Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / e5e93e6145090a636e67766a53b758d7ac78e3ad / . / Lib / test / test_ssl.py
blob: fbd0131ea4f4108a4077e6fdc23875fab558c6ab [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
16import enum
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]17import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]19import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]21import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]22import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]23import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]24import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]25import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]26import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]27import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]28import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]29try:
30 import ctypes
31except ImportError:
32 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]33
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]34ssl = import_helper.import_module("ssl")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]35import _ssl
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]36
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]37from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]38
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]39Py_DEBUG = hasattr(sys, 'gettotalrefcount')
40Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
41
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]42PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]43HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]44IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]45PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]46
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]47PROTOCOL_TO_TLS_VERSION = {}
48for proto, ver in (
49 ("PROTOCOL_SSLv23", "SSLv3"),
50 ("PROTOCOL_TLSv1", "TLSv1"),
51 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
52):
53 try:
54 proto = getattr(ssl, proto)
55 ver = getattr(ssl.TLSVersion, ver)
56 except AttributeError:
57 continue
58 PROTOCOL_TO_TLS_VERSION[proto] = ver
59
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]60def data_file(*name):
61 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]62
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]63# The custom key and certificate files used in test_ssl are generated
64# using Lib/test/make_ssl_certs.py.
65# Other certificates are simply fetched from the Internet servers they
66# are meant to authenticate.
67
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]68CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]69BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]70ONLYCERT = data_file("ssl_cert.pem")
71ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]72BYTES_ONLYCERT = os.fsencode(ONLYCERT)
73BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]74CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
75ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
76KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]77CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]78BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]79CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
80CAFILE_CACERT = data_file("capath", "5ed36f99.0")
81
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]82CERTFILE_INFO = {
83 'issuer': ((('countryName', 'XY'),),
84 (('localityName', 'Castle Anthrax'),),
85 (('organizationName', 'Python Software Foundation'),),
86 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]87 'notAfter': 'Aug 26 14:23:15 2028 GMT',
88 'notBefore': 'Aug 29 14:23:15 2018 GMT',
89 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]90 'subject': ((('countryName', 'XY'),),
91 (('localityName', 'Castle Anthrax'),),
92 (('organizationName', 'Python Software Foundation'),),
93 (('commonName', 'localhost'),)),
94 'subjectAltName': (('DNS', 'localhost'),),
95 'version': 3
96}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]97
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]98# empty CRL
99CRLFILE = data_file("revocation.crl")
100
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]101# Two keys and certs signed by the same CA (for SNI tests)
102SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]103SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]104
105SIGNED_CERTFILE_INFO = {
106 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
107 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
108 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
109 'issuer': ((('countryName', 'XY'),),
110 (('organizationName', 'Python Software Foundation CA'),),
111 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]112 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]113 'notBefore': 'Aug 29 14:23:16 2018 GMT',
114 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]115 'subject': ((('countryName', 'XY'),),
116 (('localityName', 'Castle Anthrax'),),
117 (('organizationName', 'Python Software Foundation'),),
118 (('commonName', 'localhost'),)),
119 'subjectAltName': (('DNS', 'localhost'),),
120 'version': 3
121}
122
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]123SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]124SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]125SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
126SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
127
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]128# Same certificate as pycacert.pem, but without extra text in file
129SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]130# cert with all kinds of subject alt names
131ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]132IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]133NOSANFILE = data_file("nosan.pem")
134NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]135
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]136REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]137
138EMPTYCERT = data_file("nullcert.pem")
139BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]140NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]141BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]142NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]143NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]144TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]145
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]146DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]147BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]148
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]149# Not defined in all versions of OpenSSL
150OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
151OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
152OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
153OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]154OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]155OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]156
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]157# Ubuntu has patched OpenSSL and changed behavior of security level 2
158# see https://bugs.python.org/issue41561#msg389003
159def is_ubuntu():
160 try:
161 # Assume that any references of "ubuntu" implies Ubuntu-like distro
162 # The workaround is not required for 18.04, but doesn't hurt either.
163 with open("/etc/os-release", encoding="utf-8") as f:
164 return "ubuntu" in f.read()
165 except FileNotFoundError:
166 return False
167
168if is_ubuntu():
169 def seclevel_workaround(*ctxs):
170 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
171 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]172 if (
173 hasattr(ctx, "minimum_version") and
174 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
175 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]176 ctx.set_ciphers("@SECLEVEL=1:ALL")
177else:
178 def seclevel_workaround(*ctxs):
179 pass
180
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]181
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]182def has_tls_protocol(protocol):
183 """Check if a TLS protocol is available and enabled
184
185 :param protocol: enum ssl._SSLMethod member or name
186 :return: bool
187 """
188 if isinstance(protocol, str):
189 assert protocol.startswith('PROTOCOL_')
190 protocol = getattr(ssl, protocol, None)
191 if protocol is None:
192 return False
193 if protocol in {
194 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
195 ssl.PROTOCOL_TLS_CLIENT
196 }:
197 # auto-negotiate protocols are always available
198 return True
199 name = protocol.name
200 return has_tls_version(name[len('PROTOCOL_'):])
201
202
203@functools.lru_cache
204def has_tls_version(version):
205 """Check if a TLS/SSL version is enabled
206
207 :param version: TLS version name or ssl.TLSVersion member
208 :return: bool
209 """
210 if version == "SSLv2":
211 # never supported and not even in TLSVersion enum
212 return False
213
214 if isinstance(version, str):
215 version = ssl.TLSVersion.__members__[version]
216
217 # check compile time flags like ssl.HAS_TLSv1_2
218 if not getattr(ssl, f'HAS_{version.name}'):
219 return False
220
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]221 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
222 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
223 return False
224
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]225 # check runtime and dynamic crypto policy settings. A TLS version may
226 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]227 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]228 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]229 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]230 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
231 version < ctx.minimum_version
232 ):
233 return False
234 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]235 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]236 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
237 version > ctx.maximum_version
238 ):
239 return False
240
241 return True
242
243
244def requires_tls_version(version):
245 """Decorator to skip tests when a required TLS version is not available
246
247 :param version: TLS version name or ssl.TLSVersion member
248 :return:
249 """
250 def decorator(func):
251 @functools.wraps(func)
252 def wrapper(*args, **kw):
253 if not has_tls_version(version):
254 raise unittest.SkipTest(f"{version} is not available.")
255 else:
256 return func(*args, **kw)
257 return wrapper
258 return decorator
259
260
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]261def handle_error(prefix):
262 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]263 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]264 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]265
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]266
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]267def utc_offset(): #NOTE: ignore issues like #1647654
268 # local time = utc time + utc offset
269 if time.daylight and time.localtime().tm_isdst > 0:
270 return -time.altzone # seconds
271 return -time.timezone
272
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]273
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]274ignore_deprecation = warnings_helper.ignore_warnings(
275 category=DeprecationWarning
276)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]277
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]278
279def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]280 cert_reqs=ssl.CERT_NONE, ca_certs=None,
281 ciphers=None, certfile=None, keyfile=None,
282 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]283 if not kwargs.get("server_side"):
284 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
285 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
286 else:
287 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]288 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]289 if cert_reqs == ssl.CERT_NONE:
290 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]291 context.verify_mode = cert_reqs
292 if ca_certs is not None:
293 context.load_verify_locations(ca_certs)
294 if certfile is not None or keyfile is not None:
295 context.load_cert_chain(certfile, keyfile)
296 if ciphers is not None:
297 context.set_ciphers(ciphers)
298 return context.wrap_socket(sock, **kwargs)
299
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]300
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]301def testing_context(server_cert=SIGNED_CERTFILE, *, server_chain=True):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]302 """Create context
303
304 client_context, server_context, hostname = testing_context()
305 """
306 if server_cert == SIGNED_CERTFILE:
307 hostname = SIGNED_CERTFILE_HOSTNAME
308 elif server_cert == SIGNED_CERTFILE2:
309 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]310 elif server_cert == NOSANFILE:
311 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]312 else:
313 raise ValueError(server_cert)
314
315 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
316 client_context.load_verify_locations(SIGNING_CA)
317
318 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
319 server_context.load_cert_chain(server_cert)
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]320 if server_chain:
321 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]322
323 return client_context, server_context, hostname
324
325
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]326class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]327
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]328 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]329 ssl.CERT_NONE
330 ssl.CERT_OPTIONAL
331 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]332 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]333 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]334 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]335 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]336 self.assertEqual(ssl.HAS_SNI, True)
337 self.assertEqual(ssl.HAS_ECDH, True)
338 self.assertEqual(ssl.HAS_TLSv1_2, True)
339 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]340 ssl.OP_NO_SSLv2
341 ssl.OP_NO_SSLv3
342 ssl.OP_NO_TLSv1
343 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]344 ssl.OP_NO_TLSv1_1
345 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]346 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]347
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame]348 def test_ssl_types(self):
349 ssl_types = [
350 _ssl._SSLContext,
351 _ssl._SSLSocket,
352 _ssl.MemoryBIO,
353 _ssl.Certificate,
354 _ssl.SSLSession,
355 _ssl.SSLError,
356 ]
357 for ssl_type in ssl_types:
358 with self.subTest(ssl_type=ssl_type):
359 with self.assertRaisesRegex(TypeError, "immutable type"):
360 ssl_type.value = None
361 with self.assertRaisesRegex(
362 TypeError,
363 "cannot create '_ssl.Certificate' instances"
364 ):
365 _ssl.Certificate()
366
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]367 def test_private_init(self):
368 with self.assertRaisesRegex(TypeError, "public constructor"):
369 with socket.socket() as s:
370 ssl.SSLSocket(s)
371
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]372 def test_str_for_enums(self):
373 # Make sure that the PROTOCOL_* constants have enum-like string
374 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]375 proto = ssl.PROTOCOL_TLS_CLIENT
376 self.assertEqual(str(proto), 'PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]377 ctx = ssl.SSLContext(proto)
378 self.assertIs(ctx.protocol, proto)
379
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]380 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]381 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]382 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]383 sys.stdout.write("\n RAND_status is %d (%s)\n"
384 % (v, (v and "sufficient randomness") or
385 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]386
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]387 with warnings_helper.check_warnings():
388 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]389 self.assertEqual(len(data), 16)
390 self.assertEqual(is_cryptographic, v == 1)
391 if v:
392 data = ssl.RAND_bytes(16)
393 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]394 else:
395 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]396
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]397 # negative num is invalid
398 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]399 with warnings_helper.check_warnings():
400 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]401
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]402 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]403 ssl.RAND_add(b"this is a random bytes object", 75.0)
404 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]405
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]406 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]407 # note that this uses an 'unofficial' function in _ssl.c,
408 # provided solely for this test, to exercise the certificate
409 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]410 self.assertEqual(
411 ssl._ssl._test_decode_cert(CERTFILE),
412 CERTFILE_INFO
413 )
414 self.assertEqual(
415 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
416 SIGNED_CERTFILE_INFO
417 )
418
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]419 # Issue #13034: the subjectAltName in some certificates
420 # (notably projects.developer.nokia.com:443) wasn't parsed
421 p = ssl._ssl._test_decode_cert(NOKIACERT)
422 if support.verbose:
423 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
424 self.assertEqual(p['subjectAltName'],
425 (('DNS', 'projects.developer.nokia.com'),
426 ('DNS', 'projects.forum.nokia.com'))
427 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]428 # extra OCSP and AIA fields
429 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
430 self.assertEqual(p['caIssuers'],
431 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
432 self.assertEqual(p['crlDistributionPoints'],
433 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]434
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]435 def test_parse_cert_CVE_2019_5010(self):
436 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
437 if support.verbose:
438 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
439 self.assertEqual(
440 p,
441 {
442 'issuer': (
443 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
444 'notAfter': 'Jun 14 18:00:58 2028 GMT',
445 'notBefore': 'Jun 18 18:00:58 2018 GMT',
446 'serialNumber': '02',
447 'subject': ((('countryName', 'UK'),),
448 (('commonName',
449 'codenomicon-vm-2.test.lal.cisco.com'),)),
450 'subjectAltName': (
451 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
452 'version': 3
453 }
454 )
455
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]456 def test_parse_cert_CVE_2013_4238(self):
457 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
458 if support.verbose:
459 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
460 subject = ((('countryName', 'US'),),
461 (('stateOrProvinceName', 'Oregon'),),
462 (('localityName', 'Beaverton'),),
463 (('organizationName', 'Python Software Foundation'),),
464 (('organizationalUnitName', 'Python Core Development'),),
465 (('commonName', 'null.python.org\x00example.org'),),
466 (('emailAddress', 'python-dev@python.org'),))
467 self.assertEqual(p['subject'], subject)
468 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]469 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
470 san = (('DNS', 'altnull.python.org\x00example.com'),
471 ('email', 'null@python.org\x00user@example.org'),
472 ('URI', 'http://null.python.org\x00http://example.org'),
473 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]474 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]475 else:
476 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
477 san = (('DNS', 'altnull.python.org\x00example.com'),
478 ('email', 'null@python.org\x00user@example.org'),
479 ('URI', 'http://null.python.org\x00http://example.org'),
480 ('IP Address', '192.0.2.1'),
481 ('IP Address', '<invalid>'))
482
483 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]484
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]485 def test_parse_all_sans(self):
486 p = ssl._ssl._test_decode_cert(ALLSANFILE)
487 self.assertEqual(p['subjectAltName'],
488 (
489 ('DNS', 'allsans'),
490 ('othername', '<unsupported>'),
491 ('othername', '<unsupported>'),
492 ('email', 'user@example.org'),
493 ('DNS', 'www.example.org'),
494 ('DirName',
495 ((('countryName', 'XY'),),
496 (('localityName', 'Castle Anthrax'),),
497 (('organizationName', 'Python Software Foundation'),),
498 (('commonName', 'dirname example'),))),
499 ('URI', 'https://www.python.org/'),
500 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]501 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]502 ('Registered ID', '1.2.3.4.5')
503 )
504 )
505
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]506 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]507 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]508 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]509 d1 = ssl.PEM_cert_to_DER_cert(pem)
510 p2 = ssl.DER_cert_to_PEM_cert(d1)
511 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]512 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]513 if not p2.startswith(ssl.PEM_HEADER + '\n'):
514 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
515 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
516 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]517
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]518 def test_openssl_version(self):
519 n = ssl.OPENSSL_VERSION_NUMBER
520 t = ssl.OPENSSL_VERSION_INFO
521 s = ssl.OPENSSL_VERSION
522 self.assertIsInstance(n, int)
523 self.assertIsInstance(t, tuple)
524 self.assertIsInstance(s, str)
525 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]526 # >= 1.1.1
527 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]528 # < 4.0
529 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]530 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]531 self.assertGreaterEqual(major, 1)
532 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]533 self.assertGreaterEqual(minor, 0)
534 self.assertLess(minor, 256)
535 self.assertGreaterEqual(fix, 0)
536 self.assertLess(fix, 256)
537 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]538 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]539 self.assertGreaterEqual(status, 0)
540 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]541
542 libressl_ver = f"LibreSSL {major:d}"
543 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
544 self.assertTrue(
545 s.startswith((openssl_ver, libressl_ver)),
546 (s, t, hex(n))
547 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]548
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]549 @support.cpython_only
550 def test_refcycle(self):
551 # Issue #7943: an SSL object doesn't create reference cycles with
552 # itself.
553 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]554 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]555 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]556 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]557 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]558 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]559
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]560 def test_wrapped_unconnected(self):
561 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]562 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]563 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]564 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]565 self.assertRaises(OSError, ss.recv, 1)
566 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
567 self.assertRaises(OSError, ss.recvfrom, 1)
568 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
569 self.assertRaises(OSError, ss.send, b'x')
570 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]571 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]572 self.assertRaises(NotImplementedError, ss.sendmsg,
573 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]574 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
575 self.assertRaises(NotImplementedError, ss.recvmsg_into,
576 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]577
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]578 def test_timeout(self):
579 # Issue #8524: when creating an SSL socket, the timeout of the
580 # original socket should be retained.
581 for timeout in (None, 0.0, 5.0):
582 s = socket.socket(socket.AF_INET)
583 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]584 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]585 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]586
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]587 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]588 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]589 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]590 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]591 "certfile must be specified",
592 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]593 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]594 "certfile must be specified for server-side operations",
595 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]596 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]597 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]598 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]599 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
600 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]601 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]602 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]603 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]604 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]605 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]606 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]607 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]608 ssl.wrap_socket(sock,
609 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]610 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]611 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]612 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]613 ssl.wrap_socket(sock,
614 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]615 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]616
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]617 def bad_cert_test(self, certfile):
618 """Check that trying to use the given client certificate fails"""
619 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
620 certfile)
621 sock = socket.socket()
622 self.addCleanup(sock.close)
623 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]624 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]625 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]626
627 def test_empty_cert(self):
628 """Wrapping with an empty cert file"""
629 self.bad_cert_test("nullcert.pem")
630
631 def test_malformed_cert(self):
632 """Wrapping with a badly formatted certificate (syntax error)"""
633 self.bad_cert_test("badcert.pem")
634
635 def test_malformed_key(self):
636 """Wrapping with a badly formatted key (syntax error)"""
637 self.bad_cert_test("badkey.pem")
638
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]639 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]640 def test_match_hostname(self):
641 def ok(cert, hostname):
642 ssl.match_hostname(cert, hostname)
643 def fail(cert, hostname):
644 self.assertRaises(ssl.CertificateError,
645 ssl.match_hostname, cert, hostname)
646
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]647 # -- Hostname matching --
648
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]649 cert = {'subject': ((('commonName', 'example.com'),),)}
650 ok(cert, 'example.com')
651 ok(cert, 'ExAmple.cOm')
652 fail(cert, 'www.example.com')
653 fail(cert, '.example.com')
654 fail(cert, 'example.org')
655 fail(cert, 'exampleXcom')
656
657 cert = {'subject': ((('commonName', '*.a.com'),),)}
658 ok(cert, 'foo.a.com')
659 fail(cert, 'bar.foo.a.com')
660 fail(cert, 'a.com')
661 fail(cert, 'Xa.com')
662 fail(cert, '.a.com')
663
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]664 # only match wildcards when they are the only thing
665 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]666 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]667 fail(cert, 'foo.com')
668 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]669 fail(cert, 'bar.com')
670 fail(cert, 'foo.a.com')
671 fail(cert, 'bar.foo.com')
672
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]673 # NULL bytes are bad, CVE-2013-4073
674 cert = {'subject': ((('commonName',
675 'null.python.org\x00example.org'),),)}
676 ok(cert, 'null.python.org\x00example.org') # or raise an error?
