| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#108407)
* In preauth tests of test_ssl, explicitly break reference cycles
invoving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
|
| |
|
| |
Otherwise, buildbot builds would fail since there's no TLS 1.0/1.1 support.
|
| |
|
|
|
|
|
| |
(GH-95282) (GH-95323)
(cherry picked from commit 565403038b75eb64ea483b2757ba30769246d853)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
| |
(GH-95312)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
| |
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of explicitly enumerate test classes for run_unittest()
use the unittest ability to discover tests. This also makes these
tests discoverable and runnable with unittest.
load_tests() can be used for dynamic generating tests and adding
doctests. setUpModule(), tearDownModule() and addModuleCleanup()
can be used for running code before and after all module tests..
(cherry picked from commit 40348acc180580371d25f75f46b27048e35f2435)
|
| |
|
|
|
| |
(cherry picked from commit b5a52eef67997246b4235b5407e52a01e822ce56)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
|
| |
|
|
|
|
|
|
| |
(GH-25554) (GH-25555)
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
(GH-25451)
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit b467d9a24011992242c95d9157d3455f8a84466b)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 5151d642004c59cce58d669be85d9a5e987f51d3)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
| |
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
(cherry picked from commit 29c451c6989c3c94fa0a9facf187c24f3cbf2420)
Co-authored-by: Carl Meyer <carl@oddbird.net>
Co-authored-by: Carl Meyer <carl@oddbird.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 77cde5042a2f1eae489c11a67540afaf43cd5cdf)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.
See:
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
skip test_min_max_version_mismatch when TLS 1.0 is not available
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit ce04e7105bc396c32667a22b928a712ba0778a3f)
Co-authored-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: GH:tiran
|
| | |
|
| |
|
|
|
|
| |
* Move socket related functions from test.support to socket_helper.
* Import socket, nntplib and urllib.error lazily in transient_internet().
* Remove importing multiprocess.
|
| |
|
|
|
|
|
|
|
| |
Moreover, the following tests now check the child process exit code:
* test_os.PtyTests
* test_mailbox.test_lock_conflict()
* test_tempfile.test_process_awareness()
* test_uuid.testIssue8621()
* multiprocessing resource tracker tests
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace hardcoded timeout constants in tests with SHORT_TIMEOUT of
test.support, so it's easier to ajdust this timeout for all tests at
once.
SHORT_TIMEOUT is 30 seconds by default, but it can be longer
depending on --timeout command line option.
The change makes almost all timeouts longer, except
test_reap_children() of test_support which is made 2x shorter:
SHORT_TIMEOUT should be enough. If this test starts to fail,
LONG_TIMEOUT should be used instead.
Uniformize also "from test import support" import in some test files.
|
| |
|
|
|
|
|
|
|
|
| |
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
|
| |
|
|
|
|
|
| |
Make ssl tests less strict and also accept TLSv3 as the default maximum
version. This change unbreaks test_min_max_version on Fedora 32.
https://bugs.python.org/issue38815
|
| |
|
|
|
|
| |
Check presence of SSLContext.minimum_version to make tests pass with
old versions of OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38275
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| |
|
|
|
|
|
|
| |
Accumulate certificates in a set instead of doing a costly list contain
operation. A Windows cert store can easily contain over hundred
certificates. The old code would result in way over 5,000 comparison
operations
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| |
|
|
|
|
| |
test_ssl.test_pha_required_nocert() now uses
support.catch_threading_exception() to ignore the expected SSLError
in ConnectionHandler of ThreadedEchoServer (it is only raised
sometimes on Windows).
|
| |
|
|
|
| |
(GH-14662)" (GH-14669)
This reverts commit cf9c41c422de3774862db964fe3153086bad3f61.
|
| |
|
|
| |
Close the TLS connection in test_pha_required_nocert() of test_ssl to
fix a ResourceWarning.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssl.match_hostname() no longer accepts IPv4 addresses with additional text
after the address and only quad-dotted notation without trailing
whitespaces. Some inet_aton() implementations ignore whitespace and all data
after whitespace, e.g. '127.0.0.1 whatever'.
Short notations like '127.1' for '127.0.0.1' were already filtered out.
The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37463
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SSLContext.post_handshake_auth = True no longer sets
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
option is documented as ignored for clients, OpenSSL implicitly enables cert
chain validation when the flag is set.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37428
|
| | |
|
| |
|
|
| |
(GH-13454)
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2
introduced by bpo-34271.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Modify test_coroutines, test_cprofile, test_generators, test_raise,
test_ssl and test_yield_from to use
support.catch_unraisable_exception() rather than
support.captured_stderr().
test_thread: remove test_save_exception_state_on_error() which is now
updated. test_unraisable_exception() checks that sys.unraisablehook()
is called to handle _thread.start_new_thread() exception.
test_cprofile now rely on unittest for test discovery: replace
support.run_unittest() with unittest.main().
|
| |
|
|
|
|
|
|
|
|
|
| |
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.
The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy.
Use older TLS version for minimum TLS version of the server SSL context if
needed, to test TLS version older than default minimum TLS version.
|
| |
|
|
|
|
| |
Make ssl tests less strict and also accept TLSv1 as system default. The
changes unbreaks test_min_max_version on Fedora 29.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue35746
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.
Signed-off-by: Christian Heimes <christian@python.org>q
https://bugs.python.org/issue34670
|
