From 8bb003df9f5ec271dddd80bfea5d73ab403fa6b6 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Fri, 9 Apr 2021 07:02:03 -0700
Subject: [PATCH] OpenSSL 3.0.0: Skip TLS 1.0/1.1 tests
(cherry picked from commit gh#python/cpython@5151d642004c)
Fixes: bpo-43791
From-PR: gh#python/cpython!25304
Patch: openssl-300-skip-tls-10-11-tests.patch
Signed-off-by: Christian Heimes <christian@python.org>
---
 Lib/test/test_ssl.py | 95 +++++++++++--------
 .../2021-04-09-15-10-38.bpo-43791.4KxiXK.rst | 2 +
 2 files changed, 56 insertions(+), 41 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index b9f27afc272..3824c18eefb 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -21,6 +21,7 @@ import asyncore
 import weakref
 import platform
 import re
+import sysconfig
 import functools
 try:
 import ctypes
@@ -41,7 +42,8 @@ HOST = support.HOST
 IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
 IS_OPENSSL_1_1 = not IS_LIBRESSL and (ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) and ssl.OPENSSL_VERSION_INFO < (2, 0))
 IS_OPENSSL_1_1_1 = not IS_LIBRESSL and (ssl.OPENSSL_VERSION_INFO >= (1, 1, 1) and ssl.OPENSSL_VERSION_INFO < (2, 0))
-
+IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
+PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
 def data_file(*name):
 return os.path.join(os.path.dirname(__file__), *name)
@@ -95,6 +97,7 @@ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
 OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
 def clean_OpenSSL30_san(in_tup):
 if ssl._OPENSSL_API_VERSION >= (3, 0, 0):
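Review bot: `PY_SSL_DEFAULT_CIPHERS` (hunk at line 41) and `OP_IGNORE_UNEXPECTED_EOF` (hunk at line 95) are introduced here but no other hunk in this patch reads them; if the backport dropped the upstream hunks that consumed them they are dead module globals, and if a later patch in the series uses them a comment naming that consumer would save the next reader a search. `sysconfig.get_config_var` returns None when the variable is not in the build configuration, so any consumer must handle `PY_SSL_DEFAULT_CIPHERS is None` before passing it to `set_ciphers`. The `not IS_LIBRESSL` guard on `IS_OPENSSL_3_0_0` is consistent with the two existing constants above it, which is good, but a one-line comment such as `# OpenSSL 3.0 raises the default security level so TLS < 1.2 no longer handshakes` would tie the constant to the skips it drives further down.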
@@ -155,8 +158,8 @@ def skip_if_broken_ubuntu_ssl(func):
 else:
 return func
-def skip_if_openssl_cnf_minprotocol_gt_tls1(func):
-"""Skip a test if the OpenSSL config MinProtocol is > TLSv1.
+def skip_if_openssl_cnf_minprotocol_gt_tls11(func):
+"""Skip a test if the OpenSSL config MinProtocol is > TLSv1.1.
 OS distros with an /etc/ssl/openssl.cnf and MinProtocol set often do so to
 require TLSv1.2 or higher (Debian Buster). Some of our tests for older
@@ -167,6 +170,8 @@ def skip_if_openssl_cnf_minprotocol_gt_tls1(func):
 """
 @functools.wraps(func)
 def f(*args, **kwargs):
+if IS_OPENSSL_3_0_0:
+raise unittest.SkipTest('OpenSSL 3 effectively disables TLS < 1.2')
 openssl_cnf = os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl.cnf")
 try:
 with open(openssl_cnf, "r") as config:
@@ -174,7 +179,7 @@ def skip_if_openssl_cnf_minprotocol_gt_tls1(func):
 match = re.match(r"MinProtocol\s*=\s*(TLSv\d+\S*)", line)
 if match:
 tls_ver = match.group(1)
-if tls_ver > "TLSv1":
+if tls_ver > "TLSv1.1":
 raise unittest.SkipTest(
 "%s has MinProtocol = %s which is > TLSv1." %
 (openssl_cnf, tls_ver))
@@ -1416,7 +1421,7 @@ class ContextTests(unittest.TestCase):
 self._assert_context_options(ctx)
 def test_check_hostname(self):
-ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
 self.assertFalse(ctx.check_hostname)
 # Requires CERT_REQUIRED or CERT_OPTIONAL
@@ -1474,7 +1479,7 @@ class SSLErrorTests(unittest.TestCase):
 def test_subclass(self):
 # Check that the appropriate SSLError subclass is raised
 # (this only tests one of them)
-ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
 with socket.socket() as s:
 s.bind(("127.0.0.1", 0))
 s.listen()
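Review bot: The docstring of the renamed `skip_if_openssl_cnf_minprotocol_gt_tls11` still describes only the openssl.cnf MinProtocol check, but the wrapper now (hunk at line 167) skips unconditionally on OpenSSL >= 3.0.0 before the config file is even opened, regardless of what that file allows. I would add a sentence to the docstring such as `On OpenSSL 3.0 and later the test is skipped unconditionally: the default security level refuses TLS < 1.2, so the openssl.cnf MinProtocol value is not consulted.` That also records the deliberate trade-off that a 3.x install whose config lowers the security level to re-enable TLS 1.0/1.1 is still skipped. The decorator body continues outside this hunk.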
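Review bot: The SkipTest message at the end of the hunk at line 174 still reads `which is > TLSv1.` although the threshold on the changed line is now TLSv1.1, so the reported skip reason contradicts the check on a MinProtocol = TLSv1.2 system; change it to `"%s has MinProtocol = %s which is > TLSv1.1." %`. `tls_ver > "TLSv1.1"` is a plain string comparison that happens to order TLSv1, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 correctly, but the regex `TLSv\d+\S*` accepts other spellings too, so a comment like `# lexicographic compare; correct only for the TLSv1[.x] spellings openssl.cnf uses` would stop the next maintainer from treating it as a version compare.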
@@ -2417,7 +2422,8 @@ if _have_threads:
 if support.verbose:
 sys.stdout.write("\n")
 for protocol in PROTOCOLS:
-if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
+if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER,
+ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1}:
 continue
 with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
 context = ssl.SSLContext(protocol)
@@ -2508,10 +2514,10 @@ if _have_threads:
 if support.verbose:
 sys.stdout.write("\n")
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 server_context.load_cert_chain(SIGNED_CERTFILE)
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(SIGNING_CA)
 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
@@ -2549,10 +2555,10 @@ if _have_threads:
 if support.verbose:
 sys.stdout.write("\n")
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 server_context.load_cert_chain(SIGNED_CERTFILE)
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.verify_mode = ssl.CERT_REQUIRED
 context.check_hostname = True
 context.load_verify_locations(SIGNING_CA)
@@ -2682,7 +2688,7 @@ if _have_threads:
 client_options=ssl.OP_NO_TLSv1)
 @skip_if_broken_ubuntu_ssl
-@skip_if_openssl_cnf_minprotocol_gt_tls1
+@skip_if_openssl_cnf_minprotocol_gt_tls11
 def test_protocol_sslv23(self):
 """Connecting to an SSLv23 server with various client options"""
 if support.verbose:
@@ -2743,6 +2749,7 @@ if _have_threads:
 False, client_options=ssl.OP_NO_SSLv2)
 @skip_if_broken_ubuntu_ssl
+@skip_if_openssl_cnf_minprotocol_gt_tls11
 def test_protocol_tlsv1(self):
 """Connecting to a TLSv1 server with various client options"""
 if support.verbose:
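Review bot: The new `continue` condition in the hunk at line 2417 drops PROTOCOL_TLSv1 and PROTOCOL_TLSv1_1 from the loop unconditionally, not only on OpenSSL 3, so this test loses its TLS 1.0/1.1 coverage on OpenSSL 1.1.x builds where those versions still negotiate; if that narrowing is intended it contradicts the commit title and should be stated in a comment, otherwise gate it on the new constant. It also references `ssl.PROTOCOL_TLSv1_1` directly although the file treats that attribute as optional elsewhere (`@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"), ...)` on `test_protocol_tlsv1_1`), so a build without TLS 1.1 would raise AttributeError here instead of skipping. Something like `legacy = {getattr(ssl, 'PROTOCOL_TLSv1', None), getattr(ssl, 'PROTOCOL_TLSv1_1', None)}` followed by `if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER} or (IS_OPENSSL_3_0_0 and protocol in legacy): continue` covers both. The enclosing test method starts before this hunk.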
@@ -2760,7 +2767,7 @@ if _have_threads:
 @skip_if_broken_ubuntu_ssl
 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
 "TLS version 1.1 not supported.")
-@skip_if_openssl_cnf_minprotocol_gt_tls1
+@skip_if_openssl_cnf_minprotocol_gt_tls11
 def test_protocol_tlsv1_1(self):
 """Connecting to a TLSv1.1 server with various client options.
 Testing against older TLS versions."""
@@ -2808,7 +2815,7 @@ if _have_threads:
 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3",
 b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
 server = ThreadedEchoServer(CERTFILE,
-ssl_version=ssl.PROTOCOL_TLSv1,
+ssl_version=ssl.PROTOCOL_TLS,
 starttls_server=True,
 chatty=True,
 connectionchatty=True)
@@ -2836,7 +2843,7 @@ if _have_threads:
 sys.stdout.write(
 " client: read %r from server, starting TLS...\n"
 % msg)
-conn = test_wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
+conn = test_wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS)
 wrapped = True
 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
 # ENDTLS ok, switch back to clear text
@@ -2923,7 +2930,7 @@ if _have_threads:
 server = ThreadedEchoServer(CERTFILE,
 certreqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1,
+ssl_version=ssl.PROTOCOL_TLS,
 cacerts=CERTFILE,
 chatty=True,
 connectionchatty=False)
@@ -2933,7 +2940,7 @@ if _have_threads:
 certfile=CERTFILE,
 ca_certs=CERTFILE,
 cert_reqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1)
+ssl_version=ssl.PROTOCOL_TLS)
 s.connect((HOST, server.port))
 # helper methods for standardising recv* method signatures
 def _recv_into():
@@ -3075,7 +3082,7 @@ if _have_threads:
 def test_nonblocking_send(self):
 server = ThreadedEchoServer(CERTFILE,
 certreqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1,
+ssl_version=ssl.PROTOCOL_TLS,
 cacerts=CERTFILE,
 chatty=True,
 connectionchatty=False)
@@ -3085,7 +3092,7 @@ if _have_threads:
 certfile=CERTFILE,
 ca_certs=CERTFILE,
 cert_reqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1)
+ssl_version=ssl.PROTOCOL_TLS)
 s.connect((HOST, server.port))
 s.setblocking(False)
@@ -3231,14 +3238,14 @@ if _have_threads:
 Basic tests for SSLSocket.version().
 More tests are done in the test_protocol_*() methods.
 """
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 with ThreadedEchoServer(CERTFILE,
-ssl_version=ssl.PROTOCOL_TLSv1,
+ssl_version=ssl.PROTOCOL_TLS,
 chatty=False) as server:
 with context.wrap_socket(socket.socket()) as s:
 self.assertIs(s.version(), None)
 s.connect((HOST, server.port))
-self.assertEqual(s.version(), 'TLSv1')
+self.assertEqual(s.version(), 'TLSv1.3')
 self.assertIs(s.version(), None)
 @unittest.skipUnless(ssl.HAS_TLSv1_3,
@@ -3289,7 +3296,7 @@ if _have_threads:
 server = ThreadedEchoServer(CERTFILE,
 certreqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1,
+ssl_version=ssl.PROTOCOL_TLS,
 cacerts=CERTFILE,
 chatty=True,
 connectionchatty=False)
@@ -3299,7 +3306,7 @@ if _have_threads:
 certfile=CERTFILE,
 ca_certs=CERTFILE,
 cert_reqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1)
+ssl_version=ssl.PROTOCOL_TLS)
 s.connect((HOST, server.port))
 # get the data
 cb_data = s.get_channel_binding("tls-unique")
@@ -3309,7 +3316,10 @@ if _have_threads:
 # check if it is sane
 self.assertIsNotNone(cb_data)
-self.assertEqual(len(cb_data), 12) # True for TLSv1
+if s.version() == 'TLSv1.3':
+self.assertEqual(len(cb_data), 48)
+else:
+self.assertEqual(len(cb_data), 12) # True for TLSv1
 # and compare with the peers version
 s.write(b"CB tls-unique\n")
@@ -3324,7 +3334,7 @@ if _have_threads:
 certfile=CERTFILE,
 ca_certs=CERTFILE,
 cert_reqs=ssl.CERT_NONE,
-ssl_version=ssl.PROTOCOL_TLSv1)
+ssl_version=ssl.PROTOCOL_TLS)
 s.connect((HOST, server.port))
 new_cb_data = s.get_channel_binding("tls-unique")
 if support.verbose:
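Review bot: `self.assertEqual(s.version(), 'TLSv1.3')` in the hunk at line 3231 hard-codes the negotiated version even though both peers now use PROTOCOL_TLS, which selects the highest version both sides support; on a build where TLS 1.3 is unavailable (exactly the case the `@unittest.skipUnless(ssl.HAS_TLSv1_3, ...)` decorator visible at the end of the hunk exists for) the handshake lands on TLSv1.2 and this assertion fails rather than skipping. Derive the expectation instead, `expected = 'TLSv1.3' if ssl.HAS_TLSv1_3 else 'TLSv1.2'` followed by `self.assertEqual(s.version(), expected)`, or assert `self.assertIn(s.version(), ('TLSv1.2', 'TLSv1.3'))`.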
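Review bot: The new `len(cb_data) == 48` branch in the hunk at line 3309 silently assumes which TLS 1.3 suite was negotiated: `tls-unique` is not defined for TLS 1.3 (RFC 8446 dropped it), so what OpenSSL returns here is presumably the Finished message, whose length is the handshake hash size — 48 bytes for the SHA-384 suites and 32 for the SHA-256 ones — and the assertion only holds while the library's default preference picks a SHA-384 suite. Accepting `self.assertIn(len(cb_data), (32, 48))` or deriving the size from `s.cipher()` would make the test robust, and a comment such as `# TLS 1.3 has no tls-unique binding; OpenSSL hands back the Finished message, hash-length bytes` should explain why 48 appears at all. The same assertion is repeated in the next hunk, so both copies need the same treatment; the surrounding test method starts before this hunk.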
@@ -3333,7 +3343,10 @@ if _have_threads:
 # is it really unique
 self.assertNotEqual(cb_data, new_cb_data)
 self.assertIsNotNone(cb_data)
-self.assertEqual(len(cb_data), 12) # True for TLSv1
+if s.version() == 'TLSv1.3':
+self.assertEqual(len(cb_data), 48)
+else:
+self.assertEqual(len(cb_data), 12) # True for TLSv1
 s.write(b"CB tls-unique\n")
 peer_data_repr = s.read().strip()
 self.assertEqual(peer_data_repr,
@@ -3341,7 +3354,7 @@ if _have_threads:
 s.close()
 def test_compression(self):
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.load_cert_chain(CERTFILE)
 stats = server_params_test(context, context,
 chatty=True, connectionchatty=True)
@@ -3352,7 +3365,7 @@ if _have_threads:
 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
 "ssl.OP_NO_COMPRESSION needed for this test")
 def test_compression_disabled(self):
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.load_cert_chain(CERTFILE)
 context.options |= ssl.OP_NO_COMPRESSION
 stats = server_params_test(context, context,
@@ -3361,7 +3374,7 @@ if _have_threads:
 def test_dh_params(self):
 # Check we can get a connection with ephemeral Diffie-Hellman
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
 context.load_cert_chain(CERTFILE)
 context.load_dh_params(DHFILE)
 context.set_ciphers("kEDH")
@@ -3374,7 +3387,7 @@ if _have_threads:
 def test_selected_alpn_protocol(self):
 # selected_alpn_protocol() is None unless ALPN is used.
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.load_cert_chain(CERTFILE)
 stats = server_params_test(context, context,
 chatty=True, connectionchatty=True)
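Review bot: `test_dh_params` (hunk at line 3361) is the one test in this patch pinned to PROTOCOL_TLSv1_2 while every sibling moves to PROTOCOL_TLS, and the reason is not recorded next to the change: `set_ciphers("kEDH")` two lines below only governs TLS 1.2-and-earlier cipher suites, so under a TLS 1.3 negotiation the kEDH restriction would presumably be ignored and the test would no longer demonstrate that the configured DH parameters were used. I would add `# Pin TLS 1.2: set_ciphers() does not apply to TLS 1.3 suites, so only there does "kEDH" force a finite-field DHE exchange using DHFILE` above the SSLContext line. The assertions that check the negotiated cipher are outside this hunk.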
@@ -3383,9 +3396,9 @@ if _have_threads:
 @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
 def test_selected_alpn_protocol_if_server_uses_alpn(self):
 # selected_alpn_protocol() is None unless ALPN is used by the client.
-client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 client_context.load_verify_locations(CERTFILE)
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 server_context.load_cert_chain(CERTFILE)
 server_context.set_alpn_protocols(['foo', 'bar'])
 stats = server_params_test(client_context, server_context,
@@ -3437,7 +3450,7 @@ if _have_threads:
 def test_selected_npn_protocol(self):
 # selected_npn_protocol() is None unless NPN is used
-context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.load_cert_chain(CERTFILE)
 stats = server_params_test(context, context,
 chatty=True, connectionchatty=True)
@@ -3473,11 +3486,11 @@ if _have_threads:
 self.assertEqual(server_result, expected,
 msg % (server_result, "server"))
 def sni_contexts(self):
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 server_context.load_cert_chain(SIGNED_CERTFILE)
-other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+other_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 other_context.load_cert_chain(SIGNED_CERTFILE2)
-client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 client_context.verify_mode = ssl.CERT_REQUIRED
 client_context.load_verify_locations(SIGNING_CA)
 return server_context, other_context, client_context
@@ -3577,9 +3590,9 @@ if _have_threads:
 @unittest.skipIf(IS_OPENSSL_1_1_1,
 "bpo-36576: fail on OpenSSL 1.1.1")
 def test_shared_ciphers(self):
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 server_context.load_cert_chain(SIGNED_CERTFILE)
-client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 client_context.verify_mode = ssl.CERT_REQUIRED
 client_context.load_verify_locations(SIGNING_CA)
 if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
@@ -3639,9 +3652,9 @@ if _have_threads:
 self.assertEqual(s.recv(1024), TEST_DATA)
 def test_session(self):
-server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 server_context.load_cert_chain(SIGNED_CERTFILE)
-client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 client_context.verify_mode = ssl.CERT_REQUIRED
 client_context.load_verify_locations(SIGNING_CA)
diff --git a/Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst b/Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst
new file mode 100644
index 00000000000..964ae5abb3d
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests
+are failing with TLSV1_ALERT_INTERNAL_ERROR.
-- 
2.46.1
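Review bot: Switching the client side of `test_session` (hunk at line 3639) to `PROTOCOL_TLS_CLIENT` changes defaults that the rest of the test, which lies outside this hunk, has to cope with: that constant turns on `check_hostname` by default, so every client connection in the test must now pass a `server_hostname` that matches SIGNED_CERTFILE or explicitly set `client_context.check_hostname = False`, otherwise the handshake fails before any session can be resumed. The explicit `client_context.verify_mode = ssl.CERT_REQUIRED` on the following context line is redundant for PROTOCOL_TLS_CLIENT; keeping it is harmless, but a comment such as `# PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED + check_hostname; kept explicit for readers of older branches` would make the intent clear. The sibling `test_shared_ciphers` hunk above keeps PROTOCOL_TLS on both ends, so the two tests now differ in style for no stated reason.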