path: root/Lib/test/test_ssl.py
Commit message | Author | Age | Files | Lines
* gh-72719: Remove asyncore and asynchat modules (#96580) | Nikita Sobolev | 2022-11-08 | 1 | -3/+1
  Remove modules asyncore and asynchat, which were deprecated by PEP 594.
  Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* gh-95280: Fix test_get_ciphers on systems without RSA key exchange (GH-95282) | Christian Heimes | 2022-07-27 | 1 | -2/+14
* Fix typo in PROTOCOL_TO_TLS_VERSION in test_ssl (GH-95119) | David Benjamin | 2022-07-22 | 1 | -1/+1
  This appears to be a typo. It causes try_protocol_combo to try to turn on SSL 3.0 when testing PROTOCOL_SSLv23 (aka PROTOCOL_TLS), which doesn't make any sense. Fix it to be PROTOCOL_SSLv3.
  Without this, try_protocol_combo is actually setting context.minimum_version to SSLv3 when called as try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
  One would think this causes a no-ssl3 OpenSSL build to fail, but OpenSSL forgot to make SSL_CTX_set_min_proto_version(SSL3_VERSION) does not notice no-ssl3, so this typo has gone undetected.
  But we should still fix the typo because, presumably, a future version of OpenSSL will remove SSL 3.0 and do so more thoroughly, at which point this will break.
* gh-94199: Remove the ssl.wrap_socket() function (#94203) | Victor Stinner | 2022-07-08 | 1 | -30/+0
  Remove the ssl.wrap_socket() function, deprecated in Python 3.7: instead, create a ssl.SSLContext object and call its ssl.SSLContext.wrap_socket() method.
  Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295: Improper Certificate Validation.
* gh-94172: Remove ssl.PROTOCOL_SSLv2 dead code (#94312) | Victor Stinner | 2022-06-28 | 1 | -39/+0
  Remove dead code related to ssl.PROTOCOL_SSLv2. ssl.PROTOCOL_SSLv2 was already removed in Python 3.10.
  In test_ssl, @requires_tls_version('SSLv2') always returned False.
  Extract of the removed code: "OpenSSL has removed support for SSLv2".
* gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) | Christian Heimes | 2022-06-28 | 1 | -27/+33
  Three test cases were failing on FreeBSD with latest OpenSSL.
* gh-94199: Remove ssl.match_hostname() function (#94224) | Victor Stinner | 2022-06-25 | 1 | -199/+0
* gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202) | Victor Stinner | 2022-06-24 | 1 | -6/+0
  Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python 3.6: use os.urandom() or ssl.RAND_bytes() instead.
* Add test.support.busy_retry() (#93770) | Victor Stinner | 2022-06-15 | 1 | -4/+1
  Add busy_retry() and sleeping_retry() functions to test.support.
* gh-69443: Add test.support.Py_DEBUG constant (#93226) | Victor Stinner | 2022-05-25 | 1 | -3/+3
* bpo-45046: Support context managers in unittest (GH-28045) | Serhiy Storchaka | 2022-05-08 | 1 | -4/+2
  Add methods enterContext() and enterClassContext() in TestCase.
  Add method enterAsyncContext() in IsolatedAsyncioTestCase.
  Add function enterModuleContext().
* gh-92169: Use warnings_helper.import_deprecated() to import deprecated modules uniformly in tests (GH-92170) | Hugo van Kemenade | 2022-05-03 | 1 | -5/+3
* bpo-40066: [Enum] fix tests (GH-30643) | Ethan Furman | 2022-01-17 | 1 | -2/+2
  - skip doctest that changes depending on target system
  - skip doctest that only fails on CI
  - substitute in values that change depending on target system
* bpo-40066: [Enum] skip failing doc test (GH-30637) | Kumar Aditya | 2022-01-17 | 1 | -3/+5
* Revert "bpo-40066: [Enum] update str() and format() output (GH-30582)" (GH-30632) | Victor Stinner | 2022-01-17 | 1 | -5/+3
  This reverts commit acf7403f9baea3ae1119fc6b4a3298522188bf96.
