Add support for disabling OCSP and hostname checking

* Add a manpage for mount.efs * Improve warning messages in the mount helper * Improve stunnel cleanup functionality

Add support for disabling OCSP and hostname checking
* Add a manpage for mount.efs * Improve warning messages in the mount helper * Improve stunnel cleanup functionality
7c1e2b3a · Nick Fiacco · e1673be6 · 7c1e2b3a · 7c1e2b3a · 7c1e2b3a
Commit 7c1e2b3a authored Jul 09, 2018 by Nick Fiacco
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,9 @@ tarball: clean
 	cp -rp src/mount_efs $(PACKAGE_NAME)/src
 	cp -rp src/watchdog $(PACKAGE_NAME)/src

+	mkdir -p ${PACKAGE_NAME}/man
+	cp -rp man/mount.efs.8 ${PACKAGE_NAME}/man
+
 	tar -czf $(SOURCE_TARBALL) $(PACKAGE_NAME)/*

 .PHONY: specfile
@@ -60,4 +63,4 @@ deb:
 .PHONY: test
 test:
 	pytest
-	flake8
\ No newline at end of file
+	flake8
--- a/build-deb.sh
+++ b/build-deb.sh
@@ -11,7 +11,7 @@ set -ex

 BASE_DIR=$(pwd)
 BUILD_ROOT=${BASE_DIR}/build/debbuild
-VERSION=1.2
+VERSION=1.3

 echo 'Cleaning deb build workspace'
 rm -rf ${BUILD_ROOT}
@@ -24,6 +24,7 @@ mkdir -p ${BUILD_ROOT}/etc/systemd/system
 mkdir -p ${BUILD_ROOT}/sbin
 mkdir -p ${BUILD_ROOT}/usr/bin
 mkdir -p ${BUILD_ROOT}/var/log/amazon/efs
+mkdir -p ${BUILD_ROOT}/usr/share/man/man8

 echo 'Copying application files'
 install -p -m 644 dist/amazon-efs-mount-watchdog.conf ${BUILD_ROOT}/etc/init
@@ -44,6 +45,9 @@ install -p -m 644 dist/amazon-efs-utils.control ${BUILD_ROOT}/control
 echo 'Copying conffiles'
 install -p -m 644 dist/amazon-efs-utils.conffiles ${BUILD_ROOT}/conffiles

+echo 'Copying manpages'
+install -p -m 644 man/mount.efs.8 ${BUILD_ROOT}/usr/share/man/man8/mount.efs.8
+
 echo 'Creating deb binary file'
 echo '2.0'> ${BUILD_ROOT}/debian-binary


--- a/dist/amazon-efs-utils.control
+++ b/dist/amazon-efs-utils.control
 Package: amazon-efs-utils
 Architecture: all
-Version: 1.2
+Version: 1.3
 Section: utils
 Depends: python|python2, nfs-common, stunnel4 (>= 4.56)
 Priority: optional

--- a/dist/amazon-efs-utils.spec
+++ b/dist/amazon-efs-utils.spec
@@ -20,7 +20,7 @@
 %endif

 Name      : amazon-efs-utils
-Version   : 1.2
+Version   : 1.3
 Release   : 1%{?dist}
 Summary   : This package provides utilities for simplifying the use of EFS file systems

@@ -67,11 +67,13 @@ install -p -m 644 %{_builddir}/%{name}/dist/amazon-efs-mount-watchdog.conf %{bui
 mkdir -p %{buildroot}/sbin
 mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_localstatedir}/log/amazon/efs
+mkdir -p  %{buildroot}%{_mandir}/man8

 install -p -m 644 %{_builddir}/%{name}/dist/efs-utils.conf %{buildroot}%{_sysconfdir}/amazon/efs
 install -p -m 444 %{_builddir}/%{name}/dist/efs-utils.crt %{buildroot}%{_sysconfdir}/amazon/efs
 install -p -m 755 %{_builddir}/%{name}/src/mount_efs/__init__.py %{buildroot}/sbin/mount.efs
 install -p -m 755 %{_builddir}/%{name}/src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
+install -p -m 644 %{_builddir}/%{name}/man/mount.efs.8 %{buildroot}%{_mandir}/man8

 %files
 %defattr(-,root,root,-)
@@ -84,6 +86,7 @@ install -p -m 755 %{_builddir}/%{name}/src/watchdog/__init__.py %{buildroot}%{_b
 /sbin/mount.efs
 %{_bindir}/amazon-efs-mount-watchdog
 /var/log/amazon
+%{_mandir}/man8/mount.efs.8.gz

