Commit Graph

561 Commits

Author SHA1 Message Date
Christian Heimes c8666cfa7c
bpo-37322: Fix ResourceWarning and exception handling in test (GH-25553)
Revert 73ea546, increase logging, and improve stability of test.

Handle all OSErrors in a single block. OSError also takes care of
SSLError and socket's connection errors.

Partly reverts commit fb7e750. The
threaded connection handler must not raise an unhandled exception.
2021-04-24 09:17:54 +02:00
Christian Heimes f05c2aed7e
bpo-31870: Fix test_get_server_certificate_timeout on Windows (GH-25570)
Some OS do not support millisecond granularity in select(). Use 100ms
timeout and a server callback with sleep to emulate a slow server.
2021-04-24 07:54:08 +02:00
Zackery Spytz b2fac1afaa
bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270) 2021-04-23 21:46:01 -07:00
Christian Heimes e047239eaf
bpo-43921: ignore failing test_wrong_cert_tls13 on Windows (GH-25561)
test_wrong_cert_tls13 sometimes fails on some Windows buildbots. Turn
failing test case into skipped test case until we have more time to
investigate.

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-23 20:03:25 +02:00
Christian Heimes b9ad88be03
bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-23 13:51:40 +02:00
Ethan Furman a02cb474f9
bpo-38659: [Enum] add _simple_enum decorator (GH-25497)
add:

* `_simple_enum` decorator to transform a normal class into an enum
* `_test_simple_enum` function to compare
* `_old_convert_` to enable checking `_convert_` generated enums

`_simple_enum` takes a normal class and converts it into an enum:

    @simple_enum(Enum)
    class Color:
        RED = 1
        GREEN = 2
        BLUE = 3

`_old_convert_` works much like` _convert_` does, using the original logic:

    # in a test file
    import socket, enum
    CheckedAddressFamily = enum._old_convert_(
            enum.IntEnum, 'AddressFamily', 'socket',
            lambda C: C.isupper() and C.startswith('AF_'),
            source=_socket,
            )

`_test_simple_enum` takes a traditional enum and a simple enum and
compares the two:

    # in the REPL or the same module as Color
    class CheckedColor(Enum):
        RED = 1
        GREEN = 2
        BLUE = 3

    _test_simple_enum(CheckedColor, Color)

    _test_simple_enum(CheckedAddressFamily, socket.AddressFamily)

Any important differences will raise a TypeError
2021-04-21 10:20:44 -07:00
Christian Heimes 3309113d61
bpo-43799: Also define SSLv3_method() (GH-25481)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-20 18:10:10 +02:00
Ethan Furman 503cdc7c12
Revert "bpo-38659: [Enum] add _simple_enum decorator (GH-25285)" (GH-25476)
This reverts commit dbac8f40e8.
2021-04-19 19:12:24 -07:00
Ethan Furman dbac8f40e8
bpo-38659: [Enum] add _simple_enum decorator (GH-25285)
add:

_simple_enum decorator to transform a normal class into an enum
_test_simple_enum function to compare
_old_convert_ to enable checking _convert_ generated enums
_simple_enum takes a normal class and converts it into an enum:

@simple_enum(Enum)
class Color:
    RED = 1
    GREEN = 2
    BLUE = 3

_old_convert_ works much like _convert_ does, using the original logic:

# in a test file
import socket, enum
CheckedAddressFamily = enum._old_convert_(
        enum.IntEnum, 'AddressFamily', 'socket',
        lambda C: C.isupper() and C.startswith('AF_'),
        source=_socket,
        )

test_simple_enum takes a traditional enum and a simple enum and
compares the two:

# in the REPL or the same module as Color
class CheckedColor(Enum):
    RED = 1
    GREEN = 2
    BLUE = 3

_test_simple_enum(CheckedColor, Color)

_test_simple_enum(CheckedAddressFamily, socket.AddressFamily)

