author | Christian Breunig <christian@breunig.cc> | 2024-04-30 08:29:28 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-30 08:29:28 +0200 |
commit | a107a93ca1cf3b8b9b9223319d91e1741414fd40 (patch) | |
tree | 091f3049b59eda617ad1879f158bb8bd4f4ec60d /smoketest | |
parent | 08115436b454fff8bed09129963a04d1b1411227 (diff) | |
parent | 9ff74d4370f0a5f66c303074796dab8b1ca5c4a5 (diff) | |
Merge pull request #3371 from Embezzle/T4982
openconnect: T4982: Support defining minimum TLS version in openconnect VPN
Diffstat (limited to 'smoketest')
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_openconnect.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 96e858fdb..a2e426dc7 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -210,6 +210,9 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
 # Verify configuration
 daemon_config = read_file(config_file)
+ # Verify TLS string (with default setting)
+ self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config)
+
 # authentication mode local password-otp
 self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config)
 self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config)
@@ -253,5 +256,13 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
 self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
 self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
+ # Set TLS version to the highest security (v1.3 min)
+ self.cli_set(base_path + ['tls-version-min', '1.3'])
+ self.cli_commit()
+
+ # Verify TLS string
+ daemon_config = read_file(config_file)
+ self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config)
+
 if __name__ == '__main__':
 unittest.main(verbosity=2) |
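Review bot: The default-setting assertion added in the first hunk pins the whole priority string as one long literal, and the second hunk repeats it with only `:-VERS-TLS1.2` appended, so it is hard to see which protocol versions each check guards. Consider naming the shared prefix once, `tls_base = 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1'`, and asserting `f'tls-priorities = "{tls_base}"'` here and `f'tls-priorities = "{tls_base}:-VERS-TLS1.2"'` in the later check. The comment could also say what the default means, e.g. `# Default: SSL 3.0, TLS 1.0 and TLS 1.1 disabled (TLS 1.2 minimum)`. The test method starts and ends outside this hunk.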
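Review bot: The block added at the end of the test in the second hunk exercises only `tls-version-min 1.3`; any other value the option accepts, and the rejection of an invalid value, are not covered by what is visible here. Because this setting decides which protocol versions the VPN gateway will negotiate, a template regression that renders a weaker string for another value would presumably go unnoticed. If the CLI accepts further versions, loop over them with `with self.subTest(version=version):` and assert the expected `-VERS-*` suffix for each. The hunk also leaves `tls-version-min` set when the method ends; whether tearDown removes it is outside the hunk.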