summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_vpn_openconnect.py
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-04-30 21:02:33 +0200
committerGitHub <noreply@github.com>2024-04-30 21:02:33 +0200
commit982221bb2649a7cef622d179f029f26bc3e1f3ed (patch)
tree12c974d444d15b6277b2ebb501baec52dc725dc0 /smoketest/scripts/cli/test_vpn_openconnect.py
parent021cc22ebf3cb9f81edb4ae6772385d5dc1c2c23 (diff)
parentef665adb7e44ef03e7f3e6f2cd1db88315ffcbe1 (diff)
downloadvyos-1x-982221bb2649a7cef622d179f029f26bc3e1f3ed.tar.gz
vyos-1x-982221bb2649a7cef622d179f029f26bc3e1f3ed.zip
Merge pull request #3377 from vyos/mergify/bp/sagitta/pr-3371
openconnect: T4982: Support defining minimum TLS version in openconnect VPN (backport #3371)
Diffstat (limited to 'smoketest/scripts/cli/test_vpn_openconnect.py')
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_openconnect.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 96e858fdb..a2e426dc7 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -210,6 +210,9 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
# Verify configuration
daemon_config = read_file(config_file)
+ # Verify TLS string (with default setting)
+ self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config)
+
# authentication mode local password-otp
self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config)
self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config)
@@ -253,5 +256,13 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
+ # Set TLS version to the highest security (v1.3 min)
+ self.cli_set(base_path + ['tls-version-min', '1.3'])
+ self.cli_commit()
+
+ # Verify TLS string
+ daemon_config = read_file(config_file)
+ self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config)
+
if __name__ == '__main__':
unittest.main(verbosity=2)