Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / a61d058bf97291a51cc6481a3e76c2aa5500b37c / . / Lib / test / test_ssl.py
blob: 01aa82ad90b7b4cfbc3eb456740eee16373f553e [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]5from test import support
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]6import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]7import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]8import time
Christian Heimes9424bb42013-06-17 15:32:57 +0200[diff] [blame]9import datetime
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]10import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]11import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]12import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]13import pprint
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]14import tempfile
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]15import urllib.request
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]16import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]17import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]18import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]19import platform
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]20import functools
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]21from unittest import mock
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]22
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]23ssl = support.import_module("ssl")
24
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]25PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]26HOST = support.HOST
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]27
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]28def data_file(*name):
29 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]30
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]31# The custom key and certificate files used in test_ssl are generated
32# using Lib/test/make_ssl_certs.py.
33# Other certificates are simply fetched from the Internet servers they
34# are meant to authenticate.
35
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]36CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]37BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]38ONLYCERT = data_file("ssl_cert.pem")
39ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]40BYTES_ONLYCERT = os.fsencode(ONLYCERT)
41BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]42CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
43ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
44KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]45CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]46BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]47CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
48CAFILE_CACERT = data_file("capath", "5ed36f99.0")
49
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]50
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]51# empty CRL
52CRLFILE = data_file("revocation.crl")
53
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]54# Two keys and certs signed by the same CA (for SNI tests)
55SIGNED_CERTFILE = data_file("keycert3.pem")
56SIGNED_CERTFILE2 = data_file("keycert4.pem")
57SIGNING_CA = data_file("pycacert.pem")
58
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]59SVN_PYTHON_ORG_ROOT_CERT = data_file("https_svn_python_org_root.pem")
60
61EMPTYCERT = data_file("nullcert.pem")
62BADCERT = data_file("badcert.pem")
63WRONGCERT = data_file("XXXnonexisting.pem")
64BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]65NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]66NULLBYTECERT = data_file("nullbytecert.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]67
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]68DHFILE = data_file("dh512.pem")
69BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]70
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]71
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]72def handle_error(prefix):
73 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]74 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]75 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]76
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]77def can_clear_options():
78 # 0.9.8m or higher
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]79 return ssl._OPENSSL_API_VERSION >= (0, 9, 8, 13, 15)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]80
81def no_sslv2_implies_sslv3_hello():
82 # 0.9.7h or higher
83 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
84
Christian Heimes2427b502013-11-23 11:24:32 +0100[diff] [blame]85def have_verify_flags():
86 # 0.9.8 or higher
87 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
88
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]89def utc_offset(): #NOTE: ignore issues like #1647654
90 # local time = utc time + utc offset
91 if time.daylight and time.localtime().tm_isdst > 0:
92 return -time.altzone # seconds
93 return -time.timezone
94
Christian Heimes9424bb42013-06-17 15:32:57 +0200[diff] [blame]95def asn1time(cert_time):
96 # Some versions of OpenSSL ignore seconds, see #18207
97 # 0.9.8.i
98 if ssl._OPENSSL_API_VERSION == (0, 9, 8, 9, 15):
99 fmt = "%b %d %H:%M:%S %Y GMT"
100 dt = datetime.datetime.strptime(cert_time, fmt)
101 dt = dt.replace(second=0)
102 cert_time = dt.strftime(fmt)
103 # %d adds leading zero but ASN1_TIME_print() uses leading space
104 if cert_time[4] == "0":
105 cert_time = cert_time[:4] + " " + cert_time[5:]
106
107 return cert_time
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]108
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]109# Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
110def skip_if_broken_ubuntu_ssl(func):
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]111 if hasattr(ssl, 'PROTOCOL_SSLv2'):
112 @functools.wraps(func)
113 def f(*args, **kwargs):
114 try:
115 ssl.SSLContext(ssl.PROTOCOL_SSLv2)
116 except ssl.SSLError:
117 if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
118 platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
119 raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
120 return func(*args, **kwargs)
121 return f
122 else:
123 return func
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]124
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]125needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")
126
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]127
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]128class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]129
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]130 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]131 ssl.CERT_NONE
132 ssl.CERT_OPTIONAL
133 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]134 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]135 ssl.OP_SINGLE_DH_USE
Antoine Pitrouc135fa42012-02-19 21:22:39 +0100[diff] [blame]136 if ssl.HAS_ECDH:
137 ssl.OP_SINGLE_ECDH_USE
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]138 if ssl.OPENSSL_VERSION_INFO >= (1, 0):
139 ssl.OP_NO_COMPRESSION
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]140 self.assertIn(ssl.HAS_SNI, {True, False})
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]141 self.assertIn(ssl.HAS_ECDH, {True, False})
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]142
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]143 def test_str_for_enums(self):
144 # Make sure that the PROTOCOL_* constants have enum-like string
145 # reprs.
146 proto = ssl.PROTOCOL_SSLv3
147 self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_SSLv3')
148 ctx = ssl.SSLContext(proto)
149 self.assertIs(ctx.protocol, proto)
150
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]151 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]152 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]153 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]154 sys.stdout.write("\n RAND_status is %d (%s)\n"
155 % (v, (v and "sufficient randomness") or
156 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]157
158 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
159 self.assertEqual(len(data), 16)
160 self.assertEqual(is_cryptographic, v == 1)
161 if v:
162 data = ssl.RAND_bytes(16)
163 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]164 else:
165 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]166
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]167 # negative num is invalid
168 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
169 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
170
Jesus Ceac8754a12012-09-11 02:00:58 +0200[diff] [blame]171 self.assertRaises(TypeError, ssl.RAND_egd, 1)
172 self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]173 ssl.RAND_add("this is a random string", 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]174
Christian Heimesf77b4b22013-08-21 13:26:05 +0200[diff] [blame]175 @unittest.skipUnless(os.name == 'posix', 'requires posix')
176 def test_random_fork(self):
177 status = ssl.RAND_status()
178 if not status:
179 self.fail("OpenSSL's PRNG has insufficient randomness")
180
181 rfd, wfd = os.pipe()
182 pid = os.fork()
183 if pid == 0:
184 try:
185 os.close(rfd)
186 child_random = ssl.RAND_pseudo_bytes(16)[0]
187 self.assertEqual(len(child_random), 16)
188 os.write(wfd, child_random)
189 os.close(wfd)
190 except BaseException:
191 os._exit(1)
192 else:
193 os._exit(0)
194 else:
195 os.close(wfd)
196 self.addCleanup(os.close, rfd)
197 _, status = os.waitpid(pid, 0)
198 self.assertEqual(status, 0)
199
200 child_random = os.read(rfd, 16)
201 self.assertEqual(len(child_random), 16)
202 parent_random = ssl.RAND_pseudo_bytes(16)[0]
203 self.assertEqual(len(parent_random), 16)
204
205 self.assertNotEqual(child_random, parent_random)
206
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]207 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]208 # note that this uses an 'unofficial' function in _ssl.c,
209 # provided solely for this test, to exercise the certificate
210 # parsing code
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]211 p = ssl._ssl._test_decode_cert(CERTFILE)
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]212 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]213 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]214 self.assertEqual(p['issuer'],
215 ((('countryName', 'XY'),),
216 (('localityName', 'Castle Anthrax'),),
217 (('organizationName', 'Python Software Foundation'),),
218 (('commonName', 'localhost'),))
219 )
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]220 # Note the next three asserts will fail if the keys are regenerated
Christian Heimes9424bb42013-06-17 15:32:57 +0200[diff] [blame]221 self.assertEqual(p['notAfter'], asn1time('Oct 5 23:01:56 2020 GMT'))
222 self.assertEqual(p['notBefore'], asn1time('Oct 8 23:01:56 2010 GMT'))
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]223 self.assertEqual(p['serialNumber'], 'D7C7381919AFC24E')
224 self.assertEqual(p['subject'],
225 ((('countryName', 'XY'),),
226 (('localityName', 'Castle Anthrax'),),
227 (('organizationName', 'Python Software Foundation'),),
228 (('commonName', 'localhost'),))
229 )
230 self.assertEqual(p['subjectAltName'], (('DNS', 'localhost'),))
231 # Issue #13034: the subjectAltName in some certificates
232 # (notably projects.developer.nokia.com:443) wasn't parsed
233 p = ssl._ssl._test_decode_cert(NOKIACERT)
234 if support.verbose:
235 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
236 self.assertEqual(p['subjectAltName'],
237 (('DNS', 'projects.developer.nokia.com'),
238 ('DNS', 'projects.forum.nokia.com'))
239 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]240 # extra OCSP and AIA fields
241 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
242 self.assertEqual(p['caIssuers'],
243 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
244 self.assertEqual(p['crlDistributionPoints'],
245 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]246
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]247 def test_parse_cert_CVE_2013_4238(self):
248 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
249 if support.verbose:
250 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
251 subject = ((('countryName', 'US'),),
252 (('stateOrProvinceName', 'Oregon'),),
253 (('localityName', 'Beaverton'),),
254 (('organizationName', 'Python Software Foundation'),),
255 (('organizationalUnitName', 'Python Core Development'),),
256 (('commonName', 'null.python.org\x00example.org'),),
257 (('emailAddress', 'python-dev@python.org'),))
258 self.assertEqual(p['subject'], subject)
259 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]260 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
261 san = (('DNS', 'altnull.python.org\x00example.com'),
262 ('email', 'null@python.org\x00user@example.org'),
263 ('URI', 'http://null.python.org\x00http://example.org'),
264 ('IP Address', '192.0.2.1'),
265 ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
266 else:
267 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
268 san = (('DNS', 'altnull.python.org\x00example.com'),
269 ('email', 'null@python.org\x00user@example.org'),
270 ('URI', 'http://null.python.org\x00http://example.org'),
271 ('IP Address', '192.0.2.1'),
272 ('IP Address', '<invalid>'))
273
274 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]275
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]276 def test_DER_to_PEM(self):
277 with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
278 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]279 d1 = ssl.PEM_cert_to_DER_cert(pem)
280 p2 = ssl.DER_cert_to_PEM_cert(d1)
281 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]282 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]283 if not p2.startswith(ssl.PEM_HEADER + '\n'):
284 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
285 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
286 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]287
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]288 def test_openssl_version(self):
289 n = ssl.OPENSSL_VERSION_NUMBER
290 t = ssl.OPENSSL_VERSION_INFO
291 s = ssl.OPENSSL_VERSION
292 self.assertIsInstance(n, int)
293 self.assertIsInstance(t, tuple)
294 self.assertIsInstance(s, str)
295 # Some sanity checks follow
296 # >= 0.9
297 self.assertGreaterEqual(n, 0x900000)
Antoine Pitroudfab9352014-07-21 18:35:01 -0400[diff] [blame]298 # < 3.0
299 self.assertLess(n, 0x30000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]300 major, minor, fix, patch, status = t
301 self.assertGreaterEqual(major, 0)
Antoine Pitroudfab9352014-07-21 18:35:01 -0400[diff] [blame]302 self.assertLess(major, 3)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]303 self.assertGreaterEqual(minor, 0)
304 self.assertLess(minor, 256)
305 self.assertGreaterEqual(fix, 0)
306 self.assertLess(fix, 256)
307 self.assertGreaterEqual(patch, 0)
308 self.assertLessEqual(patch, 26)
309 self.assertGreaterEqual(status, 0)
310 self.assertLessEqual(status, 15)
Antoine Pitroudfab9352014-07-21 18:35:01 -0400[diff] [blame]311 # Version string as returned by {Open,Libre}SSL, the format might change
312 if "LibreSSL" in s:
313 self.assertTrue(s.startswith("LibreSSL {:d}.{:d}".format(major, minor)),
314 (s, t))
315 else:
316 self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),
317 (s, t))
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]318
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]319 @support.cpython_only
320 def test_refcycle(self):
321 # Issue #7943: an SSL object doesn't create reference cycles with
322 # itself.
323 s = socket.socket(socket.AF_INET)
324 ss = ssl.wrap_socket(s)
325 wr = weakref.ref(ss)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]326 with support.check_warnings(("", ResourceWarning)):
327 del ss
328 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]329
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]330 def test_wrapped_unconnected(self):
331 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]332 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]333 s = socket.socket(socket.AF_INET)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]334 with ssl.wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]335 self.assertRaises(OSError, ss.recv, 1)
336 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
337 self.assertRaises(OSError, ss.recvfrom, 1)
338 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
339 self.assertRaises(OSError, ss.send, b'x')
340 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]341
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]342 def test_timeout(self):
343 # Issue #8524: when creating an SSL socket, the timeout of the
344 # original socket should be retained.