677 fail(cert, 'example.org')
678 fail(cert, 'null.python.org')
679
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]680 # error cases with wildcards
681 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
682 fail(cert, 'bar.foo.a.com')
683 fail(cert, 'a.com')
684 fail(cert, 'Xa.com')
685 fail(cert, '.a.com')
686
687 cert = {'subject': ((('commonName', 'a.*.com'),),)}
688 fail(cert, 'a.foo.com')
689 fail(cert, 'a..com')
690 fail(cert, 'a.com')
691
692 # wildcard doesn't match IDNA prefix 'xn--'
693 idna = 'püthon.python.org'.encode("idna").decode("ascii")
694 cert = {'subject': ((('commonName', idna),),)}
695 ok(cert, idna)
696 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
697 fail(cert, idna)
698 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
699 fail(cert, idna)
700
701 # wildcard in first fragment and IDNA A-labels in sequent fragments
702 # are supported.
703 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
704 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]705 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
706 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]707 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
708 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
709
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]710 # Slightly fake real-world example
711 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
712 'subject': ((('commonName', 'linuxfrz.org'),),),
713 'subjectAltName': (('DNS', 'linuxfr.org'),
714 ('DNS', 'linuxfr.com'),
715 ('othername', '<unsupported>'))}
716 ok(cert, 'linuxfr.org')
717 ok(cert, 'linuxfr.com')
718 # Not a "DNS" entry
719 fail(cert, '<unsupported>')
720 # When there is a subjectAltName, commonName isn't used
721 fail(cert, 'linuxfrz.org')
722
723 # A pristine real-world example
724 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
725 'subject': ((('countryName', 'US'),),
726 (('stateOrProvinceName', 'California'),),
727 (('localityName', 'Mountain View'),),
728 (('organizationName', 'Google Inc'),),
729 (('commonName', 'mail.google.com'),))}
730 ok(cert, 'mail.google.com')
731 fail(cert, 'gmail.com')
732 # Only commonName is considered
733 fail(cert, 'California')
734
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]735 # -- IPv4 matching --
736 cert = {'subject': ((('commonName', 'example.com'),),),
737 'subjectAltName': (('DNS', 'example.com'),
738 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]739 ('IP Address', '14.15.16.17'),
740 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]741 ok(cert, '10.11.12.13')
742 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]743 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
744 fail(cert, '127.1')
745 fail(cert, '14.15.16.17 ')
746 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]747 fail(cert, '14.15.16.18')
748 fail(cert, 'example.net')
749
750 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]751 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]752 cert = {'subject': ((('commonName', 'example.com'),),),
753 'subjectAltName': (
754 ('DNS', 'example.com'),
755 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
756 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
757 ok(cert, '2001::cafe')
758 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]759 fail(cert, '2003::baba ')
760 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]761 fail(cert, '2003::bebe')
762 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]763
764 # -- Miscellaneous --
765
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]766 # Neither commonName nor subjectAltName
767 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
768 'subject': ((('countryName', 'US'),),
769 (('stateOrProvinceName', 'California'),),
770 (('localityName', 'Mountain View'),),
771 (('organizationName', 'Google Inc'),))}
772 fail(cert, 'mail.google.com')
773
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]774 # No DNS entry in subjectAltName but a commonName
775 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
776 'subject': ((('countryName', 'US'),),
777 (('stateOrProvinceName', 'California'),),
778 (('localityName', 'Mountain View'),),
779 (('commonName', 'mail.google.com'),)),
780 'subjectAltName': (('othername', 'blabla'), )}
781 ok(cert, 'mail.google.com')
782
783 # No DNS entry subjectAltName and no commonName
784 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
785 'subject': ((('countryName', 'US'),),
786 (('stateOrProvinceName', 'California'),),
787 (('localityName', 'Mountain View'),),
788 (('organizationName', 'Google Inc'),)),
789 'subjectAltName': (('othername', 'blabla'),)}
790 fail(cert, 'google.com')
791
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]792 # Empty cert / no cert
793 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
794 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
795
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]796 # Issue #17980: avoid denials of service by refusing more than one
797 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]798 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
799 with self.assertRaisesRegex(
800 ssl.CertificateError,
801 "partial wildcards in leftmost label are not supported"):
802 ssl.match_hostname(cert, 'axxb.example.com')
803
804 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
805 with self.assertRaisesRegex(
806 ssl.CertificateError,
807 "wildcard can only be present in the leftmost label"):
808 ssl.match_hostname(cert, 'www.sub.example.com')
809
810 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
811 with self.assertRaisesRegex(
812 ssl.CertificateError,
813 "too many wildcards"):
814 ssl.match_hostname(cert, 'axxbxxc.example.com')
815
816 cert = {'subject': ((('commonName', '*'),),)}
817 with self.assertRaisesRegex(
818 ssl.CertificateError,
819 "sole wildcard without additional labels are not support"):
820 ssl.match_hostname(cert, 'host')
821
822 cert = {'subject': ((('commonName', '*.com'),),)}
823 with self.assertRaisesRegex(
824 ssl.CertificateError,
825 r"hostname 'com' doesn't match '\*.com'"):
826 ssl.match_hostname(cert, 'com')
827
828 # extra checks for _inet_paton()
829 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
830 with self.assertRaises(ValueError):
831 ssl._inet_paton(invalid)
832 for ipaddr in ['127.0.0.1', '192.168.0.1']:
833 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]834 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]835 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
836 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]837
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]838 def test_server_side(self):
839 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]840 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]841 with socket.socket() as sock:
842 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
843 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]844
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]845 def test_unknown_channel_binding(self):
846 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]847 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]848 c = socket.socket(socket.AF_INET)
849 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]850 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]851 with self.assertRaises(ValueError):
852 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]853 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]854
855 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
856 "'tls-unique' channel binding not available")
857 def test_tls_unique_channel_binding(self):
858 # unconnected should return None for known type
859 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]860 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]861 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]862 # the same for server-side
863 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]864 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]865 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]866
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]867 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]868 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]869 r = repr(ss)
870 with self.assertWarns(ResourceWarning) as cm:
871 ss = None
872 support.gc_collect()
873 self.assertIn(r, str(cm.warning.args[0]))
874
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]875 def test_get_default_verify_paths(self):
876 paths = ssl.get_default_verify_paths()
877 self.assertEqual(len(paths), 6)
878 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
879
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]880 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]881 env["SSL_CERT_DIR"] = CAPATH
882 env["SSL_CERT_FILE"] = CERTFILE
883 paths = ssl.get_default_verify_paths()
884 self.assertEqual(paths.cafile, CERTFILE)
885 self.assertEqual(paths.capath, CAPATH)
886
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]887 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
888 def test_enum_certificates(self):
889 self.assertTrue(ssl.enum_certificates("CA"))
890 self.assertTrue(ssl.enum_certificates("ROOT"))
891
892 self.assertRaises(TypeError, ssl.enum_certificates)
893 self.assertRaises(WindowsError, ssl.enum_certificates, "")
894
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]895 trust_oids = set()
896 for storename in ("CA", "ROOT"):
897 store = ssl.enum_certificates(storename)
898 self.assertIsInstance(store, list)
899 for element in store:
900 self.assertIsInstance(element, tuple)
901 self.assertEqual(len(element), 3)
902 cert, enc, trust = element
903 self.assertIsInstance(cert, bytes)
904 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]905 self.assertIsInstance(trust, (frozenset, set, bool))
906 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]907 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]908
909 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]910 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]911
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]912 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]913 def test_enum_crls(self):
914 self.assertTrue(ssl.enum_crls("CA"))
915 self.assertRaises(TypeError, ssl.enum_crls)
916 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]917
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]918 crls = ssl.enum_crls("CA")
919 self.assertIsInstance(crls, list)
920 for element in crls:
921 self.assertIsInstance(element, tuple)
922 self.assertEqual(len(element), 2)
923 self.assertIsInstance(element[0], bytes)
924 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]925
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]926
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]927 def test_asn1object(self):
928 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
929 '1.3.6.1.5.5.7.3.1')
930
931 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
932 self.assertEqual(val, expected)
933 self.assertEqual(val.nid, 129)
934 self.assertEqual(val.shortname, 'serverAuth')
935 self.assertEqual(val.longname, 'TLS Web Server Authentication')
936 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
937 self.assertIsInstance(val, ssl._ASN1Object)
938 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
939
940 val = ssl._ASN1Object.fromnid(129)
941 self.assertEqual(val, expected)
942 self.assertIsInstance(val, ssl._ASN1Object)
943 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]944 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
945 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]946 for i in range(1000):
947 try:
948 obj = ssl._ASN1Object.fromnid(i)
949 except ValueError:
950 pass
951 else:
952 self.assertIsInstance(obj.nid, int)
953 self.assertIsInstance(obj.shortname, str)
954 self.assertIsInstance(obj.longname, str)
955 self.assertIsInstance(obj.oid, (str, type(None)))
956
957 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
958 self.assertEqual(val, expected)
959 self.assertIsInstance(val, ssl._ASN1Object)
960 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
961 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
962 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]963 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
964 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]965
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]966 def test_purpose_enum(self):
967 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
968 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
969 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
970 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
971 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
972 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
973 '1.3.6.1.5.5.7.3.1')
974
975 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
976 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
977 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
978 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
979 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
980 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
981 '1.3.6.1.5.5.7.3.2')
982
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]983 def test_unsupported_dtls(self):
984 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
985 self.addCleanup(s.close)
986 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]987 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]988 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]989 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]990 with self.assertRaises(NotImplementedError) as cx:
991 ctx.wrap_socket(s)
992 self.assertEqual(str(cx.exception), "only stream sockets are supported")
993
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]994 def cert_time_ok(self, timestring, timestamp):
995 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
996
997 def cert_time_fail(self, timestring):
998 with self.assertRaises(ValueError):
999 ssl.cert_time_to_seconds(timestring)
1000
1001 @unittest.skipUnless(utc_offset(),
1002 'local time needs to be different from UTC')
1003 def test_cert_time_to_seconds_timezone(self):
1004 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
1005 # results if local timezone is not UTC
1006 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
1007 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
1008
1009 def test_cert_time_to_seconds(self):
1010 timestring = "Jan 5 09:34:43 2018 GMT"
1011 ts = 1515144883.0
1012 self.cert_time_ok(timestring, ts)
1013 # accept keyword parameter, assert its name
1014 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
1015 # accept both %e and %d (space or zero generated by strftime)
1016 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
1017 # case-insensitive
1018 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
1019 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
1020 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1021 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1022 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1023 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1024 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1025 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1026
1027 newyear_ts = 1230768000.0
1028 # leap seconds
1029 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1030 # same timestamp
1031 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1032
1033 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1034 # allow 60th second (even if it is not a leap second)
1035 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1036 # allow 2nd leap second for compatibility with time.strptime()
1037 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1038 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1039
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1040 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1041 # 99991231235959Z (rfc 5280)
1042 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1043
1044 @support.run_with_locale('LC_ALL', '')
1045 def test_cert_time_to_seconds_locale(self):
1046 # `cert_time_to_seconds()` should be locale independent
1047
1048 def local_february_name():
1049 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1050
1051 if local_february_name().lower() == 'feb':
1052 self.skipTest("locale-specific month name needs to be "
1053 "different from C locale")
1054
1055 # locale-independent
1056 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1057 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1058
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1059 def test_connect_ex_error(self):
1060 server = socket.socket(socket.AF_INET)
1061 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1062 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1063 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1064 cert_reqs=ssl.CERT_REQUIRED)
1065 self.addCleanup(s.close)
1066 rc = s.connect_ex((HOST, port))
1067 # Issue #19919: Windows machines or VMs hosted on Windows
1068 # machines sometimes return EWOULDBLOCK.
1069 errors = (
1070 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1071 errno.EWOULDBLOCK,
1072 )
1073 self.assertIn(rc, errors)
1074
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1075 def test_read_write_zero(self):
1076 # empty reads and writes now work, bpo-42854, bpo-31711
1077 client_context, server_context, hostname = testing_context()
1078 server = ThreadedEchoServer(context=server_context)
1079 with server:
1080 with client_context.wrap_socket(socket.socket(),
1081 server_hostname=hostname) as s:
1082 s.connect((HOST, server.port))
1083 self.assertEqual(s.recv(0), b"")
1084 self.assertEqual(s.send(b""), 0)
1085
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1086
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1087class ContextTests(unittest.TestCase):
1088
1089 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1090 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1091 with warnings_helper.check_warnings():
1092 ctx = ssl.SSLContext(protocol)
1093 self.assertEqual(ctx.protocol, protocol)
1094 with warnings_helper.check_warnings():
1095 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1096 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1097 self.assertRaises(ValueError, ssl.SSLContext, -1)
1098 self.assertRaises(ValueError, ssl.SSLContext, 42)
1099
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1100 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1101 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1102 ctx.set_ciphers("ALL")
1103 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1104 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1105 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1106
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1107 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1108 "Test applies only to Python default ciphers")
1109 def test_python_ciphers(self):
1110 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1111 ciphers = ctx.get_ciphers()
1112 for suite in ciphers:
1113 name = suite['name']
1114 self.assertNotIn("PSK", name)
1115 self.assertNotIn("SRP", name)
1116 self.assertNotIn("MD5", name)
1117 self.assertNotIn("RC4", name)
1118 self.assertNotIn("3DES", name)
1119
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1120 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1121 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1122 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1123 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1124 self.assertIn('AES256-GCM-SHA384', names)
1125 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1126
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1127 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1128 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1129 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1130 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1131 # SSLContext also enables these by default
1132 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1133 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1134 OP_ENABLE_MIDDLEBOX_COMPAT |
1135 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1136 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1137 with warnings_helper.check_warnings():
1138 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1139 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1140 with warnings_helper.check_warnings():
1141 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1142 self.assertEqual(default, ctx.options)
1143 ctx.options = 0
1144 # Ubuntu has OP_NO_SSLv3 forced on by default
1145 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1146
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1147 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1148 with warnings_helper.check_warnings():
1149 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1150 # Default value
1151 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1152 ctx.verify_mode = ssl.CERT_OPTIONAL
1153 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1154 ctx.verify_mode = ssl.CERT_REQUIRED
1155 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1156 ctx.verify_mode = ssl.CERT_NONE
1157 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1158 with self.assertRaises(TypeError):
1159 ctx.verify_mode = None
1160 with self.assertRaises(ValueError):
1161 ctx.verify_mode = 42
1162
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1163 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1164 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1165 self.assertFalse(ctx.check_hostname)
1166
1167 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1168 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1169 self.assertTrue(ctx.check_hostname)
1170
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1171 def test_hostname_checks_common_name(self):
1172 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1173 self.assertTrue(ctx.hostname_checks_common_name)
1174 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1175 ctx.hostname_checks_common_name = True
1176 self.assertTrue(ctx.hostname_checks_common_name)
1177 ctx.hostname_checks_common_name = False
1178 self.assertFalse(ctx.hostname_checks_common_name)
1179 ctx.hostname_checks_common_name = True
1180 self.assertTrue(ctx.hostname_checks_common_name)
1181 else:
1182 with self.assertRaises(AttributeError):
1183 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1184
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1185 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1186 def test_min_max_version(self):
1187 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1188 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1189 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1190 minimum_range = {
1191 # stock OpenSSL
1192 ssl.TLSVersion.MINIMUM_SUPPORTED,
1193 # Fedora 29 uses TLS 1.0 by default
1194 ssl.TLSVersion.TLSv1,
1195 # RHEL 8 uses TLS 1.2 by default
1196 ssl.TLSVersion.TLSv1_2
1197 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1198 maximum_range = {
1199 # stock OpenSSL
1200 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1201 # Fedora 32 uses TLS 1.3 by default
1202 ssl.TLSVersion.TLSv1_3
1203 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1204
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1205 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1206 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1207 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1208 self.assertIn(
1209 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1210 )
1211
1212 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1213 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1214 self.assertEqual(
1215 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1216 )
1217 self.assertEqual(
1218 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1219 )
1220
1221 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1222 ctx.maximum_version = ssl.TLSVersion.TLSv1
1223 self.assertEqual(
1224 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1225 )
1226 self.assertEqual(
1227 ctx.maximum_version, ssl.TLSVersion.TLSv1
1228 )
1229
1230 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1231 self.assertEqual(
1232 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1233 )
1234
1235 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1236 self.assertIn(
1237 ctx.maximum_version,
1238 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1239 )
1240
1241 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1242 self.assertIn(
1243 ctx.minimum_version,
1244 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1245 )
1246
1247 with self.assertRaises(ValueError):
1248 ctx.minimum_version = 42
1249
1250 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1251
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1252 self.assertIn(
1253 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1254 )
1255 self.assertEqual(
1256 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1257 )
1258 with self.assertRaises(ValueError):
1259 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1260 with self.assertRaises(ValueError):
1261 ctx.maximum_version = ssl.TLSVersion.TLSv1
1262
1263
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1264 @unittest.skipUnless(
1265 hasattr(ssl.SSLContext, 'security_level'),
1266 "requires OpenSSL >= 1.1.0"
1267 )
1268 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1269 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1270 # The default security callback allows for levels between 0-5
1271 # with OpenSSL defaulting to 1, however some vendors override the
1272 # default value (e.g. Debian defaults to 2)
1273 security_level_range = {
1274 0,
1275 1, # OpenSSL default
1276 2, # Debian
1277 3,
1278 4,
1279 5,
1280 }
1281 self.assertIn(ctx.security_level, security_level_range)
1282
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1283 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1284 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1285 # default value
1286 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1287 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1288 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1289 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1290 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1291 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1292 ctx.verify_flags = ssl.VERIFY_DEFAULT
1293 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1294 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1295 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1296 # supports any value
1297 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1298 self.assertEqual(ctx.verify_flags,
1299 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1300 with self.assertRaises(TypeError):
1301 ctx.verify_flags = None
1302
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1303 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1304 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1305 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1306 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1307 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1308 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1309 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1310 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1311 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1312 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1313 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1314 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1315 ctx.load_cert_chain(EMPTYCERT)
1316 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1317 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1318 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1319 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1320 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1321 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1322 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1323 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1324 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1325 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1326 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1327 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1328 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1329 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1330 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1331 # Password protected key and cert
1332 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1333 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1334 ctx.load_cert_chain(CERTFILE_PROTECTED,
1335 password=bytearray(KEY_PASSWORD.encode()))
1336 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1337 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1338 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1339 bytearray(KEY_PASSWORD.encode()))
1340 with self.assertRaisesRegex(TypeError, "should be a string"):
1341 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1342 with self.assertRaises(ssl.SSLError):
1343 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1344 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1345 # openssl has a fixed limit on the password buffer.
1346 # PEM_BUFSIZE is generally set to 1kb.
1347 # Return a string larger than this.
