[3.7] bpo-32951: Disable SSLSocket/SSLObject constructor (GH-5864) (#5925)
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example, it was
not possible to enable hostname verification except with
ssl_version=PROTOCOL_TLS_CLIENT and cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 9d50ab563df6307cabbcc9883cb8c52c614b0f22)
Co-authored-by: Christian Heimes <christian@python.org>
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d978a9e..ca2357e 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -263,6 +263,11 @@
ssl.OP_NO_TLSv1_2
self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
+ def test_private_init(self):
+ with self.assertRaisesRegex(TypeError, "public constructor"):
+ with socket.socket() as s:
+ ssl.SSLSocket(s)
+
def test_str_for_enums(self):
# Make sure that the PROTOCOL_* constants have enum-like string
# reprs.
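Review bot: The new test_private_init carries no docstring, so a reader sees only a regex match on "public constructor" and has to look up the commit to learn which contract is being pinned. A one-line docstring such as `"""Direct SSLSocket() instantiation must raise TypeError; SSLContext.wrap_socket() is the supported path."""` would record the reason for the check next to the assertion. The same applies to SSLObjectTests.test_private_init in the second hunk, where the supported path is SSLContext.wrap_bio().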
@@ -1657,6 +1662,13 @@
self.assertRaises(TypeError, bio.write, 1)
+class SSLObjectTests(unittest.TestCase):
+ def test_private_init(self):
+ bio = ssl.MemoryBIO()
+ with self.assertRaisesRegex(TypeError, "public constructor"):
+ ssl.SSLObject(bio, bio)
+
+
class SimpleBackgroundTests(unittest.TestCase):
"""Tests that connect to a simple server running in the background"""
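Review bot: The added SSLObjectTests class has no class docstring, while its neighbour SimpleBackgroundTests on the next line documents its scope in one sentence, so the new class reads as inconsistent with the surrounding file. A short docstring such as `"""Tests for the ssl.SSLObject constructor."""` placed directly under the `class SSLObjectTests(unittest.TestCase):` line would match the existing style.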
@@ -2735,12 +2747,6 @@
self.assertEqual(s.server_hostname, expected_hostname)
self.assertTrue(cert, "Can't get peer certificate.")
- with ssl.SSLSocket(socket.socket(),
- server_hostname=server_hostname) as s:
- s.connect((HOST, server.port))
- s.getpeercert()
- self.assertEqual(s.server_hostname, expected_hostname)
-
# incorrect hostname should raise an exception
server = ThreadedEchoServer(context=server_context, chatty=True)
with server:
@@ -3999,7 +4005,7 @@
tests = [
ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
- SimpleBackgroundTests, ThreadedTests,
+ SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
]
if support.is_resource_enabled('network'):