Ana Sayfa Keşfet Yardım
Giriş Yap
dream
/
Android_verify
1
1
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Ağaç: 49e71f0845
Dallar Biçim İmleri
Android_verify
/
third_party
/
android-libs
/
lib
/
python3.11
/
test
/
test_ssl.py

test_ssl.py 211 KB
Geçmiş Ham

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074 
  1. # Test the support for SSL and sockets
    2. 

  2. 

  3. import sys
    4. 

  4. import unittest
    5. 

  5. import unittest.mock
    6. 

  6. from test import support
    7. 

  7. from test.support import import_helper
    8. 

  8. from test.support import os_helper
    9. 

  9. from test.support import socket_helper
    10. 

  10. from test.support import threading_helper
    11. 

  11. from test.support import warnings_helper
    12. 

  12. import socket
    13. 

  13. import select
    14. 

  14. import time
    15. 

  15. import enum
    16. 

  16. import gc
    17. 

  17. import os
    18. 

  18. import errno
    19. 

  19. import pprint
    20. 

  20. import urllib.request
    21. 

  21. import threading
    22. 

  22. import traceback
    23. 

  23. import weakref
    24. 

  24. import platform
    25. 

  25. import sysconfig
    26. 

  26. import functools
    27. 

  27. try:
    28. 

  28.     import ctypes
    29. 

  29. except ImportError:
    30. 

  30.     ctypes = None
    31. 

  31. 

  32. 

  33. asyncore = warnings_helper.import_deprecated('asyncore')
    34. 

  34. 

  35. 

  36. ssl = import_helper.import_module("ssl")
    37. 

  37. import _ssl
    38. 

  38. 

  39. from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
    40. 

  40. 

  41. Py_DEBUG = hasattr(sys, 'gettotalrefcount')
    42. 

  42. Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
    43. 

  43. 

  44. PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
    45. 

  45. HOST = socket_helper.HOST
    46. 

  46. IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
    47. 

  47. PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
    48. 

  48. 

  49. PROTOCOL_TO_TLS_VERSION = {}
    50. 

  50. for proto, ver in (
    51. 

  51.     ("PROTOCOL_SSLv23", "SSLv3"),
    52. 

  52.     ("PROTOCOL_TLSv1", "TLSv1"),
    53. 

  53.     ("PROTOCOL_TLSv1_1", "TLSv1_1"),
    54. 

  54. ):
    55. 

  55.     try:
    56. 

  56.         proto = getattr(ssl, proto)
    57. 

  57.         ver = getattr(ssl.TLSVersion, ver)
    58. 

  58.     except AttributeError:
    59. 

  59.         continue
    60. 

  60.     PROTOCOL_TO_TLS_VERSION[proto] = ver
    61. 

  61. 

  62. def data_file(*name):
    63. 

  63.     return os.path.join(os.path.dirname(__file__), *name)
    64. 

  64. 

  65. # The custom key and certificate files used in test_ssl are generated
    66. 

  66. # using Lib/test/make_ssl_certs.py.
    67. 

  67. # Other certificates are simply fetched from the internet servers they
    68. 

  68. # are meant to authenticate.
    69. 

  69. 

  70. CERTFILE = data_file("keycert.pem")
    71. 

  71. BYTES_CERTFILE = os.fsencode(CERTFILE)
    72. 

  72. ONLYCERT = data_file("ssl_cert.pem")
    73. 

  73. ONLYKEY = data_file("ssl_key.pem")
    74. 

  74. BYTES_ONLYCERT = os.fsencode(ONLYCERT)
    75. 

  75. BYTES_ONLYKEY = os.fsencode(ONLYKEY)
    76. 

  76. CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
    77. 

  77. ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
    78. 

  78. KEY_PASSWORD = "somepass"
    79. 

  79. CAPATH = data_file("capath")
    80. 

  80. BYTES_CAPATH = os.fsencode(CAPATH)
    81. 

  81. CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
    82. 

  82. CAFILE_CACERT = data_file("capath", "5ed36f99.0")
    83. 

  83. 

  84. CERTFILE_INFO = {
    85. 

  85.     'issuer': ((('countryName', 'XY'),),
    86. 

  86.                (('localityName', 'Castle Anthrax'),),
    87. 

  87.                (('organizationName', 'Python Software Foundation'),),
    88. 

  88.                (('commonName', 'localhost'),)),
    89. 

  89.     'notAfter': 'Aug 26 14:23:15 2028 GMT',
    90. 

  90.     'notBefore': 'Aug 29 14:23:15 2018 GMT',
    91. 

  91.     'serialNumber': '98A7CF88C74A32ED',
    92. 

  92.     'subject': ((('countryName', 'XY'),),
    93. 

  93.              (('localityName', 'Castle Anthrax'),),
    94. 

  94.              (('organizationName', 'Python Software Foundation'),),
    95. 

  95.              (('commonName', 'localhost'),)),
    96. 

  96.     'subjectAltName': (('DNS', 'localhost'),),
    97. 

  97.     'version': 3
    98. 

  98. }
    99. 

  99. 

  100. # empty CRL
    101. 

  101. CRLFILE = data_file("revocation.crl")
    102. 

  102. 

  103. # Two keys and certs signed by the same CA (for SNI tests)
    104. 

  104. SIGNED_CERTFILE = data_file("keycert3.pem")
    105. 

  105. SIGNED_CERTFILE_HOSTNAME = 'localhost'
    106. 

  106. 

  107. SIGNED_CERTFILE_INFO = {
    108. 

  108.     'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
    109. 

  109.     'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
    110. 

  110.     'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
    111. 

  111.     'issuer': ((('countryName', 'XY'),),
    112. 

  112.             (('organizationName', 'Python Software Foundation CA'),),
    113. 

  113.             (('commonName', 'our-ca-server'),)),
    114. 

  114.     'notAfter': 'Oct 28 14:23:16 2037 GMT',
    115. 

  115.     'notBefore': 'Aug 29 14:23:16 2018 GMT',
    116. 

  116.     'serialNumber': 'CB2D80995A69525C',
    117. 

  117.     'subject': ((('countryName', 'XY'),),
    118. 

  118.              (('localityName', 'Castle Anthrax'),),
    119. 

  119.              (('organizationName', 'Python Software Foundation'),),
    120. 

  120.              (('commonName', 'localhost'),)),
    121. 

  121.     'subjectAltName': (('DNS', 'localhost'),),
    122. 

  122.     'version': 3
    123. 

  123. }
    124. 

  124. 

  125. SIGNED_CERTFILE2 = data_file("keycert4.pem")
    126. 

  126. SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
    127. 

  127. SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
    128. 

  128. SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
    129. 

  129. 

  130. # Same certificate as pycacert.pem, but without extra text in file
    131. 

  131. SIGNING_CA = data_file("capath", "ceff1710.0")
    132. 

  132. # cert with all kinds of subject alt names
    133. 

