Issue #25940: Merge self-signed.pythontest.net testing from 3.5

This commit is contained in:
Martin Panter 2016-01-14 13:25:06 +00:00
commit 3570e02fd2
6 changed files with 111 additions and 111 deletions

View File

@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE-----
MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
-----END CERTIFICATE-----

View File

@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE-----
MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
-----END CERTIFICATE-----

View File

@ -1,41 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
-----END CERTIFICATE-----

View File

@ -1,5 +1,5 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIChzCCAfCgAwIBAgIJAKGU95wKR8pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
@ -8,9 +8,9 @@ b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjKTAnMCUGA1UdEQQeMByCGnNl EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MA0GCSqGSIb3DQEBBQUAA4GBAIOXmdtM bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
eG9qzP9TiXW/Gc/zI4cBfdCpC+Y4gOfC9bQUC7hefix4iO3+iZjgy3X/FaRxUUoV AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
HKiXcXIaWqTSUWp45cSh0MbwZXudp6JIAptzdAhvvCrPKeC9i9GvxsPD4LtDAL97 TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
vSaxQBezA7hdxZd90/EeyMgVZgAnTCnvAWX9 C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
-----END CERTIFICATE----- -----END CERTIFICATE-----

View File

@ -55,7 +55,8 @@ SIGNED_CERTFILE = data_file("keycert3.pem")
SIGNED_CERTFILE2 = data_file("keycert4.pem") SIGNED_CERTFILE2 = data_file("keycert4.pem")
SIGNING_CA = data_file("pycacert.pem") SIGNING_CA = data_file("pycacert.pem")
SVN_PYTHON_ORG_ROOT_CERT = data_file("https_svn_python_org_root.pem") REMOTE_HOST = "self-signed.pythontest.net"
REMOTE_ROOT_CERT = data_file("selfsigned_pythontestdotnet.pem")
EMPTYCERT = data_file("nullcert.pem") EMPTYCERT = data_file("nullcert.pem")
BADCERT = data_file("badcert.pem") BADCERT = data_file("badcert.pem")
@ -276,7 +277,7 @@ class BasicSocketTests(unittest.TestCase):
self.assertEqual(p['subjectAltName'], san) self.assertEqual(p['subjectAltName'], san)
def test_DER_to_PEM(self): def test_DER_to_PEM(self):
with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f: with open(CAFILE_CACERT, 'r') as f:
pem = f.read() pem = f.read()
d1 = ssl.PEM_cert_to_DER_cert(pem) d1 = ssl.PEM_cert_to_DER_cert(pem)
p2 = ssl.DER_cert_to_PEM_cert(d1) p2 = ssl.DER_cert_to_PEM_cert(d1)
@ -862,7 +863,7 @@ class ContextTests(unittest.TestCase):
# Mismatching key and cert # Mismatching key and cert
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"): with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
ctx.load_cert_chain(SVN_PYTHON_ORG_ROOT_CERT, ONLYKEY) ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
# Password protected key and cert # Password protected key and cert
ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD) ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode()) ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
@ -1080,7 +1081,7 @@ class ContextTests(unittest.TestCase):
ctx.load_verify_locations(CERTFILE) ctx.load_verify_locations(CERTFILE)
self.assertEqual(ctx.cert_store_stats(), self.assertEqual(ctx.cert_store_stats(),
{'x509_ca': 0, 'crl': 0, 'x509': 1}) {'x509_ca': 0, 'crl': 0, 'x509': 1})
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT) ctx.load_verify_locations(CAFILE_CACERT)
self.assertEqual(ctx.cert_store_stats(), self.assertEqual(ctx.cert_store_stats(),
{'x509_ca': 1, 'crl': 0, 'x509': 2}) {'x509_ca': 1, 'crl': 0, 'x509': 2})
@ -1090,8 +1091,8 @@ class ContextTests(unittest.TestCase):
# CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
ctx.load_verify_locations(CERTFILE) ctx.load_verify_locations(CERTFILE)
self.assertEqual(ctx.get_ca_certs(), []) self.assertEqual(ctx.get_ca_certs(), [])
# but SVN_PYTHON_ORG_ROOT_CERT is a CA cert # but CAFILE_CACERT is a CA cert
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT) ctx.load_verify_locations(CAFILE_CACERT)
