author | Christian Heimes <christian@python.org> | 2019-07-01 07:25:48 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-01 07:25:48 (GMT) |
commit | f22c4cf11d10f52faa86e0b308dd28f11819efd8 (patch) | |
tree | a221e4d3841ffe1ddd8bae9324d7a07237fa3d88 /Lib | |
parent | ee72dda9616258b57c19eb5af00f3e80a3fb8e22 (diff) | |
[3.8] bpo-37428: Don't set PHA verify flag on client side (GH-14494)
SSLContext.post_handshake_auth = True no longer sets
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
option is documented as ignored for clients, OpenSSL implicitly enables cert
chain validation when the flag is set.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37428
(cherry picked from commit f0f5930ac88482ef896283db5be9b8d508d077db)
Diffstat (limited to 'Lib')
-rw-r--r-- | Lib/test/test_ssl.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 38fdf3f..66369fe 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -4428,6 +4428,37 @@ class TestPostHandshakeAuth(unittest.TestCase):
             s.write(b'PHA')
             self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
 
+    def test_bpo37428_pha_cert_none(self):
+        # verify that post_handshake_auth does not implicitly enable cert
+        # validation.
+        hostname = SIGNED_CERTFILE_HOSTNAME
+        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        client_context.post_handshake_auth = True
+        client_context.load_cert_chain(SIGNED_CERTFILE)
+        # no cert validation and CA on client side
+        client_context.check_hostname = False
+        client_context.verify_mode = ssl.CERT_NONE
+
+        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        server_context.load_cert_chain(SIGNED_CERTFILE)
+        server_context.load_verify_locations(SIGNING_CA)
+        server_context.post_handshake_auth = True
+        server_context.verify_mode = ssl.CERT_REQUIRED
+
+        server = ThreadedEchoServer(context=server_context, chatty=False)
+        with server:
+            with client_context.wrap_socket(socket.socket(),
+                                            server_hostname=hostname) as s:
+                s.connect((HOST, server.port))
+                s.write(b'HASCERT')
+                self.assertEqual(s.recv(1024), b'FALSE\n')
+                s.write(b'PHA')
+                self.assertEqual(s.recv(1024), b'OK\n')
+                s.write(b'HASCERT')
+                self.assertEqual(s.recv(1024), b'TRUE\n')
+                # server cert has not been validated
+                self.assertEqual(s.getpeercert(), {})
+
 HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
 requires_keylog = unittest.skipUnless( |
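Review bot: The comment `# no cert validation and CA on client side` reads as if a CA were loaded on the client, but the lines under it only clear check_hostname and set CERT_NONE, and client_context never calls load_verify_locations; suggest `# no cert validation and no CA on client side`, because the missing trust anchor is what makes an implicitly enabled chain validation observable. The closing comment `# server cert has not been validated` is also imprecise: getpeercert() returning {} follows from verify_mode being CERT_NONE rather than from validation having been skipped, and the regression this test guards against would presumably surface earlier, as a handshake failure at s.connect(), so a wording such as `# CERT_NONE: getpeercert() stays empty; an implicitly enabled chain validation would have failed the handshake above` states what the assertion actually checks. The new method is complete within the hunk, but the enclosing class TestPostHandshakeAuth starts outside it.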