 %config(noreplace) %{_sysconfdir}/amazon/efs/efs-utils.conf


--- a/dist/scriptlets/after-install-upgrade
+++ b/dist/scriptlets/after-install-upgrade
-if [ $(cat /proc/1/comm) = init ]; then
-    /sbin/restart amazon-efs-mount-watchdog &> /dev/null || true
-elif [ $(cat /proc/1/comm) = systemd ]; then
-    systemctl try-restart amazon-efs-mount-watchdog.service &> /dev/null || true
-fi
+#!/bin/sh
+set -e
+
+if [ -n $2 ]; then
+    if [ "$(cat /proc/1/comm)" = "init" ]; then
+        /sbin/restart amazon-efs-mount-watchdog &> /dev/null || true
+    elif [ "$(cat /proc/1/comm)" = "systemd" ]; then
+        if systemctl is-active --quiet amazon-efs-mount-watchdog; then
+            systemctl try-restart amazon-efs-mount-watchdog.service &> /dev/null || true
+        fi
+    fi
+fi
\ No newline at end of file
--- a/dist/scriptlets/after-remove
+++ b/dist/scriptlets/after-remove
-if [ -z "$2" ]; then
-    if [ $(cat /proc/1/comm) = systemd ]; then
+#!/bin/sh
+set -e
+
+reload() {
+    if [ "$(cat /proc/1/comm)" = "systemd" ]; then
        systemctl daemon-reload
    fi
+}
+
+if [ "$1" = "remove" ]; then
+    reload
+elif [ "$1" = "purge" ]; then
+    reload
+    rm -f /var/log/amazon/efs/*
 fi
\ No newline at end of file
--- a/dist/scriptlets/before-remove
+++ b/dist/scriptlets/before-remove
-if [ -z "$2" ]; then
-    if [ $(cat /proc/1/comm) = init ]; then
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
+    if [ "$(cat /proc/1/comm)" = "init" ]; then
        /sbin/stop amazon-efs-mount-watchdog &> /dev/null || true
-    elif [ $(cat /proc/1/comm) = systemd ]; then
-        systemctl --no-reload disable amazon-efs-mount-watchdog.service &> /dev/null || true
-        systemctl stop amazon-efs-mount-watchdog.service &> /dev/null || true
+    elif [ "$(cat /proc/1/comm)" = "systemd" ]; then
+        if systemctl is-active --quiet amazon-efs-mount-watchdog; then
+            systemctl --no-reload disable amazon-efs-mount-watchdog.service &> /dev/null || true
+            systemctl stop amazon-efs-mount-watchdog.service &> /dev/null || true
+        fi
    fi
-fi
+fi
\ No newline at end of file
--- a/man/mount.efs.8
+++ b/man/mount.efs.8
+.TH "EFS" "8"
+.SH "NAME"
+\fBmount\&.efs\fR \- Mount helper for using Amazon EFS file systems\&.
+.SH "SYNOPSIS"
+.sp
+\fBmount\&.efs\fR \fIfile\-system\-id\fR \fImount-point\fR [\fB\-o\fR \fIoptions\fR]
+.SH "DESCRIPTION"
+.sp
+\fBmount\&.efs\fR is part of the \fBamazon\-efs\-utils\fR \
+package, which simplifies using EFS file systems\&.
+.sp
+\fBmount\&.efs\fR is meant to be used through the \
+\fBmount\fR(8) command for mounting EFS file systems\&.
+.sp
+\fIfile\-system\-id\fR is an EFS file system ID in the \
+form of "fs\-abcd1234", generated when the file system \
+is created\&. \fImount-point\fR is the local directory \
+on which the file system will be mounted\&.
+.sp
+\fBmount\&.efs\fR automatically applies the following NFS options:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+nfsvers=4\&.1
+rsize=1048576
+wsize=1048576
+hard
+timeo=600
+retrans=2
+noresvport
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+By default, when using the Amazon EFS mount helper with Transport \
+Layer Security (TLS), the mount helper enforces the use of Online \
