Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 0a3452e7cf00c51ab1af0f674b670520b09f0e39 / . / Lib / test / test_ssl.py
blob: 1a2f0fc6b69fa364ea3c2358d814793be4f286e4 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
16import enum
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]17import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]19import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]21import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]22import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]23import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]24import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]25import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]26import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]27import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]28import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]29try:
30 import ctypes
31except ImportError:
32 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]33
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]34ssl = import_helper.import_module("ssl")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]35import _ssl
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]36
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]37from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]38
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]39Py_DEBUG = hasattr(sys, 'gettotalrefcount')
40Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
41
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]42PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]43HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]44IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]45PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]46
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]47PROTOCOL_TO_TLS_VERSION = {}
48for proto, ver in (
49 ("PROTOCOL_SSLv23", "SSLv3"),
50 ("PROTOCOL_TLSv1", "TLSv1"),
51 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
52):
53 try:
54 proto = getattr(ssl, proto)
55 ver = getattr(ssl.TLSVersion, ver)
56 except AttributeError:
57 continue
58 PROTOCOL_TO_TLS_VERSION[proto] = ver
59
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]60def data_file(*name):
61 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]62
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]63# The custom key and certificate files used in test_ssl are generated
64# using Lib/test/make_ssl_certs.py.
65# Other certificates are simply fetched from the Internet servers they
66# are meant to authenticate.
67
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]68CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]69BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]70ONLYCERT = data_file("ssl_cert.pem")
71ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]72BYTES_ONLYCERT = os.fsencode(ONLYCERT)
73BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]74CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
75ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
76KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]77CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]78BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]79CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
80CAFILE_CACERT = data_file("capath", "5ed36f99.0")
81
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]82CERTFILE_INFO = {
83 'issuer': ((('countryName', 'XY'),),
84 (('localityName', 'Castle Anthrax'),),
85 (('organizationName', 'Python Software Foundation'),),
86 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]87 'notAfter': 'Aug 26 14:23:15 2028 GMT',
88 'notBefore': 'Aug 29 14:23:15 2018 GMT',
89 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]90 'subject': ((('countryName', 'XY'),),
91 (('localityName', 'Castle Anthrax'),),
92 (('organizationName', 'Python Software Foundation'),),
93 (('commonName', 'localhost'),)),
94 'subjectAltName': (('DNS', 'localhost'),),
95 'version': 3
96}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]97
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]98# empty CRL
99CRLFILE = data_file("revocation.crl")
100
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]101# Two keys and certs signed by the same CA (for SNI tests)
102SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]103SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]104
105SIGNED_CERTFILE_INFO = {
106 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
107 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
108 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
109 'issuer': ((('countryName', 'XY'),),
110 (('organizationName', 'Python Software Foundation CA'),),
111 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]112 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]113 'notBefore': 'Aug 29 14:23:16 2018 GMT',
114 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]115 'subject': ((('countryName', 'XY'),),
116 (('localityName', 'Castle Anthrax'),),
117 (('organizationName', 'Python Software Foundation'),),
118 (('commonName', 'localhost'),)),
119 'subjectAltName': (('DNS', 'localhost'),),
120 'version': 3
121}
122
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]123SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]124SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]125SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
126SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
127
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]128# Same certificate as pycacert.pem, but without extra text in file
129SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]130# cert with all kinds of subject alt names
131ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]132IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]133NOSANFILE = data_file("nosan.pem")
134NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]135
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]136REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]137
138EMPTYCERT = data_file("nullcert.pem")
139BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]140NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]141BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]142NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]143NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]144TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]145
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]146DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]147BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]148
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]149# Not defined in all versions of OpenSSL
150OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
151OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
152OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
153OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]154OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]155OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]156
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]157# Ubuntu has patched OpenSSL and changed behavior of security level 2
158# see https://bugs.python.org/issue41561#msg389003
159def is_ubuntu():
160 try:
161 # Assume that any references of "ubuntu" implies Ubuntu-like distro
162 # The workaround is not required for 18.04, but doesn't hurt either.
163 with open("/etc/os-release", encoding="utf-8") as f:
164 return "ubuntu" in f.read()
165 except FileNotFoundError:
166 return False
167
168if is_ubuntu():
169 def seclevel_workaround(*ctxs):
170 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
171 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]172 if (
173 hasattr(ctx, "minimum_version") and
174 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
175 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]176 ctx.set_ciphers("@SECLEVEL=1:ALL")
177else:
178 def seclevel_workaround(*ctxs):
179 pass
180
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]181
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]182def has_tls_protocol(protocol):
183 """Check if a TLS protocol is available and enabled
184
185 :param protocol: enum ssl._SSLMethod member or name
186 :return: bool
187 """
188 if isinstance(protocol, str):
189 assert protocol.startswith('PROTOCOL_')
190 protocol = getattr(ssl, protocol, None)
191 if protocol is None:
192 return False
193 if protocol in {
194 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
195 ssl.PROTOCOL_TLS_CLIENT
196 }:
197 # auto-negotiate protocols are always available
198 return True
199 name = protocol.name
200 return has_tls_version(name[len('PROTOCOL_'):])
201
202
203@functools.lru_cache
204def has_tls_version(version):
205 """Check if a TLS/SSL version is enabled
206
207 :param version: TLS version name or ssl.TLSVersion member
208 :return: bool
209 """
210 if version == "SSLv2":
211 # never supported and not even in TLSVersion enum
212 return False
213
214 if isinstance(version, str):
215 version = ssl.TLSVersion.__members__[version]
216
217 # check compile time flags like ssl.HAS_TLSv1_2
218 if not getattr(ssl, f'HAS_{version.name}'):
219 return False
220
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]221 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
222 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
223 return False
224
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]225 # check runtime and dynamic crypto policy settings. A TLS version may
226 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]227 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]228 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]229 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]230 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
231 version < ctx.minimum_version
232 ):
233 return False
234 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]235 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]236 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
237 version > ctx.maximum_version
238 ):
239 return False
240
241 return True
242
243
244def requires_tls_version(version):
245 """Decorator to skip tests when a required TLS version is not available
246
247 :param version: TLS version name or ssl.TLSVersion member
248 :return:
249 """
250 def decorator(func):
251 @functools.wraps(func)
252 def wrapper(*args, **kw):
253 if not has_tls_version(version):
254 raise unittest.SkipTest(f"{version} is not available.")
255 else:
256 return func(*args, **kw)
257 return wrapper
258 return decorator
259
260
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]261def handle_error(prefix):
262 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]263 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]264 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]265
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]266
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]267def utc_offset(): #NOTE: ignore issues like #1647654
268 # local time = utc time + utc offset
269 if time.daylight and time.localtime().tm_isdst > 0:
270 return -time.altzone # seconds
271 return -time.timezone
272
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]273
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]274ignore_deprecation = warnings_helper.ignore_warnings(
275 category=DeprecationWarning
276)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]277
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]278
279def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]280 cert_reqs=ssl.CERT_NONE, ca_certs=None,
281 ciphers=None, certfile=None, keyfile=None,
282 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]283 if not kwargs.get("server_side"):
284 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
285 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
286 else:
287 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]288 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]289 if cert_reqs == ssl.CERT_NONE:
290 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]291 context.verify_mode = cert_reqs
292 if ca_certs is not None:
293 context.load_verify_locations(ca_certs)
294 if certfile is not None or keyfile is not None:
295 context.load_cert_chain(certfile, keyfile)
296 if ciphers is not None:
297 context.set_ciphers(ciphers)
298 return context.wrap_socket(sock, **kwargs)
299
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]300
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]301def testing_context(server_cert=SIGNED_CERTFILE, *, server_chain=True):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]302 """Create context
303
304 client_context, server_context, hostname = testing_context()
305 """
306 if server_cert == SIGNED_CERTFILE:
307 hostname = SIGNED_CERTFILE_HOSTNAME
308 elif server_cert == SIGNED_CERTFILE2:
309 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]310 elif server_cert == NOSANFILE:
311 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]312 else:
313 raise ValueError(server_cert)
314
315 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
316 client_context.load_verify_locations(SIGNING_CA)
317
318 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
319 server_context.load_cert_chain(server_cert)
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]320 if server_chain:
321 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]322
323 return client_context, server_context, hostname
324
325
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]326class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]327
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]328 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]329 ssl.CERT_NONE
330 ssl.CERT_OPTIONAL
331 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]332 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]333 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]334 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]335 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]336 self.assertEqual(ssl.HAS_SNI, True)
337 self.assertEqual(ssl.HAS_ECDH, True)
338 self.assertEqual(ssl.HAS_TLSv1_2, True)
339 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]340 ssl.OP_NO_SSLv2
341 ssl.OP_NO_SSLv3
342 ssl.OP_NO_TLSv1
343 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]344 ssl.OP_NO_TLSv1_1
345 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]346 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]347
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame]348 def test_ssl_types(self):
349 ssl_types = [
350 _ssl._SSLContext,
351 _ssl._SSLSocket,
352 _ssl.MemoryBIO,
353 _ssl.Certificate,
354 _ssl.SSLSession,
355 _ssl.SSLError,
356 ]
357 for ssl_type in ssl_types:
358 with self.subTest(ssl_type=ssl_type):
359 with self.assertRaisesRegex(TypeError, "immutable type"):
360 ssl_type.value = None
Erlend Egeberg Aasland0a3452e2021-06-24 01:46:25 +0200[diff] [blame^]361 support.check_disallow_instantiation(self, _ssl.Certificate)
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame]362
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]363 def test_private_init(self):
364 with self.assertRaisesRegex(TypeError, "public constructor"):
365 with socket.socket() as s:
366 ssl.SSLSocket(s)
367
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]368 def test_str_for_enums(self):
369 # Make sure that the PROTOCOL_* constants have enum-like string
370 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]371 proto = ssl.PROTOCOL_TLS_CLIENT
372 self.assertEqual(str(proto), 'PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]373 ctx = ssl.SSLContext(proto)
374 self.assertIs(ctx.protocol, proto)
375
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]376 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]377 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]378 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]379 sys.stdout.write("\n RAND_status is %d (%s)\n"
380 % (v, (v and "sufficient randomness") or
381 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]382
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]383 with warnings_helper.check_warnings():
384 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]385 self.assertEqual(len(data), 16)
386 self.assertEqual(is_cryptographic, v == 1)
387 if v:
388 data = ssl.RAND_bytes(16)
389 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]390 else:
391 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]392
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]393 # negative num is invalid
394 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]395 with warnings_helper.check_warnings():
396 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]397
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]398 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]399 ssl.RAND_add(b"this is a random bytes object", 75.0)
400 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]401
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]402 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]403 # note that this uses an 'unofficial' function in _ssl.c,
404 # provided solely for this test, to exercise the certificate
405 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]406 self.assertEqual(
407 ssl._ssl._test_decode_cert(CERTFILE),
408 CERTFILE_INFO
409 )
410 self.assertEqual(
411 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
412 SIGNED_CERTFILE_INFO
413 )
414
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]415 # Issue #13034: the subjectAltName in some certificates
416 # (notably projects.developer.nokia.com:443) wasn't parsed
417 p = ssl._ssl._test_decode_cert(NOKIACERT)
418 if support.verbose:
419 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
420 self.assertEqual(p['subjectAltName'],
421 (('DNS', 'projects.developer.nokia.com'),
422 ('DNS', 'projects.forum.nokia.com'))
423 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]424 # extra OCSP and AIA fields
425 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
426 self.assertEqual(p['caIssuers'],
427 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
428 self.assertEqual(p['crlDistributionPoints'],
429 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]430
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]431 def test_parse_cert_CVE_2019_5010(self):
432 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
433 if support.verbose:
434 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
435 self.assertEqual(
436 p,
437 {
438 'issuer': (
439 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
440 'notAfter': 'Jun 14 18:00:58 2028 GMT',
441 'notBefore': 'Jun 18 18:00:58 2018 GMT',
442 'serialNumber': '02',
443 'subject': ((('countryName', 'UK'),),
444 (('commonName',
445 'codenomicon-vm-2.test.lal.cisco.com'),)),
446 'subjectAltName': (
447 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
448 'version': 3
449 }
450 )
451
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]452 def test_parse_cert_CVE_2013_4238(self):
453 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
454 if support.verbose:
455 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
456 subject = ((('countryName', 'US'),),
457 (('stateOrProvinceName', 'Oregon'),),
458 (('localityName', 'Beaverton'),),
459 (('organizationName', 'Python Software Foundation'),),
460 (('organizationalUnitName', 'Python Core Development'),),
461 (('commonName', 'null.python.org\x00example.org'),),
462 (('emailAddress', 'python-dev@python.org'),))
463 self.assertEqual(p['subject'], subject)
464 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]465 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
466 san = (('DNS', 'altnull.python.org\x00example.com'),
467 ('email', 'null@python.org\x00user@example.org'),
468 ('URI', 'http://null.python.org\x00http://example.org'),
469 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]470 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]471 else:
472 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
473 san = (('DNS', 'altnull.python.org\x00example.com'),
474 ('email', 'null@python.org\x00user@example.org'),
475 ('URI', 'http://null.python.org\x00http://example.org'),
476 ('IP Address', '192.0.2.1'),
477 ('IP Address', '<invalid>'))
478
479 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]480
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]481 def test_parse_all_sans(self):
482 p = ssl._ssl._test_decode_cert(ALLSANFILE)
483 self.assertEqual(p['subjectAltName'],
484 (
485 ('DNS', 'allsans'),
486 ('othername', '<unsupported>'),
487 ('othername', '<unsupported>'),
488 ('email', 'user@example.org'),
489 ('DNS', 'www.example.org'),
490 ('DirName',
491 ((('countryName', 'XY'),),
492 (('localityName', 'Castle Anthrax'),),
493 (('organizationName', 'Python Software Foundation'),),
494 (('commonName', 'dirname example'),))),
495 ('URI', 'https://www.python.org/'),
496 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]497 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]498 ('Registered ID', '1.2.3.4.5')
499 )
500 )
501
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]502 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]503 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]504 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]505 d1 = ssl.PEM_cert_to_DER_cert(pem)
506 p2 = ssl.DER_cert_to_PEM_cert(d1)
507 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]508 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]509 if not p2.startswith(ssl.PEM_HEADER + '\n'):
510 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
511 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
512 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]513
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]514 def test_openssl_version(self):
515 n = ssl.OPENSSL_VERSION_NUMBER
516 t = ssl.OPENSSL_VERSION_INFO
517 s = ssl.OPENSSL_VERSION
518 self.assertIsInstance(n, int)
519 self.assertIsInstance(t, tuple)
520 self.assertIsInstance(s, str)
521 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]522 # >= 1.1.1
523 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]524 # < 4.0
525 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]526 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]527 self.assertGreaterEqual(major, 1)
528 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]529 self.assertGreaterEqual(minor, 0)
530 self.assertLess(minor, 256)
531 self.assertGreaterEqual(fix, 0)
532 self.assertLess(fix, 256)
533 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]534 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]535 self.assertGreaterEqual(status, 0)
536 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]537
538 libressl_ver = f"LibreSSL {major:d}"
539 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
540 self.assertTrue(
541 s.startswith((openssl_ver, libressl_ver)),
542 (s, t, hex(n))
543 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]544
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]545 @support.cpython_only
546 def test_refcycle(self):
547 # Issue #7943: an SSL object doesn't create reference cycles with
548 # itself.
549 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]550 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]551 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]552 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]553 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]554 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]555
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]556 def test_wrapped_unconnected(self):
557 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]558 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]559 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]560 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]561 self.assertRaises(OSError, ss.recv, 1)
562 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
563 self.assertRaises(OSError, ss.recvfrom, 1)
564 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
565 self.assertRaises(OSError, ss.send, b'x')
566 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]567 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]568 self.assertRaises(NotImplementedError, ss.sendmsg,
569 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]570 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
571 self.assertRaises(NotImplementedError, ss.recvmsg_into,
572 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]573
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]574 def test_timeout(self):
575 # Issue #8524: when creating an SSL socket, the timeout of the
576 # original socket should be retained.
577 for timeout in (None, 0.0, 5.0):
578 s = socket.socket(socket.AF_INET)
579 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]580 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]581 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]582
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]583 def test_openssl111_deprecations(self):
584 options = [
585 ssl.OP_NO_TLSv1,
586 ssl.OP_NO_TLSv1_1,
587 ssl.OP_NO_TLSv1_2,
588 ssl.OP_NO_TLSv1_3
589 ]
590 protocols = [
591 ssl.PROTOCOL_TLSv1,
592 ssl.PROTOCOL_TLSv1_1,
593 ssl.PROTOCOL_TLSv1_2,
594 ssl.PROTOCOL_TLS
595 ]
596 versions = [
597 ssl.TLSVersion.SSLv3,
598 ssl.TLSVersion.TLSv1,
599 ssl.TLSVersion.TLSv1_1,
600 ]
601
602 for option in options:
603 with self.subTest(option=option):
604 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
605 with self.assertWarns(DeprecationWarning) as cm:
606 ctx.options |= option
607 self.assertEqual(
Miss Islington (bot)08f2b9d2021-06-17 03:00:56 -0700[diff] [blame]608 'ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated',
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]609 str(cm.warning)
610 )
611
612 for protocol in protocols:
613 with self.subTest(protocol=protocol):
614 with self.assertWarns(DeprecationWarning) as cm:
615 ssl.SSLContext(protocol)
616 self.assertEqual(
617 f'{protocol!r} is deprecated',
618 str(cm.warning)
619 )
620
621 for version in versions:
622 with self.subTest(version=version):
623 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
624 with self.assertWarns(DeprecationWarning) as cm:
625 ctx.minimum_version = version
626 self.assertEqual(
627 f'ssl.{version!r} is deprecated',
628 str(cm.warning)
629 )
630
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]631 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]632 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]633 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]634 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]635 "certfile must be specified",
636 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]637 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]638 "certfile must be specified for server-side operations",
639 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]640 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]641 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]642 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]643 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
644 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]645 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]646 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]647 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]648 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]649 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]650 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]651 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]652 ssl.wrap_socket(sock,
653 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]654 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]655 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]656 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]657 ssl.wrap_socket(sock,
658 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]659 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]660
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]661 def bad_cert_test(self, certfile):
662 """Check that trying to use the given client certificate fails"""
663 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
664 certfile)
665 sock = socket.socket()
666 self.addCleanup(sock.close)
667 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]668 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]669 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]670
671 def test_empty_cert(self):
672 """Wrapping with an empty cert file"""
673 self.bad_cert_test("nullcert.pem")
674
675 def test_malformed_cert(self):
676 """Wrapping with a badly formatted certificate (syntax error)"""
677 self.bad_cert_test("badcert.pem")
678
679 def test_malformed_key(self):
680 """Wrapping with a badly formatted key (syntax error)"""
681 self.bad_cert_test("badkey.pem")
682
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]683 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]684 def test_match_hostname(self):
685 def ok(cert, hostname):
686 ssl.match_hostname(cert, hostname)
687 def fail(cert, hostname):
688 self.assertRaises(ssl.CertificateError,
689 ssl.match_hostname, cert, hostname)
690
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]691 # -- Hostname matching --
692
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]693 cert = {'subject': ((('commonName', 'example.com'),),)}
694 ok(cert, 'example.com')
695 ok(cert, 'ExAmple.cOm')
696 fail(cert, 'www.example.com')
697 fail(cert, '.example.com')
698 fail(cert, 'example.org')
699 fail(cert, 'exampleXcom')
700
701 cert = {'subject': ((('commonName', '*.a.com'),),)}
702 ok(cert, 'foo.a.com')
703 fail(cert, 'bar.foo.a.com')
704 fail(cert, 'a.com')
705 fail(cert, 'Xa.com')
706 fail(cert, '.a.com')
707
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]708 # only match wildcards when they are the only thing
709 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]710 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]711 fail(cert, 'foo.com')
712 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]713 fail(cert, 'bar.com')
714 fail(cert, 'foo.a.com')
715 fail(cert, 'bar.foo.com')
716
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]717 # NULL bytes are bad, CVE-2013-4073
718 cert = {'subject': ((('commonName',
719 'null.python.org\x00example.org'),),)}
720 ok(cert, 'null.python.org\x00example.org') # or raise an error?
