Lines Matching refs:ssl
25 ssl = support.import_module("ssl") variable
27 PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
29 IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
30 IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
91 ssl.sslwrap_simple(socket.socket(socket.AF_INET))
98 ssl.sslwrap_simple(socket.socket(socket.AF_INET)._sock)
108 return ssl._OPENSSL_API_VERSION >= (0, 9, 8, 13, 15)
112 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
116 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
127 if ssl._OPENSSL_API_VERSION == (0, 9, 8, 9, 15):
140 if hasattr(ssl, 'PROTOCOL_SSLv2'):
144 ssl.SSLContext(ssl.PROTOCOL_SSLv2)
145 except ssl.SSLError:
146 if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
154 needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")
160 ssl.CERT_NONE
161 ssl.CERT_OPTIONAL
162 ssl.CERT_REQUIRED
163 ssl.OP_CIPHER_SERVER_PREFERENCE
164 ssl.OP_SINGLE_DH_USE
165 if ssl.HAS_ECDH:
166 ssl.OP_SINGLE_ECDH_USE
167 if ssl.OPENSSL_VERSION_INFO >= (1, 0):
168 ssl.OP_NO_COMPRESSION
169 self.assertIn(ssl.HAS_SNI, {True, False})
170 self.assertIn(ssl.HAS_ECDH, {True, False})
173 v = ssl.RAND_status()
178 if hasattr(ssl, 'RAND_egd'):
179 self.assertRaises(TypeError, ssl.RAND_egd, 1)
180 self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
181 ssl.RAND_add("this is a random string", 75.0)
187 p = ssl._ssl._test_decode_cert(CERTFILE)
209 p = ssl._ssl._test_decode_cert(NOKIACERT)
224 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
236 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
253 p = ssl._ssl._test_decode_cert(ALLSANFILE)
276 d1 = ssl.PEM_cert_to_DER_cert(pem)
277 p2 = ssl.DER_cert_to_PEM_cert(d1)
278 d2 = ssl.PEM_cert_to_DER_cert(p2)
280 if not p2.startswith(ssl.PEM_HEADER + '\n'):
282 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
286 n = ssl.OPENSSL_VERSION_NUMBER
287 t = ssl.OPENSSL_VERSION_INFO
288 s = ssl.OPENSSL_VERSION
321 ss = ssl.wrap_socket(s)
330 with closing(ssl.wrap_socket(s)) as ss:
344 with closing(ssl.wrap_socket(s)) as ss:
351 ssl.wrap_socket, sock, keyfile=CERTFILE)
354 ssl.wrap_socket, sock, server_side=True)
357 ssl.wrap_socket, sock, server_side=True, certfile="")
358 with closing(ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE)) as s:
363 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
367 ssl.wrap_socket(sock,
372 ssl.wrap_socket(sock,
382 with self.assertRaises(ssl.SSLError):
383 ssl.wrap_socket(sock,
385 ssl_version=ssl.PROTOCOL_TLSv1)
401 ssl.match_hostname(cert, hostname)
403 self.assertRaises(ssl.CertificateError,
404 ssl.match_hostname, cert, hostname)
518 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
519 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
528 with self.assertRaises(ssl.CertificateError) as cm:
529 ssl.match_hostname(cert, 'axxbxxc.com')
534 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
542 with closing(ssl.wrap_socket(s)) as ss:
546 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
551 with closing(ssl.wrap_socket(s)) as ss:
555 with closing(ssl.wrap_socket(s, server_side=True, certfile=CERTFILE)) as ss:
559 paths = ssl.get_default_verify_paths()
561 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
566 paths = ssl.get_default_verify_paths()
572 self.assertTrue(ssl.enum_certificates("CA"))
573 self.assertTrue(ssl.enum_certificates("ROOT"))
575 self.assertRaises(TypeError, ssl.enum_certificates)
576 self.assertRaises(WindowsError, ssl.enum_certificates, "")
580 store = ssl.enum_certificates(storename)
597 self.assertTrue(ssl.enum_crls("CA"))
598 self.assertRaises(TypeError, ssl.enum_crls)
599 self.assertRaises(WindowsError, ssl.enum_crls, "")
601 crls = ssl.enum_crls("CA")
614 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
620 self.assertIsInstance(val, ssl._ASN1Object)
621 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
623 val = ssl._ASN1Object.fromnid(129)
625 self.assertIsInstance(val, ssl._ASN1Object)
626 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
628 ssl._ASN1Object.fromnid(100000)
631 obj = ssl._ASN1Object.fromnid(i)
640 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
642 self.assertIsInstance(val, ssl._ASN1Object)
643 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
644 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
647 ssl._ASN1Object.fromname('serverauth')
650 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
651 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
652 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
653 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
654 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
655 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
658 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
659 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
660 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
661 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
662 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
663 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
670 ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
672 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
678 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
682 ssl.cert_time_to_seconds(timestring)
697 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
748 ssl.SSLContext(protocol)
749 self.assertRaises(TypeError, ssl.SSLContext)
750 self.assertRaises(ValueError, ssl.SSLContext, -1)
751 self.assertRaises(ValueError, ssl.SSLContext, 42)
756 ctx = ssl.SSLContext(proto)
760 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
763 with self.assertRaisesRegexp(ssl.SSLError, "No cipher can be selected"):
772 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
774 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
775 if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
776 default |= ssl.OP_NO_COMPRESSION
777 default |= ssl.OP_ENABLE_MIDDLEBOX_COMPAT
779 ctx.options |= ssl.OP_NO_TLSv1
780 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
782 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
791 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
793 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
794 ctx.verify_mode = ssl.CERT_OPTIONAL
