path: root/Lib/test/test_ssl.py
Commit message | Author | Age | Files | Lines
* [2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13253) | Gregory P. Smith | 2019-05-13 | 1 | -0/+33
  Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.
  (cherry picked from commit 2cc0223)
  Changes to test_ssl.py required as 2.7 has legacy protocol tests. The test_httplib.py change is omitted from this backport as self-signed.pythontest.net's certificate was updated and the test_nntplib.py change is not applicable on 2.7.
  Authored-by: Gregory P. Smith greg@krypto.org
* [2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876) | stratakis | 2019-02-15 | 1 | -19/+43
  Backport of TLS 1.3 related fixes from 3.7.
  Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2.
  OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack, and CPython's test suite needs it to verify default options.
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826)
* Fixup from test_ssl test_default_ecdh_curve (GH-11877) | stratakis | 2019-02-15 | 1 | -0/+3
  Partial backport from cb5b68abdeb1b1d56c581d5b4d647018703d61e3
  Co-authored-by: Christian Heimes <christian@python.org>
* [2.7] bpo-28043: improved default settings for SSLContext (GH-10608) | stratakis | 2019-02-15 | 1 | -30/+35
  The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
  (cherry picked from commit 358cfd426ccc0fcd6a7940d306602138e76420ae)
* [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760) (GH-10607) | stratakis | 2019-02-15 | 1 | -16/+21
  Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 ciphers enabled by default.
  Also update multissltests to test with latest OpenSSL.
  Signed-off-by: Christian Heimes <christian@python.org>.
  (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
  Co-authored-by: Christian Heimes <christian@python.org>
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) | Miss Islington (bot) | 2019-01-15 | 1 | -0/+22
  Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault.
  Signed-off-by: Christian Heimes <christian@python.org>
  https://bugs.python.org/issue35746
  (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
  Co-authored-by: Christian Heimes <christian@python.org>
* [2.7] bpo-33023: Fix NotImplemented to NotImplementedError. (GH-10934). (GH-11001) (GH-11008) | Serhiy Storchaka | 2018-12-07 | 1 | -0/+2
  (cherry picked from commit 42b1d6127bd8595522a78a75166ebb9fba74a6a2)
  (cherry picked from commit 7a2cf1e7d3bf300e98c702589d405734f4a8fcf8)
* [2.7] bpo-34542: Update test certs and keys (GH-8997) (GH-9397) | Christian Heimes | 2018-09-20 | 1 | -3/+3
  Update all test certs and keys to use future proof crypto settings:
  * 3072 bit RSA keys
  * SHA-256 signature
  Signed-off-by: Christian Heimes <christian@python.org>.
  (cherry picked from commit e6dac0077996b1e1f886f036d6f2606237fa4c85)
  https://bugs.python.org/issue34542
* [2.7] bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8765) | Christian Heimes | 2018-08-14 | 1 | -7/+7
  Downstream vendors have started to deprecate weak keys. Update all RSA keys and DH params to use at least 2048 bits.
  Finite field DH param file uses RFC 7919 values, generated with
    certtool --get-dh-params --sec-param=high
  Signed-off-by: Christian Heimes <christian@python.org>.
  (cherry picked from commit 88bfd0bce05043f658e50addd21366f317995e35)
  Co-authored-by: Christian Heimes <christian@python.org>
* bpo-33354: Fix test_ssl when a filename cannot be encoded (GH-6613) | Pablo Galindo | 2018-05-25 | 1 | -1/+8
  Skip test_load_dh_params() of test_ssl when Python filesystem encoding cannot encode the provided path.
* bpo-25404: SSLContext.load_dh_params() non-ASCII path (GH-3459) | Christian Heimes | 2018-02-25 | 1 | -1/+5
  SSLContext.load_dh_params() now supports non-ASCII path.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-31518: Change TLS protocol for Debian (#3661) | Christian Heimes | 2018-02-25 | 1 | -1/+1
  Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make them pass on Debian.
  Signed-off-by: Christian Heimes <christian@python.org>
* [2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446) | Christian Heimes | 2017-09-07 | 1 | -0/+25
  * bpo-29136: Add TLS 1.3 support
  TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, the TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites.
  Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt out from TLS 1.3 now.
  Signed-off-by: Christian Heimes <christian@python.org>.
  (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
* [2.7] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297) (#3301) | Christian Heimes | 2017-09-04 | 1 | -28/+0
  * bpo-25674: remove sha256.tbs-internet.com ssl test (#3297)
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 002d64039b60c1a9289f981fe73a5cf91d082136)
  * [2.7] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297)
  Signed-off-by: Christian Heimes <christian@python.org>.
  (cherry picked from commit 002d64039b60c1a9289f981fe73a5cf91d082136)
* [2.7] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#3094) | Christian Heimes | 2017-08-15 | 1 | -2/+3
  OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that. The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN callback can pretend not to have been set.
  See https://github.com/openssl/openssl/pull/3158 for more details
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit a5c1bab352671e043645163ca50c5211aa657acd)
* bpo-30199: test_ssl closes all asyncore channels (#1381) (#1408) | Victor Stinner | 2017-05-03 | 1 | -0/+2
  AsyncoreEchoServer of test_ssl now calls asyncore.close_all(ignore_all=True) to ensure that asyncore.socket_map is cleared once the test completes, even if ConnectionHandler was not correctly unregistered.
  Fix the following warning:
    Warning -- asyncore.socket_map was modified by test_ssl
    Before: {}
    After: {6: <test.test_ssl.AsyncoreEchoServer.EchoServer.ConnectionHandler>}
  (cherry picked from commit 1dae7450c68bad498e57800387b24cb103c461fa)
* bpo-26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test. (GH-374) | Xiang Zhang | 2017-03-01 | 1 | -1/+2
* Issue #28221: Remove unused assignment from test_asyncore_server() | Martin Panter | 2016-09-23 | 1 | -2/+0
  The later value of FOO is fine. The test just needs to verify that the server converted it to lowercase.
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. | Christian Heimes | 2016-09-06 | 1 | -0/+23
* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. | Christian Heimes | 2016-09-05 | 1 | -26/+40
* Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF | Martin Panter | 2016-07-11 | 1 | -8/+21
* Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes | Martin Panter | 2016-03-28 | 1 | -1/+8
* Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() | Martin Panter | 2016-03-27 | 1 | -0/+11
* Issue #23857: Implement PEP 493 | Nick Coghlan | 2016-03-20 | 1 | -0/+52
  Adds a Python-2-only ssl module API and environment variable to configure the default handling of SSL/TLS certificates for HTTPS connections.
* Issue #26173: Separate bad cert file tests and client rejection test | Martin Panter | 2016-02-01 | 1 | -40/+54
  Test test_wrong_cert() runs a server that rejects the client's certificate, so ECONNRESET is reasonable in addition to SSLError. On the other hand, the other three tests don't even need to run a server because they are just testing the parsing of invalid certificate files.
  This should fix intermittent failures on Windows where ECONNRESET was not being caught.
* Issue #26173: Fix test_ssl confusion with non-existing cert and wrongcert.pem | Martin Panter | 2016-01-30 | 1 | -14/+11
  Testing for a non-existing certificate file is already done in test_errors(). The wrongcert.pem test was originally testing behaviour with a mismatched certificate.
* Issue #25940: Use self-signed.pythontest.net in SSL tests | Martin Panter | 2016-01-15 | 1 | -51/+56
  This is instead of svn.python.org, whose certificate recently expired, and whose new certificate uses a different root certificate.
  The certificate used at the pythontest server was modified to set the "basic constraints" CA flag. This flag seems to be required for test_get_ca_certs_capath() to work.
  Added the new self-signed certificate to capath with the following commands:
    cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
    c_rehash -v Lib/test/capath/
    c_rehash -v -old Lib/test/capath/
    # Note the generated file names
    cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
    mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}
  When attempting to connect to port 444 on the new server, the resulting error code is EHOSTUNREACH on Linux, and ETIMEDOUT on Windows.
* always set OP_NO_SSLv3 by default (closes #25530) | Benjamin Peterson | 2015-11-11 | 1 | -9/+9
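The hardened defaults described in the bpo-28043 entry above (OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_NO_SSLv3 and a HIGH-only cipher list with no NULL or MD5 suites), the OP_NO_TLSv1_3 opt-out from bpo-29136, and the unconditional OP_NO_SSLv3 from #25530 can all be checked on a live context rather than trusted. The block below is an added example, not code from CPython or from test_ssl.py; it uses the public ssl module API on Python 3 (get_ciphers() and TLSVersion are not in 2.7, which would need the option flags only), and the helper names missing_options, weak_ciphers, harden and disable_tls13 are my own. OP_NO_SSLv2, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE are deliberately not audited: OpenSSL 1.1.0+ defines them as 0 (the behaviour is always on), so a bitmask test against them proves nothing.

```python
import ssl

# Option bits that bpo-28043 / #25530 turn on by default and that are
# still meaningful (non-zero) on current OpenSSL.
REQUIRED_OPTIONS = {
    "OP_NO_SSLv3": ssl.OP_NO_SSLv3,
    "OP_NO_COMPRESSION": ssl.OP_NO_COMPRESSION,
    "OP_CIPHER_SERVER_PREFERENCE": ssl.OP_CIPHER_SERVER_PREFERENCE,
}

# Substrings that identify NULL/anonymous ciphers and MD5 MACs in
# OpenSSL cipher names; none of these may be enabled on a hardened context.
FORBIDDEN_CIPHER_FRAGMENTS = ("NULL", "MD5", "ADH", "AECDH")


def make_context(weak=False):
    """Build a client context; with weak=True, re-enable TLS compression
    (CRIME) to simulate an interpreter without the bpo-28043 defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if weak:
        ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def missing_options(ctx):
    """Names of REQUIRED_OPTIONS not set on ctx; empty means hardened."""
    return [name for name, flag in REQUIRED_OPTIONS.items()
            if not (ctx.options & flag)]


def weak_ciphers(ctx):
    """Enabled cipher names that match a forbidden fragment."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(frag in c["name"] for frag in FORBIDDEN_CIPHER_FRAGMENTS)]


def harden(ctx):
    """Apply the bpo-28043 defaults where absent. Returns the option names
    that had to be added, so a caller can log what the platform lacked."""
    added = missing_options(ctx)
    for name in added:
        ctx.options |= REQUIRED_OPTIONS[name]
    if weak_ciphers(ctx):
        # Same shape as the bpo-28043 default: HIGH only, no NULL, no MD5.
        ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    return added


def disable_tls13(ctx):
    """Opt out of TLS 1.3 as bpo-29136 allows. Prefer maximum_version where
    the interpreter has it; fall back to the OP_NO_TLSv1_3 flag, which is 0
    (a no-op) on OpenSSL older than 1.1.1, so verify the effect rather than
    assuming it. Returns True only if TLS 1.3 is actually excluded."""
    if hasattr(ssl, "TLSVersion"):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        return ctx.maximum_version == ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_TLSv1_3
    return bool(ctx.options & ssl.OP_NO_TLSv1_3)


if __name__ == "__main__":
    weak = make_context(weak=True)
    print("missing before harden:", missing_options(weak))
    print("added by harden:", harden(weak))
    print("missing after harden:", missing_options(weak))
    print("weak ciphers:", weak_ciphers(weak))
    print("TLS 1.3 disabled:", disable_tls13(weak))
```

Run it against each interpreter and OpenSSL build you deploy on: a non-empty list from harden() on a fresh context is the sign that the platform does not carry these defaults and that application code, not the library, has to set them.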
* replace 512 bit dh key with a 2014 bit one (closes #23844) | Benjamin Peterson | 2015-04-02 | 1 | -1/+1
  Patch by Cédric Krier.
* adjust test_crl_check for trusted first being default | Benjamin Peterson | 2015-03-04 | 1 | -1/+2
* expose X509_V_FLAG_TRUSTED_FIRST | Benjamin Peterson | 2015-03-04 | 1 | -2/+3
* Issue #23345: Prevent test_ssl failures with large OpenSSL patch level values (like 0.9.8zc). | Ned Deily | 2015-02-05 | 1 | -1/+1
* Avoid deprecation warnings. | Serhiy Storchaka | 2015-01-31 | 1 | -1/+1
* prefer server alpn ordering over the client's | Benjamin Peterson | 2015-01-23 | 1 | -2/+2
* pep 466 backport of alpn (#20188) | Benjamin Peterson | 2015-01-23 | 1 | -4/+60
* Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. | Victor Stinner | 2015-01-06 | 1 | -2/+3
  The availability of the function is checked during the compilation. Patch written by Bernard Spil.
* allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935) | Benjamin Peterson | 2014-12-05 | 1 | -7/+16
  Patch by Kurt Roeckx.
* allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921) | Benjamin Peterson | 2014-11-23 | 1 | -6/+2
  Patch from Donald Stufft.
* remove py3k warning guard | Benjamin Peterson | 2014-11-23 | 1 | -2/+1
* allow passing cert/ssl information to urllib2.urlopen and httplib.HTTPSConnection | Benjamin Peterson | 2014-11-23 | 1 | -4/+5
  This is basically a backport of issues #9003 and #22366.
* test that keyfile can be None | Benjamin Peterson | 2014-11-03 | 1 | -1/+1
* separate cert loading tests into Windows and non-Windows cases | Benjamin Peterson | 2014-10-03 | 1 | -0/+15
* also use openssl envvars to find certs on windows (closes #22449) | Benjamin Peterson | 2014-10-03 | 1 | -0/+8
  Patch by Christian Heimes and Alex Gaynor.
* fix sslwrap_simple (closes #22523) | Benjamin Peterson | 2014-10-01 | 1 | -1/+3
  Thanks Alex Gaynor.
* Issue #22340: Fix Python 3 warnings in Python 2 tests | Victor Stinner | 2014-09-05 | 1 | -1/+2
* Issue #20421: Add a .version() method to SSL sockets exposing the actual protocol version in use. | Alex Gaynor | 2014-09-04 | 1 | -20/+47
  Backport from default.
* fix load_verify_locations on unicode paths (closes #22244) | Benjamin Peterson | 2014-08-28 | 1 | -0/+3
* allow any socket error for rude shutdown test | Benjamin Peterson | 2014-08-20 | 1 | -1/+1
* backport many ssl features from Python 3 (closes #21308) | Benjamin Peterson | 2014-08-20 | 1 | -552/+2043
  A contribution of Alex Gaynor and David Reid with the generous support of Rackspace. May God have mercy on their souls.
* Issue #21976: Fix test_ssl to accept LibreSSL version strings. | Antoine Pitrou | 2014-07-21 | 1 | -6/+10
  Thanks to William Orr.