Any important differences will raise a TypeError
2021-04-19 18:04:53 -07:00
Christian Heimes d37b74f341
bpo-43669: More test_ssl cleanups (GH-25470)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 08:31:29 +02:00
Christian Heimes 2875c603b2
bpo-43880: Show DeprecationWarnings for deprecated ssl module features (GH-25455)
* ssl.OP_NO_SSLv2
* ssl.OP_NO_SSLv3
* ssl.OP_NO_TLSv1
* ssl.OP_NO_TLSv1_1
* ssl.OP_NO_TLSv1_2
* ssl.OP_NO_TLSv1_3
* ssl.PROTOCOL_SSLv2
* ssl.PROTOCOL_SSLv3
* ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
* ssl.PROTOCOL_TLS
* ssl.PROTOCOL_TLSv1
* ssl.PROTOCOL_TLSv1_1
* ssl.PROTOCOL_TLSv1_2
* ssl.TLSVersion.SSLv3
* ssl.TLSVersion.TLSv1
* ssl.TLSVersion.TLSv1_1
* ssl.wrap_socket()
* ssl.RAND_pseudo_bytes()
* ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
* ssl.SSLContext() without a protocol argument
* ssl.match_hostname()
* hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL
  function will stay)

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 07:27:10 +02:00
Christian Heimes 89d1550d14
bpo-42854: Use SSL_read/write_ex() (GH-25468)
The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex``
internally. The functions support reading and writing of data larger
than 2 GB. Writing zero-length data no longer fails with a protocol
violation error.

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-19 06:55:30 +02:00
juhovh 49fdf118ae
bpo-36076: Add SNI support to ssl.get_server_certificate. (GH-16820)
Many servers in the cloud environment require SNI to be used during the
SSL/TLS handshake, therefore it is not possible to fetch their certificates
using the ssl.get_server_certificate interface.

This change adds an additional optional hostname argument that can be used to
set the SNI. Note that it is intentionally a separate argument instead of
using the host part of the addr tuple, because one might want to explicitly
fetch the default certificate or fetch a certificate from a specific IP
address with the specified SNI hostname. A separate argument also works better
for backwards compatibility.

Automerge-Triggered-By: GH:tiran
2021-04-18 04:11:48 -07:00
Christian Heimes 39258d3595
bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
2021-04-17 11:36:35 +02:00
Christian Heimes b467d9a240
bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.

Signed-off-by: Christian Heimes <christian@python.org>
2021-04-17 10:07:19 +02:00
Christian Heimes 3447750073
bpo-41561: Fix testing with OpenSSL 1.0.2 (GH-25355)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-12 12:00:38 +02:00
Christian Heimes 6f37ebc61e
bpo-43794: OpenSSL 3.0.0: set OP_IGNORE_UNEXPECTED_EOF by default (GH-25309)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-09 17:59:21 +02:00
Christian Heimes 5151d64200
bpo-4379: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304)
Signed-off-by: Christian Heimes <christian@python.org>
2021-04-09 15:43:06 +02:00
Ethan Furman b775106d94
bpo-40066: Enum: modify `repr()` and `str()` (GH-22392)
* Enum: streamline repr() and str(); improve docs

- repr() is now ``enum_class.member_name``
- stdlib global enums are ``module_name.member_name``
- str() is now ``member_name``
- add HOW-TO section for ``Enum``
- change main documentation to be an API reference
2021-03-30 21:17:26 -07:00
Carl Meyer 29c451c698
bpo-43562: fix test_ssl to skip on unreachable network (GH-24937)
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
2021-03-27 14:52:28 -07:00
Christian Heimes 77cde5042a
bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback (GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.

PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.

Signed-off-by: Christian Heimes <christian@python.org>
2021-03-21 16:13:09 +01:00
Christian Heimes f6c6b5821b
bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915)
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.

