diff options
author | Donald Stufft <donald@stufft.io> | 2014-03-23 23:05:28 (GMT) |
---|---|---|
committer | Donald Stufft <donald@stufft.io> | 2014-03-23 23:05:28 (GMT) |
commit | 6a2ba949089754dafe69d56ce0398f4b8847a4e2 (patch) | |
tree | 5a4463201c01486e368c2c3a74f7b1240ea02f87 /Lib/test/test_ssl.py | |
parent | 553e108fce5673072e709d85c4b4de817f7057b1 (diff) | |
download | cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.zip cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.tar.gz cpython-6a2ba949089754dafe69d56ce0398f4b8847a4e2.tar.bz2 |
Issue #21013: Enhance ssl.create_default_context() for server side contexts
Closes #21013 by modfying ssl.create_default_context() to:
* Move the restricted ciphers to only apply when using
ssl.Purpose.CLIENT_AUTH. The major difference between restricted and not
is the lack of RC4 in the restricted. However there are servers that exist
that only expose RC4 still.
* Switches the default protocol to ssl.PROTOCOL_SSLv23 so that the context
will select TLS1.1 or TLS1.2 if it is available.
* Add ssl.OP_NO_SSLv3 by default to continue to block SSL3.0 sockets
* Add ssl.OP_SINGLE_DH_USE and ssl.OP_SINGLE_ECDG_USE to improve the security
of the perfect forward secrecy
* Add ssl.OP_CIPHER_SERVER_PREFERENCE so that when used for a server side
socket the context will prioritize our ciphers which have been carefully
selected to maximize security and performance.
* Documents the failure conditions when a SSL3.0 connection is required so
that end users can more easily determine if they need to unset
ssl.OP_NO_SSLv3.
Diffstat (limited to 'Lib/test/test_ssl.py')
-rw-r--r-- | Lib/test/test_ssl.py | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 891720e..331d6ba 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1014,23 +1014,43 @@ class ContextTests(unittest.TestCase): def test_create_default_context(self): ctx = ssl.create_default_context() - self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1) + self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23) self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED) self.assertTrue(ctx.check_hostname) self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2) + self.assertEqual( + ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0), + getattr(ssl, "OP_NO_COMPRESSION", 0), + ) with open(SIGNING_CA) as f: cadata = f.read() ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH, cadata=cadata) - self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1) + self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23) self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED) self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2) + self.assertEqual( + ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0), + getattr(ssl, "OP_NO_COMPRESSION", 0), + ) ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) - self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1) + self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23) self.assertEqual(ctx.verify_mode, ssl.CERT_NONE) self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2) + self.assertEqual( + ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0), + getattr(ssl, "OP_NO_COMPRESSION", 0), + ) + self.assertEqual( + ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0), + getattr(ssl, "OP_SINGLE_DH_USE", 0), + ) + self.assertEqual( + ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0), + getattr(ssl, "OP_SINGLE_ECDH_USE", 0), + ) def test__create_stdlib_context(self): ctx = ssl._create_stdlib_context() |