[Python-checkins] r80318 - in python/branches/release31-maint: Lib/test/sha256.pem Lib/test/support.py Lib/test/test_ssl.py Misc/NEWS Modules/_ssl.c

antoine.pitrou python-checkins at python.org
Wed Apr 21 21:52:52 CEST 2010 

Author: antoine.pitrou
Date: Wed Apr 21 21:52:52 2010
New Revision: 80318

Log:
Merged revisions 80317 via svnmerge from 
svn+ssh://pythondev@svn.python.org/python/branches/py3k

................
  r80317 | antoine.pitrou | 2010-04-21 21:46:23 +0200 (mer., 21 avril 2010) | 15 lines
  
  Merged revisions 80314-80315 via svnmerge from 
  svn+ssh://pythondev@svn.python.org/python/trunk
  
  ........
    r80314 | antoine.pitrou | 2010-04-21 21:28:03 +0200 (mer., 21 avril 2010) | 5 lines
    
    Issue #8484: Load all ciphers and digest algorithms when initializing
    the _ssl extension, such that verification of some SSL certificates
    doesn't fail because of an "unknown algorithm".
  ........
    r80315 | antoine.pitrou | 2010-04-21 21:36:23 +0200 (mer., 21 avril 2010) | 3 lines
    
    Forgot to add the sample certificate (followup to r80314)
  ........
................


Added:
   python/branches/release31-maint/Lib/test/sha256.pem
      - copied unchanged from r80317, /python/branches/py3k/Lib/test/sha256.pem
Modified:
   python/branches/release31-maint/   (props changed)
   python/branches/release31-maint/Lib/test/support.py
   python/branches/release31-maint/Lib/test/test_ssl.py
   python/branches/release31-maint/Misc/NEWS
   python/branches/release31-maint/Modules/_ssl.c

Modified: python/branches/release31-maint/Lib/test/support.py
==============================================================================
--- python/branches/release31-maint/Lib/test/support.py	(original)
+++ python/branches/release31-maint/Lib/test/support.py	Wed Apr 21 21:52:52 2010
@@ -607,6 +607,17 @@
 
 
 @contextlib.contextmanager
+def transient_internet():
+    """Return a context manager that raises ResourceDenied when various issues
+    with the Internet connection manifest themselves as exceptions."""
+    time_out = TransientResource(IOError, errno=errno.ETIMEDOUT)
+    socket_peer_reset = TransientResource(socket.error, errno=errno.ECONNRESET)
+    ioerror_peer_reset = TransientResource(IOError, errno=errno.ECONNRESET)
+    with time_out, socket_peer_reset, ioerror_peer_reset:
+        yield
+
+
+ at contextlib.contextmanager
 def captured_output(stream_name):
     """Run the 'with' statement body using a StringIO object in place of a
     specific attribute on the sys module.

Modified: python/branches/release31-maint/Lib/test/test_ssl.py
==============================================================================
--- python/branches/release31-maint/Lib/test/test_ssl.py	(original)
+++ python/branches/release31-maint/Lib/test/test_ssl.py	Wed Apr 21 21:52:52 2010
@@ -176,6 +176,26 @@
         if support.verbose:
             sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)
 
+    def test_algorithms(self):
+        # Issue #8484: all algorithms should be available when verifying a
+        # certificate.
+        # NOTE: https://sha256.tbs-internet.com is another possible test host
+        remote = ("sha2.hboeck.de", 443)
+        sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")
+        s = ssl.wrap_socket(socket.socket(socket.AF_INET),
+                            cert_reqs=ssl.CERT_REQUIRED,
+                            ca_certs=sha256_cert,)
+        with support.transient_internet():
+            try:
+                s.connect(remote)
+                if support.verbose:
+                    sys.stdout.write("\nCipher with %r is %r\n" %
+                                     (remote, s.cipher()))
+                    sys.stdout.write("Certificate is:\n%s\n" %
+                                     pprint.pformat(s.getpeercert()))
+            finally:
+                s.close()
+
 
 try:
     import threading

Modified: python/branches/release31-maint/Misc/NEWS
==============================================================================
--- python/branches/release31-maint/Misc/NEWS	(original)
+++ python/branches/release31-maint/Misc/NEWS	Wed Apr 21 21:52:52 2010
@@ -33,6 +33,10 @@
 Library
 -------
 
+- Issue #8484: Load all ciphers and digest algorithms when initializing
+  the _ssl extension, such that verification of some SSL certificates
+  doesn't fail because of an "unknown algorithm".
+
 - Issue #4814: timeout parameter is now applied also for connections resulting
   from PORT/EPRT commands.
 

Modified: python/branches/release31-maint/Modules/_ssl.c
==============================================================================
--- python/branches/release31-maint/Modules/_ssl.c	(original)
+++ python/branches/release31-maint/Modules/_ssl.c	Wed Apr 21 21:52:52 2010
@@ -1652,13 +1652,14 @@
 
 	/* Init OpenSSL */
 	SSL_load_error_strings();
+	SSL_library_init();
 #ifdef WITH_THREAD
 	/* note that this will start threading if not already started */
 	if (!_setup_ssl_threads()) {
 		return NULL;
 	}
 #endif
-	SSLeay_add_ssl_algorithms();
+	OpenSSL_add_all_algorithms();
 
 	/* Add symbols to module dict */
 	PySSLErrorObject = PyErr_NewException("ssl.SSLError",

More information about the Python-checkins mailing list