795 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
796 ctx.verify_mode = ssl.CERT_REQUIRED
797 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
798 ctx.verify_mode = ssl.CERT_NONE
799 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
808 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
810 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
811 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
812 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
813 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
814 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
815 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
816 ctx.verify_flags = ssl.VERIFY_DEFAULT
817 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
819 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
821 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
826 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
834 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
836 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
839 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
843 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
845 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
847 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
850 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
851 with self.assertRaisesRegexp(ssl.SSLError, "key values mismatch"):
864 with self.assertRaises(ssl.SSLError):
897 with self.assertRaises(ssl.SSLError):
909 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
922 with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
934 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
937 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
940 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
951 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
957 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
964 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
973 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
979 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
982 with self.assertRaisesRegexp(ssl.SSLError, "no start line"):
984 with self.assertRaisesRegexp(ssl.SSLError, "not enough data"):
989 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
998 with self.assertRaises(ssl.SSLError) as cm:
1004 ctx = ssl.SSLContext(proto)
1022 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1025 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
1027 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1037 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1054 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1064 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1078 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1102 der = ssl.PEM_cert_to_DER_cert(pem)
1106 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1109 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1110 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1113 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1114 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1116 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1123 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1132 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1136 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1145 ctx = ssl.create_default_context()
1146 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1147 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1149 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1151 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1152 getattr(ssl, "OP_NO_COMPRESSION", 0),
1157 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1159 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1160 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1161 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1163 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1164 getattr(ssl, "OP_NO_COMPRESSION", 0),
1167 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
1168 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1169 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1170 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1172 ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
1173 getattr(ssl, "OP_NO_COMPRESSION", 0),
1176 ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
1177 getattr(ssl, "OP_SINGLE_DH_USE", 0),
1180 ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
1181 getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
1185 ctx = ssl._create_stdlib_context()
1186 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1187 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1189 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1191 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
1192 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1193 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1194 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1196 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
1197 cert_reqs=ssl.CERT_REQUIRED,
1199 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1200 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1202 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1204 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
1205 self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
1206 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1207 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1253 extra_env[ssl._https_verify_envvar] = "0"
1257 extra_env[ssl._https_verify_envvar] = setting
1261 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1267 ctx.verify_mode = ssl.CERT_REQUIRED
1272 ctx.verify_mode = ssl.CERT_OPTIONAL
1278 ctx.verify_mode = ssl.CERT_NONE
1287 e = ssl.SSLError(1, "foo")
1291 e = ssl.SSLZeroReturnError(1, "foo")
1297 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1298 with self.assertRaises(ssl.SSLError) as cm:
1308 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1316 with self.assertRaises(ssl.SSLWantReadError) as cm:
1321 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1328 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1329 cert_reqs=ssl.CERT_NONE)
1337 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1338 cert_reqs=ssl.CERT_REQUIRED)