self.assertEqual(ctx.get_ca_certs(), self.assertEqual(ctx.get_ca_certs(),
[{'issuer': ((('organizationName', 'Root CA'),), [{'issuer': ((('organizationName', 'Root CA'),),
(('organizationalUnitName', 'http://www.cacert.org'),), (('organizationalUnitName', 'http://www.cacert.org'),),
@ -1107,7 +1108,7 @@ class ContextTests(unittest.TestCase):
(('emailAddress', 'support@cacert.org'),)), (('emailAddress', 'support@cacert.org'),)),
'version': 3}]) 'version': 3}])
with open(SVN_PYTHON_ORG_ROOT_CERT) as f: with open(CAFILE_CACERT) as f:
pem = f.read() pem = f.read()
der = ssl.PEM_cert_to_DER_cert(pem) der = ssl.PEM_cert_to_DER_cert(pem)
self.assertEqual(ctx.get_ca_certs(True), [der]) self.assertEqual(ctx.get_ca_certs(True), [der])
@ -1346,11 +1347,11 @@ class MemoryBIOTests(unittest.TestCase):
class NetworkedTests(unittest.TestCase): class NetworkedTests(unittest.TestCase):
def test_connect(self): def test_connect(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_NONE) cert_reqs=ssl.CERT_NONE)
try: try:
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
self.assertEqual({}, s.getpeercert()) self.assertEqual({}, s.getpeercert())
finally: finally:
s.close() s.close()
@ -1359,27 +1360,27 @@ class NetworkedTests(unittest.TestCase):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED) cert_reqs=ssl.CERT_REQUIRED)
self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
s.connect, ("svn.python.org", 443)) s.connect, (REMOTE_HOST, 443))
s.close() s.close()
# this should succeed because we specify the root cert # this should succeed because we specify the root cert
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED, cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SVN_PYTHON_ORG_ROOT_CERT) ca_certs=REMOTE_ROOT_CERT)
try: try:
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
self.assertTrue(s.getpeercert()) self.assertTrue(s.getpeercert())
finally: finally:
s.close() s.close()
def test_connect_ex(self): def test_connect_ex(self):
# Issue #11326: check connect_ex() implementation # Issue #11326: check connect_ex() implementation
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED, cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SVN_PYTHON_ORG_ROOT_CERT) ca_certs=REMOTE_ROOT_CERT)
try: try:
self.assertEqual(0, s.connect_ex(("svn.python.org", 443))) self.assertEqual(0, s.connect_ex((REMOTE_HOST, 443)))
self.assertTrue(s.getpeercert()) self.assertTrue(s.getpeercert())
finally: finally:
s.close() s.close()
@ -1387,14 +1388,14 @@ class NetworkedTests(unittest.TestCase):
def test_non_blocking_connect_ex(self): def test_non_blocking_connect_ex(self):
# Issue #11326: non-blocking connect_ex() should allow handshake # Issue #11326: non-blocking connect_ex() should allow handshake
# to proceed after the socket gets ready. # to proceed after the socket gets ready.
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED, cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SVN_PYTHON_ORG_ROOT_CERT, ca_certs=REMOTE_ROOT_CERT,
do_handshake_on_connect=False) do_handshake_on_connect=False)
try: try:
s.setblocking(False) s.setblocking(False)
rc = s.connect_ex(('svn.python.org', 443)) rc = s.connect_ex((REMOTE_HOST, 443))
# EWOULDBLOCK under Windows, EINPROGRESS elsewhere # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK)) self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
# Wait for connect to finish # Wait for connect to finish
@ -1416,58 +1417,62 @@ class NetworkedTests(unittest.TestCase):
def test_timeout_connect_ex(self): def test_timeout_connect_ex(self):
# Issue #12065: on a timeout, connect_ex() should return the original # Issue #12065: on a timeout, connect_ex() should return the original
# errno (mimicking the behaviour of non-SSL sockets). # errno (mimicking the behaviour of non-SSL sockets).
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED, cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SVN_PYTHON_ORG_ROOT_CERT, ca_certs=REMOTE_ROOT_CERT,
