
Add a rake task tool to test used SSL algorithms

Will Meek requested to merge fips_algorithm_tester into master

What does this MR do and why?

As per https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/1259 which was a task requested in &5104 (comment 845029643)

This MR introduces a rake task to check a given list of cipher algorithms against a given endpoint host and port. It is a first iteration that should allow for this to be tested; if we build an SSL FIPS build, we could add it to CI at that point.

How to set up and validate locally

  1. Create a file containing ciphers to be tested, of the form `algorithm tls_version`, e.g.
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2
    ECDHE-RSA-AES256-SHA384 TLSv1.2
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2
  2. Run against a target host/port, e.g.
    % bundle exec rake "gitlab:algorithm_check[staging.gitlab.com,443,/Users/willmeek/fips-ciphers]"
    Supported specified ciphers detected on connection to to staging.gitlab.com: ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"]

    Supported non-specified ciphers detected on connection to to staging.gitlab.com: ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256", "AES128-SHA256"]

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Will Meek
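The kind of check the rake task performs, written here as an added Ruby example that is not the MR's code: it parses the same `algorithm tls_version` file, pins one handshake per cipher at that protocol version, and splits what the server accepts into the "specified" and "non-specified" lists the task prints. Assumed, not from the MR: only TLSv1.2 suites are handled (the only version the MR's file shows), and the function names `parse_cipher_spec`, `cipher_supported?`, `classify` and `run_check` are chosen for this example.

```ruby
require 'openssl'
require 'socket'

# Assumption: only TLSv1.2 suites, as in the MR's example file.
# (TLS 1.3 suites would need SSLContext#ciphersuites=, not ciphers=.)
TLS_VERSIONS = { 'TLSv1.2' => OpenSSL::SSL::TLS1_2_VERSION }.freeze

# Parse "CIPHER TLS_VERSION" lines; blank lines and # comments are skipped,
# and an unsupported version is rejected before any network I/O happens.
def parse_cipher_spec(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    name, version = line.split
    raise ArgumentError, "unsupported TLS version #{version.inspect} for #{name}" unless TLS_VERSIONS.key?(version)
    { name: name, version: version }
  end
end

# One handshake pinned to a single cipher and protocol version. Returns true
# only if the server actually negotiated that exact cipher; any handshake
# failure (cipher rejected, unknown cipher name, connection refused) is false.
def cipher_supported?(host, port, name, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = TLS_VERSIONS.fetch(version)
  ctx.ciphers = name
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # probing cipher support, not the certificate
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host # send SNI so a virtual host answers with its own config
  ssl.connect
  ssl.cipher[0] == name
rescue OpenSSL::SSL::SSLError, SystemCallError, SocketError
  false
ensure
  ssl&.close
  tcp&.close
end

# Split the accepted ciphers into the two lists the rake task prints.
def classify(accepted, specified)
  wanted = specified.map { |c| c[:name] }
  { specified: accepted & wanted, non_specified: accepted - wanted }
end

# Probe the spec's ciphers plus every other TLSv1.2 suite the local OpenSSL
# offers, so ciphers the server accepts but the spec omits are surfaced too.
def run_check(host, port, spec_path)
  specified = parse_cipher_spec(File.read(spec_path))
  local = OpenSSL::SSL::SSLContext.new.ciphers.select { |c| c[1] == 'TLSv1.2' }.map(&:first)
  accepted = (specified.map { |c| c[:name] } | local).select { |n| cipher_supported?(host, port, n, 'TLSv1.2') }
  classify(accepted, specified)
end
```

Call `run_check('staging.gitlab.com', 443, '/path/to/fips-ciphers')` from a rake task or `irb` to get `{ specified: [...], non_specified: [...] }`; no timeout is set, so a host that accepts TCP but never completes the handshake will block.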