* bpo-40066: [Enum] update str() and format() output (GH-30582) | Ethan Furman | 2022-01-16 | 1 | -3/+5
  Undo rejected PEP-663 changes:
  - restore `repr()` to its 3.10 status
  - restore `str()` to its 3.10 status
  New changes:
  - `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result
  - zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'`
  - update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type
  - added `_numeric_repr_` to `Flag` to control display of unnamed values
  - enums without doc strings have a more comprehensive doc string added
  - `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
* bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) | Christian Heimes | 2021-12-17 | 1 | -1/+5
* Revert "bpo-28533: Remove asyncore, asynchat, smtpd modules (GH-29521)" (GH-29951) | Victor Stinner | 2021-12-07 | 1 | -1/+4
  This reverts commit 9bf2cbc4c498812e14f20d86acb61c53928a5a57.
* bpo-28533: Remove asyncore, asynchat, smtpd modules (GH-29521) | Victor Stinner | 2021-11-15 | 1 | -4/+1
  Remove the asyncore and asynchat modules, deprecated in Python 3.6: use the asyncio module instead.
  Remove the smtpd module, deprecated in Python 3.6: the aiosmtpd module can be used instead, it is based on asyncio.
  * Remove asyncore, asynchat and smtpd documentation
  * Remove test_asyncore, test_asynchat and test_smtpd
  * Rename Lib/asynchat.py to Lib/test/support/_asynchat.py
  * Rename Lib/asyncore.py to Lib/test/support/_asyncore.py
  * Rename Lib/smtpd.py to Lib/test/support/_smtpd.py
  * Remove DeprecationWarning from private _asyncore, _asynchat and _smtpd modules
  * _smtpd: remove deprecated properties
* bpo-45229: Fix setUpModule in test_ssl (GH-28454) | Serhiy Storchaka | 2021-09-19 | 1 | -2/+0
* bpo-45229: Remove test_main in many tests (GH-28405) | Serhiy Storchaka | 2021-09-19 | 1 | -14/+6
  Instead of explicitly enumerating test classes for run_unittest(), use the unittest ability to discover tests. This also makes these tests discoverable and runnable with unittest.
  load_tests() can be used for dynamic generating tests and adding doctests. setUpModule(), tearDownModule() and addModuleCleanup() can be used for running code before and after all module tests.
* bpo-45185: enables `TestEnumerations` in `test_ssl` (GH-28330) | Nikita Sobolev | 2021-09-15 | 1 | -8/+10
* bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) | Mariusz Felisiak | 2021-07-26 | 1 | -1/+1
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* bpo-44498: suppress DeprecationWarnings for asynchat, asyncore and smtpd in tests (GH-26905) | Irit Katriel | 2021-06-24 | 1 | -1/+5
* bpo-44229: Ignore spurious EPROTOTYPE on macOS in test_ssl (GH-26893) | Erlend Egeberg Aasland | 2021-06-24 | 1 | -3/+8
* bpo-44389: Fix typo in ssl deprecation warning message (GH-26754) | Joe | 2021-06-17 | 1 | -1/+1
  `ssl.SSL_NO_TLS` should be `ssl.OP_NO_TLS`.
* bpo-44389: Fix deprecation of OP_NO_TLSv1_3 (GH-26700) | Christian Heimes | 2021-06-13 | 1 | -8/+56
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-44362: ssl: improve deprecation warnings and docs (GH-26646) | Christian Heimes | 2021-06-11 | 1 | -7/+12
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43921: Cleanup test_ssl.test_wrong_cert_tls13() (GH-26520) | Victor Stinner | 2021-06-03 | 1 | -12/+5
  Don't catch OSError, and check the SSLError message.
* bpo-43921: Fix test_ssl.test_wrong_cert_tls13() on Windows (GH-26502) | Victor Stinner | 2021-06-03 | 1 | -14/+6
  Fix test_ssl.test_wrong_cert_tls13(): use suppress_ragged_eofs=False, since read() can raise ssl.SSLEOFError on Windows.
* bpo-43921: Fix test_ssl.test_pha_required_nocert() (GH-26489) | Victor Stinner | 2021-06-02 | 1 | -2/+9
  Fix test_pha_required_nocert() of test_ssl: catch two more EOF cases (when the recv() method returns an empty string).
