[Python-checkins] [3.7] bpo-38275: Skip ssl tests for disabled versions (GH-16427)
Christian Heimes
webhook-mailer at python.org
Thu Sep 26 16:54:38 EDT 2019
https://github.com/python/cpython/commit/2c24f2cae00bbfe9af1e59778f6516d4c56ffc4e
commit: 2c24f2cae00bbfe9af1e59778f6516d4c56ffc4e
branch: 3.7
author: Christian Heimes <christian at python.org>
committer: GitHub <noreply at github.com>
date: 2019-09-26T22:54:33+02:00
summary:
[3.7] bpo-38275: Skip ssl tests for disabled versions (GH-16427)
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.
Signed-off-by: Christian Heimes <christian at python.org>
https://bugs.python.org/issue38275
(cherry picked from commit df6ac7e2b82d921a6e9ff5571b40c6dbcf635581)
files:
A Misc/NEWS.d/next/Tests/2019-09-25-14-40-57.bpo-38275.-kdveI.rst
M Lib/test/test_ssl.py
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 04ede28ab7c0..e21e7e07455c 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -19,6 +19,7 @@
import platform
import functools
import sysconfig
+import functools
try:
import ctypes
except ImportError:
@@ -142,6 +143,87 @@ def data_file(*name):
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+def has_tls_protocol(protocol):
+ """Check if a TLS protocol is available and enabled
+
+ :param protocol: enum ssl._SSLMethod member or name
+ :return: bool
+ """
+ if isinstance(protocol, str):
+ assert protocol.startswith('PROTOCOL_')
+ protocol = getattr(ssl, protocol, None)
+ if protocol is None:
+ return False
+ if protocol in {
+ ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
+ ssl.PROTOCOL_TLS_CLIENT
+ }:
+ # auto-negotiate protocols are always available
+ return True
+ name = protocol.name
+ return has_tls_version(name[len('PROTOCOL_'):])
+
+
+ at functools.lru_cache()
+def has_tls_version(version):
+ """Check if a TLS/SSL version is enabled
+
+ :param version: TLS version name or ssl.TLSVersion member
+ :return: bool
+ """
+ if version == "SSLv2":
+ # never supported and not even in TLSVersion enum
+ return False
+
+ if isinstance(version, str):
+ version = ssl.TLSVersion.__members__[version]
+
+ # check compile time flags like ssl.HAS_TLSv1_2
+ if not getattr(ssl, f'HAS_{version.name}'):
+ return False
+
+ # check runtime and dynamic crypto policy settings. A TLS version may
+ # be compiled in but disabled by a policy or config option.
+ ctx = ssl.SSLContext()
+ if (
+ hasattr(ctx, 'minimum_version') and
+ ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
+ version < ctx.minimum_version
+ ):
+ return False
+ if (
+ hasattr(ctx, 'maximum_version') and
+ ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
+ version > ctx.maximum_version
+ ):
+ return False
+
+ return True
+
+
+def requires_tls_version(version):
+ """Decorator to skip tests when a required TLS version is not available
+
+ :param version: TLS version name or ssl.TLSVersion member
+ :return:
+ """
+ def decorator(func):
+ @functools.wraps(func)
+ def wrapper(*args, **kw):
+ if not has_tls_version(version):
+ raise unittest.SkipTest(f"{version} is not available.")
+ else:
+ return func(*args, **kw)
+ return wrapper
+ return decorator
+
+
+requires_minimum_version = unittest.skipUnless(
+ hasattr(ssl.SSLContext, 'minimum_version'),
+ "required OpenSSL >= 1.1.0g"
+)
+
+
def handle_error(prefix):
exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
if support.verbose:
@@ -1124,19 +1206,23 @@ def test_hostname_checks_common_name(self):
with self.assertRaises(AttributeError):
ctx.hostname_checks_common_name = True
- @unittest.skipUnless(hasattr(ssl.SSLContext, 'minimum_version'),
- "required OpenSSL 1.1.0g")
+ @requires_minimum_version
+ @unittest.skipIf(IS_LIBRESSL, "see bpo-34001")
