Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / e8bf04de4ba045029aa8964126d8cdd2d7c282a6^! / . / Lib / test / test_ssl.py
commite8bf04de4ba045029aa8964126d8cdd2d7c282a6[log] [tgz]
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>Tue Feb 19 09:24:16 2019 -0800
committerGitHub <noreply@github.com>Tue Feb 19 09:24:16 2019 -0800
treedb1d28f8a7e88edc2f20c07c9a28a9f119724306
parent64ca72822338e0ba6e4f14d0a1cd3a9dcfa6c9ac [diff] [blame]
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)


Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy.
Use older TLS version for minimum TLS version of the server SSL context if
needed, to test TLS version older than default minimum TLS version.
(cherry picked from commit 3ef6344ee53f59ee86831ec36ed2c6f93a56229d)

Co-authored-by: Victor Stinner <vstinner@redhat.com>
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 38ecddd..8eab447 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py

@@ -34,6 +34,19 @@
 IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
 PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
 
+PROTOCOL_TO_TLS_VERSION = {}
+for proto, ver in (
+    ("PROTOCOL_SSLv23", "SSLv3"),
+    ("PROTOCOL_TLSv1", "TLSv1"),
+    ("PROTOCOL_TLSv1_1", "TLSv1_1"),
+):
+    try:
+        proto = getattr(ssl, proto)
+        ver = getattr(ssl.TLSVersion, ver)
+    except AttributeError:
+        continue
+    PROTOCOL_TO_TLS_VERSION[proto] = ver
+
 def data_file(*name):
     return os.path.join(os.path.dirname(__file__), *name)
 
@@ -1112,7 +1125,11 @@
         # Fedora override the setting to TLS 1.0.
         self.assertIn(
             ctx.minimum_version,
-            {ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.TLSv1}
+            {ssl.TLSVersion.MINIMUM_SUPPORTED,
+             # Fedora 29 uses TLS 1.0 by default
+             ssl.TLSVersion.TLSv1,
+             # RHEL 8 uses TLS 1.2 by default
+             ssl.TLSVersion.TLSv1_2}
         )
         self.assertEqual(
             ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
@@ -2630,6 +2647,17 @@
     server_context = ssl.SSLContext(server_protocol)
     server_context.options |= server_options
 
+    min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
+    if (min_version is not None
+    # SSLContext.minimum_version is only available on recent OpenSSL
+    # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
+    and hasattr(server_context, 'minimum_version')
+    and server_protocol == ssl.PROTOCOL_TLS
+    and server_context.minimum_version > min_version):
+        # If OpenSSL configuration is strict and requires more recent TLS
+        # version, we have to change the minimum to test old TLS versions.
+        server_context.minimum_version = min_version
+
     # NOTE: we must enable "ALL" ciphers on the client, otherwise an
     # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
     # starting from OpenSSL 1.0.0 (see issue #8322).