do_handshake_on_connect=False) do_handshake_on_connect=False)
try: try:
s.settimeout(0.0000001) s.settimeout(0.0000001)
rc = s.connect_ex(('svn.python.org', 443)) rc = s.connect_ex((REMOTE_HOST, 443))
if rc == 0: if rc == 0:
self.skipTest("svn.python.org responded too quickly") self.skipTest("REMOTE_HOST responded too quickly")
self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK)) self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
finally: finally:
s.close() s.close()
def test_connect_ex_error(self): def test_connect_ex_error(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = ssl.wrap_socket(socket.socket(socket.AF_INET), s = ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED, cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SVN_PYTHON_ORG_ROOT_CERT) ca_certs=REMOTE_ROOT_CERT)
try: try:
rc = s.connect_ex(("svn.python.org", 444)) rc = s.connect_ex((REMOTE_HOST, 444))
# Issue #19919: Windows machines or VMs hosted on Windows # Issue #19919: Windows machines or VMs hosted on Windows
# machines sometimes return EWOULDBLOCK. # machines sometimes return EWOULDBLOCK.
self.assertIn(rc, (errno.ECONNREFUSED, errno.EWOULDBLOCK)) errors = (
errno.ECONNREFUSED, errno.EHOSTUNREACH,
errno.EWOULDBLOCK,
)
self.assertIn(rc, errors)
finally: finally:
s.close() s.close()
def test_connect_with_context(self): def test_connect_with_context(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
# Same as test_connect, but with a separately created context # Same as test_connect, but with a separately created context
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
try: try:
self.assertEqual({}, s.getpeercert()) self.assertEqual({}, s.getpeercert())
finally: finally:
s.close() s.close()
# Same with a server hostname # Same with a server hostname
s = ctx.wrap_socket(socket.socket(socket.AF_INET), s = ctx.wrap_socket(socket.socket(socket.AF_INET),
server_hostname="svn.python.org") server_hostname=REMOTE_HOST)
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
s.close() s.close()
# This should fail because we have no verification certs # This should fail because we have no verification certs
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
s.connect, ("svn.python.org", 443)) s.connect, (REMOTE_HOST, 443))
s.close() s.close()
# This should succeed because we specify the root cert # This should succeed because we specify the root cert
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT) ctx.load_verify_locations(REMOTE_ROOT_CERT)
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
try: try:
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1480,12 +1485,12 @@ class NetworkedTests(unittest.TestCase):
# OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
# contain both versions of each certificate (same content, different # contain both versions of each certificate (same content, different
# filename) for this test to be portable across OpenSSL releases. # filename) for this test to be portable across OpenSSL releases.
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(capath=CAPATH) ctx.load_verify_locations(capath=CAPATH)
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
try: try:
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1496,7 +1501,7 @@ class NetworkedTests(unittest.TestCase):
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(capath=BYTES_CAPATH) ctx.load_verify_locations(capath=BYTES_CAPATH)
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
try: try:
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1504,15 +1509,15 @@ class NetworkedTests(unittest.TestCase):
s.close() s.close()
def test_connect_cadata(self): def test_connect_cadata(self):
with open(CAFILE_CACERT) as f: with open(REMOTE_ROOT_CERT) as f:
pem = f.read() pem = f.read()
der = ssl.PEM_cert_to_DER_cert(pem) der = ssl.PEM_cert_to_DER_cert(pem)