345 for timeout in (None, 0.0, 5.0):
346 s = socket.socket(socket.AF_INET)
347 s.settimeout(timeout)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]348 with ssl.wrap_socket(s) as ss:
349 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]350
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]351 def test_errors(self):
352 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]353 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]354 "certfile must be specified",
355 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]356 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]357 "certfile must be specified for server-side operations",
358 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]359 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]360 "certfile must be specified for server-side operations",
361 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]362 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
363 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
364 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]365 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]366 with socket.socket() as sock:
367 ssl.wrap_socket(sock, certfile=WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]368 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]369 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]370 with socket.socket() as sock:
371 ssl.wrap_socket(sock, certfile=CERTFILE, keyfile=WRONGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]372 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]373 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]374 with socket.socket() as sock:
375 ssl.wrap_socket(sock, certfile=WRONGCERT, keyfile=WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]376 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]377
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]378 def test_match_hostname(self):
379 def ok(cert, hostname):
380 ssl.match_hostname(cert, hostname)
381 def fail(cert, hostname):
382 self.assertRaises(ssl.CertificateError,
383 ssl.match_hostname, cert, hostname)
384
385 cert = {'subject': ((('commonName', 'example.com'),),)}
386 ok(cert, 'example.com')
387 ok(cert, 'ExAmple.cOm')
388 fail(cert, 'www.example.com')
389 fail(cert, '.example.com')
390 fail(cert, 'example.org')
391 fail(cert, 'exampleXcom')
392
393 cert = {'subject': ((('commonName', '*.a.com'),),)}
394 ok(cert, 'foo.a.com')
395 fail(cert, 'bar.foo.a.com')
396 fail(cert, 'a.com')
397 fail(cert, 'Xa.com')
398 fail(cert, '.a.com')
399
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]400 # only match one left-most wildcard
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]401 cert = {'subject': ((('commonName', 'f*.com'),),)}
402 ok(cert, 'foo.com')
403 ok(cert, 'f.com')
404 fail(cert, 'bar.com')
405 fail(cert, 'foo.a.com')
406 fail(cert, 'bar.foo.com')
407
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]408 # NULL bytes are bad, CVE-2013-4073
409 cert = {'subject': ((('commonName',
410 'null.python.org\x00example.org'),),)}
411 ok(cert, 'null.python.org\x00example.org') # or raise an error?
412 fail(cert, 'example.org')
413 fail(cert, 'null.python.org')
414
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]415 # error cases with wildcards
416 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
417 fail(cert, 'bar.foo.a.com')
418 fail(cert, 'a.com')
419 fail(cert, 'Xa.com')
420 fail(cert, '.a.com')
421
422 cert = {'subject': ((('commonName', 'a.*.com'),),)}
423 fail(cert, 'a.foo.com')
424 fail(cert, 'a..com')
425 fail(cert, 'a.com')
426
427 # wildcard doesn't match IDNA prefix 'xn--'
428 idna = 'püthon.python.org'.encode("idna").decode("ascii")
429 cert = {'subject': ((('commonName', idna),),)}
430 ok(cert, idna)
431 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
432 fail(cert, idna)
433 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
434 fail(cert, idna)
435
436 # wildcard in first fragment and IDNA A-labels in sequent fragments
437 # are supported.
438 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
439 cert = {'subject': ((('commonName', idna),),)}
440 ok(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
441 ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
442 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
443 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
444
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]445 # Slightly fake real-world example
446 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
447 'subject': ((('commonName', 'linuxfrz.org'),),),
448 'subjectAltName': (('DNS', 'linuxfr.org'),
449 ('DNS', 'linuxfr.com'),
450 ('othername', '<unsupported>'))}
451 ok(cert, 'linuxfr.org')
452 ok(cert, 'linuxfr.com')
453 # Not a "DNS" entry
454 fail(cert, '<unsupported>')
455 # When there is a subjectAltName, commonName isn't used
456 fail(cert, 'linuxfrz.org')
457
458 # A pristine real-world example
459 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
460 'subject': ((('countryName', 'US'),),
461 (('stateOrProvinceName', 'California'),),
462 (('localityName', 'Mountain View'),),
463 (('organizationName', 'Google Inc'),),
464 (('commonName', 'mail.google.com'),))}
465 ok(cert, 'mail.google.com')
466 fail(cert, 'gmail.com')
467 # Only commonName is considered
468 fail(cert, 'California')
469
470 # Neither commonName nor subjectAltName
471 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
472 'subject': ((('countryName', 'US'),),
473 (('stateOrProvinceName', 'California'),),
474 (('localityName', 'Mountain View'),),
475 (('organizationName', 'Google Inc'),))}
476 fail(cert, 'mail.google.com')
477
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]478 # No DNS entry in subjectAltName but a commonName
479 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
480 'subject': ((('countryName', 'US'),),
481 (('stateOrProvinceName', 'California'),),
482 (('localityName', 'Mountain View'),),
483 (('commonName', 'mail.google.com'),)),
484 'subjectAltName': (('othername', 'blabla'), )}
485 ok(cert, 'mail.google.com')
486
487 # No DNS entry subjectAltName and no commonName
488 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
489 'subject': ((('countryName', 'US'),),
490 (('stateOrProvinceName', 'California'),),
491 (('localityName', 'Mountain View'),),
492 (('organizationName', 'Google Inc'),)),
493 'subjectAltName': (('othername', 'blabla'),)}
494 fail(cert, 'google.com')
495
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]496 # Empty cert / no cert
497 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
498 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
499
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]500 # Issue #17980: avoid denials of service by refusing more than one
501 # wildcard per fragment.
502 cert = {'subject': ((('commonName', 'a*b.com'),),)}
503 ok(cert, 'axxb.com')
504 cert = {'subject': ((('commonName', 'a*b.co*'),),)}
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]505 fail(cert, 'axxb.com')
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]506 cert = {'subject': ((('commonName', 'a*b*.com'),),)}
507 with self.assertRaises(ssl.CertificateError) as cm:
508 ssl.match_hostname(cert, 'axxbxxc.com')
509 self.assertIn("too many wildcards", str(cm.exception))
510
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]511 def test_server_side(self):
512 # server_hostname doesn't work for server sockets
513 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]514 with socket.socket() as sock:
515 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
516 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]517
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]518 def test_unknown_channel_binding(self):
519 # should raise ValueError for unknown type
520 s = socket.socket(socket.AF_INET)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]521 with ssl.wrap_socket(s) as ss:
522 with self.assertRaises(ValueError):
523 ss.get_channel_binding("unknown-type")
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]524
525 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
526 "'tls-unique' channel binding not available")
527 def test_tls_unique_channel_binding(self):
528 # unconnected should return None for known type
529 s = socket.socket(socket.AF_INET)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]530 with ssl.wrap_socket(s) as ss:
531 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]532 # the same for server-side
533 s = socket.socket(socket.AF_INET)
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]534 with ssl.wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
535 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]536
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]537 def test_dealloc_warn(self):
538 ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
539 r = repr(ss)
540 with self.assertWarns(ResourceWarning) as cm:
541 ss = None
542 support.gc_collect()
543 self.assertIn(r, str(cm.warning.args[0]))
544
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]545 def test_get_default_verify_paths(self):
546 paths = ssl.get_default_verify_paths()
547 self.assertEqual(len(paths), 6)
548 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
549
550 with support.EnvironmentVarGuard() as env:
551 env["SSL_CERT_DIR"] = CAPATH
552 env["SSL_CERT_FILE"] = CERTFILE
553 paths = ssl.get_default_verify_paths()
554 self.assertEqual(paths.cafile, CERTFILE)
555 self.assertEqual(paths.capath, CAPATH)
556
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]557 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
558 def test_enum_certificates(self):
559 self.assertTrue(ssl.enum_certificates("CA"))
560 self.assertTrue(ssl.enum_certificates("ROOT"))
561
562 self.assertRaises(TypeError, ssl.enum_certificates)
563 self.assertRaises(WindowsError, ssl.enum_certificates, "")
564
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]565 trust_oids = set()
566 for storename in ("CA", "ROOT"):
567 store = ssl.enum_certificates(storename)
568 self.assertIsInstance(store, list)
569 for element in store:
570 self.assertIsInstance(element, tuple)
571 self.assertEqual(len(element), 3)
572 cert, enc, trust = element
573 self.assertIsInstance(cert, bytes)
574 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
575 self.assertIsInstance(trust, (set, bool))
576 if isinstance(trust, set):
577 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]578
579 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]580 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]581
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]582 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]583 def test_enum_crls(self):
584 self.assertTrue(ssl.enum_crls("CA"))
585 self.assertRaises(TypeError, ssl.enum_crls)
586 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]587
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]588 crls = ssl.enum_crls("CA")
589 self.assertIsInstance(crls, list)
590 for element in crls:
591 self.assertIsInstance(element, tuple)
592 self.assertEqual(len(element), 2)
593 self.assertIsInstance(element[0], bytes)
594 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]595
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]596
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]597 def test_asn1object(self):
598 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
599 '1.3.6.1.5.5.7.3.1')
600
601 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
602 self.assertEqual(val, expected)
603 self.assertEqual(val.nid, 129)
604 self.assertEqual(val.shortname, 'serverAuth')
605 self.assertEqual(val.longname, 'TLS Web Server Authentication')
606 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
607 self.assertIsInstance(val, ssl._ASN1Object)
608 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
609
610 val = ssl._ASN1Object.fromnid(129)
611 self.assertEqual(val, expected)
612 self.assertIsInstance(val, ssl._ASN1Object)
613 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]614 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
615 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]616 for i in range(1000):
617 try:
618 obj = ssl._ASN1Object.fromnid(i)
619 except ValueError:
620 pass
621 else:
622 self.assertIsInstance(obj.nid, int)
623 self.assertIsInstance(obj.shortname, str)
624 self.assertIsInstance(obj.longname, str)
625 self.assertIsInstance(obj.oid, (str, type(None)))
626
627 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
628 self.assertEqual(val, expected)
629 self.assertIsInstance(val, ssl._ASN1Object)
630 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
631 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
632 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]633 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
634 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]635
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]636 def test_purpose_enum(self):
637 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
638 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
639 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
640 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
641 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
642 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
643 '1.3.6.1.5.5.7.3.1')
644
645 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
646 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
647 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
648 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
649 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
650 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
651 '1.3.6.1.5.5.7.3.2')
652
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]653 def test_unsupported_dtls(self):
654 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
655 self.addCleanup(s.close)
656 with self.assertRaises(NotImplementedError) as cx:
657 ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
658 self.assertEqual(str(cx.exception), "only stream sockets are supported")
659 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
660 with self.assertRaises(NotImplementedError) as cx:
661 ctx.wrap_socket(s)
662 self.assertEqual(str(cx.exception), "only stream sockets are supported")
663
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]664 def cert_time_ok(self, timestring, timestamp):
665 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
666
667 def cert_time_fail(self, timestring):
668 with self.assertRaises(ValueError):
669 ssl.cert_time_to_seconds(timestring)
670
671 @unittest.skipUnless(utc_offset(),
672 'local time needs to be different from UTC')
673 def test_cert_time_to_seconds_timezone(self):
674 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
675 # results if local timezone is not UTC
676 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
677 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
678
679 def test_cert_time_to_seconds(self):
680 timestring = "Jan 5 09:34:43 2018 GMT"
681 ts = 1515144883.0
682 self.cert_time_ok(timestring, ts)
683 # accept keyword parameter, assert its name
684 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
685 # accept both %e and %d (space or zero generated by strftime)
686 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
687 # case-insensitive
688 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
689 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
690 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
691 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
692 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
693 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
694 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
695 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
696
697 newyear_ts = 1230768000.0
698 # leap seconds
699 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
700 # same timestamp
701 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
702
703 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
704 # allow 60th second (even if it is not a leap second)
705 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
706 # allow 2nd leap second for compatibility with time.strptime()
707 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
708 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
709
710 # no special treatement for the special value:
711 # 99991231235959Z (rfc 5280)
712 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
713
714 @support.run_with_locale('LC_ALL', '')
715 def test_cert_time_to_seconds_locale(self):
716 # `cert_time_to_seconds()` should be locale independent
717
718 def local_february_name():
719 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
720
721 if local_february_name().lower() == 'feb':
722 self.skipTest("locale-specific month name needs to be "
723 "different from C locale")
724
725 # locale-independent
726 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
727 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
728
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]729
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]730class ContextTests(unittest.TestCase):
731
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]732 @skip_if_broken_ubuntu_ssl
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]733 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]734 for protocol in PROTOCOLS:
735 ssl.SSLContext(protocol)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]736 self.assertRaises(TypeError, ssl.SSLContext)
737 self.assertRaises(ValueError, ssl.SSLContext, -1)
738 self.assertRaises(ValueError, ssl.SSLContext, 42)
739
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]740 @skip_if_broken_ubuntu_ssl
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]741 def test_protocol(self):
742 for proto in PROTOCOLS:
743 ctx = ssl.SSLContext(proto)
744 self.assertEqual(ctx.protocol, proto)
745
746 def test_ciphers(self):
747 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
748 ctx.set_ciphers("ALL")
749 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]750 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]751 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]752
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]753 @skip_if_broken_ubuntu_ssl
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]754 def test_options(self):
755 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
Antoine Pitroucd3d7ca2014-01-09 20:02:20 +0100[diff] [blame]756 # OP_ALL | OP_NO_SSLv2 is the default value
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]757 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
758 ctx.options)
759 ctx.options |= ssl.OP_NO_SSLv3
760 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
761 ctx.options)
762 if can_clear_options():
763 ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
764 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
765 ctx.options)
766 ctx.options = 0
767 self.assertEqual(0, ctx.options)
768 else:
769 with self.assertRaises(ValueError):
770 ctx.options = 0
771
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]772 def test_verify_mode(self):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]773 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
774 # Default value
775 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
776 ctx.verify_mode = ssl.CERT_OPTIONAL
777 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
778 ctx.verify_mode = ssl.CERT_REQUIRED
779 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
780 ctx.verify_mode = ssl.CERT_NONE
781 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
782 with self.assertRaises(TypeError):
783 ctx.verify_mode = None
784 with self.assertRaises(ValueError):
785 ctx.verify_mode = 42
786
Christian Heimes2427b502013-11-23 11:24:32 +0100[diff] [blame]787 @unittest.skipUnless(have_verify_flags(),
788 "verify_flags need OpenSSL > 0.9.8")
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]789 def test_verify_flags(self):
790 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
791 # default value by OpenSSL
792 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
793 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
794 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
795 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
796 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
797 ctx.verify_flags = ssl.VERIFY_DEFAULT
798 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
799 # supports any value
800 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
801 self.assertEqual(ctx.verify_flags,
802 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
803 with self.assertRaises(TypeError):
804 ctx.verify_flags = None
805
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]806 def test_load_cert_chain(self):
807 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
808 # Combined key and cert in a single file
809 ctx.load_cert_chain(CERTFILE)
810 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
811 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]812 with self.assertRaises(OSError) as cm:
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]813 ctx.load_cert_chain(WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]814 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]815 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]816 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]817 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]818 ctx.load_cert_chain(EMPTYCERT)
819 # Separate key and cert
Antoine Pitroud0919502010-05-17 10:30:00 +0000[diff] [blame]820 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]821 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
822 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
823 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]824 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]825 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]826 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]827 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]828 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]829 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
830 # Mismatching key and cert
Antoine Pitroud0919502010-05-17 10:30:00 +0000[diff] [blame]831 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]832 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]833 ctx.load_cert_chain(SVN_PYTHON_ORG_ROOT_CERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]834 # Password protected key and cert
835 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
836 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
837 ctx.load_cert_chain(CERTFILE_PROTECTED,
838 password=bytearray(KEY_PASSWORD.encode()))
839 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
840 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
841 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
842 bytearray(KEY_PASSWORD.encode()))
843 with self.assertRaisesRegex(TypeError, "should be a string"):
844 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
845 with self.assertRaises(ssl.SSLError):
846 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
847 with self.assertRaisesRegex(ValueError, "cannot be longer"):
848 # openssl has a fixed limit on the password buffer.
