author | Christian Heimes <christian@python.org> | 2018-02-24 23:45:24 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-24 23:45:24 (GMT) |
commit | aab225840360719516eca55a7a69cfee45aee2af (patch) | |
tree | 3ddac4750f35272d110d4d5174e8e27c96ad93ab | |
parent | 980790eee0c804061a49b8ad7373e4669b48f2ec (diff) | |
bpo-31518: Change TLS protocol for Debian (#3660)
Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change
TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to
make them pass on Debian.
Signed-off-by: Christian Heimes <christian@python.org>
-rw-r--r-- | Lib/test/test_ftplib.py | 6 | ||||
-rw-r--r-- | Lib/test/test_httplib.py | 8 | ||||
-rw-r--r-- | Lib/test/test_poplib.py | 4 | ||||
-rw-r--r-- | Lib/test/test_ssl.py | 4 | ||||
-rw-r--r-- | Lib/test/test_urllib2_localnet.py | 2 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst | 3 |
6 files changed, 15 insertions, 12 deletions
diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index b593313..44dd73a 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -908,11 +908,11 @@ class TestTLS_FTPClass(TestCase): self.client.auth() self.assertRaises(ValueError, self.client.auth) finally: - self.client.ssl_version = ssl.PROTOCOL_TLSv1 + self.client.ssl_version = ssl.PROTOCOL_TLS def test_context(self): self.client.quit() - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) self.assertRaises(ValueError, ftplib.FTP_TLS, keyfile=CERTFILE, context=ctx) self.assertRaises(ValueError, ftplib.FTP_TLS, certfile=CERTFILE, @@ -941,7 +941,7 @@ class TestTLS_FTPClass(TestCase): def test_check_hostname(self): self.client.quit() - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = True ctx.load_verify_locations(CAFILE) diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index 68f6946..64d6e43 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -1583,7 +1583,7 @@ class HTTPSTest(TestCase): import ssl support.requires('network') with support.transient_internet('self-signed.pythontest.net'): - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_selfsigned_pythontestdotnet) h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context) @@ -1599,7 +1599,7 @@ class HTTPSTest(TestCase): import ssl support.requires('network') with support.transient_internet('self-signed.pythontest.net'): - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_localhost) h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context) 
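Review bot: The `finally:` branch in the `@@ -908` hunk of test_ftplib.py restores `self.client.ssl_version` to a hard-coded constant, so the cleanup value has to be edited by hand whenever the protocol policy changes, which is what this commit had to do. Saving the value before the test overrides it and restoring that, e.g. `old_version = self.client.ssl_version` ahead of the `try:` and `self.client.ssl_version = old_version` in the `finally:`, would keep the cleanup correct whatever the client's default is. The `try:` opens above the hunk, so the value assigned there is not visible here.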
@@ -1620,7 +1620,7 @@ class HTTPSTest(TestCase): # The (valid) cert validates the HTTP hostname import ssl server = self.make_server(CERT_localhost) - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_localhost) h = client.HTTPSConnection('localhost', server.port, context=context) @@ -1634,7 +1634,7 @@ class HTTPSTest(TestCase): # The (valid) cert doesn't validate the HTTP hostname import ssl server = self.make_server(CERT_fakehostname) - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = True context.load_verify_locations(CERT_fakehostname) diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py index 1269199..608eac5 100644 --- a/Lib/test/test_poplib.py +++ b/Lib/test/test_poplib.py @@ -352,7 +352,7 @@ class TestPOP3Class(TestCase): @requires_ssl def test_stls_context(self): expected = b'+OK Begin TLS negotiation' - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) ctx.load_verify_locations(CAFILE) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = True @@ -392,7 +392,7 @@ class TestPOP3_SSLClass(TestPOP3Class): self.assertIn('POP3_SSL', poplib.__all__) def test_context(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) self.assertRaises(ValueError, poplib.POP3_SSL, self.server.host, self.server.port, keyfile=CERTFILE, context=ctx) self.assertRaises(ValueError, poplib.POP3_SSL, self.server.host, diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index daffaf7..8dd3b41 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
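Review bot: In the `@@ -1620` hunk of test_httplib.py the comment says the certificate validates the HTTP hostname, but the visible setup only sets `verify_mode = ssl.CERT_REQUIRED` and never turns on hostname matching. A context built with `ssl.SSLContext(ssl.PROTOCOL_TLS)` has `check_hostname` off by default, so unless `HTTPSConnection` enables it elsewhere (not visible here) the test passes on chain validation alone. Adding `context.check_hostname = True` after the `verify_mode` line, as the `@@ -1634` hunk already does, would make the test exercise what its comment describes. The test body continues past the hunk.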
@@ -1689,7 +1689,7 @@ class SimpleBackgroundTests(unittest.TestCase): @needs_sni def test_context_setget(self): # Check that the context of a connected socket can be replaced. - ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23) s = socket.socket(socket.AF_INET) with ctx1.wrap_socket(s) as ss: @@ -1986,7 +1986,7 @@ if _have_threads: else: self.context = ssl.SSLContext(ssl_version if ssl_version is not None - else ssl.PROTOCOL_TLSv1) + else ssl.PROTOCOL_TLS) self.context.verify_mode = (certreqs if certreqs is not None else ssl.CERT_NONE) if cacerts: diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py index f83f9cc..9d9ec87 100644 --- a/Lib/test/test_urllib2_localnet.py +++ b/Lib/test/test_urllib2_localnet.py @@ -598,7 +598,7 @@ class TestUrlopen(unittest.TestCase): def cb_sni(ssl_sock, server_name, initial_context): nonlocal sni_name sni_name = server_name - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.set_servername_callback(cb_sni) handler = self.start_https_server(context=context, certfile=CERT_localhost) context = ssl.create_default_context(cafile=CERT_localhost) diff --git a/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst b/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst new file mode 100644 index 0000000..7378df0 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst @@ -0,0 +1,3 @@ +Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change +TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make +them pass on Debian. |
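Review bot: Pinning `ctx1` to `ssl.PROTOCOL_TLSv1_2` in the `@@ -1689` hunk of test_ssl.py repeats the fragility this commit is fixing, because the test fails again on any platform whose policy drops that one version. The visible comment says the test checks that a connected socket's context can be replaced, which does not appear to need a fixed protocol version, so `ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS)` looks sufficient; if a fixed version is required, a short comment saying why would help. `ctx2` on the next line still uses `ssl.PROTOCOL_SSLv23`, a deprecated alias of `ssl.PROTOCOL_TLS`, and could be updated in the same change. The test body continues outside the hunk.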
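Review bot: The fallback changed in the `@@ -1986` hunk of test_ssl.py is the default for every caller that builds this helper without `ssl_version`, and nothing at the site records that the default is now a negotiating protocol rather than a fixed version. A comment above the assignment such as `# Default negotiates the highest version both peers allow; pass ssl_version to pin one.` would tell test authors that assertions about a specific protocol version need an explicit argument. The same comment could note that `certreqs` falls back to `ssl.CERT_NONE`, so the default context requests no peer certificate. The enclosing constructor starts and ends outside the hunk.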
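Review bot: In the `@@ -598` hunk of test_urllib2_localnet.py the name `context` is bound first to the server-side context that carries the SNI callback and then rebound two lines later to the verifying client context from `ssl.create_default_context(cafile=CERT_localhost)`. Reusing one name for both roles makes it easy to misread which side has certificate verification enabled. Distinct names would make that explicit, e.g. `server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)` passed as `self.start_https_server(context=server_context, certfile=CERT_localhost)`, with the later binding renamed to `client_context`. The test function begins and continues outside the hunk, so later uses of `context` would need the same rename.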