See: 
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes <christian@python.org>
2021-03-18 15:06:50 -07:00
Chris Burr e0b4aa0f5c
bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (GH-18011)
Exposes the `X509_V_FLAG_ALLOW_PROXY_CERTS` constant as `ssl.VERIFY_ALLOW_PROXY_CERTS` to allow for proxy certificate validation as described in: https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
2021-03-18 01:24:01 -07:00
pxinwr 98a5417193
bpo-41439: Skip test_ssl and test_uuid tests if fork() is not supported (GH-21684) 2020-12-09 00:20:19 +01:00
Christian Heimes 03c8ddd9e9
bpo-42413: socket.timeout is now an alias of TimeoutError (GH-23413)
Signed-off-by: Christian Heimes <christian@python.org>
2020-11-20 00:26:07 -08:00
Christian Heimes ce04e7105b
bpo-41561: skip test_min_max_version_mismatch (GH-22308)
skip test_min_max_version_mismatch when TLS 1.0 is not available

Signed-off-by: Christian Heimes <christian@python.org>
2020-11-18 13:10:53 +01:00
Hai Shi a7f5d93bb6
bpo-40275: Use new test.support helper submodules in tests (GH-21449) 2020-08-03 18:41:24 +02:00
matthewhughes934 8e836bb21c
bpo-41195: Add getter for Openssl security level (GH-21282)
Add an accessor under SSLContext.security_level as a wrapper around
SSL_CTX_get_security_level, see:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html


------
This is my first time contributing, so please pull me up on all the things I missed or did incorrectly.

Automerge-Triggered-By: @tiran
2020-07-17 01:59:15 -07:00
Hai Shi e80697d687
bpo-40275: Adding threading_helper submodule in test.support (GH-20263) 2020-05-28 00:10:27 +02:00
Serhiy Storchaka bfb1cf4465
bpo-40275: Move transient_internet from test.support to socket_helper (GH-19711) 2020-04-29 10:36:20 +03:00
Serhiy Storchaka 16994912c9
bpo-40275: Avoid importing socket in test.support (GH-19603)
* Move socket related functions from test.support to socket_helper.
* Import socket, nntplib and urllib.error lazily in transient_internet().
* Remove importing multiprocess.
2020-04-25 10:06:29 +03:00
Victor Stinner 278c1e159c
bpo-40094: Add test.support.wait_process() (GH-19254)
Moreover, the following tests now check the child process exit code:

* test_os.PtyTests
* test_mailbox.test_lock_conflict()
* test_tempfile.test_process_awareness()
* test_uuid.testIssue8621()
* multiprocessing resource tracker tests
2020-03-31 20:08:12 +02:00
Victor Stinner 0d63bacefd
bpo-38614: Use test.support.SHORT_TIMEOUT constant (GH-17566)
Replace hardcoded timeout constants in tests with SHORT_TIMEOUT of
test.support, so it's easier to ajdust this timeout for all tests at
once.

SHORT_TIMEOUT is 30 seconds by default, but it can be longer
depending on --timeout command line option.

The change makes almost all timeouts longer, except
test_reap_children() of test_support which is made 2x shorter:
SHORT_TIMEOUT should be enough. If this test starts to fail,
LONG_TIMEOUT should be used instead.

Uniformize also "from test import support" import in some test files.
2019-12-11 11:30:03 +01:00
Christian Heimes 2b7de6696b bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190)
test_openssl_version now accepts version 3.0.0.

getpeercert() no longer returns IPv6 addresses with a trailing new line.

Signed-off-by: Christian Heimes <christian@python.org>


https://bugs.python.org/issue38820
2019-12-07 08:59:36 -08:00
torsava 34864d1cff bpo-38815: Accept TLSv3 default in min max test (GH-NNNN) (GH-17437)
Make ssl tests less strict and also accept TLSv3 as the default maximum
version. This change unbreaks test_min_max_version on Fedora 32.


https://bugs.python.org/issue38815
2019-12-02 08:15:42 -08:00
Christian Heimes 9f77268f90
bpo-38275: Fix test_ssl issue caused by GH-16386 (#16428)
Check presence of SSLContext.minimum_version to make tests pass with
old versions of OpenSSL.

