|
|
|
@ -85,30 +85,48 @@
|
|
|
|
|
- "result.changed == true"
|
|
|
|
|
- "stat_result.stat.exists == true"
|
|
|
|
|
|
|
|
|
|
# SNI Tests
|
|
|
|
|
# SNI is only built into the stdlib from python-2.7.9 onwards
|
|
|
|
|
# At the moment, AWS can't make an https request to velox.ch... connection
|
|
|
|
|
# timed out. So we'll use a different test until/unless the problem is resolved
|
|
|
|
|
## SNI Tests
|
|
|
|
|
## SNI is only built into the stdlib from python-2.7.9 onwards
|
|
|
|
|
#- name: Test that SNI works
|
|
|
|
|
# get_url:
|
|
|
|
|
# # A test site that returns a page with information on what SNI information
|
|
|
|
|
# # the client sent. A failure would have the string: did not send a TLS server name indication extension
|
|
|
|
|
# url: 'https://foo.sni.velox.ch/'
|
|
|
|
|
# dest: "{{ output_dir }}/sni.html"
|
|
|
|
|
# register: get_url_result
|
|
|
|
|
# ignore_errors: True
|
|
|
|
|
#
|
|
|
|
|
#- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html"
|
|
|
|
|
# register: data_result
|
|
|
|
|
# when: "{{ python_has_ssl_context }}"
|
|
|
|
|
#
|
|
|
|
|
#- debug: var=get_url_result
|
|
|
|
|
#- name: Assert that SNI works with this python version
|
|
|
|
|
# assert:
|
|
|
|
|
# that:
|
|
|
|
|
# - 'data_result.rc == 0'
|
|
|
|
|
# - '"failed" not in get_url_result'
|
|
|
|
|
# when: "{{ python_has_ssl_context }}"
|
|
|
|
|
#
|
|
|
|
|
## If the client doesn't support SNI then get_url should have failed with a certificate mismatch
|
|
|
|
|
#- name: Assert that hostname verification failed because SNI is not supported on this version of python
|
|
|
|
|
# assert:
|
|
|
|
|
# that:
|
|
|
|
|
# - 'get_url_result["failed"]'
|
|
|
|
|
# when: "{{ not python_has_ssl_context }}"
|
|
|
|
|
|
|
|
|
|
# These tests are just side effects of how the site is hosted. It's not
|
|
|
|
|
# specifically a test site. So the tests may break due to the hosting changing
|
|
|
|
|
- name: Test that SNI works
|
|
|
|
|
get_url:
|
|
|
|
|
# A test site that returns a page with information on what SNI information
|
|
|
|
|
# the client sent. A failure would have the string: did not send a TLS server name indication extension
|
|
|
|
|
url: 'https://foo.sni.velox.ch/'
|
|
|
|
|
url: 'https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing'
|
|
|
|
|
dest: "{{ output_dir }}/sni.html"
|
|
|
|
|
register: get_url_result
|
|
|
|
|
ignore_errors: True
|
|
|
|
|
|
|
|
|
|
- name: TROUBLESHOOTING
|
|
|
|
|
shell: curl https://foo.sni.velox.ch/ > /var/tmp/velox.html
|
|
|
|
|
register: trouble
|
|
|
|
|
ignore_errors: True
|
|
|
|
|
when: "{{ python_has_ssl_context }}"
|
|
|
|
|
|
|
|
|
|
- debug: var=trouble
|
|
|
|
|
when: "{{ python_has_ssl_context }}"
|
|
|
|
|
|
|
|
|
|
- debug: var=get_url_result
|
|
|
|
|
when: "{{ python_has_ssl_context }}"
|
|
|
|
|
|
|
|
|
|
- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html"
|
|
|
|
|
- command: "grep '<h2>If You Can Read This, You're SNIing</h2>' {{ output_dir}}/sni.html"
|
|
|
|
|
register: data_result
|
|
|
|
|
when: "{{ python_has_ssl_context }}"
|
|
|
|
|
|
|
|
|
@ -126,3 +144,4 @@
|
|
|
|
|
that:
|
|
|
|
|
- 'get_url_result["failed"]'
|
|
|
|
|
when: "{{ not python_has_ssl_context }}"
|
|
|
|
|
# End hacky SNI test section
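Review bot: The replacement grep task in the first hunk (the line searching for `<h2>If You Can Read This, You're SNIing</h2>`) puts the apostrophe of "You're" inside a single-quoted argument, so the `command` module's shell-style argument splitting will most likely see an unbalanced quote and the pattern will not reach grep as written. This assumes that line is on the added side, since the +/- markers are lost in this rendering; if so, `data_result.rc == 0` cannot pass for the right reason and the positive SNI check is not exercised. Matching a fragment without the apostrophe avoids the quoting problem: `- command: "grep 'If You Can Read This' {{ output_dir }}/sni.html"`. Separately, the `TROUBLESHOOTING` task redirects curl output to the fixed path `/var/tmp/velox.html` in a shared, world-writable directory and still contacts the host the comment says times out. It should write to `{{ output_dir }}/velox.html` or be dropped before merge.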
|
|
|
|
|