test dhparams ONE_DIR both cases

This commit is contained in:
youtous 2020-04-26 21:36:03 +02:00
parent 03b8f87ffc
commit 4d031f73e3
No known key found for this signature in database
GPG key ID: 592173AE8CD254A5
5 changed files with 130 additions and 27 deletions

View file

@ -155,4 +155,4 @@ clean:
sudo rm -rf test/config ;\ sudo rm -rf test/config ;\
mv testconfig.bak test/config ;\ mv testconfig.bak test/config ;\
fi fi
-sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf -sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf test/config/dhparams.pem

View file

@ -0,0 +1,67 @@
load 'test_helper/common'
function setup() {
run_setup_file_if_necessary
}
function teardown() {
run_teardown_file_if_necessary
}
function setup_file() {
docker run -d --name mail_default_dhparams_one_dir \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-e DMS_DEBUG=0 \
-e ONE_DIR=1 \
-h mail.my-domain.com -t ${NAME}
docker run -d --name mail_default_dhparams_not_one_dir \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-e DMS_DEBUG=0 \
-e ONE_DIR=0 \
-h mail.my-domain.com -t ${NAME}
wait_for_finished_setup_in_container mail_default_dhparams_one_dir
wait_for_finished_setup_in_container mail_default_dhparams_not_one_dir
}
function teardown_file() {
docker rm -f mail_default_dhparams_one_dir
docker rm -f mail_default_dhparams_not_one_dir
}
@test "first" {
skip 'this test must come first to reliably identify when to run setup_file'
}
@test "checking ssl: checking dhe params are sufficient" {
# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
# check ffdhe params are inchanged
repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
assert_equal "$repo_checksum" "$mozilla_checksum"
run echo "$repo_checksum"
refute_output '' # checksum must not be empty
# by default, ffdhe4096 should be used
# ONE_DIR=1
docker_dovecot_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum_one_dir" "$repo_checksum"
assert_equal "$docker_postfix_checksum_one_dir" "$repo_checksum"
# ONE_DIR=0
docker_dovecot_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum_not_one_dir" "$repo_checksum"
assert_equal "$docker_postfix_checksum_not_one_dir" "$repo_checksum"
}
@test "last" {
skip 'this test is only there to reliably mark the end for the teardown_file'
}

View file

@ -0,0 +1,53 @@
load 'test_helper/common'
function setup() {
run_setup_file_if_necessary
}
function teardown() {
run_teardown_file_if_necessary
}
function setup_file() {
# copy the custom DHE params in local config
cp `pwd`/test/test-files/ssl/ffdhe2048.pem `pwd`/test/config/dhparams.pem
docker run -d --name mail_manual_dhparams_not_one_dir \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-e DMS_DEBUG=0 \
-e ONE_DIR=0 \
-h mail.my-domain.com -t ${NAME}
wait_for_finished_setup_in_container mail_manual_dhparams_not_one_dir
}
function teardown_file() {
# remove custom dhe file
rm `pwd`/test/config/dhparams.pem
docker rm -f mail_manual_dhparams_not_one_dir
}
@test "first" {
skip 'this test must come first to reliably identify when to run setup_file'
}
@test "checking dhparams: ONE_DIR=0 check manual dhparams is used" {
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
run echo "$test_checksum"
refute_output '' # checksum must not be empty
docker_dovecot_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum" "$test_checksum"
assert_equal "$docker_postfix_checksum" "$test_checksum"
}
@test "checking dhparams: ONE_DIR=0 check warning output when using manual dhparams" {
run sh -c "docker logs mail_manual_dhparams_not_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
assert_success
}
@test "last" {
skip 'this test is only there to reliably mark the end for the teardown_file'
}

View file

@ -9,38 +9,38 @@ function teardown() {
} }
function setup_file() { function setup_file() {
docker run -d --name mail_manual_dhparams \ docker run -d --name mail_manual_dhparams_one_dir \
-v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \ -v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
-e DMS_DEBUG=0 \ -e DMS_DEBUG=0 \
-e ONE_DIR=1 \ -e ONE_DIR=1 \
-h mail.my-domain.com -t ${NAME} -h mail.my-domain.com -t ${NAME}
wait_for_finished_setup_in_container mail_manual_dhparams
wait_for_finished_setup_in_container mail_manual_dhparams_one_dir
} }
function teardown_file() { function teardown_file() {
skip docker rm -f mail_manual_dhparams_one_dir
docker rm -f mail_manual_dhparams
} }
@test "first" { @test "first" {
skip 'this test must come first to reliably identify when to run setup_file' skip 'this test must come first to reliably identify when to run setup_file'
} }
@test "checking dhparams: check manual dhparams is used" { @test "checking dhparams: ONE_DIR=1 check manual dhparams is used" {
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}') test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
run echo "$test_checksum" run echo "$test_checksum"
refute_output '' # checksum must not be empty refute_output '' # checksum must not be empty
docker_dovecot_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}') docker_dovecot_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}') docker_postfix_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum" "$test_checksum" assert_equal "$docker_dovecot_checksum" "$test_checksum"
assert_equal "$docker_postfix_checksum" "$test_checksum" assert_equal "$docker_postfix_checksum" "$test_checksum"
} }
@test "checking dhparams: check warning output when using manual dhparams" { @test "checking dhparams: ONE_DIR=1 check warning output when using manual dhparams" {
run sh -c "docker logs mail_manual_dhparams | grep 'Using self-generated dhparams is considered as insecure'" run sh -c "docker logs mail_manual_dhparams_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
assert_success assert_success
} }

View file

@ -667,23 +667,6 @@ EOF
assert_success assert_success
} }
@test "checking ssl: checking dhe params are sufficient" {
# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
# check ffdhe params are inchanged
repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
assert_equal "$repo_checksum" "$mozilla_checksum"
run echo "$repo_checksum"
refute_output '' # checksum must not be empty
# by default, ffdhe4096 should be used
docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum" "$repo_checksum"
assert_equal "$docker_postfix_checksum" "$repo_checksum"
}
# #
# postsrsd # postsrsd
# #