1348 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1349 # Password callback
1350 def getpass_unicode():
1351 return KEY_PASSWORD
1352 def getpass_bytes():
1353 return KEY_PASSWORD.encode()
1354 def getpass_bytearray():
1355 return bytearray(KEY_PASSWORD.encode())
1356 def getpass_badpass():
1357 return "badpass"
1358 def getpass_huge():
1359 return b'a' * (1024 * 1024)
1360 def getpass_bad_type():
1361 return 9
1362 def getpass_exception():
1363 raise Exception('getpass error')
1364 class GetPassCallable:
1365 def __call__(self):
1366 return KEY_PASSWORD
1367 def getpass(self):
1368 return KEY_PASSWORD
1369 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1370 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1371 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1372 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1373 ctx.load_cert_chain(CERTFILE_PROTECTED,
1374 password=GetPassCallable().getpass)
1375 with self.assertRaises(ssl.SSLError):
1376 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1377 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1378 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1379 with self.assertRaisesRegex(TypeError, "must return a string"):
1380 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1381 with self.assertRaisesRegex(Exception, "getpass error"):
1382 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1383 # Make sure the password function isn't called if it isn't needed
1384 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1385
1386 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1387 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1388 ctx.load_verify_locations(CERTFILE)
1389 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1390 ctx.load_verify_locations(BYTES_CERTFILE)
1391 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1392 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1393 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1394 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1395 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1396 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1397 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1398 ctx.load_verify_locations(BADCERT)
1399 ctx.load_verify_locations(CERTFILE, CAPATH)
1400 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1401
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1402 # Issue #10989: crash if the second argument type is invalid
1403 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1404
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1405 def test_load_verify_cadata(self):
1406 # test cadata
1407 with open(CAFILE_CACERT) as f:
1408 cacert_pem = f.read()
1409 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1410 with open(CAFILE_NEURONIO) as f:
1411 neuronio_pem = f.read()
1412 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1413
1414 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1415 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1416 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1417 ctx.load_verify_locations(cadata=cacert_pem)
1418 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1419 ctx.load_verify_locations(cadata=neuronio_pem)
1420 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1421 # cert already in hash table
1422 ctx.load_verify_locations(cadata=neuronio_pem)
1423 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1424
1425 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1426 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1427 combined = "\n".join((cacert_pem, neuronio_pem))
1428 ctx.load_verify_locations(cadata=combined)
1429 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1430
1431 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1432 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1433 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1434 neuronio_pem, "tail"]
1435 ctx.load_verify_locations(cadata="\n".join(combined))
1436 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1437
1438 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1439 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1440 ctx.load_verify_locations(cadata=cacert_der)
1441 ctx.load_verify_locations(cadata=neuronio_der)
1442 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1443 # cert already in hash table
1444 ctx.load_verify_locations(cadata=cacert_der)
1445 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1446
1447 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1448 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1449 combined = b"".join((cacert_der, neuronio_der))
1450 ctx.load_verify_locations(cadata=combined)
1451 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1452
1453 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1454 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1455 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1456
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1457 with self.assertRaisesRegex(
1458 ssl.SSLError,
1459 "no start line: cadata does not contain a certificate"
1460 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1461 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1462 with self.assertRaisesRegex(
1463 ssl.SSLError,
1464 "not enough data: cadata does not contain a certificate"
1465 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1466 ctx.load_verify_locations(cadata=b"broken")
1467
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1468 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1469 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1470 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1471 ctx.load_dh_params(DHFILE)
1472 if os.name != 'nt':
1473 ctx.load_dh_params(BYTES_DHFILE)
1474 self.assertRaises(TypeError, ctx.load_dh_params)
1475 self.assertRaises(TypeError, ctx.load_dh_params, None)
1476 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1477 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1478 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1479 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1480 ctx.load_dh_params(CERTFILE)
1481
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1482 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1483 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1484 ctx = ssl.SSLContext(proto)
1485 self.assertEqual(ctx.session_stats(), {
1486 'number': 0,
1487 'connect': 0,
1488 'connect_good': 0,
1489 'connect_renegotiate': 0,
1490 'accept': 0,
1491 'accept_good': 0,
1492 'accept_renegotiate': 0,
1493 'hits': 0,
1494 'misses': 0,
1495 'timeouts': 0,
1496 'cache_full': 0,
1497 })
1498
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1499 def test_set_default_verify_paths(self):
1500 # There's not much we can do to test that it acts as expected,
1501 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1502 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1503 ctx.set_default_verify_paths()
1504
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1505 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1506 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1507 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1508 ctx.set_ecdh_curve("prime256v1")
1509 ctx.set_ecdh_curve(b"prime256v1")
1510 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1511 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1512 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1513 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1514
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1515 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1516 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1517
1518 # set_servername_callback expects a callable, or None
1519 self.assertRaises(TypeError, ctx.set_servername_callback)
1520 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1521 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1522 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1523
1524 def dummycallback(sock, servername, ctx):
1525 pass
1526 ctx.set_servername_callback(None)
1527 ctx.set_servername_callback(dummycallback)
1528
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1529 def test_sni_callback_refcycle(self):
1530 # Reference cycles through the servername callback are detected
1531 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1532 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1533 def dummycallback(sock, servername, ctx, cycle=ctx):
1534 pass
1535 ctx.set_servername_callback(dummycallback)
1536 wr = weakref.ref(ctx)
1537 del ctx, dummycallback
1538 gc.collect()
1539 self.assertIs(wr(), None)
1540
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1541 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1542 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1543 self.assertEqual(ctx.cert_store_stats(),
1544 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1545 ctx.load_cert_chain(CERTFILE)
1546 self.assertEqual(ctx.cert_store_stats(),
1547 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1548 ctx.load_verify_locations(CERTFILE)
1549 self.assertEqual(ctx.cert_store_stats(),
1550 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1551 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1552 self.assertEqual(ctx.cert_store_stats(),
1553 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1554
1555 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1556 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1557 self.assertEqual(ctx.get_ca_certs(), [])
1558 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1559 ctx.load_verify_locations(CERTFILE)
1560 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1561 # but CAFILE_CACERT is a CA cert
1562 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1563 self.assertEqual(ctx.get_ca_certs(),
1564 [{'issuer': ((('organizationName', 'Root CA'),),
1565 (('organizationalUnitName', 'http://www.cacert.org'),),
1566 (('commonName', 'CA Cert Signing Authority'),),
1567 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1568 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1569 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1570 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1571 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1572 'subject': ((('organizationName', 'Root CA'),),
1573 (('organizationalUnitName', 'http://www.cacert.org'),),
1574 (('commonName', 'CA Cert Signing Authority'),),
1575 (('emailAddress', 'support@cacert.org'),)),
1576 'version': 3}])
1577
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1578 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1579 pem = f.read()
1580 der = ssl.PEM_cert_to_DER_cert(pem)
1581 self.assertEqual(ctx.get_ca_certs(True), [der])
1582
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1583 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1584 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1585 ctx.load_default_certs()
1586
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1587 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1588 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1589 ctx.load_default_certs()
1590
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1591 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1592 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1593
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1594 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1595 self.assertRaises(TypeError, ctx.load_default_certs, None)
1596 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1597
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1598 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1599 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1600 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1601 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1602 env["SSL_CERT_DIR"] = CAPATH
1603 env["SSL_CERT_FILE"] = CERTFILE
1604 ctx.load_default_certs()
1605 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1606
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1607 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1608 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1609 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1610 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1611 ctx.load_default_certs()
1612 stats = ctx.cert_store_stats()
1613
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1614 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1615 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1616 env["SSL_CERT_DIR"] = CAPATH
1617 env["SSL_CERT_FILE"] = CERTFILE
1618 ctx.load_default_certs()
1619 stats["x509"] += 1
1620 self.assertEqual(ctx.cert_store_stats(), stats)
1621
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1622 def _assert_context_options(self, ctx):
1623 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1624 if OP_NO_COMPRESSION != 0:
1625 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1626 OP_NO_COMPRESSION)
1627 if OP_SINGLE_DH_USE != 0:
1628 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1629 OP_SINGLE_DH_USE)
1630 if OP_SINGLE_ECDH_USE != 0:
1631 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1632 OP_SINGLE_ECDH_USE)
1633 if OP_CIPHER_SERVER_PREFERENCE != 0:
1634 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1635 OP_CIPHER_SERVER_PREFERENCE)
1636
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1637 def test_create_default_context(self):
1638 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1639
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1640 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1641 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1642 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1643 self._assert_context_options(ctx)
1644
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1645 with open(SIGNING_CA) as f:
1646 cadata = f.read()
1647 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1648 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1649 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1650 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1651 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1652
1653 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1654 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1655 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1656 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1657
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1658
1659
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1660 def test__create_stdlib_context(self):
1661 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1662 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1663 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1664 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1665 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1666
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1667 with warnings_helper.check_warnings():
1668 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1669 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1670 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1671 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1672
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1673 with warnings_helper.check_warnings():
1674 ctx = ssl._create_stdlib_context(
1675 ssl.PROTOCOL_TLSv1_2,
1676 cert_reqs=ssl.CERT_REQUIRED,
1677 check_hostname=True
1678 )
1679 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1680 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1681 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1682 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1683
1684 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1685 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1686 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1687 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1688
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1689 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1690 with warnings_helper.check_warnings():
1691 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1692 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1693 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1694
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1695 # Auto set CERT_REQUIRED
1696 ctx.check_hostname = True
1697 self.assertTrue(ctx.check_hostname)
1698 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1699 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1700 ctx.verify_mode = ssl.CERT_REQUIRED
1701 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1702 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1703
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1704 # Changing verify_mode does not affect check_hostname
1705 ctx.check_hostname = False
1706 ctx.verify_mode = ssl.CERT_NONE
1707 ctx.check_hostname = False
1708 self.assertFalse(ctx.check_hostname)
1709 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1710 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1711 ctx.check_hostname = True
1712 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1713 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1714
1715 ctx.check_hostname = False
1716 ctx.verify_mode = ssl.CERT_OPTIONAL
1717 ctx.check_hostname = False
1718 self.assertFalse(ctx.check_hostname)
1719 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1720 # keep CERT_OPTIONAL
1721 ctx.check_hostname = True
1722 self.assertTrue(ctx.check_hostname)
1723 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1724
1725 # Cannot set CERT_NONE with check_hostname enabled
1726 with self.assertRaises(ValueError):
1727 ctx.verify_mode = ssl.CERT_NONE
1728 ctx.check_hostname = False
1729 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1730 ctx.verify_mode = ssl.CERT_NONE
1731 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1732
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1733 def test_context_client_server(self):
1734 # PROTOCOL_TLS_CLIENT has sane defaults
1735 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1736 self.assertTrue(ctx.check_hostname)
1737 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1738
1739 # PROTOCOL_TLS_SERVER has different but also sane defaults
1740 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1741 self.assertFalse(ctx.check_hostname)
1742 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1743
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1744 def test_context_custom_class(self):
1745 class MySSLSocket(ssl.SSLSocket):
1746 pass
1747
1748 class MySSLObject(ssl.SSLObject):
1749 pass
1750
1751 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1752 ctx.sslsocket_class = MySSLSocket
1753 ctx.sslobject_class = MySSLObject
1754
1755 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1756 self.assertIsInstance(sock, MySSLSocket)
1757 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
1758 self.assertIsInstance(obj, MySSLObject)
1759
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1760 def test_num_tickest(self):
1761 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1762 self.assertEqual(ctx.num_tickets, 2)
1763 ctx.num_tickets = 1
1764 self.assertEqual(ctx.num_tickets, 1)
1765 ctx.num_tickets = 0
1766 self.assertEqual(ctx.num_tickets, 0)
1767 with self.assertRaises(ValueError):
1768 ctx.num_tickets = -1
1769 with self.assertRaises(TypeError):
1770 ctx.num_tickets = None
1771
1772 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1773 self.assertEqual(ctx.num_tickets, 2)
1774 with self.assertRaises(ValueError):
1775 ctx.num_tickets = 1
1776
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1777
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1778class SSLErrorTests(unittest.TestCase):
1779
1780 def test_str(self):
1781 # The str() of a SSLError doesn't include the errno
1782 e = ssl.SSLError(1, "foo")
1783 self.assertEqual(str(e), "foo")
1784 self.assertEqual(e.errno, 1)
1785 # Same for a subclass
1786 e = ssl.SSLZeroReturnError(1, "foo")
1787 self.assertEqual(str(e), "foo")
1788 self.assertEqual(e.errno, 1)
1789
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1790 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1791 def test_lib_reason(self):
1792 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1793 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1794 with self.assertRaises(ssl.SSLError) as cm:
1795 ctx.load_dh_params(CERTFILE)
1796 self.assertEqual(cm.exception.library, 'PEM')
1797 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1798 s = str(cm.exception)
1799 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1800
1801 def test_subclass(self):
1802 # Check that the appropriate SSLError subclass is raised
1803 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1804 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1805 ctx.check_hostname = False
1806 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1807 with socket.create_server(("127.0.0.1", 0)) as s:
1808 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1809 c.setblocking(False)
1810 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1811 with self.assertRaises(ssl.SSLWantReadError) as cm:
1812 c.do_handshake()
1813 s = str(cm.exception)
1814 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1815 # For compatibility
1816 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1817
1818
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1819 def test_bad_server_hostname(self):
1820 ctx = ssl.create_default_context()
1821 with self.assertRaises(ValueError):
1822 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1823 server_hostname="")
1824 with self.assertRaises(ValueError):
1825 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1826 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1827 with self.assertRaises(TypeError):
1828 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1829 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1830
1831
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1832class MemoryBIOTests(unittest.TestCase):
1833
1834 def test_read_write(self):
1835 bio = ssl.MemoryBIO()
1836 bio.write(b'foo')
1837 self.assertEqual(bio.read(), b'foo')
1838 self.assertEqual(bio.read(), b'')
1839 bio.write(b'foo')
1840 bio.write(b'bar')
1841 self.assertEqual(bio.read(), b'foobar')
1842 self.assertEqual(bio.read(), b'')
1843 bio.write(b'baz')
1844 self.assertEqual(bio.read(2), b'ba')
1845 self.assertEqual(bio.read(1), b'z')
1846 self.assertEqual(bio.read(1), b'')
1847
1848 def test_eof(self):
1849 bio = ssl.MemoryBIO()
1850 self.assertFalse(bio.eof)
1851 self.assertEqual(bio.read(), b'')
1852 self.assertFalse(bio.eof)
1853 bio.write(b'foo')
1854 self.assertFalse(bio.eof)
1855 bio.write_eof()
1856 self.assertFalse(bio.eof)
1857 self.assertEqual(bio.read(2), b'fo')
1858 self.assertFalse(bio.eof)
1859 self.assertEqual(bio.read(1), b'o')
1860 self.assertTrue(bio.eof)
1861 self.assertEqual(bio.read(), b'')
1862 self.assertTrue(bio.eof)
1863
1864 def test_pending(self):
1865 bio = ssl.MemoryBIO()
1866 self.assertEqual(bio.pending, 0)
1867 bio.write(b'foo')
1868 self.assertEqual(bio.pending, 3)
1869 for i in range(3):
1870 bio.read(1)
1871 self.assertEqual(bio.pending, 3-i-1)
1872 for i in range(3):
1873 bio.write(b'x')
1874 self.assertEqual(bio.pending, i+1)
1875 bio.read()
1876 self.assertEqual(bio.pending, 0)
1877
1878 def test_buffer_types(self):
1879 bio = ssl.MemoryBIO()
1880 bio.write(b'foo')
1881 self.assertEqual(bio.read(), b'foo')
1882 bio.write(bytearray(b'bar'))
1883 self.assertEqual(bio.read(), b'bar')
1884 bio.write(memoryview(b'baz'))
1885 self.assertEqual(bio.read(), b'baz')
1886
1887 def test_error_types(self):
1888 bio = ssl.MemoryBIO()
1889 self.assertRaises(TypeError, bio.write, 'foo')
1890 self.assertRaises(TypeError, bio.write, None)
1891 self.assertRaises(TypeError, bio.write, True)
1892 self.assertRaises(TypeError, bio.write, 1)
1893
1894
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1895class SSLObjectTests(unittest.TestCase):
1896 def test_private_init(self):
1897 bio = ssl.MemoryBIO()
1898 with self.assertRaisesRegex(TypeError, "public constructor"):
1899 ssl.SSLObject(bio, bio)
1900
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1901 def test_unwrap(self):
1902 client_ctx, server_ctx, hostname = testing_context()
1903 c_in = ssl.MemoryBIO()
1904 c_out = ssl.MemoryBIO()
1905 s_in = ssl.MemoryBIO()
1906 s_out = ssl.MemoryBIO()
1907 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1908 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1909
1910 # Loop on the handshake for a bit to get it settled
1911 for _ in range(5):
1912 try:
1913 client.do_handshake()
1914 except ssl.SSLWantReadError:
1915 pass
1916 if c_out.pending:
1917 s_in.write(c_out.read())
1918 try:
1919 server.do_handshake()
1920 except ssl.SSLWantReadError:
1921 pass
1922 if s_out.pending:
1923 c_in.write(s_out.read())
1924 # Now the handshakes should be complete (don't raise WantReadError)
1925 client.do_handshake()
1926 server.do_handshake()
1927
1928 # Now if we unwrap one side unilaterally, it should send close-notify
1929 # and raise WantReadError:
1930 with self.assertRaises(ssl.SSLWantReadError):
1931 client.unwrap()
1932
1933 # But server.unwrap() does not raise, because it reads the client's
1934 # close-notify:
1935 s_in.write(c_out.read())
1936 server.unwrap()
1937
1938 # And now that the client gets the server's close-notify, it doesn't
1939 # raise either.