  133. ALLSANFILE = data_file("allsans.pem")
    134. 

  134. IDNSANSFILE = data_file("idnsans.pem")
    135. 

  135. NOSANFILE = data_file("nosan.pem")
    136. 

  136. NOSAN_HOSTNAME = 'localhost'
    137. 

  137. 

  138. REMOTE_HOST = "self-signed.pythontest.net"
    139. 

  139. 

  140. EMPTYCERT = data_file("nullcert.pem")
    141. 

  141. BADCERT = data_file("badcert.pem")
    142. 

  142. NONEXISTINGCERT = data_file("XXXnonexisting.pem")
    143. 

  143. BADKEY = data_file("badkey.pem")
    144. 

  144. NOKIACERT = data_file("nokia.pem")
    145. 

  145. NULLBYTECERT = data_file("nullbytecert.pem")
    146. 

  146. TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
    147. 

  147. 

  148. DHFILE = data_file("ffdh3072.pem")
    149. 

  149. BYTES_DHFILE = os.fsencode(DHFILE)
    150. 

  150. 

  151. # Not defined in all versions of OpenSSL
    152. 

  152. OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
    153. 

  153. OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
    154. 

  154. OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
    155. 

  155. OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
    156. 

  156. OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
    157. 

  157. OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
    158. 

  158. 

  159. # Ubuntu has patched OpenSSL and changed behavior of security level 2
    160. 

  160. # see https://bugs.python.org/issue41561#msg389003
    161. 

  161. def is_ubuntu():
    162. 

  162.     try:
    163. 

  163.         # Assume that any references of "ubuntu" implies Ubuntu-like distro
    164. 

  164.         # The workaround is not required for 18.04, but doesn't hurt either.
    165. 

  165.         with open("/etc/os-release", encoding="utf-8") as f:
    166. 

  166.             return "ubuntu" in f.read()
    167. 

  167.     except FileNotFoundError:
    168. 

  168.         return False
    169. 

  169. 

  170. if is_ubuntu():
    171. 

  171.     def seclevel_workaround(*ctxs):
    172. 

  172.         """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
    173. 

  173.         for ctx in ctxs:
    174. 

  174.             if (
    175. 

  175.                 hasattr(ctx, "minimum_version") and
    176. 

  176.                 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
    177. 

  177.             ):
    178. 

  178.                 ctx.set_ciphers("@SECLEVEL=1:ALL")
    179. 

  179. else:
    180. 

  180.     def seclevel_workaround(*ctxs):
    181. 

  181.         pass
    182. 

  182. 

  183. 

  184. def has_tls_protocol(protocol):
    185. 

  185.     """Check if a TLS protocol is available and enabled
    186. 

  186. 

  187.     :param protocol: enum ssl._SSLMethod member or name
    188. 

  188.     :return: bool
    189. 

  189.     """
    190. 

  190.     if isinstance(protocol, str):
    191. 

  191.         assert protocol.startswith('PROTOCOL_')
    192. 

  192.         protocol = getattr(ssl, protocol, None)
    193. 

  193.         if protocol is None:
    194. 

  194.             return False
    195. 

  195.     if protocol in {
    196. 

  196.         ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
    197. 

  197.         ssl.PROTOCOL_TLS_CLIENT
    198. 

  198.     }:
    199. 

  199.         # auto-negotiate protocols are always available
    200. 

  200.         return True
    201. 

  201.     name = protocol.name
    202. 

  202.     return has_tls_version(name[len('PROTOCOL_'):])
    203. 

  203. 

  204. 

  205. @functools.lru_cache
    206. 

  206. def has_tls_version(version):
    207. 

  207.     """Check if a TLS/SSL version is enabled
    208. 

  208. 

  209.     :param version: TLS version name or ssl.TLSVersion member
    210. 

  210.     :return: bool
    211. 

  211.     """
    212. 

  212.     if version == "SSLv2":
    213. 

  213.         # never supported and not even in TLSVersion enum
    214. 

  214.         return False
    215. 

  215. 

  216.     if isinstance(version, str):
    217. 

  217.         version = ssl.TLSVersion.__members__[version]
    218. 

  218. 

  219.     # check compile time flags like ssl.HAS_TLSv1_2
    220. 

  220.     if not getattr(ssl, f'HAS_{version.name}'):
    221. 

  221.         return False
    222. 

  222. 

  223.     if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
    224. 

  224.         # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
    225. 

  225.         return False
    226. 

  226. 

  227.     # check runtime and dynamic crypto policy settings. A TLS version may
    228. 

  228.     # be compiled in but disabled by a policy or config option.
    229. 

  229.     ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    230. 

  230.     if (
    231. 

  231.             hasattr(ctx, 'minimum_version') and
    232. 

  232.             ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
    233. 

  233.             version < ctx.minimum_version
    234. 

  234.     ):
    235. 

  235.         return False
    236. 

  236.     if (
    237. 

  237.         hasattr(ctx, 'maximum_version') and
    238. 

  238.         ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
    239. 

  239.         version > ctx.maximum_version
    240. 

  240.     ):
    241. 

  241.         return False
    242. 

  242. 

  243.     return True
    244. 

  244. 

  245. 

  246. def requires_tls_version(version):
    247. 

  247.     """Decorator to skip tests when a required TLS version is not available
    248. 

  248. 

  249.     :param version: TLS version name or ssl.TLSVersion member
    250. 

  250.     :return:
    251. 

  251.     """
    252. 

  252.     def decorator(func):
    253. 

  253.         @functools.wraps(func)
    254. 

  254.         def wrapper(*args, **kw):
    255. 

  255.             if not has_tls_version(version):
    256. 

  256.                 raise unittest.SkipTest(f"{version} is not available.")
    257. 

  257.             else:
    258. 

  258.                 return func(*args, **kw)
    259. 

  259.         return wrapper
    260. 

  260.     return decorator
    261. 

  261. 

  262. 

  263. def handle_error(prefix):
    264. 

  264.     exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
    265. 

  265.     if support.verbose:
    266. 

  266.         sys.stdout.write(prefix + exc_format)
    267. 

  267. 

  268. 

  269. def utc_offset(): #NOTE: ignore issues like #1647654
    270. 

  270.     # local time = utc time + utc offset
    271. 

  271.     if time.daylight and time.localtime().tm_isdst > 0:
    272. 

  272.         return -time.altzone  # seconds
    273. 

  273.     return -time.timezone
    274. 

  274. 

  275. 

  276. ignore_deprecation = warnings_helper.ignore_warnings(
    277. 

  277.     category=DeprecationWarning
    278. 

  278. )
    279. 

  279. 

  280. 

  281. def test_wrap_socket(sock, *,
    282. 

  282.                      cert_reqs=ssl.CERT_NONE, ca_certs=None,
    283. 

  283.                      ciphers=None, certfile=None, keyfile=None,
    284. 

