Add client_protocols test to long-test job, and different golden fi…

…le on Azure Linux (#6852)

.github/workflows/long-test.yml

@@ -217,7 +217,7 @@ jobs:
           git config --global --add safe.directory /__w/CCF/CCF
           mkdir build
           cd build
-          cmake -GNinja -DCOMPILE_TARGET=virtual -DCMAKE_BUILD_TYPE=Release ..
+          cmake -GNinja -DCOMPILE_TARGET=virtual -DCMAKE_BUILD_TYPE=Release -DCLIENT_PROTOCOLS_TEST=ON ..
           ninja
 
       - name: "Test"

tests/client_protocols.py

@@ -14,10 +14,20 @@
 H2SPEC_BIN = "/opt/h2spec/h2spec"
 
 
+def is_azure_linux():
+    os_release = subprocess.check_output(
+        "cat /etc/os-release", universal_newlines=True, shell=True
+    ).lower()
+    return "ubuntu" not in os_release
+
+
 def compare_golden():
     script_path = os.path.realpath(__file__)
     script_dir = os.path.dirname(script_path)
-    golden_file = os.path.join(script_dir, "tls_report.csv")
+    golden_file = os.path.join(
+        script_dir,
+        "tls_report_azure_linux.csv" if is_azure_linux() else "tls_report.csv",
+    )
     print(f"Comparing output to golden file: {golden_file}")
 
