[Python-checkins] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347)
miss-islington
webhook-mailer at python.org
Tue Jun 28 03:53:29 EDT 2022
https://github.com/python/cpython/commit/5e08eecb57d0d57c396d5f54468680490e6cd1cd
commit: 5e08eecb57d0d57c396d5f54468680490e6cd1cd
branch: 3.10
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2022-06-28T00:53:23-07:00
summary:
gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian at python.org>
files:
A Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst
M Lib/test/test_ssl.py
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 873db6403d1a0..9f364fa4bbb6d 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -617,6 +617,8 @@ def test_openssl111_deprecations(self):
)
for protocol in protocols:
+ if not has_tls_protocol(protocol):
+ continue
with self.subTest(protocol=protocol):
with self.assertWarns(DeprecationWarning) as cm:
ssl.SSLContext(protocol)
@@ -626,6 +628,8 @@ def test_openssl111_deprecations(self):
)
for version in versions:
+ if not has_tls_version(version):
+ continue
with self.subTest(version=version):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
with self.assertWarns(DeprecationWarning) as cm:
@@ -1139,9 +1143,10 @@ class ContextTests(unittest.TestCase):
def test_constructor(self):
for protocol in PROTOCOLS:
- with warnings_helper.check_warnings():
- ctx = ssl.SSLContext(protocol)
- self.assertEqual(ctx.protocol, protocol)
+ if has_tls_protocol(protocol):
+ with warnings_helper.check_warnings():
+ ctx = ssl.SSLContext(protocol)
+ self.assertEqual(ctx.protocol, protocol)
with warnings_helper.check_warnings():
ctx = ssl.SSLContext()
self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
@@ -1286,7 +1291,7 @@ def test_min_max_version(self):
ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
self.assertIn(
ctx.maximum_version,
- {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
+ {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.SSLv3}
)
ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
@@ -1298,19 +1303,19 @@ def test_min_max_version(self):
with self.assertRaises(ValueError):
ctx.minimum_version = 42
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
-
- self.assertIn(
- ctx.minimum_version, minimum_range
- )
- self.assertEqual(
- ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
- )
- with self.assertRaises(ValueError):
- ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
- with self.assertRaises(ValueError):
- ctx.maximum_version = ssl.TLSVersion.TLSv1
+ if has_tls_protocol(ssl.PROTOCOL_TLSv1_1):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
+ self.assertIn(
+ ctx.minimum_version, minimum_range
+ )
+ self.assertEqual(
+ ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
+ )
+ with self.assertRaises(ValueError):
+ ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
+ with self.assertRaises(ValueError):
+ ctx.maximum_version = ssl.TLSVersion.TLSv1
@unittest.skipUnless(
hasattr(ssl.SSLContext, 'security_level'),
@@ -1706,8 +1711,6 @@ def test_create_default_context(self):
self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
self._assert_context_options(ctx)
-
-
def test__create_stdlib_context(self):
ctx = ssl._create_stdlib_context()
self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
@@ -1715,11 +1718,12 @@ def test__create_stdlib_context(self):
self.assertFalse(ctx.check_hostname)
self._assert_context_options(ctx)
- with warnings_helper.check_warnings():
- ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
- self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
- self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
- self._assert_context_options(ctx)
+ if has_tls_protocol(ssl.PROTOCOL_TLSv1):
+ with warnings_helper.check_warnings():
+ ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
+ self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
+ self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
+ self._assert_context_options(ctx)
with warnings_helper.check_warnings():
ctx = ssl._create_stdlib_context(
@@ -3464,10 +3468,12 @@ def test_protocol_tlsv1_2(self):
client_options=ssl.OP_NO_TLSv1_2)
try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
- try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
- try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
+ if has_tls_protocol(ssl.PROTOCOL_TLSv1):
+ try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
+ try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
+ if has_tls_protocol(ssl.PROTOCOL_TLSv1_1):
+ try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
+ try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
def test_starttls(self):
"""Switching from clear text to encrypted and back again."""
diff --git a/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst b/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst
new file mode 100644
index 0000000000000..d0f970ad286b1
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst
@@ -0,0 +1,2 @@
+``test_ssl`` is now checking for supported TLS version and protocols in more
+tests.
More information about the Python-checkins
mailing list