Commit Graph

409 Commits

Author SHA1 Message Date
Martin Panter
b1321fba53 Issue #28394: More typo fixes for 3.6+ 2016-10-10 00:38:21 +00:00
Christian Heimes
a5d0765990 Finish GC code for SSLSession and increase test coverage 2016-09-24 10:48:05 +02:00
Martin Panter
22ecc4b36d Issue #28221: Merge SSL test cleanup from 3.5 into 3.6 2016-09-24 03:03:07 +00:00
Martin Panter
8609cda961 Issue #28221: Remove unused assignment from test_asyncore_server()
The later value of FOO is fine. The test just needs to verify that the server
converted it to lowercase.
2016-09-23 23:45:56 +00:00
Martin Panter
3217b1243e Merge socketserver fixes from 3.5 into 3.6 2016-09-22 10:33:51 +00:00
Martin Panter
463ef2b3cf Fix references to Python 3’s socketserver (lowercase) module 2016-09-22 09:37:56 +00:00
Christian Heimes
9017ec1ea0 Issue #28093: Check more invalid combinations of PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER 2016-09-12 10:48:20 +02:00
Christian Heimes
5fe668c672 Issue #28085: Add PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER for SSLContext 2016-09-12 00:01:11 +02:00
Christian Heimes
99a6570295 Issue #19500: Add client-side SSL session resumption to the ssl module. 2016-09-10 23:44:53 +02:00
Christian Heimes
d04863771b Issue #28022: Deprecate ssl-related arguments in favor of SSLContext.
The deprecation include manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.

ssl.wrap_socket() is not marked as deprecated yet.
2016-09-10 23:23:33 +02:00
Christian Heimes
358cfd426c Issue 28043: SSLContext has improved default settings
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
2016-09-10 22:43:48 +02:00
Christian Heimes
1c03abd026 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:25:35 +02:00
Christian Heimes
598894ff48 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:19:05 +02:00
R David Murray
44b548dda8 #27364: fix "incorrect" uses of escape character in the stdlib.
And most of the tools.

Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
2016-09-08 13:59:53 -04:00
Christian Heimes
fe3c9c1ee9 Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs. 2016-09-06 23:27:06 +02:00
Christian Heimes
582282b7d0 Issue 27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHE 2016-09-06 11:27:25 +02:00
Christian Heimes
ea9b2dc9e3 Issue 27866: relax test case for set_cipher() and allow more cipher suites 2016-09-06 10:45:44 +02:00
Christian Heimes
25bfcd5d9e Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers. 2016-09-06 00:04:45 +02:00
Christian Heimes
01113faef9 Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. 2016-09-05 23:23:24 +02:00
Martin Panter
7386268ffd Issue #23804: Merge SSL recv() fix from 3.5 2016-07-11 01:32:09 +00:00
Martin Panter
bed7f1a512 Issue #23804: Fix SSL zero-length recv() calls to not block and raise EOF 2016-07-11 00:17:13 +00:00
Larry Hastings
c2f2ef8faa Merge from 3.5. 2016-06-26 20:00:51 -07:00
Matthias Klose
f7c562439b Issue #26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test. 2016-06-12 23:40:00 -07:00
Martin Panter
519f91215b Issue #25951: Fix SSLSocket.sendall() to return None, by Aviv Palivoda 2016-04-03 02:12:54 +00:00
Martin Panter
ef4bb1e994 Issue #23804: Merge SSL zero read fix from 3.5 2016-03-28 01:09:13 +00:00
Martin Panter
f6b1d66a3c Issue #23804: Fix SSL recv/read(0) to not return 1024 bytes 2016-03-28 00:22:09 +00:00
Martin Panter
afd465d497 Issue #26644: Merge SSL negative read fix from 3.5 2016-03-27 10:40:22 +00:00
Martin Panter
5503d4731e Issue #26644: Raise ValueError for negative SSLSocket.recv() and read() 2016-03-27 05:35:19 +00:00
Martin Panter
3840b2ac67 Issue #25940: Use internal local server more in test_ssl
Move many tests from NetworkedTests and NetworkedBIOTests to a new Simple-
BackgroundTests class, using the existing ThreadedEchoServer and SIGNED_
CERTFILE infrastructure.

For tests that cause the server to crash by rejecting its certificate,
separate them into independent test methods.

Added custom root certificate to capath with the following commands:

cp Lib/test/{pycacert.pem,capath/}
# Edit copy to remove part before certificate
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{pycacert.pem,b1930218.0}
mv Lib/test/capath/{pycacert.pem,ceff1710.0}

Change to pure PEM version of SIGNING_CA because PEM_cert_to_DER_cert() does
not like the extra text at the start.

Moved test_connect_ex_error() into BasicSocketTests and rewrote it to connect
to a reserved localhost port.

NetworkedTests.test_get_server_certificate_ipv6() split out because it needs
to connect to an IPv6 DNS address.

The only reference left to self-signed.pythontest.net is test_timeout_
connect_ex(), which needs a remote server to reliably time out the
connection, but does not rely on the server running SSL.

