From 4fa6dc027d20cea8d943937b3c0b6443a63dcc84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A7=AC=E5=B7=8D=E5=B7=9D?=
Date: Mon, 25 May 2020 19:39:37 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8B=A6=E6=88=AAssl=E5=B1=9E=E6=80=A7?= =?UTF-8?q?=E8=87=AA=E5=8A=A8=E5=8C=96=E6=B5=8B=E8=AF=95=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Intercept_SSL_Decryption_Tests.robot | 761 ++++++++++++++++++
1 file changed, 761 insertions(+)
create mode 100644 01-TestCase/tsg_adc/api_security/Intercept_SSL_Decryption_Tests.robot
diff --git a/01-TestCase/tsg_adc/api_security/Intercept_SSL_Decryption_Tests.robot b/01-TestCase/tsg_adc/api_security/Intercept_SSL_Decryption_Tests.robot
new file mode 100644
index 0000000..4c8ceec
--- /dev/null
+++ b/01-TestCase/tsg_adc/api_security/Intercept_SSL_Decryption_Tests.robot 
@@ -0,0 +1,761 @@
+*** Settings ***
+Test Teardown DeletePolicyAndObject ${policyIds} ${objectids}
+Force Tags tsg_adc Security_Policy
+Library OperatingSystem
+Resource ../../../02-Keyword/tsg_adc/SystemCommand.robot
+Resource ../../../02-Keyword/tsg_bfapi/PolicyObject.robot
+Resource ../../../02-Keyword/tsg_bfapi/LogVariable.robot
+Resource ../../../02-Keyword/tsg_bfapi/ApiRequest.robot
+Resource ../../../03-Variable/AllFlowCaseVariable.txt
+
+*** Variables ***
+${policyIds} ${EMPTY}
+${objectids} ${EMPTY}
+${url} /policy/profile/decryption
+${profileId} ${EMPTY}
+
+*** Test Cases ***
+Intercept_SSL_Decryption-00001
+ [Tags] intercpt-服务器证书校验开关关闭
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*badssl.com
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00001 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= 
userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL005.bat
+ ... ELSE set variable curl -kv https://wrong.host.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni wrong.host.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006.bat
+ ... ELSE set variable curl -kv https://untrusted-root.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni untrusted-root.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL004.bat
+ ... 
ELSE set variable curl -kv https://self-signed.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni self-signed.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL003.bat
+ ... ELSE set variable curl -kv https://expired.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni expired.badssl.com
+
+Intercept_SSL_Decryption-00002
+ [Tags] 拦截intercpt-服务器证书校验打开-failclose
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} 
${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*badssl.com
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00002 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL005.bat
+ ... ELSE set variable curl -kv https://wrong.host.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset
+ ... ELSE set variable Connection reset by peer
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni wrong.host.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006.bat
+ ... ELSE set variable curl -kv https://untrusted-root.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset
+ ... 
ELSE set variable Connection reset by peer
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni untrusted-root.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL004.bat
+ ... ELSE set variable curl -kv https://self-signed.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset
+ ... ELSE set variable Connection reset by peer
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni self-signed.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL003.bat
+ ... ELSE set variable curl -kv https://expired.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset
+ ... 
ELSE set variable Connection reset by peer
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni expired.badssl.com
+
+Intercept_SSL_Decryption-00003
+ [Tags] 拦截intercpt-服务器证书校验打开-pass-through
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"pass-through"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*badssl.com
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00003 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List 
{"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL005.bat
+ ... ELSE set variable curl -kv https://wrong.host.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni wrong.host.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006.bat
+ ... ELSE set variable curl -kv https://untrusted-root.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni untrusted-root.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL004.bat
+ ... ELSE set variable curl -kv https://self-signed.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... 
ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni self-signed.badssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL003.bat
+ ... ELSE set variable curl -kv https://expired.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni expired.badssl.com
+
+Intercept_SSL_Decryption-00004
+ [Tags] intercpt-EV关闭
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":1,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*myssl.com,*myssl.cn 
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00004 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL003_004.bat
+ ... ELSE set variable curl -kv https://myssl.com
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni myssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL005_007.bat
+ ... ELSE set variable curl -kv https://www.myssl.cn
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... 
ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni myssl.cn
+
+Intercept_SSL_Decryption-00005
+ [Tags] intercpt-EV开启
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":1,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*myssl.com,*myssl.cn
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00005 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 
功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL003_004.bat
+ ... ELSE set variable curl -kv https://myssl.com
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni myssl.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL005_007.bat
+ ... ELSE set variable curl -kv https://www.myssl.cn
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni myssl.cn
+
+Intercept_SSL_Decryption-00006
+ [Tags] 拦截intercpt-CT关闭
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable 
{"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*vip.com,*jd.com,*mail.ru
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00006 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_008.bat
+ ... ELSE set variable curl -kv https://coll.jd.com/?e=illegalTopic/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni coll.jd.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_010.bat
+ ... 