721 fail(cert, 'example.org')
722 fail(cert, 'null.python.org')
723
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]724 # error cases with wildcards
725 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
726 fail(cert, 'bar.foo.a.com')
727 fail(cert, 'a.com')
728 fail(cert, 'Xa.com')
729 fail(cert, '.a.com')
730
731 cert = {'subject': ((('commonName', 'a.*.com'),),)}
732 fail(cert, 'a.foo.com')
733 fail(cert, 'a..com')
734 fail(cert, 'a.com')
735
736 # wildcard doesn't match IDNA prefix 'xn--'
737 idna = 'püthon.python.org'.encode("idna").decode("ascii")
738 cert = {'subject': ((('commonName', idna),),)}
739 ok(cert, idna)
740 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
741 fail(cert, idna)
742 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
743 fail(cert, idna)
744
745 # wildcard in first fragment and IDNA A-labels in sequent fragments
746 # are supported.
747 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
748 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]749 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
750 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]751 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
752 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
753
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]754 # Slightly fake real-world example
755 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
756 'subject': ((('commonName', 'linuxfrz.org'),),),
757 'subjectAltName': (('DNS', 'linuxfr.org'),
758 ('DNS', 'linuxfr.com'),
759 ('othername', '<unsupported>'))}
760 ok(cert, 'linuxfr.org')
761 ok(cert, 'linuxfr.com')
762 # Not a "DNS" entry
763 fail(cert, '<unsupported>')
764 # When there is a subjectAltName, commonName isn't used
765 fail(cert, 'linuxfrz.org')
766
767 # A pristine real-world example
768 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
769 'subject': ((('countryName', 'US'),),
770 (('stateOrProvinceName', 'California'),),
771 (('localityName', 'Mountain View'),),
772 (('organizationName', 'Google Inc'),),
773 (('commonName', 'mail.google.com'),))}
774 ok(cert, 'mail.google.com')
775 fail(cert, 'gmail.com')
776 # Only commonName is considered
777 fail(cert, 'California')
778
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]779 # -- IPv4 matching --
780 cert = {'subject': ((('commonName', 'example.com'),),),
781 'subjectAltName': (('DNS', 'example.com'),
782 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]783 ('IP Address', '14.15.16.17'),
784 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]785 ok(cert, '10.11.12.13')
786 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]787 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
788 fail(cert, '127.1')
789 fail(cert, '14.15.16.17 ')
790 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]791 fail(cert, '14.15.16.18')
792 fail(cert, 'example.net')
793
794 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]795 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]796 cert = {'subject': ((('commonName', 'example.com'),),),
797 'subjectAltName': (
798 ('DNS', 'example.com'),
799 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
800 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
801 ok(cert, '2001::cafe')
802 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]803 fail(cert, '2003::baba ')
804 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]805 fail(cert, '2003::bebe')
806 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]807
808 # -- Miscellaneous --
809
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]810 # Neither commonName nor subjectAltName
811 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
812 'subject': ((('countryName', 'US'),),
813 (('stateOrProvinceName', 'California'),),
814 (('localityName', 'Mountain View'),),
815 (('organizationName', 'Google Inc'),))}
816 fail(cert, 'mail.google.com')
817
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]818 # No DNS entry in subjectAltName but a commonName
819 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
820 'subject': ((('countryName', 'US'),),
821 (('stateOrProvinceName', 'California'),),
822 (('localityName', 'Mountain View'),),
823 (('commonName', 'mail.google.com'),)),
824 'subjectAltName': (('othername', 'blabla'), )}
825 ok(cert, 'mail.google.com')
826
827 # No DNS entry subjectAltName and no commonName
828 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
829 'subject': ((('countryName', 'US'),),
830 (('stateOrProvinceName', 'California'),),
831 (('localityName', 'Mountain View'),),
832 (('organizationName', 'Google Inc'),)),
833 'subjectAltName': (('othername', 'blabla'),)}
834 fail(cert, 'google.com')
835
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]836 # Empty cert / no cert
837 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
838 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
839
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]840 # Issue #17980: avoid denials of service by refusing more than one
841 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]842 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
843 with self.assertRaisesRegex(
844 ssl.CertificateError,
845 "partial wildcards in leftmost label are not supported"):
846 ssl.match_hostname(cert, 'axxb.example.com')
847
848 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
849 with self.assertRaisesRegex(
850 ssl.CertificateError,
851 "wildcard can only be present in the leftmost label"):
852 ssl.match_hostname(cert, 'www.sub.example.com')
853
854 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
855 with self.assertRaisesRegex(
856 ssl.CertificateError,
857 "too many wildcards"):
858 ssl.match_hostname(cert, 'axxbxxc.example.com')
859
860 cert = {'subject': ((('commonName', '*'),),)}
861 with self.assertRaisesRegex(
862 ssl.CertificateError,
863 "sole wildcard without additional labels are not support"):
864 ssl.match_hostname(cert, 'host')
865
866 cert = {'subject': ((('commonName', '*.com'),),)}
867 with self.assertRaisesRegex(
868 ssl.CertificateError,
869 r"hostname 'com' doesn't match '\*.com'"):
870 ssl.match_hostname(cert, 'com')
871
872 # extra checks for _inet_paton()
873 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
874 with self.assertRaises(ValueError):
875 ssl._inet_paton(invalid)
876 for ipaddr in ['127.0.0.1', '192.168.0.1']:
877 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]878 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]879 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
880 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]881
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]882 def test_server_side(self):
883 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]884 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]885 with socket.socket() as sock:
886 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
887 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]888
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]889 def test_unknown_channel_binding(self):
890 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]891 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]892 c = socket.socket(socket.AF_INET)
893 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]894 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]895 with self.assertRaises(ValueError):
896 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]897 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]898
899 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
900 "'tls-unique' channel binding not available")
901 def test_tls_unique_channel_binding(self):
902 # unconnected should return None for known type
903 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]904 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]905 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]906 # the same for server-side
907 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]908 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]909 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]910
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]911 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]912 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]913 r = repr(ss)
914 with self.assertWarns(ResourceWarning) as cm:
915 ss = None
916 support.gc_collect()
917 self.assertIn(r, str(cm.warning.args[0]))
918
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]919 def test_get_default_verify_paths(self):
920 paths = ssl.get_default_verify_paths()
921 self.assertEqual(len(paths), 6)
922 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
923
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]924 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]925 env["SSL_CERT_DIR"] = CAPATH
926 env["SSL_CERT_FILE"] = CERTFILE
927 paths = ssl.get_default_verify_paths()
928 self.assertEqual(paths.cafile, CERTFILE)
929 self.assertEqual(paths.capath, CAPATH)
930
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]931 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
932 def test_enum_certificates(self):
933 self.assertTrue(ssl.enum_certificates("CA"))
934 self.assertTrue(ssl.enum_certificates("ROOT"))
935
936 self.assertRaises(TypeError, ssl.enum_certificates)
937 self.assertRaises(WindowsError, ssl.enum_certificates, "")
938
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]939 trust_oids = set()
940 for storename in ("CA", "ROOT"):
941 store = ssl.enum_certificates(storename)
942 self.assertIsInstance(store, list)
943 for element in store:
944 self.assertIsInstance(element, tuple)
945 self.assertEqual(len(element), 3)
946 cert, enc, trust = element
947 self.assertIsInstance(cert, bytes)
948 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]949 self.assertIsInstance(trust, (frozenset, set, bool))
950 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]951 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]952
953 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]954 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]955
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]956 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]957 def test_enum_crls(self):
958 self.assertTrue(ssl.enum_crls("CA"))
959 self.assertRaises(TypeError, ssl.enum_crls)
960 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]961
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]962 crls = ssl.enum_crls("CA")
963 self.assertIsInstance(crls, list)
964 for element in crls:
965 self.assertIsInstance(element, tuple)
966 self.assertEqual(len(element), 2)
967 self.assertIsInstance(element[0], bytes)
968 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]969
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]970
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]971 def test_asn1object(self):
972 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
973 '1.3.6.1.5.5.7.3.1')
974
975 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
976 self.assertEqual(val, expected)
977 self.assertEqual(val.nid, 129)
978 self.assertEqual(val.shortname, 'serverAuth')
979 self.assertEqual(val.longname, 'TLS Web Server Authentication')
980 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
981 self.assertIsInstance(val, ssl._ASN1Object)
982 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
983
984 val = ssl._ASN1Object.fromnid(129)
985 self.assertEqual(val, expected)
986 self.assertIsInstance(val, ssl._ASN1Object)
987 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]988 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
989 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]990 for i in range(1000):
991 try:
992 obj = ssl._ASN1Object.fromnid(i)
993 except ValueError:
994 pass
995 else:
996 self.assertIsInstance(obj.nid, int)
997 self.assertIsInstance(obj.shortname, str)
998 self.assertIsInstance(obj.longname, str)
999 self.assertIsInstance(obj.oid, (str, type(None)))
1000
1001 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
1002 self.assertEqual(val, expected)
1003 self.assertIsInstance(val, ssl._ASN1Object)
1004 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
1005 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
1006 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]1007 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
1008 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1009
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1010 def test_purpose_enum(self):
1011 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
1012 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
1013 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
1014 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
1015 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
1016 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
1017 '1.3.6.1.5.5.7.3.1')
1018
1019 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
1020 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
1021 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
1022 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
1023 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
1024 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
1025 '1.3.6.1.5.5.7.3.2')
1026
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1027 def test_unsupported_dtls(self):
1028 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
1029 self.addCleanup(s.close)
1030 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1031 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1032 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1033 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1034 with self.assertRaises(NotImplementedError) as cx:
1035 ctx.wrap_socket(s)
1036 self.assertEqual(str(cx.exception), "only stream sockets are supported")
1037
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1038 def cert_time_ok(self, timestring, timestamp):
1039 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
1040
1041 def cert_time_fail(self, timestring):
1042 with self.assertRaises(ValueError):
1043 ssl.cert_time_to_seconds(timestring)
1044
1045 @unittest.skipUnless(utc_offset(),
1046 'local time needs to be different from UTC')
1047 def test_cert_time_to_seconds_timezone(self):
1048 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
1049 # results if local timezone is not UTC
1050 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
1051 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
1052
1053 def test_cert_time_to_seconds(self):
1054 timestring = "Jan 5 09:34:43 2018 GMT"
1055 ts = 1515144883.0
1056 self.cert_time_ok(timestring, ts)
1057 # accept keyword parameter, assert its name
1058 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
1059 # accept both %e and %d (space or zero generated by strftime)
1060 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
1061 # case-insensitive
1062 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
1063 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
1064 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1065 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1066 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1067 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1068 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1069 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1070
1071 newyear_ts = 1230768000.0
1072 # leap seconds
1073 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1074 # same timestamp
1075 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1076
1077 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1078 # allow 60th second (even if it is not a leap second)
1079 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1080 # allow 2nd leap second for compatibility with time.strptime()
1081 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1082 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1083
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1084 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1085 # 99991231235959Z (rfc 5280)
1086 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1087
1088 @support.run_with_locale('LC_ALL', '')
1089 def test_cert_time_to_seconds_locale(self):
1090 # `cert_time_to_seconds()` should be locale independent
1091
1092 def local_february_name():
1093 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1094
1095 if local_february_name().lower() == 'feb':
1096 self.skipTest("locale-specific month name needs to be "
1097 "different from C locale")
1098
1099 # locale-independent
1100 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1101 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1102
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1103 def test_connect_ex_error(self):
1104 server = socket.socket(socket.AF_INET)
1105 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1106 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1107 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1108 cert_reqs=ssl.CERT_REQUIRED)
1109 self.addCleanup(s.close)
1110 rc = s.connect_ex((HOST, port))
1111 # Issue #19919: Windows machines or VMs hosted on Windows
1112 # machines sometimes return EWOULDBLOCK.
1113 errors = (
1114 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1115 errno.EWOULDBLOCK,
1116 )
1117 self.assertIn(rc, errors)
1118
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1119 def test_read_write_zero(self):
1120 # empty reads and writes now work, bpo-42854, bpo-31711
1121 client_context, server_context, hostname = testing_context()
1122 server = ThreadedEchoServer(context=server_context)
1123 with server:
1124 with client_context.wrap_socket(socket.socket(),
1125 server_hostname=hostname) as s:
1126 s.connect((HOST, server.port))
1127 self.assertEqual(s.recv(0), b"")
1128 self.assertEqual(s.send(b""), 0)
1129
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1130
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1131class ContextTests(unittest.TestCase):
1132
1133 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1134 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1135 with warnings_helper.check_warnings():
1136 ctx = ssl.SSLContext(protocol)
1137 self.assertEqual(ctx.protocol, protocol)
1138 with warnings_helper.check_warnings():
1139 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1140 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1141 self.assertRaises(ValueError, ssl.SSLContext, -1)
1142 self.assertRaises(ValueError, ssl.SSLContext, 42)
1143
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1144 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1145 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1146 ctx.set_ciphers("ALL")
1147 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1148 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1149 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1150
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1151 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1152 "Test applies only to Python default ciphers")
1153 def test_python_ciphers(self):
1154 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1155 ciphers = ctx.get_ciphers()
1156 for suite in ciphers:
1157 name = suite['name']
1158 self.assertNotIn("PSK", name)
1159 self.assertNotIn("SRP", name)
1160 self.assertNotIn("MD5", name)
1161 self.assertNotIn("RC4", name)
1162 self.assertNotIn("3DES", name)
1163
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1164 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1165 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1166 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1167 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1168 self.assertIn('AES256-GCM-SHA384', names)
1169 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1170
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1171 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1172 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1173 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1174 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1175 # SSLContext also enables these by default
1176 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1177 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1178 OP_ENABLE_MIDDLEBOX_COMPAT |
1179 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1180 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1181 with warnings_helper.check_warnings():
1182 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1183 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1184 with warnings_helper.check_warnings():
1185 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1186 self.assertEqual(default, ctx.options)
1187 ctx.options = 0
1188 # Ubuntu has OP_NO_SSLv3 forced on by default
1189 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1190
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1191 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1192 with warnings_helper.check_warnings():
1193 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1194 # Default value
1195 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1196 ctx.verify_mode = ssl.CERT_OPTIONAL
1197 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1198 ctx.verify_mode = ssl.CERT_REQUIRED
1199 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1200 ctx.verify_mode = ssl.CERT_NONE
1201 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1202 with self.assertRaises(TypeError):
1203 ctx.verify_mode = None
1204 with self.assertRaises(ValueError):
1205 ctx.verify_mode = 42
1206
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1207 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1208 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1209 self.assertFalse(ctx.check_hostname)
1210
1211 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1212 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1213 self.assertTrue(ctx.check_hostname)
1214
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1215 def test_hostname_checks_common_name(self):
1216 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1217 self.assertTrue(ctx.hostname_checks_common_name)
1218 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1219 ctx.hostname_checks_common_name = True
1220 self.assertTrue(ctx.hostname_checks_common_name)
1221 ctx.hostname_checks_common_name = False
1222 self.assertFalse(ctx.hostname_checks_common_name)
1223 ctx.hostname_checks_common_name = True
1224 self.assertTrue(ctx.hostname_checks_common_name)
1225 else:
1226 with self.assertRaises(AttributeError):
1227 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1228
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1229 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1230 def test_min_max_version(self):
1231 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1232 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1233 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1234 minimum_range = {
1235 # stock OpenSSL
1236 ssl.TLSVersion.MINIMUM_SUPPORTED,
1237 # Fedora 29 uses TLS 1.0 by default
1238 ssl.TLSVersion.TLSv1,
1239 # RHEL 8 uses TLS 1.2 by default
1240 ssl.TLSVersion.TLSv1_2
1241 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1242 maximum_range = {
1243 # stock OpenSSL
1244 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1245 # Fedora 32 uses TLS 1.3 by default
1246 ssl.TLSVersion.TLSv1_3
1247 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1248
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1249 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1250 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1251 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1252 self.assertIn(
1253 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1254 )
1255
1256 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1257 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1258 self.assertEqual(
1259 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1260 )
1261 self.assertEqual(
1262 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1263 )
1264
1265 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1266 ctx.maximum_version = ssl.TLSVersion.TLSv1
1267 self.assertEqual(
1268 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1269 )
1270 self.assertEqual(
1271 ctx.maximum_version, ssl.TLSVersion.TLSv1
1272 )
1273
1274 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1275 self.assertEqual(
1276 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1277 )
1278
1279 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1280 self.assertIn(
1281 ctx.maximum_version,
1282 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1283 )
1284
1285 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1286 self.assertIn(
1287 ctx.minimum_version,
1288 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1289 )
1290
1291 with self.assertRaises(ValueError):
1292 ctx.minimum_version = 42
1293
1294 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1295
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1296 self.assertIn(
1297 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1298 )
1299 self.assertEqual(
1300 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1301 )
1302 with self.assertRaises(ValueError):
1303 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1304 with self.assertRaises(ValueError):
1305 ctx.maximum_version = ssl.TLSVersion.TLSv1
1306
1307
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1308 @unittest.skipUnless(
1309 hasattr(ssl.SSLContext, 'security_level'),
1310 "requires OpenSSL >= 1.1.0"
1311 )
1312 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1313 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1314 # The default security callback allows for levels between 0-5
1315 # with OpenSSL defaulting to 1, however some vendors override the
1316 # default value (e.g. Debian defaults to 2)
1317 security_level_range = {
1318 0,
1319 1, # OpenSSL default
1320 2, # Debian
1321 3,
1322 4,
1323 5,
1324 }
1325 self.assertIn(ctx.security_level, security_level_range)
1326
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1327 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1328 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1329 # default value
1330 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1331 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1332 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1333 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1334 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1335 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1336 ctx.verify_flags = ssl.VERIFY_DEFAULT
1337 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1338 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1339 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1340 # supports any value
1341 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1342 self.assertEqual(ctx.verify_flags,
1343 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1344 with self.assertRaises(TypeError):
1345 ctx.verify_flags = None
1346
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1347 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1348 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1349 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1350 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1351 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1352 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1353 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1354 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1355 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1356 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1357 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1358 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1359 ctx.load_cert_chain(EMPTYCERT)
1360 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1361 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1362 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1363 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1364 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1365 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1366 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1367 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1368 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1369 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1370 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1371 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1372 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1373 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1374 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1375 # Password protected key and cert
1376 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1377 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1378 ctx.load_cert_chain(CERTFILE_PROTECTED,
1379 password=bytearray(KEY_PASSWORD.encode()))
1380 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1381 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1382 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1383 bytearray(KEY_PASSWORD.encode()))
1384 with self.assertRaisesRegex(TypeError, "should be a string"):
1385 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1386 with self.assertRaises(ssl.SSLError):
1387 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1388 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1389 # openssl has a fixed limit on the password buffer.