1940 c_in.write(s_out.read())
1941 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1942
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1943class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1944 """Tests that connect to a simple server running in the background"""
1945
1946 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1947 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1948 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1949 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1950 self.server_addr = (HOST, server.port)
1951 server.__enter__()
1952 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1953
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1954 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1955 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1956 cert_reqs=ssl.CERT_NONE) as s:
1957 s.connect(self.server_addr)
1958 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1959 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1960
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1961 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1962 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1963 cert_reqs=ssl.CERT_REQUIRED,
1964 ca_certs=SIGNING_CA) as s:
1965 s.connect(self.server_addr)
1966 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1967 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1968
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1969 def test_connect_fail(self):
1970 # This should fail because we have no verification certs. Connection
1971 # failure crashes ThreadedEchoServer, so run this in an independent
1972 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1973 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1974 cert_reqs=ssl.CERT_REQUIRED)
1975 self.addCleanup(s.close)
1976 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1977 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1978
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1979 def test_connect_ex(self):
1980 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1981 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1982 cert_reqs=ssl.CERT_REQUIRED,
1983 ca_certs=SIGNING_CA)
1984 self.addCleanup(s.close)
1985 self.assertEqual(0, s.connect_ex(self.server_addr))
1986 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1987
1988 def test_non_blocking_connect_ex(self):
1989 # Issue #11326: non-blocking connect_ex() should allow handshake
1990 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1991 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1992 cert_reqs=ssl.CERT_REQUIRED,
1993 ca_certs=SIGNING_CA,
1994 do_handshake_on_connect=False)
1995 self.addCleanup(s.close)
1996 s.setblocking(False)
1997 rc = s.connect_ex(self.server_addr)
1998 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
1999 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
2000 # Wait for connect to finish
2001 select.select([], [s], [], 5.0)
2002 # Non-blocking handshake
2003 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2004 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2005 s.do_handshake()
2006 break
2007 except ssl.SSLWantReadError:
2008 select.select([s], [], [], 5.0)
2009 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2010 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2011 # SSL established
2012 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]2013
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2014 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2015 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2016 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2017 ctx.check_hostname = False
2018 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2019 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2020 s.connect(self.server_addr)
2021 self.assertEqual({}, s.getpeercert())
2022 # Same with a server hostname
2023 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2024 server_hostname="dummy") as s:
2025 s.connect(self.server_addr)
2026 ctx.verify_mode = ssl.CERT_REQUIRED
2027 # This should succeed because we specify the root cert
2028 ctx.load_verify_locations(SIGNING_CA)
2029 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2030 s.connect(self.server_addr)
2031 cert = s.getpeercert()
2032 self.assertTrue(cert)
2033
2034 def test_connect_with_context_fail(self):
2035 # This should fail because we have no verification certs. Connection
2036 # failure crashes ThreadedEchoServer, so run this in an independent
2037 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2038 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2039 s = ctx.wrap_socket(
2040 socket.socket(socket.AF_INET),
2041 server_hostname=SIGNED_CERTFILE_HOSTNAME
2042 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2043 self.addCleanup(s.close)
2044 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2045 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2046
2047 def test_connect_capath(self):
2048 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2049 # NOTE: the subject hashing algorithm has been changed between
2050 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2051 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2052 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2053 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2054 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2055 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2056 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2057 s.connect(self.server_addr)
2058 cert = s.getpeercert()
2059 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2060
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2061 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2062 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2063 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2064 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2065 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2066 s.connect(self.server_addr)
2067 cert = s.getpeercert()
2068 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2069
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2070 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2071 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2072 pem = f.read()
2073 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2074 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2075 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2076 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2077 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2078 s.connect(self.server_addr)
2079 cert = s.getpeercert()
2080 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2081
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2082 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2083 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2084 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2085 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2086 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2087 s.connect(self.server_addr)
2088 cert = s.getpeercert()
2089 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2090
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2091 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2092 def test_makefile_close(self):
2093 # Issue #5238: creating a file-like object with makefile() shouldn't
2094 # delay closing the underlying "real socket" (here tested with its
2095 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2096 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2097 ss.connect(self.server_addr)
2098 fd = ss.fileno()
2099 f = ss.makefile()
2100 f.close()
2101 # The fd is still open
2102 os.read(fd, 0)
2103 # Closing the SSL socket should close the fd too
2104 ss.close()
2105 gc.collect()
2106 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2107 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2108 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2109
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2110 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2111 s = socket.socket(socket.AF_INET)
2112 s.connect(self.server_addr)
2113 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2114 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2115 cert_reqs=ssl.CERT_NONE,
2116 do_handshake_on_connect=False)
2117 self.addCleanup(s.close)
2118 count = 0
2119 while True:
2120 try:
2121 count += 1
2122 s.do_handshake()
2123 break
2124 except ssl.SSLWantReadError:
2125 select.select([s], [], [])
2126 except ssl.SSLWantWriteError:
2127 select.select([], [s], [])
2128 if support.verbose:
2129 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2130
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2131 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2132 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2133
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2134 def test_get_server_certificate_sni(self):
2135 host, port = self.server_addr
2136 server_names = []
2137
2138 # We store servername_cb arguments to make sure they match the host
2139 def servername_cb(ssl_sock, server_name, initial_context):
2140 server_names.append(server_name)
2141 self.server_context.set_servername_callback(servername_cb)
2142
2143 pem = ssl.get_server_certificate((host, port))
2144 if not pem:
2145 self.fail("No server certificate on %s:%s!" % (host, port))
2146
2147 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2148 if not pem:
2149 self.fail("No server certificate on %s:%s!" % (host, port))
2150 if support.verbose:
2151 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2152
2153 self.assertEqual(server_names, [host, host])
2154
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2155 def test_get_server_certificate_fail(self):
2156 # Connection failure crashes ThreadedEchoServer, so run this in an
2157 # independent test method
2158 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2159
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2160 def test_get_server_certificate_timeout(self):
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2161 def servername_cb(ssl_sock, server_name, initial_context):
2162 time.sleep(0.2)
2163 self.server_context.set_servername_callback(servername_cb)
2164
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2165 with self.assertRaises(socket.timeout):
2166 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2167 timeout=0.1)
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2168
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2169 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2170 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2171 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2172 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2173 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2174 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2175 s.connect(self.server_addr)
2176 # Error checking can happen at instantiation or when connecting
2177 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2178 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2179 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2180 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2181 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2182
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2183 def test_get_ca_certs_capath(self):
2184 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2185 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2186 ctx.load_verify_locations(capath=CAPATH)
2187 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2188 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2189 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2190 s.connect(self.server_addr)
2191 cert = s.getpeercert()
2192 self.assertTrue(cert)
2193 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2194
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2195 def test_context_setget(self):
2196 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2197 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2198 ctx1.load_verify_locations(capath=CAPATH)
2199 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2200 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2201 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2202 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2203 ss.connect(self.server_addr)
2204 self.assertIs(ss.context, ctx1)
2205 self.assertIs(ss._sslobj.context, ctx1)
2206 ss.context = ctx2
2207 self.assertIs(ss.context, ctx2)
2208 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2209
2210 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2211 # A simple IO loop. Call func(*args) depending on the error we get
2212 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2213 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2214 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2215 count = 0
2216 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2217 if time.monotonic() > deadline:
2218 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2219 errno = None
2220 count += 1
2221 try:
2222 ret = func(*args)
2223 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2224 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2225 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2226 raise
2227 errno = e.errno
2228 # Get any data from the outgoing BIO irrespective of any error, and
2229 # send it to the socket.
2230 buf = outgoing.read()
2231 sock.sendall(buf)
2232 # If there's no error, we're done. For WANT_READ, we need to get
2233 # data from the socket and put it in the incoming BIO.
2234 if errno is None:
2235 break
2236 elif errno == ssl.SSL_ERROR_WANT_READ:
2237 buf = sock.recv(32768)
2238 if buf:
2239 incoming.write(buf)
2240 else:
2241 incoming.write_eof()
2242 if support.verbose:
2243 sys.stdout.write("Needed %d calls to complete %s().\n"
2244 % (count, func.__name__))
2245 return ret
2246
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2247 def test_bio_handshake(self):
2248 sock = socket.socket(socket.AF_INET)
2249 self.addCleanup(sock.close)
2250 sock.connect(self.server_addr)
2251 incoming = ssl.MemoryBIO()
2252 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2253 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2254 self.assertTrue(ctx.check_hostname)
2255 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2256 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2257 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2258 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2259 self.assertIs(sslobj._sslobj.owner, sslobj)
2260 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2261 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2262 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2263 self.assertRaises(ValueError, sslobj.getpeercert)
2264 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2265 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2266 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2267 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2268 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2269 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2270 self.assertTrue(sslobj.getpeercert())
2271 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2272 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2273 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2274 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2275 except ssl.SSLSyscallError:
2276 # If the server shuts down the TCP connection without sending a
2277 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2278 pass
2279 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2280
2281 def test_bio_read_write_data(self):
2282 sock = socket.socket(socket.AF_INET)
2283 self.addCleanup(sock.close)
2284 sock.connect(self.server_addr)
2285 incoming = ssl.MemoryBIO()
2286 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2287 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2288 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2289 ctx.verify_mode = ssl.CERT_NONE
2290 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2291 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2292 req = b'FOO\n'
2293 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2294 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2295 self.assertEqual(buf, b'foo\n')
2296 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2297
2298
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2299class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2300
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2301 def test_timeout_connect_ex(self):
2302 # Issue #12065: on a timeout, connect_ex() should return the original
2303 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2304 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2305 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2306 cert_reqs=ssl.CERT_REQUIRED,
2307 do_handshake_on_connect=False)
2308 self.addCleanup(s.close)
2309 s.settimeout(0.0000001)
2310 rc = s.connect_ex((REMOTE_HOST, 443))
2311 if rc == 0:
2312 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2313 elif rc == errno.ENETUNREACH:
2314 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2315 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2316
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2317 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2318 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2319 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2320 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2321 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2322
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2323
2324def _test_get_server_certificate(test, host, port, cert=None):
2325 pem = ssl.get_server_certificate((host, port))
2326 if not pem:
2327 test.fail("No server certificate on %s:%s!" % (host, port))
2328
2329 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2330 if not pem:
2331 test.fail("No server certificate on %s:%s!" % (host, port))
2332 if support.verbose:
2333 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2334
2335def _test_get_server_certificate_fail(test, host, port):
2336 try:
2337 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2338 except ssl.SSLError as x:
2339 #should fail
2340 if support.verbose:
2341 sys.stdout.write("%s\n" % x)
2342 else:
2343 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2344
2345
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2346from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2347
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2348class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2349
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2350 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2351
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2352 """A mildly complicated class, because we want it to work both
2353 with and without the SSL wrapper around the socket connection, so
2354 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2355
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2356 def __init__(self, server, connsock, addr):
2357 self.server = server
2358 self.running = False
2359 self.sock = connsock
2360 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2361 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2362 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2363 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2364 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2365
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2366 def wrap_conn(self):
2367 try:
2368 self.sslconn = self.server.context.wrap_socket(
2369 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2370 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2371 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2372 # We treat ConnectionResetError as though it were an
2373 # SSLError - OpenSSL on Ubuntu abruptly closes the
2374 # connection when asked to use an unsupported protocol.
2375 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2376 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2377 # tries to send session tickets after handshake.
2378 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2379 #
2380 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2381 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2382 self.server.conn_errors.append(str(e))
2383 if self.server.chatty:
2384 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2385 self.running = False
2386 self.close()
2387 return False
2388 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2389 # OSError may occur with wrong protocols, e.g. both
2390 # sides use PROTOCOL_TLS_SERVER.
2391 #
2392 # XXX Various errors can have happened here, for example
2393 # a mismatching protocol version, an invalid certificate,
2394 # or a low-level bug. This should be made more discriminating.
2395 #
2396 # bpo-31323: Store the exception as string to prevent
2397 # a reference leak: server -> conn_errors -> exception
2398 # -> traceback -> self (ConnectionHandler) -> server
2399 self.server.conn_errors.append(str(e))
2400 if self.server.chatty:
2401 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2402 self.running = False
2403 self.server.stop()
2404 self.close()
2405 return False
2406 else:
2407 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2408 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2409 cert = self.sslconn.getpeercert()
2410 if support.verbose and self.server.chatty:
2411 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2412 cert_binary = self.sslconn.getpeercert(True)
2413 if support.verbose and self.server.chatty:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2414 if cert_binary is None:
2415 sys.stdout.write(" client did not provide a cert\n")
2416 else:
2417 sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2418 cipher = self.sslconn.cipher()
2419 if support.verbose and self.server.chatty:
2420 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2421 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2422
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2423 def read(self):
2424 if self.sslconn:
2425 return self.sslconn.read()
2426 else:
2427 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2428
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2429 def write(self, bytes):
2430 if self.sslconn:
2431 return self.sslconn.write(bytes)
2432 else:
2433 return self.sock.send(bytes)
2434
2435 def close(self):
2436 if self.sslconn:
2437 self.sslconn.close()
2438 else:
2439 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2440
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2441 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2442 self.running = True
2443 if not self.server.starttls_server:
2444 if not self.wrap_conn():
2445 return
2446 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2447 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2448 msg = self.read()
2449 stripped = msg.strip()
2450 if not stripped:
2451 # eof, so quit this handler
2452 self.running = False
2453 try:
2454 self.sock = self.sslconn.unwrap()
2455 except OSError:
2456 # Many tests shut the TCP connection down
2457 # without an SSL shutdown. This causes
2458 # unwrap() to raise OSError with errno=0!
2459 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2460 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2461 self.sslconn = None
2462 self.close()
2463 elif stripped == b'over':
2464 if support.verbose and self.server.connectionchatty:
2465 sys.stdout.write(" server: client closed connection\n")
2466 self.close()
2467 return
2468 elif (self.server.starttls_server and
2469 stripped == b'STARTTLS'):
2470 if support.verbose and self.server.connectionchatty:
2471 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2472 self.write(b"OK\n")
2473 if not self.wrap_conn():
2474 return
2475 elif (self.server.starttls_server and self.sslconn
2476 and stripped == b'ENDTLS'):
2477 if support.verbose and self.server.connectionchatty:
2478 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2479 self.write(b"OK\n")
2480 self.sock = self.sslconn.unwrap()
2481 self.sslconn = None
2482 if support.verbose and self.server.connectionchatty:
2483 sys.stdout.write(" server: connection is now unencrypted...\n")
2484 elif stripped == b'CB tls-unique':
2485 if support.verbose and self.server.connectionchatty:
2486 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2487 data = self.sslconn.get_channel_binding("tls-unique")
2488 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2489 elif stripped == b'PHA':
2490 if support.verbose and self.server.connectionchatty:
2491 sys.stdout.write(" server: initiating post handshake auth\n")
2492 try:
2493 self.sslconn.verify_client_post_handshake()
2494 except ssl.SSLError as e:
2495 self.write(repr(e).encode("us-ascii") + b"\n")
2496 else:
2497 self.write(b"OK\n")
2498 elif stripped == b'HASCERT':
2499 if self.sslconn.getpeercert() is not None:
2500 self.write(b'TRUE\n')
2501 else:
2502 self.write(b'FALSE\n')
2503 elif stripped == b'GETCERT':
2504 cert = self.sslconn.getpeercert()
2505 self.write(repr(cert).encode("us-ascii") + b"\n")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]2506 elif stripped == b'VERIFIEDCHAIN':
2507 certs = self.sslconn._sslobj.get_verified_chain()
2508 self.write(len(certs).to_bytes(1, "big") + b"\n")
2509 elif stripped == b'UNVERIFIEDCHAIN':
2510 certs = self.sslconn._sslobj.get_unverified_chain()
2511 self.write(len(certs).to_bytes(1, "big") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2512 else:
2513 if (support.verbose and
2514 self.server.connectionchatty):
2515 ctype = (self.sslconn and "encrypted") or "unencrypted"
2516 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2517 % (msg, ctype, msg.lower(), ctype))
2518 self.write(msg.lower())
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2519 except OSError as e:
2520 # handles SSLError and socket errors
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2521 if self.server.chatty and support.verbose:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2522 if isinstance(e, ConnectionError):
2523 # OpenSSL 1.1.1 sometimes raises
2524 # ConnectionResetError when connection is not
2525 # shut down gracefully.
2526 print(
2527 f" Connection reset by peer: {self.addr}"
2528 )
2529 else:
2530 handle_error("Test server failure:\n")
2531 try:
2532 self.write(b"ERROR\n")
2533 except OSError:
2534 pass
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2535 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2536 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2537
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2538 # normally, we'd just stop here, but for the test
2539 # harness, we want to stop the server
2540 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2541
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2542 def __init__(self, certificate=None, ssl_version=None,
2543 certreqs=None, cacerts=None,
2544 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2545 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2546 ciphers=None, context=None):
2547 if context:
2548 self.context = context
2549 else:
2550 self.context = ssl.SSLContext(ssl_version
2551 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2552 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2553 self.context.verify_mode = (certreqs if certreqs is not None
2554 else ssl.CERT_NONE)
2555 if cacerts:
2556 self.context.load_verify_locations(cacerts)
2557 if certificate:
2558 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2559 if alpn_protocols:
2560 self.context.set_alpn_protocols(alpn_protocols)
2561 if ciphers:
2562 self.context.set_ciphers(ciphers)
2563 self.chatty = chatty
2564 self.connectionchatty = connectionchatty
2565 self.starttls_server = starttls_server
2566 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2567 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2568 self.flag = None
2569 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2570 self.selected_alpn_protocols = []
2571 self.shared_ciphers = []
2572 self.conn_errors = []
2573 threading.Thread.__init__(self)
2574 self.daemon = True
2575
2576 def __enter__(self):
2577 self.start(threading.Event())
2578 self.flag.wait()
2579 return self
2580
2581 def __exit__(self, *args):
2582 self.stop()
2583 self.join()
2584
2585 def start(self, flag=None):
2586 self.flag = flag
2587 threading.Thread.start(self)
2588
2589 def run(self):
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2590 self.sock.settimeout(1.0)
2591 self.sock.listen(5)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2592 self.active = True
2593 if self.flag:
2594 # signal an event
2595 self.flag.set()
2596 while self.active:
2597 try:
2598 newconn, connaddr = self.sock.accept()
2599 if support.verbose and self.chatty:
2600 sys.stdout.write(' server: new connection from '
2601 + repr(connaddr) + '\n')
2602 handler = self.ConnectionHandler(self, newconn, connaddr)
2603 handler.start()
2604 handler.join()
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2605 except TimeoutError as e:
2606 if support.verbose:
2607 sys.stdout.write(f' connection timeout {e!r}\n')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2608 except KeyboardInterrupt:
2609 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2610 except BaseException as e:
2611 if support.verbose and self.chatty:
2612 sys.stdout.write(
2613 ' connection handling failed: ' + repr(e) + '\n')
2614
Christian Heimesc715b522021-05-03 17:45:02 +0200[diff] [blame]2615 self.close()
2616
2617 def close(self):
2618 if self.sock is not None:
2619 self.sock.close()
2620 self.sock = None
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2621
2622 def stop(self):
2623 self.active = False
2624
2625class AsyncoreEchoServer(threading.Thread):
2626
2627 # this one's based on asyncore.dispatcher
2628
2629 class EchoServer (asyncore.dispatcher):
2630
2631 class ConnectionHandler(asyncore.dispatcher_with_send):
2632
2633 def __init__(self, conn, certfile):
2634 self.socket = test_wrap_socket(conn, server_side=True,
2635 certfile=certfile,
2636 do_handshake_on_connect=False)
2637 asyncore.dispatcher_with_send.__init__(self, self.socket)
2638 self._ssl_accepting = True
2639 self._do_ssl_handshake()
2640
2641 def readable(self):
2642 if isinstance(self.socket, ssl.SSLSocket):
2643 while self.socket.pending() > 0:
2644 self.handle_read_event()
2645 return True
2646
2647 def _do_ssl_handshake(self):
2648 try:
2649 self.socket.do_handshake()
2650 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2651 return
2652 except ssl.SSLEOFError:
2653 return self.handle_close()
2654 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2655 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2656 except OSError as err:
2657 if err.args[0] == errno.ECONNABORTED:
2658 return self.handle_close()
2659 else:
2660 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2661
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2662 def handle_read(self):
2663 if self._ssl_accepting:
2664 self._do_ssl_handshake()
2665 else:
2666 data = self.recv(1024)
2667 if support.verbose:
2668 sys.stdout.write(" server: read %s from client\n" % repr(data))
2669 if not data:
2670 self.close()
2671 else:
2672 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2673
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2674 def handle_close(self):
2675 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2676 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2677 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2678
2679 def handle_error(self):
2680 raise
2681
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2682 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2683 self.certfile = certfile
2684 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2685 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2686 asyncore.dispatcher.__init__(self, sock)
2687 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2688
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2689 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2690 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2691 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2692 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2693
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2694 def handle_error(self):
2695 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2696
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2697 def __init__(self, certfile):
2698 self.flag = None
2699 self.active = False
2700 self.server = self.EchoServer(certfile)
2701 self.port = self.server.port
2702 threading.Thread.__init__(self)
2703 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2704
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2705 def __str__(self):
2706 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2707
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2708 def __enter__(self):
2709 self.start(threading.Event())
2710 self.flag.wait()
2711 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2712
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2713 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2714 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2715 sys.stdout.write(" cleanup: stopping server.\n")
2716 self.stop()
2717 if support.verbose:
2718 sys.stdout.write(" cleanup: joining server thread.\n")
2719 self.join()
2720 if support.verbose:
2721 sys.stdout.write(" cleanup: successfully joined.\n")
2722 # make sure that ConnectionHandler is removed from socket_map
2723 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2724
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2725 def start (self, flag=None):
2726 self.flag = flag
2727 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2728
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2729 def run(self):
2730 self.active = True
2731 if self.flag:
2732 self.flag.set()
2733 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2734 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2735 asyncore.loop(1)
2736 except:
2737 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2738
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2739 def stop(self):
2740 self.active = False
2741 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2742
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2743def server_params_test(client_context, server_context, indata=b"FOO\n",
2744 chatty=True, connectionchatty=False, sni_name=None,
2745 session=None):
2746 """
2747 Launch a server, connect a client to it and try various reads
2748 and writes.