def test_min_max_version(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
# Fedora override the setting to TLS 1.0.
+ minimum_range = {
+ # stock OpenSSL
+ ssl.TLSVersion.MINIMUM_SUPPORTED,
+ # Fedora 29 uses TLS 1.0 by default
+ ssl.TLSVersion.TLSv1,
+ # RHEL 8 uses TLS 1.2 by default
+ ssl.TLSVersion.TLSv1_2
+ }
+
self.assertIn(
- ctx.minimum_version,
- {ssl.TLSVersion.MINIMUM_SUPPORTED,
- # Fedora 29 uses TLS 1.0 by default
- ssl.TLSVersion.TLSv1,
- # RHEL 8 uses TLS 1.2 by default
- ssl.TLSVersion.TLSv1_2}
+ ctx.minimum_version, minimum_range
)
self.assertEqual(
ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
@@ -1182,8 +1268,8 @@ def test_min_max_version(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
- self.assertEqual(
- ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
+ self.assertIn(
+ ctx.minimum_version, minimum_range
)
self.assertEqual(
ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
@@ -2723,6 +2809,8 @@ def test_echo(self):
for protocol in PROTOCOLS:
if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
continue
+ if not has_tls_protocol(protocol):
+ continue
with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
context = ssl.SSLContext(protocol)
context.load_cert_chain(CERTFILE)
@@ -3014,7 +3102,7 @@ def test_wrong_cert_tls12(self):
else:
self.fail("Use of invalid cert should have failed!")
- @unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
+ @requires_tls_version('TLSv1_3')
def test_wrong_cert_tls13(self):
client_context, server_context, hostname = testing_context()
# load client cert that is not signed by trusted CA
@@ -3109,9 +3197,7 @@ def test_ssl_cert_verify_error(self):
self.assertIn(msg, repr(e))
self.assertIn('certificate verify failed', repr(e))
- @skip_if_broken_ubuntu_ssl
- @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),
- "OpenSSL is compiled without SSLv2 support")
+ @requires_tls_version('SSLv2')
def test_protocol_sslv2(self):
"""Connecting to an SSLv2 server with various client options"""
if support.verbose:
@@ -3120,7 +3206,7 @@ def test_protocol_sslv2(self):
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
# SSLv23 client with specific SSL options
@@ -3138,7 +3224,7 @@ def test_PROTOCOL_TLS(self):
"""Connecting to an SSLv23 server with various client options"""
if support.verbose:
sys.stdout.write("\n")
- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ if has_tls_version('SSLv2'):
try:
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
except OSError as x:
@@ -3147,35 +3233,36 @@ def test_PROTOCOL_TLS(self):
sys.stdout.write(
" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
% str(x))
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
- try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
+ if has_tls_version('TLSv1'):
+ try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
- try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
+ if has_tls_version('TLSv1'):
+ try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
- try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
+ if has_tls_version('TLSv1'):
+ try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
# Server with specific SSL options
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
server_options=ssl.OP_NO_SSLv3)
# Will choose TLSv1
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
- try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
- server_options=ssl.OP_NO_TLSv1)
-
+ if has_tls_version('TLSv1'):
+ try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
+ server_options=ssl.OP_NO_TLSv1)
- @skip_if_broken_ubuntu_ssl
- @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'),
- "OpenSSL is compiled without SSLv3 support")
+ @requires_tls_version('SSLv3')
def test_protocol_sslv3(self):
"""Connecting to an SSLv3 server with various client options"""
if support.verbose:
@@ -3183,7 +3270,7 @@ def test_protocol_sslv3(self):
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ if has_tls_version('SSLv2'):
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
client_options=ssl.OP_NO_SSLv3)
@@ -3193,7 +3280,7 @@ def test_protocol_sslv3(self):
try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS,
False, client_options=ssl.OP_NO_SSLv2)
- @skip_if_broken_ubuntu_ssl
+ @requires_tls_version('TLSv1')
def test_protocol_tlsv1(self):
"""Connecting to a TLSv1 server with various client options"""
if support.verbose:
@@ -3201,36 +3288,32 @@ def test_protocol_tlsv1(self):
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ if has_tls_version('SSLv2'):
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
client_options=ssl.OP_NO_TLSv1)
- @skip_if_broken_ubuntu_ssl
- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
- "TLS version 1.1 not supported.")
+ @requires_tls_version('TLSv1_1')
def test_protocol_tlsv1_1(self):
"""Connecting to a TLSv1.1 server with various client options.
Testing against older TLS versions."""
if support.verbose:
sys.stdout.write("\n")
try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ if has_tls_version('SSLv2'):
try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
client_options=ssl.OP_NO_TLSv1_1)
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
+ try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
+ try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
- @skip_if_broken_ubuntu_ssl
- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
- "TLS version 1.2 not supported.")
+ @requires_tls_version('TLSv1_2')
def test_protocol_tlsv1_2(self):
"""Connecting to a TLSv1.2 server with various client options.