  284.                      **kwargs):
    285. 

  285.     if not kwargs.get("server_side"):
    286. 

  286.         kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
    287. 

  287.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    288. 

  288.     else:
    289. 

  289.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    290. 

  290.     if cert_reqs is not None:
    291. 

  291.         if cert_reqs == ssl.CERT_NONE:
    292. 

  292.             context.check_hostname = False
    293. 

  293.         context.verify_mode = cert_reqs
    294. 

  294.     if ca_certs is not None:
    295. 

  295.         context.load_verify_locations(ca_certs)
    296. 

  296.     if certfile is not None or keyfile is not None:
    297. 

  297.         context.load_cert_chain(certfile, keyfile)
    298. 

  298.     if ciphers is not None:
    299. 

  299.         context.set_ciphers(ciphers)
    300. 

  300.     return context.wrap_socket(sock, **kwargs)
    301. 

  301. 

  302. 

  303. def testing_context(server_cert=SIGNED_CERTFILE, *, server_chain=True):
    304. 

  304.     """Create context
    305. 

  305. 

  306.     client_context, server_context, hostname = testing_context()
    307. 

  307.     """
    308. 

  308.     if server_cert == SIGNED_CERTFILE:
    309. 

  309.         hostname = SIGNED_CERTFILE_HOSTNAME
    310. 

  310.     elif server_cert == SIGNED_CERTFILE2:
    311. 

  311.         hostname = SIGNED_CERTFILE2_HOSTNAME
    312. 

  312.     elif server_cert == NOSANFILE:
    313. 

  313.         hostname = NOSAN_HOSTNAME
    314. 

  314.     else:
    315. 

  315.         raise ValueError(server_cert)
    316. 

  316. 

  317.     client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    318. 

  318.     client_context.load_verify_locations(SIGNING_CA)
    319. 

  319. 

  320.     server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    321. 

  321.     server_context.load_cert_chain(server_cert)
    322. 

  322.     if server_chain:
    323. 

  323.         server_context.load_verify_locations(SIGNING_CA)
    324. 

  324. 

  325.     return client_context, server_context, hostname
    326. 

  326. 

  327. 

  328. class BasicSocketTests(unittest.TestCase):
    329. 

  329. 

  330.     def test_constants(self):
    331. 

  331.         ssl.CERT_NONE
    332. 

  332.         ssl.CERT_OPTIONAL
    333. 

  333.         ssl.CERT_REQUIRED
    334. 

  334.         ssl.OP_CIPHER_SERVER_PREFERENCE
    335. 

  335.         ssl.OP_SINGLE_DH_USE
    336. 

  336.         ssl.OP_SINGLE_ECDH_USE
    337. 

  337.         ssl.OP_NO_COMPRESSION
    338. 

  338.         self.assertEqual(ssl.HAS_SNI, True)
    339. 

  339.         self.assertEqual(ssl.HAS_ECDH, True)
    340. 

  340.         self.assertEqual(ssl.HAS_TLSv1_2, True)
    341. 

  341.         self.assertEqual(ssl.HAS_TLSv1_3, True)
    342. 

  342.         ssl.OP_NO_SSLv2
    343. 

  343.         ssl.OP_NO_SSLv3
    344. 

  344.         ssl.OP_NO_TLSv1
    345. 

  345.         ssl.OP_NO_TLSv1_3
    346. 

  346.         ssl.OP_NO_TLSv1_1
    347. 

  347.         ssl.OP_NO_TLSv1_2
    348. 

  348.         self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
    349. 

  349. 

  350.     def test_ssl_types(self):
    351. 

  351.         ssl_types = [
    352. 

  352.             _ssl._SSLContext,
    353. 

  353.             _ssl._SSLSocket,
    354. 

  354.             _ssl.MemoryBIO,
    355. 

  355.             _ssl.Certificate,
    356. 

  356.             _ssl.SSLSession,
    357. 

  357.             _ssl.SSLError,
    358. 

  358.         ]
    359. 

  359.         for ssl_type in ssl_types:
    360. 

  360.             with self.subTest(ssl_type=ssl_type):
    361. 

  361.                 with self.assertRaisesRegex(TypeError, "immutable type"):
    362. 

  362.                     ssl_type.value = None
    363. 

  363.         support.check_disallow_instantiation(self, _ssl.Certificate)
    364. 

  364. 

  365.     def test_private_init(self):
    366. 

  366.         with self.assertRaisesRegex(TypeError, "public constructor"):
    367. 

  367.             with socket.socket() as s:
    368. 

  368.                 ssl.SSLSocket(s)
    369. 

  369. 

  370.     def test_str_for_enums(self):
    371. 

  371.         # Make sure that the PROTOCOL_* constants have enum-like string
    372. 

  372.         # reprs.
    373. 

  373.         proto = ssl.PROTOCOL_TLS_CLIENT
    374. 

  374.         self.assertEqual(repr(proto), '<_SSLMethod.PROTOCOL_TLS_CLIENT: %r>' % proto.value)
    375. 

  375.         self.assertEqual(str(proto), str(proto.value))
    376. 

  376.         ctx = ssl.SSLContext(proto)
    377. 

  377.         self.assertIs(ctx.protocol, proto)
    378. 

  378. 

  379.     def test_random(self):
    380. 

  380.         v = ssl.RAND_status()
    381. 

  381.         if support.verbose:
    382. 

  382.             sys.stdout.write("\n RAND_status is %d (%s)\n"
    383. 

  383.                              % (v, (v and "sufficient randomness") or
    384. 

  384.                                 "insufficient randomness"))
    385. 

  385. 

  386.         with warnings_helper.check_warnings():
    387. 

  387.             data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
    388. 

  388.         self.assertEqual(len(data), 16)
    389. 

  389.         self.assertEqual(is_cryptographic, v == 1)
    390. 

  390.         if v:
    391. 

  391.             data = ssl.RAND_bytes(16)
    392. 

  392.             self.assertEqual(len(data), 16)
    393. 

  393.         else:
    394. 

  394.             self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
    395. 

  395. 

  396.         # negative num is invalid
    397. 

  397.         self.assertRaises(ValueError, ssl.RAND_bytes, -5)
    398. 

  398.         with warnings_helper.check_warnings():
    399. 

  399.             self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
    400. 

  400. 

  401.         ssl.RAND_add("this is a random string", 75.0)
    402. 

  402.         ssl.RAND_add(b"this is a random bytes object", 75.0)
    403. 

  403.         ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
    404. 

  404. 

  405.     def test_parse_cert(self):
    406. 

  406.         # note that this uses an 'unofficial' function in _ssl.c,
    407. 

  407.         # provided solely for this test, to exercise the certificate
    408. 

  408.         # parsing code
    409. 

  409.         self.assertEqual(
    410. 

  410.             ssl._ssl._test_decode_cert(CERTFILE),
    411. 

