http: align tls version with ruleset

Change-Id: I32e364a0271a84dff949fcd06fe6c68105687055
Checkmk · Feb 12, 2025 · 8a38f7d · 8a38f7d
1 parent e17961d
commit 8a38f7d
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 10 deletions.
diff --git a/cmk/update_config/http/conflicts.py b/cmk/update_config/http/conflicts.py
@@ -17,6 +17,8 @@
 
 
 class MigratableUrl(V1Url):
+    ssl: Literal["auto", "ssl_1_2"] | None = None
+
     def migrate_expect_response(self) -> None | list[int]:
         if self.expect_response is None:
             return None
@@ -127,7 +129,7 @@ def detect_conflicts(rule_value: Mapping[str, object]) -> Conflict | MigratableV
                 type_="add_headers_incompatible",
                 mode_fields=["add_headers"],
             )
-        if mode.ssl in ["ssl_1", "ssl_2", "ssl_3"]:
+        if mode.ssl in ["ssl_1", "ssl_2", "ssl_3", "ssl_1_1"]:
             return Conflict(
                 type_="ssl_incompatible",
                 mode_fields=["ssl"],

diff --git a/cmk/update_config/http/migrate.py b/cmk/update_config/http/migrate.py
@@ -5,6 +5,7 @@
 
 
 from collections.abc import Mapping
+from typing import assert_never
 
 from cmk.update_config.http.conflicts import (
     MigratableCert,
@@ -29,8 +30,8 @@ def _migrate_url_params(
             tls_versions = {"tls_versions": {"min_version": "auto", "allow_higher": True}}
         case "ssl_1_2":
             tls_versions = {"tls_versions": {"min_version": "tls_1_2", "allow_higher": False}}
-        case "ssl_1_3":
-            tls_versions = {"tls_versions": {"min_version": "tls_1_3", "allow_higher": False}}
+        case too_old:
+            assert_never(too_old)
     match url_params.response_time:
         case None:
             response_time: Mapping[str, object] = {}

diff --git a/cmk/update_config/http/v1_scheme.py b/cmk/update_config/http/v1_scheme.py
@@ -60,8 +60,8 @@ class V1Url(BaseModel, extra="forbid"):
     ssl: (
         Literal[
             "auto",  # use with auto-negotiation
+            "ssl_1_1",  # enforce TLS 1.1
             "ssl_1_2",  # enforce TLS 1.2
-            "ssl_1_3",  # enforce TLS 1.3
             "ssl_1",  # enforce TLS 1.0
             "ssl_2",  # enforce SSL 2.0
             "ssl_3",  # enforce SSL 3.0

diff --git a/tests/unit/cmk/update_config/http/test_migrate.py b/tests/unit/cmk/update_config/http/test_migrate.py
@@ -194,7 +194,7 @@
 }
 
 EXAMPLE_22: Mapping[str, object] = {
-    "name": "tls1",
+    "name": "tls_1_0",
     "host": HOST_1,
     "mode": ("url", {"ssl": "ssl_1"}),
 }
@@ -218,9 +218,9 @@
 }
 
 EXAMPLE_26: Mapping[str, object] = {
-    "name": "tls_1_3",
+    "name": "tls_1_2",
     "host": {"address": ("direct", "google.com")},
-    "mode": ("url", {"ssl": "ssl_1_3"}),
+    "mode": ("url", {"ssl": "ssl_1_2"}),
 }
 
 
@@ -621,7 +621,7 @@
 EXAMPLE_79: Mapping[str, object] = {
     "name": "name",
     "host": HOST_1,
-    "mode": ("url", {"ssl": "ssl_1_3"}),
+    "mode": ("url", {"ssl": "ssl_1_2"}),
 }
 
 EXAMPLE_80: Mapping[str, object] = {
@@ -724,7 +724,7 @@
 EXAMPLE_89: Mapping[str, object] = {
     "name": "disable_sni",
     "host": HOST_1,
-    "mode": ("url", {"ssl": "ssl_1_3"}),
+    "mode": ("url", {"ssl": "ssl_1_2"}),
     "disable_sni": True,
 }
 
@@ -748,6 +748,12 @@
     "mode": ("url", {}),
 }
 
+EXAMPLE_93: Mapping[str, object] = {
+    "name": "tls_1_1",
+    "host": HOST_1,
+    "mode": ("url", {"ssl": "ssl_1_1"}),
+}
+
 
 @pytest.mark.parametrize(
     "rule_value",
@@ -950,7 +956,6 @@ def test_migrate_expect_regex(rule_value: Mapping[str, object], expected: object
     [
         (EXAMPLE_17, None),
         (EXAMPLE_25, {"min_version": TlsVersion.TLS_1_2, "allow_higher": False}),
-        (EXAMPLE_26, {"min_version": TlsVersion.TLS_1_3, "allow_higher": False}),
         (EXAMPLE_27, {"min_version": TlsVersion.AUTO, "allow_higher": True}),
     ],
 )
@@ -1199,6 +1204,13 @@ def test_migrate_ssl(rule_value: Mapping[str, object], expected: str) -> None:
                 cant_load=True,
             ),
         ),
+        (
+            EXAMPLE_93,
+            Conflict(
+                type_="ssl_incompatible",
+                mode_fields=["ssl"],
+            ),
+        ),
     ],
 )
 def test_detect_conflicts(rule_value: Mapping[str, object], conflict: Conflict) -> None: