Issue #25940: Use self-signed.pythontest.net in SSL tests
This is instead of svn.python.org, whose certificate recently expired, and whose new certificate uses a different root certificate. The certificate used at the pythontest server was modifed to set the "basic constraints" CA flag. This flag seems to be required for test_get_ca_certs_ capath() to work. Added the new self-signed certificate to capath with the following commands: cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/} c_rehash -v Lib/test/capath/ c_rehash -v -old Lib/test/capath/ # Note the generated file names cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0} mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0} When attempting to connect to port 444 on the new server, the resulting error code is EHOSTUNREACH on Linux, and ETIMEDOUT on Windows.
This commit is contained in:
parent
07f24c50e0
commit
71202bb053
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
|
||||
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
|
||||
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
|
||||
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
|
||||
A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
|
||||
b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
|
||||
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
|
||||
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
|
||||
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
|
||||
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
|
||||
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
|
||||
AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
|
||||
TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
|
||||
C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
|
||||
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
|
||||
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
|
||||
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
|
||||
A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
|
||||
b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
|
||||
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
|
||||
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
|
||||
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
|
||||
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
|
||||
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
|
||||
AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
|
||||
TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
|
||||
C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,41 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
|
||||
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
|
||||
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
|
||||
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
|
||||
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
|
||||
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
|
||||
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
|
||||
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
|
||||
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
|
||||
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
|
||||
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
|
||||
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
|
||||
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
|
||||
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
|
||||
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
|
||||
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
|
||||
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
|
||||
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
|
||||
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
|
||||
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
|
||||
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
|
||||
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
|
||||
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
|
||||
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
|
||||
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
|
||||
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
|
||||
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
|
||||
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
|
||||
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
|
||||
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
|
||||
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
|
||||
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
|
||||
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
|
||||
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
|
||||
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
|
||||
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
|
||||
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
|
||||
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
|
||||
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
|
||||
-----END CERTIFICATE-----
|
|
@ -1,5 +1,5 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIChzCCAfCgAwIBAgIJAKGU95wKR8pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
|
||||
MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
|
||||
BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
|
||||
IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
|
||||
bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
|
||||
|
@ -8,9 +8,9 @@ b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
|
|||
aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
|
||||
Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
|
||||
Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
|
||||
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjKTAnMCUGA1UdEQQeMByCGnNl
|
||||
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MA0GCSqGSIb3DQEBBQUAA4GBAIOXmdtM
|
||||
eG9qzP9TiXW/Gc/zI4cBfdCpC+Y4gOfC9bQUC7hefix4iO3+iZjgy3X/FaRxUUoV
|
||||
HKiXcXIaWqTSUWp45cSh0MbwZXudp6JIAptzdAhvvCrPKeC9i9GvxsPD4LtDAL97
|
||||
vSaxQBezA7hdxZd90/EeyMgVZgAnTCnvAWX9
|
||||
EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
|
||||
bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
|
||||
AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
|
||||
TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
|
||||
C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
|
@ -57,7 +57,8 @@ SIGNED_CERTFILE = data_file("keycert3.pem")
|
|||
SIGNED_CERTFILE2 = data_file("keycert4.pem")
|
||||
SIGNING_CA = data_file("pycacert.pem")
|
||||
|
||||
SVN_PYTHON_ORG_ROOT_CERT = data_file("https_svn_python_org_root.pem")
|
||||
REMOTE_HOST = "self-signed.pythontest.net"
|
||||
REMOTE_ROOT_CERT = data_file("selfsigned_pythontestdotnet.pem")
|
||||
|
||||
EMPTYCERT = data_file("nullcert.pem")
|
||||
BADCERT = data_file("badcert.pem")
|
||||
|
@ -244,7 +245,7 @@ class BasicSocketTests(unittest.TestCase):
|
|||
self.assertEqual(p['subjectAltName'], san)
|
||||
|
||||
def test_DER_to_PEM(self):
|
||||
with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
|
||||
with open(CAFILE_CACERT, 'r') as f:
|
||||
pem = f.read()
|
||||
d1 = ssl.PEM_cert_to_DER_cert(pem)
|
||||
p2 = ssl.DER_cert_to_PEM_cert(d1)
|
||||
|
@ -792,7 +793,7 @@ class ContextTests(unittest.TestCase):
|
|||
# Mismatching key and cert
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
with self.assertRaisesRegexp(ssl.SSLError, "key values mismatch"):
|
||||
ctx.load_cert_chain(SVN_PYTHON_ORG_ROOT_CERT, ONLYKEY)
|
||||
ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
|
||||
# Password protected key and cert
|
||||
ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
|
||||
ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
|
||||
|
@ -1013,7 +1014,7 @@ class ContextTests(unittest.TestCase):
|
|||
ctx.load_verify_locations(CERTFILE)
|
||||
self.assertEqual(ctx.cert_store_stats(),
|
||||
{'x509_ca': 0, 'crl': 0, 'x509': 1})
|
||||
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
|
||||
ctx.load_verify_locations(CAFILE_CACERT)
|
||||
self.assertEqual(ctx.cert_store_stats(),
|
||||
{'x509_ca': 1, 'crl': 0, 'x509': 2})
|
||||
|
||||
|
@ -1023,8 +1024,8 @@ class ContextTests(unittest.TestCase):
|
|||
# CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
|
||||
ctx.load_verify_locations(CERTFILE)
|
||||
self.assertEqual(ctx.get_ca_certs(), [])
|
||||
# but SVN_PYTHON_ORG_ROOT_CERT is a CA cert
|
||||
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
|
||||
# but CAFILE_CACERT is a CA cert
|
||||
ctx.load_verify_locations(CAFILE_CACERT)
|
||||
self.assertEqual(ctx.get_ca_certs(),
|
||||
[{'issuer': ((('organizationName', 'Root CA'),),
|
||||
(('organizationalUnitName', 'http://www.cacert.org'),),
|
||||
|
@ -1040,7 +1041,7 @@ class ContextTests(unittest.TestCase):
|
|||
(('emailAddress', 'support@cacert.org'),)),
|
||||
'version': 3}])
|
||||
|
||||
with open(SVN_PYTHON_ORG_ROOT_CERT) as f:
|
||||
with open(CAFILE_CACERT) as f:
|
||||
pem = f.read()
|
||||
der = ssl.PEM_cert_to_DER_cert(pem)
|
||||
self.assertEqual(ctx.get_ca_certs(True), [der])
|
||||
|
@ -1215,11 +1216,11 @@ class SSLErrorTests(unittest.TestCase):
|
|||
class NetworkedTests(unittest.TestCase):
|
||||
|
||||
def test_connect(self):
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_NONE)
|
||||
try:
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
self.assertEqual({}, s.getpeercert())
|
||||
finally:
|
||||
s.close()
|
||||
|
@ -1228,27 +1229,27 @@ class NetworkedTests(unittest.TestCase):
|
|||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED)
|
||||
self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
|
||||
s.connect, ("svn.python.org", 443))
|
||||
s.connect, (REMOTE_HOST, 443))
|
||||
s.close()
|
||||
|
||||
# this should succeed because we specify the root cert
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
|
||||
ca_certs=REMOTE_ROOT_CERT)
|
||||
try:
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
self.assertTrue(s.getpeercert())
|
||||
finally:
|
||||
s.close()
|
||||
|
||||
def test_connect_ex(self):
|
||||
# Issue #11326: check connect_ex() implementation
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
|
||||
ca_certs=REMOTE_ROOT_CERT)
|
||||
try:
|
||||
self.assertEqual(0, s.connect_ex(("svn.python.org", 443)))
|
||||
self.assertEqual(0, s.connect_ex((REMOTE_HOST, 443)))
|
||||
self.assertTrue(s.getpeercert())
|
||||
finally:
|
||||
s.close()
|
||||
|
@ -1256,14 +1257,14 @@ class NetworkedTests(unittest.TestCase):
|
|||
def test_non_blocking_connect_ex(self):
|
||||
# Issue #11326: non-blocking connect_ex() should allow handshake
|
||||
# to proceed after the socket gets ready.
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
|
||||
ca_certs=REMOTE_ROOT_CERT,
|
||||
do_handshake_on_connect=False)
|
||||
try:
|
||||
s.setblocking(False)
|
||||
rc = s.connect_ex(('svn.python.org', 443))
|
||||
rc = s.connect_ex((REMOTE_HOST, 443))
|
||||
# EWOULDBLOCK under Windows, EINPROGRESS elsewhere
|
||||
self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
|
||||
# Wait for connect to finish
|
||||
|
@ -1285,58 +1286,62 @@ class NetworkedTests(unittest.TestCase):
|
|||
def test_timeout_connect_ex(self):
|
||||
# Issue #12065: on a timeout, connect_ex() should return the original
|
||||
# errno (mimicking the behaviour of non-SSL sockets).
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
|
||||
ca_certs=REMOTE_ROOT_CERT,
|
||||
do_handshake_on_connect=False)
|
||||
try:
|
||||
s.settimeout(0.0000001)
|
||||
rc = s.connect_ex(('svn.python.org', 443))
|
||||
rc = s.connect_ex((REMOTE_HOST, 443))
|
||||
if rc == 0:
|
||||
self.skipTest("svn.python.org responded too quickly")
|
||||
self.skipTest("REMOTE_HOST responded too quickly")
|
||||
self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
|
||||
finally:
|
||||
s.close()
|
||||
|
||||
def test_connect_ex_error(self):
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
|
||||
ca_certs=REMOTE_ROOT_CERT)
|
||||
try:
|
||||
rc = s.connect_ex(("svn.python.org", 444))
|
||||
rc = s.connect_ex((REMOTE_HOST, 444))
|
||||
# Issue #19919: Windows machines or VMs hosted on Windows
|
||||
# machines sometimes return EWOULDBLOCK.
|
||||
self.assertIn(rc, (errno.ECONNREFUSED, errno.EWOULDBLOCK))
|
||||
errors = (
|
||||
errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
|
||||
errno.EWOULDBLOCK,
|
||||
)
|
||||
self.assertIn(rc, errors)
|
||||
finally:
|
||||
s.close()
|
||||
|
||||
def test_connect_with_context(self):
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
# Same as test_connect, but with a separately created context
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
try:
|
||||
self.assertEqual({}, s.getpeercert())
|
||||
finally:
|
||||
s.close()
|
||||
# Same with a server hostname
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET),
|
||||
server_hostname="svn.python.org")
|
||||
s.connect(("svn.python.org", 443))
|
||||
server_hostname=REMOTE_HOST)
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
s.close()
|
||||
# This should fail because we have no verification certs
|
||||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
|
||||
s.connect, ("svn.python.org", 443))
|
||||
s.connect, (REMOTE_HOST, 443))
|
||||
s.close()
|
||||
# This should succeed because we specify the root cert
|
||||
ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
|
||||
ctx.load_verify_locations(REMOTE_ROOT_CERT)
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
try:
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
@ -1349,12 +1354,12 @@ class NetworkedTests(unittest.TestCase):
|
|||
# OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
|
||||
# contain both versions of each certificate (same content, different
|
||||
# filename) for this test to be portable across OpenSSL releases.
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
ctx.load_verify_locations(capath=CAPATH)
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
try:
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
@ -1365,7 +1370,7 @@ class NetworkedTests(unittest.TestCase):
|
|||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
ctx.load_verify_locations(capath=BYTES_CAPATH)
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
try:
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
@ -1373,15 +1378,15 @@ class NetworkedTests(unittest.TestCase):
|
|||
s.close()
|
||||
|
||||
def test_connect_cadata(self):
|
||||
with open(CAFILE_CACERT) as f:
|
||||
with open(REMOTE_ROOT_CERT) as f:
|
||||
pem = f.read().decode('ascii')
|
||||
der = ssl.PEM_cert_to_DER_cert(pem)
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
ctx.load_verify_locations(cadata=pem)
|
||||
with closing(ctx.wrap_socket(socket.socket(socket.AF_INET))) as s:
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
||||
|
@ -1390,7 +1395,7 @@ class NetworkedTests(unittest.TestCase):
|
|||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
ctx.load_verify_locations(cadata=der)
|
||||
with closing(ctx.wrap_socket(socket.socket(socket.AF_INET))) as s:
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
||||
|
@ -1399,9 +1404,9 @@ class NetworkedTests(unittest.TestCase):