2749 """
2750 stats = {}
2751 server = ThreadedEchoServer(context=server_context,
2752 chatty=chatty,
2753 connectionchatty=False)
2754 with server:
2755 with client_context.wrap_socket(socket.socket(),
2756 server_hostname=sni_name, session=session) as s:
2757 s.connect((HOST, server.port))
2758 for arg in [indata, bytearray(indata), memoryview(indata)]:
2759 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2760 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2761 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2762 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2763 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2764 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2765 if connectionchatty:
2766 if support.verbose:
2767 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2768 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2769 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2770 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2771 % (outdata[:20], len(outdata),
2772 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2773 s.write(b"over\n")
2774 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2775 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2776 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2777 stats.update({
2778 'compression': s.compression(),
2779 'cipher': s.cipher(),
2780 'peercert': s.getpeercert(),
2781 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2782 'version': s.version(),
2783 'session_reused': s.session_reused,
2784 'session': s.session,
2785 })
2786 s.close()
2787 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2788 stats['server_shared_ciphers'] = server.shared_ciphers
2789 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2790
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2791def try_protocol_combo(server_protocol, client_protocol, expect_success,
2792 certsreqs=None, server_options=0, client_options=0):
2793 """
2794 Try to SSL-connect using *client_protocol* to *server_protocol*.
2795 If *expect_success* is true, assert that the connection succeeds,
2796 if it's false, assert that the connection fails.
2797 Also, if *expect_success* is a string, assert that it is the protocol
2798 version actually used by the connection.
2799 """
2800 if certsreqs is None:
2801 certsreqs = ssl.CERT_NONE
2802 certtype = {
2803 ssl.CERT_NONE: "CERT_NONE",
2804 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2805 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2806 }[certsreqs]
2807 if support.verbose:
2808 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2809 sys.stdout.write(formatstr %
2810 (ssl.get_protocol_name(client_protocol),
2811 ssl.get_protocol_name(server_protocol),
2812 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2813
2814 with warnings_helper.check_warnings():
2815 # ignore Deprecation warnings
2816 client_context = ssl.SSLContext(client_protocol)
2817 client_context.options |= client_options
2818 server_context = ssl.SSLContext(server_protocol)
2819 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2820
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2821 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2822 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2823 # SSLContext.minimum_version is only available on recent OpenSSL
2824 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2825 and hasattr(server_context, 'minimum_version')
2826 and server_protocol == ssl.PROTOCOL_TLS
2827 and server_context.minimum_version > min_version
2828 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2829 # If OpenSSL configuration is strict and requires more recent TLS
2830 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2831 with warnings_helper.check_warnings():
2832 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2833
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2834 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2835 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2836 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2837 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2838 client_context.set_ciphers("ALL")
2839
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2840 seclevel_workaround(server_context, client_context)
2841
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2842 for ctx in (client_context, server_context):
2843 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2844 ctx.load_cert_chain(SIGNED_CERTFILE)
2845 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2846 try:
2847 stats = server_params_test(client_context, server_context,
2848 chatty=False, connectionchatty=False)
2849 # Protocol mismatch can result in either an SSLError, or a
2850 # "Connection reset by peer" error.
2851 except ssl.SSLError:
2852 if expect_success:
2853 raise
2854 except OSError as e:
2855 if expect_success or e.errno != errno.ECONNRESET:
2856 raise
2857 else:
2858 if not expect_success:
2859 raise AssertionError(
2860 "Client protocol %s succeeded with server protocol %s!"
2861 % (ssl.get_protocol_name(client_protocol),
2862 ssl.get_protocol_name(server_protocol)))
2863 elif (expect_success is not True
2864 and expect_success != stats['version']):
2865 raise AssertionError("version mismatch: expected %r, got %r"
2866 % (expect_success, stats['version']))
2867
2868
2869class ThreadedTests(unittest.TestCase):
2870
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2871 def test_echo(self):
2872 """Basic test of an SSL client connecting to a server"""
2873 if support.verbose:
2874 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2875
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2876 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2877
2878 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2879 server_params_test(client_context=client_context,
2880 server_context=server_context,
2881 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2882 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2883
2884 client_context.check_hostname = False
2885 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2886 with self.assertRaises(ssl.SSLError) as e:
2887 server_params_test(client_context=server_context,
2888 server_context=client_context,
2889 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2890 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2891 self.assertIn('called a function you should not call',
2892 str(e.exception))
2893
2894 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2895 with self.assertRaises(ssl.SSLError) as e:
2896 server_params_test(client_context=server_context,
2897 server_context=server_context,
2898 chatty=True, connectionchatty=True)
2899 self.assertIn('called a function you should not call',
2900 str(e.exception))
2901
2902 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2903 with self.assertRaises(ssl.SSLError) as e:
2904 server_params_test(client_context=server_context,
2905 server_context=client_context,
2906 chatty=True, connectionchatty=True)
2907 self.assertIn('called a function you should not call',
2908 str(e.exception))
2909
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2910 def test_getpeercert(self):
2911 if support.verbose:
2912 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2913
2914 client_context, server_context, hostname = testing_context()
2915 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2916 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2917 with client_context.wrap_socket(socket.socket(),
2918 do_handshake_on_connect=False,
2919 server_hostname=hostname) as s:
2920 s.connect((HOST, server.port))
2921 # getpeercert() raise ValueError while the handshake isn't
2922 # done.
2923 with self.assertRaises(ValueError):
2924 s.getpeercert()
2925 s.do_handshake()
2926 cert = s.getpeercert()
2927 self.assertTrue(cert, "Can't get peer certificate.")
2928 cipher = s.cipher()
2929 if support.verbose:
2930 sys.stdout.write(pprint.pformat(cert) + '\n')
2931 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2932 if 'subject' not in cert:
2933 self.fail("No subject field in certificate: %s." %
2934 pprint.pformat(cert))
2935 if ((('organizationName', 'Python Software Foundation'),)
2936 not in cert['subject']):
2937 self.fail(
2938 "Missing or invalid 'organizationName' field in certificate subject; "
2939 "should be 'Python Software Foundation'.")
2940 self.assertIn('notBefore', cert)
2941 self.assertIn('notAfter', cert)
2942 before = ssl.cert_time_to_seconds(cert['notBefore'])
2943 after = ssl.cert_time_to_seconds(cert['notAfter'])
2944 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2945
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2946 def test_crl_check(self):
2947 if support.verbose:
2948 sys.stdout.write("\n")
2949
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2950 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2951
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2952 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2953 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2954
2955 # VERIFY_DEFAULT should pass
2956 server = ThreadedEchoServer(context=server_context, chatty=True)
2957 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2958 with client_context.wrap_socket(socket.socket(),
2959 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2960 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2961 cert = s.getpeercert()
2962 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2963
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2964 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2965 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2966
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2967 server = ThreadedEchoServer(context=server_context, chatty=True)
2968 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2969 with client_context.wrap_socket(socket.socket(),
2970 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2971 with self.assertRaisesRegex(ssl.SSLError,
2972 "certificate verify failed"):
2973 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2974
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2975 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2976 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2977
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2978 server = ThreadedEchoServer(context=server_context, chatty=True)
2979 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2980 with client_context.wrap_socket(socket.socket(),
2981 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2982 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2983 cert = s.getpeercert()
2984 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2985
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2986 def test_check_hostname(self):
2987 if support.verbose:
2988 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2989
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2990 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2991
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2992 # correct hostname should verify
2993 server = ThreadedEchoServer(context=server_context, chatty=True)
2994 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2995 with client_context.wrap_socket(socket.socket(),
2996 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2997 s.connect((HOST, server.port))
2998 cert = s.getpeercert()
2999 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3000
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3001 # incorrect hostname should raise an exception
3002 server = ThreadedEchoServer(context=server_context, chatty=True)
3003 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3004 with client_context.wrap_socket(socket.socket(),
3005 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]3006 with self.assertRaisesRegex(
3007 ssl.CertificateError,
3008 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3009 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3010
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3011 # missing server_hostname arg should cause an exception, too
3012 server = ThreadedEchoServer(context=server_context, chatty=True)
3013 with server:
3014 with socket.socket() as s:
3015 with self.assertRaisesRegex(ValueError,
3016 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3017 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3018
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]3019 @unittest.skipUnless(
3020 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
3021 )
3022 def test_hostname_checks_common_name(self):
3023 client_context, server_context, hostname = testing_context()
3024 assert client_context.hostname_checks_common_name
3025 client_context.hostname_checks_common_name = False
3026
3027 # default cert has a SAN
3028 server = ThreadedEchoServer(context=server_context, chatty=True)
3029 with server:
3030 with client_context.wrap_socket(socket.socket(),
3031 server_hostname=hostname) as s:
3032 s.connect((HOST, server.port))
3033
3034 client_context, server_context, hostname = testing_context(NOSANFILE)
3035 client_context.hostname_checks_common_name = False
3036 server = ThreadedEchoServer(context=server_context, chatty=True)
3037 with server:
3038 with client_context.wrap_socket(socket.socket(),
3039 server_hostname=hostname) as s:
3040 with self.assertRaises(ssl.SSLCertVerificationError):
3041 s.connect((HOST, server.port))
3042
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3043 def test_ecc_cert(self):
3044 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3045 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3046 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3047 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3048
3049 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3050 # load ECC cert
3051 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3052
3053 # correct hostname should verify
3054 server = ThreadedEchoServer(context=server_context, chatty=True)
3055 with server:
3056 with client_context.wrap_socket(socket.socket(),
3057 server_hostname=hostname) as s:
3058 s.connect((HOST, server.port))
3059 cert = s.getpeercert()
3060 self.assertTrue(cert, "Can't get peer certificate.")
3061 cipher = s.cipher()[0].split('-')
3062 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3063
3064 def test_dual_rsa_ecc(self):
3065 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3066 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3067 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3068 # algorithms.
3069 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3070 # only ECDSA certs
3071 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3072 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3073
3074 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3075 # load ECC and RSA key/cert pairs
3076 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3077 server_context.load_cert_chain(SIGNED_CERTFILE)
3078
3079 # correct hostname should verify
3080 server = ThreadedEchoServer(context=server_context, chatty=True)
3081 with server:
3082 with client_context.wrap_socket(socket.socket(),
3083 server_hostname=hostname) as s:
3084 s.connect((HOST, server.port))
3085 cert = s.getpeercert()
3086 self.assertTrue(cert, "Can't get peer certificate.")
3087 cipher = s.cipher()[0].split('-')
3088 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3089
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3090 def test_check_hostname_idn(self):
3091 if support.verbose:
3092 sys.stdout.write("\n")
3093
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3094 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3095 server_context.load_cert_chain(IDNSANSFILE)
3096
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3097 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3098 context.verify_mode = ssl.CERT_REQUIRED
3099 context.check_hostname = True
3100 context.load_verify_locations(SIGNING_CA)
3101
3102 # correct hostname should verify, when specified in several
3103 # different ways
3104 idn_hostnames = [
3105 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3106 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3107 ('xn--knig-5qa.idn.pythontest.net',
3108 'xn--knig-5qa.idn.pythontest.net'),
3109 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3110 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3111
3112 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3113 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3114 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3115 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3116 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3117 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3118
3119 # ('königsgäßchen.idna2008.pythontest.net',
3120 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3121 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3122 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3123 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3124 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3125
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3126 ]
3127 for server_hostname, expected_hostname in idn_hostnames:
3128 server = ThreadedEchoServer(context=server_context, chatty=True)
3129 with server:
3130 with context.wrap_socket(socket.socket(),
3131 server_hostname=server_hostname) as s:
3132 self.assertEqual(s.server_hostname, expected_hostname)
3133 s.connect((HOST, server.port))
3134 cert = s.getpeercert()
3135 self.assertEqual(s.server_hostname, expected_hostname)
3136 self.assertTrue(cert, "Can't get peer certificate.")
3137
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3138 # incorrect hostname should raise an exception
3139 server = ThreadedEchoServer(context=server_context, chatty=True)
3140 with server:
3141 with context.wrap_socket(socket.socket(),
3142 server_hostname="python.example.org") as s:
3143 with self.assertRaises(ssl.CertificateError):
3144 s.connect((HOST, server.port))
3145
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3146 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3147 """Connecting when the server rejects the client's certificate
3148
3149 Launch a server with CERT_REQUIRED, and check that trying to
3150 connect to it with a wrong client certificate fails.
3151 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3152 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3153 # load client cert that is not signed by trusted CA
3154 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3155 # require TLS client authentication
3156 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3157 # TLS 1.3 has different handshake
3158 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3159
3160 server = ThreadedEchoServer(
3161 context=server_context, chatty=True, connectionchatty=True,
3162 )
3163
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3164 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3165 client_context.wrap_socket(socket.socket(),
3166 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3167 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3168 # Expect either an SSL error about the server rejecting
3169 # the connection, or a low-level connection reset (which
3170 # sometimes happens on Windows)
3171 s.connect((HOST, server.port))
3172 except ssl.SSLError as e:
3173 if support.verbose:
3174 sys.stdout.write("\nSSLError is %r\n" % e)
3175 except OSError as e:
3176 if e.errno != errno.ECONNRESET:
3177 raise
3178 if support.verbose:
3179 sys.stdout.write("\nsocket.error is %r\n" % e)
3180 else:
3181 self.fail("Use of invalid cert should have failed!")
3182
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3183 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3184 def test_wrong_cert_tls13(self):
3185 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3186 # load client cert that is not signed by trusted CA
3187 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3188 server_context.verify_mode = ssl.CERT_REQUIRED
3189 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3190 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3191
3192 server = ThreadedEchoServer(
3193 context=server_context, chatty=True, connectionchatty=True,
3194 )
3195 with server, \
3196 client_context.wrap_socket(socket.socket(),
3197 server_hostname=hostname) as s:
3198 # TLS 1.3 perform client cert exchange after handshake
3199 s.connect((HOST, server.port))
3200 try:
3201 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3202 s.read(1000)
3203 s.write(b'should have failed already')
3204 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3205 except ssl.SSLError as e:
3206 if support.verbose:
3207 sys.stdout.write("\nSSLError is %r\n" % e)
3208 except OSError as e:
3209 if e.errno != errno.ECONNRESET:
3210 raise
3211 if support.verbose:
3212 sys.stdout.write("\nsocket.error is %r\n" % e)
3213 else:
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3214 if sys.platform == "win32":
3215 self.skipTest(
3216 "Ignoring failed test_wrong_cert_tls13 test case. "
3217 "The test is flaky on Windows, see bpo-43921."
3218 )
3219 else:
3220 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3221
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3222 def test_rude_shutdown(self):
3223 """A brutal shutdown of an SSL server should raise an OSError
3224 in the client when attempting handshake.
3225 """
3226 listener_ready = threading.Event()
3227 listener_gone = threading.Event()
3228
3229 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3230 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3231
3232 # `listener` runs in a thread. It sits in an accept() until
3233 # the main thread connects. Then it rudely closes the socket,
3234 # and sets Event `listener_gone` to let the main thread know
3235 # the socket is gone.