1339 self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
1344 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1345 cert_reqs=ssl.CERT_REQUIRED,
1356 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1357 cert_reqs=ssl.CERT_REQUIRED,
1369 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1370 cert_reqs=ssl.CERT_REQUIRED,
1385 except ssl.SSLWantReadError:
1387 except ssl.SSLWantWriteError:
1398 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1399 cert_reqs=ssl.CERT_REQUIRED,
1413 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
1414 cert_reqs=ssl.CERT_REQUIRED,
1431 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1444 ctx.verify_mode = ssl.CERT_REQUIRED
1446 self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
1466 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1467 ctx.verify_mode = ssl.CERT_REQUIRED
1477 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1478 ctx.verify_mode = ssl.CERT_REQUIRED
1491 der = ssl.PEM_cert_to_DER_cert(pem)
1493 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1494 ctx.verify_mode = ssl.CERT_REQUIRED
1502 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1503 ctx.verify_mode = ssl.CERT_REQUIRED
1516 ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
1535 s = ssl.wrap_socket(s,
1536 cert_reqs=ssl.CERT_NONE,
1544 except ssl.SSLWantReadError:
1546 except ssl.SSLWantWriteError:
1555 pem = ssl.get_server_certificate((host, port))
1560 pem = ssl.get_server_certificate((host, port),
1562 except ssl.SSLError as x:
1568 pem = ssl.get_server_certificate((host, port),
1582 with closing(ssl.wrap_socket(socket.socket(socket.AF_INET),
1583 cert_reqs=ssl.CERT_NONE, ciphers="ALL")) as s:
1585 with closing(ssl.wrap_socket(socket.socket(socket.AF_INET),
1586 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT")) as s:
1589 with self.assertRaisesRegexp(ssl.SSLError, "No cipher can be selected"):
1591 s = ssl.wrap_socket(sock,
1592 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
1599 if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):
1600 self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)
1602 if not ssl.HAS_SNI:
1608 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1609 ctx.verify_mode = ssl.CERT_REQUIRED
1626 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1627 ctx.verify_mode = ssl.CERT_REQUIRED
1643 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
1644 ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1695 if not isinstance(e, ssl.SSLError) and e.errno != errno.ECONNRESET:
1705 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
1783 except ssl.SSLError:
1800 self.context = ssl.SSLContext(ssl_version
1802 else ssl.PROTOCOL_TLSv1)
1804 else ssl.CERT_NONE)
1873 self.socket = ssl.wrap_socket(conn, server_side=True,
1881 if isinstance(self.socket, ssl.SSLSocket):
1889 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
1891 except ssl.SSLEOFError:
1893 except ssl.SSLError:
2037 certsreqs = ssl.CERT_NONE
2039 ssl.CERT_NONE: "CERT_NONE",
2040 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2041 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2046 (ssl.get_protocol_name(client_protocol),
2047 ssl.get_protocol_name(server_protocol),
2049 client_context = ssl.SSLContext(client_protocol)
2051 server_context = ssl.SSLContext(server_protocol)
2057 if client_context.protocol == ssl.PROTOCOL_SSLv23:
2069 except ssl.SSLError:
2079 % (ssl.get_protocol_name(client_protocol),
2080 ssl.get_protocol_name(server_protocol)))
2095 context = ssl.SSLContext(protocol)
2103 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2104 context.verify_mode = ssl.CERT_REQUIRED
2133 before = ssl.cert_time_to_seconds(cert['notBefore'])
2134 after = ssl.cert_time_to_seconds(cert['notAfter'])
2144 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2147 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2148 context.verify_mode = ssl.CERT_REQUIRED
2150 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
2151 self.assertEqual(context.verify_flags, ssl.VERIFY_DEFAULT | tf)
2162 context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
2167 with self.assertRaisesRegexp(ssl.SSLError,
2185 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2188 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2189 context.verify_mode = ssl.CERT_REQUIRED
2207 with self.assertRaisesRegexp(ssl.CertificateError,
2228 certreqs=ssl.CERT_REQUIRED,
2233 closing(ssl.wrap_socket(sock,
2235 ssl_version=ssl.PROTOCOL_TLSv1)) as s:
2241 except ssl.SSLError as e:
2280 ssl_sock = ssl.wrap_socket(c)
2294 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),
2300 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
2301 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
2302 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
2303 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)
2304 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
2305 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
2309 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2310 client_options=ssl.OP_NO_SSLv2)
2311 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2312 client_options=ssl.OP_NO_SSLv3)
2313 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
2314 client_options=ssl.OP_NO_TLSv1)
2321 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2323 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
2330 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2331 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
2332 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
2333 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
2335 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2336 … try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
2337 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
2338 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
2340 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2341 … try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
2342 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
2343 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
2346 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2347 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
2348 server_options=ssl.OP_NO_SSLv3)