  411.             CERTFILE_INFO
    412. 

  412.         )
    413. 

  413.         self.assertEqual(
    414. 

  414.             ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
    415. 

  415.             SIGNED_CERTFILE_INFO
    416. 

  416.         )
    417. 

  417. 

  418.         # Issue #13034: the subjectAltName in some certificates
    419. 

  419.         # (notably projects.developer.nokia.com:443) wasn't parsed
    420. 

  420.         p = ssl._ssl._test_decode_cert(NOKIACERT)
    421. 

  421.         if support.verbose:
    422. 

  422.             sys.stdout.write("\n" + pprint.pformat(p) + "\n")
    423. 

  423.         self.assertEqual(p['subjectAltName'],
    424. 

  424.                          (('DNS', 'projects.developer.nokia.com'),
    425. 

  425.                           ('DNS', 'projects.forum.nokia.com'))
    426. 

  426.                         )
    427. 

  427.         # extra OCSP and AIA fields
    428. 

  428.         self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
    429. 

  429.         self.assertEqual(p['caIssuers'],
    430. 

  430.                          ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
    431. 

  431.         self.assertEqual(p['crlDistributionPoints'],
    432. 

  432.                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
    433. 

  433. 

  434.     def test_parse_cert_CVE_2019_5010(self):
    435. 

  435.         p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
    436. 

  436.         if support.verbose:
    437. 

  437.             sys.stdout.write("\n" + pprint.pformat(p) + "\n")
    438. 

  438.         self.assertEqual(
    439. 

  439.             p,
    440. 

  440.             {
    441. 

  441.                 'issuer': (
    442. 

  442.                     (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
    443. 

  443.                 'notAfter': 'Jun 14 18:00:58 2028 GMT',
    444. 

  444.                 'notBefore': 'Jun 18 18:00:58 2018 GMT',
    445. 

  445.                 'serialNumber': '02',
    446. 

  446.                 'subject': ((('countryName', 'UK'),),
    447. 

  447.                             (('commonName',
    448. 

  448.                               'codenomicon-vm-2.test.lal.cisco.com'),)),
    449. 

  449.                 'subjectAltName': (
    450. 

  450.                     ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
    451. 

  451.                 'version': 3
    452. 

  452.             }
    453. 

  453.         )
    454. 

  454. 

  455.     def test_parse_cert_CVE_2013_4238(self):
    456. 

  456.         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
    457. 

  457.         if support.verbose:
    458. 

  458.             sys.stdout.write("\n" + pprint.pformat(p) + "\n")
    459. 

  459.         subject = ((('countryName', 'US'),),
    460. 

  460.                    (('stateOrProvinceName', 'Oregon'),),
    461. 

  461.                    (('localityName', 'Beaverton'),),
    462. 

  462.                    (('organizationName', 'Python Software Foundation'),),
    463. 

  463.                    (('organizationalUnitName', 'Python Core Development'),),
    464. 

  464.                    (('commonName', 'null.python.org\x00example.org'),),
    465. 

  465.                    (('emailAddress', 'python-dev@python.org'),))
    466. 

  466.         self.assertEqual(p['subject'], subject)
    467. 

  467.         self.assertEqual(p['issuer'], subject)
    468. 

  468.         if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
    469. 

  469.             san = (('DNS', 'altnull.python.org\x00example.com'),
    470. 

  470.                    ('email', 'null@python.org\x00user@example.org'),
    471. 

  471.                    ('URI', 'http://null.python.org\x00http://example.org'),
    472. 

  472.                    ('IP Address', '192.0.2.1'),
    473. 

  473.                    ('IP Address', '2001:DB8:0:0:0:0:0:1'))
    474. 

  474.         else:
    475. 

  475.             # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
    476. 

  476.             san = (('DNS', 'altnull.python.org\x00example.com'),
    477. 

  477.                    ('email', 'null@python.org\x00user@example.org'),
    478. 

  478.                    ('URI', 'http://null.python.org\x00http://example.org'),
    479. 

  479.                    ('IP Address', '192.0.2.1'),
    480. 

  480.                    ('IP Address', '<invalid>'))
    481. 

  481. 

  482.         self.assertEqual(p['subjectAltName'], san)
    483. 

  483. 

  484.     def test_parse_all_sans(self):
    485. 

  485.         p = ssl._ssl._test_decode_cert(ALLSANFILE)
    486. 

  486.         self.assertEqual(p['subjectAltName'],
    487. 

  487.             (
    488. 

  488.                 ('DNS', 'allsans'),
    489. 

  489.                 ('othername', '<unsupported>'),
    490. 

  490.                 ('othername', '<unsupported>'),
    491. 

  491.                 ('email', 'user@example.org'),
    492. 

  492.                 ('DNS', 'www.example.org'),
    493. 

  493.                 ('DirName',
    494. 

  494.                     ((('countryName', 'XY'),),
    495. 

  495.                     (('localityName', 'Castle Anthrax'),),
    496. 

  496.                     (('organizationName', 'Python Software Foundation'),),
    497. 

  497.                     (('commonName', 'dirname example'),))),
    498. 

  498.                 ('URI', 'https://www.python.org/'),
    499. 

  499.                 ('IP Address', '127.0.0.1'),
    500. 

  500.                 ('IP Address', '0:0:0:0:0:0:0:1'),
    501. 

  501.                 ('Registered ID', '1.2.3.4.5')
    502. 

  502.             )
    503. 

  503.         )
    504. 

  504. 

  505.     def test_DER_to_PEM(self):
    506. 

  506.         with open(CAFILE_CACERT, 'r') as f:
    507. 

  507.             pem = f.read()
    508. 

  508.         d1 = ssl.PEM_cert_to_DER_cert(pem)
    509. 

  509.         p2 = ssl.DER_cert_to_PEM_cert(d1)
    510. 

  510.         d2 = ssl.PEM_cert_to_DER_cert(p2)
    511. 

  511.         self.assertEqual(d1, d2)
    512. 

  512.         if not p2.startswith(ssl.PEM_HEADER + '\n'):
    513. 

  513.             self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
    514. 

  514.         if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
    515. 

  515.             self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
    516. 

  516. 

  517.     def test_openssl_version(self):
    518. 

  518.         n = ssl.OPENSSL_VERSION_NUMBER
    519. 

  519.         t = ssl.OPENSSL_VERSION_INFO
    520. 

  520.         s = ssl.OPENSSL_VERSION
    521. 

  521.         self.assertIsInstance(n, int)
    522. 

  522.         self.assertIsInstance(t, tuple)
    523. 

  523.         self.assertIsInstance(s, str)
    524. 

  524.         # Some sanity checks follow
    525. 

  525.         # >= 1.1.1
    526. 

  526.         self.assertGreaterEqual(n, 0x10101000)
    527. 

  527.         # < 4.0
    528. 