849 # PEM_BUFSIZE is generally set to 1kb.
850 # Return a string larger than this.
851 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
852 # Password callback
853 def getpass_unicode():
854 return KEY_PASSWORD
855 def getpass_bytes():
856 return KEY_PASSWORD.encode()
857 def getpass_bytearray():
858 return bytearray(KEY_PASSWORD.encode())
859 def getpass_badpass():
860 return "badpass"
861 def getpass_huge():
862 return b'a' * (1024 * 1024)
863 def getpass_bad_type():
864 return 9
865 def getpass_exception():
866 raise Exception('getpass error')
867 class GetPassCallable:
868 def __call__(self):
869 return KEY_PASSWORD
870 def getpass(self):
871 return KEY_PASSWORD
872 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
873 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
874 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
875 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
876 ctx.load_cert_chain(CERTFILE_PROTECTED,
877 password=GetPassCallable().getpass)
878 with self.assertRaises(ssl.SSLError):
879 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
880 with self.assertRaisesRegex(ValueError, "cannot be longer"):
881 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
882 with self.assertRaisesRegex(TypeError, "must return a string"):
883 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
884 with self.assertRaisesRegex(Exception, "getpass error"):
885 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
886 # Make sure the password function isn't called if it isn't needed
887 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]888
889 def test_load_verify_locations(self):
890 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
891 ctx.load_verify_locations(CERTFILE)
892 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
893 ctx.load_verify_locations(BYTES_CERTFILE)
894 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
895 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]896 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]897 with self.assertRaises(OSError) as cm:
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]898 ctx.load_verify_locations(WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]899 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]900 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]901 ctx.load_verify_locations(BADCERT)
902 ctx.load_verify_locations(CERTFILE, CAPATH)
903 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
904
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]905 # Issue #10989: crash if the second argument type is invalid
906 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
907
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]908 def test_load_verify_cadata(self):
909 # test cadata
910 with open(CAFILE_CACERT) as f:
911 cacert_pem = f.read()
912 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
913 with open(CAFILE_NEURONIO) as f:
914 neuronio_pem = f.read()
915 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
916
917 # test PEM
918 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
919 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
920 ctx.load_verify_locations(cadata=cacert_pem)
921 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
922 ctx.load_verify_locations(cadata=neuronio_pem)
923 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
924 # cert already in hash table
925 ctx.load_verify_locations(cadata=neuronio_pem)
926 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
927
928 # combined
929 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
930 combined = "\n".join((cacert_pem, neuronio_pem))
931 ctx.load_verify_locations(cadata=combined)
932 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
933
934 # with junk around the certs
935 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
936 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
937 neuronio_pem, "tail"]
938 ctx.load_verify_locations(cadata="\n".join(combined))
939 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
940
941 # test DER
942 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
943 ctx.load_verify_locations(cadata=cacert_der)
944 ctx.load_verify_locations(cadata=neuronio_der)
945 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
946 # cert already in hash table
947 ctx.load_verify_locations(cadata=cacert_der)
948 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
949
950 # combined
951 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
952 combined = b"".join((cacert_der, neuronio_der))
953 ctx.load_verify_locations(cadata=combined)
954 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
955
956 # error cases
957 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
958 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
959
960 with self.assertRaisesRegex(ssl.SSLError, "no start line"):
961 ctx.load_verify_locations(cadata="broken")
962 with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
963 ctx.load_verify_locations(cadata=b"broken")
964
965
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]966 def test_load_dh_params(self):
967 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
968 ctx.load_dh_params(DHFILE)
969 if os.name != 'nt':
970 ctx.load_dh_params(BYTES_DHFILE)
971 self.assertRaises(TypeError, ctx.load_dh_params)
972 self.assertRaises(TypeError, ctx.load_dh_params, None)
973 with self.assertRaises(FileNotFoundError) as cm:
974 ctx.load_dh_params(WRONGCERT)
975 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]976 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]977 ctx.load_dh_params(CERTFILE)
978
Antoine Pitroueb585ad2010-10-22 18:24:20 +0000[diff] [blame]979 @skip_if_broken_ubuntu_ssl
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]980 def test_session_stats(self):
981 for proto in PROTOCOLS:
982 ctx = ssl.SSLContext(proto)
983 self.assertEqual(ctx.session_stats(), {
984 'number': 0,
985 'connect': 0,
986 'connect_good': 0,
987 'connect_renegotiate': 0,
988 'accept': 0,
989 'accept_good': 0,
990 'accept_renegotiate': 0,
991 'hits': 0,
992 'misses': 0,
993 'timeouts': 0,
994 'cache_full': 0,
995 })
996
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]997 def test_set_default_verify_paths(self):
998 # There's not much we can do to test that it acts as expected,
999 # so just check it doesn't crash or raise an exception.
1000 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1001 ctx.set_default_verify_paths()
1002
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1003 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1004 def test_set_ecdh_curve(self):
1005 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1006 ctx.set_ecdh_curve("prime256v1")
1007 ctx.set_ecdh_curve(b"prime256v1")
1008 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1009 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1010 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1011 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1012
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1013 @needs_sni
1014 def test_sni_callback(self):
1015 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1016
1017 # set_servername_callback expects a callable, or None
1018 self.assertRaises(TypeError, ctx.set_servername_callback)
1019 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1020 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1021 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1022
1023 def dummycallback(sock, servername, ctx):
1024 pass
1025 ctx.set_servername_callback(None)
1026 ctx.set_servername_callback(dummycallback)
1027
1028 @needs_sni
1029 def test_sni_callback_refcycle(self):
1030 # Reference cycles through the servername callback are detected
1031 # and cleared.
1032 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1033 def dummycallback(sock, servername, ctx, cycle=ctx):
1034 pass
1035 ctx.set_servername_callback(dummycallback)
1036 wr = weakref.ref(ctx)
1037 del ctx, dummycallback
1038 gc.collect()
1039 self.assertIs(wr(), None)
1040
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1041 def test_cert_store_stats(self):
1042 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1043 self.assertEqual(ctx.cert_store_stats(),
1044 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1045 ctx.load_cert_chain(CERTFILE)
1046 self.assertEqual(ctx.cert_store_stats(),
1047 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1048 ctx.load_verify_locations(CERTFILE)
1049 self.assertEqual(ctx.cert_store_stats(),
1050 {'x509_ca': 0, 'crl': 0, 'x509': 1})
1051 ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
1052 self.assertEqual(ctx.cert_store_stats(),
1053 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1054
1055 def test_get_ca_certs(self):
1056 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1057 self.assertEqual(ctx.get_ca_certs(), [])
1058 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1059 ctx.load_verify_locations(CERTFILE)
1060 self.assertEqual(ctx.get_ca_certs(), [])
1061 # but SVN_PYTHON_ORG_ROOT_CERT is a CA cert
1062 ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
1063 self.assertEqual(ctx.get_ca_certs(),
1064 [{'issuer': ((('organizationName', 'Root CA'),),
1065 (('organizationalUnitName', 'http://www.cacert.org'),),
1066 (('commonName', 'CA Cert Signing Authority'),),
1067 (('emailAddress', 'support@cacert.org'),)),
1068 'notAfter': asn1time('Mar 29 12:29:49 2033 GMT'),
1069 'notBefore': asn1time('Mar 30 12:29:49 2003 GMT'),
1070 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1071 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1072 'subject': ((('organizationName', 'Root CA'),),
1073 (('organizationalUnitName', 'http://www.cacert.org'),),
1074 (('commonName', 'CA Cert Signing Authority'),),
1075 (('emailAddress', 'support@cacert.org'),)),
1076 'version': 3}])
1077
1078 with open(SVN_PYTHON_ORG_ROOT_CERT) as f:
1079 pem = f.read()
1080 der = ssl.PEM_cert_to_DER_cert(pem)
1081 self.assertEqual(ctx.get_ca_certs(True), [der])
1082
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1083 def test_load_default_certs(self):
1084 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1085 ctx.load_default_certs()
1086
1087 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1088 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1089 ctx.load_default_certs()
1090
1091 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1092 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1093
1094 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1095 self.assertRaises(TypeError, ctx.load_default_certs, None)
1096 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1097
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1098 def test_create_default_context(self):
1099 ctx = ssl.create_default_context()
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1100 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1101 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1102 self.assertTrue(ctx.check_hostname)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1103 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1104 self.assertEqual(
1105 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1106 getattr(ssl, "OP_NO_COMPRESSION", 0),
1107 )
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1108
1109 with open(SIGNING_CA) as f:
1110 cadata = f.read()
1111 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1112 cadata=cadata)
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1113 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1114 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1115 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1116 self.assertEqual(
1117 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1118 getattr(ssl, "OP_NO_COMPRESSION", 0),
1119 )
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1120
1121 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1122 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1123 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1124 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
Donald Stufft6a2ba942014-03-23 19:05:28 -0400[diff] [blame]1125 self.assertEqual(
1126 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1127 getattr(ssl, "OP_NO_COMPRESSION", 0),
1128 )
1129 self.assertEqual(
1130 ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
1131 getattr(ssl, "OP_SINGLE_DH_USE", 0),
1132 )
1133 self.assertEqual(
1134 ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
1135 getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
1136 )
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1137
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1138 def test__create_stdlib_context(self):
1139 ctx = ssl._create_stdlib_context()
1140 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1141 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1142 self.assertFalse(ctx.check_hostname)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1143 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1144
1145 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
1146 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1147 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1148 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1149
1150 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1151 cert_reqs=ssl.CERT_REQUIRED,
1152 check_hostname=True)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1153 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1154 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1155 self.assertTrue(ctx.check_hostname)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1156 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1157
1158 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
1159 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1160 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1161 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1162
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1163 def test_check_hostname(self):
1164 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1165 self.assertFalse(ctx.check_hostname)
1166
1167 # Requires CERT_REQUIRED or CERT_OPTIONAL
1168 with self.assertRaises(ValueError):
1169 ctx.check_hostname = True
1170 ctx.verify_mode = ssl.CERT_REQUIRED
1171 self.assertFalse(ctx.check_hostname)
1172 ctx.check_hostname = True
1173 self.assertTrue(ctx.check_hostname)
1174
1175 ctx.verify_mode = ssl.CERT_OPTIONAL
1176 ctx.check_hostname = True
1177 self.assertTrue(ctx.check_hostname)
1178
1179 # Cannot set CERT_NONE with check_hostname enabled
1180 with self.assertRaises(ValueError):
1181 ctx.verify_mode = ssl.CERT_NONE
1182 ctx.check_hostname = False
1183 self.assertFalse(ctx.check_hostname)
1184
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1185
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1186class SSLErrorTests(unittest.TestCase):
1187
1188 def test_str(self):
1189 # The str() of a SSLError doesn't include the errno
1190 e = ssl.SSLError(1, "foo")
1191 self.assertEqual(str(e), "foo")
1192 self.assertEqual(e.errno, 1)
1193 # Same for a subclass
1194 e = ssl.SSLZeroReturnError(1, "foo")
1195 self.assertEqual(str(e), "foo")
1196 self.assertEqual(e.errno, 1)
1197
1198 def test_lib_reason(self):
1199 # Test the library and reason attributes
1200 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1201 with self.assertRaises(ssl.SSLError) as cm:
1202 ctx.load_dh_params(CERTFILE)
1203 self.assertEqual(cm.exception.library, 'PEM')
1204 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1205 s = str(cm.exception)
1206 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1207
1208 def test_subclass(self):
1209 # Check that the appropriate SSLError subclass is raised
1210 # (this only tests one of them)
1211 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1212 with socket.socket() as s:
1213 s.bind(("127.0.0.1", 0))
Charles-François Natali6e204602014-07-23 19:28:13 +0100[diff] [blame]1214 s.listen()
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1215 c = socket.socket()
1216 c.connect(s.getsockname())
1217 c.setblocking(False)
1218 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1219 with self.assertRaises(ssl.SSLWantReadError) as cm:
1220 c.do_handshake()
1221 s = str(cm.exception)
1222 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1223 # For compatibility
1224 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1225
1226
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1227class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1228
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1229 def test_connect(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1230 with support.transient_internet("svn.python.org"):
1231 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1232 cert_reqs=ssl.CERT_NONE)
1233 try:
1234 s.connect(("svn.python.org", 443))
1235 self.assertEqual({}, s.getpeercert())
1236 finally:
1237 s.close()
1238
1239 # this should fail because we have no verification certs
1240 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1241 cert_reqs=ssl.CERT_REQUIRED)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1242 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1243 s.connect, ("svn.python.org", 443))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1244 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1245
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1246 # this should succeed because we specify the root cert
1247 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1248 cert_reqs=ssl.CERT_REQUIRED,
1249 ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
1250 try:
1251 s.connect(("svn.python.org", 443))
1252 self.assertTrue(s.getpeercert())
1253 finally:
1254 s.close()
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1255
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1256 def test_connect_ex(self):
1257 # Issue #11326: check connect_ex() implementation
1258 with support.transient_internet("svn.python.org"):
1259 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1260 cert_reqs=ssl.CERT_REQUIRED,
1261 ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
1262 try:
1263 self.assertEqual(0, s.connect_ex(("svn.python.org", 443)))
1264 self.assertTrue(s.getpeercert())
1265 finally:
1266 s.close()
1267
1268 def test_non_blocking_connect_ex(self):
1269 # Issue #11326: non-blocking connect_ex() should allow handshake
1270 # to proceed after the socket gets ready.
