Lines Matching defs:ssl
1 # Test the support for SSL and sockets
22 ssl = support.import_module("ssl")
31 PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
33 IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
34 IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
84 OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
85 OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
86 OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
87 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
97 return ssl._OPENSSL_API_VERSION >= (0, 9, 8, 13, 15)
101 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
105 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
116 if ssl._OPENSSL_API_VERSION == (0, 9, 8, 9, 15):
129 if hasattr(ssl, 'PROTOCOL_SSLv2'):
133 ssl.SSLContext(ssl.PROTOCOL_SSLv2)
134 except ssl.SSLError:
135 if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
143 needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")
146 def test_wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS, *,
147 cert_reqs=ssl.CERT_NONE, ca_certs=None,
150 context = ssl.SSLContext(ssl_version)
164 ssl.CERT_NONE
165 ssl.CERT_OPTIONAL
166 ssl.CERT_REQUIRED
167 ssl.OP_CIPHER_SERVER_PREFERENCE
168 ssl.OP_SINGLE_DH_USE
169 if ssl.HAS_ECDH:
170 ssl.OP_SINGLE_ECDH_USE
171 if ssl.OPENSSL_VERSION_INFO >= (1, 0):
172 ssl.OP_NO_COMPRESSION
173 self.assertIn(ssl.HAS_SNI, {True, False})
174 self.assertIn(ssl.HAS_ECDH, {True, False})
179 proto = ssl.PROTOCOL_TLS
181 ctx = ssl.SSLContext(proto)
185 v = ssl.RAND_status()
191 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
195 data = ssl.RAND_bytes(16)
198 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
201 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
202 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
204 if hasattr(ssl, 'RAND_egd'):
205 self.assertRaises(TypeError, ssl.RAND_egd, 1)
206 self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
207 ssl.RAND_add("this is a random string", 75.0)
208 ssl.RAND_add(b"this is a random bytes object", 75.0)
209 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
213 status = ssl.RAND_status()
222 child_random = ssl.RAND_pseudo_bytes(16)[0]
238 parent_random = ssl.RAND_pseudo_bytes(16)[0]
247 p = ssl._ssl._test_decode_cert(CERTFILE)
269 p = ssl._ssl._test_decode_cert(NOKIACERT)
284 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
296 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
313 p = ssl._ssl._test_decode_cert(ALLSANFILE)
336 d1 = ssl.PEM_cert_to_DER_cert(pem)
337 p2 = ssl.DER_cert_to_PEM_cert(d1)
338 d2 = ssl.PEM_cert_to_DER_cert(p2)
340 if not p2.startswith(ssl.PEM_HEADER + '\n'):
342 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
346 n = ssl.OPENSSL_VERSION_NUMBER
347 t = ssl.OPENSSL_VERSION_INFO
348 s = ssl.OPENSSL_VERSION
368 # Version string as returned by {Open,Libre}SSL, the format might change
378 # Issue #7943: an SSL object doesn't create reference cycles with
400 # Issue #8524: when creating an SSL socket, the timeout of the
412 ssl.wrap_socket, sock, keyfile=CERTFILE)
415 ssl.wrap_socket, sock, server_side=True)
418 ssl.wrap_socket, sock, server_side=True, certfile="")
419 with ssl
424 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
428 ssl.wrap_socket(sock,
433 ssl.wrap_socket(sock,
443 with self.assertRaises(ssl.SSLError):
446 ssl_version=ssl.PROTOCOL_TLSv1)
462 ssl.match_hostname(cert, hostname)
464 self.assertRaises(ssl.CertificateError,
465 ssl.match_hostname, cert, hostname)
603 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
604 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
613 with self.assertRaises(ssl.CertificateError) as cm:
614 ssl.match_hostname(cert, 'axxbxxc.com')
619 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
636 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
657 paths = ssl.get_default_verify_paths()
659 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
664 paths = ssl.get_default_verify_paths()
670 self.assertTrue(ssl.enum_certificates("CA"))
671 self.assertTrue(ssl.enum_certificates("ROOT"))
673 self.assertRaises(TypeError, ssl.enum_certificates)
674 self.assertRaises(WindowsError, ssl.enum_certificates, "")
678 store = ssl.enum_certificates(storename)
695 self.assertTrue(ssl.enum_crls("CA"))
696 self.assertRaises(TypeError, ssl.enum_crls)
697 self.assertRaises(WindowsError, ssl.enum_crls, "")
699 crls = ssl.enum_crls("CA")
712 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
718 self.assertIsInstance(val, ssl._ASN1Object)
719 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
721 val = ssl._ASN1Object.fromnid(129)
723 self.assertIsInstance(val, ssl._ASN1Object)
724 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
726 ssl._ASN1Object.fromnid(100000)
729 obj = ssl._ASN1Object.fromnid(i)
738 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
740 self.assertIsInstance(val, ssl._ASN1Object)
741 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
742 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
745 ssl._ASN1Object.fromname('serverauth')
748 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
749 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
750 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
751 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
752 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
753 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
756 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
757 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
758 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
759 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
760 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
761 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
768 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
770 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
776 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
780 ssl.cert_time_to_seconds(timestring)
785 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
795 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
845 cert_reqs=ssl.CERT_REQUIRED)
862 ssl.SSLContext(protocol)
863 ctx = ssl.SSLContext()
864 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
865 self.assertRaises(ValueError, ssl.SSLContext, -1)
866 self.assertRaises(ValueError, ssl.SSLContext, 42)
871 ctx = ssl.SSLContext(proto)
875 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
878 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
881 @unittest.skipIf(ssl.OPENSSL_VERSION_INFO < (1, 0, 2, 0, 0), 'OpenSSL too old')
883 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
891 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
893 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
898 ctx.options |= ssl.OP_NO_TLSv1
899 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
901 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
905 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
911 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
913 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
914 ctx.verify_mode = ssl.CERT_OPTIONAL
915 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
916 ctx.verify_mode = ssl.CERT_REQUIRED
917 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
918 ctx.verify_mode = ssl.CERT_NONE
919 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
928 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
930 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
