58 Commits

Author SHA1 Message Date
Christian Heimes a5669b3c62
bpo-43998: Fix testing without ssl module (GH-25790)
Signed-off-by: Christian Heimes <christian@python.org>
2021-05-01 22:17:01 +02:00
Christian Heimes e983252b51
bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
The ssl module now has more secure default settings. Ciphers without forward
secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
weak RSA, DH, and ECC keys with less than 112 bits of security.
:class:`~ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
Settings are based on Hynek Schlawack's research.

```
$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
$ openssl ciphers -v '@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
```

Signed-off-by: Christian Heimes <christian@python.org>
2021-05-01 20:53:10 +02:00
Christian Heimes 2875c603b2
bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455)
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
* ssl.OP_NO_TLSv1_3
* ssl.PROTOCOL_SSLv2
* ssl.PROTOCOL_SSLv3
* ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
* ssl.PROTOCOL_TLS
* ssl.PROTOCOL_TLSv1
* ssl.PROTOCOL_TLSv1_1
* ssl.PROTOCOL_TLSv1_2
* ssl.TLSVersion.SSLv3
* ssl.TLSVersion.TLSv1
* ssl.TLSVersion.TLSv1_1
* ssl.wrap_socket()
* ssl.RAND_pseudo_bytes()
* ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
* hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL
  function will stay)

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 07:27:10 +02:00
Dong-hee Na ec3165320e
bpo-42794: Update test_nntplib to use official group name for testing (GH-24037) 2021-01-01 23:20:33 +09:00
Victor Stinner fabd7bb8e0
bpo-41521: Replace whitelist/blacklist with allowlist/denylist (GH-21822)
Automerge-Triggered-By: @tiran
2020-08-11 06:26:59 -07:00
Dong-hee Na aa92a7cf21
bpo-39305: Update nntplib to merge nntplib.NNTP and nntplib._NNTPBase (GH-19817) 2020-05-16 19:31:54 +09:00
Serhiy Storchaka bfb1cf4465
bpo-40275: Move transient_internet from test.support to socket_helper (GH-19711) 2020-04-29 10:36:20 +03:00
Serhiy Storchaka 16994912c9
bpo-40275: Avoid importing socket in test.support (GH-19603)
* Move socket related functions from test.support to socket_helper.
* Import socket, nntplib and urllib.error lazily in transient_internet().
* Remove importing multiprocess.
2020-04-25 10:06:29 +03:00
Dong-hee Na 1b335ae281 bpo-39259: nntplib.NNTP/NNTP_SSL now reject timeout = 0 (GH-17936)
nntplib.NNTP and nntplib.NNTP_SSL now raise a ValueError
if the given timeout for their constructor is zero to
prevent the creation of a non-blocking socket.
2020-01-11 18:39:15 +01:00
Dong-hee Na 2e6a8efa83 bpo-39242: Updated the Gmane domain into news.gmane.io (GH-17903) 2020-01-08 16:29:34 +01:00
Victor Stinner 1d0f9b316a
bpo-38614: Use test.support.INTERNET_TIMEOUT constant (GH-17565)
Replace hardcoded timeout constants in tests with INTERNET_TIMEOUT of
test.support, so it's easier to adjust this timeout for all tests at
once.
2019-12-10 22:09:23 +01:00
Gregory P. Smith 2cc0223f43
bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124)
Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default.  This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.

Fixing the network servers is a separate issue.
2019-05-06 17:54:06 -04:00
Victor Stinner 706cb3162e
bpo-32128: Skip test_nntplib.test_article_head_body() (#4552)
The NNTP server currently has troubles with SSL, whereas we don't
have the control on this server. This test blocks all CIs, so disable
it until a fix can be found.
2017-11-25 02:42:18 +01:00
Antoine Pitrou a6a4dc816d bpo-31370: Remove support for threads-less builds (#3385)
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
2017-09-07 18:56:24 +02:00
INADA Naoki 067931dd95 bpo-30188: fix TypeError in test_nntplib (GH-2892)
fixes regression of 5b4feb7
2017-07-26 23:43:22 +09:00
Victor Stinner 5b4feb7e86 bpo-30188: test_nntplib catch also ssl.SSLEOFError (#2843)
Catch also ssl.SSLEOFError in NetworkedNNTPTests setUpClass().
EOFError was already caught.
2017-07-24 17:41:02 +02:00
Victor Stinner 5bccca58b9 bpo-30175: Skip client cert tests of test_imaplib (#1320)
* bpo-30175: Skip client cert tests of test_imaplib

The IMAP server cyrus.andrew.cmu.edu doesn't accept our randomly
generated client x509 certificate anymore.