* bpo-43988: Use check disallow instantiation helper (GH-26392) | Erlend Egeberg Aasland | 2021-05-27 | 1 | -5/+1
* bpo-43943: ssl tests: Increase server socket timeout, backlog, debugging (GH-25850) | Christian Heimes | 2021-05-03 | 1 | -5/+11
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43908: Mark ssl, hash, and hmac types as immutable (GH-25792) | Christian Heimes | 2021-05-02 | 1 | -0/+19
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-18233: Add internal methods to access peer chain (GH-25467) | Christian Heimes | 2021-04-26 | 1 | -2/+67
  The internal `_ssl._SSLSocket` object now provides methods to retrieve the peer cert chain and verified cert chain as a list of Certificate objects. Certificate objects have methods to convert the cert to a dict, PEM, or DER (ASN.1).
  These are private APIs for now. There is a slim chance to stabilize the approach and provide a public API for 3.10. Otherwise I'll provide a stable API in 3.11.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43921: also accept EOF in post-handshake auth test (GH-25574) | Christian Heimes | 2021-04-24 | 1 | -1/+3
* bpo-37322: Fix ResourceWarning and exception handling in test (GH-25553) | Christian Heimes | 2021-04-24 | 1 | -38/+38
  Revert 73ea546, increase logging, and improve stability of test.
  Handle all OSErrors in a single block. OSError also takes care of SSLError and socket's connection errors.
  Partly reverts commit fb7e750. The threaded connection handler must not raise an unhandled exception.
* bpo-31870: Fix test_get_server_certificate_timeout on Windows (GH-25570) | Christian Heimes | 2021-04-24 | 1 | -1/+5
  Some OS do not support millisecond granularity in select(). Use 100ms timeout and a server callback with sleep to emulate a slow server.
* bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270) | Zackery Spytz | 2021-04-24 | 1 | -0/+5
* bpo-43921: ignore failing test_wrong_cert_tls13 on Windows (GH-25561) | Christian Heimes | 2021-04-23 | 1 | -2/+10
  test_wrong_cert_tls13 sometimes fails on some Windows buildbots. Turn failing test case into skipped test case until we have more time to investigate.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554) | Christian Heimes | 2021-04-23 | 1 | -3/+8
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-38659: [Enum] add _simple_enum decorator (GH-25497) | Ethan Furman | 2021-04-21 | 1 | -1/+152
  add:
  * `_simple_enum` decorator to transform a normal class into an enum
  * `_test_simple_enum` function to compare
  * `_old_convert_` to enable checking `_convert_` generated enums
  `_simple_enum` takes a normal class and converts it into an enum:
      @simple_enum(Enum)
      class Color:
          RED = 1
          GREEN = 2
          BLUE = 3
  `_old_convert_` works much like `_convert_` does, using the original logic:
      # in a test file
      import socket, enum
      CheckedAddressFamily = enum._old_convert_(
              enum.IntEnum, 'AddressFamily', 'socket',
              lambda C: C.isupper() and C.startswith('AF_'),
              source=_socket,
              )
  `_test_simple_enum` takes a traditional enum and a simple enum and compares the two:
      # in the REPL or the same module as Color
      class CheckedColor(Enum):
          RED = 1
          GREEN = 2
          BLUE = 3
      _test_simple_enum(CheckedColor, Color)
      _test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
  Any important differences will raise a TypeError
* bpo-43799: Also define SSLv3_method() (GH-25481) | Christian Heimes | 2021-04-20 | 1 | -8/+0
  Signed-off-by: Christian Heimes <christian@python.org>
* Revert "bpo-38659: [Enum] add _simple_enum decorator (GH-25285)" (GH-25476) | Ethan Furman | 2021-04-20 | 1 | -152/+1
  This reverts commit dbac8f40e81eb0a29dc833e6409a1abf47467da6.