931 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
932 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
933 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
934 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
935 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
936 ctx.verify_flags = ssl.VERIFY_DEFAULT
937 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
939 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
941 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
946 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
954 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
956 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
959 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
963 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
965 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
967 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
970 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
971 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
984 with self.assertRaises(ssl.SSLError):
1017 with self.assertRaises(ssl.SSLError):
1029 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1039 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
1051 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1054 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1057 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1068 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1074 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1081 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1090 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1096 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1099 with self.assertRaisesRegex(ssl.SSLError, "no start line"):
1101 with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
1106 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1115 with self.assertRaises(ssl.SSLError) as cm:
1121 ctx = ssl.SSLContext(proto)
1139 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1142 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
1144 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1154 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1171 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1181 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1195 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1219 der = ssl.PEM_cert_to_DER_cert(pem)
1223 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1226 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1227 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1230 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1231 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1233 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1240 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1249 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1253 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1262 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1277 ctx = ssl.create_default_context()
1279 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1280 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1287 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1289 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1290 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1293 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
1294 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1295 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1299 ctx = ssl._create_stdlib_context()
1300 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1301 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1305 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
1306 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1307 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1310 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
1311 cert_reqs=ssl.CERT_REQUIRED,
1313 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1314 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1318 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
1319 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1320 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1324 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1330 ctx.verify_mode = ssl.CERT_REQUIRED
1335 ctx.verify_mode = ssl.CERT_OPTIONAL
1341 ctx.verify_mode = ssl.CERT_NONE
1347 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1349 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1352 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1354 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1361 e = ssl.SSLError(1, "foo")
1365 e = ssl.SSLZeroReturnError(1, "foo")
1371 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1372 with self.assertRaises(ssl.SSLError) as cm:
1382 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1390 with self.assertRaises(ssl.SSLWantReadError) as cm:
1395 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1401 bio = ssl.MemoryBIO()
1415 bio = ssl.MemoryBIO()
1431 bio = ssl.MemoryBIO()
1445 bio = ssl.MemoryBIO()
1454 bio = ssl.MemoryBIO()
1474 cert_reqs=ssl.CERT_NONE) as s:
1481 cert_reqs=ssl.CERT_REQUIRED,
1492 cert_reqs=ssl.CERT_REQUIRED)
1494 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1500 cert_reqs=ssl.CERT_REQUIRED,
1510 cert_reqs=ssl.CERT_REQUIRED,
1525 except ssl.SSLWantReadError:
1527 except ssl.SSLWantWriteError:
1529 # SSL established
1534 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1542 ctx.verify_mode = ssl.CERT_REQUIRED
1554 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1555 ctx.verify_mode = ssl.CERT_REQUIRED
1558 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1567 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1568 ctx.verify_mode = ssl.CERT_REQUIRED
1575 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1576 ctx.verify_mode = ssl.CERT_REQUIRED
1586 der = ssl.PEM_cert_to_DER_cert(pem)
1587 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1588 ctx.verify_mode = ssl.CERT_REQUIRED
1596 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1597 ctx.verify_mode = ssl.CERT_REQUIRED
1616 # Closing the SSL socket should close the fd too
1628 cert_reqs=ssl.CERT_NONE,
1637 except ssl.SSLWantReadError:
1639 except ssl.SSLWantWriteError:
1654 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
1657 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
1660 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
1663 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
1668 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1669 ctx.verify_mode = ssl.CERT_REQUIRED
1681 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1682 ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1702 except ssl.SSLError as e:
1703 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
1704 ssl.SSL_ERROR_WANT_WRITE):
1715 elif errno == ssl.SSL_ERROR_WANT_READ:
1730 incoming = ssl.MemoryBIO()
1731 outgoing = ssl.MemoryBIO()
1732 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1733 ctx.verify_mode = ssl.CERT_REQUIRED
1741 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
1747 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
1751 except ssl.SSLSyscallError:
1755 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
1761 incoming = ssl.MemoryBIO()
1762 outgoing = ssl.MemoryBIO()
1763 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1764 ctx.verify_mode = ssl.CERT_NONE
1778 # errno (mimicking the behaviour of non-SSL sockets).