1271 with support.transient_internet("svn.python.org"):
1272 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1273 cert_reqs=ssl.CERT_REQUIRED,
1274 ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
1275 do_handshake_on_connect=False)
1276 try:
1277 s.setblocking(False)
1278 rc = s.connect_ex(('svn.python.org', 443))
Antoine Pitrou8a14a0c2011-02-27 15:44:12 +0000[diff] [blame]1279 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
1280 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1281 # Wait for connect to finish
1282 select.select([], [s], [], 5.0)
1283 # Non-blocking handshake
1284 while True:
1285 try:
1286 s.do_handshake()
1287 break
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]1288 except ssl.SSLWantReadError:
1289 select.select([s], [], [], 5.0)
1290 except ssl.SSLWantWriteError:
1291 select.select([], [s], [], 5.0)
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1292 # SSL established
1293 self.assertTrue(s.getpeercert())
1294 finally:
1295 s.close()
1296
Antoine Pitroub4410db2011-05-18 18:51:06 +0200[diff] [blame]1297 def test_timeout_connect_ex(self):
1298 # Issue #12065: on a timeout, connect_ex() should return the original
1299 # errno (mimicking the behaviour of non-SSL sockets).
1300 with support.transient_internet("svn.python.org"):
1301 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1302 cert_reqs=ssl.CERT_REQUIRED,
1303 ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
1304 do_handshake_on_connect=False)
1305 try:
1306 s.settimeout(0.0000001)
1307 rc = s.connect_ex(('svn.python.org', 443))
1308 if rc == 0:
1309 self.skipTest("svn.python.org responded too quickly")
1310 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
1311 finally:
1312 s.close()
1313
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]1314 def test_connect_ex_error(self):
Antoine Pitrouddb87ab2012-12-28 19:07:43 +0100[diff] [blame]1315 with support.transient_internet("svn.python.org"):
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]1316 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1317 cert_reqs=ssl.CERT_REQUIRED,
1318 ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
1319 try:
Christian Heimesde570742013-12-16 21:15:44 +0100[diff] [blame]1320 rc = s.connect_ex(("svn.python.org", 444))
1321 # Issue #19919: Windows machines or VMs hosted on Windows
1322 # machines sometimes return EWOULDBLOCK.
1323 self.assertIn(rc, (errno.ECONNREFUSED, errno.EWOULDBLOCK))
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]1324 finally:
1325 s.close()
1326
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1327 def test_connect_with_context(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1328 with support.transient_internet("svn.python.org"):
1329 # Same as test_connect, but with a separately created context
1330 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1331 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
1332 s.connect(("svn.python.org", 443))
1333 try:
1334 self.assertEqual({}, s.getpeercert())
1335 finally:
1336 s.close()
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]1337 # Same with a server hostname
1338 s = ctx.wrap_socket(socket.socket(socket.AF_INET),
1339 server_hostname="svn.python.org")
1340 if ssl.HAS_SNI:
1341 s.connect(("svn.python.org", 443))
1342 s.close()
1343 else:
1344 self.assertRaises(ValueError, s.connect, ("svn.python.org", 443))
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1345 # This should fail because we have no verification certs
1346 ctx.verify_mode = ssl.CERT_REQUIRED
1347 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1348 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1349 s.connect, ("svn.python.org", 443))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1350 s.close()
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1351 # This should succeed because we specify the root cert
1352 ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
1353 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
1354 s.connect(("svn.python.org", 443))
1355 try:
1356 cert = s.getpeercert()
1357 self.assertTrue(cert)
1358 finally:
1359 s.close()
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1360
1361 def test_connect_capath(self):
1362 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]1363 # NOTE: the subject hashing algorithm has been changed between
1364 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
1365 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]1366 # filename) for this test to be portable across OpenSSL releases.
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1367 with support.transient_internet("svn.python.org"):
1368 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1369 ctx.verify_mode = ssl.CERT_REQUIRED
1370 ctx.load_verify_locations(capath=CAPATH)
1371 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
1372 s.connect(("svn.python.org", 443))
1373 try:
1374 cert = s.getpeercert()
1375 self.assertTrue(cert)
1376 finally:
1377 s.close()
1378 # Same with a bytes `capath` argument
1379 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1380 ctx.verify_mode = ssl.CERT_REQUIRED
1381 ctx.load_verify_locations(capath=BYTES_CAPATH)
1382 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
1383 s.connect(("svn.python.org", 443))
1384 try:
1385 cert = s.getpeercert()
1386 self.assertTrue(cert)
1387 finally:
1388 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1389
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1390 def test_connect_cadata(self):
1391 with open(CAFILE_CACERT) as f:
1392 pem = f.read()
1393 der = ssl.PEM_cert_to_DER_cert(pem)
1394 with support.transient_internet("svn.python.org"):
1395 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1396 ctx.verify_mode = ssl.CERT_REQUIRED
1397 ctx.load_verify_locations(cadata=pem)
1398 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
1399 s.connect(("svn.python.org", 443))
1400 cert = s.getpeercert()
1401 self.assertTrue(cert)
1402
1403 # same with DER
1404 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1405 ctx.verify_mode = ssl.CERT_REQUIRED
1406 ctx.load_verify_locations(cadata=der)
1407 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
1408 s.connect(("svn.python.org", 443))
1409 cert = s.getpeercert()
1410 self.assertTrue(cert)
1411
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]1412 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
1413 def test_makefile_close(self):
1414 # Issue #5238: creating a file-like object with makefile() shouldn't
1415 # delay closing the underlying "real socket" (here tested with its
1416 # file descriptor, hence skipping the test under Windows).
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1417 with support.transient_internet("svn.python.org"):
1418 ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
1419 ss.connect(("svn.python.org", 443))
1420 fd = ss.fileno()
1421 f = ss.makefile()
1422 f.close()
1423 # The fd is still open
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]1424 os.read(fd, 0)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1425 # Closing the SSL socket should close the fd too
1426 ss.close()
1427 gc.collect()
1428 with self.assertRaises(OSError) as e:
1429 os.read(fd, 0)
1430 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]1431
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1432 def test_non_blocking_handshake(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1433 with support.transient_internet("svn.python.org"):
1434 s = socket.socket(socket.AF_INET)
1435 s.connect(("svn.python.org", 443))
1436 s.setblocking(False)
1437 s = ssl.wrap_socket(s,
1438 cert_reqs=ssl.CERT_NONE,
1439 do_handshake_on_connect=False)
1440 count = 0
1441 while True:
1442 try:
1443 count += 1
1444 s.do_handshake()
1445 break
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]1446 except ssl.SSLWantReadError:
1447 select.select([s], [], [])
1448 except ssl.SSLWantWriteError:
1449 select.select([], [s], [])
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1450 s.close()
1451 if support.verbose:
1452 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1453
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1454 def test_get_server_certificate(self):
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1455 def _test_get_server_certificate(host, port, cert=None):
1456 with support.transient_internet(host):
Antoine Pitrou94a5b662014-04-16 18:56:28 +0200[diff] [blame]1457 pem = ssl.get_server_certificate((host, port))
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1458 if not pem:
1459 self.fail("No server certificate on %s:%s!" % (host, port))
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]1460
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1461 try:
Benjamin Peterson10b93cc2014-03-12 18:10:57 -0500[diff] [blame]1462 pem = ssl.get_server_certificate((host, port),
Benjamin Peterson10b93cc2014-03-12 18:10:57 -0500[diff] [blame]1463 ca_certs=CERTFILE)
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1464 except ssl.SSLError as x:
1465 #should fail
1466 if support.verbose:
1467 sys.stdout.write("%s\n" % x)
1468 else:
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]1469 self.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
1470
Benjamin Peterson10b93cc2014-03-12 18:10:57 -0500[diff] [blame]1471 pem = ssl.get_server_certificate((host, port),
Benjamin Peterson10b93cc2014-03-12 18:10:57 -0500[diff] [blame]1472 ca_certs=cert)
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1473 if not pem:
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]1474 self.fail("No server certificate on %s:%s!" % (host, port))
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1475 if support.verbose:
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]1476 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1477
Antoine Pitrou15399c32011-04-28 19:23:55 +0200[diff] [blame]1478 _test_get_server_certificate('svn.python.org', 443, SVN_PYTHON_ORG_ROOT_CERT)
1479 if support.IPV6_ENABLED:
1480 _test_get_server_certificate('ipv6.google.com', 443)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1481
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]1482 def test_ciphers(self):
1483 remote = ("svn.python.org", 443)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1484 with support.transient_internet(remote[0]):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1485 with ssl.wrap_socket(socket.socket(socket.AF_INET),
1486 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
1487 s.connect(remote)
1488 with ssl.wrap_socket(socket.socket(socket.AF_INET),
1489 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
1490 s.connect(remote)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1491 # Error checking can happen at instantiation or when connecting
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1492 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1493 with socket.socket(socket.AF_INET) as sock:
1494 s = ssl.wrap_socket(sock,
1495 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
1496 s.connect(remote)
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]1497
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]1498 def test_algorithms(self):
1499 # Issue #8484: all algorithms should be available when verifying a
1500 # certificate.
Antoine Pitrou29619b22010-04-22 18:43:31 +0000[diff] [blame]1501 # SHA256 was added in OpenSSL 0.9.8
1502 if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):
1503 self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)
Antoine Pitrou16f6f832012-05-04 16:26:02 +0200[diff] [blame]1504 # sha256.tbs-internet.com needs SNI to use the correct certificate
1505 if not ssl.HAS_SNI:
1506 self.skipTest("SNI needed for this test")
Victor Stinnerf332abb2011-01-08 03:16:05 +0000[diff] [blame]1507 # https://sha2.hboeck.de/ was used until 2011-01-08 (no route to host)
1508 remote = ("sha256.tbs-internet.com", 443)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]1509 sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")
Antoine Pitrou160fd932011-01-08 10:23:29 +0000[diff] [blame]1510 with support.transient_internet("sha256.tbs-internet.com"):
Antoine Pitrou16f6f832012-05-04 16:26:02 +0200[diff] [blame]1511 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1512 ctx.verify_mode = ssl.CERT_REQUIRED
1513 ctx.load_verify_locations(sha256_cert)
1514 s = ctx.wrap_socket(socket.socket(socket.AF_INET),
1515 server_hostname="sha256.tbs-internet.com")
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]1516 try:
1517 s.connect(remote)
1518 if support.verbose:
1519 sys.stdout.write("\nCipher with %r is %r\n" %
1520 (remote, s.cipher()))
1521 sys.stdout.write("Certificate is:\n%s\n" %
1522 pprint.pformat(s.getpeercert()))
1523 finally:
1524 s.close()
1525
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1526 def test_get_ca_certs_capath(self):
1527 # capath certs are loaded on request
1528 with support.transient_internet("svn.python.org"):
1529 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1530 ctx.verify_mode = ssl.CERT_REQUIRED
1531 ctx.load_verify_locations(capath=CAPATH)
1532 self.assertEqual(ctx.get_ca_certs(), [])
1533 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
1534 s.connect(("svn.python.org", 443))
1535 try:
1536 cert = s.getpeercert()
1537 self.assertTrue(cert)
1538 finally:
1539 s.close()
1540 self.assertEqual(len(ctx.get_ca_certs()), 1)
1541
Christian Heimes575596e2013-12-15 21:49:17 +0100[diff] [blame]1542 @needs_sni
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]1543 def test_context_setget(self):
1544 # Check that the context of a connected socket can be replaced.
1545 with support.transient_internet("svn.python.org"):
1546 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1547 ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1548 s = socket.socket(socket.AF_INET)
1549 with ctx1.wrap_socket(s) as ss:
1550 ss.connect(("svn.python.org", 443))
1551 self.assertIs(ss.context, ctx1)
1552 self.assertIs(ss._sslobj.context, ctx1)
1553 ss.context = ctx2
1554 self.assertIs(ss.context, ctx2)
1555 self.assertIs(ss._sslobj.context, ctx2)
1556
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1557try:
1558 import threading
1559except ImportError:
1560 _have_threads = False
1561else:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1562 _have_threads = True
1563
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]1564 from test.ssl_servers import make_https_server
1565
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1566 class ThreadedEchoServer(threading.Thread):
1567
1568 class ConnectionHandler(threading.Thread):
1569
1570 """A mildly complicated class, because we want it to work both
1571 with and without the SSL wrapper around the socket connection, so
1572 that we can test the STARTTLS functionality."""
