diff options
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/http/client.py | 4 | ||||
| -rw-r--r-- | Lib/ssl.py | 15 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 16 | ||||
| -rw-r--r-- | Lib/test/test_urllib2net.py | 33 |
4 files changed, 60 insertions, 8 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py index 1039fa5..6c38c4a 100644 --- a/Lib/http/client.py +++ b/Lib/http/client.py @@ -1081,7 +1081,9 @@ else: self.sock = sock self._tunnel() - self.sock = self._context.wrap_socket(sock) + server_hostname = self.host if ssl.HAS_SNI else None + self.sock = self._context.wrap_socket(sock, + server_hostname=server_hostname) try: if self._check_hostname: ssl.match_hostname(self.sock.getpeercert(), self.host) @@ -77,6 +77,7 @@ from _ssl import ( SSL_ERROR_EOF, SSL_ERROR_INVALID_ERROR_CODE, ) +from _ssl import HAS_SNI from socket import getnameinfo as _getnameinfo from socket import error as socket_error @@ -158,10 +159,12 @@ class SSLContext(_SSLContext): def wrap_socket(self, sock, server_side=False, do_handshake_on_connect=True, - suppress_ragged_eofs=True): + suppress_ragged_eofs=True, + server_hostname=None): return SSLSocket(sock=sock, server_side=server_side, do_handshake_on_connect=do_handshake_on_connect, suppress_ragged_eofs=suppress_ragged_eofs, + server_hostname=server_hostname, _context=self) @@ -176,6 +179,7 @@ class SSLSocket(socket): do_handshake_on_connect=True, family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, suppress_ragged_eofs=True, ciphers=None, + server_hostname=None, _context=None): if _context: @@ -202,7 +206,11 @@ class SSLSocket(socket): self.ssl_version = ssl_version self.ca_certs = ca_certs self.ciphers = ciphers + if server_side and server_hostname: + raise ValueError("server_hostname can only be specified " + "in client mode") self.server_side = server_side + self.server_hostname = server_hostname self.do_handshake_on_connect = do_handshake_on_connect self.suppress_ragged_eofs = suppress_ragged_eofs connected = False @@ -232,7 +240,8 @@ class SSLSocket(socket): if connected: # create the SSL object try: - self._sslobj = self.context._wrap_socket(self, server_side) + self._sslobj = self.context._wrap_socket(self, server_side, + server_hostname) if do_handshake_on_connect: timeout = self.gettimeout() if timeout == 0.0: @@ -431,7 +440,7 @@ class SSLSocket(socket): if self._sslobj: raise ValueError("attempt to connect already-connected SSLSocket!") socket.connect(self, addr) - self._sslobj = self.context._wrap_socket(self, False) + self._sslobj = self.context._wrap_socket(self, False, self.server_hostname) try: if self.do_handshake_on_connect: self.do_handshake() diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 0c8a8e6..67bc01a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -89,6 +89,7 @@ class BasicSocketTests(unittest.TestCase): ssl.CERT_NONE ssl.CERT_OPTIONAL ssl.CERT_REQUIRED + self.assertIn(ssl.HAS_SNI, {True, False}) def test_random(self): v = ssl.RAND_status() @@ -277,6 +278,12 @@ class BasicSocketTests(unittest.TestCase): self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + def test_server_side(self): + # server_hostname doesn't work for server sockets + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + sock = socket.socket() + self.assertRaises(ValueError, ctx.wrap_socket, sock, True, + server_hostname="some.hostname") class ContextTests(unittest.TestCase): @@ -441,6 +448,14 @@ class NetworkedTests(unittest.TestCase): self.assertEqual({}, s.getpeercert()) finally: s.close() + # Same with a server hostname + s = ctx.wrap_socket(socket.socket(socket.AF_INET), + server_hostname="svn.python.org") + if ssl.HAS_SNI: + s.connect(("svn.python.org", 443)) + s.close() + else: + self.assertRaises(ValueError, s.connect, ("svn.python.org", 443)) # This should fail because we have no verification certs ctx.verify_mode = ssl.CERT_REQUIRED s = ctx.wrap_socket(socket.socket(socket.AF_INET)) @@ -1500,6 +1515,7 @@ def test_main(verbose=False): print("test_ssl: testing with %r %r" % (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)) print(" under %s" % plat) + print(" HAS_SNI = %r" % ssl.HAS_SNI) for filename in [ CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE, diff --git a/Lib/test/test_urllib2net.py b/Lib/test/test_urllib2net.py index a4af01a..0a777c4 100644 --- a/Lib/test/test_urllib2net.py +++ b/Lib/test/test_urllib2net.py @@ -9,6 +9,10 @@ import socket import urllib.error import urllib.request import sys +try: + import ssl +except ImportError: + ssl = None TIMEOUT = 60 # seconds @@ -278,13 +282,34 @@ class TimeoutTest(unittest.TestCase): self.assertEqual(u.fp.fp.raw._sock.gettimeout(), 60) +@unittest.skipUnless(ssl, "requires SSL support") +class HTTPSTests(unittest.TestCase): + + def test_sni(self): + # Checks that Server Name Indication works, if supported by the + # OpenSSL linked to. + # The ssl module itself doesn't have server-side support for SNI, + # so we rely on a third-party test site. + expect_sni = ssl.HAS_SNI + with support.transient_internet("bob.sni.velox.ch"): + u = urllib.request.urlopen("https://bob.sni.velox.ch/") + contents = u.readall() + if expect_sni: + self.assertIn(b"Great", contents) + self.assertNotIn(b"Unfortunately", contents) + else: + self.assertNotIn(b"Great", contents) + self.assertIn(b"Unfortunately", contents) + + def test_main(): support.requires("network") support.run_unittest(AuthTests, - OtherNetworkTests, - CloseSocketTest, - TimeoutTest, - ) + HTTPSTests, + OtherNetworkTests, + CloseSocketTest, + TimeoutTest, + ) if __name__ == "__main__": test_main() |