Commit message | Author | Age | Files | Lines

(GH-95313)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac)
Co-authored-by: Christian Heimes <christian@python.org>
(cherry picked from commit b5a52eef67997246b4235b5407e52a01e822ce56)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
(GH-25554) (GH-25556)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80)
Co-authored-by: Christian Heimes <christian@python.org>
(GH-25452)
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
(cherry picked from commit 330b49e397168df789fd0dd20cfe7e81b8e47258)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1)
Co-authored-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372)
Co-authored-by: Christian Heimes <christian@python.org>
(GH-25308)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 5151d642004c59cce58d669be85d9a5e987f51d3)
Co-authored-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: GH:tiran
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
(cherry picked from commit 29c451c6989c3c94fa0a9facf187c24f3cbf2420)
Co-authored-by: Carl Meyer <carl@oddbird.net>
Co-authored-by: Carl Meyer <carl@oddbird.net>
(GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 77cde5042a2f1eae489c11a67540afaf43cd5cdf)
Co-authored-by: Christian Heimes <christian@python.org>
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4)
Co-authored-by: Christian Heimes <christian@python.org>
skip test_min_max_version_mismatch when TLS 1.0 is not available
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit ce04e7105bc396c32667a22b928a712ba0778a3f)
Co-authored-by: Christian Heimes <christian@python.org>
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
Automerge-Triggered-By: @tiran
Make ssl tests less strict and also accept TLSv3 as the default maximum
version. This change unbreaks test_min_max_version on Fedora 32.
https://bugs.python.org/issue38815
(cherry picked from commit 34864d1cffdbfc620f8517dab9a68ae9a37b8c53)
Co-authored-by: torsava <torsava@redhat.com>
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38275
(cherry picked from commit df6ac7e2b82d921a6e9ff5571b40c6dbcf635581)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit de606ea169435fe4dd40dc3e3b2b591e11396a14)
Co-authored-by: Christian Heimes <christian@python.org>
(cherry picked from commit c9bc49c5f6e26a7c958307c2ac338951a7534d9a)
Co-authored-by: Christian Heimes <christian@python.org>
Accumulate certificates in a set instead of doing a costly list containment
operation. A Windows cert store can easily contain over a hundred
certificates. The old code would result in way over 5,000 comparison
operations.
Signed-off-by: Christian Heimes <christian@python.org>
test_ssl.test_pha_required_nocert() now uses
support.catch_threading_exception() to ignore the expected SSLError
in ConnectionHandler of ThreadedEchoServer (it is only raised
sometimes on Windows).
(cherry picked from commit 73ea54620a6f91c3f2e53880373dd47813691a21)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
ssl.match_hostname() no longer accepts IPv4 addresses with additional text
after the address and only quad-dotted notation without trailing
whitespaces. Some inet_aton() implementations ignore whitespace and all data
after whitespace, e.g. '127.0.0.1 whatever'.
Short notations like '127.1' for '127.0.0.1' were already filtered out.
The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37463
(cherry picked from commit 477b1b25768945621d466a8b3f0739297a842439)
Co-authored-by: Christian Heimes <christian@python.org>
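Added example (not CPython's own code) illustrating the strict dotted-quad rule the commit above describes. It parses with `socket.inet_aton()` and then accepts the input only if `socket.inet_ntoa()` reproduces it byte-for-byte, which rejects short forms such as `127.1`, leading or trailing whitespace, and any trailing text regardless of how lenient the platform `inet_aton()` is. The round-trip comparison and the helper names `strict_ipv4` and `ip_matches` are this example's own choices, and all sample inputs are constructed.

```python
import socket
from typing import Optional

# Constructed sample inputs: the first is the only canonical dotted-quad form.
SAMPLES = [
    "127.0.0.1",           # canonical, must be accepted
    "127.0.0.1 whatever",  # trailing text: some inet_aton() builds accept it
    "127.1",               # short notation for 127.0.0.1
    " 127.0.0.1",          # leading whitespace
    "127.0.0.1\n",         # trailing newline
    "127.0.0.01",          # non-canonical octet
    "256.0.0.1",           # out of range, never an IPv4 address
    "::1",                 # IPv6, not IPv4
]


def strict_ipv4(ipname: str) -> Optional[bytes]:
    """Return the packed 4-byte address only for canonical dotted-quad input.

    inet_aton() may accept abbreviated forms and ignore trailing data, so the
    packed value is trusted only when rendering it back with inet_ntoa() gives
    exactly the string we were handed (an injective round trip).
    """
    try:
        packed = socket.inet_aton(ipname)
    except OSError:
        return None  # not an IPv4 address at all
    if socket.inet_ntoa(packed) != ipname:
        return None  # short notation, whitespace, or trailing text: refuse
    return packed


def ip_matches(cert_ip: str, hostname: str) -> bool:
    """Compare a certificate's IP Address SAN entry with the requested host.

    Both sides must be canonical; the comparison is done on packed bytes so
    that textual quirks never influence the match.
    """
    a = strict_ipv4(cert_ip)
    b = strict_ipv4(hostname)
    return a is not None and b is not None and a == b


def classify(samples) -> dict:
    """Map each sample to whether the strict parser accepts it."""
    return {s: strict_ipv4(s) is not None for s in samples}


if __name__ == "__main__":
    for name, accepted in classify(SAMPLES).items():
        print(f"{name!r:24} strict={accepted}")
    print("match 127.0.0.1 vs 127.1:", ip_matches("127.0.0.1", "127.1"))
```

Only the first sample is accepted; every other entry is refused whether or not the local `inet_aton()` would have swallowed it, because the round trip fails in exactly those cases.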
(cherry picked from commit 8f4ef3b019ce380022018587571b0f970e668de3)
SSLContext.post_handshake_auth = True no longer sets
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
option is documented as ignored for clients, OpenSSL implicitly enables cert
chain validation when the flag is set.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37428
(cherry picked from commit f0f5930ac88482ef896283db5be9b8d508d077db)
(cherry picked from commit c2cda638d63b98f5cf9a8ef13e15aace2b7e3f0b)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Signed-off-by: Christian Heimes <christian@python.org>
Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2
introduced by bpo-34271.
Signed-off-by: Christian Heimes <christian@python.org>
Modify test_coroutines, test_cprofile, test_generators, test_raise,
test_ssl and test_yield_from to use
support.catch_unraisable_exception() rather than
support.captured_stderr().
test_thread: remove test_save_exception_state_on_error() which is now
updated. test_unraisable_exception() checks that sys.unraisablehook()
is called to handle _thread.start_new_thread() exception.
test_cprofile now relies on unittest for test discovery: replace
support.run_unittest() with unittest.main().
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.
The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.
Signed-off-by: Christian Heimes <christian@python.org>
Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy.
Use older TLS version for minimum TLS version of the server SSL context if
needed, to test TLS version older than default minimum TLS version.
Make ssl tests less strict and also accept TLSv1 as system default. The
change unbreaks test_min_max_version on Fedora 29.
Signed-off-by: Christian Heimes <christian@python.org>
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result in a segfault.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue35746
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue34670
OpenSSL follows the convention that whenever you call a function, it
returns an error indicator value; and if this value is negative, then
you need to go look at the actual error code to see what happened.
Commit c6fd1c1c3a introduced a small mistake in
_ssl__SSLSocket_shutdown_impl: instead of checking whether the error
indicator was negative, it started checking whether the actual error
code was negative, and it turns out that the error codes are never
negative. So the effect was that 'unwrap()' lost the ability to raise
SSL errors.
https://bugs.python.org/issue34759
* Replace "master process" with "parent process"
* Replace "master option mappings" with "main option mappings"
* Replace "master pattern object" with "main pattern object"
* ssl: replace "master" with "server"
* And some other similar changes
Update all test certs and keys to use future proof crypto settings:
* 3072 bit RSA keys
* SHA-256 signature
Signed-off-by: Christian Heimes <christian@python.org>
Downstream vendors have started to deprecate weak keys. Update all RSA keys
and DH params to use at least 2048 bits.
The finite field DH param file uses RFC 7919 values, generated with
certtool --get-dh-params --sec-param=high
Signed-off-by: Christian Heimes <christian@python.org>
The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED was
misleading and partly wrong. It failed to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain every time. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
TLS 1.3 behaves slightly differently than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initial handshake. Tests now
either send/recv data to trigger session and client certs, or
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.
To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.
Signed-off-by: Christian Heimes <christian@python.org>
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 ciphers enabled by
default.
Also update multissltests and Travis config to test with latest OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>
* test_ssl: Remove skip_if_broken_ubuntu_ssl
We no longer support OpenSSL 0.9.8.15.15.
* bpo-28167: Remove platform.linux_distribution
Harden ssl module against LibreSSL CVE-2018-8970.
X509_VERIFY_PARAM_set1_host() is called with an explicit namelen. A new test
ensures that NULL bytes are not allowed.
Signed-off-by: Christian Heimes <christian@python.org>
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulates maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minimum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enable hostname verification except with
ssl_version=PROTOCOL_TLS_CLIENT and cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio() are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and
CPython's test suite needs it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
Add tests to verify connection with secp384r1 ECDH curves.