1573
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1574 def __init__(self, server, connsock, addr):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1575 self.server = server
1576 self.running = False
1577 self.sock = connsock
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1578 self.addr = addr
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1579 self.sock.setblocking(1)
1580 self.sslconn = None
1581 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]1582 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1583
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1584 def wrap_conn(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1585 try:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1586 self.sslconn = self.server.context.wrap_socket(
1587 self.sock, server_side=True)
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1588 self.server.selected_protocols.append(self.sslconn.selected_npn_protocol())
Nadeem Vawdaad246bf2013-03-03 22:44:22 +0100[diff] [blame]1589 except (ssl.SSLError, ConnectionResetError) as e:
1590 # We treat ConnectionResetError as though it were an
1591 # SSLError - OpenSSL on Ubuntu abruptly closes the
1592 # connection when asked to use an unsupported protocol.
1593 #
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1594 # XXX Various errors can have happened here, for example
1595 # a mismatching protocol version, an invalid certificate,
1596 # or a low-level bug. This should be made more discriminating.
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]1597 self.server.conn_errors.append(e)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1598 if self.server.chatty:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1599 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1600 self.running = False
1601 self.server.stop()
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1602 self.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1603 return False
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1604 else:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1605 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1606 cert = self.sslconn.getpeercert()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1607 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1608 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
1609 cert_binary = self.sslconn.getpeercert(True)
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1610 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1611 sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n")
1612 cipher = self.sslconn.cipher()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1613 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1614 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1615 sys.stdout.write(" server: selected protocol is now "
1616 + str(self.sslconn.selected_npn_protocol()) + "\n")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1617 return True
1618
1619 def read(self):
1620 if self.sslconn:
1621 return self.sslconn.read()
1622 else:
1623 return self.sock.recv(1024)
1624
1625 def write(self, bytes):
1626 if self.sslconn:
1627 return self.sslconn.write(bytes)
1628 else:
1629 return self.sock.send(bytes)
1630
1631 def close(self):
1632 if self.sslconn:
1633 self.sslconn.close()
1634 else:
1635 self.sock.close()
1636
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1637 def run(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1638 self.running = True
1639 if not self.server.starttls_server:
1640 if not self.wrap_conn():
1641 return
1642 while self.running:
1643 try:
1644 msg = self.read()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1645 stripped = msg.strip()
1646 if not stripped:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1647 # eof, so quit this handler
1648 self.running = False
1649 self.close()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1650 elif stripped == b'over':
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1651 if support.verbose and self.server.connectionchatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1652 sys.stdout.write(" server: client closed connection\n")
1653 self.close()
1654 return
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1655 elif (self.server.starttls_server and
Antoine Pitrou764b8782010-04-28 22:57:15 +0000[diff] [blame]1656 stripped == b'STARTTLS'):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1657 if support.verbose and self.server.connectionchatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1658 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1659 self.write(b"OK\n")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1660 if not self.wrap_conn():
1661 return
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1662 elif (self.server.starttls_server and self.sslconn
Antoine Pitrou764b8782010-04-28 22:57:15 +0000[diff] [blame]1663 and stripped == b'ENDTLS'):
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1664 if support.verbose and self.server.connectionchatty:
1665 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1666 self.write(b"OK\n")
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]1667 self.sock = self.sslconn.unwrap()
1668 self.sslconn = None
1669 if support.verbose and self.server.connectionchatty:
1670 sys.stdout.write(" server: connection is now unencrypted...\n")
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]1671 elif stripped == b'CB tls-unique':
1672 if support.verbose and self.server.connectionchatty:
1673 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
1674 data = self.sslconn.get_channel_binding("tls-unique")
1675 self.write(repr(data).encode("us-ascii") + b"\n")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1676 else:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1677 if (support.verbose and
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1678 self.server.connectionchatty):
1679 ctype = (self.sslconn and "encrypted") or "unencrypted"
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1680 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
1681 % (msg, ctype, msg.lower(), ctype))
1682 self.write(msg.lower())
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]1683 except OSError:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1684 if self.server.chatty:
1685 handle_error("Test server failure:\n")
1686 self.close()
1687 self.running = False
1688 # normally, we'd just stop here, but for the test
1689 # harness, we want to stop the server
1690 self.server.stop()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1691
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1692 def __init__(self, certificate=None, ssl_version=None,
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1693 certreqs=None, cacerts=None,
Antoine Pitrou2d9cb9c2010-04-17 17:40:45 +0000[diff] [blame]1694 chatty=True, connectionchatty=False, starttls_server=False,
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1695 npn_protocols=None, ciphers=None, context=None):
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1696 if context:
1697 self.context = context
1698 else:
1699 self.context = ssl.SSLContext(ssl_version
1700 if ssl_version is not None
1701 else ssl.PROTOCOL_TLSv1)
1702 self.context.verify_mode = (certreqs if certreqs is not None
1703 else ssl.CERT_NONE)
1704 if cacerts:
1705 self.context.load_verify_locations(cacerts)
1706 if certificate:
1707 self.context.load_cert_chain(certificate)
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1708 if npn_protocols:
1709 self.context.set_npn_protocols(npn_protocols)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1710 if ciphers:
1711 self.context.set_ciphers(ciphers)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1712 self.chatty = chatty
1713 self.connectionchatty = connectionchatty
1714 self.starttls_server = starttls_server
1715 self.sock = socket.socket()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1716 self.port = support.bind_port(self.sock)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1717 self.flag = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1718 self.active = False
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1719 self.selected_protocols = []
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]1720 self.conn_errors = []
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1721 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]1722 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1723
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1724 def __enter__(self):
1725 self.start(threading.Event())
1726 self.flag.wait()
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]1727 return self
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1728
1729 def __exit__(self, *args):
1730 self.stop()
1731 self.join()
1732
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1733 def start(self, flag=None):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1734 self.flag = flag
1735 threading.Thread.start(self)
1736
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1737 def run(self):
Antoine Pitrouaf7c6022010-04-27 09:56:02 +0000[diff] [blame]1738 self.sock.settimeout(0.05)
Charles-François Natali6e204602014-07-23 19:28:13 +0100[diff] [blame]1739 self.sock.listen()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1740 self.active = True
1741 if self.flag:
1742 # signal an event
1743 self.flag.set()
1744 while self.active:
1745 try:
1746 newconn, connaddr = self.sock.accept()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1747 if support.verbose and self.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1748 sys.stdout.write(' server: new connection from '
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1749 + repr(connaddr) + '\n')
1750 handler = self.ConnectionHandler(self, newconn, connaddr)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1751 handler.start()
Antoine Pitroueced82e2012-01-27 17:33:01 +0100[diff] [blame]1752 handler.join()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1753 except socket.timeout:
1754 pass
1755 except KeyboardInterrupt:
1756 self.stop()
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1757 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1758
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1759 def stop(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1760 self.active = False
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1761
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1762 class AsyncoreEchoServer(threading.Thread):
1763
1764 # this one's based on asyncore.dispatcher
1765
1766 class EchoServer (asyncore.dispatcher):
1767
1768 class ConnectionHandler (asyncore.dispatcher_with_send):
1769
1770 def __init__(self, conn, certfile):
1771 self.socket = ssl.wrap_socket(conn, server_side=True,
1772 certfile=certfile,
1773 do_handshake_on_connect=False)
1774 asyncore.dispatcher_with_send.__init__(self, self.socket)
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1775 self._ssl_accepting = True
1776 self._do_ssl_handshake()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1777
1778 def readable(self):
1779 if isinstance(self.socket, ssl.SSLSocket):
1780 while self.socket.pending() > 0:
1781 self.handle_read_event()
1782 return True
1783
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1784 def _do_ssl_handshake(self):
1785 try:
1786 self.socket.do_handshake()
Antoine Pitrou41032a62011-10-27 23:56:55 +0200[diff] [blame]1787 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
1788 return
1789 except ssl.SSLEOFError:
1790 return self.handle_close()
1791 except ssl.SSLError:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1792 raise
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]1793 except OSError as err:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1794 if err.args[0] == errno.ECONNABORTED:
1795 return self.handle_close()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1796 else:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1797 self._ssl_accepting = False
1798
1799 def handle_read(self):
1800 if self._ssl_accepting:
1801 self._do_ssl_handshake()
1802 else:
1803 data = self.recv(1024)
1804 if support.verbose:
1805 sys.stdout.write(" server: read %s from client\n" % repr(data))
1806 if not data:
1807 self.close()
1808 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1809 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1810
1811 def handle_close(self):
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]1812 self.close()
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1813 if support.verbose:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1814 sys.stdout.write(" server: closed connection %s\n" % self.socket)
1815
1816 def handle_error(self):
1817 raise
1818
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1819 def __init__(self, certfile):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1820 self.certfile = certfile
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1821 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1822 self.port = support.bind_port(sock, '')
1823 asyncore.dispatcher.__init__(self, sock)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1824 self.listen(5)
1825
Giampaolo Rodolà977c7072010-10-04 21:08:36 +0000[diff] [blame]1826 def handle_accepted(self, sock_obj, addr):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1827 if support.verbose:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1828 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
1829 self.ConnectionHandler(sock_obj, self.certfile)
1830
1831 def handle_error(self):
1832 raise
1833
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1834 def __init__(self, certfile):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1835 self.flag = None
1836 self.active = False
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1837 self.server = self.EchoServer(certfile)
1838 self.port = self.server.port
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1839 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]1840 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1841
1842 def __str__(self):
1843 return "<%s %s>" % (self.__class__.__name__, self.server)
1844
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1845 def __enter__(self):
1846 self.start(threading.Event())
1847 self.flag.wait()
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]1848 return self
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1849
1850 def __exit__(self, *args):
1851 if support.verbose:
1852 sys.stdout.write(" cleanup: stopping server.\n")
1853 self.stop()
1854 if support.verbose:
1855 sys.stdout.write(" cleanup: joining server thread.\n")
1856 self.join()
1857 if support.verbose:
1858 sys.stdout.write(" cleanup: successfully joined.\n")
1859
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1860 def start (self, flag=None):
1861 self.flag = flag
1862 threading.Thread.start(self)
1863
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1864 def run(self):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1865 self.active = True
1866 if self.flag:
1867 self.flag.set()
1868 while self.active:
1869 try:
1870 asyncore.loop(1)
1871 except:
1872 pass
1873
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1874 def stop(self):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1875 self.active = False
1876 self.server.close()
1877
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1878 def bad_cert_test(certfile):
1879 """
1880 Launch a server with CERT_REQUIRED, and check that trying to
1881 connect to it with the given client certificate fails.
1882 """
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1883 server = ThreadedEchoServer(CERTFILE,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1884 certreqs=ssl.CERT_REQUIRED,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1885 cacerts=CERTFILE, chatty=False,
1886 connectionchatty=False)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1887 with server:
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1888 try:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1889 with socket.socket() as sock:
1890 s = ssl.wrap_socket(sock,
1891 certfile=certfile,
1892 ssl_version=ssl.PROTOCOL_TLSv1)
1893 s.connect((HOST, server.port))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1894 except ssl.SSLError as x:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1895 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1896 sys.stdout.write("\nSSLError is %s\n" % x.args[1])
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]1897 except OSError as x:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1898 if support.verbose:
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]1899 sys.stdout.write("\nOSError is %s\n" % x.args[1])
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1900 except OSError as x:
Giampaolo Rodolàcd9dfb92010-08-29 20:56:56 +0000[diff] [blame]1901 if x.errno != errno.ENOENT:
1902 raise
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]1903 if support.verbose:
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1904 sys.stdout.write("\OSError is %s\n" % str(x))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1905 else:
Antoine Pitroud75b2a92010-05-06 14:15:10 +0000[diff] [blame]1906 raise AssertionError("Use of invalid cert should have failed!")
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1907
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1908 def server_params_test(client_context, server_context, indata=b"FOO\n",
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1909 chatty=True, connectionchatty=False, sni_name=None):
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1910 """
1911 Launch a server, connect a client to it and try various reads
1912 and writes.