1781 cert_reqs=ssl.CERT_REQUIRED,
1800 if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):
1801 self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)
1803 if not ssl.HAS_SNI:
1809 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1810 ctx.verify_mode = ssl.CERT_REQUIRED
1826 pem = ssl.get_server_certificate((host, port))
1830 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
1838 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
1839 except ssl.SSLError as x:
1855 with and without the SSL wrapper around the socket connection, so
1874 except (ssl.SSLError, ConnectionResetError) as e:
1891 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
1939 # without an SSL shutdown. This causes
1995 self.context = ssl.SSLContext(ssl_version
1997 else ssl.PROTOCOL_TLSv1)
1999 else ssl.CERT_NONE)
2079 if isinstance(self.socket, ssl.SSLSocket):
2087 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2089 except ssl.SSLEOFError:
2091 except ssl.SSLError:
2231 Try to SSL-connect using *client_protocol* to *server_protocol*.
2238 certsreqs = ssl.CERT_NONE
2240 ssl.CERT_NONE: "CERT_NONE",
2241 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2242 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2247 (ssl.get_protocol_name(client_protocol),
2248 ssl.get_protocol_name(server_protocol),
2250 client_context = ssl.SSLContext(client_protocol)
2252 server_context = ssl.SSLContext(server_protocol)
2258 if client_context.protocol == ssl.PROTOCOL_SSLv23:
2270 except ssl.SSLError:
2280 % (ssl.get_protocol_name(client_protocol),
2281 ssl.get_protocol_name(server_protocol)))
2292 SSL client connecting to a server"""
2296 if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
2298 with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
2299 context = ssl.SSLContext(protocol)
2304 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2306 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
2310 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2317 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2318 with self.assertRaises(ssl.SSLError) as e:
2326 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2327 with self.assertRaises(ssl.SSLError) as e:
2334 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2335 with self.assertRaises(ssl.SSLError) as e:
2346 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2347 context.verify_mode = ssl.CERT_REQUIRED
2376 before = ssl.cert_time_to_seconds(cert['notBefore'])
2377 after = ssl.cert_time_to_seconds(cert['notAfter'])
2387 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2390 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2391 context.verify_mode = ssl.CERT_REQUIRED
2393 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
2394 self.assertEqual(context.verify_flags, ssl.VERIFY_DEFAULT | tf)
2405 context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
2410 with self.assertRaisesRegex(ssl.SSLError,
2428 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2431 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2432 context.verify_mode = ssl.CERT_REQUIRED
2450 with self.assertRaisesRegex(ssl.CertificateError,
2471 certreqs=ssl.CERT_REQUIRED,
2478 ssl_version=ssl.PROTOCOL_TLSv1) as s:
2480 # Expect either an SSL error about the server rejecting
2484 except ssl.SSLError as e:
2496 """A brutal shutdown of an SSL server should raise an OSError
2527 self.fail('connecting to closed SSL socket should have failed')
2537 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),
2543 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
2544 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
2545 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
2546 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
2547 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2548 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
2549 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
2550 # SSLv23 client with specific SSL options
2553 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2554 client_options=ssl.OP_NO_SSLv2)
2555 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2556 client_options=ssl.OP_NO_SSLv3)
2557 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2558 client_options=ssl.OP_NO_TLSv1)
2565 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2567 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
2574 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2575 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
2576 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
2577 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
2579 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2580 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
2581 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
2582 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
2584 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2585 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
2586 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
2587 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
2589 # Server with specific SSL options
2590 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2591 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
2592 server_options=ssl.OP_NO_SSLv3)
2594 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
2595 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
2596 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,
2597 server_options=ssl.OP_NO_TLSv1)
2601 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'),
2607 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
2608 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
2609 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
2610 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2611 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
2612 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
2613 ssl.OP_NO_SSLv3)
2614 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
2617 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
2618 False, client_options=ssl.OP_NO_SSLv2)
2625 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
2626 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
2627 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
2628 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2629 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
2630 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2631 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
2632 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
2633 client_options=ssl.OP_NO_TLSv1)
2636 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
2643 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
2644 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2645 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
2646 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2647 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
2648 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
2649 client_options=ssl.OP_NO_TLSv1_1)
2651 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
2652 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
2653 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
2657 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
2664 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
2665 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
2666 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
2667 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2668 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
2669 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2670 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
2671 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv23, False,
2672 client_options=ssl.OP_NO_TLSv1_2)
2674 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
2675 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
2676 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
2677 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
2678 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
2685 ssl_version=ssl.PROTOCOL_TLSv1,
2713 conn = test_wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
2739 """Using socketserver to create and manage SSL connections."""
