Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 29, 2019
Merged

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13252

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cc6870f
[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs.…
gpshead May 6, 2019
8766941
Also skip ssl tests that fail when the system rejects TLSv1.
gpshead May 11, 2019
60d4fb9
Remove the test_httplib change; server was updated.
gpshead May 11, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. ( 
…GH-13124)

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default.  This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.

Fixing the network servers is a separate issue..
(cherry picked from commit 2cc0223)

Co-authored-by: Gregory P. Smith <[email protected]>
  • Loading branch information
@gpshead
gpshead committed May 11, 2019
commit cc6870f24d39c0a397d2da94872aace4230fb24a
27 changes: 23 additions & 4 deletions Lib/test/test_httplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import itertools
import os
import array
import re
import socket

import unittest
Expand Down Expand Up @@ -1597,13 +1598,31 @@ def test_networked_good_cert(self):
# We feed the server's cert as a validating cert
import ssl
support.requires('network')
with support.transient_internet('self-signed.pythontest.net'):
selfsigned_pythontestdotnet = 'self-signed.pythontest.net'
with support.transient_internet(selfsigned_pythontestdotnet):
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.verify_mode = ssl.CERT_REQUIRED
self.assertEqual(context.verify_mode, ssl.CERT_REQUIRED)
self.assertEqual(context.check_hostname, True)
context.load_verify_locations(CERT_selfsigned_pythontestdotnet)
h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
h.request('GET', '/')
resp = h.getresponse()
try:
h = client.HTTPSConnection(selfsigned_pythontestdotnet, 443,
context=context)
h.request('GET', '/')
resp = h.getresponse()
except ssl.SSLError as ssl_err:
ssl_err_str = str(ssl_err)
# In the error message of [SSL: CERTIFICATE_VERIFY_FAILED] on
# modern Linux distros (Debian Buster, etc) default OpenSSL
# configurations it'll fail saying "key too weak" until we
# address https://bugs.python.org/issue36816 to use a proper
# key size on self-signed.pythontest.net.
if re.search(r'(?i)key.too.weak', ssl_err_str):
raise unittest.SkipTest(
f'Got {ssl_err_str} trying to connect '
f'to {selfsigned_pythontestdotnet}. '
'See https://bugs.python.org/issue36816.')
raise
server_string = resp.getheader('server')
resp.close()
h.close()
Expand Down
38 changes: 30 additions & 8 deletions Lib/test/test_nntplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
import functools
import contextlib
import os.path
import re

from test import support
from nntplib import NNTP, GroupInfo
import nntplib
Expand All @@ -22,6 +24,13 @@
TIMEOUT = 30
certfile = os.path.join(os.path.dirname(__file__), 'keycert3.pem')

if ssl is not None:
SSLError = ssl.SSLError
else:
class SSLError(Exception):
"""Non-existent exception class when we lack SSL support."""
reason = "This will never be raised."

# TODO:
# - test the `file` arg to more commands
# - test error conditions
Expand Down Expand Up @@ -262,14 +271,21 @@ def is_connected():
return False
return True

with self.NNTP_CLASS(self.NNTP_HOST, timeout=TIMEOUT, usenetrc=False) as server:
self.assertTrue(is_connected())
self.assertTrue(server.help())
self.assertFalse(is_connected())

with self.NNTP_CLASS(self.NNTP_HOST, timeout=TIMEOUT, usenetrc=False) as server:
server.quit()
self.assertFalse(is_connected())
try:
with self.NNTP_CLASS(self.NNTP_HOST, timeout=TIMEOUT, usenetrc=False) as server:
self.assertTrue(is_connected())
self.assertTrue(server.help())
self.assertFalse(is_connected())

with self.NNTP_CLASS(self.NNTP_HOST, timeout=TIMEOUT, usenetrc=False) as server:
server.quit()
self.assertFalse(is_connected())
except SSLError as ssl_err:
# matches "[SSL: DH_KEY_TOO_SMALL] dh key too small"
if re.search(r'(?i)KEY.TOO.SMALL', ssl_err.reason):
raise unittest.SkipTest(f"Got {ssl_err} connecting "
f"to {self.NNTP_HOST!r}")
raise


NetworkedNNTPTestsMixin.wrap_methods()
Expand All @@ -290,6 +306,12 @@ def setUpClass(cls):
try:
cls.server = cls.NNTP_CLASS(cls.NNTP_HOST, timeout=TIMEOUT,
usenetrc=False)
except SSLError as ssl_err:
# matches "[SSL: DH_KEY_TOO_SMALL] dh key too small"
if re.search(r'(?i)KEY.TOO.SMALL', ssl_err.reason):
raise unittest.SkipTest(f"{cls} got {ssl_err} connecting "
f"to {cls.NNTP_HOST!r}")
raise
except EOFError:
raise unittest.SkipTest(f"{cls} got EOF error on connecting "
f"to {cls.NNTP_HOST!r}")
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Tests/2019-05-06-18-29-54.bpo-35925.gwQPuC.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Skip httplib and nntplib networking tests when they would otherwise fail due to a modern OS or distro with a default OpenSSL policy of rejecting connections to servers with weak certificates.