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_2"
- expect: "open_error"
- error: "handshake failure"
- # Override ossec.conf
- CIPHERS: "CAMELLIA"
- -
- name: "SSL - Compatible ciphers from Agent"
- description: "Send a message with a compatible yet not default cypher"
- test_case:
- -
- expect: "output"
- input: "OSSEC A:'user1'"
- output: "OSSEC K:'"
- ciphers: "SHA256"
- protocol: "ssl_tlsv1_2"
- -
- name: "SSL - Compatible ciphers from Manger"
- description: "Send a message with a compatible yet not default cypher"
- test_case:
- -
- expect: "output"
- input: "OSSEC A:'user1'"
- output: "OSSEC K:'"
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_2"
- # Override ossec.conf
- CIPHERS: "SHA256"
- -
- name: "SSL - Wrong TLS version (TLSV1_1)"
- description: "Send a message with a different TLS version with Auto negotiate disabled"
- test_case:
- -
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_1"
- expect: "open_error"
- error: "alert protocol version"
- # Override ossec.conf
- SSL_AUTO_NEGOTIATE: 'no'
- -
- name: "SSL - Auto Negotiate TLS version (TLSV1_1)"
- description: "Send a message with a different TLS version with Auto negotiate enabled"
- test_case:
- -
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_1"
- expect: "output"
- input: "OSSEC A:'user1'"
- output: "OSSEC K:'"
- # Override ossec.conf
- SSL_AUTO_NEGOTIATE: 'yes'
- -
- name: "Valid Certificates - Manager verification without host"
- description: "Enables CA Certificate and validates that conneciton is acepted when valid certs are provided"
- test_case:
- -
- ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH"
- protocol: "ssl_tlsv1_2"
- expect: "output"
- input: "OSSEC A:'user1'"
- output: "OSSEC K:'"
+-
+ name: SSL - Default
+ description: Default ssl configuration
+ test_case:
+ expect: output
+ input: OSSEC A:'user1'
+ output: OSSEC K:'
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_2
+-
+ name: SSL - Wrong ciphers
+ description: Send a message with low encryption cypher suites
+ test_case:
+ expect: open_error
+ input: OSSEC A:'user1'
+ error: handshake failure
+ ciphers: CAMELLIA
+ protocol: ssl_tlsv1_2
+-
+ name: SSL - Incompatible ciphers from Agent
+ description: Send a message with low encryption cypher suites
+ test_case:
+ ciphers: CAMELLIA
+ protocol: ssl_tlsv1_2
+ expect: open_error
+ error: handshake failure
+-
+ name: SSL - Incompatible ciphers from Manager
+ description: Send a message with low encryption cypher suites
+ test_case:
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_2
+ expect: open_error
+ error: handshake failure
+ # Override ossec.conf
+ CIPHERS: CAMELLIA
+-
+ name: SSL - Compatible ciphers from Agent
+ description: Send a message with a compatible yet not default cypher
+ test_case:
+ expect: output
+ input: OSSEC A:'user1'
+ output: OSSEC K:'
+ ciphers: SHA256
+ protocol: ssl_tlsv1_2
+-
+ name: SSL - Wrong TLS version (TLSV1_1)
+ description: Send a message with a different TLS version with Auto negotiate disabled
+ test_case:
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_1
+ expect: open_error
+ error: alert protocol version
+ # Override ossec.conf
+ SSL_AUTO_NEGOTIATE: 'no'
+-
+ name: SSL - Auto Negotiate TLS version (TLSV1_1)
+ description: Send a message with a different TLS version with Auto negotiate enabled
+ test_case:
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_1
+ expect: output
+ input: OSSEC A:'user1'
+ output: OSSEC K:'
+ # Override ossec.conf
+ SSL_AUTO_NEGOTIATE: 'yes'
+-
+ name: SSL - Compatible ciphers from Manager
+ description: Send a message with a compatible yet not default cypher
+ test_case:
+ expect: output
+ input: OSSEC A:'user1'
+ output: OSSEC K:'
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_2
+ # Override ossec.conf
+ CIPHERS: SHA256
+-
+ name: Valid Certificates - Manager verification without host
+ description: Enables CA Certificate and validates that conneciton is acepted when valid certs are provided
+ test_case:
+ ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ protocol: ssl_tlsv1_2
+ expect: output
+ input: OSSEC A:'user1'
+ output: OSSEC K:'

tests/integration/test_authd/test_authd_ssl_options.py

@@ -141,7 +141,6 @@ def callback_agentd_startup(line):
 
  log_monitor = FileMonitor(LOG_FILE_PATH)
  log_monitor.start(timeout=30, callback=callback_agentd_startup)
- time.sleep(1)
 
 
 def test_ossec_auth_configurations(get_configuration, configure_environment, configure_sockets_environment):
@@ -183,35 +182,42 @@ def test_ossec_auth_configurations(get_configuration, configure_environment, con
  - ssl
  '''
  current_test = get_current_test()
+ config = ssl_configuration_tests[current_test]['test_case']
+ ciphers = config['ciphers']
+ protocol = config['protocol']
+ expect = config['expect']
+
+ if protocol == 'ssl_tlsv1_1':
+ pytest.skip('TLS 1.1 is deprecated and not working on several pyOpenSSL versions.')
 
- test_case = ssl_configuration_tests[current_test]['test_case']
  override_wazuh_conf(get_configuration)
- for config in test_case:
- address, family, connection_protocol = receiver_sockets_params[0]
- SSL_socket = SocketController(address, family=family, connection_protocol=connection_protocol,
- open_at_start=False)
- ciphers = config['ciphers']
- protocol = config['protocol']
- SSL_socket.set_ssl_configuration(ciphers=ciphers, connection_protocol=protocol)
- expect = config['expect']
- try:
- SSL_socket.open()
- except ssl.SSLError as exception:
- if expect == 'open_error':
- # We expected the error here, check message
- assert config['error'] in str(exception), 'Expected message does not match!'
- continue
- else:
- # We did not expect this error, fail test
- raise
- SSL_socket.send(config['input'], size=False)
- if expect == 'output':
- # Output is expected
- expected = config['output']
- if expected:
- response = SSL_socket.receive().decode()
- assert response, 'Failed connection stage {}: {}'.format(test_case.index(config) + 1, config['stage'])
- assert response[:len(expected)] == expected, \
- 'Failed test case stage {}: {}'.format(test_case.index(config) + 1, config['stage'])
-
- return
+
+ address, family, connection_protocol = receiver_sockets_params[0]
+ SSL_socket = SocketController(address, family=family, connection_protocol=connection_protocol,
+ open_at_start=False)
+
+ SSL_socket.set_ssl_configuration(ciphers=ciphers, connection_protocol=protocol)
+
+ try:
+ SSL_socket.open()
+ except ssl.SSLError as exception:
+ if expect == 'open_error':
+ # We expected the error here, check message.
+ assert config['error'] in exception.strerror, 'Expected message does not match!'
+ return
+ else:
+ # We did not expect this error, fail test.
+ raise
+
+ SSL_socket.send(config['input'], size=False)
+
+ if expect == 'output':
+ # Output is expected
+ expected = config['output']
+ if expected:
+ response = SSL_socket.receive().decode()
+ assert response, 'Failed connection stage: {}'.format(config['stage'])
+ assert response[:len(expected)] == expected, 'Failed test case stage: {}'.format(config['stage'])
+
+ # Finally close the socket. TODO: This must be handled on a fixture.
+ SSL_socket.close()