Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / a89bbde83fe7f8cc347341e7ec57cda3ba312530 / . / Lib / test / test_ssl.py
blob: a485f7d4c3c0c185effa6148abe86dee5ca72d4a [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]16import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]17import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]18import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]19import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]20import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]21import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]22import traceback
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]23import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]24import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]25import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]26import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]27try:
28 import ctypes
29except ImportError:
30 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]31
Miss Islington (bot)8bec9fb2021-06-24 16:38:01 -0700[diff] [blame]32import warnings
33with warnings.catch_warnings():
34 warnings.simplefilter('ignore', DeprecationWarning)
35 import asyncore
36
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]37ssl = import_helper.import_module("ssl")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]38import _ssl
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]39
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]40from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]41
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]42Py_DEBUG = hasattr(sys, 'gettotalrefcount')
43Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
44
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]45PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]46HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]47IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]48PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]49
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]50PROTOCOL_TO_TLS_VERSION = {}
51for proto, ver in (
52 ("PROTOCOL_SSLv23", "SSLv3"),
53 ("PROTOCOL_TLSv1", "TLSv1"),
54 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
55):
56 try:
57 proto = getattr(ssl, proto)
58 ver = getattr(ssl.TLSVersion, ver)
59 except AttributeError:
60 continue
61 PROTOCOL_TO_TLS_VERSION[proto] = ver
62
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]63def data_file(*name):
64 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]65
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]66# The custom key and certificate files used in test_ssl are generated
67# using Lib/test/make_ssl_certs.py.
Miss Islington (bot)6fc1efa2021-07-26 15:34:32 -0700[diff] [blame]68# Other certificates are simply fetched from the internet servers they
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]69# are meant to authenticate.
70
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]71CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]72BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]73ONLYCERT = data_file("ssl_cert.pem")
74ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]75BYTES_ONLYCERT = os.fsencode(ONLYCERT)
76BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]77CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
78ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
79KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]80CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]81BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]82CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
83CAFILE_CACERT = data_file("capath", "5ed36f99.0")
84
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]85CERTFILE_INFO = {
86 'issuer': ((('countryName', 'XY'),),
87 (('localityName', 'Castle Anthrax'),),
88 (('organizationName', 'Python Software Foundation'),),
89 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]90 'notAfter': 'Aug 26 14:23:15 2028 GMT',
91 'notBefore': 'Aug 29 14:23:15 2018 GMT',
92 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]93 'subject': ((('countryName', 'XY'),),
94 (('localityName', 'Castle Anthrax'),),
95 (('organizationName', 'Python Software Foundation'),),
96 (('commonName', 'localhost'),)),
97 'subjectAltName': (('DNS', 'localhost'),),
98 'version': 3
99}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]100
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]101# empty CRL
102CRLFILE = data_file("revocation.crl")
103
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]104# Two keys and certs signed by the same CA (for SNI tests)
105SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]106SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]107
108SIGNED_CERTFILE_INFO = {
109 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
110 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
111 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
112 'issuer': ((('countryName', 'XY'),),
113 (('organizationName', 'Python Software Foundation CA'),),
114 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]115 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]116 'notBefore': 'Aug 29 14:23:16 2018 GMT',
117 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]118 'subject': ((('countryName', 'XY'),),
119 (('localityName', 'Castle Anthrax'),),
120 (('organizationName', 'Python Software Foundation'),),
121 (('commonName', 'localhost'),)),
122 'subjectAltName': (('DNS', 'localhost'),),
123 'version': 3
124}
125
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]126SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]127SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]128SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
129SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
130
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]131# Same certificate as pycacert.pem, but without extra text in file
132SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]133# cert with all kinds of subject alt names
134ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]135IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]136NOSANFILE = data_file("nosan.pem")
137NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]138
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]139REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]140
141EMPTYCERT = data_file("nullcert.pem")
142BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]143NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]144BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]145NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]146NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]147TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]148
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]149DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]150BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]151
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]152# Not defined in all versions of OpenSSL
153OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
154OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
155OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
156OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]157OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]158OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]159
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]160# Ubuntu has patched OpenSSL and changed behavior of security level 2
161# see https://bugs.python.org/issue41561#msg389003
162def is_ubuntu():
163 try:
164 # Assume that any references of "ubuntu" implies Ubuntu-like distro
165 # The workaround is not required for 18.04, but doesn't hurt either.
166 with open("/etc/os-release", encoding="utf-8") as f:
167 return "ubuntu" in f.read()
168 except FileNotFoundError:
169 return False
170
171if is_ubuntu():
172 def seclevel_workaround(*ctxs):
173 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
174 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]175 if (
176 hasattr(ctx, "minimum_version") and
177 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
178 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]179 ctx.set_ciphers("@SECLEVEL=1:ALL")
180else:
181 def seclevel_workaround(*ctxs):
182 pass
183
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]184
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]185def has_tls_protocol(protocol):
186 """Check if a TLS protocol is available and enabled
187
188 :param protocol: enum ssl._SSLMethod member or name
189 :return: bool
190 """
191 if isinstance(protocol, str):
192 assert protocol.startswith('PROTOCOL_')
193 protocol = getattr(ssl, protocol, None)
194 if protocol is None:
195 return False
196 if protocol in {
197 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
198 ssl.PROTOCOL_TLS_CLIENT
199 }:
200 # auto-negotiate protocols are always available
201 return True
202 name = protocol.name
203 return has_tls_version(name[len('PROTOCOL_'):])
204
205
206@functools.lru_cache
207def has_tls_version(version):
208 """Check if a TLS/SSL version is enabled
209
210 :param version: TLS version name or ssl.TLSVersion member
211 :return: bool
212 """
213 if version == "SSLv2":
214 # never supported and not even in TLSVersion enum
215 return False
216
217 if isinstance(version, str):
218 version = ssl.TLSVersion.__members__[version]
219
220 # check compile time flags like ssl.HAS_TLSv1_2
221 if not getattr(ssl, f'HAS_{version.name}'):
222 return False
223
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]224 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
225 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
226 return False
227
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]228 # check runtime and dynamic crypto policy settings. A TLS version may
229 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]230 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]231 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]232 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]233 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
234 version < ctx.minimum_version
235 ):
236 return False
237 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]238 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]239 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
240 version > ctx.maximum_version
241 ):
242 return False
243
244 return True
245
246
247def requires_tls_version(version):
248 """Decorator to skip tests when a required TLS version is not available
249
250 :param version: TLS version name or ssl.TLSVersion member
251 :return:
252 """
253 def decorator(func):
254 @functools.wraps(func)
255 def wrapper(*args, **kw):
256 if not has_tls_version(version):
257 raise unittest.SkipTest(f"{version} is not available.")
258 else:
259 return func(*args, **kw)
260 return wrapper
261 return decorator
262
263
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]264def handle_error(prefix):
265 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]266 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]267 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]268
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]269
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]270def utc_offset(): #NOTE: ignore issues like #1647654
271 # local time = utc time + utc offset
272 if time.daylight and time.localtime().tm_isdst > 0:
273 return -time.altzone # seconds
274 return -time.timezone
275
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]276
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]277ignore_deprecation = warnings_helper.ignore_warnings(
278 category=DeprecationWarning
279)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]280
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]281
282def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]283 cert_reqs=ssl.CERT_NONE, ca_certs=None,
284 ciphers=None, certfile=None, keyfile=None,
285 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]286 if not kwargs.get("server_side"):
287 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
288 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
289 else:
290 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]291 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]292 if cert_reqs == ssl.CERT_NONE:
293 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]294 context.verify_mode = cert_reqs
295 if ca_certs is not None:
296 context.load_verify_locations(ca_certs)
297 if certfile is not None or keyfile is not None:
298 context.load_cert_chain(certfile, keyfile)
299 if ciphers is not None:
300 context.set_ciphers(ciphers)
301 return context.wrap_socket(sock, **kwargs)
302
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]303
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]304def testing_context(server_cert=SIGNED_CERTFILE, *, server_chain=True):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]305 """Create context
306
307 client_context, server_context, hostname = testing_context()
308 """
309 if server_cert == SIGNED_CERTFILE:
310 hostname = SIGNED_CERTFILE_HOSTNAME
311 elif server_cert == SIGNED_CERTFILE2:
312 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]313 elif server_cert == NOSANFILE:
314 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]315 else:
316 raise ValueError(server_cert)
317
318 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
319 client_context.load_verify_locations(SIGNING_CA)
320
321 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
322 server_context.load_cert_chain(server_cert)
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]323 if server_chain:
324 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]325
326 return client_context, server_context, hostname
327
328
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]329class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]330
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]331 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]332 ssl.CERT_NONE
333 ssl.CERT_OPTIONAL
334 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]335 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]336 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]337 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]338 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]339 self.assertEqual(ssl.HAS_SNI, True)
340 self.assertEqual(ssl.HAS_ECDH, True)
341 self.assertEqual(ssl.HAS_TLSv1_2, True)
342 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]343 ssl.OP_NO_SSLv2
344 ssl.OP_NO_SSLv3
345 ssl.OP_NO_TLSv1
346 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]347 ssl.OP_NO_TLSv1_1
348 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]349 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]350
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame]351 def test_ssl_types(self):
352 ssl_types = [
353 _ssl._SSLContext,
354 _ssl._SSLSocket,
355 _ssl.MemoryBIO,
356 _ssl.Certificate,
357 _ssl.SSLSession,
358 _ssl.SSLError,
359 ]
360 for ssl_type in ssl_types:
361 with self.subTest(ssl_type=ssl_type):
362 with self.assertRaisesRegex(TypeError, "immutable type"):
363 ssl_type.value = None
Erlend Egeberg Aasland0a3452e2021-06-24 01:46:25 +0200[diff] [blame]364 support.check_disallow_instantiation(self, _ssl.Certificate)
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame]365
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]366 def test_private_init(self):
367 with self.assertRaisesRegex(TypeError, "public constructor"):
368 with socket.socket() as s:
369 ssl.SSLSocket(s)
370
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]371 def test_str_for_enums(self):
372 # Make sure that the PROTOCOL_* constants have enum-like string
373 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]374 proto = ssl.PROTOCOL_TLS_CLIENT
Ethan Furman9bf7c2d2021-07-03 21:08:42 -0700[diff] [blame]375 self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]376 ctx = ssl.SSLContext(proto)
377 self.assertIs(ctx.protocol, proto)
378
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]379 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]380 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]381 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]382 sys.stdout.write("\n RAND_status is %d (%s)\n"
383 % (v, (v and "sufficient randomness") or
384 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]385
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]386 with warnings_helper.check_warnings():
387 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]388 self.assertEqual(len(data), 16)
389 self.assertEqual(is_cryptographic, v == 1)
390 if v:
391 data = ssl.RAND_bytes(16)
392 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]393 else:
394 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]395
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]396 # negative num is invalid
397 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]398 with warnings_helper.check_warnings():
399 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]400
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]401 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]402 ssl.RAND_add(b"this is a random bytes object", 75.0)
403 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]404
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]405 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]406 # note that this uses an 'unofficial' function in _ssl.c,
407 # provided solely for this test, to exercise the certificate
408 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]409 self.assertEqual(
410 ssl._ssl._test_decode_cert(CERTFILE),
411 CERTFILE_INFO
412 )
413 self.assertEqual(
414 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
415 SIGNED_CERTFILE_INFO
416 )
417
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]418 # Issue #13034: the subjectAltName in some certificates
419 # (notably projects.developer.nokia.com:443) wasn't parsed
420 p = ssl._ssl._test_decode_cert(NOKIACERT)
421 if support.verbose:
422 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
423 self.assertEqual(p['subjectAltName'],
424 (('DNS', 'projects.developer.nokia.com'),
425 ('DNS', 'projects.forum.nokia.com'))
426 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]427 # extra OCSP and AIA fields
428 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
429 self.assertEqual(p['caIssuers'],
430 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
431 self.assertEqual(p['crlDistributionPoints'],
432 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]433
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]434 def test_parse_cert_CVE_2019_5010(self):
435 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
436 if support.verbose:
437 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
438 self.assertEqual(
439 p,
440 {
441 'issuer': (
442 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
443 'notAfter': 'Jun 14 18:00:58 2028 GMT',
444 'notBefore': 'Jun 18 18:00:58 2018 GMT',
445 'serialNumber': '02',
446 'subject': ((('countryName', 'UK'),),
447 (('commonName',
448 'codenomicon-vm-2.test.lal.cisco.com'),)),
449 'subjectAltName': (
450 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
451 'version': 3
452 }
453 )
454
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]455 def test_parse_cert_CVE_2013_4238(self):
456 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
457 if support.verbose:
458 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
459 subject = ((('countryName', 'US'),),
460 (('stateOrProvinceName', 'Oregon'),),
461 (('localityName', 'Beaverton'),),
462 (('organizationName', 'Python Software Foundation'),),
463 (('organizationalUnitName', 'Python Core Development'),),
464 (('commonName', 'null.python.org\x00example.org'),),
465 (('emailAddress', 'python-dev@python.org'),))
466 self.assertEqual(p['subject'], subject)
467 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]468 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
469 san = (('DNS', 'altnull.python.org\x00example.com'),
470 ('email', 'null@python.org\x00user@example.org'),
471 ('URI', 'http://null.python.org\x00http://example.org'),
472 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]473 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]474 else:
475 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
476 san = (('DNS', 'altnull.python.org\x00example.com'),
477 ('email', 'null@python.org\x00user@example.org'),
478 ('URI', 'http://null.python.org\x00http://example.org'),
479 ('IP Address', '192.0.2.1'),
480 ('IP Address', '<invalid>'))
481
482 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]483
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]484 def test_parse_all_sans(self):
485 p = ssl._ssl._test_decode_cert(ALLSANFILE)
486 self.assertEqual(p['subjectAltName'],
487 (
488 ('DNS', 'allsans'),
489 ('othername', '<unsupported>'),
490 ('othername', '<unsupported>'),
491 ('email', 'user@example.org'),
492 ('DNS', 'www.example.org'),
493 ('DirName',
494 ((('countryName', 'XY'),),
495 (('localityName', 'Castle Anthrax'),),
496 (('organizationName', 'Python Software Foundation'),),
497 (('commonName', 'dirname example'),))),
498 ('URI', 'https://www.python.org/'),
499 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]500 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]501 ('Registered ID', '1.2.3.4.5')
502 )
503 )
504
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]505 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]506 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]507 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]508 d1 = ssl.PEM_cert_to_DER_cert(pem)
509 p2 = ssl.DER_cert_to_PEM_cert(d1)
510 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]511 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]512 if not p2.startswith(ssl.PEM_HEADER + '\n'):
513 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
514 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
515 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]516
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]517 def test_openssl_version(self):
518 n = ssl.OPENSSL_VERSION_NUMBER
519 t = ssl.OPENSSL_VERSION_INFO
520 s = ssl.OPENSSL_VERSION
521 self.assertIsInstance(n, int)
522 self.assertIsInstance(t, tuple)
523 self.assertIsInstance(s, str)
524 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]525 # >= 1.1.1
526 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]527 # < 4.0
528 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]529 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]530 self.assertGreaterEqual(major, 1)
531 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]532 self.assertGreaterEqual(minor, 0)
533 self.assertLess(minor, 256)
534 self.assertGreaterEqual(fix, 0)
535 self.assertLess(fix, 256)
536 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]537 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]538 self.assertGreaterEqual(status, 0)
539 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]540
541 libressl_ver = f"LibreSSL {major:d}"
542 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
543 self.assertTrue(
544 s.startswith((openssl_ver, libressl_ver)),
545 (s, t, hex(n))
546 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]547
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]548 @support.cpython_only
549 def test_refcycle(self):
550 # Issue #7943: an SSL object doesn't create reference cycles with
551 # itself.
552 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]553 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]554 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]555 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]556 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]557 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]558
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]559 def test_wrapped_unconnected(self):
560 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]561 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]562 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]563 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]564 self.assertRaises(OSError, ss.recv, 1)
565 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
566 self.assertRaises(OSError, ss.recvfrom, 1)
567 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
568 self.assertRaises(OSError, ss.send, b'x')
569 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]570 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]571 self.assertRaises(NotImplementedError, ss.sendmsg,
572 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]573 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
574 self.assertRaises(NotImplementedError, ss.recvmsg_into,
575 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]576
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]577 def test_timeout(self):
578 # Issue #8524: when creating an SSL socket, the timeout of the
579 # original socket should be retained.