Testing against older TLS versions."""
@@ -3239,9 +3322,9 @@ def test_protocol_tlsv1_2(self):
try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ if has_tls_version('SSLv2'):
try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+ if has_tls_version('SSLv3'):
try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
client_options=ssl.OP_NO_TLSv1_2)
@@ -3684,7 +3767,7 @@ def test_version_basic(self):
self.assertIs(s.version(), None)
self.assertIs(s._sslobj, None)
s.connect((HOST, server.port))
- if IS_OPENSSL_1_1_1 and ssl.HAS_TLSv1_3:
+ if IS_OPENSSL_1_1_1 and has_tls_version('TLSv1_3'):
self.assertEqual(s.version(), 'TLSv1.3')
elif ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
self.assertEqual(s.version(), 'TLSv1.2')
@@ -3693,8 +3776,7 @@ def test_version_basic(self):
self.assertIs(s._sslobj, None)
self.assertIs(s.version(), None)
- @unittest.skipUnless(ssl.HAS_TLSv1_3,
- "test requires TLSv1.3 enabled OpenSSL")
+ @requires_tls_version('TLSv1_3')
def test_tls1_3(self):
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.load_cert_chain(CERTFILE)
@@ -3711,9 +3793,9 @@ def test_tls1_3(self):
})
self.assertEqual(s.version(), 'TLSv1.3')
- @unittest.skipUnless(hasattr(ssl.SSLContext, 'minimum_version'),
- "required OpenSSL 1.1.0g")
- def test_min_max_version(self):
+ @requires_minimum_version
+ @requires_tls_version('TLSv1_2')
+ def test_min_max_version_tlsv1_2(self):
client_context, server_context, hostname = testing_context()
# client TLSv1.0 to 1.2
client_context.minimum_version = ssl.TLSVersion.TLSv1
@@ -3728,7 +3810,13 @@ def test_min_max_version(self):
s.connect((HOST, server.port))
self.assertEqual(s.version(), 'TLSv1.2')
+ @requires_minimum_version
+ @requires_tls_version('TLSv1_1')
+ def test_min_max_version_tlsv1_1(self):
+ client_context, server_context, hostname = testing_context()
# client 1.0 to 1.2, server 1.0 to 1.1
+ client_context.minimum_version = ssl.TLSVersion.TLSv1
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.minimum_version = ssl.TLSVersion.TLSv1
server_context.maximum_version = ssl.TLSVersion.TLSv1_1
@@ -3738,6 +3826,10 @@ def test_min_max_version(self):
s.connect((HOST, server.port))
self.assertEqual(s.version(), 'TLSv1.1')
+ @requires_minimum_version
+ @requires_tls_version('TLSv1_2')
+ def test_min_max_version_mismatch(self):
+ client_context, server_context, hostname = testing_context()
# client 1.0, server 1.2 (mismatch)
server_context.minimum_version = ssl.TLSVersion.TLSv1_2
server_context.maximum_version = ssl.TLSVersion.TLSv1_2
@@ -3750,10 +3842,8 @@ def test_min_max_version(self):
s.connect((HOST, server.port))
self.assertIn("alert", str(e.exception))
-
- @unittest.skipUnless(hasattr(ssl.SSLContext, 'minimum_version'),
- "required OpenSSL 1.1.0g")
- @unittest.skipUnless(ssl.HAS_SSLv3, "requires SSLv3 support")
+ @requires_minimum_version
+ @requires_tls_version('SSLv3')
def test_min_max_version_sslv3(self):
client_context, server_context, hostname = testing_context()
server_context.minimum_version = ssl.TLSVersion.SSLv3
@@ -4272,7 +4362,7 @@ def test_session_handling(self):
'Session refers to a different SSLContext.')
- at unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
+ at unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
class TestPostHandshakeAuth(unittest.TestCase):
def test_pha_setter(self):
protocols = [
diff --git a/Misc/NEWS.d/next/Tests/2019-09-25-14-40-57.bpo-38275.-kdveI.rst b/Misc/NEWS.d/next/Tests/2019-09-25-14-40-57.bpo-38275.-kdveI.rst
new file mode 100644
index 000000000000..893c0f137aea
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2019-09-25-14-40-57.bpo-38275.-kdveI.rst
@@ -0,0 +1,4 @@
+test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
+policy and run-time settings are recognized and tests for disabled versions
+are skipped. Tests also accept more TLS minimum_versions for platforms that
+override OpenSSL's default with strict settings.
More information about the Python-checkins
mailing list