3236 def listener():
3237 s.listen()
3238 listener_ready.set()
3239 newsock, addr = s.accept()
3240 newsock.close()
3241 s.close()
3242 listener_gone.set()
3243
3244 def connector():
3245 listener_ready.wait()
3246 with socket.socket() as c:
3247 c.connect((HOST, port))
3248 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3249 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3250 ssl_sock = test_wrap_socket(c)
3251 except OSError:
3252 pass
3253 else:
3254 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3255
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3256 t = threading.Thread(target=listener)
3257 t.start()
3258 try:
3259 connector()
3260 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3261 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3262
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3263 def test_ssl_cert_verify_error(self):
3264 if support.verbose:
3265 sys.stdout.write("\n")
3266
3267 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3268 server_context.load_cert_chain(SIGNED_CERTFILE)
3269
3270 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3271
3272 server = ThreadedEchoServer(context=server_context, chatty=True)
3273 with server:
3274 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3275 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3276 try:
3277 s.connect((HOST, server.port))
3278 except ssl.SSLError as e:
3279 msg = 'unable to get local issuer certificate'
3280 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3281 self.assertEqual(e.verify_code, 20)
3282 self.assertEqual(e.verify_message, msg)
3283 self.assertIn(msg, repr(e))
3284 self.assertIn('certificate verify failed', repr(e))
3285
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3286 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3287 def test_protocol_sslv2(self):
3288 """Connecting to an SSLv2 server with various client options"""
3289 if support.verbose:
3290 sys.stdout.write("\n")
3291 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3292 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3293 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3294 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3295 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3296 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3297 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3298 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3299 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3300 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3301 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3302 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3303
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3304 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3305 """Connecting to an SSLv23 server with various client options"""
3306 if support.verbose:
3307 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3308 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3309 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3310 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3311 except OSError as x:
3312 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3313 if support.verbose:
3314 sys.stdout.write(
3315 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3316 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3317 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3318 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3319 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3320 if has_tls_version('TLSv1'):
3321 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3322
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3323 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3324 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3325 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3326 if has_tls_version('TLSv1'):
3327 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3328
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3329 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3330 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3331 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3332 if has_tls_version('TLSv1'):
3333 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3334
3335 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3336 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3337 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3338 server_options=ssl.OP_NO_SSLv3)
3339 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3340 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3341 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3342 if has_tls_version('TLSv1'):
3343 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3344 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3345
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3346 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3347 def test_protocol_sslv3(self):
3348 """Connecting to an SSLv3 server with various client options"""
3349 if support.verbose:
3350 sys.stdout.write("\n")
3351 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3352 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3353 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3354 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3355 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3356 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3357 client_options=ssl.OP_NO_SSLv3)
3358 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3359
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3360 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3361 def test_protocol_tlsv1(self):
3362 """Connecting to a TLSv1 server with various client options"""
3363 if support.verbose:
3364 sys.stdout.write("\n")
3365 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3366 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3367 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3368 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3369 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3370 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3371 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3372 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3373 client_options=ssl.OP_NO_TLSv1)
3374
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3375 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3376 def test_protocol_tlsv1_1(self):
3377 """Connecting to a TLSv1.1 server with various client options.
3378 Testing against older TLS versions."""
3379 if support.verbose:
3380 sys.stdout.write("\n")
3381 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3382 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3383 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3384 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3385 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3386 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3387 client_options=ssl.OP_NO_TLSv1_1)
3388
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3389 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3390 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3391 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3392
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3393 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3394 def test_protocol_tlsv1_2(self):
3395 """Connecting to a TLSv1.2 server with various client options.
3396 Testing against older TLS versions."""
3397 if support.verbose:
3398 sys.stdout.write("\n")
3399 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3400 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3401 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3402 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3403 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3404 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3405 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3406 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3407 client_options=ssl.OP_NO_TLSv1_2)
3408
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3409 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3410 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3411 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3412 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3413 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3414
3415 def test_starttls(self):
3416 """Switching from clear text to encrypted and back again."""
3417 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3418
3419 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3420 starttls_server=True,
3421 chatty=True,
3422 connectionchatty=True)
3423 wrapped = False
3424 with server:
3425 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3426 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3427 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3428 if support.verbose:
3429 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3430 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3431 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3432 sys.stdout.write(
3433 " client: sending %r...\n" % indata)
3434 if wrapped:
3435 conn.write(indata)
3436 outdata = conn.read()
3437 else:
3438 s.send(indata)
3439 outdata = s.recv(1024)
3440 msg = outdata.strip().lower()
3441 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3442 # STARTTLS ok, switch to secure mode
3443 if support.verbose:
3444 sys.stdout.write(
3445 " client: read %r from server, starting TLS...\n"
3446 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3447 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3448 wrapped = True
3449 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3450 # ENDTLS ok, switch back to clear text
3451 if support.verbose:
3452 sys.stdout.write(
3453 " client: read %r from server, ending TLS...\n"
3454 % msg)
3455 s = conn.unwrap()
3456 wrapped = False
3457 else:
3458 if support.verbose:
3459 sys.stdout.write(
3460 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3461 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3462 sys.stdout.write(" client: closing connection.\n")
3463 if wrapped:
3464 conn.write(b"over\n")
3465 else:
3466 s.send(b"over\n")
3467 if wrapped:
3468 conn.close()
3469 else:
3470 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3471
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3472 def test_socketserver(self):
3473 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3474 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3475 # try to connect
3476 if support.verbose:
3477 sys.stdout.write('\n')
3478 with open(CERTFILE, 'rb') as f:
3479 d1 = f.read()
3480 d2 = ''
3481 # now fetch the same data from the HTTPS server
3482 url = 'https://localhost:%d/%s' % (
3483 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3484 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3485 f = urllib.request.urlopen(url, context=context)
3486 try:
3487 dlen = f.info().get("content-length")
3488 if dlen and (int(dlen) > 0):
3489 d2 = f.read(int(dlen))
3490 if support.verbose:
3491 sys.stdout.write(
3492 " client: read %d bytes from remote server '%s'\n"
3493 % (len(d2), server))
3494 finally:
3495 f.close()
3496 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3497
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3498 def test_asyncore_server(self):
3499 """Check the example asyncore integration."""
3500 if support.verbose:
3501 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3502
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3503 indata = b"FOO\n"
3504 server = AsyncoreEchoServer(CERTFILE)
3505 with server:
3506 s = test_wrap_socket(socket.socket())
3507 s.connect(('127.0.0.1', server.port))
3508 if support.verbose:
3509 sys.stdout.write(
3510 " client: sending %r...\n" % indata)
3511 s.write(indata)
3512 outdata = s.read()
3513 if support.verbose:
3514 sys.stdout.write(" client: read %r\n" % outdata)
3515 if outdata != indata.lower():
3516 self.fail(
3517 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3518 % (outdata[:20], len(outdata),
3519 indata[:20].lower(), len(indata)))
3520 s.write(b"over\n")
3521 if support.verbose:
3522 sys.stdout.write(" client: closing connection.\n")
3523 s.close()
3524 if support.verbose:
3525 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3526
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3527 def test_recv_send(self):
3528 """Test recv(), send() and friends."""
3529 if support.verbose:
3530 sys.stdout.write("\n")
3531
3532 server = ThreadedEchoServer(CERTFILE,
3533 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3534 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3535 cacerts=CERTFILE,
3536 chatty=True,
3537 connectionchatty=False)
3538 with server:
3539 s = test_wrap_socket(socket.socket(),
3540 server_side=False,
3541 certfile=CERTFILE,
3542 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3543 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3544 s.connect((HOST, server.port))
3545 # helper methods for standardising recv* method signatures
3546 def _recv_into():
3547 b = bytearray(b"\0"*100)
3548 count = s.recv_into(b)
3549 return b[:count]
3550
3551 def _recvfrom_into():
3552 b = bytearray(b"\0"*100)
3553 count, addr = s.recvfrom_into(b)
3554 return b[:count]
3555
3556 # (name, method, expect success?, *args, return value func)
3557 send_methods = [
3558 ('send', s.send, True, [], len),
3559 ('sendto', s.sendto, False, ["some.address"], len),
3560 ('sendall', s.sendall, True, [], lambda x: None),
3561 ]
3562 # (name, method, whether to expect success, *args)
3563 recv_methods = [
3564 ('recv', s.recv, True, []),
3565 ('recvfrom', s.recvfrom, False, ["some.address"]),
3566 ('recv_into', _recv_into, True, []),
3567 ('recvfrom_into', _recvfrom_into, False, []),
3568 ]
3569 data_prefix = "PREFIX_"
3570
3571 for (meth_name, send_meth, expect_success, args,
3572 ret_val_meth) in send_methods:
3573 indata = (data_prefix + meth_name).encode('ascii')
3574 try:
3575 ret = send_meth(indata, *args)
3576 msg = "sending with {}".format(meth_name)
3577 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3578 outdata = s.read()
3579 if outdata != indata.lower():
3580 self.fail(
3581 "While sending with <<{name:s}>> bad data "
3582 "<<{outdata:r}>> ({nout:d}) received; "
3583 "expected <<{indata:r}>> ({nin:d})\n".format(
3584 name=meth_name, outdata=outdata[:20],
3585 nout=len(outdata),
3586 indata=indata[:20], nin=len(indata)
3587 )
3588 )
3589 except ValueError as e:
3590 if expect_success:
3591 self.fail(
3592 "Failed to send with method <<{name:s}>>; "
3593 "expected to succeed.\n".format(name=meth_name)
3594 )
3595 if not str(e).startswith(meth_name):
3596 self.fail(
3597 "Method <<{name:s}>> failed with unexpected "
3598 "exception message: {exp:s}\n".format(
3599 name=meth_name, exp=e
3600 )
3601 )
3602
3603 for meth_name, recv_meth, expect_success, args in recv_methods:
3604 indata = (data_prefix + meth_name).encode('ascii')
3605 try:
3606 s.send(indata)
3607 outdata = recv_meth(*args)
3608 if outdata != indata.lower():
3609 self.fail(
3610 "While receiving with <<{name:s}>> bad data "
3611 "<<{outdata:r}>> ({nout:d}) received; "
3612 "expected <<{indata:r}>> ({nin:d})\n".format(
3613 name=meth_name, outdata=outdata[:20],
3614 nout=len(outdata),
3615 indata=indata[:20], nin=len(indata)
3616 )
3617 )
3618 except ValueError as e:
3619 if expect_success:
3620 self.fail(
3621 "Failed to receive with method <<{name:s}>>; "
3622 "expected to succeed.\n".format(name=meth_name)
3623 )
3624 if not str(e).startswith(meth_name):
3625 self.fail(
3626 "Method <<{name:s}>> failed with unexpected "
3627 "exception message: {exp:s}\n".format(
3628 name=meth_name, exp=e
3629 )
3630 )
3631 # consume data
3632 s.read()
3633
3634 # read(-1, buffer) is supported, even though read(-1) is not
3635 data = b"data"
3636 s.send(data)
3637 buffer = bytearray(len(data))
3638 self.assertEqual(s.read(-1, buffer), len(data))
3639 self.assertEqual(buffer, data)
3640
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3641 # sendall accepts bytes-like objects
3642 if ctypes is not None:
3643 ubyte = ctypes.c_ubyte * len(data)
3644 byteslike = ubyte.from_buffer_copy(data)
3645 s.sendall(byteslike)
3646 self.assertEqual(s.read(), data)
3647
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3648 # Make sure sendmsg et al are disallowed to avoid
3649 # inadvertent disclosure of data and/or corruption
3650 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3651 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3652 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3653 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3654 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3655 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3656 s.write(b"over\n")
3657
3658 self.assertRaises(ValueError, s.recv, -1)
3659 self.assertRaises(ValueError, s.read, -1)
3660
3661 s.close()
3662
3663 def test_recv_zero(self):
3664 server = ThreadedEchoServer(CERTFILE)
3665 server.__enter__()
3666 self.addCleanup(server.__exit__, None, None)
3667 s = socket.create_connection((HOST, server.port))
3668 self.addCleanup(s.close)
3669 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3670 self.addCleanup(s.close)
3671
3672 # recv/read(0) should return no data
3673 s.send(b"data")
3674 self.assertEqual(s.recv(0), b"")
3675 self.assertEqual(s.read(0), b"")
3676 self.assertEqual(s.read(), b"data")
3677
3678 # Should not block if the other end sends no data
3679 s.setblocking(False)
3680 self.assertEqual(s.recv(0), b"")
3681 self.assertEqual(s.recv_into(bytearray()), 0)
3682
3683 def test_nonblocking_send(self):
3684 server = ThreadedEchoServer(CERTFILE,
3685 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3686 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3687 cacerts=CERTFILE,
3688 chatty=True,
3689 connectionchatty=False)
3690 with server:
3691 s = test_wrap_socket(socket.socket(),
3692 server_side=False,
3693 certfile=CERTFILE,
3694 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3695 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3696 s.connect((HOST, server.port))
3697 s.setblocking(False)
3698
3699 # If we keep sending data, at some point the buffers
3700 # will be full and the call will block
3701 buf = bytearray(8192)
3702 def fill_buffer():
3703 while True:
3704 s.send(buf)
3705 self.assertRaises((ssl.SSLWantWriteError,
3706 ssl.SSLWantReadError), fill_buffer)
3707
3708 # Now read all the output and discard it
3709 s.setblocking(True)
3710 s.close()
3711
3712 def test_handshake_timeout(self):
3713 # Issue #5103: SSL handshake must respect the socket timeout
3714 server = socket.socket(socket.AF_INET)
3715 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3716 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3717 started = threading.Event()
3718 finish = False
3719
3720 def serve():
3721 server.listen()
3722 started.set()
3723 conns = []
3724 while not finish:
3725 r, w, e = select.select([server], [], [], 0.1)
3726 if server in r:
3727 # Let the socket hang around rather than having
3728 # it closed by garbage collection.
3729 conns.append(server.accept()[0])
3730 for sock in conns:
3731 sock.close()
3732
3733 t = threading.Thread(target=serve)
3734 t.start()
3735 started.wait()
3736
3737 try:
3738 try:
3739 c = socket.socket(socket.AF_INET)
3740 c.settimeout(0.2)
3741 c.connect((host, port))
3742 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3743 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3744 test_wrap_socket, c)
3745 finally:
3746 c.close()
3747 try:
3748 c = socket.socket(socket.AF_INET)
3749 c = test_wrap_socket(c)
3750 c.settimeout(0.2)
3751 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3752 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3753 c.connect, (host, port))
3754 finally:
3755 c.close()
3756 finally:
3757 finish = True
3758 t.join()
3759 server.close()
3760
3761 def test_server_accept(self):
3762 # Issue #16357: accept() on a SSLSocket created through
3763 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3764 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3765 server = socket.socket(socket.AF_INET)
3766 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3767 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3768 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3769 self.assertTrue(server.server_side)
3770
3771 evt = threading.Event()
3772 remote = None
3773 peer = None
3774 def serve():
3775 nonlocal remote, peer
3776 server.listen()
3777 # Block on the accept and wait on the connection to close.
3778 evt.set()
3779 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3780 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3781
3782 t = threading.Thread(target=serve)
3783 t.start()
3784 # Client wait until server setup and perform a connect.
3785 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3786 client = client_ctx.wrap_socket(
3787 socket.socket(), server_hostname=hostname
3788 )
3789 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3790 client.send(b'data')
3791 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3792 client_addr = client.getsockname()
3793 client.close()
3794 t.join()
3795 remote.close()
3796 server.close()
3797 # Sanity checks.
3798 self.assertIsInstance(remote, ssl.SSLSocket)
3799 self.assertEqual(peer, client_addr)
3800
3801 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3802 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3803 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3804 with context.wrap_socket(socket.socket()) as sock:
3805 with self.assertRaises(OSError) as cm:
3806 sock.getpeercert()
3807 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3808
3809 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3810 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3811 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3812 with context.wrap_socket(socket.socket()) as sock:
3813 with self.assertRaises(OSError) as cm:
3814 sock.do_handshake()
3815 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3816
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3817 def test_no_shared_ciphers(self):
3818 client_context, server_context, hostname = testing_context()
3819 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
3820 client_context.options |= ssl.OP_NO_TLSv1_3
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3821 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3822 client_context.set_ciphers("AES128")
3823 server_context.set_ciphers("AES256")
3824 with ThreadedEchoServer(context=server_context) as server:
3825 with client_context.wrap_socket(socket.socket(),
3826 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3827 with self.assertRaises(OSError):
3828 s.connect((HOST, server.port))
3829 self.assertIn("no shared cipher", server.conn_errors[0])
3830
3831 def test_version_basic(self):
3832 """
3833 Basic tests for SSLSocket.version().
3834 More tests are done in the test_protocol_*() methods.
3835 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3836 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3837 context.check_hostname = False
3838 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3839 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3840 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3841 chatty=False) as server:
3842 with context.wrap_socket(socket.socket()) as s:
3843 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3844 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3845 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3846 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3847 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3848 self.assertIs(s.version(), None)
3849
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3850 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3851 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3852 client_context, server_context, hostname = testing_context()
3853 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3854 with ThreadedEchoServer(context=server_context) as server:
3855 with client_context.wrap_socket(socket.socket(),
3856 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3857 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3858 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3859 'TLS_AES_256_GCM_SHA384',
3860 'TLS_CHACHA20_POLY1305_SHA256',
3861 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3862 })
3863 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3864
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3865 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3866 @requires_tls_version('TLSv1')
3867 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3868 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3869 client_context, server_context, hostname = testing_context()
3870 # client TLSv1.0 to 1.2
3871 client_context.minimum_version = ssl.TLSVersion.TLSv1
3872 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3873 # server only TLSv1.2
3874 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3875 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3876
3877 with ThreadedEchoServer(context=server_context) as server:
3878 with client_context.wrap_socket(socket.socket(),
3879 server_hostname=hostname) as s:
3880 s.connect((HOST, server.port))
3881 self.assertEqual(s.version(), 'TLSv1.2')
3882
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3883 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3884 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3885 def test_min_max_version_tlsv1_1(self):
3886 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3887 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3888 client_context.minimum_version = ssl.TLSVersion.TLSv1
3889 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3890 server_context.minimum_version = ssl.TLSVersion.TLSv1
3891 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3892 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3893
3894 with ThreadedEchoServer(context=server_context) as server:
3895 with client_context.wrap_socket(socket.socket(),
3896 server_hostname=hostname) as s:
3897 s.connect((HOST, server.port))
3898 self.assertEqual(s.version(), 'TLSv1.1')
3899
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3900 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3901 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3902 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3903 def test_min_max_version_mismatch(self):
3904 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3905 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3906 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3907 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3908 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3909 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3910 seclevel_workaround(client_context, server_context)
3911
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3912 with ThreadedEchoServer(context=server_context) as server:
3913 with client_context.wrap_socket(socket.socket(),
3914 server_hostname=hostname) as s:
3915 with self.assertRaises(ssl.SSLError) as e:
3916 s.connect((HOST, server.port))
3917 self.assertIn("alert", str(e.exception))
3918
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3919 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3920 def test_min_max_version_sslv3(self):
3921 client_context, server_context, hostname = testing_context()
3922 server_context.minimum_version = ssl.TLSVersion.SSLv3
3923 client_context.minimum_version = ssl.TLSVersion.SSLv3
3924 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3925 seclevel_workaround(client_context, server_context)
3926
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3927 with ThreadedEchoServer(context=server_context) as server:
3928 with client_context.wrap_socket(socket.socket(),
3929 server_hostname=hostname) as s:
3930 s.connect((HOST, server.port))
3931 self.assertEqual(s.version(), 'SSLv3')
3932
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3933 def test_default_ecdh_curve(self):
3934 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3935 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3936 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3937 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3938 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3939 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3940 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3941 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3942 # our default cipher list should prefer ECDH-based ciphers
3943 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3944 with ThreadedEchoServer(context=server_context) as server:
3945 with client_context.wrap_socket(socket.socket(),
3946 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3947 s.connect((HOST, server.port))
3948 self.assertIn("ECDH", s.cipher()[0])
3949
3950 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3951 "'tls-unique' channel binding not available")
3952 def test_tls_unique_channel_binding(self):
3953 """Test tls-unique channel binding."""