+Certificate Status Protocol (OCSP) and certificate hostname checking\&. \
+These options can be configured in the config file located at \
+\fI/etc/amazon/efs/efs\-utils\&.conf\&\fR.
+.sp
+Additionally, the Amazon EFS mount helper has built\-in logging for \
+troubleshooting purposes\&. These logs are located at \fI/var/log/amazon/efs\fR\&.
+.sp
+It is possible to configure your Amazon EC2 instance to automatically \
+remount your Amazon EFS file system when it reboots. For more information, \
+see the online documentation at: \
+\fIhttps://docs\&.aws\&.amazon\&.com/efs/latest/ug/mount\-fs\-auto\-mount\-onreboot\&.html\fR\&.
+.SH "OPTIONS"
+.sp
+\fB\-o\fR, Options are specified with a \fB\-o\fR flag followed by a \
+comma separated string of options\&. All of the options specified in \
+\fBnfs(5)\fR are available, in addition to the following EFS-specific \
+options:
+.if n \{\
+.RS 4
+.\}
+.TP
+\fBtls\fR
+Mounts the EFS file system over TLS\&.
+.TP
+\fBtlsport=\fR\fIn\fR
+Configure the TLS relay to listen on the specified port\&.
+.TP
+\fBverify=\fR\fIn\fR
+Verify TLS certificates using the specified stunnel verify level\&. For \
+more information, see \fBstunnel(8)\fR\&.
+.if n \{\
+.RE
+.\}
+.SH "EXAMPLES"
+.TP
+sudo mount -t efs fs-abcd1234 /mnt/efs
+Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
+"/mnt/efs" without encryption of data in transit\&.
+.TP
+sudo mount -t efs fs-abcd1234:/child /mnt/efs
+Mount a non-root directory of an EFS file system with file system ID \
+"fs-abcd1234" at mount point "/mnt/efs" without encryption of data in transit\&.
+.TP
+sudo mount -t efs -o tls fs-abcd1234 /mnt/efs
+Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
+"/mnt/efs" using encryption of data in transit\&.
+.TP
+sudo mount -t efs -o tls,verify=0 fs-abcd1234 /mnt/efs
+Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
+"/mnt/efs" using encryption of data in transit and a verify level of 0\&.
+.SH "FILES"
+.TP
+\fI/sbin/mount.efs\fR
+The executable for the Amazon EFS mount helper\&.
+.TP
+\fI/usr/bin/amazon-efs-mount-watchdog\fR
+The executable for the supervisor process that monitors the network relay\&.
+.TP
+\fI/etc/amazon/efs/efs-utils.conf\fR
+The configuration file for the Amazon EFS mount helper\&.
+.TP
+\fI/etc/amazon/efs/efs-utils.crt\fR
+The default Certificate Authority file used by the Amazon EFS mount helper\&.
+.TP
+\fI/etc/init/amazon-efs-mount-watchdog.conf\fR
+The configuration file for the supervisor process\&.
+.TP
+\fI/var/log/amazon/efs/\fR
+The directory where logs for the Amazon EFS mount helper, the stunnel network \
+relay, and the supervisor process are stored\&.
+.TP
+\fI/usr/share/man/man8/mount.efs.8\fR
+The man page for the Amazon EFS mount helper\&.
+.SH "NOTES"
+.sp
+For more information on using the \fBamazon\-efs\-utils\fR package, see \
+\fIhttps://docs\&.aws\&.amazon\&.com/efs/latest/ug/using\-amazon\-efs\-utils\&.html\fR \
+in the Amazon EFS User Guide\&.
+.SH "SEE ALSO"
+.sp
+\fBnfs(8)\fR, \fBstunnel(8)\fR, \fBfstab(5)\fR
+.SH "COPYING"
+.sp
+Copyright 2017\-2018 Amazon\&.com, Inc\&. and its affiliates\&. All Rights Reserved\&.
--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -54,7 +54,7 @@ except ImportError:
    from urllib.error import URLError
    from urllib.request import urlopen