* bpo-38659: [Enum] add _simple_enum decorator (GH-25285) | Ethan Furman | 2021-04-20 | 1 | -1/+152
  add:
  _simple_enum decorator to transform a normal class into an enum
  _test_simple_enum function to compare
  _old_convert_ to enable checking _convert_ generated enums
  _simple_enum takes a normal class and converts it into an enum:
      @simple_enum(Enum)
      class Color:
          RED = 1
          GREEN = 2
          BLUE = 3
  _old_convert_ works much like _convert_ does, using the original logic:
      # in a test file
      import socket, enum
      CheckedAddressFamily = enum._old_convert_(
              enum.IntEnum, 'AddressFamily', 'socket',
              lambda C: C.isupper() and C.startswith('AF_'),
              source=_socket,
              )
  test_simple_enum takes a traditional enum and a simple enum and compares the two:
      # in the REPL or the same module as Color
      class CheckedColor(Enum):
          RED = 1
          GREEN = 2
          BLUE = 3
      _test_simple_enum(CheckedColor, Color)
      _test_simple_enum(CheckedAddressFamily, socket.AddressFamily)
  Any important differences will raise a TypeError
* bpo-43669: More test_ssl cleanups (GH-25470) | Christian Heimes | 2021-04-19 | 1 | -78/+21
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455) | Christian Heimes | 2021-04-19 | 1 | -153/+120
  * ssl.OP_NO_SSLv2
  * ssl.OP_NO_SSLv3
  * ssl.OP_NO_TLSv1
  * ssl.OP_NO_TLSv1_1
  * ssl.OP_NO_TLSv1_2
  * ssl.OP_NO_TLSv1_3
  * ssl.PROTOCOL_SSLv2
  * ssl.PROTOCOL_SSLv3
  * ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
  * ssl.PROTOCOL_TLS
  * ssl.PROTOCOL_TLSv1
  * ssl.PROTOCOL_TLSv1_1
  * ssl.PROTOCOL_TLSv1_2
  * ssl.TLSVersion.SSLv3
  * ssl.TLSVersion.TLSv1
  * ssl.TLSVersion.TLSv1_1
  * ssl.wrap_socket()
  * ssl.RAND_pseudo_bytes()
  * ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
  * ssl.SSLContext() without a protocol argument
  * ssl.match_hostname()
  * hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay)
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-42854: Use SSL_read/write_ex() (GH-25468) | Christian Heimes | 2021-04-19 | 1 | -0/+11
  The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex`` internally. The functions support reading and writing of data larger than 2 GB. Writing zero-length data no longer fails with a protocol violation error.
  Signed-off-by: Christian Heimes <christian@python.org>
* bpo-36076: Add SNI support to ssl.get_server_certificate. (GH-16820) | juhovh | 2021-04-18 | 1 | -1/+25
  Many servers in the cloud environment require SNI to be used during the SSL/TLS handshake, therefore it is not possible to fetch their certificates using the ssl.get_server_certificate interface.
  This change adds an additional optional hostname argument that can be used to set the SNI. Note that it is intentionally a separate argument instead of using the host part of the addr tuple, because one might want to explicitly fetch the default certificate or fetch a certificate from a specific IP address with the specified SNI hostname. A separate argument also works better for backwards compatibility.
  Automerge-Triggered-By: GH:tiran
* bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014) | Christian Heimes | 2021-04-17 | 1 | -93/+26
  - Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
  - Update hashopenssl to require OpenSSL 1.1.1
  - multissltests only OpenSSL > 1.1.0
  - ALPN is always supported
  - SNI is always supported
  - Remove deprecated NPN code. Python wrappers are no-op.
  - ECDH is always supported
  - Remove OPENSSL_VERSION_1_1 macro
  - Remove locking callbacks
  - Drop PY_OPENSSL_1_1_API macro
  - Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
  - SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
  - security level is always available now
  - get_num_tickets is available with TLS 1.3
  - X509_V_ERR MISMATCH is always available now
  - Always set SSL_MODE_RELEASE_BUFFERS
  - X509_V_FLAG_TRUSTED_FIRST is always available
  - get_ciphers is always supported
  - SSL_CTX_set_keylog_callback is always available
  - Update Modules/Setup with static link example
  - Mention PEP in whatsnew
  - Drop 1.0.2 and 1.1.0 from GHA tests