Signed-off-by: Christian Heimes <christian@python.org>
2019-09-26 18:23:17 +02:00
Christian Heimes df6ac7e2b8 bpo-38275: Skip ssl tests for disabled versions (GH-16386)
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue38275
2019-09-26 08:02:59 -07:00
Christian Heimes de606ea169 Correct typo in min version test (GH-16000)
Signed-off-by: Christian Heimes <christian@python.org>
2019-09-11 10:48:58 -07:00
Christian Heimes c9bc49c5f6 bpo-34001: Fix test_ssl with LibreSSL (GH-13783) 2019-09-11 10:24:47 -07:00
Christian Heimes 915cd3f069 bpo-35941: Fix performance regression in new code (GH-12610)
Accumulate certificates in a set instead of doing a costly list contain
operation. A Windows cert store can easily contain over hundred
certificates. The old code would result in way over 5,000 comparison
operations

Signed-off-by: Christian Heimes <christian@python.org>
2019-09-09 09:06:55 -07:00
Serhiy Storchaka 5eca7f3f38
bpo-15999: Always pass bool instead of int to socket.setblocking(). (GH-15621) 2019-09-01 12:12:52 +03:00
Victor Stinner 73ea54620a
bpo-37322: ssl test_pha_required_nocert() ignores expected SSLError (GH-14670)
test_ssl.test_pha_required_nocert() now uses
support.catch_threading_exception() to ignore the expected SSLError
in ConnectionHandler of ThreadedEchoServer (it is only raised
sometimes on Windows).
2019-07-09 14:33:49 +02:00
Victor Stinner 61b1bc5606
Revert "bpo-37322: Fix test_ssl.test_pha_required_nocert() ResourceWarning (GH-14662)" (GH-14669)
This reverts commit cf9c41c422.
2019-07-09 13:35:47 +02:00
Victor Stinner cf9c41c422
bpo-37322: Fix test_ssl.test_pha_required_nocert() ResourceWarning (GH-14662)
Close the TLS connection in test_pha_required_nocert() of test_ssl to
fix a ResourceWarning.
2019-07-09 12:36:55 +02:00
Christian Heimes 477b1b2576 bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499)
ssl.match_hostname() no longer accepts IPv4 addresses with additional text
after the address and only quad-dotted notation without trailing
whitespaces. Some inet_aton() implementations ignore whitespace and all data
after whitespace, e.g. '127.0.0.1 whatever'.

Short notations like '127.1' for '127.0.0.1' were already filtered out.

The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue37463
2019-07-02 11:39:42 -07:00
Victor Stinner 8f4ef3b019
Remove unused imports in tests (GH-14518) 2019-07-01 18:28:25 +02:00
Christian Heimes f0f5930ac8 bpo-37428: Don't set PHA verify flag on client side (GH-14421)
SSLContext.post_handshake_auth = True no longer sets
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
option is documented as ignored for clients, OpenSSL implicitly enables cert
chain validation when the flag is set.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue37428
2019-06-30 23:29:17 -07:00
Zackery Spytz c2cda638d6 bpo-37199: Fix test failures when IPv6 is unavailable or disabled (#14480) 2019-06-30 18:24:43 +03:00
Paul Monson f355069a33 bpo-36511: Add buildbot scripts and fix tests for Windows ARM32 buildbot (GH-13454) 2019-06-19 13:09:54 -07:00
Christian Heimes 78c7d52779
bpo-37120: Add SSLContext.num_tickets (GH-13719)
Signed-off-by: Christian Heimes <christian@python.org>
2019-06-03 21:00:10 +02:00
Christian Heimes e35d1ba9ea
bpo-34271: Fix compatibility with 1.0.2 (GH-13728)
Fix various compatibility issues with LibreSSL and OpenSSL 1.0.2
introduced by bpo-34271.

Signed-off-by: Christian Heimes <christian@python.org>
2019-06-03 20:40:15 +02:00
Victor Stinner 0025350294
bpo-37069: tests use catch_unraisable_exception() (GH-13762)
Modify test_coroutines, test_cprofile, test_generators, test_raise,
test_ssl and test_yield_from to use
support.catch_unraisable_exception() rather than
support.captured_stderr().

test_thread: remove test_save_exception_state_on_error() which is now
updated. test_unraisable_exception() checks that sys.unraisablehook()
is called to handle _thread.start_new_thread() exception.

