path: root/Lib/test/test_ssl.py
Commit message | Author | Age | Files | Lines
* bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 ↵ | Victor Stinner | 2019-09-07 | 1 | -0/+5
| (#12694)
| Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867) | Victor Stinner | 2019-02-26 | 1 | -0/+22
| Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault.
| Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.
| Signed-off-by: Christian Heimes <christian@python.org>
| (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
* bpo-30199: test_ssl closes all asyncore channels (#1381) (#1389) | Victor Stinner | 2017-05-02 | 1 | -1/+3
| AsyncoreEchoServer of test_ssl now calls asyncore.close_all(ignore_all=True) to ensure that asyncore.socket_map is cleared once the test completes, even if ConnectionHandler was not correctly unregistered.
| Fix the following warning:
|   Warning -- asyncore.socket_map was modified by test_ssl
|     Before: {}
|     After: {6: <test.test_ssl.AsyncoreEchoServer.EchoServer.ConnectionHandler>}
| (cherry picked from commit 1dae7450c68bad498e57800387b24cb103c461fa)
* Issue #28221: Remove unused assignment from test_asyncore_server() | Martin Panter | 2016-09-23 | 1 | -2/+0
| The later value of FOO is fine. The test just needs to verify that the server converted it to lowercase.
* Fix references to Python 3’s socketserver (lowercase) module | Martin Panter | 2016-09-22 | 1 | -1/+1
|
* Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵ | Christian Heimes | 2016-09-06 | 1 | -0/+23
| fields in X.509 certs.
* Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. | Christian Heimes | 2016-09-05 | 1 | -31/+58
|
* Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF | Martin Panter | 2016-07-11 | 1 | -8/+21
|
* Issue #26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test. | Matthias Klose | 2016-06-13 | 1 | -1/+2
|
* Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes | Martin Panter | 2016-03-28 | 1 | -1/+8
|
* Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() | Martin Panter | 2016-03-27 | 1 | -0/+11
|
* Issue #26173: Separate bad cert file tests and client rejection test | Martin Panter | 2016-02-01 | 1 | -40/+54
| Test test_wrong_cert() runs a server that rejects the client's certificate, so ECONNRESET is reasonable in addition to SSLError. On the other hand, the other three tests don't even need to run a server because they are just testing the parsing of invalid certificate files.
| Also fix a ResourceWarning by closing the wrapped socket.
* Issue #26173: Fix test_ssl confusion with non-existing cert and wrongcert.pem | Martin Panter | 2016-01-30 | 1 | -14/+11
| Testing for a non-existing certificate file is already done in test_errors(). Copy wrongcert.pem from Python 2 and use it to test the behaviour with a mismatched certificate.
* Issue #25940: Merge ETIMEDOUT fix from 3.4 into 3.5 | Martin Panter | 2016-01-15 | 1 | -1/+1
|\
| * Issue #25940: Merge ETIMEDOUT fix from 3.3 into 3.4 | Martin Panter | 2016-01-15 | 1 | -1/+1
| |\
| | * Issue #25940: Merge ETIMEDOUT fix from 3.2 into 3.3 | Martin Panter | 2016-01-15 | 1 | -1/+1
| | |\
| | | * Issue #25940: On Windows, connecting to port 444 returns ETIMEDOUT | Martin Panter | 2016-01-15 | 1 | -1/+3
| | | |
* | | | Issue #25940: Update new SSL tests for self-signed.pythontest.net | Martin Panter | 2016-01-14 | 1 | -13/+14
| | | | Removed SSL_ERROR_SYSCALL checking from ssl_io_loop() so that the loop can terminate when unwrap() raises that error.
* | | | Issue #25940: Merge self-signed.pythontest.net testing from 3.4 into 3.5 | Martin Panter | 2016-01-14 | 1 | -51/+56
|\ \ \ \
| |/ / /
| * | | Issue #25940: Update new SSL tests for self-signed.pythontest.net | Martin Panter | 2016-01-14 | 1 | -12/+12
| | | |
| * | | Issue #25940: Merge self-signed.pythontest.net testing from 3.3 into 3.4 | Martin Panter | 2016-01-14 | 1 | -39/+44
| |\ \ \
| | |/ /
| | * | Issue #25940: Merge self-signed.pythontest.net testing from 3.2 into 3.3 | Martin Panter | 2016-01-14 | 1 | -41/+48
| | |\ \
| | | |/
| | | * Issue #25940: Use self-signed.pythontest.net in SSL tests | Martin Panter | 2016-01-14 | 1 | -49/+52
| | | | This is instead of svn.python.org, whose certificate recently expired, and whose new certificate uses a different root certificate.
| | | | The certificate used at the pythontest server was modified to set the "basic constraints" CA flag. This flag seems to be required for test_get_ca_certs_capath() to work (in Python 3.4+).
