diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2019-06-30 23:51:40 -0700 |
|---|---|---|
| committer | Ned Deily <nad@python.org> | 2019-07-01 22:27:58 -0400 |
| commit | 5b45fb0a449543fab6e7b606e51b739cb316d3c4 (patch) | |
| tree | faddc0122ba3e2179cd945341d49e6d341be67f8 /Lib | |
| parent | 3e24dd52bba863fce4f3c6a34ca9f813666ed181 (diff) | |
| download | cpython-git-5b45fb0a449543fab6e7b606e51b739cb316d3c4.tar.gz | |
[3.7] bpo-37428: Don't set PHA verify flag on client side (GH-14421) (GH-14493)
SSLContext.post_handshake_auth = True no longer sets
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
option is documented as ignored for clients, OpenSSL implicitly enables cert
chain validation when the flag is set.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37428
(cherry picked from commit f0f5930ac88482ef896283db5be9b8d508d077db)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37428
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/test/test_ssl.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 73b6bdf01e..86f790b4a2 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4437,6 +4437,37 @@ class TestPostHandshakeAuth(unittest.TestCase): s.write(b'PHA') self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024)) + def test_bpo37428_pha_cert_none(self): + # verify that post_handshake_auth does not implicitly enable cert + # validation. + hostname = SIGNED_CERTFILE_HOSTNAME + client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + client_context.post_handshake_auth = True + client_context.load_cert_chain(SIGNED_CERTFILE) + # no cert validation and CA on client side + client_context.check_hostname = False + client_context.verify_mode = ssl.CERT_NONE + + server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + server_context.load_cert_chain(SIGNED_CERTFILE) + server_context.load_verify_locations(SIGNING_CA) + server_context.post_handshake_auth = True + server_context.verify_mode = ssl.CERT_REQUIRED + + server = ThreadedEchoServer(context=server_context, chatty=False) + with server: + with client_context.wrap_socket(socket.socket(), + server_hostname=hostname) as s: + s.connect((HOST, server.port)) + s.write(b'HASCERT') + self.assertEqual(s.recv(1024), b'FALSE\n') + s.write(b'PHA') + self.assertEqual(s.recv(1024), b'OK\n') + s.write(b'HASCERT') + self.assertEqual(s.recv(1024), b'TRUE\n') + # server cert has not been validated + self.assertEqual(s.getpeercert(), {}) + def test_main(verbose=False): if support.verbose: |