Issue #5639: Add a *server_hostname* argument to `SSLContext.wrap_socket`
in order to support the TLS SNI extension. `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0c8a8e6..67bc01a 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -89,6 +89,7 @@
ssl.CERT_NONE
ssl.CERT_OPTIONAL
ssl.CERT_REQUIRED
+ self.assertIn(ssl.HAS_SNI, {True, False})
def test_random(self):
v = ssl.RAND_status()
@@ -277,6 +278,12 @@
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ def test_server_side(self):
+ # server_hostname doesn't work for server sockets
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ sock = socket.socket()
+ self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
+ server_hostname="some.hostname")
class ContextTests(unittest.TestCase):
@@ -441,6 +448,14 @@
self.assertEqual({}, s.getpeercert())
finally:
s.close()
+ # Same with a server hostname
+ s = ctx.wrap_socket(socket.socket(socket.AF_INET),
+ server_hostname="svn.python.org")
+ if ssl.HAS_SNI:
+ s.connect(("svn.python.org", 443))
+ s.close()
+ else:
+ self.assertRaises(ValueError, s.connect, ("svn.python.org", 443))
# This should fail because we have no verification certs
ctx.verify_mode = ssl.CERT_REQUIRED
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
@@ -1500,6 +1515,7 @@
print("test_ssl: testing with %r %r" %
(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
print(" under %s" % plat)
+ print(" HAS_SNI = %r" % ssl.HAS_SNI)
for filename in [
CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
diff --git a/Lib/test/test_urllib2net.py b/Lib/test/test_urllib2net.py
index a4af01a..0a777c4 100644
--- a/Lib/test/test_urllib2net.py
+++ b/Lib/test/test_urllib2net.py
@@ -9,6 +9,10 @@
import urllib.error
import urllib.request
import sys
+try:
+ import ssl
+except ImportError:
+ ssl = None
TIMEOUT = 60 # seconds
@@ -278,13 +282,34 @@
self.assertEqual(u.fp.fp.raw._sock.gettimeout(), 60)
+@unittest.skipUnless(ssl, "requires SSL support")
+class HTTPSTests(unittest.TestCase):
+
+ def test_sni(self):
+ # Checks that Server Name Indication works, if supported by the
+ # OpenSSL linked to.
+ # The ssl module itself doesn't have server-side support for SNI,
+ # so we rely on a third-party test site.
+ expect_sni = ssl.HAS_SNI
+ with support.transient_internet("bob.sni.velox.ch"):
+ u = urllib.request.urlopen("https://bob.sni.velox.ch/")
+ contents = u.readall()
+ if expect_sni:
+ self.assertIn(b"Great", contents)
+ self.assertNotIn(b"Unfortunately", contents)
+ else:
+ self.assertNotIn(b"Great", contents)
+ self.assertIn(b"Unfortunately", contents)
+
+
def test_main():
support.requires("network")
support.run_unittest(AuthTests,
- OtherNetworkTests,
- CloseSocketTest,
- TimeoutTest,
- )
+ HTTPSTests,
+ OtherNetworkTests,
+ CloseSocketTest,
+ TimeoutTest,
+ )
if __name__ == "__main__":
test_main()