580 for timeout in (None, 0.0, 5.0):
581 s = socket.socket(socket.AF_INET)
582 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]583 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]584 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]585
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]586 def test_openssl111_deprecations(self):
587 options = [
588 ssl.OP_NO_TLSv1,
589 ssl.OP_NO_TLSv1_1,
590 ssl.OP_NO_TLSv1_2,
591 ssl.OP_NO_TLSv1_3
592 ]
593 protocols = [
594 ssl.PROTOCOL_TLSv1,
595 ssl.PROTOCOL_TLSv1_1,
596 ssl.PROTOCOL_TLSv1_2,
597 ssl.PROTOCOL_TLS
598 ]
599 versions = [
600 ssl.TLSVersion.SSLv3,
601 ssl.TLSVersion.TLSv1,
602 ssl.TLSVersion.TLSv1_1,
603 ]
604
605 for option in options:
606 with self.subTest(option=option):
607 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
608 with self.assertWarns(DeprecationWarning) as cm:
609 ctx.options |= option
610 self.assertEqual(
Miss Islington (bot)08f2b9d2021-06-17 03:00:56 -0700[diff] [blame]611 'ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated',
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]612 str(cm.warning)
613 )
614
615 for protocol in protocols:
616 with self.subTest(protocol=protocol):
617 with self.assertWarns(DeprecationWarning) as cm:
618 ssl.SSLContext(protocol)
619 self.assertEqual(
Ethan Furman9bf7c2d2021-07-03 21:08:42 -0700[diff] [blame]620 f'ssl.{protocol.name} is deprecated',
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]621 str(cm.warning)
622 )
623
624 for version in versions:
625 with self.subTest(version=version):
626 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
627 with self.assertWarns(DeprecationWarning) as cm:
628 ctx.minimum_version = version
629 self.assertEqual(
Ethan Furman9bf7c2d2021-07-03 21:08:42 -0700[diff] [blame]630 f'ssl.{version!s} is deprecated',
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]631 str(cm.warning)
632 )
633
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]634 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]635 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]636 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]637 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]638 "certfile must be specified",
639 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]640 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]641 "certfile must be specified for server-side operations",
642 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]643 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]644 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]645 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]646 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
647 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]648 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]649 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]650 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]651 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]652 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]653 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]654 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]655 ssl.wrap_socket(sock,
656 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]657 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]658 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]659 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]660 ssl.wrap_socket(sock,
661 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]662 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]663
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]664 def bad_cert_test(self, certfile):
665 """Check that trying to use the given client certificate fails"""
666 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
667 certfile)
668 sock = socket.socket()
669 self.addCleanup(sock.close)
670 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]671 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]672 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]673
674 def test_empty_cert(self):
675 """Wrapping with an empty cert file"""
676 self.bad_cert_test("nullcert.pem")
677
678 def test_malformed_cert(self):
679 """Wrapping with a badly formatted certificate (syntax error)"""
680 self.bad_cert_test("badcert.pem")
681
682 def test_malformed_key(self):
683 """Wrapping with a badly formatted key (syntax error)"""
684 self.bad_cert_test("badkey.pem")
685
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]686 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]687 def test_match_hostname(self):
688 def ok(cert, hostname):
689 ssl.match_hostname(cert, hostname)
690 def fail(cert, hostname):
691 self.assertRaises(ssl.CertificateError,
692 ssl.match_hostname, cert, hostname)
693
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]694 # -- Hostname matching --
695
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]696 cert = {'subject': ((('commonName', 'example.com'),),)}
697 ok(cert, 'example.com')
698 ok(cert, 'ExAmple.cOm')
699 fail(cert, 'www.example.com')
700 fail(cert, '.example.com')
701 fail(cert, 'example.org')
702 fail(cert, 'exampleXcom')
703
704 cert = {'subject': ((('commonName', '*.a.com'),),)}
705 ok(cert, 'foo.a.com')
706 fail(cert, 'bar.foo.a.com')
707 fail(cert, 'a.com')
708 fail(cert, 'Xa.com')
709 fail(cert, '.a.com')
710
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]711 # only match wildcards when they are the only thing
712 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]713 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]714 fail(cert, 'foo.com')
715 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]716 fail(cert, 'bar.com')
717 fail(cert, 'foo.a.com')
718 fail(cert, 'bar.foo.com')
719
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]720 # NULL bytes are bad, CVE-2013-4073
721 cert = {'subject': ((('commonName',
722 'null.python.org\x00example.org'),),)}
723 ok(cert, 'null.python.org\x00example.org') # or raise an error?
724 fail(cert, 'example.org')
725 fail(cert, 'null.python.org')
726
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]727 # error cases with wildcards
728 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
729 fail(cert, 'bar.foo.a.com')
730 fail(cert, 'a.com')
731 fail(cert, 'Xa.com')
732 fail(cert, '.a.com')
733
734 cert = {'subject': ((('commonName', 'a.*.com'),),)}
735 fail(cert, 'a.foo.com')
736 fail(cert, 'a..com')
737 fail(cert, 'a.com')
738
739 # wildcard doesn't match IDNA prefix 'xn--'
740 idna = 'püthon.python.org'.encode("idna").decode("ascii")
741 cert = {'subject': ((('commonName', idna),),)}
742 ok(cert, idna)
743 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
744 fail(cert, idna)
745 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
746 fail(cert, idna)
747
748 # wildcard in first fragment and IDNA A-labels in sequent fragments
749 # are supported.
750 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
751 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]752 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
753 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]754 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
755 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
756
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]757 # Slightly fake real-world example
758 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
759 'subject': ((('commonName', 'linuxfrz.org'),),),
760 'subjectAltName': (('DNS', 'linuxfr.org'),
761 ('DNS', 'linuxfr.com'),
762 ('othername', '<unsupported>'))}
763 ok(cert, 'linuxfr.org')
764 ok(cert, 'linuxfr.com')
765 # Not a "DNS" entry
766 fail(cert, '<unsupported>')
767 # When there is a subjectAltName, commonName isn't used
768 fail(cert, 'linuxfrz.org')
769
770 # A pristine real-world example
771 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
772 'subject': ((('countryName', 'US'),),
773 (('stateOrProvinceName', 'California'),),
774 (('localityName', 'Mountain View'),),
775 (('organizationName', 'Google Inc'),),
776 (('commonName', 'mail.google.com'),))}
777 ok(cert, 'mail.google.com')
778 fail(cert, 'gmail.com')
779 # Only commonName is considered
780 fail(cert, 'California')
781
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]782 # -- IPv4 matching --
783 cert = {'subject': ((('commonName', 'example.com'),),),
784 'subjectAltName': (('DNS', 'example.com'),
785 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]786 ('IP Address', '14.15.16.17'),
787 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]788 ok(cert, '10.11.12.13')
789 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]790 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
791 fail(cert, '127.1')
792 fail(cert, '14.15.16.17 ')
793 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]794 fail(cert, '14.15.16.18')
795 fail(cert, 'example.net')
796
797 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]798 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]799 cert = {'subject': ((('commonName', 'example.com'),),),
800 'subjectAltName': (
801 ('DNS', 'example.com'),
802 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
803 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
804 ok(cert, '2001::cafe')
805 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]806 fail(cert, '2003::baba ')
807 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]808 fail(cert, '2003::bebe')
809 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]810
811 # -- Miscellaneous --
812
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]813 # Neither commonName nor subjectAltName
814 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
815 'subject': ((('countryName', 'US'),),
816 (('stateOrProvinceName', 'California'),),
817 (('localityName', 'Mountain View'),),
818 (('organizationName', 'Google Inc'),))}
819 fail(cert, 'mail.google.com')
820
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]821 # No DNS entry in subjectAltName but a commonName
822 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
823 'subject': ((('countryName', 'US'),),
824 (('stateOrProvinceName', 'California'),),
825 (('localityName', 'Mountain View'),),
826 (('commonName', 'mail.google.com'),)),
827 'subjectAltName': (('othername', 'blabla'), )}
828 ok(cert, 'mail.google.com')
829
830 # No DNS entry subjectAltName and no commonName
831 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
832 'subject': ((('countryName', 'US'),),
833 (('stateOrProvinceName', 'California'),),
834 (('localityName', 'Mountain View'),),
835 (('organizationName', 'Google Inc'),)),
836 'subjectAltName': (('othername', 'blabla'),)}
837 fail(cert, 'google.com')
838
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]839 # Empty cert / no cert
840 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
841 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
842
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]843 # Issue #17980: avoid denials of service by refusing more than one
844 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]845 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
846 with self.assertRaisesRegex(
847 ssl.CertificateError,
848 "partial wildcards in leftmost label are not supported"):
849 ssl.match_hostname(cert, 'axxb.example.com')
850
851 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
852 with self.assertRaisesRegex(
853 ssl.CertificateError,
854 "wildcard can only be present in the leftmost label"):
855 ssl.match_hostname(cert, 'www.sub.example.com')
856
857 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
858 with self.assertRaisesRegex(
859 ssl.CertificateError,
860 "too many wildcards"):
861 ssl.match_hostname(cert, 'axxbxxc.example.com')
862
863 cert = {'subject': ((('commonName', '*'),),)}
864 with self.assertRaisesRegex(
865 ssl.CertificateError,
866 "sole wildcard without additional labels are not support"):
867 ssl.match_hostname(cert, 'host')
868
869 cert = {'subject': ((('commonName', '*.com'),),)}
870 with self.assertRaisesRegex(
871 ssl.CertificateError,
872 r"hostname 'com' doesn't match '\*.com'"):
873 ssl.match_hostname(cert, 'com')
874
875 # extra checks for _inet_paton()
876 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
877 with self.assertRaises(ValueError):
878 ssl._inet_paton(invalid)
879 for ipaddr in ['127.0.0.1', '192.168.0.1']:
880 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]881 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]882 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
883 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]884
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]885 def test_server_side(self):
886 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]887 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]888 with socket.socket() as sock:
889 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
890 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]891
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]892 def test_unknown_channel_binding(self):
893 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]894 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]895 c = socket.socket(socket.AF_INET)
896 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]897 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]898 with self.assertRaises(ValueError):
899 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]900 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]901
902 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
903 "'tls-unique' channel binding not available")
904 def test_tls_unique_channel_binding(self):
905 # unconnected should return None for known type
906 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]907 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]908 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]909 # the same for server-side
910 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]911 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]912 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]913
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]914 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]915 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]916 r = repr(ss)
917 with self.assertWarns(ResourceWarning) as cm:
918 ss = None
919 support.gc_collect()
920 self.assertIn(r, str(cm.warning.args[0]))
921
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]922 def test_get_default_verify_paths(self):
923 paths = ssl.get_default_verify_paths()
924 self.assertEqual(len(paths), 6)
925 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
926
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]927 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]928 env["SSL_CERT_DIR"] = CAPATH
929 env["SSL_CERT_FILE"] = CERTFILE
930 paths = ssl.get_default_verify_paths()
931 self.assertEqual(paths.cafile, CERTFILE)
932 self.assertEqual(paths.capath, CAPATH)
933
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]934 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
935 def test_enum_certificates(self):
936 self.assertTrue(ssl.enum_certificates("CA"))
937 self.assertTrue(ssl.enum_certificates("ROOT"))
938
939 self.assertRaises(TypeError, ssl.enum_certificates)
940 self.assertRaises(WindowsError, ssl.enum_certificates, "")
941
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]942 trust_oids = set()
943 for storename in ("CA", "ROOT"):
944 store = ssl.enum_certificates(storename)
945 self.assertIsInstance(store, list)
946 for element in store:
947 self.assertIsInstance(element, tuple)
948 self.assertEqual(len(element), 3)
949 cert, enc, trust = element
950 self.assertIsInstance(cert, bytes)
951 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]952 self.assertIsInstance(trust, (frozenset, set, bool))
953 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]954 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]955
956 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]957 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]958
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]959 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]960 def test_enum_crls(self):
961 self.assertTrue(ssl.enum_crls("CA"))
962 self.assertRaises(TypeError, ssl.enum_crls)
963 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]964
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]965 crls = ssl.enum_crls("CA")
966 self.assertIsInstance(crls, list)
967 for element in crls:
968 self.assertIsInstance(element, tuple)
969 self.assertEqual(len(element), 2)
970 self.assertIsInstance(element[0], bytes)
971 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]972
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]973
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]974 def test_asn1object(self):
975 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
976 '1.3.6.1.5.5.7.3.1')
977
978 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
979 self.assertEqual(val, expected)
980 self.assertEqual(val.nid, 129)
981 self.assertEqual(val.shortname, 'serverAuth')
982 self.assertEqual(val.longname, 'TLS Web Server Authentication')
983 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
984 self.assertIsInstance(val, ssl._ASN1Object)
985 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
986
987 val = ssl._ASN1Object.fromnid(129)
988 self.assertEqual(val, expected)
989 self.assertIsInstance(val, ssl._ASN1Object)
990 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]991 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
992 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]993 for i in range(1000):
994 try:
995 obj = ssl._ASN1Object.fromnid(i)
996 except ValueError:
997 pass
998 else:
999 self.assertIsInstance(obj.nid, int)
1000 self.assertIsInstance(obj.shortname, str)
1001 self.assertIsInstance(obj.longname, str)
1002 self.assertIsInstance(obj.oid, (str, type(None)))
1003
1004 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
1005 self.assertEqual(val, expected)
1006 self.assertIsInstance(val, ssl._ASN1Object)
1007 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
1008 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
1009 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]1010 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
1011 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1012
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1013 def test_purpose_enum(self):
1014 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
1015 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
1016 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
1017 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
1018 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
1019 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
1020 '1.3.6.1.5.5.7.3.1')
1021
1022 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
1023 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
1024 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
1025 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
1026 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
1027 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
1028 '1.3.6.1.5.5.7.3.2')
1029
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1030 def test_unsupported_dtls(self):
1031 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
1032 self.addCleanup(s.close)
1033 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1034 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1035 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1036 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]1037 with self.assertRaises(NotImplementedError) as cx:
1038 ctx.wrap_socket(s)
1039 self.assertEqual(str(cx.exception), "only stream sockets are supported")
1040
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1041 def cert_time_ok(self, timestring, timestamp):
1042 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
1043
1044 def cert_time_fail(self, timestring):
1045 with self.assertRaises(ValueError):
1046 ssl.cert_time_to_seconds(timestring)
1047
1048 @unittest.skipUnless(utc_offset(),
1049 'local time needs to be different from UTC')
1050 def test_cert_time_to_seconds_timezone(self):
1051 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
1052 # results if local timezone is not UTC
1053 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
1054 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
1055
1056 def test_cert_time_to_seconds(self):
1057 timestring = "Jan 5 09:34:43 2018 GMT"
1058 ts = 1515144883.0
1059 self.cert_time_ok(timestring, ts)
1060 # accept keyword parameter, assert its name
1061 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
1062 # accept both %e and %d (space or zero generated by strftime)
1063 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
1064 # case-insensitive
1065 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
1066 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
1067 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1068 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1069 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1070 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1071 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1072 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1073
1074 newyear_ts = 1230768000.0
1075 # leap seconds
1076 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1077 # same timestamp
1078 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1079
1080 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1081 # allow 60th second (even if it is not a leap second)
1082 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1083 # allow 2nd leap second for compatibility with time.strptime()
1084 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1085 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1086
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1087 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1088 # 99991231235959Z (rfc 5280)
1089 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1090
1091 @support.run_with_locale('LC_ALL', '')
1092 def test_cert_time_to_seconds_locale(self):
1093 # `cert_time_to_seconds()` should be locale independent
1094
1095 def local_february_name():
1096 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1097
1098 if local_february_name().lower() == 'feb':
1099 self.skipTest("locale-specific month name needs to be "
1100 "different from C locale")
1101
1102 # locale-independent
1103 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1104 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1105
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1106 def test_connect_ex_error(self):
1107 server = socket.socket(socket.AF_INET)
1108 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1109 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1110 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1111 cert_reqs=ssl.CERT_REQUIRED)
1112 self.addCleanup(s.close)
1113 rc = s.connect_ex((HOST, port))
1114 # Issue #19919: Windows machines or VMs hosted on Windows
1115 # machines sometimes return EWOULDBLOCK.
1116 errors = (
1117 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1118 errno.EWOULDBLOCK,
1119 )
1120 self.assertIn(rc, errors)
1121
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1122 def test_read_write_zero(self):
1123 # empty reads and writes now work, bpo-42854, bpo-31711
1124 client_context, server_context, hostname = testing_context()
1125 server = ThreadedEchoServer(context=server_context)
1126 with server:
1127 with client_context.wrap_socket(socket.socket(),
1128 server_hostname=hostname) as s:
1129 s.connect((HOST, server.port))
1130 self.assertEqual(s.recv(0), b"")
1131 self.assertEqual(s.send(b""), 0)
1132
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1133
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1134class ContextTests(unittest.TestCase):
1135
1136 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1137 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1138 with warnings_helper.check_warnings():
1139 ctx = ssl.SSLContext(protocol)
1140 self.assertEqual(ctx.protocol, protocol)
1141 with warnings_helper.check_warnings():
1142 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1143 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1144 self.assertRaises(ValueError, ssl.SSLContext, -1)
1145 self.assertRaises(ValueError, ssl.SSLContext, 42)
1146
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1147 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1148 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1149 ctx.set_ciphers("ALL")
1150 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1151 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1152 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1153
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1154 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1155 "Test applies only to Python default ciphers")
1156 def test_python_ciphers(self):
1157 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1158 ciphers = ctx.get_ciphers()
1159 for suite in ciphers:
1160 name = suite['name']
1161 self.assertNotIn("PSK", name)
1162 self.assertNotIn("SRP", name)
1163 self.assertNotIn("MD5", name)
1164 self.assertNotIn("RC4", name)
1165 self.assertNotIn("3DES", name)
1166
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1167 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1168 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1169 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1170 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1171 self.assertIn('AES256-GCM-SHA384', names)
1172 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1173
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1174 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1175 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1176 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1177 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1178 # SSLContext also enables these by default
1179 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1180 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1181 OP_ENABLE_MIDDLEBOX_COMPAT |
1182 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1183 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1184 with warnings_helper.check_warnings():
1185 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1186 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1187 with warnings_helper.check_warnings():
1188 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1189 self.assertEqual(default, ctx.options)
1190 ctx.options = 0
1191 # Ubuntu has OP_NO_SSLv3 forced on by default
1192 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1193
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1194 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1195 with warnings_helper.check_warnings():
1196 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1197 # Default value
1198 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1199 ctx.verify_mode = ssl.CERT_OPTIONAL
1200 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1201 ctx.verify_mode = ssl.CERT_REQUIRED
1202 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1203 ctx.verify_mode = ssl.CERT_NONE
1204 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1205 with self.assertRaises(TypeError):
1206 ctx.verify_mode = None
1207 with self.assertRaises(ValueError):
1208 ctx.verify_mode = 42
1209
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1210 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1211 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1212 self.assertFalse(ctx.check_hostname)
1213
1214 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1215 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1216 self.assertTrue(ctx.check_hostname)
1217
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1218 def test_hostname_checks_common_name(self):
1219 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1220 self.assertTrue(ctx.hostname_checks_common_name)
1221 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1222 ctx.hostname_checks_common_name = True
1223 self.assertTrue(ctx.hostname_checks_common_name)
1224 ctx.hostname_checks_common_name = False
1225 self.assertFalse(ctx.hostname_checks_common_name)
1226 ctx.hostname_checks_common_name = True
1227 self.assertTrue(ctx.hostname_checks_common_name)
1228 else:
1229 with self.assertRaises(AttributeError):
1230 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1231
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1232 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1233 def test_min_max_version(self):
1234 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1235 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1236 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1237 minimum_range = {
1238 # stock OpenSSL
1239 ssl.TLSVersion.MINIMUM_SUPPORTED,
1240 # Fedora 29 uses TLS 1.0 by default
1241 ssl.TLSVersion.TLSv1,
1242 # RHEL 8 uses TLS 1.2 by default
1243 ssl.TLSVersion.TLSv1_2
1244 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1245 maximum_range = {
1246 # stock OpenSSL
1247 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1248 # Fedora 32 uses TLS 1.3 by default
1249 ssl.TLSVersion.TLSv1_3
1250 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1251
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1252 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1253 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1254 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1255 self.assertIn(
1256 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1257 )
1258
1259 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1260 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1261 self.assertEqual(
1262 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1263 )
1264 self.assertEqual(
1265 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1266 )
1267
1268 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1269 ctx.maximum_version = ssl.TLSVersion.TLSv1
1270 self.assertEqual(
1271 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1272 )
1273 self.assertEqual(
1274 ctx.maximum_version, ssl.TLSVersion.TLSv1
1275 )
1276
1277 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1278 self.assertEqual(
1279 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1280 )
1281
1282 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1283 self.assertIn(
1284 ctx.maximum_version,
1285 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1286 )
1287
1288 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1289 self.assertIn(
1290 ctx.minimum_version,
1291 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1292 )
1293
1294 with self.assertRaises(ValueError):
1295 ctx.minimum_version = 42
1296
1297 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1298
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1299 self.assertIn(
1300 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1301 )
1302 self.assertEqual(
1303 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1304 )
1305 with self.assertRaises(ValueError):
1306 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1307 with self.assertRaises(ValueError):
1308 ctx.maximum_version = ssl.TLSVersion.TLSv1
1309
1310
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1311 @unittest.skipUnless(
1312 hasattr(ssl.SSLContext, 'security_level'),
1313 "requires OpenSSL >= 1.1.0"
1314 )
1315 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1316 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1317 # The default security callback allows for levels between 0-5
1318 # with OpenSSL defaulting to 1, however some vendors override the
1319 # default value (e.g. Debian defaults to 2)
1320 security_level_range = {
1321 0,
1322 1, # OpenSSL default
1323 2, # Debian
1324 3,
1325 4,
1326 5,
1327 }
1328 self.assertIn(ctx.security_level, security_level_range)
1329
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1330 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1331 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1332 # default value
1333 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1334 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1335 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1336 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1337 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1338 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1339 ctx.verify_flags = ssl.VERIFY_DEFAULT
1340 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1341 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1342 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1343 # supports any value
1344 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1345 self.assertEqual(ctx.verify_flags,
1346 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1347 with self.assertRaises(TypeError):
1348 ctx.verify_flags = None
1349
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1350 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1351 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1352 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1353 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1354 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1355 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1356 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1357 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1358 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1359 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1360 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1361 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1362 ctx.load_cert_chain(EMPTYCERT)
1363 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1364 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1365 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1366 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1367 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1368 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1369 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1370 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1371 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1372 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1373 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1374 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1375 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1376 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1377 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1378 # Password protected key and cert
1379 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1380 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1381 ctx.load_cert_chain(CERTFILE_PROTECTED,
1382 password=bytearray(KEY_PASSWORD.encode()))
1383 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1384 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1385 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1386 bytearray(KEY_PASSWORD.encode()))
1387 with self.assertRaisesRegex(TypeError, "should be a string"):
1388 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1389 with self.assertRaises(ssl.SSLError):
1390 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1391 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1392 # openssl has a fixed limit on the password buffer.