  528.         self.assertLess(n, 0x40000000)
    529. 

  529.         major, minor, fix, patch, status = t
    530. 

  530.         self.assertGreaterEqual(major, 1)
    531. 

  531.         self.assertLess(major, 4)
    532. 

  532.         self.assertGreaterEqual(minor, 0)
    533. 

  533.         self.assertLess(minor, 256)
    534. 

  534.         self.assertGreaterEqual(fix, 0)
    535. 

  535.         self.assertLess(fix, 256)
    536. 

  536.         self.assertGreaterEqual(patch, 0)
    537. 

  537.         self.assertLessEqual(patch, 63)
    538. 

  538.         self.assertGreaterEqual(status, 0)
    539. 

  539.         self.assertLessEqual(status, 15)
    540. 

  540. 

  541.         libressl_ver = f"LibreSSL {major:d}"
    542. 

  542.         if major >= 3:
    543. 

  543.             # 3.x uses 0xMNN00PP0L
    544. 

  544.             openssl_ver = f"OpenSSL {major:d}.{minor:d}.{patch:d}"
    545. 

  545.         else:
    546. 

  546.             openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
    547. 

  547.         self.assertTrue(
    548. 

  548.             s.startswith((openssl_ver, libressl_ver)),
    549. 

  549.             (s, t, hex(n))
    550. 

  550.         )
    551. 

  551. 

  552.     @support.cpython_only
    553. 

  553.     def test_refcycle(self):
    554. 

  554.         # Issue #7943: an SSL object doesn't create reference cycles with
    555. 

  555.         # itself.
    556. 

  556.         s = socket.socket(socket.AF_INET)
    557. 

  557.         ss = test_wrap_socket(s)
    558. 

  558.         wr = weakref.ref(ss)
    559. 

  559.         with warnings_helper.check_warnings(("", ResourceWarning)):
    560. 

  560.             del ss
    561. 

  561.         self.assertEqual(wr(), None)
    562. 

  562. 

  563.     def test_wrapped_unconnected(self):
    564. 

  564.         # Methods on an unconnected SSLSocket propagate the original
    565. 

  565.         # OSError raise by the underlying socket object.
    566. 

  566.         s = socket.socket(socket.AF_INET)
    567. 

  567.         with test_wrap_socket(s) as ss:
    568. 

  568.             self.assertRaises(OSError, ss.recv, 1)
    569. 

  569.             self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
    570. 

  570.             self.assertRaises(OSError, ss.recvfrom, 1)
    571. 

  571.             self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
    572. 

  572.             self.assertRaises(OSError, ss.send, b'x')
    573. 

  573.             self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
    574. 

  574.             self.assertRaises(NotImplementedError, ss.dup)
    575. 

  575.             self.assertRaises(NotImplementedError, ss.sendmsg,
    576. 

  576.                               [b'x'], (), 0, ('0.0.0.0', 0))
    577. 

  577.             self.assertRaises(NotImplementedError, ss.recvmsg, 100)
    578. 

  578.             self.assertRaises(NotImplementedError, ss.recvmsg_into,
    579. 

  579.                               [bytearray(100)])
    580. 

  580. 

  581.     def test_timeout(self):
    582. 

  582.         # Issue #8524: when creating an SSL socket, the timeout of the
    583. 

  583.         # original socket should be retained.
    584. 

  584.         for timeout in (None, 0.0, 5.0):
    585. 

  585.             s = socket.socket(socket.AF_INET)
    586. 

  586.             s.settimeout(timeout)
    587. 

  587.             with test_wrap_socket(s) as ss:
    588. 

  588.                 self.assertEqual(timeout, ss.gettimeout())
    589. 

  589. 

  590.     def test_openssl111_deprecations(self):
    591. 

  591.         options = [
    592. 

  592.             ssl.OP_NO_TLSv1,
    593. 

  593.             ssl.OP_NO_TLSv1_1,
    594. 

  594.             ssl.OP_NO_TLSv1_2,
    595. 

  595.             ssl.OP_NO_TLSv1_3
    596. 

  596.         ]
    597. 

  597.         protocols = [
    598. 

  598.             ssl.PROTOCOL_TLSv1,
    599. 

  599.             ssl.PROTOCOL_TLSv1_1,
    600. 

  600.             ssl.PROTOCOL_TLSv1_2,
    601. 

  601.             ssl.PROTOCOL_TLS
    602. 

  602.         ]
    603. 

  603.         versions = [
    604. 

  604.             ssl.TLSVersion.SSLv3,
    605. 

  605.             ssl.TLSVersion.TLSv1,
    606. 

  606.             ssl.TLSVersion.TLSv1_1,
    607. 

  607.         ]
    608. 

  608. 

  609.         for option in options:
    610. 

  610.             with self.subTest(option=option):
    611. 

  611.                 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    612. 

  612.                 with self.assertWarns(DeprecationWarning) as cm:
    613. 

  613.                     ctx.options |= option
    614. 

  614.                 self.assertEqual(
    615. 

  615.                     'ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated',
    616. 

  616.                     str(cm.warning)
    617. 

  617.                 )
    618. 

  618. 

  619.         for protocol in protocols:
    620. 

  620.             if not has_tls_protocol(protocol):
    621. 

  621.                 continue
    622. 

  622.             with self.subTest(protocol=protocol):
    623. 

  623.                 with self.assertWarns(DeprecationWarning) as cm:
    624. 

  624.                     ssl.SSLContext(protocol)
    625. 

  625.                 self.assertEqual(
    626. 

  626.                     f'ssl.{protocol.name} is deprecated',
    627. 

  627.                     str(cm.warning)
    628. 

  628.                 )
    629. 

  629. 

  630.         for version in versions:
    631. 

  631.             if not has_tls_version(version):
    632. 

  632.                 continue
    633. 

  633.             with self.subTest(version=version):
    634. 

  634.                 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    635. 

  635.                 with self.assertWarns(DeprecationWarning) as cm:
    636. 

  636.                     ctx.minimum_version = version
    637. 

  637.                 version_text = '%s.%s' % (version.__class__.__name__, version.name)
    638. 

  638.                 self.assertEqual(
    639. 

  639.                     f'ssl.{version_text} is deprecated',
    640. 

  640.                     str(cm.warning)
    641. 

  641.                 )
    642. 

  642. 

  643.     @ignore_deprecation
    644. 

  644.     def test_errors_sslwrap(self):
    645. 

  645.         sock = socket.socket()
    646. 

  646.         self.assertRaisesRegex(ValueError,
    647. 

  647.                         "certfile must be specified",
    648. 

  648.                         ssl.wrap_socket, sock, keyfile=CERTFILE)
    649. 

  649.         self.assertRaisesRegex(ValueError,
    650. 

  650.                         "certfile must be specified for server-side operations",
    651. 

  651.                         ssl.wrap_socket, sock, server_side=True)
    652. 

