From da6902cb7ba83b4a5fd82fd183f248b7984d1e36 Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Wed, 21 Apr 2010 19:52:52 +0000 Subject: Merged revisions 80317 via svnmerge from svn+ssh://pythondev@svn.python.org/python/branches/py3k ................ r80317 | antoine.pitrou | 2010-04-21 21:46:23 +0200 (mer., 21 avril 2010) | 15 lines Merged revisions 80314-80315 via svnmerge from svn+ssh://pythondev@svn.python.org/python/trunk ........ r80314 | antoine.pitrou | 2010-04-21 21:28:03 +0200 (mer., 21 avril 2010) | 5 lines Issue #8484: Load all ciphers and digest algorithms when initializing the _ssl extension, such that verification of some SSL certificates doesn't fail because of an "unknown algorithm". ........ r80315 | antoine.pitrou | 2010-04-21 21:36:23 +0200 (mer., 21 avril 2010) | 3 lines Forgot to add the sample certificate (followup to r80314) ........ ................ --- Lib/test/sha256.pem | 33 +++++++++++++++++++++++++++++++++ Lib/test/support.py | 11 +++++++++++ Lib/test/test_ssl.py | 20 ++++++++++++++++++++ Misc/NEWS | 4 ++++ Modules/_ssl.c | 3 ++- 5 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 Lib/test/sha256.pem diff --git a/Lib/test/sha256.pem b/Lib/test/sha256.pem new file mode 100644 index 0000000..01878e9 --- /dev/null +++ b/Lib/test/sha256.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFxzCCA6+gAwIBAgIJALnlnf5uzTkIMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV +BAYTAkRFMRcwFQYDVQQKEw5zY2hva29rZWtzLm9yZzEjMCEGCSqGSIb3DQEJARYU +aGFubm9Ac2Nob2tva2Vrcy5vcmcwHhcNMTAwMTI3MDAyMTI1WhcNMjAwMTI1MDAy +MTI1WjBLMQswCQYDVQQGEwJERTEXMBUGA1UEChMOc2Nob2tva2Vrcy5vcmcxIzAh +BgkqhkiG9w0BCQEWFGhhbm5vQHNjaG9rb2tla3Mub3JnMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEApJ4ODPwEooMW35dQPlBqdvcfkEvjhcsA7jmJfFqN +e/1T34zT44X9+KnMBSG2InacbD7eyFgjfaENFsZ87YkEBDIFZ/SHotLJZORQ8PUj +YoxPG4mjKN+yL2WthNcYbRyJreTbbDroNMuw6tkTSxeSXyYFQrKMCUfErVbZa/d5 +RvfFVk+Au9dVUFhed/Stn5cv+a0ffvpyA7ygihm1kMFICbvPeI0846tmC2Ph7rM5 +pYQyNBDOVpULODTk5Wu6jiiJJygvJWCZ1FdpsdBs5aKWHWdRhX++quGuflTTjH5d +qaIka4op9H7XksYphTDXmV+qHnva5jbPogwutDQcVsGBQcJaLmQqhsQK13bf4khE +iWJvfBLfHn8OOpY25ZwwuigJIwifNCxQeeT1FrLmyuYNhz2phPpzx065kqSUSR+A +Iw8DPE6e65UqMDKqZnID3dQeiQaFrHEV+Ibo0U/tD0YSBw5p33TMh0Es33IBWMac +m7x4hIFWdhl8W522u6qOrTswY3s8vB7blNWqMc9n7oWH8ybFf7EgKeDVtEN9AyBE +0WotXIEZWI+WvDbU1ACJXau9sQhYP/eerg7Zwr3iGUy4IQ5oUJibnjtcE+z8zmDN +pE6YcMCLJyLjXiQ3iHG9mNXzw7wPnslTbEEEukrfSlHGgW8Dm+VrNyW0JUM1bntx +vbMCAwEAAaOBrTCBqjAdBgNVHQ4EFgQUCedv7pDTuXtCxm4HTw9hUtrTvsowewYD +VR0jBHQwcoAUCedv7pDTuXtCxm4HTw9hUtrTvsqhT6RNMEsxCzAJBgNVBAYTAkRF +MRcwFQYDVQQKEw5zY2hva29rZWtzLm9yZzEjMCEGCSqGSIb3DQEJARYUaGFubm9A +c2Nob2tva2Vrcy5vcmeCCQC55Z3+bs05CDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4ICAQBHKAxA7WA/MEFjet03K8ouzEOr6Jrk2fZOuRhoDZ+9gr4FtaJB +P3Hh5D00kuSOvDnwsvCohxeNd1KTMAwVmVoH+NZkHERn3UXniUENlp18koI1ehlr +CZbXbzzE9Te9BelliSFA63q0cq0yJN1x9GyabU34XkAouCAmOqfSpKNZWZHGBHPF +bbYnZrHEMcsye6vKeTOcg1GqUHGrQM2WK0QaOwnCQv2RblI9VN+SeRoUJ44qTXdW +TwIYStsIPesacNcAQTStnHgKqIPx4zCwdx5xo8zONbXJfocqwyFqiAofvb9dN1nW +g1noVBcXB+oRBZW5CjFw87U88itq39i9+BWl835DWLBW2pVmx1QTLGv0RNgs/xVx +mWnjH4nNHvrjn6pRmqHZTk/SS0Hkl2qtDsynVxIl8EiMTfWSU3DBTuD2J/RSzuOE +eKtAbaoXkXE31jCl4FEZLITIZd8UkXacb9rN304tAK92L76JOAV+xOZxFRipmvx4 ++A9qQXgLhtP4VaDajb44V/kCKPSA0Vm3apehke9Wl8dDtagfos1e6MxSu3EVLXRF 
+SP2U777V77pdMSd0f/7cerKn5FjrxW1v1FaP1oIGniMk4qQNTgA/jvvhjybsPlVA +jsfnhWGbh1voJa0RQcMiRMsxpw2P1KNOEu37W2eq/vFghVztZJQUmb5iNw== +-----END CERTIFICATE----- diff --git a/Lib/test/support.py b/Lib/test/support.py index 18fb391..08828a8 100644 --- a/Lib/test/support.py +++ b/Lib/test/support.py @@ -607,6 +607,17 @@ ioerror_peer_reset = TransientResource(IOError, errno=errno.ECONNRESET) @contextlib.contextmanager +def transient_internet(): + """Return a context manager that raises ResourceDenied when various issues + with the Internet connection manifest themselves as exceptions.""" + time_out = TransientResource(IOError, errno=errno.ETIMEDOUT) + socket_peer_reset = TransientResource(socket.error, errno=errno.ECONNRESET) + ioerror_peer_reset = TransientResource(IOError, errno=errno.ECONNRESET) + with time_out, socket_peer_reset, ioerror_peer_reset: + yield + + +@contextlib.contextmanager def captured_output(stream_name): """Run the 'with' statement body using a StringIO object in place of a specific attribute on the sys module. diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 0be5652..15af333 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
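Review bot: `transient_internet()` turns only ETIMEDOUT and ECONNRESET into ResourceDenied, so a test that uses it still fails hard in the most common offline cases — name resolution failing (`socket.gaierror`) or `connect()` returning ENETUNREACH/EHOSTUNREACH — which is narrower than the docstring's "various issues with the Internet connection" suggests. Either widen the set (if `TransientResource` accepts a bare exception type as the `errno=` form implies: `dns_failure = TransientResource(socket.gaierror)`, `net_unreach = TransientResource(IOError, errno=errno.ENETUNREACH)`, and add both to the `with` line) or narrow the docstring to name the two errnos actually handled. The three locals also re-create the module-level `ioerror_peer_reset` visible in the hunk header (and presumably `time_out`/`socket_peer_reset` next to it) under the same names; reusing the module-level objects would avoid that shadowing.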
@@ -176,6 +176,26 @@ class NetworkedTests(unittest.TestCase): if support.verbose: sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) + def test_algorithms(self): + # Issue #8484: all algorithms should be available when verifying a + # certificate. + # NOTE: https://sha256.tbs-internet.com is another possible test host + remote = ("sha2.hboeck.de", 443) + sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem") + s = ssl.wrap_socket(socket.socket(socket.AF_INET), + cert_reqs=ssl.CERT_REQUIRED, + ca_certs=sha256_cert,) + with support.transient_internet(): + try: + s.connect(remote) + if support.verbose: + sys.stdout.write("\nCipher with %r is %r\n" % + (remote, s.cipher())) + sys.stdout.write("Certificate is:\n%s\n" % + pprint.pformat(s.getpeercert())) + finally: + s.close() + try: import threading diff --git a/Misc/NEWS b/Misc/NEWS index e699b6e..c9f1bcc 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -33,6 +33,10 @@ Core and Builtins Library ------- +- Issue #8484: Load all ciphers and digest algorithms when initializing + the _ssl extension, such that verification of some SSL certificates + doesn't fail because of an "unknown algorithm". + - Issue #4814: timeout parameter is now applied also for connections resulting from PORT/EPRT commands. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 3cec4b4..5311f77 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1652,13 +1652,14 @@ PyInit__ssl(void) /* Init OpenSSL */ SSL_load_error_strings(); + SSL_library_init(); #ifdef WITH_THREAD /* note that this will start threading if not already started */ if (!_setup_ssl_threads()) { return NULL; } #endif - SSLeay_add_ssl_algorithms(); + OpenSSL_add_all_algorithms(); /* Add symbols to module dict */ PySSLErrorObject = PyErr_NewException("ssl.SSLError", -- cgit v0.12
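Review bot: `test_algorithms` makes no assertion, so it passes whenever `connect()` returns and the `support.verbose` output is the only evidence that the SHA-256-signed chain was processed; after the connect, pin the point of #8484 with `self.assertTrue(s.getpeercert(), "no verified peer certificate")`. The socket is created without a timeout, so a host that accepts the TCP connection but stalls the handshake hangs the suite instead of tripping `transient_internet()`'s ETIMEDOUT; set `s.settimeout(30)` (or on the plain socket before `wrap_socket`) before connecting. The trust anchor in `sha256.pem` appears to be a self-signed certificate whose encoded validity ends in January 2020, so the test will start failing for reasons unrelated to the fix once the remote host rotates its chain — worth a comment next to `remote` saying the pinned file must be refreshed together with the host. Note also that `cert_reqs=ssl.CERT_REQUIRED` with `ca_certs=sha256_cert` validates the chain against the pinned CA only; nothing here matches the certificate against `sha2.hboeck.de`, so the printed certificate should not be read as an identity check.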
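Review bot: The switch to `OpenSSL_add_all_algorithms()` needs a why-comment, because a later reader will see `SSL_library_init()` a few lines above (which, as I read the OpenSSL docs, is the same call as the removed `SSLeay_add_ssl_algorithms()`) and treat the second call as redundant and delete it, reintroducing #8484. Suggested comment above the call: `/* Issue #8484: SSL_library_init() registers only the ciphers/digests the TLS layer itself uses; verifying certificate signatures (e.g. sha256WithRSA on older builds) needs every digest OpenSSL was built with, so load them all. */`. Two build-dependent caveats belong in the same comment, hedged: the registered set is now whatever the linked OpenSSL includes, legacy digests and all, rather than a curated list, and when OpenSSL is compiled with OPENSSL_LOAD_CONF this call also parses openssl.cnf, so the process starts honoring that file's engine/algorithm configuration. `PyInit__ssl` continues outside the hunk.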