2350 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
2351 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
2352 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,
2353 server_options=ssl.OP_NO_TLSv1)
2357 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'),
2363 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
2364 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
2365 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
2366 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2367 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
2368 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
2369 client_options=ssl.OP_NO_SSLv3)
2370 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
2373 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,
2374 False, client_options=ssl.OP_NO_SSLv2)
2381 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
2382 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
2383 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
2384 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2385 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
2386 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2387 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
2388 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
2389 client_options=ssl.OP_NO_TLSv1)
2392 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
2399 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
2400 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2401 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
2402 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2403 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
2404 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
2405 client_options=ssl.OP_NO_TLSv1_1)
2407 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
2408 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
2409 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
2413 @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
2420 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
2421 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
2422 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
2423 if hasattr(ssl, 'PROTOCOL_SSLv2'):
2424 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
2425 if hasattr(ssl, 'PROTOCOL_SSLv3'):
2426 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
2427 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv23, False,
2428 client_options=ssl.OP_NO_TLSv1_2)
2430 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
2431 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
2432 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
2433 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
2434 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
2441 ssl_version=ssl.PROTOCOL_TLSv1,
2469 conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
2506 context = ssl.create_default_context(cafile=CERTFILE)
2528 s = ssl.wrap_socket(socket.socket())
2555 certreqs=ssl.CERT_NONE,
2556 ssl_version=ssl.PROTOCOL_TLSv1,
2561 s = ssl.wrap_socket(socket.socket(),
2565 cert_reqs=ssl.CERT_NONE,
2566 ssl_version=ssl.PROTOCOL_TLSv1)
2673 s = ssl.wrap_socket(s, suppress_ragged_eofs=False)
2718 self.assertRaisesRegexp(ssl.SSLError, "timed out",
2719 ssl.wrap_socket, c)
2724 c = ssl.wrap_socket(c)
2727 self.assertRaisesRegexp(ssl.SSLError, "timed out",
2739 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2740 context.verify_mode = ssl.CERT_REQUIRED
2770 self.assertIsInstance(remote[0], ssl.SSLSocket)
2774 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2781 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2788 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2792 except ssl.SSLError:
2795 ssl_version=ssl.PROTOCOL_SSLv23,
2798 with self.assertRaises(ssl.SSLError):
2807 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2809 ssl_version=ssl.PROTOCOL_TLSv1,
2817 @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
2821 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
2827 if ssl.OPENSSL_VERSION_INFO < (1, 0, 0):
2834 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
2842 certreqs=ssl.CERT_NONE,
2843 ssl_version=ssl.PROTOCOL_TLSv1,
2848 s = ssl.wrap_socket(socket.socket(),
2852 cert_reqs=ssl.CERT_NONE,
2853 ssl_version=ssl.PROTOCOL_TLSv1)
2873 s = ssl.wrap_socket(socket.socket(),
2877 cert_reqs=ssl.CERT_NONE,
2878 ssl_version=ssl.PROTOCOL_TLSv1)
2895 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2903 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
2906 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2908 context.options |= ssl.OP_NO_COMPRESSION
2915 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2928 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2934 @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
2937 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2939 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2946 @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")
2956 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
2959 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
2968 except ssl.SSLError as e:
2973 self.assertIsInstance(stats, ssl.SSLError)
2989 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
2995 @unittest.skipUnless(ssl.HAS_NPN, "NPN support needed for this test")
3005 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3008 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3025 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3027 other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3029 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
3030 client_context.verify_mode = ssl.CERT_REQUIRED
3083 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
3086 with self.assertRaises(ssl.SSLError) as cm:
3101 with self.assertRaises(ssl.SSLError) as cm, \
3119 with self.assertRaises(ssl.SSLError) as cm, \
3128 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
3129 context.verify_mode = ssl.CERT_REQUIRED
3158 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
3160 print(" HAS_SNI = %r" % ssl.HAS_SNI)
3161 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
3163 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)