1390 # PEM_BUFSIZE is generally set to 1kb.
1391 # Return a string larger than this.
1392 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1393 # Password callback
1394 def getpass_unicode():
1395 return KEY_PASSWORD
1396 def getpass_bytes():
1397 return KEY_PASSWORD.encode()
1398 def getpass_bytearray():
1399 return bytearray(KEY_PASSWORD.encode())
1400 def getpass_badpass():
1401 return "badpass"
1402 def getpass_huge():
1403 return b'a' * (1024 * 1024)
1404 def getpass_bad_type():
1405 return 9
1406 def getpass_exception():
1407 raise Exception('getpass error')
1408 class GetPassCallable:
1409 def __call__(self):
1410 return KEY_PASSWORD
1411 def getpass(self):
1412 return KEY_PASSWORD
1413 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1414 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1415 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1416 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1417 ctx.load_cert_chain(CERTFILE_PROTECTED,
1418 password=GetPassCallable().getpass)
1419 with self.assertRaises(ssl.SSLError):
1420 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1421 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1422 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1423 with self.assertRaisesRegex(TypeError, "must return a string"):
1424 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1425 with self.assertRaisesRegex(Exception, "getpass error"):
1426 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1427 # Make sure the password function isn't called if it isn't needed
1428 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1429
1430 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1431 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1432 ctx.load_verify_locations(CERTFILE)
1433 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1434 ctx.load_verify_locations(BYTES_CERTFILE)
1435 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1436 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1437 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1438 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1439 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1440 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1441 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1442 ctx.load_verify_locations(BADCERT)
1443 ctx.load_verify_locations(CERTFILE, CAPATH)
1444 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1445
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1446 # Issue #10989: crash if the second argument type is invalid
1447 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1448
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1449 def test_load_verify_cadata(self):
1450 # test cadata
1451 with open(CAFILE_CACERT) as f:
1452 cacert_pem = f.read()
1453 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1454 with open(CAFILE_NEURONIO) as f:
1455 neuronio_pem = f.read()
1456 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1457
1458 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1459 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1460 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1461 ctx.load_verify_locations(cadata=cacert_pem)
1462 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1463 ctx.load_verify_locations(cadata=neuronio_pem)
1464 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1465 # cert already in hash table
1466 ctx.load_verify_locations(cadata=neuronio_pem)
1467 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1468
1469 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1470 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1471 combined = "\n".join((cacert_pem, neuronio_pem))
1472 ctx.load_verify_locations(cadata=combined)
1473 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1474
1475 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1476 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1477 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1478 neuronio_pem, "tail"]
1479 ctx.load_verify_locations(cadata="\n".join(combined))
1480 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1481
1482 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1483 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1484 ctx.load_verify_locations(cadata=cacert_der)
1485 ctx.load_verify_locations(cadata=neuronio_der)
1486 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1487 # cert already in hash table
1488 ctx.load_verify_locations(cadata=cacert_der)
1489 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1490
1491 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1492 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1493 combined = b"".join((cacert_der, neuronio_der))
1494 ctx.load_verify_locations(cadata=combined)
1495 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1496
1497 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1498 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1499 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1500
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1501 with self.assertRaisesRegex(
1502 ssl.SSLError,
1503 "no start line: cadata does not contain a certificate"
1504 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1505 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1506 with self.assertRaisesRegex(
1507 ssl.SSLError,
1508 "not enough data: cadata does not contain a certificate"
1509 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1510 ctx.load_verify_locations(cadata=b"broken")
1511
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1512 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1513 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1514 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1515 ctx.load_dh_params(DHFILE)
1516 if os.name != 'nt':
1517 ctx.load_dh_params(BYTES_DHFILE)
1518 self.assertRaises(TypeError, ctx.load_dh_params)
1519 self.assertRaises(TypeError, ctx.load_dh_params, None)
1520 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1521 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1522 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1523 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1524 ctx.load_dh_params(CERTFILE)
1525
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1526 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1527 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1528 ctx = ssl.SSLContext(proto)
1529 self.assertEqual(ctx.session_stats(), {
1530 'number': 0,
1531 'connect': 0,
1532 'connect_good': 0,
1533 'connect_renegotiate': 0,
1534 'accept': 0,
1535 'accept_good': 0,
1536 'accept_renegotiate': 0,
1537 'hits': 0,
1538 'misses': 0,
1539 'timeouts': 0,
1540 'cache_full': 0,
1541 })
1542
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1543 def test_set_default_verify_paths(self):
1544 # There's not much we can do to test that it acts as expected,
1545 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1546 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1547 ctx.set_default_verify_paths()
1548
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1549 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1550 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1551 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1552 ctx.set_ecdh_curve("prime256v1")
1553 ctx.set_ecdh_curve(b"prime256v1")
1554 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1555 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1556 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1557 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1558
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1559 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1560 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1561
1562 # set_servername_callback expects a callable, or None
1563 self.assertRaises(TypeError, ctx.set_servername_callback)
1564 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1565 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1566 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1567
1568 def dummycallback(sock, servername, ctx):
1569 pass
1570 ctx.set_servername_callback(None)
1571 ctx.set_servername_callback(dummycallback)
1572
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1573 def test_sni_callback_refcycle(self):
1574 # Reference cycles through the servername callback are detected
1575 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1576 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1577 def dummycallback(sock, servername, ctx, cycle=ctx):
1578 pass
1579 ctx.set_servername_callback(dummycallback)
1580 wr = weakref.ref(ctx)
1581 del ctx, dummycallback
1582 gc.collect()
1583 self.assertIs(wr(), None)
1584
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1585 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1586 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1587 self.assertEqual(ctx.cert_store_stats(),
1588 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1589 ctx.load_cert_chain(CERTFILE)
1590 self.assertEqual(ctx.cert_store_stats(),
1591 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1592 ctx.load_verify_locations(CERTFILE)
1593 self.assertEqual(ctx.cert_store_stats(),
1594 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1595 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1596 self.assertEqual(ctx.cert_store_stats(),
1597 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1598
1599 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1600 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1601 self.assertEqual(ctx.get_ca_certs(), [])
1602 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1603 ctx.load_verify_locations(CERTFILE)
1604 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1605 # but CAFILE_CACERT is a CA cert
1606 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1607 self.assertEqual(ctx.get_ca_certs(),
1608 [{'issuer': ((('organizationName', 'Root CA'),),
1609 (('organizationalUnitName', 'http://www.cacert.org'),),
1610 (('commonName', 'CA Cert Signing Authority'),),
1611 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1612 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1613 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1614 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1615 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1616 'subject': ((('organizationName', 'Root CA'),),
1617 (('organizationalUnitName', 'http://www.cacert.org'),),
1618 (('commonName', 'CA Cert Signing Authority'),),
1619 (('emailAddress', 'support@cacert.org'),)),
1620 'version': 3}])
1621
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1622 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1623 pem = f.read()
1624 der = ssl.PEM_cert_to_DER_cert(pem)
1625 self.assertEqual(ctx.get_ca_certs(True), [der])
1626
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1627 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1628 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1629 ctx.load_default_certs()
1630
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1631 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1632 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1633 ctx.load_default_certs()
1634
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1635 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1636 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1637
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1638 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1639 self.assertRaises(TypeError, ctx.load_default_certs, None)
1640 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1641
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1642 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1643 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1644 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1645 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1646 env["SSL_CERT_DIR"] = CAPATH
1647 env["SSL_CERT_FILE"] = CERTFILE
1648 ctx.load_default_certs()
1649 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1650
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1651 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1652 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1653 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1654 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1655 ctx.load_default_certs()
1656 stats = ctx.cert_store_stats()
1657
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1658 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1659 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1660 env["SSL_CERT_DIR"] = CAPATH
1661 env["SSL_CERT_FILE"] = CERTFILE
1662 ctx.load_default_certs()
1663 stats["x509"] += 1
1664 self.assertEqual(ctx.cert_store_stats(), stats)
1665
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1666 def _assert_context_options(self, ctx):
1667 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1668 if OP_NO_COMPRESSION != 0:
1669 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1670 OP_NO_COMPRESSION)
1671 if OP_SINGLE_DH_USE != 0:
1672 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1673 OP_SINGLE_DH_USE)
1674 if OP_SINGLE_ECDH_USE != 0:
1675 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1676 OP_SINGLE_ECDH_USE)
1677 if OP_CIPHER_SERVER_PREFERENCE != 0:
1678 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1679 OP_CIPHER_SERVER_PREFERENCE)
1680
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1681 def test_create_default_context(self):
1682 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1683
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1684 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1685 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1686 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1687 self._assert_context_options(ctx)
1688
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1689 with open(SIGNING_CA) as f:
1690 cadata = f.read()
1691 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1692 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1693 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1694 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1695 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1696
1697 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1698 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1699 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1700 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1701
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1702
1703
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1704 def test__create_stdlib_context(self):
1705 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1706 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1707 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1708 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1709 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1710
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1711 with warnings_helper.check_warnings():
1712 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1713 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1714 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1715 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1716
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1717 with warnings_helper.check_warnings():
1718 ctx = ssl._create_stdlib_context(
1719 ssl.PROTOCOL_TLSv1_2,
1720 cert_reqs=ssl.CERT_REQUIRED,
1721 check_hostname=True
1722 )
1723 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1724 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1725 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1726 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1727
1728 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1729 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1730 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1731 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1732
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1733 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1734 with warnings_helper.check_warnings():
1735 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1736 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1737 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1738
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1739 # Auto set CERT_REQUIRED
1740 ctx.check_hostname = True
1741 self.assertTrue(ctx.check_hostname)
1742 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1743 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1744 ctx.verify_mode = ssl.CERT_REQUIRED
1745 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1746 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1747
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1748 # Changing verify_mode does not affect check_hostname
1749 ctx.check_hostname = False
1750 ctx.verify_mode = ssl.CERT_NONE
1751 ctx.check_hostname = False
1752 self.assertFalse(ctx.check_hostname)
1753 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1754 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1755 ctx.check_hostname = True
1756 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1757 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1758
1759 ctx.check_hostname = False
1760 ctx.verify_mode = ssl.CERT_OPTIONAL
1761 ctx.check_hostname = False
1762 self.assertFalse(ctx.check_hostname)
1763 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1764 # keep CERT_OPTIONAL
1765 ctx.check_hostname = True
1766 self.assertTrue(ctx.check_hostname)
1767 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1768
1769 # Cannot set CERT_NONE with check_hostname enabled
1770 with self.assertRaises(ValueError):
1771 ctx.verify_mode = ssl.CERT_NONE
1772 ctx.check_hostname = False
1773 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1774 ctx.verify_mode = ssl.CERT_NONE
1775 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1776
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1777 def test_context_client_server(self):
1778 # PROTOCOL_TLS_CLIENT has sane defaults
1779 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1780 self.assertTrue(ctx.check_hostname)
1781 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1782
1783 # PROTOCOL_TLS_SERVER has different but also sane defaults
1784 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1785 self.assertFalse(ctx.check_hostname)
1786 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1787
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1788 def test_context_custom_class(self):
1789 class MySSLSocket(ssl.SSLSocket):
1790 pass
1791
1792 class MySSLObject(ssl.SSLObject):
1793 pass
1794
1795 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1796 ctx.sslsocket_class = MySSLSocket
1797 ctx.sslobject_class = MySSLObject
1798
1799 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1800 self.assertIsInstance(sock, MySSLSocket)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]1801 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_side=True)
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1802 self.assertIsInstance(obj, MySSLObject)
1803
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1804 def test_num_tickest(self):
1805 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1806 self.assertEqual(ctx.num_tickets, 2)
1807 ctx.num_tickets = 1
1808 self.assertEqual(ctx.num_tickets, 1)
1809 ctx.num_tickets = 0
1810 self.assertEqual(ctx.num_tickets, 0)
1811 with self.assertRaises(ValueError):
1812 ctx.num_tickets = -1
1813 with self.assertRaises(TypeError):
1814 ctx.num_tickets = None
1815
1816 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1817 self.assertEqual(ctx.num_tickets, 2)
1818 with self.assertRaises(ValueError):
1819 ctx.num_tickets = 1
1820
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1821
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1822class SSLErrorTests(unittest.TestCase):
1823
1824 def test_str(self):
1825 # The str() of a SSLError doesn't include the errno
1826 e = ssl.SSLError(1, "foo")
1827 self.assertEqual(str(e), "foo")
1828 self.assertEqual(e.errno, 1)
1829 # Same for a subclass
1830 e = ssl.SSLZeroReturnError(1, "foo")
1831 self.assertEqual(str(e), "foo")
1832 self.assertEqual(e.errno, 1)
1833
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1834 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1835 def test_lib_reason(self):
1836 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1837 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1838 with self.assertRaises(ssl.SSLError) as cm:
1839 ctx.load_dh_params(CERTFILE)
1840 self.assertEqual(cm.exception.library, 'PEM')
1841 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1842 s = str(cm.exception)
1843 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1844
1845 def test_subclass(self):
1846 # Check that the appropriate SSLError subclass is raised
1847 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1848 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1849 ctx.check_hostname = False
1850 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1851 with socket.create_server(("127.0.0.1", 0)) as s:
1852 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1853 c.setblocking(False)
1854 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1855 with self.assertRaises(ssl.SSLWantReadError) as cm:
1856 c.do_handshake()
1857 s = str(cm.exception)
1858 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1859 # For compatibility
1860 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1861
1862
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1863 def test_bad_server_hostname(self):
1864 ctx = ssl.create_default_context()
1865 with self.assertRaises(ValueError):
1866 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1867 server_hostname="")
1868 with self.assertRaises(ValueError):
1869 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1870 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1871 with self.assertRaises(TypeError):
1872 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1873 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1874
1875
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1876class MemoryBIOTests(unittest.TestCase):
1877
1878 def test_read_write(self):
1879 bio = ssl.MemoryBIO()
1880 bio.write(b'foo')
1881 self.assertEqual(bio.read(), b'foo')
1882 self.assertEqual(bio.read(), b'')
1883 bio.write(b'foo')
1884 bio.write(b'bar')
1885 self.assertEqual(bio.read(), b'foobar')
1886 self.assertEqual(bio.read(), b'')
1887 bio.write(b'baz')
1888 self.assertEqual(bio.read(2), b'ba')
1889 self.assertEqual(bio.read(1), b'z')
1890 self.assertEqual(bio.read(1), b'')
1891
1892 def test_eof(self):
1893 bio = ssl.MemoryBIO()
1894 self.assertFalse(bio.eof)
1895 self.assertEqual(bio.read(), b'')
1896 self.assertFalse(bio.eof)
1897 bio.write(b'foo')
1898 self.assertFalse(bio.eof)
1899 bio.write_eof()
1900 self.assertFalse(bio.eof)
1901 self.assertEqual(bio.read(2), b'fo')
1902 self.assertFalse(bio.eof)
1903 self.assertEqual(bio.read(1), b'o')
1904 self.assertTrue(bio.eof)
1905 self.assertEqual(bio.read(), b'')
1906 self.assertTrue(bio.eof)
1907
1908 def test_pending(self):
1909 bio = ssl.MemoryBIO()
1910 self.assertEqual(bio.pending, 0)
1911 bio.write(b'foo')
1912 self.assertEqual(bio.pending, 3)
1913 for i in range(3):
1914 bio.read(1)
1915 self.assertEqual(bio.pending, 3-i-1)
1916 for i in range(3):
1917 bio.write(b'x')
1918 self.assertEqual(bio.pending, i+1)
1919 bio.read()
1920 self.assertEqual(bio.pending, 0)
1921
1922 def test_buffer_types(self):
1923 bio = ssl.MemoryBIO()
1924 bio.write(b'foo')
1925 self.assertEqual(bio.read(), b'foo')
1926 bio.write(bytearray(b'bar'))
1927 self.assertEqual(bio.read(), b'bar')
1928 bio.write(memoryview(b'baz'))
1929 self.assertEqual(bio.read(), b'baz')
1930
1931 def test_error_types(self):
1932 bio = ssl.MemoryBIO()
1933 self.assertRaises(TypeError, bio.write, 'foo')
1934 self.assertRaises(TypeError, bio.write, None)
1935 self.assertRaises(TypeError, bio.write, True)
1936 self.assertRaises(TypeError, bio.write, 1)
1937
1938
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1939class SSLObjectTests(unittest.TestCase):
1940 def test_private_init(self):
1941 bio = ssl.MemoryBIO()
1942 with self.assertRaisesRegex(TypeError, "public constructor"):
1943 ssl.SSLObject(bio, bio)
1944
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1945 def test_unwrap(self):
1946 client_ctx, server_ctx, hostname = testing_context()
1947 c_in = ssl.MemoryBIO()
1948 c_out = ssl.MemoryBIO()
1949 s_in = ssl.MemoryBIO()
1950 s_out = ssl.MemoryBIO()
1951 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1952 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1953
1954 # Loop on the handshake for a bit to get it settled
1955 for _ in range(5):
1956 try:
1957 client.do_handshake()
1958 except ssl.SSLWantReadError:
1959 pass
1960 if c_out.pending:
1961 s_in.write(c_out.read())
1962 try:
1963 server.do_handshake()
1964 except ssl.SSLWantReadError:
1965 pass
1966 if s_out.pending:
1967 c_in.write(s_out.read())
1968 # Now the handshakes should be complete (don't raise WantReadError)
1969 client.do_handshake()
1970 server.do_handshake()
1971
1972 # Now if we unwrap one side unilaterally, it should send close-notify
1973 # and raise WantReadError:
1974 with self.assertRaises(ssl.SSLWantReadError):
1975 client.unwrap()
1976
1977 # But server.unwrap() does not raise, because it reads the client's
1978 # close-notify:
1979 s_in.write(c_out.read())
1980 server.unwrap()
1981
1982 # And now that the client gets the server's close-notify, it doesn't
1983 # raise either.