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(cadata=pem) ctx.load_verify_locations(cadata=pem)
with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1521,7 +1526,7 @@ class NetworkedTests(unittest.TestCase):
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(cadata=der) ctx.load_verify_locations(cadata=der)
with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s: with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1530,9 +1535,9 @@ class NetworkedTests(unittest.TestCase):
# Issue #5238: creating a file-like object with makefile() shouldn't # Issue #5238: creating a file-like object with makefile() shouldn't
# delay closing the underlying "real socket" (here tested with its # delay closing the underlying "real socket" (here tested with its
# file descriptor, hence skipping the test under Windows). # file descriptor, hence skipping the test under Windows).
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
ss = ssl.wrap_socket(socket.socket(socket.AF_INET)) ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
ss.connect(("svn.python.org", 443)) ss.connect((REMOTE_HOST, 443))
fd = ss.fileno() fd = ss.fileno()
f = ss.makefile() f = ss.makefile()
f.close() f.close()
@ -1546,9 +1551,9 @@ class NetworkedTests(unittest.TestCase):
self.assertEqual(e.exception.errno, errno.EBADF) self.assertEqual(e.exception.errno, errno.EBADF)
def test_non_blocking_handshake(self): def test_non_blocking_handshake(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
s = socket.socket(socket.AF_INET) s = socket.socket(socket.AF_INET)
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
s.setblocking(False) s.setblocking(False)
s = ssl.wrap_socket(s, s = ssl.wrap_socket(s,
cert_reqs=ssl.CERT_NONE, cert_reqs=ssl.CERT_NONE,
@ -1591,12 +1596,12 @@ class NetworkedTests(unittest.TestCase):
if support.verbose: if support.verbose:
sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem)) sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
_test_get_server_certificate('svn.python.org', 443, SVN_PYTHON_ORG_ROOT_CERT) _test_get_server_certificate(REMOTE_HOST, 443, REMOTE_ROOT_CERT)
if support.IPV6_ENABLED: if support.IPV6_ENABLED:
_test_get_server_certificate('ipv6.google.com', 443) _test_get_server_certificate('ipv6.google.com', 443)
def test_ciphers(self): def test_ciphers(self):
remote = ("svn.python.org", 443) remote = (REMOTE_HOST, 443)
with support.transient_internet(remote[0]): with support.transient_internet(remote[0]):
with ssl.wrap_socket(socket.socket(socket.AF_INET), with ssl.wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s: cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
@ -1641,13 +1646,13 @@ class NetworkedTests(unittest.TestCase):
def test_get_ca_certs_capath(self): def test_get_ca_certs_capath(self):
# capath certs are loaded on request # capath certs are loaded on request
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(capath=CAPATH) ctx.load_verify_locations(capath=CAPATH)
self.assertEqual(ctx.get_ca_certs(), []) self.assertEqual(ctx.get_ca_certs(), [])
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
s.connect(("svn.python.org", 443)) s.connect((REMOTE_HOST, 443))
try: try:
cert = s.getpeercert() cert = s.getpeercert()
self.assertTrue(cert) self.assertTrue(cert)
@ -1658,12 +1663,12 @@ class NetworkedTests(unittest.TestCase):
@needs_sni @needs_sni
def test_context_setget(self): def test_context_setget(self):
# Check that the context of a connected socket can be replaced. # Check that the context of a connected socket can be replaced.
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
s = socket.socket(socket.AF_INET) s = socket.socket(socket.AF_INET)
with ctx1.wrap_socket(s) as ss: with ctx1.wrap_socket(s) as ss:
ss.connect(("svn.python.org", 443)) ss.connect((REMOTE_HOST, 443))
self.assertIs(ss.context, ctx1) self.assertIs(ss.context, ctx1)
self.assertIs(ss._sslobj.context, ctx1) self.assertIs(ss._sslobj.context, ctx1)