* bpo-30188: Catch EOFError in NetworkedNNTPTests

test_nntplib fails randomly with EOFError in
NetworkedNNTPTests.setUpClass(). Catch EOFError to skip tests in that
case.
2017-04-27 17:30:13 +02:00
Xavier de Gaye 10a22dc65a Issue #28971: Merge 3.5 2016-12-16 20:50:10 +01:00
Xavier de Gaye ac13beeef5 Issue #28971: Temporarily skip test_over until a permanent solution is found
for issue #28971.
2016-12-16 20:49:10 +01:00
Christian Heimes d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation includes manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Martin Panter eb9957065a Issue #27626: Spelling fixes in docs, comments and internal names
Based on patch by Ville Skyttä.
2016-07-28 01:11:04 +00:00
Martin Panter 6245cb3c01 Correct “an” → “a” with “Unicode”, “user”, “UTF”, etc
This affects documentation, code comments, and a debugging messages.
2016-04-15 02:14:19 +00:00
Martin Panter 8f19e8e1c5 Issue #25859: Reimplement NNTP test_starttls() using local server
The previous test relied on a remote server, which currently seems to be
shutting the connection down once TLS has been set up, causing an EOFError.
Now the test is implemented using a minimal NNTP server running in a
background thread.
2016-01-19 01:10:58 +00:00
Serhiy Storchaka 807743403d Issue #22351. MockSslTests tests in test_nntplib now are reported if skipped. 2015-04-03 15:02:20 +03:00
Victor Stinner 8c9bba07d4 Issue #22351: Fix test_nntplib if the ssl module is missing
@unittest.skipUnless(ssl, '...') doesn't work because the class body uses the
nntplib.NNTP_SSL attribute which doesn't exist.
2015-04-03 11:06:40 +02:00
Serhiy Storchaka 52027c301a Issue #22351: The nntplib.NNTP constructor no longer leaves the connection
and socket open until the garbage collector cleans them up.  Patch by
Martin Panter.
2015-03-21 09:40:26 +02:00
Berker Peksag 96756b6a27 Issue #22247: Add NNTPError to nntplib.__all__. 2014-09-20 08:53:05 +03:00
Serhiy Storchaka 43767638a9 Issue #18702: All skipped tests now reported as skipped. 2013-11-03 21:31:38 +02:00
Georg Brandl b89b5df9c9 merge with 3.3 2013-10-27 07:46:09 +01:00
Georg Brandl 28e78414f9 Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory.  Patch by Jyrki
Pulliainen.
2013-10-27 07:29:47 +01:00
Andrew Svetlov 0832af6628 Issue #16717: get rid of socket.error, replace with OSError 2012-12-18 23:10:48 +02:00
Antoine Pitrou 1f5d2a087c Fix test to really run behind a NNTP virus checker 2012-06-24 16:28:18 +02:00
Nick Coghlan 307ef8aee5 Merge from 3.2 (Ignore X-Antivirus headers in test_nntplib) 2012-06-17 21:30:35 +10:00
Nick Coghlan 14d99a1491 Ignore X-Antivirus headers in test_nntplib 2012-06-17 21:27:18 +10:00
Antoine Pitrou 482ee66cb7 Issue #7644: Add tests for the file argument of NNTP.head() and NNTP.body().
Patch by Hynek Schlawack.
2012-02-15 18:53:49 +01:00
Antoine Pitrou 2640b52237 Issue #7644: Add tests for the file argument of NNTP.head() and NNTP.body().
Patch by Hynek Schlawack.
2012-02-15 18:53:18 +01:00
Antoine Pitrou 06b57ef958 Issue #10287: nntplib now queries the server's CAPABILITIES first before sending MODE READER, and only sends it if not already in READER mode.
Patch by Hynek Schlawack.
2012-02-14 23:30:35 +01:00
Antoine Pitrou 71135624d8 Issue #10287: nntplib now queries the server's CAPABILITIES first before sending MODE READER, and only sends it if not already in READER mode.
Patch by Hynek Schlawack.
2012-02-14 23:29:34 +01:00
Antoine Pitrou 425b8e85a9 Issue #10287: nntplib now queries the server's CAPABILITIES again after authenticating (since the result may change, according to RFC 4643).
Patch by Hynek Schlawack.
2012-02-12 19:15:09 +01:00
Antoine Pitrou 54411c1784 Issue #10287: nntplib now queries the server's CAPABILITIES again after authenticating (since the result may change, according to RFC 4643).
Patch by Hynek Schlawack.
2012-02-12 19:14:17 +01:00
Florent Xicluna aabbda5354 Merge 3.2 2011-10-28 14:52:29 +02:00
Florent Xicluna 5d1155c08e Closes #13258: Use callable() built-in in the standard library. 2011-10-28 14:45:05 +02:00
Ezio Melotti d8b509b192 #13012: use splitlines(keepends=True/False) instead of splitlines(0/1). 2011-09-28 17:37:55 +03:00
Giampaolo Rodolà 424298a155 Issue 9795: adds context manager protocol to nntplib.NNTP class so that it can be used with the 'with' statement. 2011-03-03 18:34:06 +00:00
Marc-André Lemburg 8f36af7a4c Normalize the encoding names for Latin-1 and UTF-8 to
'latin-1' and 'utf-8'.

These are optimized in the Python Unicode implementation
to result in more direct processing, bypassing the codec
registry.

Also see issue11303.
2011-02-25 15:42:01 +00:00
Raymond Hettinger 57d1a887e7 Fix imports from collections.abc 2011-02-23 00:46:28 +00:00
Antoine Pitrou 3bce11cbbd Make test_nntplib more robust 2010-11-21 17:14:19 +00:00
Antoine Pitrou de609186fc Wrap all test_nntplib methods accessing a remote server in a transient_internet()
exception catcher.  Wrapping the initial connection routine is not sufficient
as network timeouts can then occur as part of NNTP commands.
2010-11-18 17:29:23 +00:00
Antoine Pitrou d28f790b69 Make test_nntplib more robust when the "last" article in a group can't be retrieved 2010-11-18 15:11:43 +00:00
Antoine Pitrou 45ca987495 Switch from gmane to another provider for NNTP tests (as gmane isn't reliable
enough).  Also, use setUpClass in order to connect only once per test run.
2010-11-13 00:28:53 +00:00