1913 """
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1914 stats = {}
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1915 server = ThreadedEchoServer(context=server_context,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1916 chatty=chatty,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1917 connectionchatty=False)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]1918 with server:
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1919 with client_context.wrap_socket(socket.socket(),
1920 server_hostname=sni_name) as s:
Antoine Pitroueba63c42012-01-28 17:38:34 +0100[diff] [blame]1921 s.connect((HOST, server.port))
1922 for arg in [indata, bytearray(indata), memoryview(indata)]:
1923 if connectionchatty:
1924 if support.verbose:
1925 sys.stdout.write(
1926 " client: sending %r...\n" % indata)
1927 s.write(arg)
1928 outdata = s.read()
1929 if connectionchatty:
1930 if support.verbose:
1931 sys.stdout.write(" client: read %r\n" % outdata)
1932 if outdata != indata.lower():
1933 raise AssertionError(
1934 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
1935 % (outdata[:20], len(outdata),
1936 indata[:20].lower(), len(indata)))
1937 s.write(b"over\n")
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1938 if connectionchatty:
1939 if support.verbose:
Antoine Pitroueba63c42012-01-28 17:38:34 +0100[diff] [blame]1940 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1941 stats.update({
Antoine Pitrouce816a52012-01-28 17:40:23 +0100[diff] [blame]1942 'compression': s.compression(),
1943 'cipher': s.cipher(),
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1944 'peercert': s.getpeercert(),
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1945 'client_npn_protocol': s.selected_npn_protocol()
1946 })
Antoine Pitroueba63c42012-01-28 17:38:34 +0100[diff] [blame]1947 s.close()
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]1948 stats['server_npn_protocols'] = server.selected_protocols
1949 return stats
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1950
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1951 def try_protocol_combo(server_protocol, client_protocol, expect_success,
1952 certsreqs=None, server_options=0, client_options=0):
Benjamin Peterson2a691a82008-03-31 01:51:45 +0000[diff] [blame]1953 if certsreqs is None:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1954 certsreqs = ssl.CERT_NONE
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1955 certtype = {
1956 ssl.CERT_NONE: "CERT_NONE",
1957 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
1958 ssl.CERT_REQUIRED: "CERT_REQUIRED",
1959 }[certsreqs]
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1960 if support.verbose:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1961 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1962 sys.stdout.write(formatstr %
1963 (ssl.get_protocol_name(client_protocol),
1964 ssl.get_protocol_name(server_protocol),
1965 certtype))
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1966 client_context = ssl.SSLContext(client_protocol)
Antoine Pitrou32c49152014-01-09 21:28:48 +0100[diff] [blame]1967 client_context.options |= client_options
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1968 server_context = ssl.SSLContext(server_protocol)
Antoine Pitrou32c49152014-01-09 21:28:48 +0100[diff] [blame]1969 server_context.options |= server_options
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1970
1971 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
1972 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
1973 # starting from OpenSSL 1.0.0 (see issue #8322).
1974 if client_context.protocol == ssl.PROTOCOL_SSLv23:
1975 client_context.set_ciphers("ALL")
1976
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1977 for ctx in (client_context, server_context):
1978 ctx.verify_mode = certsreqs
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1979 ctx.load_cert_chain(CERTFILE)
1980 ctx.load_verify_locations(CERTFILE)
1981 try:
1982 server_params_test(client_context, server_context,
1983 chatty=False, connectionchatty=False)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1984 # Protocol mismatch can result in either an SSLError, or a
1985 # "Connection reset by peer" error.
1986 except ssl.SSLError:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1987 if expect_success:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1988 raise
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]1989 except OSError as e:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1990 if expect_success or e.errno != errno.ECONNRESET:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1991 raise
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1992 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1993 if not expect_success:
Antoine Pitroud75b2a92010-05-06 14:15:10 +0000[diff] [blame]1994 raise AssertionError(
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1995 "Client protocol %s succeeded with server protocol %s!"
1996 % (ssl.get_protocol_name(client_protocol),
1997 ssl.get_protocol_name(server_protocol)))
1998
1999
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2000 class ThreadedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2001
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]2002 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2003 def test_echo(self):
2004 """Basic test of an SSL client connecting to a server"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2005 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2006 sys.stdout.write("\n")
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2007 for protocol in PROTOCOLS:
Antoine Pitrou972d5bb2013-03-29 17:56:03 +0100[diff] [blame]2008 with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
2009 context = ssl.SSLContext(protocol)
2010 context.load_cert_chain(CERTFILE)
2011 server_params_test(context, context,
2012 chatty=True, connectionchatty=True)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2013
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2014 def test_getpeercert(self):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2015 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2016 sys.stdout.write("\n")
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2017 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2018 context.verify_mode = ssl.CERT_REQUIRED
2019 context.load_verify_locations(CERTFILE)
2020 context.load_cert_chain(CERTFILE)
2021 server = ThreadedEchoServer(context=context, chatty=False)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2022 with server:
Antoine Pitrou20b85552013-09-29 19:50:53 +0200[diff] [blame]2023 s = context.wrap_socket(socket.socket(),
2024 do_handshake_on_connect=False)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2025 s.connect((HOST, server.port))
Antoine Pitrou20b85552013-09-29 19:50:53 +0200[diff] [blame]2026 # getpeercert() raise ValueError while the handshake isn't
2027 # done.
2028 with self.assertRaises(ValueError):
2029 s.getpeercert()
2030 s.do_handshake()
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2031 cert = s.getpeercert()
2032 self.assertTrue(cert, "Can't get peer certificate.")
2033 cipher = s.cipher()
2034 if support.verbose:
2035 sys.stdout.write(pprint.pformat(cert) + '\n')
2036 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2037 if 'subject' not in cert:
2038 self.fail("No subject field in certificate: %s." %
2039 pprint.pformat(cert))
2040 if ((('organizationName', 'Python Software Foundation'),)
2041 not in cert['subject']):
2042 self.fail(
2043 "Missing or invalid 'organizationName' field in certificate subject; "
2044 "should be 'Python Software Foundation'.")
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]2045 self.assertIn('notBefore', cert)
2046 self.assertIn('notAfter', cert)
2047 before = ssl.cert_time_to_seconds(cert['notBefore'])
2048 after = ssl.cert_time_to_seconds(cert['notAfter'])
2049 self.assertLess(before, after)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2050 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2051
Christian Heimes2427b502013-11-23 11:24:32 +0100[diff] [blame]2052 @unittest.skipUnless(have_verify_flags(),
2053 "verify_flags need OpenSSL > 0.9.8")
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]2054 def test_crl_check(self):
2055 if support.verbose:
2056 sys.stdout.write("\n")
2057
2058 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2059 server_context.load_cert_chain(SIGNED_CERTFILE)
2060
2061 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2062 context.verify_mode = ssl.CERT_REQUIRED
2063 context.load_verify_locations(SIGNING_CA)
Christian Heimes32f0c7a2013-11-22 03:43:48 +0100[diff] [blame]2064 self.assertEqual(context.verify_flags, ssl.VERIFY_DEFAULT)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]2065
2066 # VERIFY_DEFAULT should pass
2067 server = ThreadedEchoServer(context=server_context, chatty=True)
2068 with server:
2069 with context.wrap_socket(socket.socket()) as s:
2070 s.connect((HOST, server.port))
2071 cert = s.getpeercert()
2072 self.assertTrue(cert, "Can't get peer certificate.")
2073
2074 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimes32f0c7a2013-11-22 03:43:48 +0100[diff] [blame]2075 context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]2076
2077 server = ThreadedEchoServer(context=server_context, chatty=True)
2078 with server:
2079 with context.wrap_socket(socket.socket()) as s:
2080 with self.assertRaisesRegex(ssl.SSLError,
2081 "certificate verify failed"):
2082 s.connect((HOST, server.port))
2083
2084 # now load a CRL file. The CRL file is signed by the CA.
2085 context.load_verify_locations(CRLFILE)
2086
2087 server = ThreadedEchoServer(context=server_context, chatty=True)
2088 with server:
2089 with context.wrap_socket(socket.socket()) as s:
2090 s.connect((HOST, server.port))
2091 cert = s.getpeercert()
2092 self.assertTrue(cert, "Can't get peer certificate.")
2093
Christian Heimes575596e2013-12-15 21:49:17 +0100[diff] [blame]2094 @needs_sni
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]2095 def test_check_hostname(self):
2096 if support.verbose:
2097 sys.stdout.write("\n")
2098
2099 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2100 server_context.load_cert_chain(SIGNED_CERTFILE)
2101
2102 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2103 context.verify_mode = ssl.CERT_REQUIRED
2104 context.check_hostname = True
2105 context.load_verify_locations(SIGNING_CA)
2106
2107 # correct hostname should verify
2108 server = ThreadedEchoServer(context=server_context, chatty=True)
2109 with server:
2110 with context.wrap_socket(socket.socket(),
2111 server_hostname="localhost") as s:
2112 s.connect((HOST, server.port))
2113 cert = s.getpeercert()
2114 self.assertTrue(cert, "Can't get peer certificate.")
2115
2116 # incorrect hostname should raise an exception
2117 server = ThreadedEchoServer(context=server_context, chatty=True)
2118 with server:
2119 with context.wrap_socket(socket.socket(),
2120 server_hostname="invalid") as s:
2121 with self.assertRaisesRegex(ssl.CertificateError,
2122 "hostname 'invalid' doesn't match 'localhost'"):
2123 s.connect((HOST, server.port))
2124
2125 # missing server_hostname arg should cause an exception, too
2126 server = ThreadedEchoServer(context=server_context, chatty=True)
2127 with server:
2128 with socket.socket() as s:
2129 with self.assertRaisesRegex(ValueError,
2130 "check_hostname requires server_hostname"):
2131 context.wrap_socket(s)
2132
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2133 def test_empty_cert(self):
2134 """Connecting with an empty cert file"""
2135 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
2136 "nullcert.pem"))
2137 def test_malformed_cert(self):
2138 """Connecting with a badly formatted certificate (syntax error)"""
2139 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
2140 "badcert.pem"))
2141 def test_nonexisting_cert(self):
2142 """Connecting with a non-existing cert file"""
2143 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
2144 "wrongcert.pem"))
2145 def test_malformed_key(self):
2146 """Connecting with a badly formatted key (syntax error)"""
2147 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
2148 "badkey.pem"))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2149
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2150 def test_rude_shutdown(self):
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]2151 """A brutal shutdown of an SSL server should raise an OSError
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2152 in the client when attempting handshake.
2153 """
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2154 listener_ready = threading.Event()
2155 listener_gone = threading.Event()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2156
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2157 s = socket.socket()
2158 port = support.bind_port(s, HOST)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2159
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2160 # `listener` runs in a thread. It sits in an accept() until
2161 # the main thread connects. Then it rudely closes the socket,
2162 # and sets Event `listener_gone` to let the main thread know
2163 # the socket is gone.
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2164 def listener():
Charles-François Natali6e204602014-07-23 19:28:13 +0100[diff] [blame]2165 s.listen()
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2166 listener_ready.set()
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]2167 newsock, addr = s.accept()
2168 newsock.close()
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2169 s.close()
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2170 listener_gone.set()
2171
2172 def connector():
2173 listener_ready.wait()
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]2174 with socket.socket() as c:
2175 c.connect((HOST, port))
2176 listener_gone.wait()
2177 try:
2178 ssl_sock = ssl.wrap_socket(c)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]2179 except OSError:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]2180 pass
2181 else:
2182 self.fail('connecting to closed SSL socket should have failed')
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2183
2184 t = threading.Thread(target=listener)
2185 t.start()
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2186 try:
2187 connector()
2188 finally:
2189 t.join()
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2190
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]2191 @skip_if_broken_ubuntu_ssl
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2192 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),
2193 "OpenSSL is compiled without SSLv2 support")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2194 def test_protocol_sslv2(self):
2195 """Connecting to an SSLv2 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2196 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2197 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2198 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
2199 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
2200 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Antoine Pitroucd3d7ca2014-01-09 20:02:20 +0100[diff] [blame]2201 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2202 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
2203 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2204 # SSLv23 client with specific SSL options
2205 if no_sslv2_implies_sslv3_hello():
2206 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
2207 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2208 client_options=ssl.OP_NO_SSLv2)
Antoine Pitroucd3d7ca2014-01-09 20:02:20 +0100[diff] [blame]2209 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2210 client_options=ssl.OP_NO_SSLv3)
Antoine Pitroucd3d7ca2014-01-09 20:02:20 +0100[diff] [blame]2211 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2212 client_options=ssl.OP_NO_TLSv1)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2213
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]2214 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2215 def test_protocol_sslv23(self):
2216 """Connecting to an SSLv23 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2217 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2218 sys.stdout.write("\n")
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2219 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2220 try:
2221 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]2222 except OSError as x:
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2223 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
2224 if support.verbose:
2225 sys.stdout.write(
2226 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
2227 % str(x))
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2228 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
2229 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
2230 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2231
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2232 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
2233 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
2234 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2235
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2236 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
2237 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
2238 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2239
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2240 # Server with specific SSL options
2241 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
2242 server_options=ssl.OP_NO_SSLv3)
2243 # Will choose TLSv1
2244 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
2245 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
2246 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,
2247 server_options=ssl.OP_NO_TLSv1)
2248
2249
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]2250 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2251 def test_protocol_sslv3(self):
2252 """Connecting to an SSLv3 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2253 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2254 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2255 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
2256 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
2257 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2258 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2259 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Barry Warsaw46ae0ef2011-10-28 16:52:17 -0400[diff] [blame]2260 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
2261 client_options=ssl.OP_NO_SSLv3)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2262 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]2263 if no_sslv2_implies_sslv3_hello():
2264 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
2265 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
2266 client_options=ssl.OP_NO_SSLv2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2267
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]2268 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2269 def test_protocol_tlsv1(self):
2270 """Connecting to a TLSv1 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2271 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2272 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2273 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
2274 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
2275 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
Victor Stinner3de49192011-05-09 00:42:58 +0200[diff] [blame]2276 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2277 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2278 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Barry Warsaw46ae0ef2011-10-28 16:52:17 -0400[diff] [blame]2279 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
2280 client_options=ssl.OP_NO_TLSv1)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2281
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2282 @skip_if_broken_ubuntu_ssl
2283 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
2284 "TLS version 1.1 not supported.")
2285 def test_protocol_tlsv1_1(self):
2286 """Connecting to a TLSv1.1 server with various client options.
2287 Testing against older TLS versions."""
2288 if support.verbose:
2289 sys.stdout.write("\n")
2290 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
2291 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2292 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
2293 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
2294 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
2295 client_options=ssl.OP_NO_TLSv1_1)
2296
2297 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, True)
2298 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
2299 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
2300
2301
2302 @skip_if_broken_ubuntu_ssl
2303 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
2304 "TLS version 1.2 not supported.")