2750 context = ssl.create_default_context(cafile=CERTFILE)
2799 certreqs=ssl.CERT_NONE,
2800 ssl_version=ssl.PROTOCOL_TLSv1,
2809 cert_reqs=ssl.CERT_NONE,
2810 ssl_version=ssl.PROTOCOL_TLSv1)
2945 certreqs=ssl.CERT_NONE,
2946 ssl_version=ssl.PROTOCOL_TLSv1,
2955 cert_reqs=ssl.CERT_NONE,
2956 ssl_version=ssl.PROTOCOL_TLSv1)
2966 self.assertRaises((ssl.SSLWantWriteError,
2967 ssl.SSLWantReadError), fill_buffer)
2974 # Issue #5103: SSL handshake must respect the socket timeout
3025 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3026 context.verify_mode = ssl.CERT_REQUIRED
3058 self.assertIsInstance(remote, ssl.SSLSocket)
3062 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3069 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3076 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3080 except ssl.SSLError:
3083 ssl_version=ssl.PROTOCOL_SSLv23,
3095 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3097 ssl_version=ssl.PROTOCOL_TLSv1,
3105 @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
3108 # should be enabled by default on SSL contexts.
3109 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3115 if ssl.OPENSSL_VERSION_INFO < (1, 0, 0):
3122 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3130 certreqs=ssl.CERT_NONE,
3131 ssl_version=ssl.PROTOCOL_TLSv1,
3140 cert_reqs=ssl.CERT_NONE,
3141 ssl_version=ssl.PROTOCOL_TLSv1)
3165 cert_reqs=ssl.CERT_NONE,
3166 ssl_version=ssl.PROTOCOL_TLSv1)
3183 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3191 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
3192 "ssl.OP_NO_COMPRESSION needed for this test")
3194 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3196 context.options |= ssl.OP_NO_COMPRESSION
3203 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3216 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3222 @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
3225 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3227 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3234 @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")
3244 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
3247 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
3256 except ssl.SSLError as e:
3261 self.assertIsInstance(stats, ssl.SSLError)
3277 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3283 @unittest.skipUnless(ssl.HAS_NPN, "NPN support needed for this test")
3293 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3296 client_context = sslssl.PROTOCOL_TLSv1)
3313 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3315 other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3317 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3318 client_context.verify_mode = ssl.CERT_REQUIRED
3371 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
3374 with self.assertRaises(ssl.SSLError) as cm:
3389 with self.assertRaises(ssl.SSLError) as cm, \
3407 with self.assertRaises(ssl.SSLError) as cm, \
3416 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3418 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3419 client_context.verify_mode = ssl.CERT_REQUIRED
3421 if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
3440 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3441 context.verify_mode = ssl.CERT_REQUIRED
3459 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3460 context.verify_mode = ssl.CERT_REQUIRED
3472 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3474 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3475 client_context.verify_mode = ssl.CERT_REQUIRED
3485 if ssl.OPENSSL_VERSION_INFO > (1, 0, 1):
3528 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3529 context.verify_mode = ssl.CERT_REQUIRED
3533 context2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3534 context2.verify_mode = ssl.CERT_REQUIRED
3600 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
3602 print(" HAS_SNI = %r" % ssl.HAS_SNI)
3603 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
3605 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