Made ThreadedEchoServer call unwrap() by default when it sees the client has
shut the connection down, so that the client can cleanly call unwrap().
2016-03-27 01:53:46 +00:00
Victor Stinner
e0b75b7e87 Fix test_ssl.test_refcycle()
Issue #26590: support.check_warnings() stores warnins, but ResourceWarning now
comes with a reference to the socket object which indirectly keeps the socket
alive.
2016-03-21 17:26:04 +01:00
Martin Panter
3464ea2807 Issue #26173: Separate bad cert file tests and client rejection test
Test test_wrong_cert() runs a server that rejects the client's certificate,
so ECONNRESET is reasonable in addition to SSLError. On the other hand, the
other three tests don't even need to run a server because they are just
testing the parsing of invalid certificate files.

Also fix a ResourceWarning by closing the wrapped socket.
2016-02-01 21:58:11 +00:00
Martin Panter
407b62f3e5 Issue #26173: Fix test_ssl confusion with non-existing cert and wrongcert.pem
Testing for a non-existing certificate file is already done in test_errors().
Copy wrongcert.pem from Python 2 and use it to test the behaviour with a
mismatched certificate.
2016-01-30 03:41:43 +00:00
Martin Panter
a8b43b5fc3 Issue #25940: Merge ETIMEDOUT fix from 3.4 into 3.5 2016-01-15 02:28:59 +00:00
Martin Panter
3f2240ccb6 Issue #25940: Merge ETIMEDOUT fix from 3.3 into 3.4 2016-01-15 02:18:31 +00:00
Martin Panter
fab75d9bb9 Issue #25940: Merge ETIMEDOUT fix from 3.2 into 3.3 2016-01-15 02:08:13 +00:00
Martin Panter
035583b389 Issue #25940: On Windows, connecting to port 444 returns ETIMEDOUT 2016-01-15 01:16:41 +00:00
Martin Panter
40b97ec57a Issue #25940: Update new SSL tests for self-signed.pythontest.net
Removed SSL_ERROR_SYSCALL checking from ssl_io_loop() so that the loop can
terminate when unwrap() raises that error.
2016-01-14 13:05:46 +00:00
Martin Panter
17cbee49d6 Issue #25940: Merge self-signed.pythontest.net testing from 3.4 into 3.5 2016-01-14 13:22:29 +00:00
Martin Panter
b55f8b79af Issue #25940: Update new SSL tests for self-signed.pythontest.net 2016-01-14 12:53:56 +00:00
Martin Panter
514bb0711f Issue #25940: Merge self-signed.pythontest.net testing from 3.3 into 3.4 2016-01-14 12:46:49 +00:00
Martin Panter
73f55076f6 Issue #25940: Merge self-signed.pythontest.net testing from 3.2 into 3.3 2016-01-14 12:21:02 +00:00
Martin Panter
3d81d93f34 Issue #25940: Use self-signed.pythontest.net in SSL tests
This is instead of svn.python.org, whose certificate recently expired, and
whose new certificate uses a different root certificate.

The certificate used at the pythontest server was modifed to set the "basic
constraints" CA flag. This flag seems to be required for test_get_ca_certs_
capath() to work (in Python 3.4+).

Added the new self-signed certificate to capath with the following commands:

cp Lib/test/{selfsigned_pythontestdotnet.pem,capath/}
c_rehash -v Lib/test/capath/
c_rehash -v -old Lib/test/capath/
# Note the generated file names
cp Lib/test/capath/{selfsigned_pythontestdotnet.pem,0e4015b9.0}
mv Lib/test/capath/{selfsigned_pythontestdotnet.pem,ce7b8643.0}

The new server responds with "No route to host" when connecting to port 444.
2016-01-14 09:36:00 +00:00
Benjamin Peterson
45bde5d2ee merge 3.4 (#25530) 2015-11-11 22:45:22 -08:00
Benjamin Peterson
a9dcdabccb always set OP_NO_SSLv3 by default (closes #25530) 2015-11-11 22:38:41 -08:00
Berker Peksag
9e7990ae21 Issue #24210: Silence more PendingDeprecationWarning warnings in tests. 2015-05-16 23:21:26 +03:00
Benjamin Peterson
4b9df0d33b merge 3.4 (#23844) 2015-04-02 00:08:10 -04:00
Benjamin Peterson
a7eaf56a6d replace 512 bit dh key with a 2014 bit one (closes #23844)
Patch by Cédric Krier.
2015-04-02 00:04:06 -04:00
Serhiy Storchaka
8490f5acfe Issue #23001: Few functions in modules mmap, ossaudiodev, socket, ssl, and
codecs, that accepted only read-only bytes-like object now accept writable
bytes-like object too.
2015-03-20 09:00:36 +02:00
Berker Peksag
18987a11ce Issue #20617: Remove unused import in test_ssl.
Patch by Mark Lawrence.
2015-03-12 18:50:49 +02:00
Berker Peksag
4a0e14730b Issue #20617: Remove unused import in test_ssl.
Patch by Mark Lawrence.
2015-03-12 18:51:16 +02:00