1393 # PEM_BUFSIZE is generally set to 1kb.
1394 # Return a string larger than this.
1395 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1396 # Password callback
1397 def getpass_unicode():
1398 return KEY_PASSWORD
1399 def getpass_bytes():
1400 return KEY_PASSWORD.encode()
1401 def getpass_bytearray():
1402 return bytearray(KEY_PASSWORD.encode())
1403 def getpass_badpass():
1404 return "badpass"
1405 def getpass_huge():
1406 return b'a' * (1024 * 1024)
1407 def getpass_bad_type():
1408 return 9
1409 def getpass_exception():
1410 raise Exception('getpass error')
1411 class GetPassCallable:
1412 def __call__(self):
1413 return KEY_PASSWORD
1414 def getpass(self):
1415 return KEY_PASSWORD
1416 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1417 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1418 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1419 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1420 ctx.load_cert_chain(CERTFILE_PROTECTED,
1421 password=GetPassCallable().getpass)
1422 with self.assertRaises(ssl.SSLError):
1423 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1424 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1425 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1426 with self.assertRaisesRegex(TypeError, "must return a string"):
1427 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1428 with self.assertRaisesRegex(Exception, "getpass error"):
1429 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1430 # Make sure the password function isn't called if it isn't needed
1431 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1432
1433 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1434 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1435 ctx.load_verify_locations(CERTFILE)
1436 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1437 ctx.load_verify_locations(BYTES_CERTFILE)
1438 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1439 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1440 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1441 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1442 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1443 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1444 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1445 ctx.load_verify_locations(BADCERT)
1446 ctx.load_verify_locations(CERTFILE, CAPATH)
1447 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1448
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1449 # Issue #10989: crash if the second argument type is invalid
1450 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1451
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1452 def test_load_verify_cadata(self):
1453 # test cadata
1454 with open(CAFILE_CACERT) as f:
1455 cacert_pem = f.read()
1456 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1457 with open(CAFILE_NEURONIO) as f:
1458 neuronio_pem = f.read()
1459 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1460
1461 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1462 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1463 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1464 ctx.load_verify_locations(cadata=cacert_pem)
1465 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1466 ctx.load_verify_locations(cadata=neuronio_pem)
1467 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1468 # cert already in hash table
1469 ctx.load_verify_locations(cadata=neuronio_pem)
1470 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1471
1472 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1473 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1474 combined = "\n".join((cacert_pem, neuronio_pem))
1475 ctx.load_verify_locations(cadata=combined)
1476 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1477
1478 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1479 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1480 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1481 neuronio_pem, "tail"]
1482 ctx.load_verify_locations(cadata="\n".join(combined))
1483 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1484
1485 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1486 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1487 ctx.load_verify_locations(cadata=cacert_der)
1488 ctx.load_verify_locations(cadata=neuronio_der)
1489 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1490 # cert already in hash table
1491 ctx.load_verify_locations(cadata=cacert_der)
1492 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1493
1494 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1495 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1496 combined = b"".join((cacert_der, neuronio_der))
1497 ctx.load_verify_locations(cadata=combined)
1498 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1499
1500 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1501 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1502 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1503
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1504 with self.assertRaisesRegex(
1505 ssl.SSLError,
1506 "no start line: cadata does not contain a certificate"
1507 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1508 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1509 with self.assertRaisesRegex(
1510 ssl.SSLError,
1511 "not enough data: cadata does not contain a certificate"
1512 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1513 ctx.load_verify_locations(cadata=b"broken")
1514
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1515 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1516 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1517 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1518 ctx.load_dh_params(DHFILE)
1519 if os.name != 'nt':
1520 ctx.load_dh_params(BYTES_DHFILE)
1521 self.assertRaises(TypeError, ctx.load_dh_params)
1522 self.assertRaises(TypeError, ctx.load_dh_params, None)
1523 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1524 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1525 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1526 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1527 ctx.load_dh_params(CERTFILE)
1528
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1529 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1530 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1531 ctx = ssl.SSLContext(proto)
1532 self.assertEqual(ctx.session_stats(), {
1533 'number': 0,
1534 'connect': 0,
1535 'connect_good': 0,
1536 'connect_renegotiate': 0,
1537 'accept': 0,
1538 'accept_good': 0,
1539 'accept_renegotiate': 0,
1540 'hits': 0,
1541 'misses': 0,
1542 'timeouts': 0,
1543 'cache_full': 0,
1544 })
1545
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1546 def test_set_default_verify_paths(self):
1547 # There's not much we can do to test that it acts as expected,
1548 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1549 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1550 ctx.set_default_verify_paths()
1551
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1552 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1553 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1554 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1555 ctx.set_ecdh_curve("prime256v1")
1556 ctx.set_ecdh_curve(b"prime256v1")
1557 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1558 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1559 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1560 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1561
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1562 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1563 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1564
1565 # set_servername_callback expects a callable, or None
1566 self.assertRaises(TypeError, ctx.set_servername_callback)
1567 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1568 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1569 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1570
1571 def dummycallback(sock, servername, ctx):
1572 pass
1573 ctx.set_servername_callback(None)
1574 ctx.set_servername_callback(dummycallback)
1575
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1576 def test_sni_callback_refcycle(self):
1577 # Reference cycles through the servername callback are detected
1578 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1579 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1580 def dummycallback(sock, servername, ctx, cycle=ctx):
1581 pass
1582 ctx.set_servername_callback(dummycallback)
1583 wr = weakref.ref(ctx)
1584 del ctx, dummycallback
1585 gc.collect()
1586 self.assertIs(wr(), None)
1587
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1588 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1589 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1590 self.assertEqual(ctx.cert_store_stats(),
1591 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1592 ctx.load_cert_chain(CERTFILE)
1593 self.assertEqual(ctx.cert_store_stats(),
1594 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1595 ctx.load_verify_locations(CERTFILE)
1596 self.assertEqual(ctx.cert_store_stats(),
1597 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1598 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1599 self.assertEqual(ctx.cert_store_stats(),
1600 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1601
1602 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1603 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1604 self.assertEqual(ctx.get_ca_certs(), [])
1605 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1606 ctx.load_verify_locations(CERTFILE)
1607 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1608 # but CAFILE_CACERT is a CA cert
1609 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1610 self.assertEqual(ctx.get_ca_certs(),
1611 [{'issuer': ((('organizationName', 'Root CA'),),
1612 (('organizationalUnitName', 'http://www.cacert.org'),),
1613 (('commonName', 'CA Cert Signing Authority'),),
1614 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1615 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1616 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1617 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1618 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1619 'subject': ((('organizationName', 'Root CA'),),
1620 (('organizationalUnitName', 'http://www.cacert.org'),),
1621 (('commonName', 'CA Cert Signing Authority'),),
1622 (('emailAddress', 'support@cacert.org'),)),
1623 'version': 3}])
1624
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1625 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1626 pem = f.read()
1627 der = ssl.PEM_cert_to_DER_cert(pem)
1628 self.assertEqual(ctx.get_ca_certs(True), [der])
1629
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1630 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1631 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1632 ctx.load_default_certs()
1633
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1634 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1635 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1636 ctx.load_default_certs()
1637
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1638 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1639 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1640
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1641 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1642 self.assertRaises(TypeError, ctx.load_default_certs, None)
1643 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1644
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1645 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1646 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1647 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1648 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1649 env["SSL_CERT_DIR"] = CAPATH
1650 env["SSL_CERT_FILE"] = CERTFILE
1651 ctx.load_default_certs()
1652 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1653
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1654 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1655 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1656 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1657 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1658 ctx.load_default_certs()
1659 stats = ctx.cert_store_stats()
1660
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1661 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1662 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1663 env["SSL_CERT_DIR"] = CAPATH
1664 env["SSL_CERT_FILE"] = CERTFILE
1665 ctx.load_default_certs()
1666 stats["x509"] += 1
1667 self.assertEqual(ctx.cert_store_stats(), stats)
1668
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1669 def _assert_context_options(self, ctx):
1670 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1671 if OP_NO_COMPRESSION != 0:
1672 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1673 OP_NO_COMPRESSION)
1674 if OP_SINGLE_DH_USE != 0:
1675 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1676 OP_SINGLE_DH_USE)
1677 if OP_SINGLE_ECDH_USE != 0:
1678 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1679 OP_SINGLE_ECDH_USE)
1680 if OP_CIPHER_SERVER_PREFERENCE != 0:
1681 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1682 OP_CIPHER_SERVER_PREFERENCE)
1683
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1684 def test_create_default_context(self):
1685 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1686
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1687 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1688 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1689 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1690 self._assert_context_options(ctx)
1691
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1692 with open(SIGNING_CA) as f:
1693 cadata = f.read()
1694 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1695 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1696 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1697 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1698 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1699
1700 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1701 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1702 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1703 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1704
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1705
1706
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1707 def test__create_stdlib_context(self):
1708 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1709 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1710 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1711 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1712 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1713
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1714 with warnings_helper.check_warnings():
1715 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1716 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1717 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1718 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1719
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1720 with warnings_helper.check_warnings():
1721 ctx = ssl._create_stdlib_context(
1722 ssl.PROTOCOL_TLSv1_2,
1723 cert_reqs=ssl.CERT_REQUIRED,
1724 check_hostname=True
1725 )
1726 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1727 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1728 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1729 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1730
1731 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1732 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1733 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1734 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1735
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1736 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1737 with warnings_helper.check_warnings():
1738 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1739 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1740 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1741
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1742 # Auto set CERT_REQUIRED
1743 ctx.check_hostname = True
1744 self.assertTrue(ctx.check_hostname)
1745 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1746 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1747 ctx.verify_mode = ssl.CERT_REQUIRED
1748 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1749 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1750
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1751 # Changing verify_mode does not affect check_hostname
1752 ctx.check_hostname = False
1753 ctx.verify_mode = ssl.CERT_NONE
1754 ctx.check_hostname = False
1755 self.assertFalse(ctx.check_hostname)
1756 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1757 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1758 ctx.check_hostname = True
1759 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1760 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1761
1762 ctx.check_hostname = False
1763 ctx.verify_mode = ssl.CERT_OPTIONAL
1764 ctx.check_hostname = False
1765 self.assertFalse(ctx.check_hostname)
1766 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1767 # keep CERT_OPTIONAL
1768 ctx.check_hostname = True
1769 self.assertTrue(ctx.check_hostname)
1770 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1771
1772 # Cannot set CERT_NONE with check_hostname enabled
1773 with self.assertRaises(ValueError):
1774 ctx.verify_mode = ssl.CERT_NONE
1775 ctx.check_hostname = False
1776 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1777 ctx.verify_mode = ssl.CERT_NONE
1778 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1779
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1780 def test_context_client_server(self):
1781 # PROTOCOL_TLS_CLIENT has sane defaults
1782 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1783 self.assertTrue(ctx.check_hostname)
1784 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1785
1786 # PROTOCOL_TLS_SERVER has different but also sane defaults
1787 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1788 self.assertFalse(ctx.check_hostname)
1789 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1790
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1791 def test_context_custom_class(self):
1792 class MySSLSocket(ssl.SSLSocket):
1793 pass
1794
1795 class MySSLObject(ssl.SSLObject):
1796 pass
1797
1798 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1799 ctx.sslsocket_class = MySSLSocket
1800 ctx.sslobject_class = MySSLObject
1801
1802 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1803 self.assertIsInstance(sock, MySSLSocket)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]1804 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_side=True)
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1805 self.assertIsInstance(obj, MySSLObject)
1806
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1807 def test_num_tickest(self):
1808 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1809 self.assertEqual(ctx.num_tickets, 2)
1810 ctx.num_tickets = 1
1811 self.assertEqual(ctx.num_tickets, 1)
1812 ctx.num_tickets = 0
1813 self.assertEqual(ctx.num_tickets, 0)
1814 with self.assertRaises(ValueError):
1815 ctx.num_tickets = -1
1816 with self.assertRaises(TypeError):
1817 ctx.num_tickets = None
1818
1819 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1820 self.assertEqual(ctx.num_tickets, 2)
1821 with self.assertRaises(ValueError):
1822 ctx.num_tickets = 1
1823
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1824
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1825class SSLErrorTests(unittest.TestCase):
1826
1827 def test_str(self):
1828 # The str() of a SSLError doesn't include the errno
1829 e = ssl.SSLError(1, "foo")
1830 self.assertEqual(str(e), "foo")
1831 self.assertEqual(e.errno, 1)
1832 # Same for a subclass
1833 e = ssl.SSLZeroReturnError(1, "foo")
1834 self.assertEqual(str(e), "foo")
1835 self.assertEqual(e.errno, 1)
1836
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1837 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1838 def test_lib_reason(self):
1839 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1840 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1841 with self.assertRaises(ssl.SSLError) as cm:
1842 ctx.load_dh_params(CERTFILE)
1843 self.assertEqual(cm.exception.library, 'PEM')
1844 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1845 s = str(cm.exception)
1846 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1847
1848 def test_subclass(self):
1849 # Check that the appropriate SSLError subclass is raised
1850 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1851 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1852 ctx.check_hostname = False
1853 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1854 with socket.create_server(("127.0.0.1", 0)) as s:
1855 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1856 c.setblocking(False)
1857 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1858 with self.assertRaises(ssl.SSLWantReadError) as cm:
1859 c.do_handshake()
1860 s = str(cm.exception)
1861 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1862 # For compatibility
1863 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1864
1865
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1866 def test_bad_server_hostname(self):
1867 ctx = ssl.create_default_context()
1868 with self.assertRaises(ValueError):
1869 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1870 server_hostname="")
1871 with self.assertRaises(ValueError):
1872 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1873 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1874 with self.assertRaises(TypeError):
1875 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1876 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1877
1878
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1879class MemoryBIOTests(unittest.TestCase):
1880
1881 def test_read_write(self):
1882 bio = ssl.MemoryBIO()
1883 bio.write(b'foo')
1884 self.assertEqual(bio.read(), b'foo')
1885 self.assertEqual(bio.read(), b'')
1886 bio.write(b'foo')
1887 bio.write(b'bar')
1888 self.assertEqual(bio.read(), b'foobar')
1889 self.assertEqual(bio.read(), b'')
1890 bio.write(b'baz')
1891 self.assertEqual(bio.read(2), b'ba')
1892 self.assertEqual(bio.read(1), b'z')
1893 self.assertEqual(bio.read(1), b'')
1894
1895 def test_eof(self):
1896 bio = ssl.MemoryBIO()
1897 self.assertFalse(bio.eof)
1898 self.assertEqual(bio.read(), b'')
1899 self.assertFalse(bio.eof)
1900 bio.write(b'foo')
1901 self.assertFalse(bio.eof)
1902 bio.write_eof()
1903 self.assertFalse(bio.eof)
1904 self.assertEqual(bio.read(2), b'fo')
1905 self.assertFalse(bio.eof)
1906 self.assertEqual(bio.read(1), b'o')
1907 self.assertTrue(bio.eof)
1908 self.assertEqual(bio.read(), b'')
1909 self.assertTrue(bio.eof)
1910
1911 def test_pending(self):
1912 bio = ssl.MemoryBIO()
1913 self.assertEqual(bio.pending, 0)
1914 bio.write(b'foo')
1915 self.assertEqual(bio.pending, 3)
1916 for i in range(3):
1917 bio.read(1)
1918 self.assertEqual(bio.pending, 3-i-1)
1919 for i in range(3):
1920 bio.write(b'x')
1921 self.assertEqual(bio.pending, i+1)
1922 bio.read()
1923 self.assertEqual(bio.pending, 0)
1924
1925 def test_buffer_types(self):
1926 bio = ssl.MemoryBIO()
1927 bio.write(b'foo')
1928 self.assertEqual(bio.read(), b'foo')
1929 bio.write(bytearray(b'bar'))
1930 self.assertEqual(bio.read(), b'bar')
1931 bio.write(memoryview(b'baz'))
1932 self.assertEqual(bio.read(), b'baz')
1933
1934 def test_error_types(self):
1935 bio = ssl.MemoryBIO()
1936 self.assertRaises(TypeError, bio.write, 'foo')
1937 self.assertRaises(TypeError, bio.write, None)
1938 self.assertRaises(TypeError, bio.write, True)
1939 self.assertRaises(TypeError, bio.write, 1)
1940
1941
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1942class SSLObjectTests(unittest.TestCase):
1943 def test_private_init(self):
1944 bio = ssl.MemoryBIO()
1945 with self.assertRaisesRegex(TypeError, "public constructor"):
1946 ssl.SSLObject(bio, bio)
1947
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1948 def test_unwrap(self):
1949 client_ctx, server_ctx, hostname = testing_context()
1950 c_in = ssl.MemoryBIO()
1951 c_out = ssl.MemoryBIO()
1952 s_in = ssl.MemoryBIO()
1953 s_out = ssl.MemoryBIO()
1954 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1955 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1956
1957 # Loop on the handshake for a bit to get it settled
1958 for _ in range(5):
1959 try:
1960 client.do_handshake()
1961 except ssl.SSLWantReadError:
1962 pass
1963 if c_out.pending:
1964 s_in.write(c_out.read())
1965 try:
1966 server.do_handshake()
1967 except ssl.SSLWantReadError:
1968 pass
1969 if s_out.pending:
1970 c_in.write(s_out.read())
1971 # Now the handshakes should be complete (don't raise WantReadError)
1972 client.do_handshake()
1973 server.do_handshake()
1974
1975 # Now if we unwrap one side unilaterally, it should send close-notify
1976 # and raise WantReadError:
1977 with self.assertRaises(ssl.SSLWantReadError):
1978 client.unwrap()
1979
1980 # But server.unwrap() does not raise, because it reads the client's
1981 # close-notify:
1982 s_in.write(c_out.read())
1983 server.unwrap()
1984
1985 # And now that the client gets the server's close-notify, it doesn't
1986 # raise either.