2305 def test_protocol_tlsv1_2(self):
2306 """Connecting to a TLSv1.2 server with various client options.
2307 Testing against older TLS versions."""
2308 if support.verbose:
2309 sys.stdout.write("\n")
2310 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
2311 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
2312 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
2313 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2314 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
2315 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
2316 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv23, False,
2317 client_options=ssl.OP_NO_TLSv1_2)
2318
2319 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_2, True)
2320 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
2321 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
2322 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
2323 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
2324
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2325 def test_starttls(self):
2326 """Switching from clear text to encrypted and back again."""
2327 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2328
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2329 server = ThreadedEchoServer(CERTFILE,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2330 ssl_version=ssl.PROTOCOL_TLSv1,
2331 starttls_server=True,
2332 chatty=True,
2333 connectionchatty=True)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2334 wrapped = False
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2335 with server:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2336 s = socket.socket()
2337 s.setblocking(1)
2338 s.connect((HOST, server.port))
2339 if support.verbose:
2340 sys.stdout.write("\n")
2341 for indata in msgs:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2342 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2343 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2344 " client: sending %r...\n" % indata)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2345 if wrapped:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2346 conn.write(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2347 outdata = conn.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2348 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2349 s.send(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2350 outdata = s.recv(1024)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2351 msg = outdata.strip().lower()
2352 if indata == b"STARTTLS" and msg.startswith(b"ok"):
2353 # STARTTLS ok, switch to secure mode
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2354 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2355 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2356 " client: read %r from server, starting TLS...\n"
2357 % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2358 conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
2359 wrapped = True
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2360 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
2361 # ENDTLS ok, switch back to clear text
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2362 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2363 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2364 " client: read %r from server, ending TLS...\n"
2365 % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2366 s = conn.unwrap()
2367 wrapped = False
2368 else:
2369 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2370 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2371 " client: read %r from server\n" % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2372 if support.verbose:
2373 sys.stdout.write(" client: closing connection.\n")
2374 if wrapped:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2375 conn.write(b"over\n")
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2376 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2377 s.send(b"over\n")
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]2378 if wrapped:
2379 conn.close()
2380 else:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2381 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2382
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2383 def test_socketserver(self):
2384 """Using a SocketServer to create and manage SSL connections."""
Antoine Pitrouda232592013-02-05 21:20:51 +0100[diff] [blame]2385 server = make_https_server(self, certfile=CERTFILE)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2386 # try to connect
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2387 if support.verbose:
2388 sys.stdout.write('\n')
2389 with open(CERTFILE, 'rb') as f:
2390 d1 = f.read()
2391 d2 = ''
2392 # now fetch the same data from the HTTPS server
2393 url = 'https://%s:%d/%s' % (
2394 HOST, server.port, os.path.split(CERTFILE)[1])
2395 f = urllib.request.urlopen(url)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2396 try:
Barry Warsaw820c1202008-06-12 04:06:45 +0000[diff] [blame]2397 dlen = f.info().get("content-length")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2398 if dlen and (int(dlen) > 0):
2399 d2 = f.read(int(dlen))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2400 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2401 sys.stdout.write(
2402 " client: read %d bytes from remote server '%s'\n"
2403 % (len(d2), server))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2404 finally:
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2405 f.close()
2406 self.assertEqual(d1, d2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2407
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2408 def test_asyncore_server(self):
2409 """Check the example asyncore integration."""
2410 indata = "TEST MESSAGE of mixed case\n"
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2411
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2412 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2413 sys.stdout.write("\n")
2414
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2415 indata = b"FOO\n"
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2416 server = AsyncoreEchoServer(CERTFILE)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2417 with server:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2418 s = ssl.wrap_socket(socket.socket())
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2419 s.connect(('127.0.0.1', server.port))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2420 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2421 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2422 " client: sending %r...\n" % indata)
2423 s.write(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2424 outdata = s.read()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2425 if support.verbose:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2426 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2427 if outdata != indata.lower():
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2428 self.fail(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2429 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2430 % (outdata[:20], len(outdata),
2431 indata[:20].lower(), len(indata)))
2432 s.write(b"over\n")
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2433 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2434 sys.stdout.write(" client: closing connection.\n")
2435 s.close()
Antoine Pitroued986362010-08-15 23:28:10 +0000[diff] [blame]2436 if support.verbose:
2437 sys.stdout.write(" client: connection closed.\n")
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2438
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2439 def test_recv_send(self):
2440 """Test recv(), send() and friends."""
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2441 if support.verbose:
2442 sys.stdout.write("\n")
2443
2444 server = ThreadedEchoServer(CERTFILE,
2445 certreqs=ssl.CERT_NONE,
2446 ssl_version=ssl.PROTOCOL_TLSv1,
2447 cacerts=CERTFILE,
2448 chatty=True,
2449 connectionchatty=False)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2450 with server:
2451 s = ssl.wrap_socket(socket.socket(),
2452 server_side=False,
2453 certfile=CERTFILE,
2454 ca_certs=CERTFILE,
2455 cert_reqs=ssl.CERT_NONE,
2456 ssl_version=ssl.PROTOCOL_TLSv1)
2457 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2458 # helper methods for standardising recv* method signatures
2459 def _recv_into():
2460 b = bytearray(b"\0"*100)
2461 count = s.recv_into(b)
2462 return b[:count]
2463
2464 def _recvfrom_into():
2465 b = bytearray(b"\0"*100)
2466 count, addr = s.recvfrom_into(b)
2467 return b[:count]
2468
2469 # (name, method, whether to expect success, *args)
2470 send_methods = [
2471 ('send', s.send, True, []),
2472 ('sendto', s.sendto, False, ["some.address"]),
2473 ('sendall', s.sendall, True, []),
2474 ]
2475 recv_methods = [
2476 ('recv', s.recv, True, []),
2477 ('recvfrom', s.recvfrom, False, ["some.address"]),
2478 ('recv_into', _recv_into, True, []),
2479 ('recvfrom_into', _recvfrom_into, False, []),
2480 ]
2481 data_prefix = "PREFIX_"
2482
2483 for meth_name, send_meth, expect_success, args in send_methods:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2484 indata = (data_prefix + meth_name).encode('ascii')
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2485 try:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2486 send_meth(indata, *args)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2487 outdata = s.read()
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2488 if outdata != indata.lower():
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2489 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2490 "While sending with <<{name:s}>> bad data "
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2491 "<<{outdata:r}>> ({nout:d}) received; "
2492 "expected <<{indata:r}>> ({nin:d})\n".format(
2493 name=meth_name, outdata=outdata[:20],
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2494 nout=len(outdata),
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2495 indata=indata[:20], nin=len(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2496 )
2497 )
2498 except ValueError as e:
2499 if expect_success:
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2500 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2501 "Failed to send with method <<{name:s}>>; "
2502 "expected to succeed.\n".format(name=meth_name)
2503 )
2504 if not str(e).startswith(meth_name):
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2505 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2506 "Method <<{name:s}>> failed with unexpected "
2507 "exception message: {exp:s}\n".format(
2508 name=meth_name, exp=e
2509 )
2510 )
2511
2512 for meth_name, recv_meth, expect_success, args in recv_methods:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2513 indata = (data_prefix + meth_name).encode('ascii')
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2514 try:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2515 s.send(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2516 outdata = recv_meth(*args)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2517 if outdata != indata.lower():
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2518 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2519 "While receiving with <<{name:s}>> bad data "
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2520 "<<{outdata:r}>> ({nout:d}) received; "
2521 "expected <<{indata:r}>> ({nin:d})\n".format(
2522 name=meth_name, outdata=outdata[:20],
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2523 nout=len(outdata),
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2524 indata=indata[:20], nin=len(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2525 )
2526 )
2527 except ValueError as e:
2528 if expect_success:
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2529 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2530 "Failed to receive with method <<{name:s}>>; "
2531 "expected to succeed.\n".format(name=meth_name)
2532 )
2533 if not str(e).startswith(meth_name):
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]2534 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2535 "Method <<{name:s}>> failed with unexpected "
2536 "exception message: {exp:s}\n".format(
2537 name=meth_name, exp=e
2538 )
2539 )
2540 # consume data
2541 s.read()
2542
Nick Coghlan513886a2011-08-28 00:00:27 +1000[diff] [blame]2543 # Make sure sendmsg et al are disallowed to avoid
2544 # inadvertent disclosure of data and/or corruption
2545 # of the encrypted data stream
2546 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
2547 self.assertRaises(NotImplementedError, s.recvmsg, 100)
2548 self.assertRaises(NotImplementedError,
2549 s.recvmsg_into, bytearray(100))
2550
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2551 s.write(b"over\n")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2552 s.close()
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2553
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2554 def test_nonblocking_send(self):
2555 server = ThreadedEchoServer(CERTFILE,
2556 certreqs=ssl.CERT_NONE,
2557 ssl_version=ssl.PROTOCOL_TLSv1,
2558 cacerts=CERTFILE,
2559 chatty=True,
2560 connectionchatty=False)
2561 with server:
2562 s = ssl.wrap_socket(socket.socket(),
2563 server_side=False,
2564 certfile=CERTFILE,
2565 ca_certs=CERTFILE,
2566 cert_reqs=ssl.CERT_NONE,
2567 ssl_version=ssl.PROTOCOL_TLSv1)
2568 s.connect((HOST, server.port))
2569 s.setblocking(False)
2570
2571 # If we keep sending data, at some point the buffers
2572 # will be full and the call will block
2573 buf = bytearray(8192)
2574 def fill_buffer():
2575 while True:
2576 s.send(buf)
2577 self.assertRaises((ssl.SSLWantWriteError,
2578 ssl.SSLWantReadError), fill_buffer)
2579
2580 # Now read all the output and discard it
2581 s.setblocking(True)
2582 s.close()
2583
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2584 def test_handshake_timeout(self):
2585 # Issue #5103: SSL handshake must respect the socket timeout
2586 server = socket.socket(socket.AF_INET)
2587 host = "127.0.0.1"
2588 port = support.bind_port(server)
2589 started = threading.Event()
2590 finish = False
2591
2592 def serve():
Charles-François Natali6e204602014-07-23 19:28:13 +0100[diff] [blame]2593 server.listen()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2594 started.set()
2595 conns = []
2596 while not finish:
2597 r, w, e = select.select([server], [], [], 0.1)
2598 if server in r:
2599 # Let the socket hang around rather than having
2600 # it closed by garbage collection.
2601 conns.append(server.accept()[0])
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]2602 for sock in conns:
2603 sock.close()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2604
2605 t = threading.Thread(target=serve)
2606 t.start()
2607 started.wait()
2608
2609 try:
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]2610 try:
2611 c = socket.socket(socket.AF_INET)
2612 c.settimeout(0.2)
2613 c.connect((host, port))
2614 # Will attempt handshake and time out
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]2615 self.assertRaisesRegex(socket.timeout, "timed out",
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]2616 ssl.wrap_socket, c)
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]2617 finally:
2618 c.close()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2619 try:
2620 c = socket.socket(socket.AF_INET)
2621 c = ssl.wrap_socket(c)
2622 c.settimeout(0.2)
2623 # Will attempt handshake and time out
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]2624 self.assertRaisesRegex(socket.timeout, "timed out",
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]2625 c.connect, (host, port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2626 finally:
2627 c.close()
2628 finally:
2629 finish = True
2630 t.join()
2631 server.close()
2632
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]2633 def test_server_accept(self):
2634 # Issue #16357: accept() on a SSLSocket created through
2635 # SSLContext.wrap_socket().
2636 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2637 context.verify_mode = ssl.CERT_REQUIRED
2638 context.load_verify_locations(CERTFILE)
2639 context.load_cert_chain(CERTFILE)
2640 server = socket.socket(socket.AF_INET)
2641 host = "127.0.0.1"
2642 port = support.bind_port(server)
2643 server = context.wrap_socket(server, server_side=True)
2644
2645 evt = threading.Event()
2646 remote = None
2647 peer = None
2648 def serve():
2649 nonlocal remote, peer
Charles-François Natali6e204602014-07-23 19:28:13 +0100[diff] [blame]2650 server.listen()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]2651 # Block on the accept and wait on the connection to close.
2652 evt.set()
2653 remote, peer = server.accept()
2654 remote.recv(1)
2655
2656 t = threading.Thread(target=serve)
2657 t.start()
2658 # Client wait until server setup and perform a connect.
2659 evt.wait()
2660 client = context.wrap_socket(socket.socket())
2661 client.connect((host, port))
2662 client_addr = client.getsockname()
2663 client.close()
2664 t.join()
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]2665 remote.close()
2666 server.close()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]2667 # Sanity checks.
2668 self.assertIsInstance(remote, ssl.SSLSocket)
2669 self.assertEqual(peer, client_addr)
2670
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]2671 def test_getpeercert_enotconn(self):
2672 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2673 with context.wrap_socket(socket.socket()) as sock:
2674 with self.assertRaises(OSError) as cm:
2675 sock.getpeercert()
2676 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
2677
2678 def test_do_handshake_enotconn(self):
2679 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2680 with context.wrap_socket(socket.socket()) as sock:
2681 with self.assertRaises(OSError) as cm:
2682 sock.do_handshake()
2683 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
2684
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]2685 def test_default_ciphers(self):
2686 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2687 try:
2688 # Force a set of weak ciphers on our client context
2689 context.set_ciphers("DES")
2690 except ssl.SSLError:
2691 self.skipTest("no DES cipher available")
2692 with ThreadedEchoServer(CERTFILE,
2693 ssl_version=ssl.PROTOCOL_SSLv23,
2694 chatty=False) as server:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]2695 with context.wrap_socket(socket.socket()) as s:
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]2696 with self.assertRaises(OSError):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]2697 s.connect((HOST, server.port))
2698 self.assertIn("no shared cipher", str(server.conn_errors[0]))
2699
Antoine Pitrou0bebbc32014-03-22 18:13:50 +0100[diff] [blame]2700 @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
2701 def test_default_ecdh_curve(self):
2702 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
2703 # should be enabled by default on SSL contexts.
