summaryrefslogtreecommitdiffstats
path: root/Lib/test/test_ssl.py
Commit message (Collapse)AuthorAgeFilesLines
* [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old ↵Gregory P. Smith2019-05-291-0/+35
| | | | | | | | | | | | | | | | | | | | | | | TLS (GH-13124) (GH-13252) * [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124) Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.. (cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90) Co-authored-by: Gregory P. Smith <greg@krypto.org> * Also skip ssl tests that fail when the system rejects TLSv1. * Remove the test_httplib change; server was updated. self-signed.pythontest.net was updated so the test_httplib change is no longer necessary.
* bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612)Victor Stinner2019-05-291-0/+15
| | | | | | | Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918: complete the previous partial backport (commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826. Co-Authored-By: Christian Heimes <christian@python.org>
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)Miss Islington (bot)2019-01-161-0/+22
| | | | | | | | | | | | Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-33023: Fix NotImplemented to NotImplementedError. (GH-10934). (GH-11001)Serhiy Storchaka2018-12-061-2/+8
| | | | (cherry picked from commit 42b1d6127bd8595522a78a75166ebb9fba74a6a2)
* [3.6] bpo-34670: Add TLS 1.3 post handshake auth (GH-9460) (GH-9507)Christian Heimes2018-09-231-0/+207
| | | | | | | | | | | | | | | | Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake authentication. Signed-off-by: Christian Heimes <christian@python.org>q https://bugs.python.org/issue34670. (cherry picked from commit 9fb051f032c36b9f6086b79086b4d6b7755a3d70) Co-authored-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue34670
* [3.6] bpo-34542: Update test certs and keys (GH-8997) (GH-9396)Christian Heimes2018-09-201-3/+5
| | | | | | | | | | | | | Update all test certs and keys to use future proof crypto settings: * 3072 bit RSA keys * SHA-256 signature Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit e6dac0077996b1e1f886f036d6f2606237fa4c85) https://bugs.python.org/issue34542
* [3.6] bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8764)Christian Heimes2018-08-151-8/+7
| | | | | | | | | | | | | Downstream vendors have started to deprecate weak keys. Update all RSA keys and DH params to use at least 2048 bits. Finite field DH param file use RFC 7919 values, generated with certtool --get-dh-params --sec-param=high Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 88bfd0bce05043f658e50addd21366f317995e35) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760)Christian Heimes2018-08-151-19/+30
| | | | | | | | | Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761)Christian Heimes2018-08-141-6/+22
| | | | | | | | | | | | | | Backport of TLS 1.3 related fixes from 3.7. Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options Signed-off-by: Christian Heimes <christian@python.org>
* [3.6] bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) (GH-6214)Christian Heimes2018-03-241-0/+1
| | | | | | | | | | | | | LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 4ca0739c9d97ac7cd45499e0d31be68dc659d0e1) Co-authored-by: Christian Heimes <christian@python.org>
* bpo-31518: Change TLS protocol for Debian (#3660)Christian Heimes2018-02-241-2/+2
| | | | | | | Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make them pass on Debian. Signed-off-by: Christian Heimes <christian@python.org>
* [3.6] bpo-32297: Fix misspellings in Python source code comments (GH-4803) ↵Andrew Svetlov2017-12-141-1/+1
| | | | | | | | | | | | | | (#4864) * [3.6] bpo-32297: Few misspellings found in Python source code comments. (GH-4803) * Fix multiple typos in code comments * Add spacing in comments (test_logging.py, test_math.py) * Fix spaces at the beginning of comments in test_logging.py. (cherry picked from commit 53f7a7c2814fbfd8a29200926601a32fa48bacb3)
* [3.6] bpo-31323: Fix reference leak in test_ssl (GH-3263) (#3538)Miss Islington (bot)2017-09-131-2/+6
| | | | | Store exceptions as string rather than object to prevent reference cycles which cause leaking dangling threads. (cherry picked from commit 868710158910fa38e285ce0e6d50026e1d0b2a8c)
