This is a reproducer for issue #8827, that checks that a client which tries to connect to Scylla with an unsupported version of SSL or TLS gets the expected error alert - not some sort of unexpected EOF. Issue #8827 is still open, so this test is still xfailing. However, I verified that with a fix for this issue, the test passes. The test also prints which protocol versions worked - so it also helps checking issue #8837 (about the ancient SSL protocol being allowed). Refs #8837 Refs #8827 Signed-off-by: Nadav Har'El <nyh@scylladb.com> Message-Id: <20210610151714.1746330-1-nyh@scylladb.com>
# -*- coding: utf-8 -*-
# Copyright 2021-present ScyllaDB
#
# This file is part of Scylla.
#
# Scylla is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Scylla is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Scylla. If not, see <http://www.gnu.org/licenses/>.

#############################################################################
# Tests for CQL over SSL (TLS). These tests are skipped when the tests are
# *not* using SSL, so run the tests with "--ssl" to enable them.
#############################################################################

import pytest
|
|
|
|
import ssl
|
|
import cassandra.cluster
|
|
|
|
# Test that TLS 1.2 is supported (because this is what "cqlsh --ssl" uses
# by default), and that other TLS versions are either supported - or, if
# disallowed, must result in the expected error message and not in some
# mysterious disconnection. Reproduces #8827, #8837.
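@pytest.mark.xfail(reason="issue #8827")
def test_tls_versions(cql):
    """Check how the server handles connections with different TLS versions.

    TLS 1.2 must be accepted, because it is what "cqlsh --ssl" uses by
    default. Every other version may be either accepted or rejected, but a
    rejection must surface as a clean 'protocol version' error rather than
    an unexplained disconnection. Reproduces #8827, #8837.

    The outcome of each version tried is printed, so the test output also
    shows which legacy protocol versions the server still accepts.
    """
    # conftest.py sets up 'cql'; its cluster object tells us whether SSL is
    # in use and carries the contact points, port and credentials to reuse.
    if not cql.cluster.ssl_context:
        pytest.skip("SSL-specific tests are skipped without the '--ssl' option")

    # TLS 1.2 is the version "cqlsh --ssl" uses by default, so a failure
    # here is a hard failure. If that default ever changes, this test
    # needs revisiting.
    try_connect(cql.cluster, ssl.PROTOCOL_TLSv1_2)
    print(f"{ssl.PROTOCOL_TLSv1_2} supported")

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so a server may reject
    # them; the test only requires that a rejection is reported cleanly.
    # Note that ssl.PROTOCOL_SSLv23 is an alias of ssl.PROTOCOL_TLS: it
    # negotiates the highest version both sides support rather than forcing
    # SSL 2/3, so that entry is expected to succeed and does not by itself
    # show whether the legacy SSL protocols are disabled (#8837).
    for ssl_version in [ssl.PROTOCOL_TLSv1_1,
                        ssl.PROTOCOL_TLSv1,
                        ssl.PROTOCOL_SSLv23]:
        try:
            try_connect(cql.cluster, ssl_version)
        except cassandra.cluster.NoHostAvailable as e:
            # TODO: For SSLv23, maybe the error string is different because
            # 'protocol version' was introduced in TLSv1?
            # Keep the driver's error text in the assertion message: when
            # the server drops the connection instead of sending an alert
            # (#8827), that text is the evidence of what went wrong.
            assert 'protocol version' in str(e), \
                f"{ssl_version}: unexpected error {e!r}"
            print(f"{ssl_version} not supported")
        else:
            print(f"{ssl_version} supported")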
|
|
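def try_connect(orig_cluster, ssl_version):
    """Open and immediately close a CQL connection using *ssl_version*.

    A fresh Cluster is built with the contact points, port, native protocol
    version and auth provider of *orig_cluster* (the one conftest.py
    connected), differing only in its TLS configuration.

    Args:
        orig_cluster: the connected cassandra.cluster.Cluster whose
            connection parameters are reused.
        ssl_version: an ssl.PROTOCOL_* constant passed to ssl.SSLContext.

    Raises:
        cassandra.cluster.NoHostAvailable: if the driver cannot connect,
            e.g. because the server rejects the requested TLS version.
    """
    # An SSLContext built this way performs no certificate or hostname
    # verification by default; that is acceptable here because only the
    # protocol version negotiation is under test.
    ssl_context = ssl.SSLContext(ssl_version)
    cluster = cassandra.cluster.Cluster(
        contact_points=orig_cluster.contact_points,
        port=orig_cluster.port,
        protocol_version=orig_cluster.protocol_version,
        auth_provider=orig_cluster.auth_provider,
        ssl_context=ssl_context)
    try:
        cluster.connect()
    finally:
        # Release the driver's threads and sockets even when connect()
        # raises, which is the expected path for a rejected TLS version.
        cluster.shutdown()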