1984 c_in.write(s_out.read())
1985 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1986
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1987class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1988 """Tests that connect to a simple server running in the background"""
1989
1990 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1991 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1992 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1993 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1994 self.server_addr = (HOST, server.port)
1995 server.__enter__()
1996 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1997
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1998 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1999 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2000 cert_reqs=ssl.CERT_NONE) as s:
2001 s.connect(self.server_addr)
2002 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]2003 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]2004
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2005 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2006 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2007 cert_reqs=ssl.CERT_REQUIRED,
2008 ca_certs=SIGNING_CA) as s:
2009 s.connect(self.server_addr)
2010 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]2011 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2012
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2013 def test_connect_fail(self):
2014 # This should fail because we have no verification certs. Connection
2015 # failure crashes ThreadedEchoServer, so run this in an independent
2016 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2017 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2018 cert_reqs=ssl.CERT_REQUIRED)
2019 self.addCleanup(s.close)
2020 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2021 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2022
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2023 def test_connect_ex(self):
2024 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2025 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2026 cert_reqs=ssl.CERT_REQUIRED,
2027 ca_certs=SIGNING_CA)
2028 self.addCleanup(s.close)
2029 self.assertEqual(0, s.connect_ex(self.server_addr))
2030 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2031
2032 def test_non_blocking_connect_ex(self):
2033 # Issue #11326: non-blocking connect_ex() should allow handshake
2034 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2035 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2036 cert_reqs=ssl.CERT_REQUIRED,
2037 ca_certs=SIGNING_CA,
2038 do_handshake_on_connect=False)
2039 self.addCleanup(s.close)
2040 s.setblocking(False)
2041 rc = s.connect_ex(self.server_addr)
2042 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
2043 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
2044 # Wait for connect to finish
2045 select.select([], [s], [], 5.0)
2046 # Non-blocking handshake
2047 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2048 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2049 s.do_handshake()
2050 break
2051 except ssl.SSLWantReadError:
2052 select.select([s], [], [], 5.0)
2053 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2054 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2055 # SSL established
2056 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]2057
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2058 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2059 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2060 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2061 ctx.check_hostname = False
2062 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2063 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2064 s.connect(self.server_addr)
2065 self.assertEqual({}, s.getpeercert())
2066 # Same with a server hostname
2067 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2068 server_hostname="dummy") as s:
2069 s.connect(self.server_addr)
2070 ctx.verify_mode = ssl.CERT_REQUIRED
2071 # This should succeed because we specify the root cert
2072 ctx.load_verify_locations(SIGNING_CA)
2073 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2074 s.connect(self.server_addr)
2075 cert = s.getpeercert()
2076 self.assertTrue(cert)
2077
2078 def test_connect_with_context_fail(self):
2079 # This should fail because we have no verification certs. Connection
2080 # failure crashes ThreadedEchoServer, so run this in an independent
2081 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2082 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2083 s = ctx.wrap_socket(
2084 socket.socket(socket.AF_INET),
2085 server_hostname=SIGNED_CERTFILE_HOSTNAME
2086 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2087 self.addCleanup(s.close)
2088 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2089 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2090
2091 def test_connect_capath(self):
2092 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2093 # NOTE: the subject hashing algorithm has been changed between
2094 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2095 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2096 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2097 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2098 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2099 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2100 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2101 s.connect(self.server_addr)
2102 cert = s.getpeercert()
2103 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2104
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2105 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2106 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2107 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2108 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2109 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2110 s.connect(self.server_addr)
2111 cert = s.getpeercert()
2112 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2113
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2114 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2115 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2116 pem = f.read()
2117 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2118 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2119 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2120 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2121 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2122 s.connect(self.server_addr)
2123 cert = s.getpeercert()
2124 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2125
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2126 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2127 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2128 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2129 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2130 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2131 s.connect(self.server_addr)
2132 cert = s.getpeercert()
2133 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2134
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2135 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2136 def test_makefile_close(self):
2137 # Issue #5238: creating a file-like object with makefile() shouldn't
2138 # delay closing the underlying "real socket" (here tested with its
2139 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2140 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2141 ss.connect(self.server_addr)
2142 fd = ss.fileno()
2143 f = ss.makefile()
2144 f.close()
2145 # The fd is still open
2146 os.read(fd, 0)
2147 # Closing the SSL socket should close the fd too
2148 ss.close()
2149 gc.collect()
2150 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2151 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2152 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2153
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2154 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2155 s = socket.socket(socket.AF_INET)
2156 s.connect(self.server_addr)
2157 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2158 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2159 cert_reqs=ssl.CERT_NONE,
2160 do_handshake_on_connect=False)
2161 self.addCleanup(s.close)
2162 count = 0
2163 while True:
2164 try:
2165 count += 1
2166 s.do_handshake()
2167 break
2168 except ssl.SSLWantReadError:
2169 select.select([s], [], [])
2170 except ssl.SSLWantWriteError:
2171 select.select([], [s], [])
2172 if support.verbose:
2173 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2174
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2175 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2176 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2177
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2178 def test_get_server_certificate_sni(self):
2179 host, port = self.server_addr
2180 server_names = []
2181
2182 # We store servername_cb arguments to make sure they match the host
2183 def servername_cb(ssl_sock, server_name, initial_context):
2184 server_names.append(server_name)
2185 self.server_context.set_servername_callback(servername_cb)
2186
2187 pem = ssl.get_server_certificate((host, port))
2188 if not pem:
2189 self.fail("No server certificate on %s:%s!" % (host, port))
2190
2191 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2192 if not pem:
2193 self.fail("No server certificate on %s:%s!" % (host, port))
2194 if support.verbose:
2195 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2196
2197 self.assertEqual(server_names, [host, host])
2198
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2199 def test_get_server_certificate_fail(self):
2200 # Connection failure crashes ThreadedEchoServer, so run this in an
2201 # independent test method
2202 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2203
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2204 def test_get_server_certificate_timeout(self):
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2205 def servername_cb(ssl_sock, server_name, initial_context):
2206 time.sleep(0.2)
2207 self.server_context.set_servername_callback(servername_cb)
2208
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2209 with self.assertRaises(socket.timeout):
2210 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2211 timeout=0.1)
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2212
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2213 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2214 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2215 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2216 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2217 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2218 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2219 s.connect(self.server_addr)
2220 # Error checking can happen at instantiation or when connecting
2221 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2222 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2223 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2224 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2225 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2226
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2227 def test_get_ca_certs_capath(self):
2228 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2229 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2230 ctx.load_verify_locations(capath=CAPATH)
2231 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2232 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2233 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2234 s.connect(self.server_addr)
2235 cert = s.getpeercert()
2236 self.assertTrue(cert)
2237 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2238
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2239 def test_context_setget(self):
2240 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2241 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2242 ctx1.load_verify_locations(capath=CAPATH)
2243 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2244 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2245 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2246 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2247 ss.connect(self.server_addr)
2248 self.assertIs(ss.context, ctx1)
2249 self.assertIs(ss._sslobj.context, ctx1)
2250 ss.context = ctx2
2251 self.assertIs(ss.context, ctx2)
2252 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2253
2254 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2255 # A simple IO loop. Call func(*args) depending on the error we get
2256 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2257 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2258 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2259 count = 0
2260 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2261 if time.monotonic() > deadline:
2262 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2263 errno = None
2264 count += 1
2265 try:
2266 ret = func(*args)
2267 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2268 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2269 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2270 raise
2271 errno = e.errno
2272 # Get any data from the outgoing BIO irrespective of any error, and
2273 # send it to the socket.
2274 buf = outgoing.read()
2275 sock.sendall(buf)
2276 # If there's no error, we're done. For WANT_READ, we need to get
2277 # data from the socket and put it in the incoming BIO.
2278 if errno is None:
2279 break
2280 elif errno == ssl.SSL_ERROR_WANT_READ:
2281 buf = sock.recv(32768)
2282 if buf:
2283 incoming.write(buf)
2284 else:
2285 incoming.write_eof()
2286 if support.verbose:
2287 sys.stdout.write("Needed %d calls to complete %s().\n"
2288 % (count, func.__name__))
2289 return ret
2290
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2291 def test_bio_handshake(self):
2292 sock = socket.socket(socket.AF_INET)
2293 self.addCleanup(sock.close)
2294 sock.connect(self.server_addr)
2295 incoming = ssl.MemoryBIO()
2296 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2297 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2298 self.assertTrue(ctx.check_hostname)
2299 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2300 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2301 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2302 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2303 self.assertIs(sslobj._sslobj.owner, sslobj)
2304 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2305 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2306 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2307 self.assertRaises(ValueError, sslobj.getpeercert)
2308 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2309 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2310 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2311 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2312 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2313 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2314 self.assertTrue(sslobj.getpeercert())
2315 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2316 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2317 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2318 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2319 except ssl.SSLSyscallError:
2320 # If the server shuts down the TCP connection without sending a
2321 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2322 pass
2323 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2324
2325 def test_bio_read_write_data(self):
2326 sock = socket.socket(socket.AF_INET)
2327 self.addCleanup(sock.close)
2328 sock.connect(self.server_addr)
2329 incoming = ssl.MemoryBIO()
2330 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2331 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2332 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2333 ctx.verify_mode = ssl.CERT_NONE
2334 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2335 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2336 req = b'FOO\n'
2337 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2338 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2339 self.assertEqual(buf, b'foo\n')
2340 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2341
2342
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2343class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2344
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2345 def test_timeout_connect_ex(self):
2346 # Issue #12065: on a timeout, connect_ex() should return the original
2347 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2348 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2349 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2350 cert_reqs=ssl.CERT_REQUIRED,
2351 do_handshake_on_connect=False)
2352 self.addCleanup(s.close)
2353 s.settimeout(0.0000001)
2354 rc = s.connect_ex((REMOTE_HOST, 443))
2355 if rc == 0:
2356 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2357 elif rc == errno.ENETUNREACH:
2358 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2359 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2360
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2361 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2362 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2363 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2364 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2365 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2366
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2367
2368def _test_get_server_certificate(test, host, port, cert=None):
2369 pem = ssl.get_server_certificate((host, port))
2370 if not pem:
2371 test.fail("No server certificate on %s:%s!" % (host, port))
2372
2373 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2374 if not pem:
2375 test.fail("No server certificate on %s:%s!" % (host, port))
2376 if support.verbose:
2377 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2378
2379def _test_get_server_certificate_fail(test, host, port):
2380 try:
2381 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2382 except ssl.SSLError as x:
2383 #should fail
2384 if support.verbose:
2385 sys.stdout.write("%s\n" % x)
2386 else:
2387 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2388
2389
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2390from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2391
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2392class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2393
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2394 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2395
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2396 """A mildly complicated class, because we want it to work both
2397 with and without the SSL wrapper around the socket connection, so
2398 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2399
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2400 def __init__(self, server, connsock, addr):
2401 self.server = server
2402 self.running = False
2403 self.sock = connsock
2404 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2405 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2406 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2407 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2408 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2409
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2410 def wrap_conn(self):
2411 try:
2412 self.sslconn = self.server.context.wrap_socket(
2413 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2414 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2415 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2416 # We treat ConnectionResetError as though it were an
2417 # SSLError - OpenSSL on Ubuntu abruptly closes the
2418 # connection when asked to use an unsupported protocol.
2419 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2420 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2421 # tries to send session tickets after handshake.
2422 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2423 #
2424 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2425 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2426 self.server.conn_errors.append(str(e))
2427 if self.server.chatty:
2428 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2429 self.running = False
2430 self.close()
2431 return False
2432 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2433 # OSError may occur with wrong protocols, e.g. both
2434 # sides use PROTOCOL_TLS_SERVER.
2435 #
2436 # XXX Various errors can have happened here, for example
2437 # a mismatching protocol version, an invalid certificate,
2438 # or a low-level bug. This should be made more discriminating.
2439 #
2440 # bpo-31323: Store the exception as string to prevent
2441 # a reference leak: server -> conn_errors -> exception
2442 # -> traceback -> self (ConnectionHandler) -> server
2443 self.server.conn_errors.append(str(e))
2444 if self.server.chatty:
2445 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2446 self.running = False
2447 self.server.stop()
2448 self.close()
2449 return False
2450 else:
2451 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2452 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2453 cert = self.sslconn.getpeercert()
2454 if support.verbose and self.server.chatty:
2455 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2456 cert_binary = self.sslconn.getpeercert(True)
2457 if support.verbose and self.server.chatty:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2458 if cert_binary is None:
2459 sys.stdout.write(" client did not provide a cert\n")
2460 else:
2461 sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2462 cipher = self.sslconn.cipher()
2463 if support.verbose and self.server.chatty:
2464 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2465 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2466
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2467 def read(self):
2468 if self.sslconn:
2469 return self.sslconn.read()
2470 else:
2471 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2472
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2473 def write(self, bytes):
2474 if self.sslconn:
2475 return self.sslconn.write(bytes)
2476 else:
2477 return self.sock.send(bytes)
2478
2479 def close(self):
2480 if self.sslconn:
2481 self.sslconn.close()
2482 else:
2483 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2484
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2485 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2486 self.running = True
2487 if not self.server.starttls_server:
2488 if not self.wrap_conn():
2489 return
2490 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2491 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2492 msg = self.read()
2493 stripped = msg.strip()
2494 if not stripped:
2495 # eof, so quit this handler
2496 self.running = False
2497 try:
2498 self.sock = self.sslconn.unwrap()
2499 except OSError:
2500 # Many tests shut the TCP connection down
2501 # without an SSL shutdown. This causes
2502 # unwrap() to raise OSError with errno=0!
2503 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2504 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2505 self.sslconn = None
2506 self.close()
2507 elif stripped == b'over':
2508 if support.verbose and self.server.connectionchatty:
2509 sys.stdout.write(" server: client closed connection\n")
2510 self.close()
2511 return
2512 elif (self.server.starttls_server and
2513 stripped == b'STARTTLS'):
2514 if support.verbose and self.server.connectionchatty:
2515 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2516 self.write(b"OK\n")
2517 if not self.wrap_conn():
2518 return
2519 elif (self.server.starttls_server and self.sslconn
2520 and stripped == b'ENDTLS'):
2521 if support.verbose and self.server.connectionchatty:
2522 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2523 self.write(b"OK\n")
2524 self.sock = self.sslconn.unwrap()
2525 self.sslconn = None
2526 if support.verbose and self.server.connectionchatty:
2527 sys.stdout.write(" server: connection is now unencrypted...\n")
2528 elif stripped == b'CB tls-unique':
2529 if support.verbose and self.server.connectionchatty:
2530 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2531 data = self.sslconn.get_channel_binding("tls-unique")
2532 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2533 elif stripped == b'PHA':
2534 if support.verbose and self.server.connectionchatty:
2535 sys.stdout.write(" server: initiating post handshake auth\n")
2536 try:
2537 self.sslconn.verify_client_post_handshake()
2538 except ssl.SSLError as e:
2539 self.write(repr(e).encode("us-ascii") + b"\n")
2540 else:
2541 self.write(b"OK\n")
2542 elif stripped == b'HASCERT':
2543 if self.sslconn.getpeercert() is not None:
2544 self.write(b'TRUE\n')
2545 else:
2546 self.write(b'FALSE\n')
2547 elif stripped == b'GETCERT':
2548 cert = self.sslconn.getpeercert()
2549 self.write(repr(cert).encode("us-ascii") + b"\n")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]2550 elif stripped == b'VERIFIEDCHAIN':
2551 certs = self.sslconn._sslobj.get_verified_chain()
2552 self.write(len(certs).to_bytes(1, "big") + b"\n")
2553 elif stripped == b'UNVERIFIEDCHAIN':
2554 certs = self.sslconn._sslobj.get_unverified_chain()
2555 self.write(len(certs).to_bytes(1, "big") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2556 else:
2557 if (support.verbose and
2558 self.server.connectionchatty):
2559 ctype = (self.sslconn and "encrypted") or "unencrypted"
2560 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2561 % (msg, ctype, msg.lower(), ctype))
2562 self.write(msg.lower())
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2563 except OSError as e:
2564 # handles SSLError and socket errors
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2565 if self.server.chatty and support.verbose:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2566 if isinstance(e, ConnectionError):
2567 # OpenSSL 1.1.1 sometimes raises
2568 # ConnectionResetError when connection is not
2569 # shut down gracefully.