-VERSION = '1.2'
+VERSION = '1.3'

 CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
 CONFIG_SECTION = 'mount'
@@ -72,13 +72,16 @@ DEFAULT_STUNNEL_VERIFY_LEVEL = 2
 DEFAULT_STUNNEL_CAFILE = '/etc/amazon/efs/efs-utils.crt'

 EFS_ONLY_OPTIONS = [
-    'cafile',
-    'capath',
    'tls',
    'tlsport',
    'verify',
 ]

+UNSUPPORTED_OPTIONS = [
+    'cafile',
+    'capath',
+]
+
 STUNNEL_GLOBAL_CONFIG = {
    'fips': 'no',
    'foreground': 'yes',
@@ -130,7 +133,10 @@ def get_region():

        return instance_identity['region']
    except URLError as e:
-        _fatal_error('Unable to reach instance metadata service at %s: %s' % (INSTANCE_METADATA_SERVICE_URL, e))
+        _fatal_error('Unable to reach the instance metadata service at %s. If this is an on-premises instance, replace '
+                     '"{region}" in the "dns_name_format" option in %s with the region of the EFS file system you are mounting.\n'
+                     'See %s for more detail. %s'
+                     % (INSTANCE_METADATA_SERVICE_URL, CONFIG_FILE, 'https://docs.aws.amazon.com/console/efs/direct-connect', e))
    except ValueError as e:
        _fatal_error('Error parsing json: %s' % (e,))
    except KeyError as e:
@@ -233,9 +239,9 @@ def get_version_specific_stunnel_options(config):
    stunnel_output = err.splitlines()

    check_host_supported = is_stunnel_option_supported(stunnel_output, 'checkHost')
-    oscp_aia_supported = is_stunnel_option_supported(stunnel_output, 'OCSPaia')
+    ocsp_aia_supported = is_stunnel_option_supported(stunnel_output, 'OCSPaia')

-    return check_host_supported, oscp_aia_supported
+    return check_host_supported, ocsp_aia_supported


 def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level, log_dir=LOG_DIR):
@@ -258,21 +264,23 @@ def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_por
    if verify_level > 0:
        add_stunnel_ca_options(efs_config)

-    check_host, oscp_aia = get_version_specific_stunnel_options(config)
+    check_host_supported, ocsp_aia_supported = get_version_specific_stunnel_options(config)

    tls_controls_message = 'WARNING: Your client lacks sufficient controls to properly enforce TLS. Please upgrade stunnel, ' \
        'or disable "%%s" in %s.\nSee %s for more detail.' % (CONFIG_FILE,
                                                              'https://docs.aws.amazon.com/console/efs/troubleshooting-tls')

-    if check_host:
-        efs_config['checkHost'] = dns_name
-    elif config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_hostname'):
-        fatal_error(tls_controls_message % 'stunnel_check_cert_hostname')
+    if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_hostname'):
+        if check_host_supported:
+            efs_config['checkHost'] = dns_name
+        else:
+            fatal_error(tls_controls_message % 'stunnel_check_cert_hostname')

-    if oscp_aia:
-        efs_config['OCSPaia'] = 'yes'
-    elif config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
-        fatal_error(tls_controls_message % 'stunnel_check_cert_validity')
+    if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
+        if ocsp_aia_supported:
+            efs_config['OCSPaia'] = 'yes'
+        else:
+            fatal_error(tls_controls_message % 'stunnel_check_cert_validity')

    stunnel_config = '\n'.join(serialize_stunnel_config(global_config) + serialize_stunnel_config(efs_config, 'efs'))
    logging.debug('Writing stunnel configuration:\n%s', stunnel_config)
@@ -406,6 +414,7 @@ def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, sta


 def get_nfs_mount_options(options):
+    # If you change these options, update the man page as well at man/mount.efs.8
    if 'nfsvers' not in options and 'vers' not in options:
        options['nfsvers'] = '4.1'
    if 'rsize' not in options:
@@ -418,6 +427,8 @@ def get_nfs_mount_options(options):
        options['timeo'] = '600'
    if 'retrans' not in options:
        options['retrans'] = '2'
+    if 'noresvport' not in options:
+        options['noresvport'] = None

    if 'tls' in options:
        if 'port' in options:
@@ -577,6 +588,16 @@ def mount_tls(config, init_system, dns_name, path, fs_id, mountpoint, options):
        t.join()


+def check_unsupported_options(options):
+    for unsupported_option in UNSUPPORTED_OPTIONS:
+        if unsupported_option in options:
+            warn_message = 'The "%s" option is not supported and has been ignored, as amazon-efs-utils relies on a built-in ' \
+                           'trust store.' % unsupported_option
+            sys.stderr.write('WARN: %s\n' % warn_message)
+            logging.warn(warn_message)
+            del options[unsupported_option]
+
+
 def main():
    fs_id, path, mountpoint, options = parse_arguments()
    assert_root()
@@ -585,6 +606,7 @@ def main():
    bootstrap_logging(config)

    logging.info('version=%s options=%s', VERSION, options)
+    check_unsupported_options(options)

    init_system = get_init_system()
    check_network_status(fs_id, init_system)

--- a/src/watchdog/__init__.py
+++ b/src/watchdog/__init__.py
@@ -25,7 +25,7 @@ try:
 except ImportError:
    from configparser import ConfigParser

-VERSION = '1.2'
+VERSION = '1.3'

 CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
 CONFIG_SECTION = 'mount-watchdog'
@@ -78,17 +78,19 @@ def bootstrap_logging(config, log_dir=LOG_DIR):
        logging.error('Malformed logging level "%s", setting logging level to %s', raw_level, level)


-def get_file_safe_mountpoint(mountpoint):
-    mountpoint = os.path.abspath(mountpoint).replace(os.sep, '.')
+def get_file_safe_mountpoint(mount):
+    mountpoint = os.path.abspath(mount.mountpoint).replace(os.sep, '.')
    if mountpoint.startswith('.'):
        mountpoint = mountpoint[1:]
-    return mountpoint
+
+    port = mount.options[mount.options.find('port'):].split(',')[0].split('=')[1]
+    return mountpoint + '.' + port


 def get_current_local_nfs_mounts(mount_file='/proc/mounts'):
    """
-    Return a dict of the current NFS mounts for servers running on localhost, keyed by the mountpoint as it appears in EFS
-    watchdog state files.
+    Return a dict of the current NFS mounts for servers running on localhost, keyed by the mountpoint and port as it
+    appears in EFS watchdog state files.
    """
    mounts = []

@@ -100,13 +102,15 @@ def get_current_local_nfs_mounts(mount_file='/proc/mounts'):

    mount_dict = {}
    for m in mounts:
-        mount_dict[get_file_safe_mountpoint(m.mountpoint)] = m
+        mount_dict[get_file_safe_mountpoint(m)] = m

    return mount_dict


 def get_state_files(state_file_dir):
-    """Return a dict of the absolute path of state files in state_file_dir, keyed by the mountpoint portion of the filename."""
+    """
+    Return a dict of the absolute path of state files in state_file_dir, keyed by the mountpoint and port portion of the filename.
+    """
    state_files = {}

    if os.path.isdir(state_file_dir):
@@ -114,11 +118,12 @@ def get_state_files(state_file_dir):
            if not sf.startswith('fs-'):
                continue

+            # This translates the state file name "fs-deadbeaf.home.user.mnt.12345"
+            # into file-safe mountpoint "home.user.mnt.12345"
            first_period = sf.find('.')
-            last_period = sf.rfind('.')
-            mount_point = sf[first_period + 1:last_period]
-            logging.debug('Translating "%s" into mount point "%s"', sf, mount_point)
-            state_files[mount_point] = sf
+            mount_point_and_port = sf[first_period + 1:]
+            logging.debug('Translating "%s" into mount point and port "%s"', sf, mount_point_and_port)
+            state_files[mount_point_and_port] = sf

    return state_files


--- a/test/mount_efs_test/test_check_unsupported_options.py
+++ b/test/mount_efs_test/test_check_unsupported_options.py
+#
+# Copyright 2017-2018 Amazon.com, Inc. and its affiliates. All Rights Reserved.
+#
+# Licensed under the MIT License. See the LICENSE accompanying this file
+# for the specific language governing permissions and limitations under
+# the License.
+#
+
+import mount_efs
+import tempfile
+
+
+def create_temp_file(tmpdir, content=''):
+    temp_file = tmpdir.join(tempfile.mktemp())
+    temp_file.write(content, ensure=True)
+    return temp_file
+
+
+def test_no_unsupported_options(capsys):
+    options = {}
+
+    mount_efs.check_unsupported_options(options)
+
+    out, err = capsys.readouterr()
+    assert not out
+
+
+def test_cafile_unsupported(capsys):
+    options = {'capath': '/capath'}
+
+    mount_efs.check_unsupported_options(options)
+
+    out, err = capsys.readouterr()
+    assert 'not supported' in err
+    assert 'capath' in err
+    assert 'capath' not in options
+
+
+def test_capath_unsupported(capsys):
+    options = {'cafile': '/cafile'}
+
+    mount_efs.check_unsupported_options(options)
+
+    out, err = capsys.readouterr()
+    assert 'not supported' in err
+    assert 'cafile' in err
+    assert 'cafile' not in options
--- a/test/mount_efs_test/test_write_stunnel_config_file.py
+++ b/test/mount_efs_test/test_write_stunnel_config_file.py
@@ -81,7 +81,7 @@ def _validate_config(stunnel_config_file, expected_global_config, expected_efs_c


 def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFAULT_STUNNEL_VERIFY_LEVEL,
-                             check_cert_hostname=True, check_cert_status=True):
+                             check_cert_hostname=True, check_cert_validity=True):

    expected_efs_config = dict(mount_efs.STUNNEL_EFS_CONFIG)
    expected_efs_config['accept'] = expected_efs_config['accept'] % port
@@ -91,13 +91,43 @@ def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFA
    if check_cert_hostname:
        expected_efs_config['checkHost'] = dns_name