test_cprofile now rely on unittest for test discovery: replace
support.run_unittest() with unittest.main().
2019-06-03 03:51:43 +02:00
Christian Heimes c7f7069e77
bpo-34271: Add ssl debugging helpers (GH-10031)
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes <christian@python.org>
2019-05-31 11:44:05 +02:00
Paul Monson fb7e7505ed bpo-35926: Add support for OpenSSL 1.1.1b on Windows (GH-11779) 2019-05-15 15:38:55 -07:00
penguindustin 9646630895 bpo-36766: Typos in docs and code comments (GH-13116) 2019-05-06 14:57:17 -04:00
Giampaolo Rodola eb7e29f2a9
bpo-35934: Add socket.create_server() utility function (GH-11784) 2019-04-09 00:34:02 +02:00
Victor Stinner 3ef6344ee5
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy.
Use older TLS version for minimum TLS version of the server SSL context if
needed, to test TLS version older than default minimum TLS version.
2019-02-19 18:06:03 +01:00
Christian Heimes 34de2d312b bpo-35045: Accept TLSv1 default in min max test (GH-11510)
Make ssl tests less strict and also accept TLSv1 as system default. The
changes unbreaks test_min_max_version on Fedora 29.

Signed-off-by: Christian Heimes <christian@python.org>
2019-01-18 16:09:30 +01:00
Christian Heimes a37f52436f bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue35746
2019-01-15 14:47:42 -08:00
Serhiy Storchaka 42b1d6127b
bpo-33023: Fix NotImplemented to NotImplementedError. (GH-10934) 2018-12-06 22:36:55 +02:00
Srinivas Thatiparthy (శ్రీనివాస్ తాటిపర్తి) 90d0cfb222 bpo-35202: Remove unused imports in tests. (GH-10561) 2018-11-16 17:32:58 +02:00
Christian Heimes 9fb051f032 bpo-34670: Add TLS 1.3 post handshake auth (GH-9460)
Add SSLContext.post_handshake_auth and
SSLSocket.verify_client_post_handshake for TLS 1.3 post-handshake
authentication.

Signed-off-by: Christian Heimes <christian@python.org>q


https://bugs.python.org/issue34670
2018-09-22 23:32:31 -07:00
Nathaniel J. Smith c0da582b22 bpo-34759: Fix error handling in ssl 'unwrap()' (GH-9468)
OpenSSL follows the convention that whenever you call a function, it
returns an error indicator value; and if this value is negative, then
you need to go look at the actual error code to see what happened.

Commit c6fd1c1c3a introduced a small mistake in
_ssl__SSLSocket_shutdown_impl: instead of checking whether the error
indicator was negative, it started checking whether the actual error
code was negative, and it turns out that the error codes are never
negative. So the effect was that 'unwrap()' lost the ability to raise
SSL errors.


https://bugs.python.org/issue34759
2018-09-21 21:44:12 -07:00
Victor Stinner 5e922658fb
bpo-34605: Avoid master/slave terms (GH-9101)
* Replace "master process" with "parent process"
* Replace "master option mappings" with "main option mappings"
* Replace "master pattern object" with "main pattern object"
* ssl: replace "master" with "server"
* And some other similar changes
2018-09-07 17:30:33 +02:00
Christian Heimes e6dac00779
bpo-34542: Update test certs and keys (GH-8997)
Update all test certs and keys to use future proof crypto settings:

* 3072 bit RSA keys
* SHA-256 signature

Signed-off-by: Christian Heimes <christian@python.org>
2018-08-30 07:25:49 +02:00
Christian Heimes 88bfd0bce0
bpo-34399: 2048 bits RSA keys and DH params (#8762)
Downstream vendors have started to deprecate weak keys. Update all RSA keys
and DH params to use at least 2048 bits.

Finite field DH param file use RFC 7919 values, generated with

    certtool --get-dh-params --sec-param=high

Signed-off-by: Christian Heimes <christian@python.org>
2018-08-14 12:54:19 +02:00
Ned Deily 4531ec74c4
bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650) 2018-06-11 20:26:28 -04:00
Christian Heimes ef24b6c54d bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)
The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were
misleading and partly wrong. It fails to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain everytime. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
2018-06-11 18:59:45 -04:00
Christian Heimes 529525fb5a
bpo-33618: Enable TLS 1.3 in tests (GH-7079)
TLS 1.3 behaves slightly different than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initialy handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.