2570 print(
2571 f" Connection reset by peer: {self.addr}"
2572 )
2573 else:
2574 handle_error("Test server failure:\n")
2575 try:
2576 self.write(b"ERROR\n")
2577 except OSError:
2578 pass
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2579 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2580 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2581
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2582 # normally, we'd just stop here, but for the test
2583 # harness, we want to stop the server
2584 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2585
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2586 def __init__(self, certificate=None, ssl_version=None,
2587 certreqs=None, cacerts=None,
2588 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2589 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2590 ciphers=None, context=None):
2591 if context:
2592 self.context = context
2593 else:
2594 self.context = ssl.SSLContext(ssl_version
2595 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2596 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2597 self.context.verify_mode = (certreqs if certreqs is not None
2598 else ssl.CERT_NONE)
2599 if cacerts:
2600 self.context.load_verify_locations(cacerts)
2601 if certificate:
2602 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2603 if alpn_protocols:
2604 self.context.set_alpn_protocols(alpn_protocols)
2605 if ciphers:
2606 self.context.set_ciphers(ciphers)
2607 self.chatty = chatty
2608 self.connectionchatty = connectionchatty
2609 self.starttls_server = starttls_server
2610 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2611 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2612 self.flag = None
2613 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2614 self.selected_alpn_protocols = []
2615 self.shared_ciphers = []
2616 self.conn_errors = []
2617 threading.Thread.__init__(self)
2618 self.daemon = True
2619
2620 def __enter__(self):
2621 self.start(threading.Event())
2622 self.flag.wait()
2623 return self
2624
2625 def __exit__(self, *args):
2626 self.stop()
2627 self.join()
2628
2629 def start(self, flag=None):
2630 self.flag = flag
2631 threading.Thread.start(self)
2632
2633 def run(self):
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2634 self.sock.settimeout(1.0)
2635 self.sock.listen(5)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2636 self.active = True
2637 if self.flag:
2638 # signal an event
2639 self.flag.set()
2640 while self.active:
2641 try:
2642 newconn, connaddr = self.sock.accept()
2643 if support.verbose and self.chatty:
2644 sys.stdout.write(' server: new connection from '
2645 + repr(connaddr) + '\n')
2646 handler = self.ConnectionHandler(self, newconn, connaddr)
2647 handler.start()
2648 handler.join()
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2649 except TimeoutError as e:
2650 if support.verbose:
2651 sys.stdout.write(f' connection timeout {e!r}\n')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2652 except KeyboardInterrupt:
2653 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2654 except BaseException as e:
2655 if support.verbose and self.chatty:
2656 sys.stdout.write(
2657 ' connection handling failed: ' + repr(e) + '\n')
2658
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2659 self.close()
2660
2661 def close(self):
2662 if self.sock is not None:
2663 self.sock.close()
2664 self.sock = None
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2665
2666 def stop(self):
2667 self.active = False
2668
2669class AsyncoreEchoServer(threading.Thread):
2670
2671 # this one's based on asyncore.dispatcher
2672
2673 class EchoServer (asyncore.dispatcher):
2674
2675 class ConnectionHandler(asyncore.dispatcher_with_send):
2676
2677 def __init__(self, conn, certfile):
2678 self.socket = test_wrap_socket(conn, server_side=True,
2679 certfile=certfile,
2680 do_handshake_on_connect=False)
2681 asyncore.dispatcher_with_send.__init__(self, self.socket)
2682 self._ssl_accepting = True
2683 self._do_ssl_handshake()
2684
2685 def readable(self):
2686 if isinstance(self.socket, ssl.SSLSocket):
2687 while self.socket.pending() > 0:
2688 self.handle_read_event()
2689 return True
2690
2691 def _do_ssl_handshake(self):
2692 try:
2693 self.socket.do_handshake()
2694 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2695 return
2696 except ssl.SSLEOFError:
2697 return self.handle_close()
2698 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2699 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2700 except OSError as err:
2701 if err.args[0] == errno.ECONNABORTED:
2702 return self.handle_close()
2703 else:
2704 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2705
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2706 def handle_read(self):
2707 if self._ssl_accepting:
2708 self._do_ssl_handshake()
2709 else:
2710 data = self.recv(1024)
2711 if support.verbose:
2712 sys.stdout.write(" server: read %s from client\n" % repr(data))
2713 if not data:
2714 self.close()
2715 else:
2716 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2717
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2718 def handle_close(self):
2719 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2720 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2721 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2722
2723 def handle_error(self):
2724 raise
2725
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2726 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2727 self.certfile = certfile
2728 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2729 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2730 asyncore.dispatcher.__init__(self, sock)
2731 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2732
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2733 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2734 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2735 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2736 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2737
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2738 def handle_error(self):
2739 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2740
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2741 def __init__(self, certfile):
2742 self.flag = None
2743 self.active = False
2744 self.server = self.EchoServer(certfile)
2745 self.port = self.server.port
2746 threading.Thread.__init__(self)
2747 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2748
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2749 def __str__(self):
2750 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2751
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2752 def __enter__(self):
2753 self.start(threading.Event())
2754 self.flag.wait()
2755 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2756
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2757 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2758 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2759 sys.stdout.write(" cleanup: stopping server.\n")
2760 self.stop()
2761 if support.verbose:
2762 sys.stdout.write(" cleanup: joining server thread.\n")
2763 self.join()
2764 if support.verbose:
2765 sys.stdout.write(" cleanup: successfully joined.\n")
2766 # make sure that ConnectionHandler is removed from socket_map
2767 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2768
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2769 def start (self, flag=None):
2770 self.flag = flag
2771 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2772
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2773 def run(self):
2774 self.active = True
2775 if self.flag:
2776 self.flag.set()
2777 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2778 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2779 asyncore.loop(1)
2780 except:
2781 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2782
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2783 def stop(self):
2784 self.active = False
2785 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2786
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2787def server_params_test(client_context, server_context, indata=b"FOO\n",
2788 chatty=True, connectionchatty=False, sni_name=None,
2789 session=None):
2790 """
2791 Launch a server, connect a client to it and try various reads
2792 and writes.
2793 """
2794 stats = {}
2795 server = ThreadedEchoServer(context=server_context,
2796 chatty=chatty,
2797 connectionchatty=False)
2798 with server:
2799 with client_context.wrap_socket(socket.socket(),
2800 server_hostname=sni_name, session=session) as s:
2801 s.connect((HOST, server.port))
2802 for arg in [indata, bytearray(indata), memoryview(indata)]:
2803 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2804 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2805 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2806 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2807 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2808 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2809 if connectionchatty:
2810 if support.verbose:
2811 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2812 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2813 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2814 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2815 % (outdata[:20], len(outdata),
2816 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2817 s.write(b"over\n")
2818 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2819 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2820 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2821 stats.update({
2822 'compression': s.compression(),
2823 'cipher': s.cipher(),
2824 'peercert': s.getpeercert(),
2825 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2826 'version': s.version(),
2827 'session_reused': s.session_reused,
2828 'session': s.session,
2829 })
2830 s.close()
2831 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2832 stats['server_shared_ciphers'] = server.shared_ciphers
2833 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2834
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2835def try_protocol_combo(server_protocol, client_protocol, expect_success,
2836 certsreqs=None, server_options=0, client_options=0):
2837 """
2838 Try to SSL-connect using *client_protocol* to *server_protocol*.
2839 If *expect_success* is true, assert that the connection succeeds,
2840 if it's false, assert that the connection fails.
2841 Also, if *expect_success* is a string, assert that it is the protocol
2842 version actually used by the connection.
2843 """
2844 if certsreqs is None:
2845 certsreqs = ssl.CERT_NONE
2846 certtype = {
2847 ssl.CERT_NONE: "CERT_NONE",
2848 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2849 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2850 }[certsreqs]
2851 if support.verbose:
2852 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2853 sys.stdout.write(formatstr %
2854 (ssl.get_protocol_name(client_protocol),
2855 ssl.get_protocol_name(server_protocol),
2856 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2857
2858 with warnings_helper.check_warnings():
2859 # ignore Deprecation warnings
2860 client_context = ssl.SSLContext(client_protocol)
2861 client_context.options |= client_options
2862 server_context = ssl.SSLContext(server_protocol)
2863 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2864
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2865 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2866 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2867 # SSLContext.minimum_version is only available on recent OpenSSL
2868 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2869 and hasattr(server_context, 'minimum_version')
2870 and server_protocol == ssl.PROTOCOL_TLS
2871 and server_context.minimum_version > min_version
2872 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2873 # If OpenSSL configuration is strict and requires more recent TLS
2874 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2875 with warnings_helper.check_warnings():
2876 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2877
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2878 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2879 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2880 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2881 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2882 client_context.set_ciphers("ALL")
2883
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2884 seclevel_workaround(server_context, client_context)
2885
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2886 for ctx in (client_context, server_context):
2887 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2888 ctx.load_cert_chain(SIGNED_CERTFILE)
2889 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2890 try:
2891 stats = server_params_test(client_context, server_context,
2892 chatty=False, connectionchatty=False)
2893 # Protocol mismatch can result in either an SSLError, or a
2894 # "Connection reset by peer" error.
2895 except ssl.SSLError:
2896 if expect_success:
2897 raise
2898 except OSError as e:
2899 if expect_success or e.errno != errno.ECONNRESET:
2900 raise
2901 else:
2902 if not expect_success:
2903 raise AssertionError(
2904 "Client protocol %s succeeded with server protocol %s!"
2905 % (ssl.get_protocol_name(client_protocol),
2906 ssl.get_protocol_name(server_protocol)))
2907 elif (expect_success is not True
2908 and expect_success != stats['version']):
2909 raise AssertionError("version mismatch: expected %r, got %r"
2910 % (expect_success, stats['version']))
2911
2912
2913class ThreadedTests(unittest.TestCase):
2914
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2915 def test_echo(self):
2916 """Basic test of an SSL client connecting to a server"""
2917 if support.verbose:
2918 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2919
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2920 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2921
2922 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2923 server_params_test(client_context=client_context,
2924 server_context=server_context,
2925 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2926 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2927
2928 client_context.check_hostname = False
2929 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2930 with self.assertRaises(ssl.SSLError) as e:
2931 server_params_test(client_context=server_context,
2932 server_context=client_context,
2933 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2934 sni_name=hostname)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2935 self.assertIn(
2936 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2937 str(e.exception)
2938 )
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2939
2940 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2941 with self.assertRaises(ssl.SSLError) as e:
2942 server_params_test(client_context=server_context,
2943 server_context=server_context,
2944 chatty=True, connectionchatty=True)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2945 self.assertIn(
2946 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2947 str(e.exception)
2948 )
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2949
2950 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2951 with self.assertRaises(ssl.SSLError) as e:
2952 server_params_test(client_context=server_context,
2953 server_context=client_context,
2954 chatty=True, connectionchatty=True)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2955 self.assertIn(
2956 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2957 str(e.exception))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2958
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2959 def test_getpeercert(self):
2960 if support.verbose:
2961 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2962
2963 client_context, server_context, hostname = testing_context()
2964 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2965 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2966 with client_context.wrap_socket(socket.socket(),
2967 do_handshake_on_connect=False,
2968 server_hostname=hostname) as s:
2969 s.connect((HOST, server.port))
2970 # getpeercert() raise ValueError while the handshake isn't
2971 # done.
2972 with self.assertRaises(ValueError):
2973 s.getpeercert()
2974 s.do_handshake()
2975 cert = s.getpeercert()
2976 self.assertTrue(cert, "Can't get peer certificate.")
2977 cipher = s.cipher()
2978 if support.verbose:
2979 sys.stdout.write(pprint.pformat(cert) + '\n')
2980 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2981 if 'subject' not in cert:
2982 self.fail("No subject field in certificate: %s." %
2983 pprint.pformat(cert))
2984 if ((('organizationName', 'Python Software Foundation'),)
2985 not in cert['subject']):
2986 self.fail(
2987 "Missing or invalid 'organizationName' field in certificate subject; "
2988 "should be 'Python Software Foundation'.")
2989 self.assertIn('notBefore', cert)
2990 self.assertIn('notAfter', cert)
2991 before = ssl.cert_time_to_seconds(cert['notBefore'])
2992 after = ssl.cert_time_to_seconds(cert['notAfter'])
2993 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2994
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2995 def test_crl_check(self):
2996 if support.verbose:
2997 sys.stdout.write("\n")
2998
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2999 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3000
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3001 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3002 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3003
3004 # VERIFY_DEFAULT should pass
3005 server = ThreadedEchoServer(context=server_context, chatty=True)
3006 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3007 with client_context.wrap_socket(socket.socket(),
3008 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]3009 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3010 cert = s.getpeercert()
3011 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3012
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3013 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3014 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3015
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3016 server = ThreadedEchoServer(context=server_context, chatty=True)
3017 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3018 with client_context.wrap_socket(socket.socket(),
3019 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3020 with self.assertRaisesRegex(ssl.SSLError,
3021 "certificate verify failed"):
3022 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3023
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3024 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3025 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3026
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3027 server = ThreadedEchoServer(context=server_context, chatty=True)
3028 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3029 with client_context.wrap_socket(socket.socket(),
3030 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3031 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3032 cert = s.getpeercert()
3033 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3034
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3035 def test_check_hostname(self):
3036 if support.verbose:
3037 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3038
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3039 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3040
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3041 # correct hostname should verify
3042 server = ThreadedEchoServer(context=server_context, chatty=True)
3043 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3044 with client_context.wrap_socket(socket.socket(),
3045 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3046 s.connect((HOST, server.port))
3047 cert = s.getpeercert()
3048 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3049
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3050 # incorrect hostname should raise an exception
3051 server = ThreadedEchoServer(context=server_context, chatty=True)
3052 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3053 with client_context.wrap_socket(socket.socket(),
3054 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]3055 with self.assertRaisesRegex(
3056 ssl.CertificateError,
3057 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3058 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3059
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3060 # missing server_hostname arg should cause an exception, too
3061 server = ThreadedEchoServer(context=server_context, chatty=True)
3062 with server:
3063 with socket.socket() as s:
3064 with self.assertRaisesRegex(ValueError,
3065 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3066 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3067
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]3068 @unittest.skipUnless(
3069 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
3070 )
3071 def test_hostname_checks_common_name(self):
3072 client_context, server_context, hostname = testing_context()
3073 assert client_context.hostname_checks_common_name
3074 client_context.hostname_checks_common_name = False
3075
3076 # default cert has a SAN
3077 server = ThreadedEchoServer(context=server_context, chatty=True)
3078 with server:
3079 with client_context.wrap_socket(socket.socket(),
3080 server_hostname=hostname) as s:
3081 s.connect((HOST, server.port))
3082
3083 client_context, server_context, hostname = testing_context(NOSANFILE)
3084 client_context.hostname_checks_common_name = False
3085 server = ThreadedEchoServer(context=server_context, chatty=True)
3086 with server:
3087 with client_context.wrap_socket(socket.socket(),
3088 server_hostname=hostname) as s:
3089 with self.assertRaises(ssl.SSLCertVerificationError):
3090 s.connect((HOST, server.port))
3091
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3092 def test_ecc_cert(self):
3093 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3094 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3095 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3096 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3097
3098 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3099 # load ECC cert
3100 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3101
3102 # correct hostname should verify
3103 server = ThreadedEchoServer(context=server_context, chatty=True)
3104 with server:
3105 with client_context.wrap_socket(socket.socket(),
3106 server_hostname=hostname) as s:
3107 s.connect((HOST, server.port))
3108 cert = s.getpeercert()
3109 self.assertTrue(cert, "Can't get peer certificate.")
3110 cipher = s.cipher()[0].split('-')
3111 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3112
3113 def test_dual_rsa_ecc(self):
3114 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3115 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3116 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3117 # algorithms.
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]3118 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3119 # only ECDSA certs
3120 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3121 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3122
3123 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3124 # load ECC and RSA key/cert pairs
3125 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3126 server_context.load_cert_chain(SIGNED_CERTFILE)
3127
3128 # correct hostname should verify
3129 server = ThreadedEchoServer(context=server_context, chatty=True)
3130 with server:
3131 with client_context.wrap_socket(socket.socket(),
3132 server_hostname=hostname) as s:
3133 s.connect((HOST, server.port))
3134 cert = s.getpeercert()
3135 self.assertTrue(cert, "Can't get peer certificate.")
3136 cipher = s.cipher()[0].split('-')
3137 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3138
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3139 def test_check_hostname_idn(self):
3140 if support.verbose:
3141 sys.stdout.write("\n")
3142
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3143 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3144 server_context.load_cert_chain(IDNSANSFILE)
3145
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3146 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3147 context.verify_mode = ssl.CERT_REQUIRED
3148 context.check_hostname = True
3149 context.load_verify_locations(SIGNING_CA)
3150
3151 # correct hostname should verify, when specified in several
3152 # different ways
3153 idn_hostnames = [
3154 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3155 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3156 ('xn--knig-5qa.idn.pythontest.net',
3157 'xn--knig-5qa.idn.pythontest.net'),
3158 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3159 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3160
3161 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3162 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3163 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3164 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3165 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3166 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3167
3168 # ('königsgäßchen.idna2008.pythontest.net',
3169 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3170 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3171 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3172 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3173 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3174
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3175 ]
3176 for server_hostname, expected_hostname in idn_hostnames:
3177 server = ThreadedEchoServer(context=server_context, chatty=True)
3178 with server:
3179 with context.wrap_socket(socket.socket(),
3180 server_hostname=server_hostname) as s:
3181 self.assertEqual(s.server_hostname, expected_hostname)
3182 s.connect((HOST, server.port))
3183 cert = s.getpeercert()
3184 self.assertEqual(s.server_hostname, expected_hostname)
3185 self.assertTrue(cert, "Can't get peer certificate.")
3186
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3187 # incorrect hostname should raise an exception
3188 server = ThreadedEchoServer(context=server_context, chatty=True)
3189 with server:
3190 with context.wrap_socket(socket.socket(),
3191 server_hostname="python.example.org") as s:
3192 with self.assertRaises(ssl.CertificateError):
3193 s.connect((HOST, server.port))
3194
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3195 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3196 """Connecting when the server rejects the client's certificate
3197
3198 Launch a server with CERT_REQUIRED, and check that trying to
3199 connect to it with a wrong client certificate fails.
3200 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3201 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3202 # load client cert that is not signed by trusted CA
3203 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3204 # require TLS client authentication
3205 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3206 # TLS 1.3 has different handshake
3207 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3208
3209 server = ThreadedEchoServer(
3210 context=server_context, chatty=True, connectionchatty=True,
3211 )
3212
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3213 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3214 client_context.wrap_socket(socket.socket(),
3215 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3216 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3217 # Expect either an SSL error about the server rejecting
3218 # the connection, or a low-level connection reset (which
3219 # sometimes happens on Windows)
3220 s.connect((HOST, server.port))
3221 except ssl.SSLError as e:
3222 if support.verbose:
3223 sys.stdout.write("\nSSLError is %r\n" % e)
3224 except OSError as e:
3225 if e.errno != errno.ECONNRESET:
3226 raise
3227 if support.verbose:
3228 sys.stdout.write("\nsocket.error is %r\n" % e)
3229 else:
3230 self.fail("Use of invalid cert should have failed!")
3231
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3232 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3233 def test_wrong_cert_tls13(self):
3234 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3235 # load client cert that is not signed by trusted CA
3236 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3237 server_context.verify_mode = ssl.CERT_REQUIRED
3238 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3239 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3240
3241 server = ThreadedEchoServer(
3242 context=server_context, chatty=True, connectionchatty=True,
3243 )
3244 with server, \
3245 client_context.wrap_socket(socket.socket(),
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]3246 server_hostname=hostname,
3247 suppress_ragged_eofs=False) as s:
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3248 # TLS 1.3 perform client cert exchange after handshake
3249 s.connect((HOST, server.port))
3250 try:
3251 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3252 s.read(1000)
3253 s.write(b'should have failed already')
3254 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3255 except ssl.SSLError as e:
3256 if support.verbose:
3257 sys.stdout.write("\nSSLError is %r\n" % e)
3258 except OSError as e:
3259 if e.errno != errno.ECONNRESET:
3260 raise
3261 if support.verbose:
3262 sys.stdout.write("\nsocket.error is %r\n" % e)
3263 else:
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]3264 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3265
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3266 def test_rude_shutdown(self):
3267 """A brutal shutdown of an SSL server should raise an OSError
3268 in the client when attempting handshake.
3269 """
3270 listener_ready = threading.Event()
3271 listener_gone = threading.Event()
3272
3273 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3274 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3275
3276 # `listener` runs in a thread. It sits in an accept() until
3277 # the main thread connects. Then it rudely closes the socket,
3278 # and sets Event `listener_gone` to let the main thread know
3279 # the socket is gone.