  652.         self.assertRaisesRegex(ValueError,
    653. 

  653.                         "certfile must be specified for server-side operations",
    654. 

  654.                          ssl.wrap_socket, sock, server_side=True, certfile="")
    655. 

  655.         with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
    656. 

  656.             self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
    657. 

  657.                                      s.connect, (HOST, 8080))
    658. 

  658.         with self.assertRaises(OSError) as cm:
    659. 

  659.             with socket.socket() as sock:
    660. 

  660.                 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
    661. 

  661.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    662. 

  662.         with self.assertRaises(OSError) as cm:
    663. 

  663.             with socket.socket() as sock:
    664. 

  664.                 ssl.wrap_socket(sock,
    665. 

  665.                     certfile=CERTFILE, keyfile=NONEXISTINGCERT)
    666. 

  666.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    667. 

  667.         with self.assertRaises(OSError) as cm:
    668. 

  668.             with socket.socket() as sock:
    669. 

  669.                 ssl.wrap_socket(sock,
    670. 

  670.                     certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
    671. 

  671.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    672. 

  672. 

  673.     def bad_cert_test(self, certfile):
    674. 

  674.         """Check that trying to use the given client certificate fails"""
    675. 

  675.         certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
    676. 

  676.                                    certfile)
    677. 

  677.         sock = socket.socket()
    678. 

  678.         self.addCleanup(sock.close)
    679. 

  679.         with self.assertRaises(ssl.SSLError):
    680. 

  680.             test_wrap_socket(sock,
    681. 

  681.                              certfile=certfile)
    682. 

  682. 

  683.     def test_empty_cert(self):
    684. 

  684.         """Wrapping with an empty cert file"""
    685. 

  685.         self.bad_cert_test("nullcert.pem")
    686. 

  686. 

  687.     def test_malformed_cert(self):
    688. 

  688.         """Wrapping with a badly formatted certificate (syntax error)"""
    689. 

  689.         self.bad_cert_test("badcert.pem")
    690. 

  690. 

  691.     def test_malformed_key(self):
    692. 

  692.         """Wrapping with a badly formatted key (syntax error)"""
    693. 

  693.         self.bad_cert_test("badkey.pem")
    694. 

  694. 

  695.     @ignore_deprecation
    696. 

  696.     def test_match_hostname(self):
    697. 

  697.         def ok(cert, hostname):
    698. 

  698.             ssl.match_hostname(cert, hostname)
    699. 

  699.         def fail(cert, hostname):
    700. 

  700.             self.assertRaises(ssl.CertificateError,
    701. 

  701.                               ssl.match_hostname, cert, hostname)
    702. 

  702. 

  703.         # -- Hostname matching --
    704. 

  704. 

  705.         cert = {'subject': ((('commonName', 'example.com'),),)}
    706. 

  706.         ok(cert, 'example.com')
    707. 

  707.         ok(cert, 'ExAmple.cOm')
    708. 

  708.         fail(cert, 'www.example.com')
    709. 

  709.         fail(cert, '.example.com')
    710. 

  710.         fail(cert, 'example.org')
    711. 

  711.         fail(cert, 'exampleXcom')
    712. 

  712. 

  713.         cert = {'subject': ((('commonName', '*.a.com'),),)}
    714. 

  714.         ok(cert, 'foo.a.com')
    715. 

  715.         fail(cert, 'bar.foo.a.com')
    716. 

  716.         fail(cert, 'a.com')
    717. 

  717.         fail(cert, 'Xa.com')
    718. 

  718.         fail(cert, '.a.com')
    719. 

  719. 

  720.         # only match wildcards when they are the only thing
    721. 

  721.         # in left-most segment
    722. 

  722.         cert = {'subject': ((('commonName', 'f*.com'),),)}
    723. 

  723.         fail(cert, 'foo.com')
    724. 

  724.         fail(cert, 'f.com')
    725. 

  725.         fail(cert, 'bar.com')
    726. 

  726.         fail(cert, 'foo.a.com')
    727. 

  727.         fail(cert, 'bar.foo.com')
    728. 

  728. 

  729.         # NULL bytes are bad, CVE-2013-4073
    730. 

  730.         cert = {'subject': ((('commonName',
    731. 

  731.                               'null.python.org\x00example.org'),),)}
    732. 

  732.         ok(cert, 'null.python.org\x00example.org') # or raise an error?
    733. 

  733.         fail(cert, 'example.org')
    734. 

  734.         fail(cert, 'null.python.org')
    735. 

  735. 

  736.         # error cases with wildcards
    737. 

  737.         cert = {'subject': ((('commonName', '*.*.a.com'),),)}
    738. 

  738.         fail(cert, 'bar.foo.a.com')
    739. 

  739.         fail(cert, 'a.com')
    740. 

  740.         fail(cert, 'Xa.com')
    741. 

  741.         fail(cert, '.a.com')
    742. 

  742. 

  743.         cert = {'subject': ((('commonName', 'a.*.com'),),)}
    744. 

  744.         fail(cert, 'a.foo.com')
    745. 

  745.         fail(cert, 'a..com')
    746. 

  746.         fail(cert, 'a.com')
    747. 

  747. 

  748.         # wildcard doesn't match IDNA prefix 'xn--'
    749. 

  749.         idna = 'püthon.python.org'.encode("idna").decode("ascii")
    750. 

  750.         cert = {'subject': ((('commonName', idna),),)}
    751. 

  751.         ok(cert, idna)
    752. 

  752.         cert = {'subject': ((('commonName', 'x*.python.org'),),)}
    753. 

  753.         fail(cert, idna)
    754. 

  754.         cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
    755. 

  755.         fail(cert, idna)
    756. 

  756. 

  757.         # wildcard in first fragment and  IDNA A-labels in sequent fragments
    758. 

  758.         # are supported.
    759. 

  759.         idna = 'www*.pythön.org'.encode("idna").decode("ascii")
    760. 

  760.         cert = {'subject': ((('commonName', idna),),)}
    761. 

  761.         fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
    762. 

  762.         fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
    763. 

  763.         fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
    764. 

  764.         fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
    765. 

  765. 

  766.         # Slightly fake real-world example
    767. 

  767.         cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
    768. 

  768.                 'subject': ((('commonName', 'linuxfrz.org'),),),
    769. 

  769.                 'subjectAltName': (('DNS', 'linuxfr.org'),
    770. 

  770.                                    ('DNS', 'linuxfr.com'),
    771. 

  771.                                    ('othername', '<unsupported>'))}
    772. 

  772.         ok(cert, 'linuxfr.org')
    773. 

  773.         ok(cert, 'linuxfr.com')
    774. 

  774.         # Not a "DNS" entry
    775. 

  775.         fail(cert, '<unsupported>')
    776. 

  776.         # When there is a subjectAltName, commonName isn't used
    777. 

