From 4487fc43d036481a315574bfe719b10a57c54a64 Mon Sep 17 00:00:00 2001
From: Sergey Orlov
Date: Nov 06 2019 08:42:12 +0000
Subject: ipatests: add test to check that only TLS 1.2 is enabled in Apache

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden
Reviewed-By: Rob Crittenden
---

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index f510a8d..39c2977 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -540,3 +540,23 @@ class TestIPACommand(IntegrationTest):
 # reset
 entry['ipaConfigString'] = orig_cfg
 conn.update_entry(entry) # pylint: disable=no-member
+
+ def test_enabled_tls_protocols(self):
+ """Check that only TLS 1.2 is enabled in Apache.
+
+ This is the regression test for issue
+ https://pagure.io/freeipa/issue/7995.
+ """
+ def is_tls_version_enabled(tls_version):
+ res = self.master.run_command(
+ ['openssl', 's_client',
+ '-connect', '{}:443'.format(self.master.hostname),
+ '-{}'.format(tls_version)],
+ stdin_text='\n',
+ ok_returncode=[0, 1]
+ )
+ return res.returncode == 0
+
+ assert not is_tls_version_enabled('tls1')
+ assert not is_tls_version_enabled('tls1_1')
+ assert is_tls_version_enabled('tls1_2')
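Review bot: The two negative assertions at the end of `test_enabled_tls_protocols` treat any exit status 1 from `openssl s_client` as "protocol disabled in Apache", but a failed handshake does not say which side refused it. The probe runs on `self.master` against `self.master.hostname`, so if the OpenSSL client on that host is itself configured to refuse TLS 1.0/1.1 (for example through a system-wide crypto policy), both checks pass whatever the Apache configuration is; only the `tls1_2` assertion shows the server was reachable at all. Consider also checking the captured output of `res` for evidence that the server rejected the handshake, or at least record the limit above the helper: `# exit status 1 only shows the handshake failed, not that Apache rejected the protocol`. The docstring says "only TLS 1.2" while just three versions are probed, so `"""Check that Apache refuses TLS 1.0/1.1 and accepts TLS 1.2."""` would match what is actually asserted.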