authorChristian Heimes <christian@python.org>2016-09-11 22:01:11 (GMT)
committerChristian Heimes <christian@python.org>2016-09-11 22:01:11 (GMT)
commit5fe668c6727b1301d4fbeb151d81854e74431295 (patch)
tree12c846f168e95e37b5a5810ee190fdb663d94754 /Lib
parent722898065c0b1bab196b32f9c1e863195b3aaf9a (diff)
Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext
Diffstat (limited to 'Lib')
-rw-r--r--Lib/ssl.py2
-rw-r--r--Lib/test/test_ssl.py32
2 files changed, 34 insertions, 0 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index df5e98e..8ad4a33 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -52,6 +52,8 @@ PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLS
+PROTOCOL_TLS_CLIENT
+PROTOCOL_TLS_SERVER
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 61744ae..557b6de 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1342,6 +1342,17 @@ class ContextTests(unittest.TestCase):
ctx.check_hostname = False
self.assertFalse(ctx.check_hostname)
+ def test_context_client_server(self):
+ # PROTOCOL_TLS_CLIENT has sane defaults
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ self.assertTrue(ctx.check_hostname)
+ self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
+
+ # PROTOCOL_TLS_SERVER has different but also sane defaults
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ self.assertFalse(ctx.check_hostname)
+ self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
+
class SSLErrorTests(unittest.TestCase):
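Review bot: The two comments in `test_context_client_server` say "sane defaults" without naming them, so a reader has to infer from the assertions which security property each context is expected to hold. I would spell it out, for example `# PROTOCOL_TLS_CLIENT verifies the peer by default: check_hostname on, verify_mode CERT_REQUIRED` and `# PROTOCOL_TLS_SERVER does not request a client certificate by default: check_hostname off, verify_mode CERT_NONE`. That wording also makes it clear that the server-side `CERT_NONE` is intentional, not an oversight.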
@@ -2280,12 +2291,33 @@ if _have_threads:
if support.verbose:
sys.stdout.write("\n")
for protocol in PROTOCOLS:
+ if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
+ continue
with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
context = ssl.SSLContext(protocol)
context.load_cert_chain(CERTFILE)
server_params_test(context, context,
chatty=True, connectionchatty=True)
+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ client_context.load_verify_locations(SIGNING_CA)
+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ # server_context.load_verify_locations(SIGNING_CA)
+ server_context.load_cert_chain(SIGNED_CERTFILE2)
+
+ with self.subTest(client='PROTOCOL_TLS_CLIENT', server='PROTOCOL_TLS_SERVER'):
+ server_params_test(client_context=client_context,
+ server_context=server_context,
+ chatty=True, connectionchatty=True,
+ sni_name='fakehostname')
+
+ with self.subTest(client='PROTOCOL_TLS_SERVER', server='PROTOCOL_TLS_CLIENT'):
+ with self.assertRaises(ssl.SSLError):
+ server_params_test(client_context=server_context,
+ server_context=client_context,
+ chatty=True, connectionchatty=True,
+ sni_name='fakehostname')
+
def test_getpeercert(self):
if support.verbose:
sys.stdout.write("\n")
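Review bot: The reversed-role subtest (client='PROTOCOL_TLS_SERVER', server='PROTOCOL_TLS_CLIENT') asserts only `ssl.SSLError`, so it can pass for a reason unrelated to role enforcement. The context passed as `server_context` there is `client_context`, which only had `load_verify_locations(SIGNING_CA)` called and never `load_cert_chain`, so the handshake would presumably fail for the missing certificate even if the role restriction regressed. Capturing the exception with `with self.assertRaises(ssl.SSLError) as cm:` and checking `cm.exception.reason`, or giving that context a certificate chain first, would tie the failure to the protocol role. The commented-out `# server_context.load_verify_locations(SIGNING_CA)` should also be deleted, or replaced by a comment such as `# the server context keeps CERT_NONE, so no CA store is needed`. The enclosing test method starts above this hunk.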