* [3.6] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3444)Christian Heimes2017-09-081-0/+32
| | | | | | | | | | | | | | | | * bpo-29136: Add TLS 1.3 support TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. Since Python sets its own set of permitted ciphers, TLS 1.3 handshake will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common AES-GCM and ChaCha20 suites. Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 now. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
* [3.6] bpo-27340: Use memoryview in SSLSocket.sendall() (GH-3384) (#3434)Christian Heimes2017-09-071-1/+11
| | | | | | | | | | | | | | * bpo-27340: Use memoryview in SSLSocket.sendall() SSLSocket.sendall() now uses memoryview to create slices of data. This fix support for all bytes-like object. It is also more efficient and avoids costly copies. Signed-off-by: Christian Heimes <christian@python.org> * Cast view to bytes, fix typo Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 888bbdc192ec4db888a294ef758cf5510442dc9a)
* [3.6] bpo-29781: Fix SSLObject.version before handshake (GH-3364) (#3381)Christian Heimes2017-09-061-0/+2
| | | | | | | SSLObject.version() now correctly returns None when handshake over BIO has not been performed yet. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 6877111)
* [3.6] bpo-31320: No traceback to sys.stderr in test_ssl (GH-3360) (GH-3369)Miss Islington (bot)2017-09-061-1/+4
| | | | | | | | In case PROTOCOL_TLS_SERVER is used for both client context and server context, the test thread dies with OSError. Catch OSError to avoid traceback on sys.stderr Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 305e56c27afce605e5d2f71903a966cf0bb95038)
* [3.6] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297) (#3300)Christian Heimes2017-09-041-28/+0
| | | | Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 002d64039b60c1a9289f981fe73a5cf91d082136)
* [3.6] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#3093)Christian Heimes2017-08-151-2/+3
| | | | | | | | | | | OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that. The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN callback can pretend to not been set. See https://github.com/openssl/openssl/pull/3158 for more details Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit a5c1bab352671e043645163ca50c5211aa657acd)
* bpo-30199: test_ssl closes all asyncore channels (#1381) (#1390)Victor Stinner2017-05-021-1/+3
| | | | | | | | | | | | | AsyncoreEchoServer of test_ssl now calls asyncore.close_all(ignore_all=True) to ensure that asyncore.socket_map is cleared once the test completes, even if ConnectionHandler was not correctly unregistered. Fix the following warning: Warning -- asyncore.socket_map was modified by test_ssl Before: {} After: {6: <test.test_ssl.AsyncoreEchoServer.EchoServer.ConnectionHandler>} (cherry picked from commit 1dae7450c68bad498e57800387b24cb103c461fa)
* Issue #28394: More typo fixes for 3.6+Martin Panter2016-10-101-1/+1
|
* Finish GC code for SSLSession and increase test coverageChristian Heimes2016-09-241-0/+3
|
* Issue #28221: Merge SSL test cleanup from 3.5 into 3.6Martin Panter2016-09-241-2/+0
|\
| * Issue #28221: Remove unused assignment from test_asyncore_server()Martin Panter2016-09-231-2/+0
| | | | | | | | | | The later value of FOO is fine. The test just needs to verify that the server converted it to lowercase.
* | Merge socketserver fixes from 3.5 into 3.6Martin Panter2016-09-221-1/+1
|\ \ | |/
| * Fix references to Python 3’s socketserver (lowercase) moduleMartin Panter2016-09-221-1/+1
| |
* | Issue #28093: Check more invalid combinations of PROTOCOL_TLS_CLIENT / ↵Christian Heimes2016-09-121-3/+23
| | | | | | | | PROTOCOL_TLS_SERVER
* | Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContextChristian Heimes2016-09-111-0/+32
| |
* | Issue #19500: Add client-side SSL session resumption to the ssl module.Christian Heimes2016-09-101-2/+110
| |
* | Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.Christian Heimes2016-09-101-36/+51
| | | | | | | | | | | | | | The deprecation include manual creation of SSLSocket and certfile/keyfile (or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib. ssl.wrap_socket() is not marked as deprecated yet.
