From 9ff74d4370f0a5f66c303074796dab8b1ca5c4a5 Mon Sep 17 00:00:00 2001
From: Alex W <embezzle.dev@proton.me>
Date: Mon, 29 Apr 2024 20:53:51 +0100
Subject: openconnect: T4982: Support defining minimum TLS version in
 openconnect VPN

---
 smoketest/scripts/cli/test_vpn_openconnect.py | 11 +++++++++++
 1 file changed, 11 insertions(+)


diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 96e858fdb..a2e426dc7 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -210,6 +210,9 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
         # Verify configuration
         daemon_config = read_file(config_file)
 
+        # Verify TLS string (with default setting)
+        self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config)
+
         # authentication mode local password-otp
         self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config)
         self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config)
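Review bot: The expected `tls-priorities` literal added at the assertIn is repeated almost verbatim in the second hunk, differing only by a trailing `-VERS-TLS1.2` segment, so a future change to the base priority string has to be made in two places and the difference between the default and the 1.3 case is hard to spot. Binding the shared prefix once, e.g. `tls_base = 'tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1'` and asserting `self.assertIn(tls_base + '"', daemon_config)` here, would keep both checks in step. A comment naming what the default pins would also help a reader, e.g. `# default: SSL3, TLS1.0, TLS1.1, RC4 and static RSA are disabled; TLS1.2 stays negotiable`. The enclosing test method starts and ends outside this hunk.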
@@ -253,5 +256,13 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
         self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
         self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
 
+        # Set TLS version to the highest security (v1.3 min)
+        self.cli_set(base_path + ['tls-version-min', '1.3'])
+        self.cli_commit()
+
+        # Verify TLS string
+        daemon_config = read_file(config_file)
+        self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config)
+
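Review bot: Only the default and the `1.3` value are exercised, so the mapping from `tls-version-min` to the emitted priority string is pinned at one end only; setting `1.2` explicitly should produce the same string as the default, and that case is not checked. Adding a round before the 1.3 block, `self.cli_set(base_path + ['tls-version-min', '1.2'])`, `self.cli_commit()`, then asserting the default string against `read_file(config_file)`, would catch a regression where an explicit value stops matching the default. If the CLI accepts lower minimum versions as well, a loop over the accepted values would cover them without further duplication, but the accepted set is not visible in this patch. Whether the `tls-version-min` node is removed again before the test ends presumably depends on the class tearDown, which lies outside the hunk.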
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-- 