     # Read both files into arrays

tests/tls_report_azure_linux.csv

@@ -0,0 +1,150 @@
+"ALPN","","INFO","http/1.1","",""
+"BEAST","","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20"
+"BREACH","","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression  - only supplied '/' tested","CVE-2013-3587","CWE-310"
+"CCS","","OK","not vulnerable","CVE-2014-0224","CWE-310"
+"CRIME_TLS","","OK","not vulnerable","CVE-2012-4929","CWE-310"
+"DNS_CAArecord","","LOW","--","",""
+"DROWN","","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"DROWN_hint","","INFO","no RSA certificate, can't be used with SSLv2 elsewhere","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"FREAK","","OK","not vulnerable","CVE-2015-0204","CWE-310"
+"FS","","OK","offered","",""
+"FS_ECDHE_curves","","OK","prime256v1 secp384r1 secp521r1","",""
+"FS_TLS12_sig_algs","","INFO","ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA-BRAINPOOL+SHA256 ECDSA-BRAINPOOL+SHA384 ECDSA-BRAINPOOL+SHA512 ECDSA+SHA224","",""
+"FS_TLS13_sig_algs","","INFO","ECDSA+SHA384","",""
+"FS_ciphers","","INFO","TLS_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"HPKP","","INFO","No support for HTTP Public Key Pinning","",""
+"HSTS","","LOW","not offered","",""
+"HTTP_clock_skew","","INFO","Got no HTTP time, maybe try different URL?","",""
+"HTTP_status_code","","INFO","404 NOT_FOUND ('/')","",""
+"LOGJAM","","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
+"LOGJAM-common_primes","","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310"
+"LUCKY13","","OK","not vulnerable","CVE-2013-0169","CWE-310"
+"NPN","","INFO","not offered","",""
+"OCSP_stapling","","INFO","not offered","",""
+"POODLE_SSL","","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310"
+"RC4","","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310"
+"ROBOT","","OK","not vulnerable, no RSA key transport cipher","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203"
+"SSL_sessionID_support","","INFO","yes","",""
+"SSLv2","","OK","not offered","",""
+"SSLv3","","OK","not offered","",""
+"SWEET32","","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
+"TLS1","","INFO","not offered","",""
+"TLS1_1","","INFO","not offered","",""
+"TLS1_2","","OK","offered","",""
+"TLS1_3","","OK","offered with final","",""
+"TLS_extensions","","INFO","'renegotiation info/#65281' 'EC point formats/#11' 'session ticket/#35' 'supported versions/#43' 'key share/#51' 'supported_groups/#10' 'max fragment length/#1' 'application layer protocol negotiation/#16' 'extended master secret/#23'","",""
+"TLS_session_ticket","","INFO","valid for 7200 seconds only (<daily)","",""
+"TLS_timestamp","","INFO","random","",""
+"banner_application","","INFO","No application banner found","",""
+"banner_reverseproxy","","INFO","--","","CWE-200"
+"banner_server","","INFO","No Server banner line in header, interesting!","",""
+"cert","","INFO","----------","",""
+"cert_caIssuers","","INFO","CCF Test Service","",""
+"cert_certificatePolicies_EV","","INFO","no","",""
+"cert_chain_of_trust","","CRITICAL","failed (chain incomplete).","",""
+"cert_commonName","","OK","CCF Node","",""
+"cert_commonName_wo_SNI","","INFO","CCF Node","",""
+"cert_crlDistributionPoints","","INFO","--","",""
+"cert_eTLS","","INFO","not present","",""
+"cert_expirationStatus","","HIGH","expires < 30 days (0)","",""
+"cert_extKeyUsage","","INFO","No server extended key usage information","",""
+"cert_extlifeSpan","","OK","certificate has no extended life time according to browser forum","",""
+"cert_fingerprintSHA1","","INFO","","",""
+"cert_fingerprintSHA256","","INFO","","",""
+"cert_keySize","","OK","EC 384 bits (curve P-384)","",""
+"cert_keyUsage","","INFO","No server key usage information","",""
+"cert_mustStapleExtension","","INFO","--","",""
+"cert_notAfter","","HIGH","","",""
+"cert_notBefore","","INFO","","",""
+"cert_numbers","","INFO","1","",""
+"cert_ocspURL","","INFO","--","",""
+"cert_revocation","","HIGH","Neither CRL nor OCSP URI provided","",""
+"cert_serialNumber","","INFO","","",""
+"cert_serialNumberLen","","INFO","","",""
+"cert_signatureAlgorithm","","OK","ECDSA with SHA384","",""
+"cert_subjectAltName","","INFO","","",""
+"cert_trust","","OK","Ok via SAN","",""
+"certificate_compression","","INFO","none","",""
+"certificate_transparency","","INFO","--","",""
+"certs_countServer","","INFO","1","",""
+"certs_list_ordering_problem","","INFO","no","",""
+"cipher-tls1_2_xc02b","","OK","TLSv1.2   xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","",""
+"cipher-tls1_2_xc02c","","OK","TLSv1.2   xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_3_x1301","","OK","TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 256   AESGCM      128      TLS_AES_128_GCM_SHA256","",""
+"cipher-tls1_3_x1302","","OK","TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 256   AESGCM      256      TLS_AES_256_GCM_SHA384","",""
+"cipher_order","","OK","server","",""
+"cipher_order-tls1_2","","OK","server","",""
+"cipher_order-tls1_3","","OK","server","",""
+"cipher_strength_score","","INFO","0","",""
+"cipher_strength_score_weighted","","INFO","0","",""
+"cipherlist_3DES_IDEA","","INFO","not offered","","CWE-310"
+"cipherlist_EXPORT","","OK","not offered","","CWE-327"
+"cipherlist_LOW","","OK","not offered","","CWE-327"
+"cipherlist_NULL","","OK","not offered","","CWE-327"
+"cipherlist_OBSOLETED","","INFO","not offered","","CWE-310"
+"cipherlist_STRONG_FS","","OK","offered","",""
+"cipherlist_STRONG_NOFS","","INFO","not offered","",""
+"cipherlist_aNULL","","OK","not offered","","CWE-327"
+"cipherorder_TLSv1_2","","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"cipherorder_TLSv1_3","","INFO","TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256","",""
+"clientAuth","","INFO","optional","",""
+"clientAuth_CA_list","","INFO","empty","",""
+"clientsimulation-android_11","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-android_12","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-android_60","","INFO","TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256","",""
+"clientsimulation-android_70","","INFO","No connection","",""
+"clientsimulation-android_81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-android_90","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-android_X","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-apple_mail_16_0","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-chrome_101_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-chrome_79_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-edge_101_win10_21h2","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-edge_15_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-firefox_100_win10","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-firefox_66_win81","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-go_1178","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-ie_11_win10","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-ie_11_win7","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-ie_11_win81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-ie_11_winphone81","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-ie_6_xp","","INFO","No connection","",""
+"clientsimulation-ie_8_win7","","INFO","No connection","",""
+"clientsimulation-ie_8_xp","","INFO","No connection","",""
+"clientsimulation-java1102","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-java1703","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-java_7u25","","INFO","No connection","",""
+"clientsimulation-java_8u161","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-libressl_283","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-openssl_102e","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-openssl_110l","","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","",""
+"clientsimulation-openssl_111d","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-openssl_303","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_121_ios_122","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_130_osx_10146","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_154_osx_1231","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-thunderbird_91_9","","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"cookie_count","","INFO","0 at '/' (30x detected, better try target URL of 30x)","",""
+"fallback_SCSV","","OK","no protocol below TLS 1.2 offered","",""
+"final_score","","INFO","0","",""
+"grade_cap_reason_1","","INFO","Grade capped to T. Issues with the chain of trust (chain incomplete)","",""
+"grade_cap_reason_2","","INFO","Grade capped to A. HSTS is not offered","",""
+"heartbleed","","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
+"id","fqdn/ip","port","severity","finding","cve","cwe"
+"intermediate_cert_badOCSP","","OK","intermediate certificate(s) is/are ok","",""
+"key_exchange_score","","INFO","0","",""
+"key_exchange_score_weighted","","INFO","0","",""
+"overall_grade","","CRITICAL","T","",""
+"pre_128cipher","","INFO","No 128 cipher limit bug","",""
+"protocol_support_score","","INFO","0","",""
+"protocol_support_score_weighted","","INFO","0","",""
+"rating_doc","","INFO","https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide","",""
+"rating_spec","","INFO","SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)","",""
+"secure_client_renego","","OK","not vulnerable","CVE-2011-1473","CWE-310"
+"secure_renego","","OK","supported","","CWE-310"
+"security_headers","","MEDIUM","--","",""
+"service","","INFO","HTTP","",""
+"sessionresumption_ID","","INFO","not supported","",""
+"sessionresumption_ticket","","INFO","not supported","",""
+"ticketbleed","","OK","not vulnerable","CVE-2016-9244","CWE-200"
+"winshock","","OK","not vulnerable","CVE-2014-6321","CWE-94"