| | | | Added the new self-signed certificate to capath with the following commands:
| | | |   cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
| | | |   c_rehash -v Lib/test/capath/
| | | |   c_rehash -v -old Lib/test/capath/
| | | |   # Note the generated file names
| | | |   cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
| | | |   mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}
| | | | The new server responds with "No route to host" when connecting to port 444.
| | | * Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes | Georg Brandl | 2014-09-30 | 1 | -0/+29
| | | | inside subjectAltName correctly. Formerly the module has used OpenSSL's GENERAL_NAME_print() function to get the string representation of ASN.1 strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and ``uniformResourceIdentifier`` (URI).
| | * | merge 3.2 (#20896) | Benjamin Peterson | 2014-03-12 | 1 | -3/+8
| | |\ \
| | | |/
| | | * use ssl.PROTOCOL_SSLv23 for maximum compatibility (closes #20896) | Benjamin Peterson | 2014-03-12 | 1 | -3/+8
| | | |
| | | * Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of ↵ | Antoine Pitrou | 2013-05-18 | 1 | -0/+11
| | | | service using certificates with many wildcards (CVE-2013-2099).
* | | | merge 3.4 (#25530) | Benjamin Peterson | 2015-11-12 | 1 | -9/+9
|\ \ \ \
| |/ / /
| * | | always set OP_NO_SSLv3 by default (closes #25530) | Benjamin Peterson | 2015-11-12 | 1 | -9/+9
| | | |
* | | | Issue #24210: Silence more PendingDeprecationWarning warnings in tests. | Berker Peksag | 2015-05-16 | 1 | -7/+15
| | | |
* | | | merge 3.4 (#23844) | Benjamin Peterson | 2015-04-02 | 1 | -1/+1
|\ \ \ \
| |/ / /
| * | | replace 512 bit dh key with a 2014 bit one (closes #23844) | Benjamin Peterson | 2015-04-02 | 1 | -1/+1
| | | | Patch by Cédric Krier.
* | | | Issue #23001: Few functions in modules mmap, ossaudiodev, socket, ssl, and | Serhiy Storchaka | 2015-03-20 | 1 | -0/+2
| | | | codecs, that accepted only read-only bytes-like object now accept writable bytes-like object too.
* | | | Issue #20617: Remove unused import in test_ssl. | Berker Peksag | 2015-03-12 | 1 | -1/+0
|\ \ \ \
| |/ / /
| | | | Patch by Mark Lawrence.
| * | | Issue #20617: Remove unused import in test_ssl. | Berker Peksag | 2015-03-12 | 1 | -1/+0
| | | | Patch by Mark Lawrence.
* | | | merge 3.4 | Benjamin Peterson | 2015-03-05 | 1 | -1/+2
|\ \ \ \
| |/ / /
| * | | adjust test_crl_check for trusted first being default | Benjamin Peterson | 2015-03-05 | 1 | -1/+2
| | | |
* | | | merge 3.4 | Benjamin Peterson | 2015-03-05 | 1 | -2/+3
|\ \ \ \
| |/ / /
| * | | expose X509_V_FLAG_TRUSTED_FIRST | Benjamin Peterson | 2015-03-05 | 1 | -2/+3
| | | |
* | | | Issue #23239: ssl.match_hostname() now supports matching of IP addresses. | Antoine Pitrou | 2015-02-15 | 1 | -0/+24
| | | |
* | | | Issue #23345: merge from 3.4 | Ned Deily | 2015-02-05 | 1 | -1/+1
|\ \ \ \
| |/ / /
| * | | Issue #23345: Prevent test_ssl failures with large OpenSSL patch level | Ned Deily | 2015-02-05 | 1 | -1/+1
| | | | values (like 0.9.8zc).
| * | | Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The | Victor Stinner | 2015-01-06 | 1 | -2/+3
| | | | availability of the function is checked during the compilation. Patch written by Bernard Spil.
| * | | Issue #22935: Fix test_ssl when the SSLv3 protocol is not supported | Victor Stinner | 2014-12-12 | 1 | -1/+2
| | | |
* | | | prefer server alpn ordering over the client's | Benjamin Peterson | 2015-01-23 | 1 | -2/+2
| | | |
* | | | add support for ALPN (closes #20188) | Benjamin Peterson | 2015-01-23 | 1 | -4/+60
| | | |
* | | | enable cert validation in test | Benjamin Peterson | 2015-01-08 | 1 | -1/+4
| | | |
* | | | trying again | Benjamin Peterson | 2015-01-08 | 1 | -2/+2
| | | |
* | | | reorder cipher prefs | Benjamin Peterson | 2015-01-08 | 1 | -1/+1
| | | |
* | | | drop 256 | Benjamin Peterson | 2015-01-08 | 1 | -2/+2
| | | |