To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.

Signed-off-by: Christian Heimes <christian@python.org>
2018-05-23 22:24:45 +02:00
Christian Heimes e8eb6cb792
bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.

Also update multissltests and Travis config to test with latest OpenSSL.

Signed-off-by: Christian Heimes <christian@python.org>
2018-05-22 22:50:12 +02:00
Petr Viktorin 8b94b41ab7
bpo-28167: Remove platform.linux_distribution (GH-6871)
* test_ssl: Remove skip_if_broken_ubuntu_ssl

We no longer support OpenSSL 0.9.8.15.15.

* bpo-28167: Remove platform.linux_distribution
2018-05-16 11:51:18 -04:00
Christian Heimes d02ac25ab0
bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229)
Harden ssl module against LibreSSL CVE-2018-8970.
X509_VERIFY_PARAM_set1_host() is called with an explicit namelen. A new test
ensures that NULL bytes are not allowed.

Signed-off-by: Christian Heimes <christian@python.org>
2018-03-25 12:36:13 +02:00
Christian Heimes 698dde16f6
bpo-31453: Add setter for min/max protocol version (#5259)
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.

Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.

Signed-off-by: Christian Heimes <christian@python.org>
2018-02-27 11:54:43 +01:00
Christian Heimes 9d50ab563d
bpo-32951: Disable SSLSocket/SSLObject constructor (#5864)
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.

SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.

The only test case for direct instantiation was added a couple of days
ago for IDNA testing.

Signed-off-by: Christian Heimes <christian@python.org>
2018-02-27 10:17:30 +01:00
Christian Heimes 05d9fe32a1
bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663)
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes

Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.

I'm going to address these issues when OpenSSL 1.1.1 reaches beta.

OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.

Signed-off-by: Christian Heimes <christian@python.org>
2018-02-27 08:55:39 +01:00
Christian Heimes b7b9225831
bpo-31809: test secp ECDH curves (#4036)
Add tests to verify connection with secp384r1 ECDH curves.
2018-02-25 09:49:31 +01:00
Christian Heimes 141c5e8c24
bpo-24334: Cleanup SSLSocket (#5252)
* The SSLSocket is no longer implemented on top of SSLObject to
  avoid an extra level of indirection.
* Owner and session are now handled in the internal constructor.
* _ssl._SSLSocket now uses the same method names as SSLSocket and
  SSLObject.
* Channel binding type check is now handled in C code. Channel binding
  is always available.

The patch also changes the signature of SSLObject.__init__(). In my
opinion it's fine. A SSLObject is not a user-constructable object.
SSLContext.wrap_bio() is the only valid factory.
2018-02-24 21:10:57 +01:00
Christian Heimes aef1283ba4
bpo-32819: Simplify and improve ssl.match_hostname (#5620)
ssl.match_hostname() has been simplified and no longer depends on re and
ipaddress module for wildcard and IP addresses. Error reporting for invalid
wildcards has been improved.

Signed-off-by: Christian Heimes <christian@python.org>
2018-02-24 14:35:56 +01:00
Christian Heimes 11a1493bc4 [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
2018-02-23 17:35:08 -08:00
Christian Heimes 66e5742bec
bpo-28414: ssl module idna test (#5395)
Add test cases for IDNA 2003 and 2008 host names. IDNA 2003
internationalized host names are working since bpo-31399 has landed. IDNA
2008 deviations are still broken and will be fixed in another patch.

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-29 14:25:13 +01:00
Christian Heimes 892d66e422
bpo-31429: Define TLS cipher suite on build time (#3532)
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.

Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-29 14:10:18 +01:00
Christian Heimes 61d478c71c
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
bpo-31399: Let OpenSSL verify hostname and IP

The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-27 15:51:38 +01:00
Christian Heimes bd5c7d238c
bpo-32602: Test ECDSA certs (#5247)
Add test certs and test for ECDSA cert and EC/RSA dual mode.

