Add new endpoint for cipher testing

[sivel]

Adds new insecure.ansible.http.tests with only 1 cipher configured. The inversion for the cipher we want disabled is mostly just documentation.

[mattclay]

I think we're going to need something a bit more nuanced than this single endpoint with these two cipher suites.

The default cipher suites for our tested clients vary, so some of them will be able to connect to this endpoint without additional configuration.

[sivel]

The tests themselves handle it, because they both explicitly declare the cipher to use. Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?

[mattclay]

Or are you saying that it doesn't really test the explicit use of a cipher as intended, because the default cipher suite in python will include this cipher?

Correct. This endpoint should use a cipher suite that the client supports, but not by default. Otherwise a successful connection doesn't tell us whether or not the cipher suite selection had any effect.

Additionally, the test should try to connect with the default settings and verify the connection fails. That way we'll know if the client defaults are suitable for testing against this endpoint.

The reverse is actually needed for the "test bad cipher" case. We need an endpoint that works with the default cipher suite selection on the client (verified by the test), but that fails when a cipher is chosen that the server does not support.

[sivel]

Ok, think I've got this taken care of.

[sivel]

scratch that, I've expanded my testing, and need to work out details of the weak cipher a bit more.

[mattclay]

Should this second endpoint use a different port from the one above?

[sivel]

It doesn't appear to be necessary, as long as both support the same TLS protocol, they don't need to share the ciphers, but to avoid issues, and confusion, it's probably best to separate.