1987 c_in.write(s_out.read())
1988 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1989
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1990class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1991 """Tests that connect to a simple server running in the background"""
1992
1993 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1994 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1995 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1996 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1997 self.server_addr = (HOST, server.port)
1998 server.__enter__()
1999 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2000
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2001 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2002 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2003 cert_reqs=ssl.CERT_NONE) as s:
2004 s.connect(self.server_addr)
2005 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]2006 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]2007
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2008 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2009 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2010 cert_reqs=ssl.CERT_REQUIRED,
2011 ca_certs=SIGNING_CA) as s:
2012 s.connect(self.server_addr)
2013 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]2014 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2015
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2016 def test_connect_fail(self):
2017 # This should fail because we have no verification certs. Connection
2018 # failure crashes ThreadedEchoServer, so run this in an independent
2019 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2020 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2021 cert_reqs=ssl.CERT_REQUIRED)
2022 self.addCleanup(s.close)
2023 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2024 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2025
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2026 def test_connect_ex(self):
2027 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2028 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2029 cert_reqs=ssl.CERT_REQUIRED,
2030 ca_certs=SIGNING_CA)
2031 self.addCleanup(s.close)
2032 self.assertEqual(0, s.connect_ex(self.server_addr))
2033 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2034
2035 def test_non_blocking_connect_ex(self):
2036 # Issue #11326: non-blocking connect_ex() should allow handshake
2037 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2038 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2039 cert_reqs=ssl.CERT_REQUIRED,
2040 ca_certs=SIGNING_CA,
2041 do_handshake_on_connect=False)
2042 self.addCleanup(s.close)
2043 s.setblocking(False)
2044 rc = s.connect_ex(self.server_addr)
2045 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
2046 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
2047 # Wait for connect to finish
2048 select.select([], [s], [], 5.0)
2049 # Non-blocking handshake
2050 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2051 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2052 s.do_handshake()
2053 break
2054 except ssl.SSLWantReadError:
2055 select.select([s], [], [], 5.0)
2056 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2057 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2058 # SSL established
2059 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]2060
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2061 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2062 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2063 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2064 ctx.check_hostname = False
2065 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2066 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2067 s.connect(self.server_addr)
2068 self.assertEqual({}, s.getpeercert())
2069 # Same with a server hostname
2070 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2071 server_hostname="dummy") as s:
2072 s.connect(self.server_addr)
2073 ctx.verify_mode = ssl.CERT_REQUIRED
2074 # This should succeed because we specify the root cert
2075 ctx.load_verify_locations(SIGNING_CA)
2076 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2077 s.connect(self.server_addr)
2078 cert = s.getpeercert()
2079 self.assertTrue(cert)
2080
2081 def test_connect_with_context_fail(self):
2082 # This should fail because we have no verification certs. Connection
2083 # failure crashes ThreadedEchoServer, so run this in an independent
2084 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2085 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2086 s = ctx.wrap_socket(
2087 socket.socket(socket.AF_INET),
2088 server_hostname=SIGNED_CERTFILE_HOSTNAME
2089 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2090 self.addCleanup(s.close)
2091 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2092 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2093
2094 def test_connect_capath(self):
2095 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2096 # NOTE: the subject hashing algorithm has been changed between
2097 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2098 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2099 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2100 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2101 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2102 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2103 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2104 s.connect(self.server_addr)
2105 cert = s.getpeercert()
2106 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2107
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2108 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2109 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2110 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2111 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2112 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2113 s.connect(self.server_addr)
2114 cert = s.getpeercert()
2115 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2116
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2117 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2118 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2119 pem = f.read()
2120 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2121 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2122 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2123 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2124 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2125 s.connect(self.server_addr)
2126 cert = s.getpeercert()
2127 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2128
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2129 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2130 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2131 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2132 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2133 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2134 s.connect(self.server_addr)
2135 cert = s.getpeercert()
2136 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2137
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2138 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2139 def test_makefile_close(self):
2140 # Issue #5238: creating a file-like object with makefile() shouldn't
2141 # delay closing the underlying "real socket" (here tested with its
2142 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2143 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2144 ss.connect(self.server_addr)
2145 fd = ss.fileno()
2146 f = ss.makefile()
2147 f.close()
2148 # The fd is still open
2149 os.read(fd, 0)
2150 # Closing the SSL socket should close the fd too
2151 ss.close()
2152 gc.collect()
2153 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2154 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2155 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2156
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2157 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2158 s = socket.socket(socket.AF_INET)
2159 s.connect(self.server_addr)
2160 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2161 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2162 cert_reqs=ssl.CERT_NONE,
2163 do_handshake_on_connect=False)
2164 self.addCleanup(s.close)
2165 count = 0
2166 while True:
2167 try:
2168 count += 1
2169 s.do_handshake()
2170 break
2171 except ssl.SSLWantReadError:
2172 select.select([s], [], [])
2173 except ssl.SSLWantWriteError:
2174 select.select([], [s], [])
2175 if support.verbose:
2176 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2177
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2178 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2179 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2180
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2181 def test_get_server_certificate_sni(self):
2182 host, port = self.server_addr
2183 server_names = []
2184
2185 # We store servername_cb arguments to make sure they match the host
2186 def servername_cb(ssl_sock, server_name, initial_context):
2187 server_names.append(server_name)
2188 self.server_context.set_servername_callback(servername_cb)
2189
2190 pem = ssl.get_server_certificate((host, port))
2191 if not pem:
2192 self.fail("No server certificate on %s:%s!" % (host, port))
2193
2194 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2195 if not pem:
2196 self.fail("No server certificate on %s:%s!" % (host, port))
2197 if support.verbose:
2198 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2199
2200 self.assertEqual(server_names, [host, host])
2201
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2202 def test_get_server_certificate_fail(self):
2203 # Connection failure crashes ThreadedEchoServer, so run this in an
2204 # independent test method
2205 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2206
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2207 def test_get_server_certificate_timeout(self):
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2208 def servername_cb(ssl_sock, server_name, initial_context):
2209 time.sleep(0.2)
2210 self.server_context.set_servername_callback(servername_cb)
2211
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2212 with self.assertRaises(socket.timeout):
2213 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2214 timeout=0.1)
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2215
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2216 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2217 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2218 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2219 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2220 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2221 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2222 s.connect(self.server_addr)
2223 # Error checking can happen at instantiation or when connecting
2224 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2225 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2226 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2227 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2228 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2229
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2230 def test_get_ca_certs_capath(self):
2231 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2232 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2233 ctx.load_verify_locations(capath=CAPATH)
2234 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2235 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2236 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2237 s.connect(self.server_addr)
2238 cert = s.getpeercert()
2239 self.assertTrue(cert)
2240 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2241
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2242 def test_context_setget(self):
2243 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2244 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2245 ctx1.load_verify_locations(capath=CAPATH)
2246 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2247 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2248 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2249 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2250 ss.connect(self.server_addr)
2251 self.assertIs(ss.context, ctx1)
2252 self.assertIs(ss._sslobj.context, ctx1)
2253 ss.context = ctx2
2254 self.assertIs(ss.context, ctx2)
2255 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2256
2257 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2258 # A simple IO loop. Call func(*args) depending on the error we get
2259 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2260 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2261 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2262 count = 0
2263 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2264 if time.monotonic() > deadline:
2265 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2266 errno = None
2267 count += 1
2268 try:
2269 ret = func(*args)
2270 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2271 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2272 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2273 raise
2274 errno = e.errno
2275 # Get any data from the outgoing BIO irrespective of any error, and
2276 # send it to the socket.
2277 buf = outgoing.read()
2278 sock.sendall(buf)
2279 # If there's no error, we're done. For WANT_READ, we need to get
2280 # data from the socket and put it in the incoming BIO.
2281 if errno is None:
2282 break
2283 elif errno == ssl.SSL_ERROR_WANT_READ:
2284 buf = sock.recv(32768)
2285 if buf:
2286 incoming.write(buf)
2287 else:
2288 incoming.write_eof()
2289 if support.verbose:
2290 sys.stdout.write("Needed %d calls to complete %s().\n"
2291 % (count, func.__name__))
2292 return ret
2293
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2294 def test_bio_handshake(self):
2295 sock = socket.socket(socket.AF_INET)
2296 self.addCleanup(sock.close)
2297 sock.connect(self.server_addr)
2298 incoming = ssl.MemoryBIO()
2299 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2300 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2301 self.assertTrue(ctx.check_hostname)
2302 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2303 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2304 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2305 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2306 self.assertIs(sslobj._sslobj.owner, sslobj)
2307 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2308 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2309 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2310 self.assertRaises(ValueError, sslobj.getpeercert)
2311 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2312 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2313 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2314 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2315 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2316 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2317 self.assertTrue(sslobj.getpeercert())
2318 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2319 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2320 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2321 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2322 except ssl.SSLSyscallError:
2323 # If the server shuts down the TCP connection without sending a
2324 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2325 pass
2326 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2327
2328 def test_bio_read_write_data(self):
2329 sock = socket.socket(socket.AF_INET)
2330 self.addCleanup(sock.close)
2331 sock.connect(self.server_addr)
2332 incoming = ssl.MemoryBIO()
2333 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2334 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2335 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2336 ctx.verify_mode = ssl.CERT_NONE
2337 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2338 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2339 req = b'FOO\n'
2340 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2341 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2342 self.assertEqual(buf, b'foo\n')
2343 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2344
2345
Serhiy Storchakabedce352021-09-19 22:36:03 +0300[diff] [blame]2346@support.requires_resource('network')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2347class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2348
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2349 def test_timeout_connect_ex(self):
2350 # Issue #12065: on a timeout, connect_ex() should return the original
2351 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2352 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2353 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2354 cert_reqs=ssl.CERT_REQUIRED,
2355 do_handshake_on_connect=False)
2356 self.addCleanup(s.close)
2357 s.settimeout(0.0000001)
2358 rc = s.connect_ex((REMOTE_HOST, 443))
2359 if rc == 0:
2360 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2361 elif rc == errno.ENETUNREACH:
2362 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2363 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2364
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2365 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2366 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2367 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2368 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2369 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2370
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2371
2372def _test_get_server_certificate(test, host, port, cert=None):
2373 pem = ssl.get_server_certificate((host, port))
2374 if not pem:
2375 test.fail("No server certificate on %s:%s!" % (host, port))
2376
2377 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2378 if not pem:
2379 test.fail("No server certificate on %s:%s!" % (host, port))
2380 if support.verbose:
2381 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2382
2383def _test_get_server_certificate_fail(test, host, port):
2384 try:
2385 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2386 except ssl.SSLError as x:
2387 #should fail
2388 if support.verbose:
2389 sys.stdout.write("%s\n" % x)
2390 else:
2391 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2392
2393
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2394from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2395
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2396class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2397
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2398 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2399
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2400 """A mildly complicated class, because we want it to work both
2401 with and without the SSL wrapper around the socket connection, so
2402 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2403
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2404 def __init__(self, server, connsock, addr):
2405 self.server = server
2406 self.running = False
2407 self.sock = connsock
2408 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2409 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2410 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2411 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2412 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2413
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2414 def wrap_conn(self):
2415 try:
2416 self.sslconn = self.server.context.wrap_socket(
2417 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2418 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2419 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2420 # We treat ConnectionResetError as though it were an
2421 # SSLError - OpenSSL on Ubuntu abruptly closes the
2422 # connection when asked to use an unsupported protocol.
2423 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2424 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2425 # tries to send session tickets after handshake.
2426 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2427 #
2428 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2429 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2430 self.server.conn_errors.append(str(e))
2431 if self.server.chatty:
2432 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2433 self.running = False
2434 self.close()
2435 return False
2436 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2437 # OSError may occur with wrong protocols, e.g. both
2438 # sides use PROTOCOL_TLS_SERVER.
2439 #
2440 # XXX Various errors can have happened here, for example
2441 # a mismatching protocol version, an invalid certificate,
2442 # or a low-level bug. This should be made more discriminating.
2443 #
2444 # bpo-31323: Store the exception as string to prevent
2445 # a reference leak: server -> conn_errors -> exception
2446 # -> traceback -> self (ConnectionHandler) -> server
2447 self.server.conn_errors.append(str(e))
2448 if self.server.chatty:
2449 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
Miss Islington (bot)b3fac2922021-06-24 05:27:35 -0700[diff] [blame]2450
2451 # bpo-44229, bpo-43855, bpo-44237, and bpo-33450:
2452 # Ignore spurious EPROTOTYPE returned by write() on macOS.
2453 # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/
2454 if e.errno != errno.EPROTOTYPE and sys.platform != "darwin":
2455 self.running = False
2456 self.server.stop()
2457 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2458 return False
2459 else:
2460 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2461 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2462 cert = self.sslconn.getpeercert()
2463 if support.verbose and self.server.chatty:
2464 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2465 cert_binary = self.sslconn.getpeercert(True)
2466 if support.verbose and self.server.chatty:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2467 if cert_binary is None:
2468 sys.stdout.write(" client did not provide a cert\n")
2469 else:
2470 sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2471 cipher = self.sslconn.cipher()
2472 if support.verbose and self.server.chatty:
2473 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2474 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2475
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2476 def read(self):
2477 if self.sslconn:
2478 return self.sslconn.read()
2479 else:
2480 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2481
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2482 def write(self, bytes):
2483 if self.sslconn:
2484 return self.sslconn.write(bytes)
2485 else:
2486 return self.sock.send(bytes)
2487
2488 def close(self):
2489 if self.sslconn:
2490 self.sslconn.close()
2491 else:
2492 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2493
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2494 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2495 self.running = True
2496 if not self.server.starttls_server:
2497 if not self.wrap_conn():
2498 return
2499 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2500 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2501 msg = self.read()
2502 stripped = msg.strip()
2503 if not stripped:
2504 # eof, so quit this handler
2505 self.running = False
2506 try:
2507 self.sock = self.sslconn.unwrap()
2508 except OSError:
2509 # Many tests shut the TCP connection down
2510 # without an SSL shutdown. This causes
2511 # unwrap() to raise OSError with errno=0!
2512 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2513 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2514 self.sslconn = None
2515 self.close()
2516 elif stripped == b'over':
2517 if support.verbose and self.server.connectionchatty:
2518 sys.stdout.write(" server: client closed connection\n")
2519 self.close()
2520 return
2521 elif (self.server.starttls_server and
2522 stripped == b'STARTTLS'):
2523 if support.verbose and self.server.connectionchatty:
2524 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2525 self.write(b"OK\n")
2526 if not self.wrap_conn():
2527 return
2528 elif (self.server.starttls_server and self.sslconn
2529 and stripped == b'ENDTLS'):
2530 if support.verbose and self.server.connectionchatty:
2531 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2532 self.write(b"OK\n")
2533 self.sock = self.sslconn.unwrap()
2534 self.sslconn = None
2535 if support.verbose and self.server.connectionchatty:
2536 sys.stdout.write(" server: connection is now unencrypted...\n")
2537 elif stripped == b'CB tls-unique':
2538 if support.verbose and self.server.connectionchatty:
2539 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2540 data = self.sslconn.get_channel_binding("tls-unique")
2541 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2542 elif stripped == b'PHA':
2543 if support.verbose and self.server.connectionchatty:
2544 sys.stdout.write(" server: initiating post handshake auth\n")
2545 try:
2546 self.sslconn.verify_client_post_handshake()
2547 except ssl.SSLError as e:
2548 self.write(repr(e).encode("us-ascii") + b"\n")
2549 else:
2550 self.write(b"OK\n")
2551 elif stripped == b'HASCERT':
2552 if self.sslconn.getpeercert() is not None:
2553 self.write(b'TRUE\n')
2554 else:
2555 self.write(b'FALSE\n')
2556 elif stripped == b'GETCERT':
2557 cert = self.sslconn.getpeercert()
2558 self.write(repr(cert).encode("us-ascii") + b"\n")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]2559 elif stripped == b'VERIFIEDCHAIN':
2560 certs = self.sslconn._sslobj.get_verified_chain()
2561 self.write(len(certs).to_bytes(1, "big") + b"\n")
2562 elif stripped == b'UNVERIFIEDCHAIN':
2563 certs = self.sslconn._sslobj.get_unverified_chain()
2564 self.write(len(certs).to_bytes(1, "big") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2565 else:
2566 if (support.verbose and
2567 self.server.connectionchatty):
2568 ctype = (self.sslconn and "encrypted") or "unencrypted"
2569 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2570 % (msg, ctype, msg.lower(), ctype))
2571 self.write(msg.lower())
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2572 except OSError as e:
2573 # handles SSLError and socket errors
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2574 if self.server.chatty and support.verbose:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2575 if isinstance(e, ConnectionError):
2576 # OpenSSL 1.1.1 sometimes raises
2577 # ConnectionResetError when connection is not
2578 # shut down gracefully.