* | Issue 28043: SSLContext has improved default settingsChristian Heimes2016-09-101-29/+33
| | | | | | | | The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
* | #27364: fix "incorrect" uses of escape character in the stdlib.R David Murray2016-09-081-1/+1
| | | | | | | | | | | | | | And most of the tools. Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and Martin Panter.
* | Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵Christian Heimes2016-09-061-0/+23
|\ \ | |/ | | | | fields in X.509 certs.
| * Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name ↵Christian Heimes2016-09-061-0/+23
| | | | | | | | fields in X.509 certs.
* | Issue 27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHEChristian Heimes2016-09-061-2/+2
| |
* | Issue 27866: relax test case for set_cipher() and allow more cipher suitesChristian Heimes2016-09-061-4/+3
| |
* | Issue #27866: Add SSLContext.get_ciphers() method to get a list of all ↵Christian Heimes2016-09-051-0/+9
| | | | | | | | enabled ciphers.
* | Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-31/+58
|\ \ | |/
| * Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.Christian Heimes2016-09-051-31/+58
| |
* | Issue #23804: Merge SSL recv() fix from 3.5Martin Panter2016-07-111-8/+21
|\ \ | |/
| * Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOFMartin Panter2016-07-111-8/+21
| |
* | Merge from 3.5.Larry Hastings2016-06-271-1/+2
|\ \ | |/
| * Issue #26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test.Matthias Klose2016-06-131-1/+2
| |
* | Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv PalivodaMartin Panter2016-04-031-6/+10
| |
* | Issue #23804: Merge SSL zero read fix from 3.5Martin Panter2016-03-281-1/+8
|\ \ | |/
| * Issue #23804: Fix SSL recv/read(0) to not return 1024 bytesMartin Panter2016-03-281-1/+8
| |
* | Issue #26644: Merge SSL negative read fix from 3.5Martin Panter2016-03-271-0/+11
|\ \ | |/
| * Issue #26644: Raise ValueError for negative SSLSocket.recv() and read()Martin Panter2016-03-271-0/+11
| |
* | Issue #25940: Use internal local server more in test_sslMartin Panter2016-03-271-342/+335
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Move many tests from NetworkedTests and NetworkedBIOTests to a new Simple- BackgroundTests class, using the existing ThreadedEchoServer and SIGNED_ CERTFILE infrastructure. For tests that cause the server to crash by rejecting its certificate, separate them into independent test methods. Added custom root certificate to capath with the following commands: cp Lib/test/{pycacert.pem,capath/} # Edit copy to remove part before certificate c_rehash -v Lib/test/capath/ c_rehash -v -old Lib/test/capath/ # Note the generated file names cp Lib/test/capath/{pycacert.pem,b1930218.0} mv Lib/test/capath/{pycacert.pem,ceff1710.0} Change to pure PEM version of SIGNING_CA because PEM_cert_to_DER_cert() does not like the extra text at the start. Moved test_connect_ex_error() into BasicSocketTests and rewrote it to connect to a reserved localhost port. NetworkedTests.test_get_server_certificate_ipv6() split out because it needs to connect to an IPv6 DNS address. The only reference left to self-signed.pythontest.net is test_timeout_ connect_ex(), which needs a remote server to reliably time out the connection, but does not rely on the server running SSL. Made ThreadedEchoServer call unwrap() by default when it sees the client has shut the connection down, so that the client can cleanly call unwrap().
* | Fix test_ssl.test_refcycle()Victor Stinner2016-03-211-1/+1
|/ | | | | | Issue #26590: support.check_warnings() stores warnins, but ResourceWarning now comes with a reference to the socket object which indirectly keeps the socket alive.
generated by cgit v0.12 at 2026-03-02 16:06:56 (GMT)