Closed: nitisht closed this issue 6 years ago
@nitisht Since TLS config is not really a functional requirement - it's a compliance requirement - should we add this to minio-go functional tests or should we start non-functional tests?
Since we support ENABLE_HTTPS we could turn this test off during non tls run and enable this conditionally.
@harshavardhana Sure, my question was just about organization - should we separate functional from non-functional tests? Like functional_tests.go and non-functional_tests.go (or arbitrary other name), or should we mix both? We can later reorganize of course, but if we already know that we have several non-functional requirements which should be tested then we should separate...
@aead can we create a separate test directory called testssl and use https://github.com/drwetter/testssl.sh directly in Mint? I think that is better compared to writing our own program
@nitisht In general correct. The issue here has two separate parts:
testssl.sh
testssl.sh
because I don't see a way to use testssl.sh to do such implementation specific testing. EDIT: As far as I can see there is no way to use testssl.sh to just allow a specific subset of ciphers...
As far as I can see there is no way to use testssl.sh to just allow a specific subset of ciphers.
In that case, IMO we can have a separate directory with just these tests. As you indicated, it is not a good idea to have these tests added to minio-go functional tests.
The issue https://github.com/minio/minio/issues/5244 reported that Minio offers some of the known vulnerable ciphers like ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.
The issue was fixed by https://github.com/minio/minio/pull/5245, but we should add tests to Mint to validate the ciphers and make sure none of the vulnerable ciphers are exposed again.
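A sketch of the kind of cipher regression test discussed in this thread, added here as an example and not taken from Mint or MinIO: the client offers each 3DES suite named in the issue on its own and reports any the server negotiates. The local `httptest` servers, `startServer` and `acceptedSuites` are hypothetical stand-ins for a real deployment and test harness.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// OpenSSL names from the issue, mapped to Go's IANA constants.
var weakSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // ECDHE-RSA-DES-CBC3-SHA
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // DES-CBC3-SHA
}

// acceptedSuites offers each suite alone and returns the ones the server negotiates.
func acceptedSuites(addr string, suites []uint16) []string {
	var accepted []string
	for _, id := range suites {
		conn, err := tls.Dial("tcp", addr, &tls.Config{
			CipherSuites:       []uint16{id},
			MaxVersion:         tls.VersionTLS12, // TLS 1.3 suites are not configurable in Go
			InsecureSkipVerify: true,             // throwaway test certificate only
		})
		if err != nil {
			continue // handshake refused: the suite is not exposed
		}
		accepted = append(accepted, tls.CipherSuiteName(conn.ConnectionState().CipherSuite))
		conn.Close()
	}
	return accepted
}

// startServer (hypothetical helper) starts a local TLS server limited to the given suites.
func startServer(suites []uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{CipherSuites: suites}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // silence expected handshake errors
	srv.StartTLS()
	return srv
}

func main() {
	// Constructed "before the fix" server that still enables the 3DES suites.
	weak := startServer(append([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, weakSuites...))
	defer weak.Close()
	fmt.Println("weak server accepts:", acceptedSuites(weak.Listener.Addr().String(), weakSuites))
}
```

Against a real server, pass its host:port to `acceptedSuites` and fail the test when the returned list is non-empty.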