ELSE set variable curl -kv https://www.vip.com
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni www.vip.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_007.bat
+ ... ELSE set variable curl -kv https://mail.ru/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni mail.ru
+
+Intercept_SSL_Decryption-00007
+ [Tags] 拦截intercpt-CT开启
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":1,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} 
profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*vip.com,*jd.com,*mail.ru
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00007 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_008.bat
+ ... ELSE set variable curl -kv https://coll.jd.com/?e=illegalTopic/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable GlobalSign RSA OV SSL CA 2018
+ ... ELSE set variable GlobalSign RSA OV SSL CA 2018
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni coll.jd.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_010.bat
+ ... ELSE set variable curl -kv https://www.vip.com
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Secure Site Pro CA G2
+ ... 
ELSE set variable Secure Site Pro CA G2
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni www.vip.com
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_007.bat
+ ... ELSE set variable curl -kv https://mail.ru/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni mail.ru
+
+Intercept_SSL_Decryption-00008
+ [Tags] 拦截intercpt-MA关闭
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":0,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*badssl.com
+ ${rescode} ${object_fqdn_Id} 
AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00008 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL008_9.bat
+ ... ELSE set variable curl -kv https://client.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA
+ ... ELSE set variable Tango Secure Gateway CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni client.badssl.com
+
+Intercept_SSL_Decryption-00009
+ [Tags] 拦截intercpt-MA开启
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":0,"cert_transparency":0,"protocol_errors":0,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}
+ ${data} set variable 
{"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*badssl.com
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00009 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]}
+ Comment 功能端验证HTTP验证
+ ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL008_9.bat
+ ... ELSE set variable curl -kv https://client.badssl.com/
+ ${stringlist} run keyword if '${systemType}'=='Windows' set variable DigiCert SHA2 Secure Server CA
+ ... 
ELSE set variable DigiCert SHA2 Secure Server CA
+ ${starttime} Get Time
+ Sleep ${policyVerificationSleepSeconds}s
+ ${rescode} SystemCommand ${commandstr} ${stringlist}
+ Sleep ${policyLogVerificationSleepSeconds}s
+ ${endtime} Get Time
+ #日志验证
+ ${s} Convert to String ${policyId}
+ GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni client.badssl.com
+
+Intercept_SSL_Decryption-00010
+ [Tags] 拦截intercpt-协议版本-SSL3
+ Comment 创建Decryption Profile
+ ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":1,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0}
+ ${protocol_version} set variable "protocol_version":{"min":"ssl3","max":"ssl3","mirror_client":0,"allow_http2":0}
+ ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"}
+ ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]}
+ ${response} CreatePolicyFileNoFile ${url} ${data}
+ ${profiledId} Get From Dictionary ${response} profileId
+ Comment 创建fqdn
+ ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*newdaynews.ru,*ya.ru,*yandex.ru
+ ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict}
+ ${objectids} set Variable ${object_fqdn_Id}
+ Comment 创建安全策略
+ ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00010 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3
+ ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict}
+ #删除策略
+ ${policyIds} 
Create List {"policyType":"tsg_security","policyIds":[${policyId}]} + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL010_10.bat + ... ELSE set variable curl -kv https://newdaynews.ru/moskow/665390.html/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + #日志验证 + ${s} Convert to String ${policyId} + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni newdaynews.ru + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL010_11.bat + ... ELSE set variable curl -kv https://ya.ru + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni ya.ru + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL010_12.bat + ... ELSE set variable curl -kv https://yandex.ru + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... 
ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni yandex.ru + +Intercept_SSL_Decryption-00011 + [Tags] 拦截intercpt-协议版本-TLS1.0 + Comment 创建Decryption Profile + ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":1,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0} + ${protocol_version} set variable "protocol_version":{"min":"tls10","max":"tls10","mirror_client":0,"allow_http2":0} + ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"} + ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]} + ${response} CreatePolicyFileNoFile ${url} ${data} + ${profiledId} Get From Dictionary ${response} profileId + Comment 创建fqdn + ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*newdaynews.ru,*github.com,*jd.com,*mi.com + ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict} + ${objectids} set Variable ${object_fqdn_Id} + Comment 创建安全策略 + ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00011 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3 + ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict} + #删除策略 + ${policyIds} Create List 
{"policyType":"tsg_security","policyIds":[${policyId}]} + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL010_10.bat + ... ELSE set variable curl -kv https://newdaynews.ru/moskow/665390.html/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + #日志验证 + ${s} Convert to String ${policyId} + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni newdaynews.ru + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL011_12.bat + ... ELSE set variable curl -kv https://github.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni github.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL009.bat + ... ELSE set variable curl -kv https:///www.mi.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... 
ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni mi.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_008.bat + ... ELSE set variable curl -kv https://coll.jd.com/?e=illegalTopic/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni coll.jd.com + +Intercept_SSL_Decryption-00012 + [Tags] 拦截intercpt-协议版本-TLS1.1 + Comment 创建Decryption Profile + ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":1,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0} + ${protocol_version} set variable "protocol_version":{"min":"tls11","max":"tls11","mirror_client":0,"allow_http2":0} + ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"} + ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]} + ${response} CreatePolicyFileNoFile ${url} ${data} + ${profiledId} Get From Dictionary ${response} profileId + Comment 创建fqdn + ${objectDict} Create Dictionary objectType=fqdn isValid=${1} 
addItemList=*newdaynews.ru,*github.com,*jd.com,*mi.com + ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict} + ${objectids} set Variable ${object_fqdn_Id} + Comment 创建安全策略 + ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00012 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3 + ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict} + #删除策略 + ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]} + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL010_10.bat + ... ELSE set variable curl -kv https://newdaynews.ru/moskow/665390.html/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + #日志验证 + ${s} Convert to String ${policyId} + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni newdaynews.ru + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL011_12.bat + ... ELSE set variable curl -kv https://github.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... 
ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni github.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL009.bat + ... ELSE set variable curl -kv https:///www.mi.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni mi.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_008.bat + ... ELSE set variable curl -kv https://coll.jd.com/?e=illegalTopic/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... 
ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni coll.jd.com + +Intercept_SSL_Decryption-00013 + [Tags] 拦截intercpt-协议版本-TLS1.2 + Comment 创建Decryption Profile + ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":1,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0} + ${protocol_version} set variable "protocol_version":{"min":"tls12","max":"tls12","mirror_client":0,"allow_http2":1} + ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"} + ${data} set variable {"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]} + ${response} CreatePolicyFileNoFile ${url} ${data} + ${profiledId} Get From Dictionary ${response} profileId + Comment 创建fqdn + ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*jd.com,*taobao.com + ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict} + ${objectids} set Variable ${object_fqdn_Id} + Comment 创建安全策略 + ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00013 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3 + ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict} + #删除策略 + ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]} + 
Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_008.bat + ... ELSE set variable curl -kv https://coll.jd.com/?e=illegalTopic/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + #日志验证 + ${s} Convert to String ${policyId} + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni coll.jd.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL011.bat + ... ELSE set variable curl -kv https://www.taobao.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni taobao.com + +Intercept_SSL_Decryption-00014 + [Tags] 拦截intercpt-协议版本-TLS1.3 + Comment 创建Decryption Profile + ${dynamic_bypass} set variable "dynamic_bypass":{"mutual_authentication":1,"cert_pinning":1,"cert_transparency":0,"protocol_errors":1,"ev_cert":0,"trusted_root_cert_is_not_installed_on_client":0} + ${protocol_version} set variable "protocol_version":{"min":"tls13","max":"tls13","mirror_client":0,"allow_http2":1} + ${certificate_checks} set variable "certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"fail-close"} + ${data} set variable 
{"opAction":"add","returnData":1,"list":[{"profileName":"autotest_decryption_add","profileId":"","decryption":{${dynamic_bypass},${protocol_version},${certificate_checks}},"isValid":1,"isInitialize":0,"profileDesc":""}]} + ${response} CreatePolicyFileNoFile ${url} ${data} + ${profiledId} Get From Dictionary ${response} profileId + Comment 创建fqdn + ${objectDict} Create Dictionary objectType=fqdn isValid=${1} addItemList=*vip.com,*github.com,*halfrost.com,*mi.com + ${rescode} ${object_fqdn_Id} AddObject2 ${1} ${objectDict} + ${objectids} set Variable ${object_fqdn_Id} + Comment 创建安全策略 + ${policyDict} Create Dictionary policyName=SecurityPolicy-Intercept-SSL-00014 policyType=tsg_security policyDesc=autotest userTags= action=intercept effectiveRange= userRegion={"protocol":"SSL","keyring":1,"decryption":${profiledId},"decrypt_mirror":{"enable":0,"mirror_profile":null}} referenceObject=${object_fqdn_Id}|TSG_FIELD_SSL_SNI isValid=${1} appObjectIdArray=3 + ${rescode} ${policyId} AddPolicy2 ${1} ${policyDict} + #删除策略 + ${policyIds} Create List {"policyType":"tsg_security","policyIds":[${policyId}]} + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL006_010.bat + ... ELSE set variable curl -kv https://www.vip.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + #日志验证 + ${s} Convert to String ${policyId} + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni vip.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL012.bat + ... 
ELSE set variable curl -kv https://halfrost.com/tls1-3_start/ + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni halfrost.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL009.bat + ... ELSE set variable curl -kv https:///www.mi.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Connection was reset + ... ELSE set variable Connection reset by peer + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni mi.com + Comment 功能端验证HTTP验证 + ${commandstr} run keyword if '${systemType}'=='Windows' set variable ${curlbatpath}/SecurityPolicy_Intercept_SSL011_12.bat + ... ELSE set variable curl -kv https://github.com + ${stringlist} run keyword if '${systemType}'=='Windows' set variable Tango Secure Gateway CA + ... ELSE set variable Tango Secure Gateway CA + ${starttime} Get Time + Sleep ${policyVerificationSleepSeconds}s + ${rescode} SystemCommand ${commandstr} ${stringlist} + Sleep ${policyLogVerificationSleepSeconds}s + ${endtime} Get Time + GetLogList security_event_log ${starttime} ${endtime} ${testClentIP} ${s} ssl_sni github.com