3280 def listener():
3281 s.listen()
3282 listener_ready.set()
3283 newsock, addr = s.accept()
3284 newsock.close()
3285 s.close()
3286 listener_gone.set()
3287
3288 def connector():
3289 listener_ready.wait()
3290 with socket.socket() as c:
3291 c.connect((HOST, port))
3292 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3293 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3294 ssl_sock = test_wrap_socket(c)
3295 except OSError:
3296 pass
3297 else:
3298 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3299
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3300 t = threading.Thread(target=listener)
3301 t.start()
3302 try:
3303 connector()
3304 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3305 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3306
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3307 def test_ssl_cert_verify_error(self):
3308 if support.verbose:
3309 sys.stdout.write("\n")
3310
3311 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3312 server_context.load_cert_chain(SIGNED_CERTFILE)
3313
3314 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3315
3316 server = ThreadedEchoServer(context=server_context, chatty=True)
3317 with server:
3318 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3319 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3320 try:
3321 s.connect((HOST, server.port))
3322 except ssl.SSLError as e:
3323 msg = 'unable to get local issuer certificate'
3324 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3325 self.assertEqual(e.verify_code, 20)
3326 self.assertEqual(e.verify_message, msg)
3327 self.assertIn(msg, repr(e))
3328 self.assertIn('certificate verify failed', repr(e))
3329
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3330 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3331 def test_protocol_sslv2(self):
3332 """Connecting to an SSLv2 server with various client options"""
3333 if support.verbose:
3334 sys.stdout.write("\n")
3335 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3336 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3337 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3338 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3339 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3340 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3341 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3342 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3343 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3344 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3345 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3346 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3347
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3348 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3349 """Connecting to an SSLv23 server with various client options"""
3350 if support.verbose:
3351 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3352 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3353 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3354 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3355 except OSError as x:
3356 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3357 if support.verbose:
3358 sys.stdout.write(
3359 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3360 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3361 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3362 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3363 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3364 if has_tls_version('TLSv1'):
3365 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3366
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3367 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3368 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3369 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3370 if has_tls_version('TLSv1'):
3371 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3372
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3373 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3374 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3375 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3376 if has_tls_version('TLSv1'):
3377 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3378
3379 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3380 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3381 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3382 server_options=ssl.OP_NO_SSLv3)
3383 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3384 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3385 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3386 if has_tls_version('TLSv1'):
3387 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3388 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3389
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3390 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3391 def test_protocol_sslv3(self):
3392 """Connecting to an SSLv3 server with various client options"""
3393 if support.verbose:
3394 sys.stdout.write("\n")
3395 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3396 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3397 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3398 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3399 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3400 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3401 client_options=ssl.OP_NO_SSLv3)
3402 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3403
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3404 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3405 def test_protocol_tlsv1(self):
3406 """Connecting to a TLSv1 server with various client options"""
3407 if support.verbose:
3408 sys.stdout.write("\n")
3409 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3410 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3411 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3412 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3413 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3414 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3415 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3416 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3417 client_options=ssl.OP_NO_TLSv1)
3418
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3419 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3420 def test_protocol_tlsv1_1(self):
3421 """Connecting to a TLSv1.1 server with various client options.
3422 Testing against older TLS versions."""
3423 if support.verbose:
3424 sys.stdout.write("\n")
3425 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3426 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3427 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3428 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3429 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3430 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3431 client_options=ssl.OP_NO_TLSv1_1)
3432
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3433 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3434 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3435 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3436
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3437 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3438 def test_protocol_tlsv1_2(self):
3439 """Connecting to a TLSv1.2 server with various client options.
3440 Testing against older TLS versions."""
3441 if support.verbose:
3442 sys.stdout.write("\n")
3443 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3444 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3445 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3446 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3447 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3448 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3449 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3450 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3451 client_options=ssl.OP_NO_TLSv1_2)
3452
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3453 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3454 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3455 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3456 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3457 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3458
3459 def test_starttls(self):
3460 """Switching from clear text to encrypted and back again."""
3461 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3462
3463 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3464 starttls_server=True,
3465 chatty=True,
3466 connectionchatty=True)
3467 wrapped = False
3468 with server:
3469 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3470 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3471 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3472 if support.verbose:
3473 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3474 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3475 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3476 sys.stdout.write(
3477 " client: sending %r...\n" % indata)
3478 if wrapped:
3479 conn.write(indata)
3480 outdata = conn.read()
3481 else:
3482 s.send(indata)
3483 outdata = s.recv(1024)
3484 msg = outdata.strip().lower()
3485 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3486 # STARTTLS ok, switch to secure mode
3487 if support.verbose:
3488 sys.stdout.write(
3489 " client: read %r from server, starting TLS...\n"
3490 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3491 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3492 wrapped = True
3493 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3494 # ENDTLS ok, switch back to clear text
3495 if support.verbose:
3496 sys.stdout.write(
3497 " client: read %r from server, ending TLS...\n"
3498 % msg)
3499 s = conn.unwrap()
3500 wrapped = False
3501 else:
3502 if support.verbose:
3503 sys.stdout.write(
3504 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3505 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3506 sys.stdout.write(" client: closing connection.\n")
3507 if wrapped:
3508 conn.write(b"over\n")
3509 else:
3510 s.send(b"over\n")
3511 if wrapped:
3512 conn.close()
3513 else:
3514 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3515
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3516 def test_socketserver(self):
3517 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3518 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3519 # try to connect
3520 if support.verbose:
3521 sys.stdout.write('\n')
3522 with open(CERTFILE, 'rb') as f:
3523 d1 = f.read()
3524 d2 = ''
3525 # now fetch the same data from the HTTPS server
3526 url = 'https://localhost:%d/%s' % (
3527 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3528 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3529 f = urllib.request.urlopen(url, context=context)
3530 try:
3531 dlen = f.info().get("content-length")
3532 if dlen and (int(dlen) > 0):
3533 d2 = f.read(int(dlen))
3534 if support.verbose:
3535 sys.stdout.write(
3536 " client: read %d bytes from remote server '%s'\n"
3537 % (len(d2), server))
3538 finally:
3539 f.close()
3540 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3541
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3542 def test_asyncore_server(self):
3543 """Check the example asyncore integration."""
3544 if support.verbose:
3545 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3546
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3547 indata = b"FOO\n"
3548 server = AsyncoreEchoServer(CERTFILE)
3549 with server:
3550 s = test_wrap_socket(socket.socket())
3551 s.connect(('127.0.0.1', server.port))
3552 if support.verbose:
3553 sys.stdout.write(
3554 " client: sending %r...\n" % indata)
3555 s.write(indata)
3556 outdata = s.read()
3557 if support.verbose:
3558 sys.stdout.write(" client: read %r\n" % outdata)
3559 if outdata != indata.lower():
3560 self.fail(
3561 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3562 % (outdata[:20], len(outdata),
3563 indata[:20].lower(), len(indata)))
3564 s.write(b"over\n")
3565 if support.verbose:
3566 sys.stdout.write(" client: closing connection.\n")
3567 s.close()
3568 if support.verbose:
3569 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3570
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3571 def test_recv_send(self):
3572 """Test recv(), send() and friends."""
3573 if support.verbose:
3574 sys.stdout.write("\n")
3575
3576 server = ThreadedEchoServer(CERTFILE,
3577 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3578 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3579 cacerts=CERTFILE,
3580 chatty=True,
3581 connectionchatty=False)
3582 with server:
3583 s = test_wrap_socket(socket.socket(),
3584 server_side=False,
3585 certfile=CERTFILE,
3586 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3587 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3588 s.connect((HOST, server.port))
3589 # helper methods for standardising recv* method signatures
3590 def _recv_into():
3591 b = bytearray(b"\0"*100)
3592 count = s.recv_into(b)
3593 return b[:count]
3594
3595 def _recvfrom_into():
3596 b = bytearray(b"\0"*100)
3597 count, addr = s.recvfrom_into(b)
3598 return b[:count]
3599
3600 # (name, method, expect success?, *args, return value func)
3601 send_methods = [
3602 ('send', s.send, True, [], len),
3603 ('sendto', s.sendto, False, ["some.address"], len),
3604 ('sendall', s.sendall, True, [], lambda x: None),
3605 ]
3606 # (name, method, whether to expect success, *args)
3607 recv_methods = [
3608 ('recv', s.recv, True, []),
3609 ('recvfrom', s.recvfrom, False, ["some.address"]),
3610 ('recv_into', _recv_into, True, []),
3611 ('recvfrom_into', _recvfrom_into, False, []),
3612 ]
3613 data_prefix = "PREFIX_"
3614
3615 for (meth_name, send_meth, expect_success, args,
3616 ret_val_meth) in send_methods:
3617 indata = (data_prefix + meth_name).encode('ascii')
3618 try:
3619 ret = send_meth(indata, *args)
3620 msg = "sending with {}".format(meth_name)
3621 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3622 outdata = s.read()
3623 if outdata != indata.lower():
3624 self.fail(
3625 "While sending with <<{name:s}>> bad data "
3626 "<<{outdata:r}>> ({nout:d}) received; "
3627 "expected <<{indata:r}>> ({nin:d})\n".format(
3628 name=meth_name, outdata=outdata[:20],
3629 nout=len(outdata),
3630 indata=indata[:20], nin=len(indata)
3631 )
3632 )
3633 except ValueError as e:
3634 if expect_success:
3635 self.fail(
3636 "Failed to send with method <<{name:s}>>; "
3637 "expected to succeed.\n".format(name=meth_name)
3638 )
3639 if not str(e).startswith(meth_name):
3640 self.fail(
3641 "Method <<{name:s}>> failed with unexpected "
3642 "exception message: {exp:s}\n".format(
3643 name=meth_name, exp=e
3644 )
3645 )
3646
3647 for meth_name, recv_meth, expect_success, args in recv_methods:
3648 indata = (data_prefix + meth_name).encode('ascii')
3649 try:
3650 s.send(indata)
3651 outdata = recv_meth(*args)
3652 if outdata != indata.lower():
3653 self.fail(
3654 "While receiving with <<{name:s}>> bad data "
3655 "<<{outdata:r}>> ({nout:d}) received; "
3656 "expected <<{indata:r}>> ({nin:d})\n".format(
3657 name=meth_name, outdata=outdata[:20],
3658 nout=len(outdata),
3659 indata=indata[:20], nin=len(indata)
3660 )
3661 )
3662 except ValueError as e:
3663 if expect_success:
3664 self.fail(
3665 "Failed to receive with method <<{name:s}>>; "
3666 "expected to succeed.\n".format(name=meth_name)
3667 )
3668 if not str(e).startswith(meth_name):
3669 self.fail(
3670 "Method <<{name:s}>> failed with unexpected "
3671 "exception message: {exp:s}\n".format(
3672 name=meth_name, exp=e
3673 )
3674 )
3675 # consume data
3676 s.read()
3677
3678 # read(-1, buffer) is supported, even though read(-1) is not
3679 data = b"data"
3680 s.send(data)
3681 buffer = bytearray(len(data))
3682 self.assertEqual(s.read(-1, buffer), len(data))
3683 self.assertEqual(buffer, data)
3684
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3685 # sendall accepts bytes-like objects
3686 if ctypes is not None:
3687 ubyte = ctypes.c_ubyte * len(data)
3688 byteslike = ubyte.from_buffer_copy(data)
3689 s.sendall(byteslike)
3690 self.assertEqual(s.read(), data)
3691
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3692 # Make sure sendmsg et al are disallowed to avoid
3693 # inadvertent disclosure of data and/or corruption
3694 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3695 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3696 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3697 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3698 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3699 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3700 s.write(b"over\n")
3701
3702 self.assertRaises(ValueError, s.recv, -1)
3703 self.assertRaises(ValueError, s.read, -1)
3704
3705 s.close()
3706
3707 def test_recv_zero(self):
3708 server = ThreadedEchoServer(CERTFILE)
3709 server.__enter__()
3710 self.addCleanup(server.__exit__, None, None)
3711 s = socket.create_connection((HOST, server.port))
3712 self.addCleanup(s.close)
3713 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3714 self.addCleanup(s.close)
3715
3716 # recv/read(0) should return no data
3717 s.send(b"data")
3718 self.assertEqual(s.recv(0), b"")
3719 self.assertEqual(s.read(0), b"")
3720 self.assertEqual(s.read(), b"data")
3721
3722 # Should not block if the other end sends no data
3723 s.setblocking(False)
3724 self.assertEqual(s.recv(0), b"")
3725 self.assertEqual(s.recv_into(bytearray()), 0)
3726
3727 def test_nonblocking_send(self):
3728 server = ThreadedEchoServer(CERTFILE,
3729 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3730 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3731 cacerts=CERTFILE,
3732 chatty=True,
3733 connectionchatty=False)
3734 with server:
3735 s = test_wrap_socket(socket.socket(),
3736 server_side=False,
3737 certfile=CERTFILE,
3738 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3739 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3740 s.connect((HOST, server.port))
3741 s.setblocking(False)
3742
3743 # If we keep sending data, at some point the buffers
3744 # will be full and the call will block
3745 buf = bytearray(8192)
3746 def fill_buffer():
3747 while True:
3748 s.send(buf)
3749 self.assertRaises((ssl.SSLWantWriteError,
3750 ssl.SSLWantReadError), fill_buffer)
3751
3752 # Now read all the output and discard it
3753 s.setblocking(True)
3754 s.close()
3755
3756 def test_handshake_timeout(self):
3757 # Issue #5103: SSL handshake must respect the socket timeout
3758 server = socket.socket(socket.AF_INET)
3759 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3760 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3761 started = threading.Event()
3762 finish = False
3763
3764 def serve():
3765 server.listen()
3766 started.set()
3767 conns = []
3768 while not finish:
3769 r, w, e = select.select([server], [], [], 0.1)
3770 if server in r:
3771 # Let the socket hang around rather than having
3772 # it closed by garbage collection.
3773 conns.append(server.accept()[0])
3774 for sock in conns:
3775 sock.close()
3776
3777 t = threading.Thread(target=serve)
3778 t.start()
3779 started.wait()
3780
3781 try:
3782 try:
3783 c = socket.socket(socket.AF_INET)
3784 c.settimeout(0.2)
3785 c.connect((host, port))
3786 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3787 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3788 test_wrap_socket, c)
3789 finally:
3790 c.close()
3791 try:
3792 c = socket.socket(socket.AF_INET)
3793 c = test_wrap_socket(c)
3794 c.settimeout(0.2)
3795 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3796 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3797 c.connect, (host, port))
3798 finally:
3799 c.close()
3800 finally:
3801 finish = True
3802 t.join()
3803 server.close()
3804
3805 def test_server_accept(self):
3806 # Issue #16357: accept() on a SSLSocket created through
3807 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3808 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3809 server = socket.socket(socket.AF_INET)
3810 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3811 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3812 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3813 self.assertTrue(server.server_side)
3814
3815 evt = threading.Event()
3816 remote = None
3817 peer = None
3818 def serve():
3819 nonlocal remote, peer
3820 server.listen()
3821 # Block on the accept and wait on the connection to close.
3822 evt.set()
3823 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3824 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3825
3826 t = threading.Thread(target=serve)
3827 t.start()
3828 # Client wait until server setup and perform a connect.
3829 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3830 client = client_ctx.wrap_socket(
3831 socket.socket(), server_hostname=hostname
3832 )
3833 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3834 client.send(b'data')
3835 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3836 client_addr = client.getsockname()
3837 client.close()
3838 t.join()
3839 remote.close()
3840 server.close()
3841 # Sanity checks.
3842 self.assertIsInstance(remote, ssl.SSLSocket)
3843 self.assertEqual(peer, client_addr)
3844
3845 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3846 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3847 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3848 with context.wrap_socket(socket.socket()) as sock:
3849 with self.assertRaises(OSError) as cm:
3850 sock.getpeercert()
3851 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3852
3853 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3854 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3855 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3856 with context.wrap_socket(socket.socket()) as sock:
3857 with self.assertRaises(OSError) as cm:
3858 sock.do_handshake()
3859 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3860
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3861 def test_no_shared_ciphers(self):
3862 client_context, server_context, hostname = testing_context()
3863 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]3864 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3865 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3866 client_context.set_ciphers("AES128")
3867 server_context.set_ciphers("AES256")
3868 with ThreadedEchoServer(context=server_context) as server:
3869 with client_context.wrap_socket(socket.socket(),
3870 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3871 with self.assertRaises(OSError):
3872 s.connect((HOST, server.port))
3873 self.assertIn("no shared cipher", server.conn_errors[0])
3874
3875 def test_version_basic(self):
3876 """
3877 Basic tests for SSLSocket.version().
3878 More tests are done in the test_protocol_*() methods.
3879 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3880 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3881 context.check_hostname = False
3882 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3883 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3884 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3885 chatty=False) as server:
3886 with context.wrap_socket(socket.socket()) as s:
3887 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3888 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3889 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3890 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3891 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3892 self.assertIs(s.version(), None)
3893
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3894 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3895 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3896 client_context, server_context, hostname = testing_context()
3897 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3898 with ThreadedEchoServer(context=server_context) as server:
3899 with client_context.wrap_socket(socket.socket(),
3900 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3901 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3902 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3903 'TLS_AES_256_GCM_SHA384',
3904 'TLS_CHACHA20_POLY1305_SHA256',
3905 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3906 })
3907 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3908
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3909 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3910 @requires_tls_version('TLSv1')
3911 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3912 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3913 client_context, server_context, hostname = testing_context()
3914 # client TLSv1.0 to 1.2
3915 client_context.minimum_version = ssl.TLSVersion.TLSv1
3916 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3917 # server only TLSv1.2
3918 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3919 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3920
3921 with ThreadedEchoServer(context=server_context) as server:
3922 with client_context.wrap_socket(socket.socket(),
3923 server_hostname=hostname) as s:
3924 s.connect((HOST, server.port))
3925 self.assertEqual(s.version(), 'TLSv1.2')
3926
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3927 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3928 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3929 def test_min_max_version_tlsv1_1(self):
3930 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3931 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3932 client_context.minimum_version = ssl.TLSVersion.TLSv1
3933 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3934 server_context.minimum_version = ssl.TLSVersion.TLSv1
3935 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3936 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3937
3938 with ThreadedEchoServer(context=server_context) as server:
3939 with client_context.wrap_socket(socket.socket(),
3940 server_hostname=hostname) as s:
3941 s.connect((HOST, server.port))
3942 self.assertEqual(s.version(), 'TLSv1.1')
3943
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3944 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3945 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3946 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3947 def test_min_max_version_mismatch(self):
3948 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3949 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3950 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3951 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3952 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3953 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3954 seclevel_workaround(client_context, server_context)
3955
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3956 with ThreadedEchoServer(context=server_context) as server:
3957 with client_context.wrap_socket(socket.socket(),
3958 server_hostname=hostname) as s:
3959 with self.assertRaises(ssl.SSLError) as e:
3960 s.connect((HOST, server.port))
3961 self.assertIn("alert", str(e.exception))
3962
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3963 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3964 def test_min_max_version_sslv3(self):
3965 client_context, server_context, hostname = testing_context()
3966 server_context.minimum_version = ssl.TLSVersion.SSLv3
3967 client_context.minimum_version = ssl.TLSVersion.SSLv3
3968 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3969 seclevel_workaround(client_context, server_context)
3970
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3971 with ThreadedEchoServer(context=server_context) as server:
3972 with client_context.wrap_socket(socket.socket(),
3973 server_hostname=hostname) as s:
3974 s.connect((HOST, server.port))
3975 self.assertEqual(s.version(), 'SSLv3')
3976
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3977 def test_default_ecdh_curve(self):
3978 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3979 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3980 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3981 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3982 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3983 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3984 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3985 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3986 # our default cipher list should prefer ECDH-based ciphers
3987 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3988 with ThreadedEchoServer(context=server_context) as server:
3989 with client_context.wrap_socket(socket.socket(),
3990 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3991 s.connect((HOST, server.port))
3992 self.assertIn("ECDH", s.cipher()[0])
3993
3994 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3995 "'tls-unique' channel binding not available")
3996 def test_tls_unique_channel_binding(self):
3997 """Test tls-unique channel binding."""