-    if check_cert_status:
+    if check_cert_validity:
        expected_efs_config['OCSPaia'] = 'yes'

    return expected_efs_config


-def test_write_stunnel_config_file(mocker, tmpdir):
+def _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported, stunnel_check_cert_hostname,
+                              expected_check_cert_hostname_config_value):
+    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
+
+    config_file = mount_efs.write_stunnel_config_file(
+        _get_config(mocker, stunnel_check_cert_hostname_supported=stunnel_check_cert_hostname_supported,
+                    stunnel_check_cert_hostname=stunnel_check_cert_hostname),
+        str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
+
+    ca_mocker.assert_called_once()
+
+    _validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG,
+                     _get_expected_efs_config(check_cert_hostname=expected_check_cert_hostname_config_value))
+
+
+def _test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported, stunnel_check_cert_validity,
+                              expected_check_cert_validity_config_value):
+    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
+
+    config_file = mount_efs.write_stunnel_config_file(
+        _get_config(mocker, stunnel_check_cert_validity_supported=stunnel_check_cert_validity_supported,
+                    stunnel_check_cert_validity=stunnel_check_cert_validity),
+        str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
+
+    ca_mocker.assert_called_once()
+
+    _validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG,
+                     _get_expected_efs_config(check_cert_validity=expected_check_cert_validity_config_value))
+
+
+def _test_write_stunnel_config_file(mocker, tmpdir):
    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
    state_file_dir = str(tmpdir)

@@ -125,18 +155,33 @@ def test_write_stunnel_config_with_debug(mocker, tmpdir):
    _validate_config(config_file, expected_global_config, _get_expected_efs_config())


-def test_write_stunnel_config_with_check_cert_hostname(mocker, tmpdir):
-    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
+def test_write_stunnel_config_check_cert_hostname_supported_flag_not_set(mocker, tmpdir):
+    _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=None,
+                              expected_check_cert_hostname_config_value=True)

-    config_file = mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_hostname=True), str(tmpdir), FS_ID,
-                                                      MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
-    ca_mocker.assert_called_once()

-    _validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG, _get_expected_efs_config(check_cert_hostname=True))
+def test_write_stunnel_config_check_cert_hostname_supported_flag_set_false(mocker, capsys, tmpdir):
+    _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=False,
+                              expected_check_cert_hostname_config_value=False)


-def test_write_stunnel_config_without_check_cert_hostname(mocker, capsys, tmpdir):
-    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
+def test_write_stunnel_config_check_cert_hostname_supported_flag_set_true(mocker, tmpdir):
+    _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=True,
+                              expected_check_cert_hostname_config_value=True)
+
+
+def test_write_stunnel_config_check_cert_hostname_not_supported_flag_not_specified(mocker, capsys, tmpdir):
+    _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=False, stunnel_check_cert_hostname=None,
+                              expected_check_cert_hostname_config_value=False)
+
+
+def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_false(mocker, capsys, tmpdir):
+    _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=False, stunnel_check_cert_hostname=False,
+                              expected_check_cert_hostname_config_value=False)
+
+
+def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_true(mocker, capsys, tmpdir):
+    mocker.patch('mount_efs.add_stunnel_ca_options')

    with pytest.raises(SystemExit) as ex:
        mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_hostname_supported=False,
@@ -150,18 +195,33 @@ def test_write_stunnel_config_without_check_cert_hostname(mocker, capsys, tmpdir
    assert 'stunnel_check_cert_hostname' in err


-def test_write_stunnel_config_with_check_cert_status(mocker, tmpdir):
-    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
+def test_write_stunnel_config_check_cert_validity_supported_flag_not_set(mocker, capsys, tmpdir):
+    _test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=None,
+                              expected_check_cert_validity_config_value=True)

-    config_file = mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_validity=True), str(tmpdir), FS_ID,
-                                                      MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
-    ca_mocker.assert_called_once()

-    _validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG, _get_expected_efs_config(check_cert_status=True))
+def test_write_stunnel_config_check_cert_validity_supported_flag_set_false(mocker, capsys, tmpdir):
+    _test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=False,
+                              expected_check_cert_validity_config_value=False)


-def test_write_stunnel_config_without_check_cert_status(mocker, capsys, tmpdir):
-    ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')