2579 print(
2580 f" Connection reset by peer: {self.addr}"
2581 )
2582 else:
2583 handle_error("Test server failure:\n")
2584 try:
2585 self.write(b"ERROR\n")
2586 except OSError:
2587 pass
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2588 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2589 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2590
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2591 # normally, we'd just stop here, but for the test
2592 # harness, we want to stop the server
2593 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2594
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2595 def __init__(self, certificate=None, ssl_version=None,
2596 certreqs=None, cacerts=None,
2597 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2598 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2599 ciphers=None, context=None):
2600 if context:
2601 self.context = context
2602 else:
2603 self.context = ssl.SSLContext(ssl_version
2604 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2605 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2606 self.context.verify_mode = (certreqs if certreqs is not None
2607 else ssl.CERT_NONE)
2608 if cacerts:
2609 self.context.load_verify_locations(cacerts)
2610 if certificate:
2611 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2612 if alpn_protocols:
2613 self.context.set_alpn_protocols(alpn_protocols)
2614 if ciphers:
2615 self.context.set_ciphers(ciphers)
2616 self.chatty = chatty
2617 self.connectionchatty = connectionchatty
2618 self.starttls_server = starttls_server
2619 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2620 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2621 self.flag = None
2622 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2623 self.selected_alpn_protocols = []
2624 self.shared_ciphers = []
2625 self.conn_errors = []
2626 threading.Thread.__init__(self)
2627 self.daemon = True
2628
2629 def __enter__(self):
2630 self.start(threading.Event())
2631 self.flag.wait()
2632 return self
2633
2634 def __exit__(self, *args):
2635 self.stop()
2636 self.join()
2637
2638 def start(self, flag=None):
2639 self.flag = flag
2640 threading.Thread.start(self)
2641
2642 def run(self):
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2643 self.sock.settimeout(1.0)
2644 self.sock.listen(5)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2645 self.active = True
2646 if self.flag:
2647 # signal an event
2648 self.flag.set()
2649 while self.active:
2650 try:
2651 newconn, connaddr = self.sock.accept()
2652 if support.verbose and self.chatty:
2653 sys.stdout.write(' server: new connection from '
2654 + repr(connaddr) + '\n')
2655 handler = self.ConnectionHandler(self, newconn, connaddr)
2656 handler.start()
2657 handler.join()
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2658 except TimeoutError as e:
2659 if support.verbose:
2660 sys.stdout.write(f' connection timeout {e!r}\n')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2661 except KeyboardInterrupt:
2662 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2663 except BaseException as e:
2664 if support.verbose and self.chatty:
2665 sys.stdout.write(
2666 ' connection handling failed: ' + repr(e) + '\n')
2667
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2668 self.close()
2669
2670 def close(self):
2671 if self.sock is not None:
2672 self.sock.close()
2673 self.sock = None
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2674
2675 def stop(self):
2676 self.active = False
2677
2678class AsyncoreEchoServer(threading.Thread):
2679
2680 # this one's based on asyncore.dispatcher
2681
2682 class EchoServer (asyncore.dispatcher):
2683
2684 class ConnectionHandler(asyncore.dispatcher_with_send):
2685
2686 def __init__(self, conn, certfile):
2687 self.socket = test_wrap_socket(conn, server_side=True,
2688 certfile=certfile,
2689 do_handshake_on_connect=False)
2690 asyncore.dispatcher_with_send.__init__(self, self.socket)
2691 self._ssl_accepting = True
2692 self._do_ssl_handshake()
2693
2694 def readable(self):
2695 if isinstance(self.socket, ssl.SSLSocket):
2696 while self.socket.pending() > 0:
2697 self.handle_read_event()
2698 return True
2699
2700 def _do_ssl_handshake(self):
2701 try:
2702 self.socket.do_handshake()
2703 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2704 return
2705 except ssl.SSLEOFError:
2706 return self.handle_close()
2707 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2708 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2709 except OSError as err:
2710 if err.args[0] == errno.ECONNABORTED:
2711 return self.handle_close()
2712 else:
2713 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2714
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2715 def handle_read(self):
2716 if self._ssl_accepting:
2717 self._do_ssl_handshake()
2718 else:
2719 data = self.recv(1024)
2720 if support.verbose:
2721 sys.stdout.write(" server: read %s from client\n" % repr(data))
2722 if not data:
2723 self.close()
2724 else:
2725 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2726
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2727 def handle_close(self):
2728 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2729 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2730 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2731
2732 def handle_error(self):
2733 raise
2734
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2735 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2736 self.certfile = certfile
2737 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2738 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2739 asyncore.dispatcher.__init__(self, sock)
2740 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2741
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2742 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2743 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2744 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2745 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2746
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2747 def handle_error(self):
2748 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2749
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2750 def __init__(self, certfile):
2751 self.flag = None
2752 self.active = False
2753 self.server = self.EchoServer(certfile)
2754 self.port = self.server.port
2755 threading.Thread.__init__(self)
2756 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2757
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2758 def __str__(self):
2759 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2760
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2761 def __enter__(self):
2762 self.start(threading.Event())
2763 self.flag.wait()
2764 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2765
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2766 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2767 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2768 sys.stdout.write(" cleanup: stopping server.\n")
2769 self.stop()
2770 if support.verbose:
2771 sys.stdout.write(" cleanup: joining server thread.\n")
2772 self.join()
2773 if support.verbose:
2774 sys.stdout.write(" cleanup: successfully joined.\n")
2775 # make sure that ConnectionHandler is removed from socket_map
2776 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2777
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2778 def start (self, flag=None):
2779 self.flag = flag
2780 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2781
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2782 def run(self):
2783 self.active = True
2784 if self.flag:
2785 self.flag.set()
2786 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2787 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2788 asyncore.loop(1)
2789 except:
2790 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2791
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2792 def stop(self):
2793 self.active = False
2794 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2795
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2796def server_params_test(client_context, server_context, indata=b"FOO\n",
2797 chatty=True, connectionchatty=False, sni_name=None,
2798 session=None):
2799 """
2800 Launch a server, connect a client to it and try various reads
2801 and writes.
2802 """
2803 stats = {}
2804 server = ThreadedEchoServer(context=server_context,
2805 chatty=chatty,
2806 connectionchatty=False)
2807 with server:
2808 with client_context.wrap_socket(socket.socket(),
2809 server_hostname=sni_name, session=session) as s:
2810 s.connect((HOST, server.port))
2811 for arg in [indata, bytearray(indata), memoryview(indata)]:
2812 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2813 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2814 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2815 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2816 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2817 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2818 if connectionchatty:
2819 if support.verbose:
2820 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2821 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2822 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2823 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2824 % (outdata[:20], len(outdata),
2825 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2826 s.write(b"over\n")
2827 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2828 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2829 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2830 stats.update({
2831 'compression': s.compression(),
2832 'cipher': s.cipher(),
2833 'peercert': s.getpeercert(),
2834 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2835 'version': s.version(),
2836 'session_reused': s.session_reused,
2837 'session': s.session,
2838 })
2839 s.close()
2840 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2841 stats['server_shared_ciphers'] = server.shared_ciphers
2842 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2843
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2844def try_protocol_combo(server_protocol, client_protocol, expect_success,
2845 certsreqs=None, server_options=0, client_options=0):
2846 """
2847 Try to SSL-connect using *client_protocol* to *server_protocol*.
2848 If *expect_success* is true, assert that the connection succeeds,
2849 if it's false, assert that the connection fails.
2850 Also, if *expect_success* is a string, assert that it is the protocol
2851 version actually used by the connection.
2852 """
2853 if certsreqs is None:
2854 certsreqs = ssl.CERT_NONE
2855 certtype = {
2856 ssl.CERT_NONE: "CERT_NONE",
2857 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2858 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2859 }[certsreqs]
2860 if support.verbose:
2861 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2862 sys.stdout.write(formatstr %
2863 (ssl.get_protocol_name(client_protocol),
2864 ssl.get_protocol_name(server_protocol),
2865 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2866
2867 with warnings_helper.check_warnings():
2868 # ignore Deprecation warnings
2869 client_context = ssl.SSLContext(client_protocol)
2870 client_context.options |= client_options
2871 server_context = ssl.SSLContext(server_protocol)
2872 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2873
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2874 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2875 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2876 # SSLContext.minimum_version is only available on recent OpenSSL
2877 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2878 and hasattr(server_context, 'minimum_version')
2879 and server_protocol == ssl.PROTOCOL_TLS
2880 and server_context.minimum_version > min_version
2881 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2882 # If OpenSSL configuration is strict and requires more recent TLS
2883 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2884 with warnings_helper.check_warnings():
2885 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2886
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2887 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2888 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2889 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2890 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2891 client_context.set_ciphers("ALL")
2892
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2893 seclevel_workaround(server_context, client_context)
2894
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2895 for ctx in (client_context, server_context):
2896 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2897 ctx.load_cert_chain(SIGNED_CERTFILE)
2898 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2899 try:
2900 stats = server_params_test(client_context, server_context,
2901 chatty=False, connectionchatty=False)
2902 # Protocol mismatch can result in either an SSLError, or a
2903 # "Connection reset by peer" error.
2904 except ssl.SSLError:
2905 if expect_success:
2906 raise
2907 except OSError as e:
2908 if expect_success or e.errno != errno.ECONNRESET:
2909 raise
2910 else:
2911 if not expect_success:
2912 raise AssertionError(
2913 "Client protocol %s succeeded with server protocol %s!"
2914 % (ssl.get_protocol_name(client_protocol),
2915 ssl.get_protocol_name(server_protocol)))
2916 elif (expect_success is not True
2917 and expect_success != stats['version']):
2918 raise AssertionError("version mismatch: expected %r, got %r"
2919 % (expect_success, stats['version']))
2920
2921
2922class ThreadedTests(unittest.TestCase):
2923
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2924 def test_echo(self):
2925 """Basic test of an SSL client connecting to a server"""
2926 if support.verbose:
2927 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2928
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2929 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2930
2931 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2932 server_params_test(client_context=client_context,
2933 server_context=server_context,
2934 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2935 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2936
2937 client_context.check_hostname = False
2938 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2939 with self.assertRaises(ssl.SSLError) as e:
2940 server_params_test(client_context=server_context,
2941 server_context=client_context,
2942 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2943 sni_name=hostname)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2944 self.assertIn(
2945 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2946 str(e.exception)
2947 )
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2948
2949 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2950 with self.assertRaises(ssl.SSLError) as e:
2951 server_params_test(client_context=server_context,
2952 server_context=server_context,
2953 chatty=True, connectionchatty=True)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2954 self.assertIn(
2955 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2956 str(e.exception)
2957 )
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2958
2959 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2960 with self.assertRaises(ssl.SSLError) as e:
2961 server_params_test(client_context=server_context,
2962 server_context=client_context,
2963 chatty=True, connectionchatty=True)
Miss Islington (bot)d7930fb2021-06-11 00:36:17 -0700[diff] [blame]2964 self.assertIn(
2965 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
2966 str(e.exception))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2967
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2968 def test_getpeercert(self):
2969 if support.verbose:
2970 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2971
2972 client_context, server_context, hostname = testing_context()
2973 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2974 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2975 with client_context.wrap_socket(socket.socket(),
2976 do_handshake_on_connect=False,
2977 server_hostname=hostname) as s:
2978 s.connect((HOST, server.port))
2979 # getpeercert() raise ValueError while the handshake isn't
2980 # done.
2981 with self.assertRaises(ValueError):
2982 s.getpeercert()
2983 s.do_handshake()
2984 cert = s.getpeercert()
2985 self.assertTrue(cert, "Can't get peer certificate.")
2986 cipher = s.cipher()
2987 if support.verbose:
2988 sys.stdout.write(pprint.pformat(cert) + '\n')
2989 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2990 if 'subject' not in cert:
2991 self.fail("No subject field in certificate: %s." %
2992 pprint.pformat(cert))
2993 if ((('organizationName', 'Python Software Foundation'),)
2994 not in cert['subject']):
2995 self.fail(
2996 "Missing or invalid 'organizationName' field in certificate subject; "
2997 "should be 'Python Software Foundation'.")
2998 self.assertIn('notBefore', cert)
2999 self.assertIn('notAfter', cert)
3000 before = ssl.cert_time_to_seconds(cert['notBefore'])
3001 after = ssl.cert_time_to_seconds(cert['notAfter'])
3002 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3003
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3004 def test_crl_check(self):
3005 if support.verbose:
3006 sys.stdout.write("\n")
3007
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3008 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3009
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3010 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3011 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3012
3013 # VERIFY_DEFAULT should pass
3014 server = ThreadedEchoServer(context=server_context, chatty=True)
3015 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3016 with client_context.wrap_socket(socket.socket(),
3017 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]3018 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3019 cert = s.getpeercert()
3020 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3021
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3022 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3023 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3024
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3025 server = ThreadedEchoServer(context=server_context, chatty=True)
3026 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3027 with client_context.wrap_socket(socket.socket(),
3028 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3029 with self.assertRaisesRegex(ssl.SSLError,
3030 "certificate verify failed"):
3031 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3032
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3033 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3034 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]3035
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3036 server = ThreadedEchoServer(context=server_context, chatty=True)
3037 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3038 with client_context.wrap_socket(socket.socket(),
3039 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3040 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3041 cert = s.getpeercert()
3042 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3043
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3044 def test_check_hostname(self):
3045 if support.verbose:
3046 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]3047
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3048 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3049
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3050 # correct hostname should verify
3051 server = ThreadedEchoServer(context=server_context, chatty=True)
3052 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3053 with client_context.wrap_socket(socket.socket(),
3054 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3055 s.connect((HOST, server.port))
3056 cert = s.getpeercert()
3057 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3058
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3059 # incorrect hostname should raise an exception
3060 server = ThreadedEchoServer(context=server_context, chatty=True)
3061 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3062 with client_context.wrap_socket(socket.socket(),
3063 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]3064 with self.assertRaisesRegex(
3065 ssl.CertificateError,
3066 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3067 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3068
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3069 # missing server_hostname arg should cause an exception, too
3070 server = ThreadedEchoServer(context=server_context, chatty=True)
3071 with server:
3072 with socket.socket() as s:
3073 with self.assertRaisesRegex(ValueError,
3074 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3075 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3076
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]3077 @unittest.skipUnless(
3078 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
3079 )
3080 def test_hostname_checks_common_name(self):
3081 client_context, server_context, hostname = testing_context()
3082 assert client_context.hostname_checks_common_name
3083 client_context.hostname_checks_common_name = False
3084
3085 # default cert has a SAN
3086 server = ThreadedEchoServer(context=server_context, chatty=True)
3087 with server:
3088 with client_context.wrap_socket(socket.socket(),
3089 server_hostname=hostname) as s:
3090 s.connect((HOST, server.port))
3091
3092 client_context, server_context, hostname = testing_context(NOSANFILE)
3093 client_context.hostname_checks_common_name = False
3094 server = ThreadedEchoServer(context=server_context, chatty=True)
3095 with server:
3096 with client_context.wrap_socket(socket.socket(),
3097 server_hostname=hostname) as s:
3098 with self.assertRaises(ssl.SSLCertVerificationError):
3099 s.connect((HOST, server.port))
3100
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3101 def test_ecc_cert(self):
3102 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3103 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3104 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3105 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3106
3107 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3108 # load ECC cert
3109 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3110
3111 # correct hostname should verify
3112 server = ThreadedEchoServer(context=server_context, chatty=True)
3113 with server:
3114 with client_context.wrap_socket(socket.socket(),
3115 server_hostname=hostname) as s:
3116 s.connect((HOST, server.port))
3117 cert = s.getpeercert()
3118 self.assertTrue(cert, "Can't get peer certificate.")
3119 cipher = s.cipher()[0].split('-')
3120 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3121
3122 def test_dual_rsa_ecc(self):
3123 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3124 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3125 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3126 # algorithms.
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]3127 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3128 # only ECDSA certs
3129 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3130 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3131
3132 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3133 # load ECC and RSA key/cert pairs
3134 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3135 server_context.load_cert_chain(SIGNED_CERTFILE)
3136
3137 # correct hostname should verify
3138 server = ThreadedEchoServer(context=server_context, chatty=True)
3139 with server:
3140 with client_context.wrap_socket(socket.socket(),
3141 server_hostname=hostname) as s:
3142 s.connect((HOST, server.port))
3143 cert = s.getpeercert()
3144 self.assertTrue(cert, "Can't get peer certificate.")
3145 cipher = s.cipher()[0].split('-')
3146 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3147
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3148 def test_check_hostname_idn(self):
3149 if support.verbose:
3150 sys.stdout.write("\n")
3151
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3152 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3153 server_context.load_cert_chain(IDNSANSFILE)
3154
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3155 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3156 context.verify_mode = ssl.CERT_REQUIRED
3157 context.check_hostname = True
3158 context.load_verify_locations(SIGNING_CA)
3159
3160 # correct hostname should verify, when specified in several
3161 # different ways
3162 idn_hostnames = [
3163 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3164 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3165 ('xn--knig-5qa.idn.pythontest.net',
3166 'xn--knig-5qa.idn.pythontest.net'),
3167 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3168 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3169
3170 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3171 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3172 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3173 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3174 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3175 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3176
3177 # ('königsgäßchen.idna2008.pythontest.net',
3178 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3179 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3180 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3181 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3182 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3183
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3184 ]
3185 for server_hostname, expected_hostname in idn_hostnames:
3186 server = ThreadedEchoServer(context=server_context, chatty=True)
3187 with server:
3188 with context.wrap_socket(socket.socket(),
3189 server_hostname=server_hostname) as s:
3190 self.assertEqual(s.server_hostname, expected_hostname)
3191 s.connect((HOST, server.port))
3192 cert = s.getpeercert()
3193 self.assertEqual(s.server_hostname, expected_hostname)
3194 self.assertTrue(cert, "Can't get peer certificate.")
3195
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3196 # incorrect hostname should raise an exception
3197 server = ThreadedEchoServer(context=server_context, chatty=True)
3198 with server:
3199 with context.wrap_socket(socket.socket(),
3200 server_hostname="python.example.org") as s:
3201 with self.assertRaises(ssl.CertificateError):
3202 s.connect((HOST, server.port))
3203
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3204 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3205 """Connecting when the server rejects the client's certificate
3206
3207 Launch a server with CERT_REQUIRED, and check that trying to
3208 connect to it with a wrong client certificate fails.
3209 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3210 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3211 # load client cert that is not signed by trusted CA
3212 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3213 # require TLS client authentication
3214 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3215 # TLS 1.3 has different handshake
3216 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3217
3218 server = ThreadedEchoServer(
3219 context=server_context, chatty=True, connectionchatty=True,
3220 )
3221
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3222 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3223 client_context.wrap_socket(socket.socket(),
3224 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3225 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3226 # Expect either an SSL error about the server rejecting
3227 # the connection, or a low-level connection reset (which
3228 # sometimes happens on Windows)
3229 s.connect((HOST, server.port))
3230 except ssl.SSLError as e:
3231 if support.verbose:
3232 sys.stdout.write("\nSSLError is %r\n" % e)
3233 except OSError as e:
3234 if e.errno != errno.ECONNRESET:
3235 raise
3236 if support.verbose:
3237 sys.stdout.write("\nsocket.error is %r\n" % e)
3238 else:
3239 self.fail("Use of invalid cert should have failed!")
3240
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3241 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3242 def test_wrong_cert_tls13(self):
3243 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3244 # load client cert that is not signed by trusted CA
3245 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3246 server_context.verify_mode = ssl.CERT_REQUIRED
3247 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3248 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3249
3250 server = ThreadedEchoServer(
3251 context=server_context, chatty=True, connectionchatty=True,
3252 )
3253 with server, \
3254 client_context.wrap_socket(socket.socket(),
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]3255 server_hostname=hostname,
3256 suppress_ragged_eofs=False) as s:
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3257 # TLS 1.3 perform client cert exchange after handshake
3258 s.connect((HOST, server.port))
3259 try:
3260 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3261 s.read(1000)
3262 s.write(b'should have failed already')
3263 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3264 except ssl.SSLError as e:
3265 if support.verbose:
3266 sys.stdout.write("\nSSLError is %r\n" % e)
3267 except OSError as e:
3268 if e.errno != errno.ECONNRESET:
3269 raise
3270 if support.verbose:
3271 sys.stdout.write("\nsocket.error is %r\n" % e)
3272 else:
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]3273 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3274
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3275 def test_rude_shutdown(self):
3276 """A brutal shutdown of an SSL server should raise an OSError
3277 in the client when attempting handshake.
3278 """
3279 listener_ready = threading.Event()
3280 listener_gone = threading.Event()
3281
3282 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3283 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3284
3285 # `listener` runs in a thread. It sits in an accept() until
3286 # the main thread connects. Then it rudely closes the socket,
3287 # and sets Event `listener_gone` to let the main thread know
3288 # the socket is gone.
3289 def listener():
3290 s.listen()
3291 listener_ready.set()
3292 newsock, addr = s.accept()
3293 newsock.close()
3294 s.close()
3295 listener_gone.set()
3296
3297 def connector():
3298 listener_ready.wait()
3299 with socket.socket() as c:
3300 c.connect((HOST, port))
3301 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3302 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3303 ssl_sock = test_wrap_socket(c)
3304 except OSError:
3305 pass
3306 else:
3307 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3308
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3309 t = threading.Thread(target=listener)
3310 t.start()
3311 try:
3312 connector()
3313 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3314 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3315
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3316 def test_ssl_cert_verify_error(self):
3317 if support.verbose:
3318 sys.stdout.write("\n")
3319
3320 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3321 server_context.load_cert_chain(SIGNED_CERTFILE)
3322
3323 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3324
3325 server = ThreadedEchoServer(context=server_context, chatty=True)
3326 with server:
3327 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3328 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3329 try:
3330 s.connect((HOST, server.port))
3331 except ssl.SSLError as e:
3332 msg = 'unable to get local issuer certificate'
3333 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3334 self.assertEqual(e.verify_code, 20)
3335 self.assertEqual(e.verify_message, msg)
3336 self.assertIn(msg, repr(e))
3337 self.assertIn('certificate verify failed', repr(e))
3338
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3339 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3340 def test_protocol_sslv2(self):
3341 """Connecting to an SSLv2 server with various client options"""
3342 if support.verbose:
3343 sys.stdout.write("\n")
3344 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3345 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3346 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3347 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3348 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3349 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3350 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3351 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3352 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3353 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3354 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3355 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3356
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3357 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3358 """Connecting to an SSLv23 server with various client options"""
3359 if support.verbose:
3360 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3361 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3362 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3363 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3364 except OSError as x:
3365 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3366 if support.verbose:
3367 sys.stdout.write(
3368 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3369 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3370 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3371 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3372 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3373 if has_tls_version('TLSv1'):
3374 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3375
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3376 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3377 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3378 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3379 if has_tls_version('TLSv1'):
3380 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3381
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3382 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3383 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3384 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3385 if has_tls_version('TLSv1'):
3386 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3387
3388 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3389 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3390 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3391 server_options=ssl.OP_NO_SSLv3)
3392 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3393 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3394 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3395 if has_tls_version('TLSv1'):
3396 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3397 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3398
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3399 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3400 def test_protocol_sslv3(self):
3401 """Connecting to an SSLv3 server with various client options"""
3402 if support.verbose:
3403 sys.stdout.write("\n")
3404 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3405 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3406 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3407 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3408 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3409 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3410 client_options=ssl.OP_NO_SSLv3)
3411 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3412
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3413 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3414 def test_protocol_tlsv1(self):
3415 """Connecting to a TLSv1 server with various client options"""
3416 if support.verbose:
3417 sys.stdout.write("\n")
3418 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3419 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3420 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3421 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3422 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3423 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3424 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3425 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3426 client_options=ssl.OP_NO_TLSv1)
3427
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3428 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3429 def test_protocol_tlsv1_1(self):
3430 """Connecting to a TLSv1.1 server with various client options.
3431 Testing against older TLS versions."""
3432 if support.verbose:
3433 sys.stdout.write("\n")
3434 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3435 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3436 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3437 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3438 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3439 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3440 client_options=ssl.OP_NO_TLSv1_1)
3441
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3442 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3443 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3444 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3445
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3446 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3447 def test_protocol_tlsv1_2(self):
3448 """Connecting to a TLSv1.2 server with various client options.
3449 Testing against older TLS versions."""
3450 if support.verbose:
3451 sys.stdout.write("\n")
3452 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3453 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3454 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3455 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3456 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3457 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3458 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3459 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3460 client_options=ssl.OP_NO_TLSv1_2)
3461
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3462 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3463 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3464 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3465 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3466 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3467
3468 def test_starttls(self):
3469 """Switching from clear text to encrypted and back again."""
3470 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3471
3472 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3473 starttls_server=True,
3474 chatty=True,
3475 connectionchatty=True)
3476 wrapped = False
3477 with server:
3478 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3479 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3480 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3481 if support.verbose:
3482 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3483 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3484 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3485 sys.stdout.write(
3486 " client: sending %r...\n" % indata)
3487 if wrapped:
3488 conn.write(indata)
3489 outdata = conn.read()
3490 else:
3491 s.send(indata)
3492 outdata = s.recv(1024)
3493 msg = outdata.strip().lower()
3494 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3495 # STARTTLS ok, switch to secure mode
3496 if support.verbose:
3497 sys.stdout.write(
3498 " client: read %r from server, starting TLS...\n"
3499 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3500 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3501 wrapped = True
3502 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3503 # ENDTLS ok, switch back to clear text
3504 if support.verbose:
3505 sys.stdout.write(
3506 " client: read %r from server, ending TLS...\n"
3507 % msg)
3508 s = conn.unwrap()
3509 wrapped = False
3510 else:
3511 if support.verbose:
3512 sys.stdout.write(
3513 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3514 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3515 sys.stdout.write(" client: closing connection.\n")
3516 if wrapped:
3517 conn.write(b"over\n")
3518 else:
3519 s.send(b"over\n")
3520 if wrapped:
3521 conn.close()
3522 else:
3523 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3524
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3525 def test_socketserver(self):
3526 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3527 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3528 # try to connect
3529 if support.verbose:
3530 sys.stdout.write('\n')
3531 with open(CERTFILE, 'rb') as f:
3532 d1 = f.read()
3533 d2 = ''
3534 # now fetch the same data from the HTTPS server
3535 url = 'https://localhost:%d/%s' % (
3536 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3537 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3538 f = urllib.request.urlopen(url, context=context)
3539 try:
3540 dlen = f.info().get("content-length")
3541 if dlen and (int(dlen) > 0):
3542 d2 = f.read(int(dlen))
3543 if support.verbose:
3544 sys.stdout.write(
3545 " client: read %d bytes from remote server '%s'\n"
3546 % (len(d2), server))
3547 finally:
3548 f.close()
3549 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3550
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3551 def test_asyncore_server(self):
3552 """Check the example asyncore integration."""
3553 if support.verbose:
3554 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3555
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3556 indata = b"FOO\n"
3557 server = AsyncoreEchoServer(CERTFILE)
3558 with server:
3559 s = test_wrap_socket(socket.socket())
3560 s.connect(('127.0.0.1', server.port))
3561 if support.verbose:
3562 sys.stdout.write(
3563 " client: sending %r...\n" % indata)
3564 s.write(indata)
3565 outdata = s.read()
3566 if support.verbose:
3567 sys.stdout.write(" client: read %r\n" % outdata)
3568 if outdata != indata.lower():
3569 self.fail(
3570 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3571 % (outdata[:20], len(outdata),
3572 indata[:20].lower(), len(indata)))
3573 s.write(b"over\n")
3574 if support.verbose:
3575 sys.stdout.write(" client: closing connection.\n")
3576 s.close()
3577 if support.verbose:
3578 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3579
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3580 def test_recv_send(self):
3581 """Test recv(), send() and friends."""
3582 if support.verbose:
3583 sys.stdout.write("\n")
3584
3585 server = ThreadedEchoServer(CERTFILE,
3586 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3587 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3588 cacerts=CERTFILE,
3589 chatty=True,
3590 connectionchatty=False)
3591 with server:
3592 s = test_wrap_socket(socket.socket(),
3593 server_side=False,
3594 certfile=CERTFILE,
3595 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3596 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3597 s.connect((HOST, server.port))
3598 # helper methods for standardising recv* method signatures
3599 def _recv_into():
3600 b = bytearray(b"\0"*100)
3601 count = s.recv_into(b)
3602 return b[:count]
3603
3604 def _recvfrom_into():
3605 b = bytearray(b"\0"*100)
3606 count, addr = s.recvfrom_into(b)
3607 return b[:count]
3608
3609 # (name, method, expect success?, *args, return value func)
3610 send_methods = [
3611 ('send', s.send, True, [], len),
3612 ('sendto', s.sendto, False, ["some.address"], len),
3613 ('sendall', s.sendall, True, [], lambda x: None),
3614 ]
3615 # (name, method, whether to expect success, *args)
3616 recv_methods = [
3617 ('recv', s.recv, True, []),
3618 ('recvfrom', s.recvfrom, False, ["some.address"]),
3619 ('recv_into', _recv_into, True, []),
3620 ('recvfrom_into', _recvfrom_into, False, []),
3621 ]
3622 data_prefix = "PREFIX_"
3623
3624 for (meth_name, send_meth, expect_success, args,
3625 ret_val_meth) in send_methods:
3626 indata = (data_prefix + meth_name).encode('ascii')
3627 try:
3628 ret = send_meth(indata, *args)
3629 msg = "sending with {}".format(meth_name)
3630 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3631 outdata = s.read()
3632 if outdata != indata.lower():
3633 self.fail(
3634 "While sending with <<{name:s}>> bad data "
3635 "<<{outdata:r}>> ({nout:d}) received; "
3636 "expected <<{indata:r}>> ({nin:d})\n".format(
3637 name=meth_name, outdata=outdata[:20],
3638 nout=len(outdata),
3639 indata=indata[:20], nin=len(indata)
3640 )
3641 )
3642 except ValueError as e:
3643 if expect_success:
3644 self.fail(
3645 "Failed to send with method <<{name:s}>>; "
3646 "expected to succeed.\n".format(name=meth_name)
3647 )
3648 if not str(e).startswith(meth_name):
3649 self.fail(
3650 "Method <<{name:s}>> failed with unexpected "
3651 "exception message: {exp:s}\n".format(
3652 name=meth_name, exp=e
3653 )
3654 )
3655
3656 for meth_name, recv_meth, expect_success, args in recv_methods:
3657 indata = (data_prefix + meth_name).encode('ascii')
3658 try:
3659 s.send(indata)
3660 outdata = recv_meth(*args)
3661 if outdata != indata.lower():
3662 self.fail(
3663 "While receiving with <<{name:s}>> bad data "
3664 "<<{outdata:r}>> ({nout:d}) received; "
3665 "expected <<{indata:r}>> ({nin:d})\n".format(
3666 name=meth_name, outdata=outdata[:20],
3667 nout=len(outdata),
3668 indata=indata[:20], nin=len(indata)
3669 )
3670 )
3671 except ValueError as e:
3672 if expect_success:
3673 self.fail(
3674 "Failed to receive with method <<{name:s}>>; "
3675 "expected to succeed.\n".format(name=meth_name)
3676 )
3677 if not str(e).startswith(meth_name):
3678 self.fail(
3679 "Method <<{name:s}>> failed with unexpected "
3680 "exception message: {exp:s}\n".format(
3681 name=meth_name, exp=e
3682 )
3683 )
3684 # consume data
3685 s.read()
3686
3687 # read(-1, buffer) is supported, even though read(-1) is not
3688 data = b"data"
3689 s.send(data)
3690 buffer = bytearray(len(data))
3691 self.assertEqual(s.read(-1, buffer), len(data))
3692 self.assertEqual(buffer, data)
3693
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3694 # sendall accepts bytes-like objects
3695 if ctypes is not None:
3696 ubyte = ctypes.c_ubyte * len(data)
3697 byteslike = ubyte.from_buffer_copy(data)
3698 s.sendall(byteslike)
3699 self.assertEqual(s.read(), data)
3700
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3701 # Make sure sendmsg et al are disallowed to avoid
3702 # inadvertent disclosure of data and/or corruption
3703 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3704 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3705 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3706 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3707 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3708 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3709 s.write(b"over\n")
3710
3711 self.assertRaises(ValueError, s.recv, -1)
3712 self.assertRaises(ValueError, s.read, -1)
3713
3714 s.close()
3715
3716 def test_recv_zero(self):
3717 server = ThreadedEchoServer(CERTFILE)
3718 server.__enter__()
3719 self.addCleanup(server.__exit__, None, None)
3720 s = socket.create_connection((HOST, server.port))
3721 self.addCleanup(s.close)
3722 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3723 self.addCleanup(s.close)
3724
3725 # recv/read(0) should return no data
3726 s.send(b"data")
3727 self.assertEqual(s.recv(0), b"")
3728 self.assertEqual(s.read(0), b"")
3729 self.assertEqual(s.read(), b"data")
3730
3731 # Should not block if the other end sends no data
3732 s.setblocking(False)
3733 self.assertEqual(s.recv(0), b"")
3734 self.assertEqual(s.recv_into(bytearray()), 0)
3735
3736 def test_nonblocking_send(self):
3737 server = ThreadedEchoServer(CERTFILE,
3738 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3739 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3740 cacerts=CERTFILE,
3741 chatty=True,
3742 connectionchatty=False)
3743 with server:
3744 s = test_wrap_socket(socket.socket(),
3745 server_side=False,
3746 certfile=CERTFILE,
3747 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3748 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3749 s.connect((HOST, server.port))
3750 s.setblocking(False)
3751
3752 # If we keep sending data, at some point the buffers
3753 # will be full and the call will block
3754 buf = bytearray(8192)
3755 def fill_buffer():
3756 while True:
3757 s.send(buf)
3758 self.assertRaises((ssl.SSLWantWriteError,
3759 ssl.SSLWantReadError), fill_buffer)
3760
3761 # Now read all the output and discard it
3762 s.setblocking(True)
3763 s.close()
3764
3765 def test_handshake_timeout(self):
3766 # Issue #5103: SSL handshake must respect the socket timeout
3767 server = socket.socket(socket.AF_INET)
3768 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3769 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3770 started = threading.Event()
3771 finish = False
3772
3773 def serve():
3774 server.listen()
3775 started.set()
3776 conns = []
3777 while not finish:
3778 r, w, e = select.select([server], [], [], 0.1)
3779 if server in r:
3780 # Let the socket hang around rather than having
3781 # it closed by garbage collection.
