author | Christian Heimes <christian@python.org> | 2018-01-27 14:51:38 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-27 14:51:38 (GMT) |
commit | 61d478c71c5341cdc54e6bfb4ace4252852fd972 (patch) | |
tree | 5ad17242b4c341df03664ee5cde87cdb80b0ee50 /Lib/test/test_ssl.py | |
parent | 746cc75541f31278864a10b995e7d009bd2ff053 (diff) | |
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL's special leading-dot mode, in which ".example.org" matches "www.example.org". That behaviour is not standards-conformant.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Lib/test/test_ssl.py')
-rw-r--r-- | Lib/test/test_ssl.py | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index e3fa423..fdf727f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -988,6 +988,19 @@ class ContextTests(unittest.TestCase):
 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
 self.assertTrue(ctx.check_hostname)
 
+ def test_hostname_checks_common_name(self):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ self.assertTrue(ctx.hostname_checks_common_name)
+ if ssl.HAS_NEVER_CHECK_COMMON_NAME:
+ ctx.hostname_checks_common_name = True
+ self.assertTrue(ctx.hostname_checks_common_name)
+ ctx.hostname_checks_common_name = False
+ self.assertFalse(ctx.hostname_checks_common_name)
+ ctx.hostname_checks_common_name = True
+ self.assertTrue(ctx.hostname_checks_common_name)
+ else:
+ with self.assertRaises(AttributeError):
+ ctx.hostname_checks_common_name = True
 
 @unittest.skipUnless(have_verify_flags(),
 "verify_flags need OpenSSL > 0.9.8")
@@ -1511,6 +1524,16 @@ class SSLErrorTests(unittest.TestCase):
 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
 server_hostname="xn--.com")
 
+ def test_bad_server_hostname(self):
+ ctx = ssl.create_default_context()
+ with self.assertRaises(ValueError):
+ ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
+ server_hostname="")
+ with self.assertRaises(ValueError):
+ ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
+ server_hostname=".example.org")
+
+
 class MemoryBIOTests(unittest.TestCase):
 
 def test_read_write(self):
@@ -2536,8 +2559,9 @@ class ThreadedTests(unittest.TestCase):
 with server:
 with client_context.wrap_socket(socket.socket(),
 server_hostname="invalid") as s:
- with self.assertRaisesRegex(ssl.CertificateError,
- "hostname 'invalid' doesn't match 'localhost'"):
+ with self.assertRaisesRegex(
+ ssl.CertificateError,
+ "Hostname mismatch, certificate is not valid for 'invalid'."):
 s.connect((HOST, server.port))
 
 # missing server_hostname arg should cause an exception, too
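Review bot: test_hostname_checks_common_name only round-trips the attribute; nothing in the hunk checks that setting it to False actually makes a handshake reject a certificate whose only matching name is the subject CN, which is the behaviour the flag exists to change. A companion test in ThreadedTests against a CN-only server certificate would pin that, though no such fixture is visible in this hunk. The else branch also deserves a comment, because the earlier `self.assertTrue(ctx.hostname_checks_common_name)` means CN fallback stays on and cannot be disabled on builds without HAS_NEVER_CHECK_COMMON_NAME: `# CN fallback cannot be turned off on this libssl; the setter must refuse rather than silently keep it enabled.`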
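Review bot: test_bad_server_hostname asserts the two rejections without recording why they matter, and both reasons are security-relevant: according to OpenSSL's X509_VERIFY_PARAM_set1_host documentation an empty name clears the host list so no name check runs at all, and a leading dot selects the subdomain-matching mode the commit message explicitly declines to support. I would add above the first assertRaises: `# "" would clear OpenSSL's host list (no name check at all); ".example.org" would enable its leading-dot mode, matching any subdomain.` The test also exercises only wrap_bio; if wrap_socket reaches the same validation through a shared helper, one assertion on that path would guard against the check being bypassed there.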
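Review bot: the expected message on the third added line is passed to assertRaisesRegex as a regex, so the trailing `.` in `'invalid'.` matches any character rather than a literal period and the pattern is looser than it looks. Dropping the period, `"Hostname mismatch, certificate is not valid for 'invalid'"`, or wrapping the string in re.escape keeps the assertion literal. The enclosing test method starts before the hunk, so the server certificate it uses is not visible here.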