3954 if support.verbose:
3955 sys.stdout.write("\n")
3956
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3957 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3958
3959 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3960 chatty=True,
3961 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3962
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3963 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3964 with client_context.wrap_socket(
3965 socket.socket(),
3966 server_hostname=hostname) as s:
3967 s.connect((HOST, server.port))
3968 # get the data
3969 cb_data = s.get_channel_binding("tls-unique")
3970 if support.verbose:
3971 sys.stdout.write(
3972 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3973
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3974 # check if it is sane
3975 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3976 if s.version() == 'TLSv1.3':
3977 self.assertEqual(len(cb_data), 48)
3978 else:
3979 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3980
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3981 # and compare with the peers version
3982 s.write(b"CB tls-unique\n")
3983 peer_data_repr = s.read().strip()
3984 self.assertEqual(peer_data_repr,
3985 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3986
3987 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3988 with client_context.wrap_socket(
3989 socket.socket(),
3990 server_hostname=hostname) as s:
3991 s.connect((HOST, server.port))
3992 new_cb_data = s.get_channel_binding("tls-unique")
3993 if support.verbose:
3994 sys.stdout.write(
3995 "got another channel binding data: {0!r}\n".format(
3996 new_cb_data)
3997 )
3998 # is it really unique
3999 self.assertNotEqual(cb_data, new_cb_data)
4000 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]4001 if s.version() == 'TLSv1.3':
4002 self.assertEqual(len(cb_data), 48)
4003 else:
4004 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4005 s.write(b"CB tls-unique\n")
4006 peer_data_repr = s.read().strip()
4007 self.assertEqual(peer_data_repr,
4008 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4009
4010 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4011 client_context, server_context, hostname = testing_context()
4012 stats = server_params_test(client_context, server_context,
4013 chatty=True, connectionchatty=True,
4014 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4015 if support.verbose:
4016 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
4017 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
4018
4019 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
4020 "ssl.OP_NO_COMPRESSION needed for this test")
4021 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4022 client_context, server_context, hostname = testing_context()
4023 client_context.options |= ssl.OP_NO_COMPRESSION
4024 server_context.options |= ssl.OP_NO_COMPRESSION
4025 stats = server_params_test(client_context, server_context,
4026 chatty=True, connectionchatty=True,
4027 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4028 self.assertIs(stats['compression'], None)
4029
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4030 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4031 def test_dh_params(self):
4032 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4033 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4034 # test scenario needs TLS <= 1.2
4035 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4036 server_context.load_dh_params(DHFILE)
4037 server_context.set_ciphers("kEDH")
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4038 server_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4039 stats = server_params_test(client_context, server_context,
4040 chatty=True, connectionchatty=True,
4041 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4042 cipher = stats["cipher"][0]
4043 parts = cipher.split("-")
4044 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4045 self.fail("Non-DH cipher: " + cipher[0])
4046
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4047 def test_ecdh_curve(self):
4048 # server secp384r1, client auto
4049 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4050
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4051 server_context.set_ecdh_curve("secp384r1")
4052 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4053 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4054 stats = server_params_test(client_context, server_context,
4055 chatty=True, connectionchatty=True,
4056 sni_name=hostname)
4057
4058 # server auto, client secp384r1
4059 client_context, server_context, hostname = testing_context()
4060 client_context.set_ecdh_curve("secp384r1")
4061 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4062 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4063 stats = server_params_test(client_context, server_context,
4064 chatty=True, connectionchatty=True,
4065 sni_name=hostname)
4066
4067 # server / client curve mismatch
4068 client_context, server_context, hostname = testing_context()
4069 client_context.set_ecdh_curve("prime256v1")
4070 server_context.set_ecdh_curve("secp384r1")
4071 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4072 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4073 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4074 server_params_test(client_context, server_context,
4075 chatty=True, connectionchatty=True,
4076 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4077
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4078 def test_selected_alpn_protocol(self):
4079 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4080 client_context, server_context, hostname = testing_context()
4081 stats = server_params_test(client_context, server_context,
4082 chatty=True, connectionchatty=True,
4083 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4084 self.assertIs(stats['client_alpn_protocol'], None)
4085
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4086 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4087 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4088 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4089 server_context.set_alpn_protocols(['foo', 'bar'])
4090 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4091 chatty=True, connectionchatty=True,
4092 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4093 self.assertIs(stats['client_alpn_protocol'], None)
4094
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4095 def test_alpn_protocols(self):
4096 server_protocols = ['foo', 'bar', 'milkshake']
4097 protocol_tests = [
4098 (['foo', 'bar'], 'foo'),
4099 (['bar', 'foo'], 'foo'),
4100 (['milkshake'], 'milkshake'),
4101 (['http/3.0', 'http/4.0'], None)
4102 ]
4103 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4104 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4105 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4106 client_context.set_alpn_protocols(client_protocols)
4107
4108 try:
4109 stats = server_params_test(client_context,
4110 server_context,
4111 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4112 connectionchatty=True,
4113 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4114 except ssl.SSLError as e:
4115 stats = e
4116
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4117 msg = "failed trying %s (s) and %s (c).\n" \
4118 "was expecting %s, but got %%s from the %%s" \
4119 % (str(server_protocols), str(client_protocols),
4120 str(expected))
4121 client_result = stats['client_alpn_protocol']
4122 self.assertEqual(client_result, expected,
4123 msg % (client_result, "client"))
4124 server_result = stats['server_alpn_protocols'][-1] \
4125 if len(stats['server_alpn_protocols']) else 'nothing'
4126 self.assertEqual(server_result, expected,
4127 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4128
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4129 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4130 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4131
4132 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4133 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4134 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4135 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4136 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4137 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4138 client_context.load_verify_locations(SIGNING_CA)
4139 return server_context, other_context, client_context
4140
4141 def check_common_name(self, stats, name):
4142 cert = stats['peercert']
4143 self.assertIn((('commonName', name),), cert['subject'])
4144
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4145 def test_sni_callback(self):
4146 calls = []
4147 server_context, other_context, client_context = self.sni_contexts()
4148
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4149 client_context.check_hostname = False
4150
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4151 def servername_cb(ssl_sock, server_name, initial_context):
4152 calls.append((server_name, initial_context))
4153 if server_name is not None:
4154 ssl_sock.context = other_context
4155 server_context.set_servername_callback(servername_cb)
4156
4157 stats = server_params_test(client_context, server_context,
4158 chatty=True,
4159 sni_name='supermessage')
4160 # The hostname was fetched properly, and the certificate was
4161 # changed for the connection.
4162 self.assertEqual(calls, [("supermessage", server_context)])
4163 # CERTFILE4 was selected
4164 self.check_common_name(stats, 'fakehostname')
4165
4166 calls = []
4167 # The callback is called with server_name=None
4168 stats = server_params_test(client_context, server_context,
4169 chatty=True,
4170 sni_name=None)
4171 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4172 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4173
4174 # Check disabling the callback
4175 calls = []
4176 server_context.set_servername_callback(None)
4177
4178 stats = server_params_test(client_context, server_context,
4179 chatty=True,
4180 sni_name='notfunny')
4181 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4182 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4183 self.assertEqual(calls, [])
4184
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4185 def test_sni_callback_alert(self):
4186 # Returning a TLS alert is reflected to the connecting client
4187 server_context, other_context, client_context = self.sni_contexts()
4188
4189 def cb_returning_alert(ssl_sock, server_name, initial_context):
4190 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4191 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4192 with self.assertRaises(ssl.SSLError) as cm:
4193 stats = server_params_test(client_context, server_context,
4194 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4195 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4196 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4197
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4198 def test_sni_callback_raising(self):
4199 # Raising fails the connection with a TLS handshake failure alert.
4200 server_context, other_context, client_context = self.sni_contexts()
4201
4202 def cb_raising(ssl_sock, server_name, initial_context):
4203 1/0
4204 server_context.set_servername_callback(cb_raising)
4205
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4206 with support.catch_unraisable_exception() as catch:
4207 with self.assertRaises(ssl.SSLError) as cm:
4208 stats = server_params_test(client_context, server_context,
4209 chatty=False,
4210 sni_name='supermessage')
4211
4212 self.assertEqual(cm.exception.reason,
4213 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4214 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4215
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4216 def test_sni_callback_wrong_return_type(self):
4217 # Returning the wrong return type terminates the TLS connection
4218 # with an internal error alert.
4219 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4220
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4221 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4222 return "foo"
4223 server_context.set_servername_callback(cb_wrong_return_type)
4224
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4225 with support.catch_unraisable_exception() as catch:
4226 with self.assertRaises(ssl.SSLError) as cm:
4227 stats = server_params_test(client_context, server_context,
4228 chatty=False,
4229 sni_name='supermessage')
4230
4231
4232 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4233 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4234
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4235 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4236 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4237 client_context.set_ciphers("AES128:AES256")
4238 server_context.set_ciphers("AES256")
4239 expected_algs = [
4240 "AES256", "AES-256",
4241 # TLS 1.3 ciphers are always enabled
4242 "TLS_CHACHA20", "TLS_AES",
4243 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4244
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4245 stats = server_params_test(client_context, server_context,
4246 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4247 ciphers = stats['server_shared_ciphers'][0]
4248 self.assertGreater(len(ciphers), 0)
4249 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4250 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4251 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4252
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4253 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4254 client_context, server_context, hostname = testing_context()
4255 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4256
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4257 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4258 s = client_context.wrap_socket(socket.socket(),
4259 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4260 s.connect((HOST, server.port))
4261 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4262
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4263 self.assertRaises(ValueError, s.read, 1024)
4264 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4265
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4266 def test_sendfile(self):
4267 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4268 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4269 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4270 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4271 client_context, server_context, hostname = testing_context()
4272 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4273 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4274 with client_context.wrap_socket(socket.socket(),
4275 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4276 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4277 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4278 s.sendfile(file)
4279 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4280
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4281 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4282 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4283 # TODO: sessions aren't compatible with TLSv1.3 yet
4284 client_context.options |= ssl.OP_NO_TLSv1_3
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4285
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4286 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4287 stats = server_params_test(client_context, server_context,
4288 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4289 session = stats['session']
4290 self.assertTrue(session.id)
4291 self.assertGreater(session.time, 0)
4292 self.assertGreater(session.timeout, 0)
4293 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4294 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4295 self.assertFalse(stats['session_reused'])
4296 sess_stat = server_context.session_stats()
4297 self.assertEqual(sess_stat['accept'], 1)
4298 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4299
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4300 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4301 stats = server_params_test(client_context, server_context,
4302 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4303 sess_stat = server_context.session_stats()
4304 self.assertEqual(sess_stat['accept'], 2)
4305 self.assertEqual(sess_stat['hits'], 1)
4306 self.assertTrue(stats['session_reused'])
4307 session2 = stats['session']
4308 self.assertEqual(session2.id, session.id)
4309 self.assertEqual(session2, session)
4310 self.assertIsNot(session2, session)
4311 self.assertGreaterEqual(session2.time, session.time)
4312 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4313
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4314 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4315 stats = server_params_test(client_context, server_context,
4316 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4317 self.assertFalse(stats['session_reused'])
4318 session3 = stats['session']
4319 self.assertNotEqual(session3.id, session.id)
4320 self.assertNotEqual(session3, session)
4321 sess_stat = server_context.session_stats()
4322 self.assertEqual(sess_stat['accept'], 3)
4323 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4324
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4325 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4326 stats = server_params_test(client_context, server_context,
4327 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4328 self.assertTrue(stats['session_reused'])
4329 session4 = stats['session']
4330 self.assertEqual(session4.id, session.id)
4331 self.assertEqual(session4, session)
4332 self.assertGreaterEqual(session4.time, session.time)
4333 self.assertGreaterEqual(session4.timeout, session.timeout)
4334 sess_stat = server_context.session_stats()
4335 self.assertEqual(sess_stat['accept'], 4)
4336 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4337
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4338 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4339 client_context, server_context, hostname = testing_context()
4340 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4341
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4342 # TODO: session reuse does not work with TLSv1.3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4343 client_context.options |= ssl.OP_NO_TLSv1_3
4344 client_context2.options |= ssl.OP_NO_TLSv1_3
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4345
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4346 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4347 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4348 with client_context.wrap_socket(socket.socket(),
4349 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4350 # session is None before handshake
4351 self.assertEqual(s.session, None)
4352 self.assertEqual(s.session_reused, None)
4353 s.connect((HOST, server.port))
4354 session = s.session
4355 self.assertTrue(session)
4356 with self.assertRaises(TypeError) as e:
4357 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4358 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4359
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4360 with client_context.wrap_socket(socket.socket(),
4361 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4362 s.connect((HOST, server.port))
4363 # cannot set session after handshake
4364 with self.assertRaises(ValueError) as e:
4365 s.session = session
4366 self.assertEqual(str(e.exception),
4367 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4368
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4369 with client_context.wrap_socket(socket.socket(),
4370 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4371 # can set session before handshake and before the
4372 # connection was established
4373 s.session = session
4374 s.connect((HOST, server.port))
4375 self.assertEqual(s.session.id, session.id)
4376 self.assertEqual(s.session, session)
4377 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4378
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4379 with client_context2.wrap_socket(socket.socket(),
4380 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4381 # cannot re-use session with a different SSLContext
4382 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4383 s.session = session
4384 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4385 self.assertEqual(str(e.exception),
4386 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4387
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4388
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4389@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4390class TestPostHandshakeAuth(unittest.TestCase):
4391 def test_pha_setter(self):
4392 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4393 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4394 ]
4395 for protocol in protocols:
4396 ctx = ssl.SSLContext(protocol)
4397 self.assertEqual(ctx.post_handshake_auth, False)
4398
4399 ctx.post_handshake_auth = True
4400 self.assertEqual(ctx.post_handshake_auth, True)
4401
4402 ctx.verify_mode = ssl.CERT_REQUIRED
4403 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4404 self.assertEqual(ctx.post_handshake_auth, True)
4405
4406 ctx.post_handshake_auth = False
4407 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4408 self.assertEqual(ctx.post_handshake_auth, False)
4409
4410 ctx.verify_mode = ssl.CERT_OPTIONAL
4411 ctx.post_handshake_auth = True
4412 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4413 self.assertEqual(ctx.post_handshake_auth, True)
4414
4415 def test_pha_required(self):
4416 client_context, server_context, hostname = testing_context()
4417 server_context.post_handshake_auth = True
4418 server_context.verify_mode = ssl.CERT_REQUIRED
4419 client_context.post_handshake_auth = True
4420 client_context.load_cert_chain(SIGNED_CERTFILE)
4421
4422 server = ThreadedEchoServer(context=server_context, chatty=False)
4423 with server:
4424 with client_context.wrap_socket(socket.socket(),
4425 server_hostname=hostname) as s:
4426 s.connect((HOST, server.port))
4427 s.write(b'HASCERT')
4428 self.assertEqual(s.recv(1024), b'FALSE\n')
4429 s.write(b'PHA')
4430 self.assertEqual(s.recv(1024), b'OK\n')
4431 s.write(b'HASCERT')
4432 self.assertEqual(s.recv(1024), b'TRUE\n')
4433 # PHA method just returns true when cert is already available
4434 s.write(b'PHA')
4435 self.assertEqual(s.recv(1024), b'OK\n')
4436 s.write(b'GETCERT')
4437 cert_text = s.recv(4096).decode('us-ascii')
4438 self.assertIn('Python Software Foundation CA', cert_text)
4439
4440 def test_pha_required_nocert(self):
4441 client_context, server_context, hostname = testing_context()
4442 server_context.post_handshake_auth = True
4443 server_context.verify_mode = ssl.CERT_REQUIRED
4444 client_context.post_handshake_auth = True
4445
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4446 def msg_cb(conn, direction, version, content_type, msg_type, data):
4447 if support.verbose and content_type == _TLSContentType.ALERT:
4448 info = (conn, direction, version, content_type, msg_type, data)
4449 sys.stdout.write(f"TLS: {info!r}\n")
4450
4451 server_context._msg_callback = msg_cb
4452 client_context._msg_callback = msg_cb
4453
4454 server = ThreadedEchoServer(context=server_context, chatty=True)
4455 with server:
4456 with client_context.wrap_socket(socket.socket(),
4457 server_hostname=hostname) as s:
4458 s.connect((HOST, server.port))
4459 s.write(b'PHA')
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4460 # test sometimes fails with EOF error. Test passes as long as
4461 # server aborts connection with an error.