I'm also adding certs for IDNA 2003/2008 tests and simplify some test
data handling.

Signed-off-by: Christian Heimes <christian@python.org>
2018-01-20 15:16:30 +01:00
Mike 53f7a7c281 bpo-32297: Few misspellings found in Python source code comments. (#4803)
* Fix multiple typos in code comments

* Add spacing in comments (test_logging.py, test_math.py)

* Fix spaces at the beginning of comments in test_logging.py
2017-12-14 13:04:53 +02:00
Mandeep Singh ede2ac913e bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
2017-11-26 14:31:27 -08:00
Christian Heimes e82c034496 bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:29:57 +02:00
Christian Heimes a170fa162d bpo-31346: Use PROTOCOL_TLS_CLIENT/SERVER (#3058)
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:27:30 +02:00
Christian Heimes 4df60f18c6 bpo-31386: Custom wrap_bio and wrap_socket type (#3426)
SSLSocket.wrap_bio() and SSLSocket.wrap_socket() hard-code SSLObject and
SSLSocket as return types. In the light of future deprecation of
ssl.wrap_socket() module function and direct instantiation of SSLSocket,
it is desirable to make the return type of SSLSocket.wrap_bio() and
SSLSocket.wrap_socket() customizable.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-15 20:26:05 +02:00
Victor Stinner 50a72af657 test_ssl: Implement timeout in ssl_io_loop() (#3500)
The timeout parameter was not used.
2017-09-11 09:34:24 -07:00
Christian Heimes b3ad0e5127 bpo-28182: Expose OpenSSL verification results (#3412)
The SSL module now raises SSLCertVerificationError when OpenSSL fails to
verify the peer's certificate. The exception contains more information about
the error.

Original patch by Chi Hsuan Yen

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-08 12:00:19 -07:00
Christian Heimes cb5b68abde bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (#1363)
* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 18:07:00 -07:00
Christian Heimes 888bbdc192 bpo-27340: Use memoryview in SSLSocket.sendall() (#3384)
* bpo-27340: Use memoryview in SSLSocket.sendall()

SSLSocket.sendall() now uses memoryview to create slices of data. This fix
support for all bytes-like object. It is also more efficient and avoids
costly copies.

Signed-off-by: Christian Heimes <christian@python.org>

* Cast view to bytes, fix typo

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-07 14:18:21 -07:00
Antoine Pitrou a6a4dc816d bpo-31370: Remove support for threads-less builds (#3385)
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
2017-09-07 18:56:24 +02:00
Christian Heimes 6877111648 bpo-29781: Fix SSLObject.version before handshake (#3364)
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 21:55:40 -07:00
Christian Heimes 305e56c27a bpo-31320: No traceback to sys.stderr in test_ssl (#3360)
In case PROTOCOL_TLS_SERVER is used for both client context and server
context, the test thread dies with OSError. Catch OSError to avoid
traceback on sys.stderr

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 16:37:09 -07:00
Christian Heimes 002d64039b bpo-25674: remove sha256.tbs-internet.com ssl test (#3297)
Signed-off-by: Christian Heimes <christian@python.org>
2017-09-04 22:26:01 +02:00
Victor Stinner 8687101589 bpo-31323: Fix reference leak in test_ssl (#3263)
Store exceptions as string rather than object to prevent reference
cycles which cause leaking dangling threads.
2017-09-02 00:26:17 +02:00
Christian Heimes 7b40cb7293 bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
callback can pretend to not been set.

See https://github.com/openssl/openssl/pull/3158 for more details

Signed-off-by: Christian Heimes <christian@python.org>
2017-08-15 10:33:43 +02:00
Steve Dower 68d663cf85 [bpo-30916] Pre-build OpenSSL and Tcl/Tk for Windows (#2688)
Updates ssl and tkinter projects to use pre-built externals
2017-07-17 11:15:48 +02:00
Nathaniel J. Smith 59fdf0f3ba Add a test for bad IDNA in ssl server_hostname (#1997)
See discussion:
  https://github.com/python/cpython/pull/1992#issuecomment-307024778
2017-06-09 11:35:16 +02:00