|
|||
# Issue #5238: creating a file-like object with makefile() shouldn't
|
||||
# delay closing the underlying "real socket" (here tested with its
|
||||
# file descriptor, hence skipping the test under Windows).
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
|
||||
ss.connect(("svn.python.org", 443))
|
||||
ss.connect((REMOTE_HOST, 443))
|
||||
fd = ss.fileno()
|
||||
f = ss.makefile()
|
||||
f.close()
|
||||
|
@ -1415,9 +1420,9 @@ class NetworkedTests(unittest.TestCase):
|
|||
self.assertEqual(e.exception.errno, errno.EBADF)
|
||||
|
||||
def test_non_blocking_handshake(self):
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
s = socket.socket(socket.AF_INET)
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
s.setblocking(False)
|
||||
s = ssl.wrap_socket(s,
|
||||
cert_reqs=ssl.CERT_NONE,
|
||||
|
@ -1460,12 +1465,12 @@ class NetworkedTests(unittest.TestCase):
|
|||
if support.verbose:
|
||||
sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
|
||||
|
||||
_test_get_server_certificate('svn.python.org', 443, SVN_PYTHON_ORG_ROOT_CERT)
|
||||
_test_get_server_certificate(REMOTE_HOST, 443, REMOTE_ROOT_CERT)
|
||||
if support.IPV6_ENABLED:
|
||||
_test_get_server_certificate('ipv6.google.com', 443)
|
||||
|
||||
def test_ciphers(self):
|
||||
remote = ("svn.python.org", 443)
|
||||
remote = (REMOTE_HOST, 443)
|
||||
with support.transient_internet(remote[0]):
|
||||
with closing(ssl.wrap_socket(socket.socket(socket.AF_INET),
|
||||
cert_reqs=ssl.CERT_NONE, ciphers="ALL")) as s:
|
||||
|
@ -1510,13 +1515,13 @@ class NetworkedTests(unittest.TestCase):
|
|||
|
||||
def test_get_ca_certs_capath(self):
|
||||
# capath certs are loaded on request
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
ctx.verify_mode = ssl.CERT_REQUIRED
|
||||
ctx.load_verify_locations(capath=CAPATH)
|
||||
self.assertEqual(ctx.get_ca_certs(), [])
|
||||
s = ctx.wrap_socket(socket.socket(socket.AF_INET))
|
||||
s.connect(("svn.python.org", 443))
|
||||
s.connect((REMOTE_HOST, 443))
|
||||
try:
|
||||
cert = s.getpeercert()
|
||||
self.assertTrue(cert)
|
||||
|
@ -1527,12 +1532,12 @@ class NetworkedTests(unittest.TestCase):
|
|||
@needs_sni
|
||||
def test_context_setget(self):
|
||||
# Check that the context of a connected socket can be replaced.
|
||||
with support.transient_internet("svn.python.org"):
|
||||
with support.transient_internet(REMOTE_HOST):
|
||||
ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
s = socket.socket(socket.AF_INET)
|
||||
with closing(ctx1.wrap_socket(s)) as ss:
|
||||
ss.connect(("svn.python.org", 443))
|
||||
ss.connect((REMOTE_HOST, 443))
|
||||
self.assertIs(ss.context, ctx1)
|
||||
self.assertIs(ss._sslobj.context, ctx1)
|
||||
ss.context = ctx2
|
||||
|
@ -3026,7 +3031,7 @@ def test_main(verbose=False):
|
|||
pass
|
||||
|
||||
for filename in [
|
||||
CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
|
||||
CERTFILE, REMOTE_ROOT_CERT, BYTES_CERTFILE,
|
||||
ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
|
||||
SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
|
||||
BADCERT, BADKEY, EMPTYCERT]:
|
||||
|
|
|
@ -79,6 +79,9 @@ Library
|
|||
Tests
|
||||
-----
|
||||
|
||||
- Issue #25940: Changed test_ssl to use self-signed.pythontest.net. This
|
||||
avoids relying on svn.python.org, which recently changed root certificate.
|
||||
|
||||
- Issue #25616: Tests for OrderedDict are extracted from test_collections
|
||||
into separate file test_ordered_dict.
|
||||
|
||||
|
|
Loading…
Reference in New Issue