ss.context = ctx2 ss.context = ctx2
@ -1684,13 +1689,8 @@ class NetworkedBIOTests(unittest.TestCase):
try: try:
ret = func(*args) ret = func(*args)
except ssl.SSLError as e: except ssl.SSLError as e:
# Note that we get a spurious -1/SSL_ERROR_SYSCALL for
# non-blocking IO. The SSL_shutdown manpage hints at this.
# It *should* be safe to just ignore SYS_ERROR_SYSCALL because
# with a Memory BIO there's no syscalls (for IO at least).
if e.errno not in (ssl.SSL_ERROR_WANT_READ, if e.errno not in (ssl.SSL_ERROR_WANT_READ,
ssl.SSL_ERROR_WANT_WRITE, ssl.SSL_ERROR_WANT_WRITE):
ssl.SSL_ERROR_SYSCALL):
raise raise
errno = e.errno errno = e.errno
# Get any data from the outgoing BIO irrespective of any error, and # Get any data from the outgoing BIO irrespective of any error, and
@ -1714,16 +1714,16 @@ class NetworkedBIOTests(unittest.TestCase):
@unittest.skipIf(True, "temporarily disabled: see #25940") @unittest.skipIf(True, "temporarily disabled: see #25940")
def test_handshake(self): def test_handshake(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
sock = socket.socket(socket.AF_INET) sock = socket.socket(socket.AF_INET)
sock.connect(("svn.python.org", 443)) sock.connect((REMOTE_HOST, 443))
incoming = ssl.MemoryBIO() incoming = ssl.MemoryBIO()
outgoing = ssl.MemoryBIO() outgoing = ssl.MemoryBIO()
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT) ctx.load_verify_locations(REMOTE_ROOT_CERT)
ctx.check_hostname = True ctx.check_hostname = True
sslobj = ctx.wrap_bio(incoming, outgoing, False, 'svn.python.org') sslobj = ctx.wrap_bio(incoming, outgoing, False, REMOTE_HOST)
self.assertIs(sslobj._sslobj.owner, sslobj) self.assertIs(sslobj._sslobj.owner, sslobj)
self.assertIsNone(sslobj.cipher()) self.assertIsNone(sslobj.cipher())
self.assertIsNone(sslobj.shared_ciphers()) self.assertIsNone(sslobj.shared_ciphers())
@ -1736,14 +1736,20 @@ class NetworkedBIOTests(unittest.TestCase):
self.assertTrue(sslobj.getpeercert()) self.assertTrue(sslobj.getpeercert())
if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
self.assertTrue(sslobj.get_channel_binding('tls-unique')) self.assertTrue(sslobj.get_channel_binding('tls-unique'))
self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap) try:
self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
except ssl.SSLSyscallError:
# self-signed.pythontest.net probably shuts down the TCP
# connection without sending a secure shutdown message, and
# this is reported as SSL_ERROR_SYSCALL
pass
self.assertRaises(ssl.SSLError, sslobj.write, b'foo') self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
sock.close() sock.close()
def test_read_write_data(self): def test_read_write_data(self):
with support.transient_internet("svn.python.org"): with support.transient_internet(REMOTE_HOST):
sock = socket.socket(socket.AF_INET) sock = socket.socket(socket.AF_INET)
sock.connect(("svn.python.org", 443)) sock.connect((REMOTE_HOST, 443))
incoming = ssl.MemoryBIO() incoming = ssl.MemoryBIO()
outgoing = ssl.MemoryBIO() outgoing = ssl.MemoryBIO()
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
@ -3327,7 +3333,7 @@ def test_main(verbose=False):
pass pass
for filename in [ for filename in [
CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE, CERTFILE, REMOTE_ROOT_CERT, BYTES_CERTFILE,
ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY, ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA, SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
BADCERT, BADKEY, EMPTYCERT]: BADCERT, BADKEY, EMPTYCERT]:

View File

@ -564,6 +564,9 @@ Documentation
Tests Tests
----- -----
- Issue #25940: Changed test_ssl to use self-signed.pythontest.net. This
avoids relying on svn.python.org, which recently changed root certificate.
- Issue #25616: Tests for OrderedDict are extracted from test_collections - Issue #25616: Tests for OrderedDict are extracted from test_collections
into separate file test_ordered_dict. into separate file test_ordered_dict.