  777.         fail(cert, 'linuxfrz.org')
    778. 

  778. 

  779.         # A pristine real-world example
    780. 

  780.         cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
    781. 

  781.                 'subject': ((('countryName', 'US'),),
    782. 

  782.                             (('stateOrProvinceName', 'California'),),
    783. 

  783.                             (('localityName', 'Mountain View'),),
    784. 

  784.                             (('organizationName', 'Google Inc'),),
    785. 

  785.                             (('commonName', 'mail.google.com'),))}
    786. 

  786.         ok(cert, 'mail.google.com')
    787. 

  787.         fail(cert, 'gmail.com')
    788. 

  788.         # Only commonName is considered
    789. 

  789.         fail(cert, 'California')
    790. 

  790. 

  791.         # -- IPv4 matching --
    792. 

  792.         cert = {'subject': ((('commonName', 'example.com'),),),
    793. 

  793.                 'subjectAltName': (('DNS', 'example.com'),
    794. 

  794.                                    ('IP Address', '10.11.12.13'),
    795. 

  795.                                    ('IP Address', '14.15.16.17'),
    796. 

  796.                                    ('IP Address', '127.0.0.1'))}
    797. 

  797.         ok(cert, '10.11.12.13')
    798. 

  798.         ok(cert, '14.15.16.17')
    799. 

  799.         # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
    800. 

  800.         fail(cert, '127.1')
    801. 

  801.         fail(cert, '14.15.16.17 ')
    802. 

  802.         fail(cert, '14.15.16.17 extra data')
    803. 

  803.         fail(cert, '14.15.16.18')
    804. 

  804.         fail(cert, 'example.net')
    805. 

  805. 

  806.         # -- IPv6 matching --
    807. 

  807.         if socket_helper.IPV6_ENABLED:
    808. 

  808.             cert = {'subject': ((('commonName', 'example.com'),),),
    809. 

  809.                     'subjectAltName': (
    810. 

  810.                         ('DNS', 'example.com'),
    811. 

  811.                         ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
    812. 

  812.                         ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
    813. 

  813.             ok(cert, '2001::cafe')
    814. 

  814.             ok(cert, '2003::baba')
    815. 

  815.             fail(cert, '2003::baba ')
    816. 

  816.             fail(cert, '2003::baba extra data')
    817. 

  817.             fail(cert, '2003::bebe')
    818. 

  818.             fail(cert, 'example.net')
    819. 

  819. 

  820.         # -- Miscellaneous --
    821. 

  821. 

  822.         # Neither commonName nor subjectAltName
    823. 

  823.         cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
    824. 

  824.                 'subject': ((('countryName', 'US'),),
    825. 

  825.                             (('stateOrProvinceName', 'California'),),
    826. 

  826.                             (('localityName', 'Mountain View'),),
    827. 

  827.                             (('organizationName', 'Google Inc'),))}
    828. 

  828.         fail(cert, 'mail.google.com')
    829. 

  829. 

  830.         # No DNS entry in subjectAltName but a commonName
    831. 

  831.         cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
    832. 

  832.                 'subject': ((('countryName', 'US'),),
    833. 

  833.                             (('stateOrProvinceName', 'California'),),
    834. 

  834.                             (('localityName', 'Mountain View'),),
    835. 

  835.                             (('commonName', 'mail.google.com'),)),
    836. 

  836.                 'subjectAltName': (('othername', 'blabla'), )}
    837. 

  837.         ok(cert, 'mail.google.com')
    838. 

  838. 

  839.         # No DNS entry subjectAltName and no commonName
    840. 

  840.         cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
    841. 

  841.                 'subject': ((('countryName', 'US'),),
    842. 

  842.                             (('stateOrProvinceName', 'California'),),
    843. 

  843.                             (('localityName', 'Mountain View'),),
    844. 

  844.                             (('organizationName', 'Google Inc'),)),
    845. 

  845.                 'subjectAltName': (('othername', 'blabla'),)}
    846. 

  846.         fail(cert, 'google.com')
    847. 

  847. 

  848.         # Empty cert / no cert
    849. 

  849.         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
    850. 

  850.         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
    851. 

  851. 

  852.         # Issue #17980: avoid denials of service by refusing more than one
    853. 

  853.         # wildcard per fragment.
    854. 

  854.         cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
    855. 

  855.         with self.assertRaisesRegex(
    856. 

  856.                 ssl.CertificateError,
    857. 

  857.                 "partial wildcards in leftmost label are not supported"):
    858. 

  858.             ssl.match_hostname(cert, 'axxb.example.com')
    859. 

  859. 

  860.         cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
    861. 

  861.         with self.assertRaisesRegex(
    862. 

  862.                 ssl.CertificateError,
    863. 

  863.                 "wildcard can only be present in the leftmost label"):
    864. 

  864.             ssl.match_hostname(cert, 'www.sub.example.com')
    865. 

  865. 

  866.         cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
    867. 

  867.         with self.assertRaisesRegex(
    868. 

  868.                 ssl.CertificateError,
    869. 

  869.                 "too many wildcards"):
    870. 

  870.             ssl.match_hostname(cert, 'axxbxxc.example.com')
    871. 

  871. 

  872.         cert = {'subject': ((('commonName', '*'),),)}
    873. 

  873.         with self.assertRaisesRegex(
    874. 

  874.                 ssl.CertificateError,
    875. 

  875.                 "sole wildcard without additional labels are not support"):
    876. 

  876.             ssl.match_hostname(cert, 'host')
    877. 

  877. 

  878.         cert = {'subject': ((('commonName', '*.com'),),)}
    879. 

  879.         with self.assertRaisesRegex(
    880. 

  880.                 ssl.CertificateError,
    881. 

  881.                 r"hostname 'com' doesn't match '\*.com'"):
    882. 

  882.             ssl.match_hostname(cert, 'com')
    883. 

  883. 

  884.         # extra checks for _inet_paton()
    885. 

  885.         for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
    886. 

  886.             with self.assertRaises(ValueError):
    887. 

  887.                 ssl._inet_paton(invalid)
    888. 

  888.         for ipaddr in ['127.0.0.1', '192.168.0.1']:
    889. 

  889.             self.assertTrue(ssl._inet_paton(ipaddr))
    890. 

  890.         if socket_helper.IPV6_ENABLED:
    891. 

  891.             for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
    892. 

  892.                 self.assertTrue(ssl._inet_paton(ipaddr))
    893. 

  893. 

  894.     def test_server_side(self):
    895. 

  895.         # server_hostname doesn't work for server sockets
    896. 

  896.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    897. 

  897.         with socket.socket() as sock:
    898. 

  898.             self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
    899. 

  899.                               server_hostname="some.hostname")
    900. 

  900. 

  901.     def test_unknown_channel_binding(self):
    902. 

  902.         # should raise ValueError for unknown type
    903. 

  903.         s = socket.create_server(('127.0.0.1', 0))
    904. 

