Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / ffa29b5aca1aaeae46af2582c401ef0ed20d4153^! / . / Lib / test / test_httplib.py
commitffa29b5aca1aaeae46af2582c401ef0ed20d4153[log] [tgz]
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>Mon May 06 20:51:25 2019 -0700
committerGitHub <noreply@github.com>Mon May 06 20:51:25 2019 -0700
treefe7e7b2b8f170ccf310577872bbaa3781cf305b8
parentb2d29bfa5be5a0794c7c69078c43953967fcacf4 [diff] [blame]
bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124)


Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default.  This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.

Fixing the network servers is a separate issue.
(cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 4755f8b..49263a8 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py

@@ -4,6 +4,7 @@
 import itertools
 import os
 import array
+import re
 import socket
 import threading
 
@@ -1622,14 +1623,30 @@
         # We feed the server's cert as a validating cert
         import ssl
         support.requires('network')
-        with support.transient_internet('self-signed.pythontest.net'):
+        selfsigned_pythontestdotnet = 'self-signed.pythontest.net'
+        with support.transient_internet(selfsigned_pythontestdotnet):
             context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
             self.assertEqual(context.verify_mode, ssl.CERT_REQUIRED)
             self.assertEqual(context.check_hostname, True)
             context.load_verify_locations(CERT_selfsigned_pythontestdotnet)
-            h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
-            h.request('GET', '/')
-            resp = h.getresponse()
+            try:
+                h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
+                                           context=context)
+                h.request('GET', '/')
+                resp = h.getresponse()
+            except ssl.SSLError as ssl_err:
+                ssl_err_str = str(ssl_err)
+                # In the error message of [SSL: CERTIFICATE_VERIFY_FAILED] on
+                # modern Linux distros (Debian Buster, etc) default OpenSSL
+                # configurations it'll fail saying "key too weak" until we
+                # address https://bugs.python.org/issue36816 to use a proper
+                # key size on self-signed.pythontest.net.
+                if re.search(r'(?i)key.too.weak', ssl_err_str):
+                    raise unittest.SkipTest(
+                        f'Got {ssl_err_str} trying to connect '
+                        f'to {selfsigned_pythontestdotnet}. '
+                        'See https://bugs.python.org/issue36816.')
+                raise
             server_string = resp.getheader('server')
             resp.close()
             h.close()