3998 if support.verbose:
3999 sys.stdout.write("\n")
4000
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4001 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4002
4003 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4004 chatty=True,
4005 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4006
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4007 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4008 with client_context.wrap_socket(
4009 socket.socket(),
4010 server_hostname=hostname) as s:
4011 s.connect((HOST, server.port))
4012 # get the data
4013 cb_data = s.get_channel_binding("tls-unique")
4014 if support.verbose:
4015 sys.stdout.write(
4016 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4017
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4018 # check if it is sane
4019 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]4020 if s.version() == 'TLSv1.3':
4021 self.assertEqual(len(cb_data), 48)
4022 else:
4023 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4024
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4025 # and compare with the peers version
4026 s.write(b"CB tls-unique\n")
4027 peer_data_repr = s.read().strip()
4028 self.assertEqual(peer_data_repr,
4029 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4030
4031 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4032 with client_context.wrap_socket(
4033 socket.socket(),
4034 server_hostname=hostname) as s:
4035 s.connect((HOST, server.port))
4036 new_cb_data = s.get_channel_binding("tls-unique")
4037 if support.verbose:
4038 sys.stdout.write(
4039 "got another channel binding data: {0!r}\n".format(
4040 new_cb_data)
4041 )
4042 # is it really unique
4043 self.assertNotEqual(cb_data, new_cb_data)
4044 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]4045 if s.version() == 'TLSv1.3':
4046 self.assertEqual(len(cb_data), 48)
4047 else:
4048 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4049 s.write(b"CB tls-unique\n")
4050 peer_data_repr = s.read().strip()
4051 self.assertEqual(peer_data_repr,
4052 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4053
4054 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4055 client_context, server_context, hostname = testing_context()
4056 stats = server_params_test(client_context, server_context,
4057 chatty=True, connectionchatty=True,
4058 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4059 if support.verbose:
4060 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
4061 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
4062
4063 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
4064 "ssl.OP_NO_COMPRESSION needed for this test")
4065 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4066 client_context, server_context, hostname = testing_context()
4067 client_context.options |= ssl.OP_NO_COMPRESSION
4068 server_context.options |= ssl.OP_NO_COMPRESSION
4069 stats = server_params_test(client_context, server_context,
4070 chatty=True, connectionchatty=True,
4071 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4072 self.assertIs(stats['compression'], None)
4073
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4074 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4075 def test_dh_params(self):
4076 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4077 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4078 # test scenario needs TLS <= 1.2
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4079 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4080 server_context.load_dh_params(DHFILE)
4081 server_context.set_ciphers("kEDH")
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4082 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4083 stats = server_params_test(client_context, server_context,
4084 chatty=True, connectionchatty=True,
4085 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4086 cipher = stats["cipher"][0]
4087 parts = cipher.split("-")
4088 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4089 self.fail("Non-DH cipher: " + cipher[0])
4090
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4091 def test_ecdh_curve(self):
4092 # server secp384r1, client auto
4093 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4094
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4095 server_context.set_ecdh_curve("secp384r1")
4096 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4097 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4098 stats = server_params_test(client_context, server_context,
4099 chatty=True, connectionchatty=True,
4100 sni_name=hostname)
4101
4102 # server auto, client secp384r1
4103 client_context, server_context, hostname = testing_context()
4104 client_context.set_ecdh_curve("secp384r1")
4105 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4106 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4107 stats = server_params_test(client_context, server_context,
4108 chatty=True, connectionchatty=True,
4109 sni_name=hostname)
4110
4111 # server / client curve mismatch
4112 client_context, server_context, hostname = testing_context()
4113 client_context.set_ecdh_curve("prime256v1")
4114 server_context.set_ecdh_curve("secp384r1")
4115 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4116 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4117 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4118 server_params_test(client_context, server_context,
4119 chatty=True, connectionchatty=True,
4120 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4121
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4122 def test_selected_alpn_protocol(self):
4123 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4124 client_context, server_context, hostname = testing_context()
4125 stats = server_params_test(client_context, server_context,
4126 chatty=True, connectionchatty=True,
4127 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4128 self.assertIs(stats['client_alpn_protocol'], None)
4129
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4130 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4131 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4132 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4133 server_context.set_alpn_protocols(['foo', 'bar'])
4134 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4135 chatty=True, connectionchatty=True,
4136 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4137 self.assertIs(stats['client_alpn_protocol'], None)
4138
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4139 def test_alpn_protocols(self):
4140 server_protocols = ['foo', 'bar', 'milkshake']
4141 protocol_tests = [
4142 (['foo', 'bar'], 'foo'),
4143 (['bar', 'foo'], 'foo'),
4144 (['milkshake'], 'milkshake'),
4145 (['http/3.0', 'http/4.0'], None)
4146 ]
4147 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4148 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4149 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4150 client_context.set_alpn_protocols(client_protocols)
4151
4152 try:
4153 stats = server_params_test(client_context,
4154 server_context,
4155 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4156 connectionchatty=True,
4157 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4158 except ssl.SSLError as e:
4159 stats = e
4160
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4161 msg = "failed trying %s (s) and %s (c).\n" \
4162 "was expecting %s, but got %%s from the %%s" \
4163 % (str(server_protocols), str(client_protocols),
4164 str(expected))
4165 client_result = stats['client_alpn_protocol']
4166 self.assertEqual(client_result, expected,
4167 msg % (client_result, "client"))
4168 server_result = stats['server_alpn_protocols'][-1] \
4169 if len(stats['server_alpn_protocols']) else 'nothing'
4170 self.assertEqual(server_result, expected,
4171 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4172
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4173 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4174 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4175
4176 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4177 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4178 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4179 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4180 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4181 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4182 client_context.load_verify_locations(SIGNING_CA)
4183 return server_context, other_context, client_context
4184
4185 def check_common_name(self, stats, name):
4186 cert = stats['peercert']
4187 self.assertIn((('commonName', name),), cert['subject'])
4188
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4189 def test_sni_callback(self):
4190 calls = []
4191 server_context, other_context, client_context = self.sni_contexts()
4192
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4193 client_context.check_hostname = False
4194
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4195 def servername_cb(ssl_sock, server_name, initial_context):
4196 calls.append((server_name, initial_context))
4197 if server_name is not None:
4198 ssl_sock.context = other_context
4199 server_context.set_servername_callback(servername_cb)
4200
4201 stats = server_params_test(client_context, server_context,
4202 chatty=True,
4203 sni_name='supermessage')
4204 # The hostname was fetched properly, and the certificate was
4205 # changed for the connection.
4206 self.assertEqual(calls, [("supermessage", server_context)])
4207 # CERTFILE4 was selected
4208 self.check_common_name(stats, 'fakehostname')
4209
4210 calls = []
4211 # The callback is called with server_name=None
4212 stats = server_params_test(client_context, server_context,
4213 chatty=True,
4214 sni_name=None)
4215 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4216 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4217
4218 # Check disabling the callback
4219 calls = []
4220 server_context.set_servername_callback(None)
4221
4222 stats = server_params_test(client_context, server_context,
4223 chatty=True,
4224 sni_name='notfunny')
4225 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4226 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4227 self.assertEqual(calls, [])
4228
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4229 def test_sni_callback_alert(self):
4230 # Returning a TLS alert is reflected to the connecting client
4231 server_context, other_context, client_context = self.sni_contexts()
4232
4233 def cb_returning_alert(ssl_sock, server_name, initial_context):
4234 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4235 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4236 with self.assertRaises(ssl.SSLError) as cm:
4237 stats = server_params_test(client_context, server_context,
4238 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4239 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4240 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4241
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4242 def test_sni_callback_raising(self):
4243 # Raising fails the connection with a TLS handshake failure alert.
4244 server_context, other_context, client_context = self.sni_contexts()
4245
4246 def cb_raising(ssl_sock, server_name, initial_context):
4247 1/0
4248 server_context.set_servername_callback(cb_raising)
4249
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4250 with support.catch_unraisable_exception() as catch:
4251 with self.assertRaises(ssl.SSLError) as cm:
4252 stats = server_params_test(client_context, server_context,
4253 chatty=False,
4254 sni_name='supermessage')
4255
4256 self.assertEqual(cm.exception.reason,
4257 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4258 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4259
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4260 def test_sni_callback_wrong_return_type(self):
4261 # Returning the wrong return type terminates the TLS connection
4262 # with an internal error alert.
4263 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4264
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4265 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4266 return "foo"
4267 server_context.set_servername_callback(cb_wrong_return_type)
4268
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4269 with support.catch_unraisable_exception() as catch:
4270 with self.assertRaises(ssl.SSLError) as cm:
4271 stats = server_params_test(client_context, server_context,
4272 chatty=False,
4273 sni_name='supermessage')
4274
4275
4276 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4277 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4278
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4279 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4280 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4281 client_context.set_ciphers("AES128:AES256")
4282 server_context.set_ciphers("AES256")
4283 expected_algs = [
4284 "AES256", "AES-256",
4285 # TLS 1.3 ciphers are always enabled
4286 "TLS_CHACHA20", "TLS_AES",
4287 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4288
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4289 stats = server_params_test(client_context, server_context,
4290 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4291 ciphers = stats['server_shared_ciphers'][0]
4292 self.assertGreater(len(ciphers), 0)
4293 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4294 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4295 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4296
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4297 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4298 client_context, server_context, hostname = testing_context()
4299 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4300
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4301 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4302 s = client_context.wrap_socket(socket.socket(),
4303 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4304 s.connect((HOST, server.port))
4305 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4306
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4307 self.assertRaises(ValueError, s.read, 1024)
4308 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4309
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4310 def test_sendfile(self):
4311 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4312 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4313 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4314 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4315 client_context, server_context, hostname = testing_context()
4316 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4317 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4318 with client_context.wrap_socket(socket.socket(),
4319 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4320 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4321 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4322 s.sendfile(file)
4323 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4324
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4325 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4326 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4327 # TODO: sessions aren't compatible with TLSv1.3 yet
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4328 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4329
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4330 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4331 stats = server_params_test(client_context, server_context,
4332 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4333 session = stats['session']
4334 self.assertTrue(session.id)
4335 self.assertGreater(session.time, 0)
4336 self.assertGreater(session.timeout, 0)
4337 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4338 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4339 self.assertFalse(stats['session_reused'])
4340 sess_stat = server_context.session_stats()
4341 self.assertEqual(sess_stat['accept'], 1)
4342 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4343
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4344 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4345 stats = server_params_test(client_context, server_context,
4346 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4347 sess_stat = server_context.session_stats()
4348 self.assertEqual(sess_stat['accept'], 2)
4349 self.assertEqual(sess_stat['hits'], 1)
4350 self.assertTrue(stats['session_reused'])
4351 session2 = stats['session']
4352 self.assertEqual(session2.id, session.id)
4353 self.assertEqual(session2, session)
4354 self.assertIsNot(session2, session)
4355 self.assertGreaterEqual(session2.time, session.time)
4356 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4357
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4358 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4359 stats = server_params_test(client_context, server_context,
4360 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4361 self.assertFalse(stats['session_reused'])
4362 session3 = stats['session']
4363 self.assertNotEqual(session3.id, session.id)
4364 self.assertNotEqual(session3, session)
4365 sess_stat = server_context.session_stats()
4366 self.assertEqual(sess_stat['accept'], 3)
4367 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4368
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4369 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4370 stats = server_params_test(client_context, server_context,
4371 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4372 self.assertTrue(stats['session_reused'])
4373 session4 = stats['session']
4374 self.assertEqual(session4.id, session.id)
4375 self.assertEqual(session4, session)
4376 self.assertGreaterEqual(session4.time, session.time)
4377 self.assertGreaterEqual(session4.timeout, session.timeout)
4378 sess_stat = server_context.session_stats()
4379 self.assertEqual(sess_stat['accept'], 4)
4380 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4381
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4382 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4383 client_context, server_context, hostname = testing_context()
4384 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4385
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4386 # TODO: session reuse does not work with TLSv1.3
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4387 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4388 client_context2.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4389
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4390 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4391 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4392 with client_context.wrap_socket(socket.socket(),
4393 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4394 # session is None before handshake
4395 self.assertEqual(s.session, None)
4396 self.assertEqual(s.session_reused, None)
4397 s.connect((HOST, server.port))
4398 session = s.session
4399 self.assertTrue(session)
4400 with self.assertRaises(TypeError) as e:
4401 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4402 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4403
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4404 with client_context.wrap_socket(socket.socket(),
4405 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4406 s.connect((HOST, server.port))
4407 # cannot set session after handshake
4408 with self.assertRaises(ValueError) as e:
4409 s.session = session
4410 self.assertEqual(str(e.exception),
4411 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4412
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4413 with client_context.wrap_socket(socket.socket(),
4414 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4415 # can set session before handshake and before the
4416 # connection was established
4417 s.session = session
4418 s.connect((HOST, server.port))
4419 self.assertEqual(s.session.id, session.id)
4420 self.assertEqual(s.session, session)
4421 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4422
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4423 with client_context2.wrap_socket(socket.socket(),
4424 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4425 # cannot re-use session with a different SSLContext
4426 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4427 s.session = session
4428 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4429 self.assertEqual(str(e.exception),
4430 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4431
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4432
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4433@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4434class TestPostHandshakeAuth(unittest.TestCase):
4435 def test_pha_setter(self):
4436 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4437 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4438 ]
4439 for protocol in protocols:
4440 ctx = ssl.SSLContext(protocol)
4441 self.assertEqual(ctx.post_handshake_auth, False)
4442
4443 ctx.post_handshake_auth = True
4444 self.assertEqual(ctx.post_handshake_auth, True)
4445
4446 ctx.verify_mode = ssl.CERT_REQUIRED
4447 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4448 self.assertEqual(ctx.post_handshake_auth, True)
4449
4450 ctx.post_handshake_auth = False
4451 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4452 self.assertEqual(ctx.post_handshake_auth, False)
4453
4454 ctx.verify_mode = ssl.CERT_OPTIONAL
4455 ctx.post_handshake_auth = True
4456 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4457 self.assertEqual(ctx.post_handshake_auth, True)
4458
4459 def test_pha_required(self):
4460 client_context, server_context, hostname = testing_context()
4461 server_context.post_handshake_auth = True
4462 server_context.verify_mode = ssl.CERT_REQUIRED
4463 client_context.post_handshake_auth = True
4464 client_context.load_cert_chain(SIGNED_CERTFILE)
4465
4466 server = ThreadedEchoServer(context=server_context, chatty=False)
4467 with server:
4468 with client_context.wrap_socket(socket.socket(),
4469 server_hostname=hostname) as s:
4470 s.connect((HOST, server.port))
4471 s.write(b'HASCERT')
4472 self.assertEqual(s.recv(1024), b'FALSE\n')
4473 s.write(b'PHA')
4474 self.assertEqual(s.recv(1024), b'OK\n')
4475 s.write(b'HASCERT')
4476 self.assertEqual(s.recv(1024), b'TRUE\n')
4477 # PHA method just returns true when cert is already available
4478 s.write(b'PHA')
4479 self.assertEqual(s.recv(1024), b'OK\n')
4480 s.write(b'GETCERT')
4481 cert_text = s.recv(4096).decode('us-ascii')
4482 self.assertIn('Python Software Foundation CA', cert_text)
4483
4484 def test_pha_required_nocert(self):
4485 client_context, server_context, hostname = testing_context()
4486 server_context.post_handshake_auth = True
4487 server_context.verify_mode = ssl.CERT_REQUIRED
4488 client_context.post_handshake_auth = True
4489
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4490 def msg_cb(conn, direction, version, content_type, msg_type, data):
4491 if support.verbose and content_type == _TLSContentType.ALERT:
4492 info = (conn, direction, version, content_type, msg_type, data)
4493 sys.stdout.write(f"TLS: {info!r}\n")
4494
4495 server_context._msg_callback = msg_cb
4496 client_context._msg_callback = msg_cb
4497
4498 server = ThreadedEchoServer(context=server_context, chatty=True)
4499 with server:
4500 with client_context.wrap_socket(socket.socket(),
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]4501 server_hostname=hostname,
4502 suppress_ragged_eofs=False) as s:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4503 s.connect((HOST, server.port))
4504 s.write(b'PHA')
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4505 # test sometimes fails with EOF error. Test passes as long as
4506 # server aborts connection with an error.