2704 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2705 context.load_cert_chain(CERTFILE)
Antoine Pitrouc0430612014-04-16 18:33:39 +0200[diff] [blame]2706 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
2707 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
2708 # our default cipher list should prefer ECDH-based ciphers
2709 # automatically.
2710 if ssl.OPENSSL_VERSION_INFO < (1, 0, 0):
2711 context.set_ciphers("ECCdraft:ECDH")
Antoine Pitrou0bebbc32014-03-22 18:13:50 +0100[diff] [blame]2712 with ThreadedEchoServer(context=context) as server:
2713 with context.wrap_socket(socket.socket()) as s:
2714 s.connect((HOST, server.port))
2715 self.assertIn("ECDH", s.cipher()[0])
2716
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]2717 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
2718 "'tls-unique' channel binding not available")
2719 def test_tls_unique_channel_binding(self):
2720 """Test tls-unique channel binding."""
2721 if support.verbose:
2722 sys.stdout.write("\n")
2723
2724 server = ThreadedEchoServer(CERTFILE,
2725 certreqs=ssl.CERT_NONE,
2726 ssl_version=ssl.PROTOCOL_TLSv1,
2727 cacerts=CERTFILE,
2728 chatty=True,
2729 connectionchatty=False)
Antoine Pitrou6b15c902011-12-21 16:54:45 +0100[diff] [blame]2730 with server:
2731 s = ssl.wrap_socket(socket.socket(),
2732 server_side=False,
2733 certfile=CERTFILE,
2734 ca_certs=CERTFILE,
2735 cert_reqs=ssl.CERT_NONE,
2736 ssl_version=ssl.PROTOCOL_TLSv1)
2737 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]2738 # get the data
2739 cb_data = s.get_channel_binding("tls-unique")
2740 if support.verbose:
2741 sys.stdout.write(" got channel binding data: {0!r}\n"
2742 .format(cb_data))
2743
2744 # check if it is sane
2745 self.assertIsNotNone(cb_data)
2746 self.assertEqual(len(cb_data), 12) # True for TLSv1
2747
2748 # and compare with the peers version
2749 s.write(b"CB tls-unique\n")
2750 peer_data_repr = s.read().strip()
2751 self.assertEqual(peer_data_repr,
2752 repr(cb_data).encode("us-ascii"))
2753 s.close()
2754
2755 # now, again
2756 s = ssl.wrap_socket(socket.socket(),
2757 server_side=False,
2758 certfile=CERTFILE,
2759 ca_certs=CERTFILE,
2760 cert_reqs=ssl.CERT_NONE,
2761 ssl_version=ssl.PROTOCOL_TLSv1)
2762 s.connect((HOST, server.port))
2763 new_cb_data = s.get_channel_binding("tls-unique")
2764 if support.verbose:
2765 sys.stdout.write(" got another channel binding data: {0!r}\n"
2766 .format(new_cb_data))
2767 # is it really unique
2768 self.assertNotEqual(cb_data, new_cb_data)
2769 self.assertIsNotNone(cb_data)
2770 self.assertEqual(len(cb_data), 12) # True for TLSv1
2771 s.write(b"CB tls-unique\n")
2772 peer_data_repr = s.read().strip()
2773 self.assertEqual(peer_data_repr,
2774 repr(new_cb_data).encode("us-ascii"))
2775 s.close()
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2776
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]2777 def test_compression(self):
2778 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2779 context.load_cert_chain(CERTFILE)
2780 stats = server_params_test(context, context,
2781 chatty=True, connectionchatty=True)
2782 if support.verbose:
2783 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
2784 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
2785
2786 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
2787 "ssl.OP_NO_COMPRESSION needed for this test")
2788 def test_compression_disabled(self):
2789 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2790 context.load_cert_chain(CERTFILE)
Antoine Pitrou8691bff2011-12-20 10:47:42 +0100[diff] [blame]2791 context.options |= ssl.OP_NO_COMPRESSION
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]2792 stats = server_params_test(context, context,
2793 chatty=True, connectionchatty=True)
2794 self.assertIs(stats['compression'], None)
2795
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]2796 def test_dh_params(self):
2797 # Check we can get a connection with ephemeral Diffie-Hellman
2798 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2799 context.load_cert_chain(CERTFILE)
2800 context.load_dh_params(DHFILE)
2801 context.set_ciphers("kEDH")
2802 stats = server_params_test(context, context,
2803 chatty=True, connectionchatty=True)
2804 cipher = stats["cipher"][0]
2805 parts = cipher.split("-")
2806 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
2807 self.fail("Non-DH cipher: " + cipher[0])
2808
Antoine Pitroud5d17eb2012-03-22 00:23:03 +0100[diff] [blame]2809 def test_selected_npn_protocol(self):
2810 # selected_npn_protocol() is None unless NPN is used
2811 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2812 context.load_cert_chain(CERTFILE)
2813 stats = server_params_test(context, context,
2814 chatty=True, connectionchatty=True)
2815 self.assertIs(stats['client_npn_protocol'], None)
2816
2817 @unittest.skipUnless(ssl.HAS_NPN, "NPN support needed for this test")
2818 def test_npn_protocols(self):
2819 server_protocols = ['http/1.1', 'spdy/2']
2820 protocol_tests = [
2821 (['http/1.1', 'spdy/2'], 'http/1.1'),
2822 (['spdy/2', 'http/1.1'], 'http/1.1'),
2823 (['spdy/2', 'test'], 'spdy/2'),
2824 (['abc', 'def'], 'abc')
2825 ]
2826 for client_protocols, expected in protocol_tests:
2827 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2828 server_context.load_cert_chain(CERTFILE)
2829 server_context.set_npn_protocols(server_protocols)
2830 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2831 client_context.load_cert_chain(CERTFILE)
2832 client_context.set_npn_protocols(client_protocols)
2833 stats = server_params_test(client_context, server_context,
2834 chatty=True, connectionchatty=True)
2835
2836 msg = "failed trying %s (s) and %s (c).\n" \
2837 "was expecting %s, but got %%s from the %%s" \
2838 % (str(server_protocols), str(client_protocols),
2839 str(expected))
2840 client_result = stats['client_npn_protocol']
2841 self.assertEqual(client_result, expected, msg % (client_result, "client"))
2842 server_result = stats['server_npn_protocols'][-1] \
2843 if len(stats['server_npn_protocols']) else 'nothing'
2844 self.assertEqual(server_result, expected, msg % (server_result, "server"))
2845
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2846 def sni_contexts(self):
2847 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2848 server_context.load_cert_chain(SIGNED_CERTFILE)
2849 other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2850 other_context.load_cert_chain(SIGNED_CERTFILE2)
2851 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2852 client_context.verify_mode = ssl.CERT_REQUIRED
2853 client_context.load_verify_locations(SIGNING_CA)
2854 return server_context, other_context, client_context
2855
2856 def check_common_name(self, stats, name):
2857 cert = stats['peercert']
2858 self.assertIn((('commonName', name),), cert['subject'])
2859
2860 @needs_sni
2861 def test_sni_callback(self):
2862 calls = []
2863 server_context, other_context, client_context = self.sni_contexts()
2864
2865 def servername_cb(ssl_sock, server_name, initial_context):
2866 calls.append((server_name, initial_context))
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]2867 if server_name is not None:
2868 ssl_sock.context = other_context
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2869 server_context.set_servername_callback(servername_cb)
2870
2871 stats = server_params_test(client_context, server_context,
2872 chatty=True,
2873 sni_name='supermessage')
2874 # The hostname was fetched properly, and the certificate was
2875 # changed for the connection.
2876 self.assertEqual(calls, [("supermessage", server_context)])
2877 # CERTFILE4 was selected
2878 self.check_common_name(stats, 'fakehostname')
2879
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]2880 calls = []
2881 # The callback is called with server_name=None
2882 stats = server_params_test(client_context, server_context,
2883 chatty=True,
2884 sni_name=None)
2885 self.assertEqual(calls, [(None, server_context)])
2886 self.check_common_name(stats, 'localhost')
2887
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]2888 # Check disabling the callback
2889 calls = []
2890 server_context.set_servername_callback(None)
2891
2892 stats = server_params_test(client_context, server_context,
2893 chatty=True,
2894 sni_name='notfunny')
2895 # Certificate didn't change
2896 self.check_common_name(stats, 'localhost')
2897 self.assertEqual(calls, [])
2898
2899 @needs_sni
2900 def test_sni_callback_alert(self):
2901 # Returning a TLS alert is reflected to the connecting client
2902 server_context, other_context, client_context = self.sni_contexts()
2903
2904 def cb_returning_alert(ssl_sock, server_name, initial_context):
2905 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
2906 server_context.set_servername_callback(cb_returning_alert)
2907
2908 with self.assertRaises(ssl.SSLError) as cm:
2909 stats = server_params_test(client_context, server_context,
2910 chatty=False,
2911 sni_name='supermessage')
2912 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
2913
2914 @needs_sni
2915 def test_sni_callback_raising(self):
2916 # Raising fails the connection with a TLS handshake failure alert.
2917 server_context, other_context, client_context = self.sni_contexts()
2918
2919 def cb_raising(ssl_sock, server_name, initial_context):
2920 1/0
2921 server_context.set_servername_callback(cb_raising)
2922
2923 with self.assertRaises(ssl.SSLError) as cm, \
2924 support.captured_stderr() as stderr:
2925 stats = server_params_test(client_context, server_context,
2926 chatty=False,
2927 sni_name='supermessage')
2928 self.assertEqual(cm.exception.reason, 'SSLV3_ALERT_HANDSHAKE_FAILURE')
2929 self.assertIn("ZeroDivisionError", stderr.getvalue())
2930
2931 @needs_sni
2932 def test_sni_callback_wrong_return_type(self):
2933 # Returning the wrong return type terminates the TLS connection
2934 # with an internal error alert.
2935 server_context, other_context, client_context = self.sni_contexts()
2936
2937 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
2938 return "foo"
2939 server_context.set_servername_callback(cb_wrong_return_type)
2940
2941 with self.assertRaises(ssl.SSLError) as cm, \
2942 support.captured_stderr() as stderr:
2943 stats = server_params_test(client_context, server_context,
2944 chatty=False,
2945 sni_name='supermessage')
2946 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
2947 self.assertIn("TypeError", stderr.getvalue())
2948
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]2949 def test_read_write_after_close_raises_valuerror(self):
2950 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2951 context.verify_mode = ssl.CERT_REQUIRED
2952 context.load_verify_locations(CERTFILE)
2953 context.load_cert_chain(CERTFILE)
2954 server = ThreadedEchoServer(context=context, chatty=False)
2955
2956 with server:
2957 s = context.wrap_socket(socket.socket())
2958 s.connect((HOST, server.port))
2959 s.close()
2960
2961 self.assertRaises(ValueError, s.read, 1024)
Antoine Pitrou28940732013-07-20 19:36:15 +0200[diff] [blame]2962 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]2963
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]2964 def test_sendfile(self):
2965 TEST_DATA = b"x" * 512
2966 with open(support.TESTFN, 'wb') as f:
2967 f.write(TEST_DATA)
2968 self.addCleanup(support.unlink, support.TESTFN)
2969 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2970 context.verify_mode = ssl.CERT_REQUIRED
2971 context.load_verify_locations(CERTFILE)
2972 context.load_cert_chain(CERTFILE)
2973 server = ThreadedEchoServer(context=context, chatty=False)
2974 with server:
2975 with context.wrap_socket(socket.socket()) as s:
2976 s.connect((HOST, server.port))
2977 with open(support.TESTFN, 'rb') as file:
2978 s.sendfile(file)
2979 self.assertEqual(s.recv(1024), TEST_DATA)
2980
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]2981
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2982def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]2983 if support.verbose:
2984 plats = {
2985 'Linux': platform.linux_distribution,
2986 'Mac': platform.mac_ver,
2987 'Windows': platform.win32_ver,
2988 }
2989 for name, func in plats.items():
2990 plat = func()
2991 if plat and plat[0]:
2992 plat = '%s %r' % (name, plat)
2993 break
2994 else:
2995 plat = repr(platform.platform())
2996 print("test_ssl: testing with %r %r" %
2997 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
2998 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]2999 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]3000 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
3001 try:
3002 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
3003 except AttributeError:
3004 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]3005
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]3006 for filename in [
3007 CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
3008 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]3009 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]3010 BADCERT, BADKEY, EMPTYCERT]:
3011 if not os.path.exists(filename):
3012 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]3013
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]3014 tests = [ContextTests, BasicSocketTests, SSLErrorTests]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]3015
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]3016 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]3017 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]3018
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]3019 if _have_threads:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]3020 thread_info = support.threading_setup()
Antoine Pitroudb5012a2013-01-12 22:00:09 +0100[diff] [blame]3021 if thread_info:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]3022 tests.append(ThreadedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]3023
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]3024 try:
3025 support.run_unittest(*tests)
3026 finally:
3027 if _have_threads:
3028 support.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]3029
3030if __name__ == "__main__":
3031 test_main()