Add new ELBv2 ssl protocols, add small helper script to fetch them (#7009)

This commit is contained in:
Daniel Fangl 2023-11-10 15:54:25 +01:00 committed by GitHub
parent c04ff77178
commit 5cabac5ccd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 302 additions and 45 deletions


@ -7,8 +7,6 @@ from .exceptions import ListenerOrBalancerMissingError
SSL_POLICIES = [
{
"name": "ELBSecurityPolicy-2016-08",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
@ -29,10 +27,151 @@ SSL_POLICIES = [
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-2016-08",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
],
"name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 6},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 7},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
{"name": "AES128-GCM-SHA256", "priority": 12},
{"name": "AES128-SHA256", "priority": 13},
{"name": "AES256-GCM-SHA384", "priority": 14},
{"name": "AES256-SHA256", "priority": 15},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-1-2021-06",
"ssl_protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-0-2021-06",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
],
"name": "ELBSecurityPolicy-TLS13-1-3-2021-06",
"ssl_protocols": ["TLSv1.3"],
},
{
"name": "ELBSecurityPolicy-TLS-1-2-2017-01",
"ssl_protocols": ["TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
@ -47,10 +186,34 @@ SSL_POLICIES = [
{"name": "AES256-GCM-SHA384", "priority": 11},
{"name": "AES256-SHA256", "priority": 12},
],
"name": "ELBSecurityPolicy-TLS-1-2-2017-01",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
{"name": "AES128-GCM-SHA256", "priority": 13},
{"name": "AES128-SHA256", "priority": 14},
{"name": "AES128-SHA", "priority": 15},
{"name": "AES256-GCM-SHA384", "priority": 16},
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-TLS-1-1-2017-01",
"ssl_protocols": ["TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
@ -71,34 +234,52 @@ SSL_POLICIES = [
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-2018-06",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
{"name": "AES128-GCM-SHA256", "priority": 13},
{"name": "AES128-SHA256", "priority": 14},
{"name": "AES128-SHA", "priority": 15},
{"name": "AES256-GCM-SHA384", "priority": 16},
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-2015-05",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
{"name": "AES128-GCM-SHA256", "priority": 13},
{"name": "AES128-SHA256", "priority": 14},
{"name": "AES128-SHA", "priority": 15},
{"name": "AES256-GCM-SHA384", "priority": 16},
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
},
{
"name": "ELBSecurityPolicy-TLS-1-0-2015-04",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
@ -120,33 +301,68 @@ SSL_POLICIES = [
{"name": "AES256-SHA", "priority": 18},
{"name": "DES-CBC3-SHA", "priority": 19},
],
"name": "ELBSecurityPolicy-TLS-1-0-2015-04",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 5},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 8},
],
"name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-1-1-2019-08",
"ssl_protocols": ["TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-1-2-2019-08",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 3},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 4},
],
},
{
"name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
],
"name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
"ssl_protocols": ["TLSv1.2"],
},
]
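Review bot: The regenerated `SSL_POLICIES` list carries no hint that it is machine-generated, even though the `scripts/update_ssl_policies.py` added in this commit emits exactly this shape (keys sorted, which is why `ciphers` now precedes `name` in every entry); a comment above `SSL_POLICIES = [` such as `# Snapshot of describe_ssl_policies taken <DATE>; regenerate with scripts/update_ssl_policies.py instead of hand-editing` would prevent silent drift and make stale data recognisable. With the count assertion in the test file relaxed to `> 0` in the same commit, nothing checks that policy names are unique or that each entry has non-empty `ciphers` and `ssl_protocols`; a small test asserting `len({p["name"] for p in SSL_POLICIES}) == len(SSL_POLICIES)` would catch a bad paste the next time the data is refreshed. The legacy entries that still list `TLSv1`/`TLSv1.1` and `DES-CBC3-SHA` appear to mirror what the AWS catalogue returns, so keeping them is right for a mock, but that is another reason the snapshot date belongs in the comment.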

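--- /dev/null
+++ b/scripts/update_ssl_policies.py
@@ -0,0 +1,41 @@
+#!/bin/bash
+import json
+import boto3
+import re
+CAMEL_CASE_PATTERN = re.compile(r"(?<!^)(?=[A-Z])")
+KEY_BLACKLIST = ["SupportedLoadBalancerTypes"]
+def camel_case_to_snake_case(name: str):
+return CAMEL_CASE_PATTERN.sub("_", name).lower()
+def get_ssl_elb_ssl_policies():
+elbv2_client = boto3.client("elbv2")
+return elbv2_client.describe_ssl_policies()["SslPolicies"]
+def transform_policies(ssl_policies: dict):
+if isinstance(ssl_policies, list):
+return [transform_policies(item) for item in ssl_policies]
+if not isinstance(ssl_policies, dict):
+return ssl_policies
+result = {}
+for key, value in sorted(ssl_policies.items()):
+if key in KEY_BLACKLIST:
+continue
+new_key = camel_case_to_snake_case(key)
+result[new_key] = transform_policies(value)
+return result
+def main():
+policies = get_ssl_elb_ssl_policies()
+transformed_policies = transform_policies(policies)
+print(json.dumps(transformed_policies, indent=4))
+if __name__ == "__main__":
+main()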
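Review bot: The shebang on the first line of the new script is `#!/bin/bash`, but the file is Python and is added as an executable, so invoking it directly hands the Python source to bash; it should read `#!/usr/bin/env python3`. The annotation `ssl_policies: dict` on `transform_policies` is also misleading, because the function is written to recurse through lists and pass scalars through unchanged — `ssl_policies: object` (or an explicit `dict | list | str` union) would match the `isinstance` checks. `KEY_BLACKLIST` silently drops `SupportedLoadBalancerTypes`, so the generated mock response omits a field the real response evidently carries; a one-line comment stating why it is excluded would spare the next maintainer from "fixing" it. A short module docstring noting that the script calls a live AWS account with whatever credentials boto3 resolves, and that its stdout is meant to be pasted into the policies module, would document the intended workflow.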


@ -1120,7 +1120,7 @@ def test_describe_ssl_policies():
client = boto3.client("elbv2", region_name="eu-central-1")
resp = client.describe_ssl_policies()
assert len(resp["SslPolicies"]) == 7
assert len(resp["SslPolicies"]) > 0
resp = client.describe_ssl_policies(
Names=["ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-2016-08"]