Use new minimum_version to further harden TLS context and adjust unit tests

from #491 to fit.
Tighten default context to never allow TLSv1 but force at least TLSv1_1 if
`allow_pre_tlsv12` is explicitly requested.

Author: jonasbardino

mig/shared/tlsserver.py

@@ -57,16 +57,19 @@ def hardened_ssl_context(configuration, keyfile, certfile, dhparamsfile=None,
     #       https://wiki.mozilla.org/Security/Server_Side_TLS
     ssl_options |= getattr(ssl, 'OP_NO_SSLv2', 0x1000000)
     ssl_options |= getattr(ssl, 'OP_NO_SSLv3', 0x2000000)
+    ssl_options |= getattr(ssl, 'OP_NO_TLSv1', 0x4000000)
+    ssl_ctx.minimum_version = ssl.TLSVersion.TLSv1_1
     # NOTE: refuse weak TLS protocols unless allow_pre_tlsv12
     if not allow_pre_tlsv12:
-        ssl_options |= getattr(ssl, 'OP_NO_TLSv1', 0x4000000)
         ssl_options |= getattr(ssl, 'OP_NO_TLSv1_1', 0x10000000)
+        ssl_ctx.minimum_version = ssl.TLSVersion.TLSv1_2
     # NOTE: refuse slightly dated TLS 1.2 protocol unless allow_pre_tlsv13
     if not allow_pre_tlsv13:
         if getattr(ssl, 'HAS_TLSv1_3', False):
             ssl_options |= getattr(ssl, 'OP_NO_TLSv1_2', 0x8000000)
         else:
             _logger.warning("won't disable TLS 1.2 without TLS 1.3 support")
+        ssl_ctx.minimum_version = ssl.TLSVersion.TLSv1_3
     # NOTE: refuse client TLS renegotiation unless allow_renegotiation
     if not allow_renegotiation:
         ssl_options |= getattr(ssl, 'OP_NO_RENEGOTIATION', 0x40000000)

tests/test_mig_shared_tlsserver.py

@@ -183,9 +183,11 @@ def test_hardened_ssl_context_options_default(self):
 
         # Verify the options were OR'd into the context
         self.assertEqual(context.options & expected_options, expected_options)
+        # Verify that the minimum TLS version is enforced
+        self.assertEqual(context.minimum_version, ssl.TLSVersion.TLSv1_2)
 
-    def test_hardened_ssl_context_options_tls1_1_only(self):
-        """Test SSL context options are set correctly with TLS 1.1 only"""
+    def test_hardened_ssl_context_options_tls1_1(self):
+        """Test SSL context options are set correctly with TLS 1.1 enabled"""
         config = self.configuration
         config.logger = self.logger
 
@@ -197,15 +199,15 @@ def test_hardened_ssl_context_options_tls1_1_only(self):
             STRONG_TLS_CIPHERS,
             STRONG_TLS_CURVES,
             True,
-            False,
+            True,
             False
         )
 
         # Verify options are set
         expected_options = (
             getattr(ssl, 'OP_NO_SSLv2', 0x1000000) |
             getattr(ssl, 'OP_NO_SSLv3', 0x2000000) |
-            getattr(ssl, 'OP_NO_TLSv1_2', 0x8000000) |
+            getattr(ssl, 'OP_NO_TLSv1', 0x4000000) |
             getattr(ssl, 'OP_NO_COMPRESSION', 0x20000) |
             getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0x400000) |
             getattr(ssl, 'OP_SINGLE_ECDH_USE', 0x80000) |
@@ -216,6 +218,8 @@ def test_hardened_ssl_context_options_tls1_1_only(self):
 
         # Verify the options were OR'd into the context
         self.assertEqual(context.options & expected_options, expected_options)
+        # Verify that the minimum TLS version is enforced
+        self.assertEqual(context.minimum_version, ssl.TLSVersion.TLSv1_1)
 
     def test_hardened_ssl_context_options_tls1_3_only(self):
         """Test SSL context options are set correctly with TLS 1.3 only"""
@@ -251,6 +255,8 @@ def test_hardened_ssl_context_options_tls1_3_only(self):
 
         # Verify the options were OR'd into the context
         self.assertEqual(context.options & expected_options, expected_options)
+        # Verify that the minimum TLS version is enforced
+        self.assertEqual(context.minimum_version, ssl.TLSVersion.TLSv1_3)
 
     def test_hardened_ssl_context_options_fail_reneg(self):
         """Test SSL context options fail when different"""