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4462 with self.assertRaisesRegex(
4463 ssl.SSLError,
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4464 '(certificate required|EOF occurred)'
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4465 ):
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4466 # receive CertificateRequest
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame^]4467 data = s.recv(1024)
4468 if not data:
4469 raise ssl.SSLError(1, "EOF occurred")
4470 self.assertEqual(data, b'OK\n')
4471
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4472 # send empty Certificate + Finish
4473 s.write(b'HASCERT')
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame^]4474
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4475 # receive alert
Miss Islington (bot)e5e93e62021-06-02 16:48:40 -0700[diff] [blame^]4476 data = s.recv(1024)
4477 if not data:
4478 raise ssl.SSLError(1, "EOF occurred")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4479
4480 def test_pha_optional(self):
4481 if support.verbose:
4482 sys.stdout.write("\n")
4483
4484 client_context, server_context, hostname = testing_context()
4485 server_context.post_handshake_auth = True
4486 server_context.verify_mode = ssl.CERT_REQUIRED
4487 client_context.post_handshake_auth = True
4488 client_context.load_cert_chain(SIGNED_CERTFILE)
4489
4490 # check CERT_OPTIONAL
4491 server_context.verify_mode = ssl.CERT_OPTIONAL
4492 server = ThreadedEchoServer(context=server_context, chatty=False)
4493 with server:
4494 with client_context.wrap_socket(socket.socket(),
4495 server_hostname=hostname) as s:
4496 s.connect((HOST, server.port))
4497 s.write(b'HASCERT')
4498 self.assertEqual(s.recv(1024), b'FALSE\n')
4499 s.write(b'PHA')
4500 self.assertEqual(s.recv(1024), b'OK\n')
4501 s.write(b'HASCERT')
4502 self.assertEqual(s.recv(1024), b'TRUE\n')
4503
4504 def test_pha_optional_nocert(self):
4505 if support.verbose:
4506 sys.stdout.write("\n")
4507
4508 client_context, server_context, hostname = testing_context()
4509 server_context.post_handshake_auth = True
4510 server_context.verify_mode = ssl.CERT_OPTIONAL
4511 client_context.post_handshake_auth = True
4512
4513 server = ThreadedEchoServer(context=server_context, chatty=False)
4514 with server:
4515 with client_context.wrap_socket(socket.socket(),
4516 server_hostname=hostname) as s:
4517 s.connect((HOST, server.port))
4518 s.write(b'HASCERT')
4519 self.assertEqual(s.recv(1024), b'FALSE\n')
4520 s.write(b'PHA')
4521 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4522 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4523 s.write(b'HASCERT')
4524 self.assertEqual(s.recv(1024), b'FALSE\n')
4525
4526 def test_pha_no_pha_client(self):
4527 client_context, server_context, hostname = testing_context()
4528 server_context.post_handshake_auth = True
4529 server_context.verify_mode = ssl.CERT_REQUIRED
4530 client_context.load_cert_chain(SIGNED_CERTFILE)
4531
4532 server = ThreadedEchoServer(context=server_context, chatty=False)
4533 with server:
4534 with client_context.wrap_socket(socket.socket(),
4535 server_hostname=hostname) as s:
4536 s.connect((HOST, server.port))
4537 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4538 s.verify_client_post_handshake()
4539 s.write(b'PHA')
4540 self.assertIn(b'extension not received', s.recv(1024))
4541
4542 def test_pha_no_pha_server(self):
4543 # server doesn't have PHA enabled, cert is requested in handshake
4544 client_context, server_context, hostname = testing_context()
4545 server_context.verify_mode = ssl.CERT_REQUIRED
4546 client_context.post_handshake_auth = True
4547 client_context.load_cert_chain(SIGNED_CERTFILE)
4548
4549 server = ThreadedEchoServer(context=server_context, chatty=False)
4550 with server:
4551 with client_context.wrap_socket(socket.socket(),
4552 server_hostname=hostname) as s:
4553 s.connect((HOST, server.port))
4554 s.write(b'HASCERT')
4555 self.assertEqual(s.recv(1024), b'TRUE\n')
4556 # PHA doesn't fail if there is already a cert
4557 s.write(b'PHA')
4558 self.assertEqual(s.recv(1024), b'OK\n')
4559 s.write(b'HASCERT')
4560 self.assertEqual(s.recv(1024), b'TRUE\n')
4561
4562 def test_pha_not_tls13(self):
4563 # TLS 1.2
4564 client_context, server_context, hostname = testing_context()
4565 server_context.verify_mode = ssl.CERT_REQUIRED
4566 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4567 client_context.post_handshake_auth = True
4568 client_context.load_cert_chain(SIGNED_CERTFILE)
4569
4570 server = ThreadedEchoServer(context=server_context, chatty=False)
4571 with server:
4572 with client_context.wrap_socket(socket.socket(),
4573 server_hostname=hostname) as s:
4574 s.connect((HOST, server.port))
4575 # PHA fails for TLS != 1.3
4576 s.write(b'PHA')
4577 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4578
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4579 def test_bpo37428_pha_cert_none(self):
4580 # verify that post_handshake_auth does not implicitly enable cert
4581 # validation.
4582 hostname = SIGNED_CERTFILE_HOSTNAME
4583 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4584 client_context.post_handshake_auth = True
4585 client_context.load_cert_chain(SIGNED_CERTFILE)
4586 # no cert validation and CA on client side
4587 client_context.check_hostname = False
4588 client_context.verify_mode = ssl.CERT_NONE
4589
4590 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4591 server_context.load_cert_chain(SIGNED_CERTFILE)
4592 server_context.load_verify_locations(SIGNING_CA)
4593 server_context.post_handshake_auth = True
4594 server_context.verify_mode = ssl.CERT_REQUIRED
4595
4596 server = ThreadedEchoServer(context=server_context, chatty=False)
4597 with server:
4598 with client_context.wrap_socket(socket.socket(),
4599 server_hostname=hostname) as s:
4600 s.connect((HOST, server.port))
4601 s.write(b'HASCERT')
4602 self.assertEqual(s.recv(1024), b'FALSE\n')
4603 s.write(b'PHA')
4604 self.assertEqual(s.recv(1024), b'OK\n')
4605 s.write(b'HASCERT')
4606 self.assertEqual(s.recv(1024), b'TRUE\n')
4607 # server cert has not been validated
4608 self.assertEqual(s.getpeercert(), {})
4609
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]4610 def test_internal_chain_client(self):
4611 client_context, server_context, hostname = testing_context(
4612 server_chain=False
4613 )
4614 server = ThreadedEchoServer(context=server_context, chatty=False)
4615 with server:
4616 with client_context.wrap_socket(
4617 socket.socket(),
4618 server_hostname=hostname
4619 ) as s:
4620 s.connect((HOST, server.port))
4621 vc = s._sslobj.get_verified_chain()
4622 self.assertEqual(len(vc), 2)
4623 ee, ca = vc
4624 uvc = s._sslobj.get_unverified_chain()
4625 self.assertEqual(len(uvc), 1)
4626
4627 self.assertEqual(ee, uvc[0])
4628 self.assertEqual(hash(ee), hash(uvc[0]))
4629 self.assertEqual(repr(ee), repr(uvc[0]))
4630
4631 self.assertNotEqual(ee, ca)
4632 self.assertNotEqual(hash(ee), hash(ca))
4633 self.assertNotEqual(repr(ee), repr(ca))
4634 self.assertNotEqual(ee.get_info(), ca.get_info())
4635 self.assertIn("CN=localhost", repr(ee))
4636 self.assertIn("CN=our-ca-server", repr(ca))
4637
4638 pem = ee.public_bytes(_ssl.ENCODING_PEM)
4639 der = ee.public_bytes(_ssl.ENCODING_DER)
4640 self.assertIsInstance(pem, str)
4641 self.assertIn("-----BEGIN CERTIFICATE-----", pem)
4642 self.assertIsInstance(der, bytes)
4643 self.assertEqual(
4644 ssl.PEM_cert_to_DER_cert(pem), der
4645 )
4646
4647 def test_internal_chain_server(self):
4648 client_context, server_context, hostname = testing_context()
4649 client_context.load_cert_chain(SIGNED_CERTFILE)
4650 server_context.verify_mode = ssl.CERT_REQUIRED
4651 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
4652
4653 server = ThreadedEchoServer(context=server_context, chatty=False)
4654 with server:
4655 with client_context.wrap_socket(
4656 socket.socket(),
4657 server_hostname=hostname
4658 ) as s:
4659 s.connect((HOST, server.port))
4660 s.write(b'VERIFIEDCHAIN\n')
4661 res = s.recv(1024)
4662 self.assertEqual(res, b'\x02\n')
4663 s.write(b'UNVERIFIEDCHAIN\n')
4664 res = s.recv(1024)
4665 self.assertEqual(res, b'\x02\n')
4666
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4667
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4668HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4669requires_keylog = unittest.skipUnless(
4670 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4671
4672class TestSSLDebug(unittest.TestCase):
4673
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4674 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4675 with open(fname) as f:
4676 return len(list(f))
4677
4678 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4679 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4680 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4681 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4682 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4683 self.assertEqual(ctx.keylog_filename, None)
4684
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4685 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4686 ctx.keylog_filename = os_helper.TESTFN
4687 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4688 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4689 self.assertEqual(self.keylog_lines(), 1)
4690
4691 ctx.keylog_filename = None
4692 self.assertEqual(ctx.keylog_filename, None)
4693
4694 with self.assertRaises((IsADirectoryError, PermissionError)):
4695 # Windows raises PermissionError
4696 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4697 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4698
4699 with self.assertRaises(TypeError):
4700 ctx.keylog_filename = 1
4701
4702 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4703 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4704 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4705 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4706 client_context, server_context, hostname = testing_context()
4707
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4708 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4709 server = ThreadedEchoServer(context=server_context, chatty=False)
4710 with server:
4711 with client_context.wrap_socket(socket.socket(),
4712 server_hostname=hostname) as s:
4713 s.connect((HOST, server.port))
4714 # header, 5 lines for TLS 1.3
4715 self.assertEqual(self.keylog_lines(), 6)
4716
4717 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4718 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4719 server = ThreadedEchoServer(context=server_context, chatty=False)
4720 with server:
4721 with client_context.wrap_socket(socket.socket(),
4722 server_hostname=hostname) as s:
4723 s.connect((HOST, server.port))
4724 self.assertGreaterEqual(self.keylog_lines(), 11)
4725
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4726 client_context.keylog_filename = os_helper.TESTFN
4727 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4728 server = ThreadedEchoServer(context=server_context, chatty=False)
4729 with server:
4730 with client_context.wrap_socket(socket.socket(),
4731 server_hostname=hostname) as s:
4732 s.connect((HOST, server.port))
4733 self.assertGreaterEqual(self.keylog_lines(), 21)
4734
4735 client_context.keylog_filename = None
4736 server_context.keylog_filename = None
4737
4738 @requires_keylog
4739 @unittest.skipIf(sys.flags.ignore_environment,
4740 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4741 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4742 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4743 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4744 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4745 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4746 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4747
4748 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4749 self.assertEqual(ctx.keylog_filename, None)
4750
4751 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4752 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4753
4754 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4755 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4756
4757 def test_msg_callback(self):
4758 client_context, server_context, hostname = testing_context()
4759
4760 def msg_cb(conn, direction, version, content_type, msg_type, data):
4761 pass
4762
4763 self.assertIs(client_context._msg_callback, None)
4764 client_context._msg_callback = msg_cb
4765 self.assertIs(client_context._msg_callback, msg_cb)
4766 with self.assertRaises(TypeError):
4767 client_context._msg_callback = object()
4768
4769 def test_msg_callback_tls12(self):
4770 client_context, server_context, hostname = testing_context()
4771 client_context.options |= ssl.OP_NO_TLSv1_3
4772
4773 msg = []
4774
4775 def msg_cb(conn, direction, version, content_type, msg_type, data):
4776 self.assertIsInstance(conn, ssl.SSLSocket)
4777 self.assertIsInstance(data, bytes)
4778 self.assertIn(direction, {'read', 'write'})
4779 msg.append((direction, version, content_type, msg_type))
4780
4781 client_context._msg_callback = msg_cb
4782
4783 server = ThreadedEchoServer(context=server_context, chatty=False)
4784 with server:
4785 with client_context.wrap_socket(socket.socket(),
4786 server_hostname=hostname) as s:
4787 s.connect((HOST, server.port))
4788
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4789 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4790 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4791 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4792 msg
4793 )
4794 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4795 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4796 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4797 msg
4798 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4799
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4800 def test_msg_callback_deadlock_bpo43577(self):
4801 client_context, server_context, hostname = testing_context()
4802 server_context2 = testing_context()[1]
4803
4804 def msg_cb(conn, direction, version, content_type, msg_type, data):
4805 pass
4806
4807 def sni_cb(sock, servername, ctx):
4808 sock.context = server_context2
4809
4810 server_context._msg_callback = msg_cb
4811 server_context.sni_callback = sni_cb
4812
4813 server = ThreadedEchoServer(context=server_context, chatty=False)
4814 with server:
4815 with client_context.wrap_socket(socket.socket(),
4816 server_hostname=hostname) as s:
4817 s.connect((HOST, server.port))
4818 with client_context.wrap_socket(socket.socket(),
4819 server_hostname=hostname) as s:
4820 s.connect((HOST, server.port))
4821
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4822
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]4823class TestEnumerations(unittest.TestCase):
4824
4825 def test_tlsversion(self):
4826 class CheckedTLSVersion(enum.IntEnum):
4827 MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
4828 SSLv3 = _ssl.PROTO_SSLv3
4829 TLSv1 = _ssl.PROTO_TLSv1
4830 TLSv1_1 = _ssl.PROTO_TLSv1_1
4831 TLSv1_2 = _ssl.PROTO_TLSv1_2
4832 TLSv1_3 = _ssl.PROTO_TLSv1_3
4833 MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
4834 enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
4835
4836 def test_tlscontenttype(self):
4837 class Checked_TLSContentType(enum.IntEnum):
4838 """Content types (record layer)
4839
4840 See RFC 8446, section B.1
4841 """
4842 CHANGE_CIPHER_SPEC = 20
4843 ALERT = 21
4844 HANDSHAKE = 22
4845 APPLICATION_DATA = 23
4846 # pseudo content types
4847 HEADER = 0x100
4848 INNER_CONTENT_TYPE = 0x101
4849 enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
4850
4851 def test_tlsalerttype(self):
4852 class Checked_TLSAlertType(enum.IntEnum):
4853 """Alert types for TLSContentType.ALERT messages
4854
4855 See RFC 8466, section B.2
4856 """
4857 CLOSE_NOTIFY = 0
4858 UNEXPECTED_MESSAGE = 10
4859 BAD_RECORD_MAC = 20
4860 DECRYPTION_FAILED = 21
4861 RECORD_OVERFLOW = 22
4862 DECOMPRESSION_FAILURE = 30
4863 HANDSHAKE_FAILURE = 40
4864 NO_CERTIFICATE = 41
4865 BAD_CERTIFICATE = 42
4866 UNSUPPORTED_CERTIFICATE = 43
4867 CERTIFICATE_REVOKED = 44
4868 CERTIFICATE_EXPIRED = 45
4869 CERTIFICATE_UNKNOWN = 46
4870 ILLEGAL_PARAMETER = 47
4871 UNKNOWN_CA = 48
4872 ACCESS_DENIED = 49
4873 DECODE_ERROR = 50
4874 DECRYPT_ERROR = 51
4875 EXPORT_RESTRICTION = 60
4876 PROTOCOL_VERSION = 70
4877 INSUFFICIENT_SECURITY = 71
4878 INTERNAL_ERROR = 80
4879 INAPPROPRIATE_FALLBACK = 86
4880 USER_CANCELED = 90
4881 NO_RENEGOTIATION = 100
4882 MISSING_EXTENSION = 109
4883 UNSUPPORTED_EXTENSION = 110
4884 CERTIFICATE_UNOBTAINABLE = 111
4885 UNRECOGNIZED_NAME = 112
4886 BAD_CERTIFICATE_STATUS_RESPONSE = 113
4887 BAD_CERTIFICATE_HASH_VALUE = 114
4888 UNKNOWN_PSK_IDENTITY = 115
4889 CERTIFICATE_REQUIRED = 116
4890 NO_APPLICATION_PROTOCOL = 120
4891 enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
4892
4893 def test_tlsmessagetype(self):
4894 class Checked_TLSMessageType(enum.IntEnum):
4895 """Message types (handshake protocol)
4896
4897 See RFC 8446, section B.3
4898 """
4899 HELLO_REQUEST = 0
4900 CLIENT_HELLO = 1
4901 SERVER_HELLO = 2
4902 HELLO_VERIFY_REQUEST = 3
4903 NEWSESSION_TICKET = 4
4904 END_OF_EARLY_DATA = 5
4905 HELLO_RETRY_REQUEST = 6
4906 ENCRYPTED_EXTENSIONS = 8
4907 CERTIFICATE = 11
4908 SERVER_KEY_EXCHANGE = 12
4909 CERTIFICATE_REQUEST = 13
4910 SERVER_DONE = 14
4911 CERTIFICATE_VERIFY = 15
4912 CLIENT_KEY_EXCHANGE = 16
4913 FINISHED = 20
4914 CERTIFICATE_URL = 21
4915 CERTIFICATE_STATUS = 22
4916 SUPPLEMENTAL_DATA = 23
4917 KEY_UPDATE = 24
4918 NEXT_PROTO = 67
4919 MESSAGE_HASH = 254
4920 CHANGE_CIPHER_SPEC = 0x0101
4921 enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
4922
4923 def test_sslmethod(self):
4924 Checked_SSLMethod = enum._old_convert_(
4925 enum.IntEnum, '_SSLMethod', 'ssl',
4926 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4927 source=ssl._ssl,
4928 )
4929 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4930
4931 def test_options(self):
4932 CheckedOptions = enum._old_convert_(
4933 enum.FlagEnum, 'Options', 'ssl',
4934 lambda name: name.startswith('OP_'),
4935 source=ssl._ssl,
4936 )
4937 enum._test_simple_enum(CheckedOptions, ssl.Options)
4938
4939
4940 def test_alertdescription(self):
4941 CheckedAlertDescription = enum._old_convert_(
4942 enum.IntEnum, 'AlertDescription', 'ssl',
4943 lambda name: name.startswith('ALERT_DESCRIPTION_'),
4944 source=ssl._ssl,
4945 )
4946 enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
4947
4948 def test_sslerrornumber(self):
4949 Checked_SSLMethod = enum._old_convert_(
4950 enum.IntEnum, '_SSLMethod', 'ssl',
4951 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4952 source=ssl._ssl,
4953 )
4954 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4955
4956 def test_verifyflags(self):
4957 CheckedVerifyFlags = enum._old_convert_(
4958 enum.FlagEnum, 'VerifyFlags', 'ssl',
4959 lambda name: name.startswith('VERIFY_'),
4960 source=ssl._ssl,
4961 )
4962 enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
4963
4964 def test_verifymode(self):
4965 CheckedVerifyMode = enum._old_convert_(
4966 enum.IntEnum, 'VerifyMode', 'ssl',
4967 lambda name: name.startswith('CERT_'),
4968 source=ssl._ssl,
4969 )
4970 enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
4971
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4972def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4973 if support.verbose:
4974 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4975 'Mac': platform.mac_ver,
4976 'Windows': platform.win32_ver,
4977 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]4978 for name, func in plats.items():
4979 plat = func()
4980 if plat and plat[0]:
4981 plat = '%s %r' % (name, plat)
4982 break
4983 else:
4984 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4985 print("test_ssl: testing with %r %r" %
4986 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
4987 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]4988 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]4989 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
4990 try:
4991 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
4992 except AttributeError:
4993 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4994
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4995 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4996 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4997 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4998 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4999 BADCERT, BADKEY, EMPTYCERT]:
5000 if not os.path.exists(filename):
5001 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]5002
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]5003 tests = [
5004 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]5005 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5006 TestPostHandshakeAuth, TestSSLDebug
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]5007 ]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5008
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]5009 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]5010 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5011
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]5012 thread_info = threading_helper.threading_setup()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]5013 try:
5014 support.run_unittest(*tests)
5015 finally:
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]5016 threading_helper.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5017
5018if __name__ == "__main__":
5019 test_main()