3782 conns.append(server.accept()[0])
3783 for sock in conns:
3784 sock.close()
3785
3786 t = threading.Thread(target=serve)
3787 t.start()
3788 started.wait()
3789
3790 try:
3791 try:
3792 c = socket.socket(socket.AF_INET)
3793 c.settimeout(0.2)
3794 c.connect((host, port))
3795 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3796 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3797 test_wrap_socket, c)
3798 finally:
3799 c.close()
3800 try:
3801 c = socket.socket(socket.AF_INET)
3802 c = test_wrap_socket(c)
3803 c.settimeout(0.2)
3804 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3805 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3806 c.connect, (host, port))
3807 finally:
3808 c.close()
3809 finally:
3810 finish = True
3811 t.join()
3812 server.close()
3813
3814 def test_server_accept(self):
3815 # Issue #16357: accept() on a SSLSocket created through
3816 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3817 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3818 server = socket.socket(socket.AF_INET)
3819 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3820 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3821 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3822 self.assertTrue(server.server_side)
3823
3824 evt = threading.Event()
3825 remote = None
3826 peer = None
3827 def serve():
3828 nonlocal remote, peer
3829 server.listen()
3830 # Block on the accept and wait on the connection to close.
3831 evt.set()
3832 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3833 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3834
3835 t = threading.Thread(target=serve)
3836 t.start()
3837 # Client wait until server setup and perform a connect.
3838 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3839 client = client_ctx.wrap_socket(
3840 socket.socket(), server_hostname=hostname
3841 )
3842 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3843 client.send(b'data')
3844 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3845 client_addr = client.getsockname()
3846 client.close()
3847 t.join()
3848 remote.close()
3849 server.close()
3850 # Sanity checks.
3851 self.assertIsInstance(remote, ssl.SSLSocket)
3852 self.assertEqual(peer, client_addr)
3853
3854 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3855 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3856 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3857 with context.wrap_socket(socket.socket()) as sock:
3858 with self.assertRaises(OSError) as cm:
3859 sock.getpeercert()
3860 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3861
3862 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3863 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3864 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3865 with context.wrap_socket(socket.socket()) as sock:
3866 with self.assertRaises(OSError) as cm:
3867 sock.do_handshake()
3868 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3869
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3870 def test_no_shared_ciphers(self):
3871 client_context, server_context, hostname = testing_context()
3872 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]3873 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3874 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3875 client_context.set_ciphers("AES128")
3876 server_context.set_ciphers("AES256")
3877 with ThreadedEchoServer(context=server_context) as server:
3878 with client_context.wrap_socket(socket.socket(),
3879 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3880 with self.assertRaises(OSError):
3881 s.connect((HOST, server.port))
3882 self.assertIn("no shared cipher", server.conn_errors[0])
3883
3884 def test_version_basic(self):
3885 """
3886 Basic tests for SSLSocket.version().
3887 More tests are done in the test_protocol_*() methods.
3888 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3889 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3890 context.check_hostname = False
3891 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3892 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3893 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3894 chatty=False) as server:
3895 with context.wrap_socket(socket.socket()) as s:
3896 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3897 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3898 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3899 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3900 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3901 self.assertIs(s.version(), None)
3902
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3903 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3904 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3905 client_context, server_context, hostname = testing_context()
3906 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3907 with ThreadedEchoServer(context=server_context) as server:
3908 with client_context.wrap_socket(socket.socket(),
3909 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3910 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3911 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3912 'TLS_AES_256_GCM_SHA384',
3913 'TLS_CHACHA20_POLY1305_SHA256',
3914 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3915 })
3916 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3917
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3918 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3919 @requires_tls_version('TLSv1')
3920 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3921 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3922 client_context, server_context, hostname = testing_context()
3923 # client TLSv1.0 to 1.2
3924 client_context.minimum_version = ssl.TLSVersion.TLSv1
3925 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3926 # server only TLSv1.2
3927 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3928 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3929
3930 with ThreadedEchoServer(context=server_context) as server:
3931 with client_context.wrap_socket(socket.socket(),
3932 server_hostname=hostname) as s:
3933 s.connect((HOST, server.port))
3934 self.assertEqual(s.version(), 'TLSv1.2')
3935
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3936 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3937 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3938 def test_min_max_version_tlsv1_1(self):
3939 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3940 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3941 client_context.minimum_version = ssl.TLSVersion.TLSv1
3942 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3943 server_context.minimum_version = ssl.TLSVersion.TLSv1
3944 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3945 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3946
3947 with ThreadedEchoServer(context=server_context) as server:
3948 with client_context.wrap_socket(socket.socket(),
3949 server_hostname=hostname) as s:
3950 s.connect((HOST, server.port))
3951 self.assertEqual(s.version(), 'TLSv1.1')
3952
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3953 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3954 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3955 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3956 def test_min_max_version_mismatch(self):
3957 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3958 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3959 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3960 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3961 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3962 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3963 seclevel_workaround(client_context, server_context)
3964
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3965 with ThreadedEchoServer(context=server_context) as server:
3966 with client_context.wrap_socket(socket.socket(),
3967 server_hostname=hostname) as s:
3968 with self.assertRaises(ssl.SSLError) as e:
3969 s.connect((HOST, server.port))
3970 self.assertIn("alert", str(e.exception))
3971
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3972 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3973 def test_min_max_version_sslv3(self):
3974 client_context, server_context, hostname = testing_context()
3975 server_context.minimum_version = ssl.TLSVersion.SSLv3
3976 client_context.minimum_version = ssl.TLSVersion.SSLv3
3977 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3978 seclevel_workaround(client_context, server_context)
3979
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3980 with ThreadedEchoServer(context=server_context) as server:
3981 with client_context.wrap_socket(socket.socket(),
3982 server_hostname=hostname) as s:
3983 s.connect((HOST, server.port))
3984 self.assertEqual(s.version(), 'SSLv3')
3985
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3986 def test_default_ecdh_curve(self):
3987 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3988 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3989 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3990 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3991 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3992 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3993 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3994 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3995 # our default cipher list should prefer ECDH-based ciphers
3996 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3997 with ThreadedEchoServer(context=server_context) as server:
3998 with client_context.wrap_socket(socket.socket(),
3999 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4000 s.connect((HOST, server.port))
4001 self.assertIn("ECDH", s.cipher()[0])
4002
4003 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
4004 "'tls-unique' channel binding not available")
4005 def test_tls_unique_channel_binding(self):
4006 """Test tls-unique channel binding."""
4007 if support.verbose:
4008 sys.stdout.write("\n")
4009
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4010 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4011
4012 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4013 chatty=True,
4014 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4015
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4016 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4017 with client_context.wrap_socket(
4018 socket.socket(),
4019 server_hostname=hostname) as s:
4020 s.connect((HOST, server.port))
4021 # get the data
4022 cb_data = s.get_channel_binding("tls-unique")
4023 if support.verbose:
4024 sys.stdout.write(
4025 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4026
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4027 # check if it is sane
4028 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]4029 if s.version() == 'TLSv1.3':
4030 self.assertEqual(len(cb_data), 48)
4031 else:
4032 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4033
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4034 # and compare with the peers version
4035 s.write(b"CB tls-unique\n")
4036 peer_data_repr = s.read().strip()
4037 self.assertEqual(peer_data_repr,
4038 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4039
4040 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4041 with client_context.wrap_socket(
4042 socket.socket(),
4043 server_hostname=hostname) as s:
4044 s.connect((HOST, server.port))
4045 new_cb_data = s.get_channel_binding("tls-unique")
4046 if support.verbose:
4047 sys.stdout.write(
4048 "got another channel binding data: {0!r}\n".format(
4049 new_cb_data)
4050 )
4051 # is it really unique
4052 self.assertNotEqual(cb_data, new_cb_data)
4053 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]4054 if s.version() == 'TLSv1.3':
4055 self.assertEqual(len(cb_data), 48)
4056 else:
4057 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4058 s.write(b"CB tls-unique\n")
4059 peer_data_repr = s.read().strip()
4060 self.assertEqual(peer_data_repr,
4061 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4062
4063 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4064 client_context, server_context, hostname = testing_context()
4065 stats = server_params_test(client_context, server_context,
4066 chatty=True, connectionchatty=True,
4067 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4068 if support.verbose:
4069 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
4070 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
4071
4072 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
4073 "ssl.OP_NO_COMPRESSION needed for this test")
4074 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4075 client_context, server_context, hostname = testing_context()
4076 client_context.options |= ssl.OP_NO_COMPRESSION
4077 server_context.options |= ssl.OP_NO_COMPRESSION
4078 stats = server_params_test(client_context, server_context,
4079 chatty=True, connectionchatty=True,
4080 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4081 self.assertIs(stats['compression'], None)
4082
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4083 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4084 def test_dh_params(self):
4085 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4086 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4087 # test scenario needs TLS <= 1.2
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4088 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4089 server_context.load_dh_params(DHFILE)
4090 server_context.set_ciphers("kEDH")
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4091 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4092 stats = server_params_test(client_context, server_context,
4093 chatty=True, connectionchatty=True,
4094 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4095 cipher = stats["cipher"][0]
4096 parts = cipher.split("-")
4097 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4098 self.fail("Non-DH cipher: " + cipher[0])
4099
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4100 def test_ecdh_curve(self):
4101 # server secp384r1, client auto
4102 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4103
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4104 server_context.set_ecdh_curve("secp384r1")
4105 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4106 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4107 stats = server_params_test(client_context, server_context,
4108 chatty=True, connectionchatty=True,
4109 sni_name=hostname)
4110
4111 # server auto, client secp384r1
4112 client_context, server_context, hostname = testing_context()
4113 client_context.set_ecdh_curve("secp384r1")
4114 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4115 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4116 stats = server_params_test(client_context, server_context,
4117 chatty=True, connectionchatty=True,
4118 sni_name=hostname)
4119
4120 # server / client curve mismatch
4121 client_context, server_context, hostname = testing_context()
4122 client_context.set_ecdh_curve("prime256v1")
4123 server_context.set_ecdh_curve("secp384r1")
4124 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4125 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4126 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4127 server_params_test(client_context, server_context,
4128 chatty=True, connectionchatty=True,
4129 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4130
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4131 def test_selected_alpn_protocol(self):
4132 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4133 client_context, server_context, hostname = testing_context()
4134 stats = server_params_test(client_context, server_context,
4135 chatty=True, connectionchatty=True,
4136 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4137 self.assertIs(stats['client_alpn_protocol'], None)
4138
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4139 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4140 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4141 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4142 server_context.set_alpn_protocols(['foo', 'bar'])
4143 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4144 chatty=True, connectionchatty=True,
4145 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4146 self.assertIs(stats['client_alpn_protocol'], None)
4147
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4148 def test_alpn_protocols(self):
4149 server_protocols = ['foo', 'bar', 'milkshake']
4150 protocol_tests = [
4151 (['foo', 'bar'], 'foo'),
4152 (['bar', 'foo'], 'foo'),
4153 (['milkshake'], 'milkshake'),
4154 (['http/3.0', 'http/4.0'], None)
4155 ]
4156 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4157 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4158 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4159 client_context.set_alpn_protocols(client_protocols)
4160
4161 try:
4162 stats = server_params_test(client_context,
4163 server_context,
4164 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4165 connectionchatty=True,
4166 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4167 except ssl.SSLError as e:
4168 stats = e
4169
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4170 msg = "failed trying %s (s) and %s (c).\n" \
4171 "was expecting %s, but got %%s from the %%s" \
4172 % (str(server_protocols), str(client_protocols),
4173 str(expected))
4174 client_result = stats['client_alpn_protocol']
4175 self.assertEqual(client_result, expected,
4176 msg % (client_result, "client"))
4177 server_result = stats['server_alpn_protocols'][-1] \
4178 if len(stats['server_alpn_protocols']) else 'nothing'
4179 self.assertEqual(server_result, expected,
4180 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4181
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4182 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4183 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4184
4185 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4186 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4187 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4188 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4189 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4190 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4191 client_context.load_verify_locations(SIGNING_CA)
4192 return server_context, other_context, client_context
4193
4194 def check_common_name(self, stats, name):
4195 cert = stats['peercert']
4196 self.assertIn((('commonName', name),), cert['subject'])
4197
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4198 def test_sni_callback(self):
4199 calls = []
4200 server_context, other_context, client_context = self.sni_contexts()
4201
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4202 client_context.check_hostname = False
4203
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4204 def servername_cb(ssl_sock, server_name, initial_context):
4205 calls.append((server_name, initial_context))
4206 if server_name is not None:
4207 ssl_sock.context = other_context
4208 server_context.set_servername_callback(servername_cb)
4209
4210 stats = server_params_test(client_context, server_context,
4211 chatty=True,
4212 sni_name='supermessage')
4213 # The hostname was fetched properly, and the certificate was
4214 # changed for the connection.
4215 self.assertEqual(calls, [("supermessage", server_context)])
4216 # CERTFILE4 was selected
4217 self.check_common_name(stats, 'fakehostname')
4218
4219 calls = []
4220 # The callback is called with server_name=None
4221 stats = server_params_test(client_context, server_context,
4222 chatty=True,
4223 sni_name=None)
4224 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4225 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4226
4227 # Check disabling the callback
4228 calls = []
4229 server_context.set_servername_callback(None)
4230
4231 stats = server_params_test(client_context, server_context,
4232 chatty=True,
4233 sni_name='notfunny')
4234 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4235 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4236 self.assertEqual(calls, [])
4237
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4238 def test_sni_callback_alert(self):
4239 # Returning a TLS alert is reflected to the connecting client
4240 server_context, other_context, client_context = self.sni_contexts()
4241
4242 def cb_returning_alert(ssl_sock, server_name, initial_context):
4243 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4244 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4245 with self.assertRaises(ssl.SSLError) as cm:
4246 stats = server_params_test(client_context, server_context,
4247 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4248 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4249 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4250
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4251 def test_sni_callback_raising(self):
4252 # Raising fails the connection with a TLS handshake failure alert.
4253 server_context, other_context, client_context = self.sni_contexts()
4254
4255 def cb_raising(ssl_sock, server_name, initial_context):
4256 1/0
4257 server_context.set_servername_callback(cb_raising)
4258
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4259 with support.catch_unraisable_exception() as catch:
4260 with self.assertRaises(ssl.SSLError) as cm:
4261 stats = server_params_test(client_context, server_context,
4262 chatty=False,
4263 sni_name='supermessage')
4264
4265 self.assertEqual(cm.exception.reason,
4266 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4267 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4268
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4269 def test_sni_callback_wrong_return_type(self):
4270 # Returning the wrong return type terminates the TLS connection
4271 # with an internal error alert.
4272 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4273
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4274 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4275 return "foo"
4276 server_context.set_servername_callback(cb_wrong_return_type)
4277
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4278 with support.catch_unraisable_exception() as catch:
4279 with self.assertRaises(ssl.SSLError) as cm:
4280 stats = server_params_test(client_context, server_context,
4281 chatty=False,
4282 sni_name='supermessage')
4283
4284
4285 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4286 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4287
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4288 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4289 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4290 client_context.set_ciphers("AES128:AES256")
4291 server_context.set_ciphers("AES256")
4292 expected_algs = [
4293 "AES256", "AES-256",
4294 # TLS 1.3 ciphers are always enabled
4295 "TLS_CHACHA20", "TLS_AES",
4296 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4297
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4298 stats = server_params_test(client_context, server_context,
4299 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4300 ciphers = stats['server_shared_ciphers'][0]
4301 self.assertGreater(len(ciphers), 0)
4302 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4303 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4304 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4305
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4306 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4307 client_context, server_context, hostname = testing_context()
4308 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4309
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4310 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4311 s = client_context.wrap_socket(socket.socket(),
4312 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4313 s.connect((HOST, server.port))
4314 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4315
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4316 self.assertRaises(ValueError, s.read, 1024)
4317 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4318
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4319 def test_sendfile(self):
4320 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4321 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4322 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4323 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4324 client_context, server_context, hostname = testing_context()
4325 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4326 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4327 with client_context.wrap_socket(socket.socket(),
4328 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4329 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4330 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4331 s.sendfile(file)
4332 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4333
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4334 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4335 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4336 # TODO: sessions aren't compatible with TLSv1.3 yet
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4337 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4338
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4339 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4340 stats = server_params_test(client_context, server_context,
4341 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4342 session = stats['session']
4343 self.assertTrue(session.id)
4344 self.assertGreater(session.time, 0)
4345 self.assertGreater(session.timeout, 0)
4346 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4347 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4348 self.assertFalse(stats['session_reused'])
4349 sess_stat = server_context.session_stats()
4350 self.assertEqual(sess_stat['accept'], 1)
4351 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4352
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4353 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4354 stats = server_params_test(client_context, server_context,
4355 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4356 sess_stat = server_context.session_stats()
4357 self.assertEqual(sess_stat['accept'], 2)
4358 self.assertEqual(sess_stat['hits'], 1)
4359 self.assertTrue(stats['session_reused'])
4360 session2 = stats['session']
4361 self.assertEqual(session2.id, session.id)
4362 self.assertEqual(session2, session)
4363 self.assertIsNot(session2, session)
4364 self.assertGreaterEqual(session2.time, session.time)
4365 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4366
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4367 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4368 stats = server_params_test(client_context, server_context,
4369 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4370 self.assertFalse(stats['session_reused'])
4371 session3 = stats['session']
4372 self.assertNotEqual(session3.id, session.id)
4373 self.assertNotEqual(session3, session)
4374 sess_stat = server_context.session_stats()
4375 self.assertEqual(sess_stat['accept'], 3)
4376 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4377
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4378 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4379 stats = server_params_test(client_context, server_context,
4380 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4381 self.assertTrue(stats['session_reused'])
4382 session4 = stats['session']
4383 self.assertEqual(session4.id, session.id)
4384 self.assertEqual(session4, session)
4385 self.assertGreaterEqual(session4.time, session.time)
4386 self.assertGreaterEqual(session4.timeout, session.timeout)
4387 sess_stat = server_context.session_stats()
4388 self.assertEqual(sess_stat['accept'], 4)
4389 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4390
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4391 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4392 client_context, server_context, hostname = testing_context()
4393 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4394
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4395 # TODO: session reuse does not work with TLSv1.3
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4396 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4397 client_context2.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4398
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4399 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4400 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4401 with client_context.wrap_socket(socket.socket(),
4402 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4403 # session is None before handshake
4404 self.assertEqual(s.session, None)
4405 self.assertEqual(s.session_reused, None)
4406 s.connect((HOST, server.port))
4407 session = s.session
4408 self.assertTrue(session)
4409 with self.assertRaises(TypeError) as e:
4410 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4411 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4412
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4413 with client_context.wrap_socket(socket.socket(),
4414 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4415 s.connect((HOST, server.port))
4416 # cannot set session after handshake
4417 with self.assertRaises(ValueError) as e:
4418 s.session = session
4419 self.assertEqual(str(e.exception),
4420 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4421
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4422 with client_context.wrap_socket(socket.socket(),
4423 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4424 # can set session before handshake and before the
4425 # connection was established
4426 s.session = session
4427 s.connect((HOST, server.port))
4428 self.assertEqual(s.session.id, session.id)
4429 self.assertEqual(s.session, session)
4430 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4431
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4432 with client_context2.wrap_socket(socket.socket(),
4433 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4434 # cannot re-use session with a different SSLContext
4435 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4436 s.session = session
4437 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4438 self.assertEqual(str(e.exception),
4439 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4440
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4441
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4442@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4443class TestPostHandshakeAuth(unittest.TestCase):
4444 def test_pha_setter(self):
4445 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4446 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4447 ]
4448 for protocol in protocols:
4449 ctx = ssl.SSLContext(protocol)
4450 self.assertEqual(ctx.post_handshake_auth, False)
4451
4452 ctx.post_handshake_auth = True
4453 self.assertEqual(ctx.post_handshake_auth, True)
4454
4455 ctx.verify_mode = ssl.CERT_REQUIRED
4456 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4457 self.assertEqual(ctx.post_handshake_auth, True)
4458
4459 ctx.post_handshake_auth = False
4460 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4461 self.assertEqual(ctx.post_handshake_auth, False)
4462
4463 ctx.verify_mode = ssl.CERT_OPTIONAL
4464 ctx.post_handshake_auth = True
4465 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4466 self.assertEqual(ctx.post_handshake_auth, True)
4467
4468 def test_pha_required(self):
4469 client_context, server_context, hostname = testing_context()
4470 server_context.post_handshake_auth = True
4471 server_context.verify_mode = ssl.CERT_REQUIRED
4472 client_context.post_handshake_auth = True
4473 client_context.load_cert_chain(SIGNED_CERTFILE)
4474
4475 server = ThreadedEchoServer(context=server_context, chatty=False)
4476 with server:
4477 with client_context.wrap_socket(socket.socket(),
4478 server_hostname=hostname) as s:
4479 s.connect((HOST, server.port))
4480 s.write(b'HASCERT')
4481 self.assertEqual(s.recv(1024), b'FALSE\n')
4482 s.write(b'PHA')
4483 self.assertEqual(s.recv(1024), b'OK\n')
4484 s.write(b'HASCERT')
4485 self.assertEqual(s.recv(1024), b'TRUE\n')
4486 # PHA method just returns true when cert is already available
4487 s.write(b'PHA')
4488 self.assertEqual(s.recv(1024), b'OK\n')
4489 s.write(b'GETCERT')
4490 cert_text = s.recv(4096).decode('us-ascii')
4491 self.assertIn('Python Software Foundation CA', cert_text)
4492
4493 def test_pha_required_nocert(self):
4494 client_context, server_context, hostname = testing_context()
4495 server_context.post_handshake_auth = True
4496 server_context.verify_mode = ssl.CERT_REQUIRED
4497 client_context.post_handshake_auth = True
4498
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4499 def msg_cb(conn, direction, version, content_type, msg_type, data):
4500 if support.verbose and content_type == _TLSContentType.ALERT:
4501 info = (conn, direction, version, content_type, msg_type, data)
4502 sys.stdout.write(f"TLS: {info!r}\n")
4503
4504 server_context._msg_callback = msg_cb
4505 client_context._msg_callback = msg_cb
4506
4507 server = ThreadedEchoServer(context=server_context, chatty=True)
4508 with server:
4509 with client_context.wrap_socket(socket.socket(),
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]4510 server_hostname=hostname,
4511 suppress_ragged_eofs=False) as s:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4512 s.connect((HOST, server.port))
4513 s.write(b'PHA')
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4514 # test sometimes fails with EOF error. Test passes as long as
4515 # server aborts connection with an error.