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4507 with self.assertRaisesRegex(
4508 ssl.SSLError,
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4509 '(certificate required|EOF occurred)'
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4510 ):
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4511 # receive CertificateRequest
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4512 data = s.recv(1024)
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4513 self.assertEqual(data, b'OK\n')
4514
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4515 # send empty Certificate + Finish
4516 s.write(b'HASCERT')
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4517
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4518 # receive alert
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]4519 s.recv(1024)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4520
4521 def test_pha_optional(self):
4522 if support.verbose:
4523 sys.stdout.write("\n")
4524
4525 client_context, server_context, hostname = testing_context()
4526 server_context.post_handshake_auth = True
4527 server_context.verify_mode = ssl.CERT_REQUIRED
4528 client_context.post_handshake_auth = True
4529 client_context.load_cert_chain(SIGNED_CERTFILE)
4530
4531 # check CERT_OPTIONAL
4532 server_context.verify_mode = ssl.CERT_OPTIONAL
4533 server = ThreadedEchoServer(context=server_context, chatty=False)
4534 with server:
4535 with client_context.wrap_socket(socket.socket(),
4536 server_hostname=hostname) as s:
4537 s.connect((HOST, server.port))
4538 s.write(b'HASCERT')
4539 self.assertEqual(s.recv(1024), b'FALSE\n')
4540 s.write(b'PHA')
4541 self.assertEqual(s.recv(1024), b'OK\n')
4542 s.write(b'HASCERT')
4543 self.assertEqual(s.recv(1024), b'TRUE\n')
4544
4545 def test_pha_optional_nocert(self):
4546 if support.verbose:
4547 sys.stdout.write("\n")
4548
4549 client_context, server_context, hostname = testing_context()
4550 server_context.post_handshake_auth = True
4551 server_context.verify_mode = ssl.CERT_OPTIONAL
4552 client_context.post_handshake_auth = True
4553
4554 server = ThreadedEchoServer(context=server_context, chatty=False)
4555 with server:
4556 with client_context.wrap_socket(socket.socket(),
4557 server_hostname=hostname) as s:
4558 s.connect((HOST, server.port))
4559 s.write(b'HASCERT')
4560 self.assertEqual(s.recv(1024), b'FALSE\n')
4561 s.write(b'PHA')
4562 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4563 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4564 s.write(b'HASCERT')
4565 self.assertEqual(s.recv(1024), b'FALSE\n')
4566
4567 def test_pha_no_pha_client(self):
4568 client_context, server_context, hostname = testing_context()
4569 server_context.post_handshake_auth = True
4570 server_context.verify_mode = ssl.CERT_REQUIRED
4571 client_context.load_cert_chain(SIGNED_CERTFILE)
4572
4573 server = ThreadedEchoServer(context=server_context, chatty=False)
4574 with server:
4575 with client_context.wrap_socket(socket.socket(),
4576 server_hostname=hostname) as s:
4577 s.connect((HOST, server.port))
4578 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4579 s.verify_client_post_handshake()
4580 s.write(b'PHA')
4581 self.assertIn(b'extension not received', s.recv(1024))
4582
4583 def test_pha_no_pha_server(self):
4584 # server doesn't have PHA enabled, cert is requested in handshake
4585 client_context, server_context, hostname = testing_context()
4586 server_context.verify_mode = ssl.CERT_REQUIRED
4587 client_context.post_handshake_auth = True
4588 client_context.load_cert_chain(SIGNED_CERTFILE)
4589
4590 server = ThreadedEchoServer(context=server_context, chatty=False)
4591 with server:
4592 with client_context.wrap_socket(socket.socket(),
4593 server_hostname=hostname) as s:
4594 s.connect((HOST, server.port))
4595 s.write(b'HASCERT')
4596 self.assertEqual(s.recv(1024), b'TRUE\n')
4597 # PHA doesn't fail if there is already a cert
4598 s.write(b'PHA')
4599 self.assertEqual(s.recv(1024), b'OK\n')
4600 s.write(b'HASCERT')
4601 self.assertEqual(s.recv(1024), b'TRUE\n')
4602
4603 def test_pha_not_tls13(self):
4604 # TLS 1.2
4605 client_context, server_context, hostname = testing_context()
4606 server_context.verify_mode = ssl.CERT_REQUIRED
4607 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4608 client_context.post_handshake_auth = True
4609 client_context.load_cert_chain(SIGNED_CERTFILE)
4610
4611 server = ThreadedEchoServer(context=server_context, chatty=False)
4612 with server:
4613 with client_context.wrap_socket(socket.socket(),
4614 server_hostname=hostname) as s:
4615 s.connect((HOST, server.port))
4616 # PHA fails for TLS != 1.3
4617 s.write(b'PHA')
4618 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4619
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4620 def test_bpo37428_pha_cert_none(self):
4621 # verify that post_handshake_auth does not implicitly enable cert
4622 # validation.
4623 hostname = SIGNED_CERTFILE_HOSTNAME
4624 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4625 client_context.post_handshake_auth = True
4626 client_context.load_cert_chain(SIGNED_CERTFILE)
4627 # no cert validation and CA on client side
4628 client_context.check_hostname = False
4629 client_context.verify_mode = ssl.CERT_NONE
4630
4631 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4632 server_context.load_cert_chain(SIGNED_CERTFILE)
4633 server_context.load_verify_locations(SIGNING_CA)
4634 server_context.post_handshake_auth = True
4635 server_context.verify_mode = ssl.CERT_REQUIRED
4636
4637 server = ThreadedEchoServer(context=server_context, chatty=False)
4638 with server:
4639 with client_context.wrap_socket(socket.socket(),
4640 server_hostname=hostname) as s:
4641 s.connect((HOST, server.port))
4642 s.write(b'HASCERT')
4643 self.assertEqual(s.recv(1024), b'FALSE\n')
4644 s.write(b'PHA')
4645 self.assertEqual(s.recv(1024), b'OK\n')
4646 s.write(b'HASCERT')
4647 self.assertEqual(s.recv(1024), b'TRUE\n')
4648 # server cert has not been validated
4649 self.assertEqual(s.getpeercert(), {})
4650
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]4651 def test_internal_chain_client(self):
4652 client_context, server_context, hostname = testing_context(
4653 server_chain=False
4654 )
4655 server = ThreadedEchoServer(context=server_context, chatty=False)
4656 with server:
4657 with client_context.wrap_socket(
4658 socket.socket(),
4659 server_hostname=hostname
4660 ) as s:
4661 s.connect((HOST, server.port))
4662 vc = s._sslobj.get_verified_chain()
4663 self.assertEqual(len(vc), 2)
4664 ee, ca = vc
4665 uvc = s._sslobj.get_unverified_chain()
4666 self.assertEqual(len(uvc), 1)
4667
4668 self.assertEqual(ee, uvc[0])
4669 self.assertEqual(hash(ee), hash(uvc[0]))
4670 self.assertEqual(repr(ee), repr(uvc[0]))
4671
4672 self.assertNotEqual(ee, ca)
4673 self.assertNotEqual(hash(ee), hash(ca))
4674 self.assertNotEqual(repr(ee), repr(ca))
4675 self.assertNotEqual(ee.get_info(), ca.get_info())
4676 self.assertIn("CN=localhost", repr(ee))
4677 self.assertIn("CN=our-ca-server", repr(ca))
4678
4679 pem = ee.public_bytes(_ssl.ENCODING_PEM)
4680 der = ee.public_bytes(_ssl.ENCODING_DER)
4681 self.assertIsInstance(pem, str)
4682 self.assertIn("-----BEGIN CERTIFICATE-----", pem)
4683 self.assertIsInstance(der, bytes)
4684 self.assertEqual(
4685 ssl.PEM_cert_to_DER_cert(pem), der
4686 )
4687
4688 def test_internal_chain_server(self):
4689 client_context, server_context, hostname = testing_context()
4690 client_context.load_cert_chain(SIGNED_CERTFILE)
4691 server_context.verify_mode = ssl.CERT_REQUIRED
4692 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
4693
4694 server = ThreadedEchoServer(context=server_context, chatty=False)
4695 with server:
4696 with client_context.wrap_socket(
4697 socket.socket(),
4698 server_hostname=hostname
4699 ) as s:
4700 s.connect((HOST, server.port))
4701 s.write(b'VERIFIEDCHAIN\n')
4702 res = s.recv(1024)
4703 self.assertEqual(res, b'\x02\n')
4704 s.write(b'UNVERIFIEDCHAIN\n')
4705 res = s.recv(1024)
4706 self.assertEqual(res, b'\x02\n')
4707
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4708
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4709HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4710requires_keylog = unittest.skipUnless(
4711 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4712
4713class TestSSLDebug(unittest.TestCase):
4714
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4715 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4716 with open(fname) as f:
4717 return len(list(f))
4718
4719 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4720 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4721 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4722 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4723 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4724 self.assertEqual(ctx.keylog_filename, None)
4725
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4726 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4727 ctx.keylog_filename = os_helper.TESTFN
4728 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4729 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4730 self.assertEqual(self.keylog_lines(), 1)
4731
4732 ctx.keylog_filename = None
4733 self.assertEqual(ctx.keylog_filename, None)
4734
4735 with self.assertRaises((IsADirectoryError, PermissionError)):
4736 # Windows raises PermissionError
4737 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4738 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4739
4740 with self.assertRaises(TypeError):
4741 ctx.keylog_filename = 1
4742
4743 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4744 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4745 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4746 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4747 client_context, server_context, hostname = testing_context()
4748
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4749 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4750 server = ThreadedEchoServer(context=server_context, chatty=False)
4751 with server:
4752 with client_context.wrap_socket(socket.socket(),
4753 server_hostname=hostname) as s:
4754 s.connect((HOST, server.port))
4755 # header, 5 lines for TLS 1.3
4756 self.assertEqual(self.keylog_lines(), 6)
4757
4758 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4759 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4760 server = ThreadedEchoServer(context=server_context, chatty=False)
4761 with server:
4762 with client_context.wrap_socket(socket.socket(),
4763 server_hostname=hostname) as s:
4764 s.connect((HOST, server.port))
4765 self.assertGreaterEqual(self.keylog_lines(), 11)
4766
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4767 client_context.keylog_filename = os_helper.TESTFN
4768 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4769 server = ThreadedEchoServer(context=server_context, chatty=False)
4770 with server:
4771 with client_context.wrap_socket(socket.socket(),
4772 server_hostname=hostname) as s:
4773 s.connect((HOST, server.port))
4774 self.assertGreaterEqual(self.keylog_lines(), 21)
4775
4776 client_context.keylog_filename = None
4777 server_context.keylog_filename = None
4778
4779 @requires_keylog
4780 @unittest.skipIf(sys.flags.ignore_environment,
4781 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4782 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4783 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4784 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4785 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4786 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4787 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4788
4789 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4790 self.assertEqual(ctx.keylog_filename, None)
4791
4792 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4793 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4794
4795 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4796 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4797
4798 def test_msg_callback(self):
4799 client_context, server_context, hostname = testing_context()
4800
4801 def msg_cb(conn, direction, version, content_type, msg_type, data):
4802 pass
4803
4804 self.assertIs(client_context._msg_callback, None)
4805 client_context._msg_callback = msg_cb
4806 self.assertIs(client_context._msg_callback, msg_cb)
4807 with self.assertRaises(TypeError):
4808 client_context._msg_callback = object()
4809
4810 def test_msg_callback_tls12(self):
4811 client_context, server_context, hostname = testing_context()
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4812 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4813
4814 msg = []
4815
4816 def msg_cb(conn, direction, version, content_type, msg_type, data):
4817 self.assertIsInstance(conn, ssl.SSLSocket)
4818 self.assertIsInstance(data, bytes)
4819 self.assertIn(direction, {'read', 'write'})
4820 msg.append((direction, version, content_type, msg_type))
4821
4822 client_context._msg_callback = msg_cb
4823
4824 server = ThreadedEchoServer(context=server_context, chatty=False)
4825 with server:
4826 with client_context.wrap_socket(socket.socket(),
4827 server_hostname=hostname) as s:
4828 s.connect((HOST, server.port))
4829
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4830 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4831 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4832 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4833 msg
4834 )
4835 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4836 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4837 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4838 msg
4839 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4840
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4841 def test_msg_callback_deadlock_bpo43577(self):
4842 client_context, server_context, hostname = testing_context()
4843 server_context2 = testing_context()[1]
4844
4845 def msg_cb(conn, direction, version, content_type, msg_type, data):
4846 pass
4847
4848 def sni_cb(sock, servername, ctx):
4849 sock.context = server_context2
4850
4851 server_context._msg_callback = msg_cb
4852 server_context.sni_callback = sni_cb
4853
4854 server = ThreadedEchoServer(context=server_context, chatty=False)
4855 with server:
4856 with client_context.wrap_socket(socket.socket(),
4857 server_hostname=hostname) as s:
4858 s.connect((HOST, server.port))
4859 with client_context.wrap_socket(socket.socket(),
4860 server_hostname=hostname) as s:
4861 s.connect((HOST, server.port))
4862
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4863
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]4864class TestEnumerations(unittest.TestCase):
4865
4866 def test_tlsversion(self):
4867 class CheckedTLSVersion(enum.IntEnum):
4868 MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
4869 SSLv3 = _ssl.PROTO_SSLv3
4870 TLSv1 = _ssl.PROTO_TLSv1
4871 TLSv1_1 = _ssl.PROTO_TLSv1_1
4872 TLSv1_2 = _ssl.PROTO_TLSv1_2
4873 TLSv1_3 = _ssl.PROTO_TLSv1_3
4874 MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
4875 enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
4876
4877 def test_tlscontenttype(self):
4878 class Checked_TLSContentType(enum.IntEnum):
4879 """Content types (record layer)
4880
4881 See RFC 8446, section B.1
4882 """
4883 CHANGE_CIPHER_SPEC = 20
4884 ALERT = 21
4885 HANDSHAKE = 22
4886 APPLICATION_DATA = 23
4887 # pseudo content types
4888 HEADER = 0x100
4889 INNER_CONTENT_TYPE = 0x101
4890 enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
4891
4892 def test_tlsalerttype(self):
4893 class Checked_TLSAlertType(enum.IntEnum):
4894 """Alert types for TLSContentType.ALERT messages
4895
4896 See RFC 8466, section B.2
4897 """
4898 CLOSE_NOTIFY = 0
4899 UNEXPECTED_MESSAGE = 10
4900 BAD_RECORD_MAC = 20
4901 DECRYPTION_FAILED = 21
4902 RECORD_OVERFLOW = 22
4903 DECOMPRESSION_FAILURE = 30
4904 HANDSHAKE_FAILURE = 40
4905 NO_CERTIFICATE = 41
4906 BAD_CERTIFICATE = 42
4907 UNSUPPORTED_CERTIFICATE = 43
4908 CERTIFICATE_REVOKED = 44
4909 CERTIFICATE_EXPIRED = 45
4910 CERTIFICATE_UNKNOWN = 46
4911 ILLEGAL_PARAMETER = 47
4912 UNKNOWN_CA = 48
4913 ACCESS_DENIED = 49
4914 DECODE_ERROR = 50
4915 DECRYPT_ERROR = 51
4916 EXPORT_RESTRICTION = 60
4917 PROTOCOL_VERSION = 70
4918 INSUFFICIENT_SECURITY = 71
4919 INTERNAL_ERROR = 80
4920 INAPPROPRIATE_FALLBACK = 86
4921 USER_CANCELED = 90
4922 NO_RENEGOTIATION = 100
4923 MISSING_EXTENSION = 109
4924 UNSUPPORTED_EXTENSION = 110
4925 CERTIFICATE_UNOBTAINABLE = 111
4926 UNRECOGNIZED_NAME = 112
4927 BAD_CERTIFICATE_STATUS_RESPONSE = 113
4928 BAD_CERTIFICATE_HASH_VALUE = 114
4929 UNKNOWN_PSK_IDENTITY = 115
4930 CERTIFICATE_REQUIRED = 116
4931 NO_APPLICATION_PROTOCOL = 120
4932 enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
4933
4934 def test_tlsmessagetype(self):
4935 class Checked_TLSMessageType(enum.IntEnum):
4936 """Message types (handshake protocol)
4937
4938 See RFC 8446, section B.3
4939 """
4940 HELLO_REQUEST = 0
4941 CLIENT_HELLO = 1
4942 SERVER_HELLO = 2
4943 HELLO_VERIFY_REQUEST = 3
4944 NEWSESSION_TICKET = 4
4945 END_OF_EARLY_DATA = 5
4946 HELLO_RETRY_REQUEST = 6
4947 ENCRYPTED_EXTENSIONS = 8
4948 CERTIFICATE = 11
4949 SERVER_KEY_EXCHANGE = 12
4950 CERTIFICATE_REQUEST = 13
4951 SERVER_DONE = 14
4952 CERTIFICATE_VERIFY = 15
4953 CLIENT_KEY_EXCHANGE = 16
4954 FINISHED = 20
4955 CERTIFICATE_URL = 21
4956 CERTIFICATE_STATUS = 22
4957 SUPPLEMENTAL_DATA = 23
4958 KEY_UPDATE = 24
4959 NEXT_PROTO = 67
4960 MESSAGE_HASH = 254
4961 CHANGE_CIPHER_SPEC = 0x0101
4962 enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
4963
4964 def test_sslmethod(self):
4965 Checked_SSLMethod = enum._old_convert_(
4966 enum.IntEnum, '_SSLMethod', 'ssl',
4967 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4968 source=ssl._ssl,
4969 )
4970 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4971
4972 def test_options(self):
4973 CheckedOptions = enum._old_convert_(
4974 enum.FlagEnum, 'Options', 'ssl',
4975 lambda name: name.startswith('OP_'),
4976 source=ssl._ssl,
4977 )
4978 enum._test_simple_enum(CheckedOptions, ssl.Options)
4979
4980
4981 def test_alertdescription(self):
4982 CheckedAlertDescription = enum._old_convert_(
4983 enum.IntEnum, 'AlertDescription', 'ssl',
4984 lambda name: name.startswith('ALERT_DESCRIPTION_'),
4985 source=ssl._ssl,
4986 )
4987 enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
4988
4989 def test_sslerrornumber(self):
4990 Checked_SSLMethod = enum._old_convert_(
4991 enum.IntEnum, '_SSLMethod', 'ssl',
4992 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4993 source=ssl._ssl,
4994 )
4995 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4996
4997 def test_verifyflags(self):
4998 CheckedVerifyFlags = enum._old_convert_(
4999 enum.FlagEnum, 'VerifyFlags', 'ssl',
5000 lambda name: name.startswith('VERIFY_'),
5001 source=ssl._ssl,
5002 )
5003 enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
5004
5005 def test_verifymode(self):
5006 CheckedVerifyMode = enum._old_convert_(
5007 enum.IntEnum, 'VerifyMode', 'ssl',
5008 lambda name: name.startswith('CERT_'),
5009 source=ssl._ssl,
5010 )
5011 enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
5012
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5013def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]5014 if support.verbose:
5015 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]5016 'Mac': platform.mac_ver,
5017 'Windows': platform.win32_ver,
5018 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]5019 for name, func in plats.items():
5020 plat = func()
5021 if plat and plat[0]:
5022 plat = '%s %r' % (name, plat)
5023 break
5024 else:
5025 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]5026 print("test_ssl: testing with %r %r" %
5027 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
5028 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]5029 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]5030 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
5031 try:
5032 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
5033 except AttributeError:
5034 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]5035
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]5036 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]5037 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]5038 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]5039 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]5040 BADCERT, BADKEY, EMPTYCERT]:
5041 if not os.path.exists(filename):
5042 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]5043
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]5044 tests = [
5045 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]5046 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5047 TestPostHandshakeAuth, TestSSLDebug
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]5048 ]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5049
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]5050 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]5051 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5052
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]5053 thread_info = threading_helper.threading_setup()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]5054 try:
5055 support.run_unittest(*tests)
5056 finally:
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]5057 threading_helper.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5058
5059if __name__ == "__main__":
5060 test_main()