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4516 with self.assertRaisesRegex(
4517 ssl.SSLError,
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4518 '(certificate required|EOF occurred)'
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4519 ):
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4520 # receive CertificateRequest
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4521 data = s.recv(1024)
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4522 self.assertEqual(data, b'OK\n')
4523
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4524 # send empty Certificate + Finish
4525 s.write(b'HASCERT')
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame]4526
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4527 # receive alert
Miss Islington (bot)d2ab15f2021-06-03 13:15:15 -0700[diff] [blame]4528 s.recv(1024)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4529
4530 def test_pha_optional(self):
4531 if support.verbose:
4532 sys.stdout.write("\n")
4533
4534 client_context, server_context, hostname = testing_context()
4535 server_context.post_handshake_auth = True
4536 server_context.verify_mode = ssl.CERT_REQUIRED
4537 client_context.post_handshake_auth = True
4538 client_context.load_cert_chain(SIGNED_CERTFILE)
4539
4540 # check CERT_OPTIONAL
4541 server_context.verify_mode = ssl.CERT_OPTIONAL
4542 server = ThreadedEchoServer(context=server_context, chatty=False)
4543 with server:
4544 with client_context.wrap_socket(socket.socket(),
4545 server_hostname=hostname) as s:
4546 s.connect((HOST, server.port))
4547 s.write(b'HASCERT')
4548 self.assertEqual(s.recv(1024), b'FALSE\n')
4549 s.write(b'PHA')
4550 self.assertEqual(s.recv(1024), b'OK\n')
4551 s.write(b'HASCERT')
4552 self.assertEqual(s.recv(1024), b'TRUE\n')
4553
4554 def test_pha_optional_nocert(self):
4555 if support.verbose:
4556 sys.stdout.write("\n")
4557
4558 client_context, server_context, hostname = testing_context()
4559 server_context.post_handshake_auth = True
4560 server_context.verify_mode = ssl.CERT_OPTIONAL
4561 client_context.post_handshake_auth = True
4562
4563 server = ThreadedEchoServer(context=server_context, chatty=False)
4564 with server:
4565 with client_context.wrap_socket(socket.socket(),
4566 server_hostname=hostname) as s:
4567 s.connect((HOST, server.port))
4568 s.write(b'HASCERT')
4569 self.assertEqual(s.recv(1024), b'FALSE\n')
4570 s.write(b'PHA')
4571 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4572 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4573 s.write(b'HASCERT')
4574 self.assertEqual(s.recv(1024), b'FALSE\n')
4575
4576 def test_pha_no_pha_client(self):
4577 client_context, server_context, hostname = testing_context()
4578 server_context.post_handshake_auth = True
4579 server_context.verify_mode = ssl.CERT_REQUIRED
4580 client_context.load_cert_chain(SIGNED_CERTFILE)
4581
4582 server = ThreadedEchoServer(context=server_context, chatty=False)
4583 with server:
4584 with client_context.wrap_socket(socket.socket(),
4585 server_hostname=hostname) as s:
4586 s.connect((HOST, server.port))
4587 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4588 s.verify_client_post_handshake()
4589 s.write(b'PHA')
4590 self.assertIn(b'extension not received', s.recv(1024))
4591
4592 def test_pha_no_pha_server(self):
4593 # server doesn't have PHA enabled, cert is requested in handshake
4594 client_context, server_context, hostname = testing_context()
4595 server_context.verify_mode = ssl.CERT_REQUIRED
4596 client_context.post_handshake_auth = True
4597 client_context.load_cert_chain(SIGNED_CERTFILE)
4598
4599 server = ThreadedEchoServer(context=server_context, chatty=False)
4600 with server:
4601 with client_context.wrap_socket(socket.socket(),
4602 server_hostname=hostname) as s:
4603 s.connect((HOST, server.port))
4604 s.write(b'HASCERT')
4605 self.assertEqual(s.recv(1024), b'TRUE\n')
4606 # PHA doesn't fail if there is already a cert
4607 s.write(b'PHA')
4608 self.assertEqual(s.recv(1024), b'OK\n')
4609 s.write(b'HASCERT')
4610 self.assertEqual(s.recv(1024), b'TRUE\n')
4611
4612 def test_pha_not_tls13(self):
4613 # TLS 1.2
4614 client_context, server_context, hostname = testing_context()
4615 server_context.verify_mode = ssl.CERT_REQUIRED
4616 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4617 client_context.post_handshake_auth = True
4618 client_context.load_cert_chain(SIGNED_CERTFILE)
4619
4620 server = ThreadedEchoServer(context=server_context, chatty=False)
4621 with server:
4622 with client_context.wrap_socket(socket.socket(),
4623 server_hostname=hostname) as s:
4624 s.connect((HOST, server.port))
4625 # PHA fails for TLS != 1.3
4626 s.write(b'PHA')
4627 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4628
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4629 def test_bpo37428_pha_cert_none(self):
4630 # verify that post_handshake_auth does not implicitly enable cert
4631 # validation.
4632 hostname = SIGNED_CERTFILE_HOSTNAME
4633 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4634 client_context.post_handshake_auth = True
4635 client_context.load_cert_chain(SIGNED_CERTFILE)
4636 # no cert validation and CA on client side
4637 client_context.check_hostname = False
4638 client_context.verify_mode = ssl.CERT_NONE
4639
4640 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4641 server_context.load_cert_chain(SIGNED_CERTFILE)
4642 server_context.load_verify_locations(SIGNING_CA)
4643 server_context.post_handshake_auth = True
4644 server_context.verify_mode = ssl.CERT_REQUIRED
4645
4646 server = ThreadedEchoServer(context=server_context, chatty=False)
4647 with server:
4648 with client_context.wrap_socket(socket.socket(),
4649 server_hostname=hostname) as s:
4650 s.connect((HOST, server.port))
4651 s.write(b'HASCERT')
4652 self.assertEqual(s.recv(1024), b'FALSE\n')
4653 s.write(b'PHA')
4654 self.assertEqual(s.recv(1024), b'OK\n')
4655 s.write(b'HASCERT')
4656 self.assertEqual(s.recv(1024), b'TRUE\n')
4657 # server cert has not been validated
4658 self.assertEqual(s.getpeercert(), {})
4659
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]4660 def test_internal_chain_client(self):
4661 client_context, server_context, hostname = testing_context(
4662 server_chain=False
4663 )
4664 server = ThreadedEchoServer(context=server_context, chatty=False)
4665 with server:
4666 with client_context.wrap_socket(
4667 socket.socket(),
4668 server_hostname=hostname
4669 ) as s:
4670 s.connect((HOST, server.port))
4671 vc = s._sslobj.get_verified_chain()
4672 self.assertEqual(len(vc), 2)
4673 ee, ca = vc
4674 uvc = s._sslobj.get_unverified_chain()
4675 self.assertEqual(len(uvc), 1)
4676
4677 self.assertEqual(ee, uvc[0])
4678 self.assertEqual(hash(ee), hash(uvc[0]))
4679 self.assertEqual(repr(ee), repr(uvc[0]))
4680
4681 self.assertNotEqual(ee, ca)
4682 self.assertNotEqual(hash(ee), hash(ca))
4683 self.assertNotEqual(repr(ee), repr(ca))
4684 self.assertNotEqual(ee.get_info(), ca.get_info())
4685 self.assertIn("CN=localhost", repr(ee))
4686 self.assertIn("CN=our-ca-server", repr(ca))
4687
4688 pem = ee.public_bytes(_ssl.ENCODING_PEM)
4689 der = ee.public_bytes(_ssl.ENCODING_DER)
4690 self.assertIsInstance(pem, str)
4691 self.assertIn("-----BEGIN CERTIFICATE-----", pem)
4692 self.assertIsInstance(der, bytes)
4693 self.assertEqual(
4694 ssl.PEM_cert_to_DER_cert(pem), der
4695 )
4696
4697 def test_internal_chain_server(self):
4698 client_context, server_context, hostname = testing_context()
4699 client_context.load_cert_chain(SIGNED_CERTFILE)
4700 server_context.verify_mode = ssl.CERT_REQUIRED
4701 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
4702
4703 server = ThreadedEchoServer(context=server_context, chatty=False)
4704 with server:
4705 with client_context.wrap_socket(
4706 socket.socket(),
4707 server_hostname=hostname
4708 ) as s:
4709 s.connect((HOST, server.port))
4710 s.write(b'VERIFIEDCHAIN\n')
4711 res = s.recv(1024)
4712 self.assertEqual(res, b'\x02\n')
4713 s.write(b'UNVERIFIEDCHAIN\n')
4714 res = s.recv(1024)
4715 self.assertEqual(res, b'\x02\n')
4716
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4717
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4718HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4719requires_keylog = unittest.skipUnless(
4720 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4721
4722class TestSSLDebug(unittest.TestCase):
4723
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4724 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4725 with open(fname) as f:
4726 return len(list(f))
4727
4728 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4729 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4730 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4731 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4732 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4733 self.assertEqual(ctx.keylog_filename, None)
4734
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4735 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4736 ctx.keylog_filename = os_helper.TESTFN
4737 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4738 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4739 self.assertEqual(self.keylog_lines(), 1)
4740
4741 ctx.keylog_filename = None
4742 self.assertEqual(ctx.keylog_filename, None)
4743
4744 with self.assertRaises((IsADirectoryError, PermissionError)):
4745 # Windows raises PermissionError
4746 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4747 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4748
4749 with self.assertRaises(TypeError):
4750 ctx.keylog_filename = 1
4751
4752 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4753 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4754 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4755 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4756 client_context, server_context, hostname = testing_context()
4757
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4758 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4759 server = ThreadedEchoServer(context=server_context, chatty=False)
4760 with server:
4761 with client_context.wrap_socket(socket.socket(),
4762 server_hostname=hostname) as s:
4763 s.connect((HOST, server.port))
4764 # header, 5 lines for TLS 1.3
4765 self.assertEqual(self.keylog_lines(), 6)
4766
4767 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4768 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4769 server = ThreadedEchoServer(context=server_context, chatty=False)
4770 with server:
4771 with client_context.wrap_socket(socket.socket(),
4772 server_hostname=hostname) as s:
4773 s.connect((HOST, server.port))
4774 self.assertGreaterEqual(self.keylog_lines(), 11)
4775
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4776 client_context.keylog_filename = os_helper.TESTFN
4777 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4778 server = ThreadedEchoServer(context=server_context, chatty=False)
4779 with server:
4780 with client_context.wrap_socket(socket.socket(),
4781 server_hostname=hostname) as s:
4782 s.connect((HOST, server.port))
4783 self.assertGreaterEqual(self.keylog_lines(), 21)
4784
4785 client_context.keylog_filename = None
4786 server_context.keylog_filename = None
4787
4788 @requires_keylog
4789 @unittest.skipIf(sys.flags.ignore_environment,
4790 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4791 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4792 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4793 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4794 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4795 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4796 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4797
4798 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4799 self.assertEqual(ctx.keylog_filename, None)
4800
4801 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4802 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4803
4804 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4805 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4806
4807 def test_msg_callback(self):
4808 client_context, server_context, hostname = testing_context()
4809
4810 def msg_cb(conn, direction, version, content_type, msg_type, data):
4811 pass
4812
4813 self.assertIs(client_context._msg_callback, None)
4814 client_context._msg_callback = msg_cb
4815 self.assertIs(client_context._msg_callback, msg_cb)
4816 with self.assertRaises(TypeError):
4817 client_context._msg_callback = object()
4818
4819 def test_msg_callback_tls12(self):
4820 client_context, server_context, hostname = testing_context()
Miss Islington (bot)4becc562021-06-13 05:07:00 -0700[diff] [blame]4821 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4822
4823 msg = []
4824
4825 def msg_cb(conn, direction, version, content_type, msg_type, data):
4826 self.assertIsInstance(conn, ssl.SSLSocket)
4827 self.assertIsInstance(data, bytes)
4828 self.assertIn(direction, {'read', 'write'})
4829 msg.append((direction, version, content_type, msg_type))
4830
4831 client_context._msg_callback = msg_cb
4832
4833 server = ThreadedEchoServer(context=server_context, chatty=False)
4834 with server:
4835 with client_context.wrap_socket(socket.socket(),
4836 server_hostname=hostname) as s:
4837 s.connect((HOST, server.port))
4838
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4839 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4840 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4841 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4842 msg
4843 )
4844 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4845 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4846 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4847 msg
4848 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4849
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4850 def test_msg_callback_deadlock_bpo43577(self):
4851 client_context, server_context, hostname = testing_context()
4852 server_context2 = testing_context()[1]
4853
4854 def msg_cb(conn, direction, version, content_type, msg_type, data):
4855 pass
4856
4857 def sni_cb(sock, servername, ctx):
4858 sock.context = server_context2
4859
4860 server_context._msg_callback = msg_cb
4861 server_context.sni_callback = sni_cb
4862
4863 server = ThreadedEchoServer(context=server_context, chatty=False)
4864 with server:
4865 with client_context.wrap_socket(socket.socket(),
4866 server_hostname=hostname) as s:
4867 s.connect((HOST, server.port))
4868 with client_context.wrap_socket(socket.socket(),
4869 server_hostname=hostname) as s:
4870 s.connect((HOST, server.port))
4871
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4872
Serhiy Storchakabedce352021-09-19 22:36:03 +0300[diff] [blame]4873def setUpModule():
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4874 if support.verbose:
4875 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4876 'Mac': platform.mac_ver,
4877 'Windows': platform.win32_ver,
4878 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]4879 for name, func in plats.items():
4880 plat = func()
4881 if plat and plat[0]:
4882 plat = '%s %r' % (name, plat)
4883 break
4884 else:
4885 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4886 print("test_ssl: testing with %r %r" %
4887 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
4888 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]4889 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]4890 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
4891 try:
4892 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
4893 except AttributeError:
4894 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4895
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4896 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4897 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4898 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4899 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4900 BADCERT, BADKEY, EMPTYCERT]:
4901 if not os.path.exists(filename):
4902 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4903
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4904 thread_info = threading_helper.threading_setup()
Serhiy Storchakabedce352021-09-19 22:36:03 +0300[diff] [blame]4905 unittest.addModuleCleanup(threading_helper.threading_cleanup, *thread_info)
4906
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4907
4908if __name__ == "__main__":
Serhiy Storchakabedce352021-09-19 22:36:03 +0300[diff] [blame]4909 unittest.main()