  904.         c = socket.socket(socket.AF_INET)
    905. 

  905.         c.connect(s.getsockname())
    906. 

  906.         with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
    907. 

  907.             with self.assertRaises(ValueError):
    908. 

  908.                 ss.get_channel_binding("unknown-type")
    909. 

  909.         s.close()
    910. 

  910. 

  911.     @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
    912. 

  912.                          "'tls-unique' channel binding not available")
    913. 

  913.     def test_tls_unique_channel_binding(self):
    914. 

  914.         # unconnected should return None for known type
    915. 

  915.         s = socket.socket(socket.AF_INET)
    916. 

  916.         with test_wrap_socket(s) as ss:
    917. 

  917.             self.assertIsNone(ss.get_channel_binding("tls-unique"))
    918. 

  918.         # the same for server-side
    919. 

  919.         s = socket.socket(socket.AF_INET)
    920. 

  920.         with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
    921. 

  921.             self.assertIsNone(ss.get_channel_binding("tls-unique"))
    922. 

  922. 

  923.     def test_dealloc_warn(self):
    924. 

  924.         ss = test_wrap_socket(socket.socket(socket.AF_INET))
    925. 

  925.         r = repr(ss)
    926. 

  926.         with self.assertWarns(ResourceWarning) as cm:
    927. 

  927.             ss = None
    928. 

  928.             support.gc_collect()
    929. 

  929.         self.assertIn(r, str(cm.warning.args[0]))
    930. 

  930. 

  931.     def test_get_default_verify_paths(self):
    932. 

  932.         paths = ssl.get_default_verify_paths()
    933. 

  933.         self.assertEqual(len(paths), 6)
    934. 

  934.         self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
    935. 

  935. 

  936.         with os_helper.EnvironmentVarGuard() as env:
    937. 

  937.             env["SSL_CERT_DIR"] = CAPATH
    938. 

  938.             env["SSL_CERT_FILE"] = CERTFILE
    939. 

  939.             paths = ssl.get_default_verify_paths()
    940. 

  940.             self.assertEqual(paths.cafile, CERTFILE)
    941. 

  941.             self.assertEqual(paths.capath, CAPATH)
    942. 

  942. 

  943.     @unittest.skipUnless(sys.platform == "win32", "Windows specific")
    944. 

  944.     def test_enum_certificates(self):
    945. 

  945.         self.assertTrue(ssl.enum_certificates("CA"))
    946. 

  946.         self.assertTrue(ssl.enum_certificates("ROOT"))
    947. 

  947. 

  948.         self.assertRaises(TypeError, ssl.enum_certificates)
    949. 

  949.         self.assertRaises(WindowsError, ssl.enum_certificates, "")
    950. 

  950. 

  951.         trust_oids = set()
    952. 

  952.         for storename in ("CA", "ROOT"):
    953. 

  953.             store = ssl.enum_certificates(storename)
    954. 

  954.             self.assertIsInstance(store, list)
    955. 

  955.             for element in store:
    956. 

  956.                 self.assertIsInstance(element, tuple)
    957. 

  957.                 self.assertEqual(len(element), 3)
    958. 

  958.                 cert, enc, trust = element
    959. 

  959.                 self.assertIsInstance(cert, bytes)
    960. 

  960.                 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
    961. 

  961.                 self.assertIsInstance(trust, (frozenset, set, bool))
    962. 

  962.                 if isinstance(trust, (frozenset, set)):
    963. 

  963.                     trust_oids.update(trust)
    964. 

  964. 

  965.         serverAuth = "1.3.6.1.5.5.7.3.1"
    966. 

  966.         self.assertIn(serverAuth, trust_oids)
    967. 

  967. 

  968.     @unittest.skipUnless(sys.platform == "win32", "Windows specific")
    969. 

  969.     def test_enum_crls(self):
    970. 

  970.         self.assertTrue(ssl.enum_crls("CA"))
    971. 

  971.         self.assertRaises(TypeError, ssl.enum_crls)
    972. 

  972.         self.assertRaises(WindowsError, ssl.enum_crls, "")
    973. 

  973. 

  974.         crls = ssl.enum_crls("CA")
    975. 

  975.         self.assertIsInstance(crls, list)
    976. 

  976.         for element in crls:
    977. 

  977.             self.assertIsInstance(element, tuple)
    978. 

  978.             self.assertEqual(len(element), 2)
    979. 

  979.             self.assertIsInstance(element[0], bytes)
    980. 

  980.             self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
    981. 

  981. 

  982. 

  983.     def test_asn1object(self):
    984. 

  984.         expected = (129, 'serverAuth', 'TLS Web Server Authentication',
    985. 

  985.                     '1.3.6.1.5.5.7.3.1')
    986. 

  986. 

  987.         val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
    988. 

  988.         self.assertEqual(val, expected)
    989. 

  989.         self.assertEqual(val.nid, 129)
    990. 

  990.         self.assertEqual(val.shortname, 'serverAuth')
    991. 

  991.         self.assertEqual(val.longname, 'TLS Web Server Authentication')
    992. 

  992.         self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
    993. 

  993.         self.assertIsInstance(val, ssl._ASN1Object)
    994. 

  994.         self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
    995. 

  995. 

  996.         val = ssl._ASN1Object.fromnid(129)
    997. 

  997.         self.assertEqual(val, expected)
    998. 

  998.         self.assertIsInstance(val, ssl._ASN1Object)
    999. 

  999.         self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
    1000. 

  1000.         with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
    1001. 

  1001.             ssl._ASN1Object.fromnid(100000)
    1002. 

  1002.         for i in range(1000):
    1003. 

  1003.             try:
    1004. 

  1004.                 obj = ssl._ASN1Object.fromnid(i)
    1005. 

  1005.             except ValueError:
    1006. 

  1006.                 pass
    1007. 

  1007.             else:
    1008. 

  1008.                 self.assertIsInstance(obj.nid, int)
    1009. 

  1009.                 self.assertIsInstance(obj.shortname, str)
    1010. 

  1010.                 self.assertIsInstance(obj.longname, str)
    1011. 

  1011.                 self.assertIsInstance(obj.oid, (str, type(None)))
    1012. 

  1012. 

  1013.         val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
    1014. 

  1014.         self.assertEqual(val, expected)
    1015. 

  1015.         self.assertIsInstance(val, ssl._ASN1Object)
    1016. 

  1016.         self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
    1017. 

  1017.         self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
    1018. 

  1018.                          expected)
    1019. 

  1019.         with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
    1020. 

  1020.             ssl._ASN1Object.fromname('serverauth')
    1021. 

  1021. 

  1022.     def test_purpose_enum(self):
    1023. 

  1023.         val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
    1024. 

  1024.         self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
    1025. 

  1025.         self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
    1026. 

  1026.         self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
    1027. 

  1027.         self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
    1028. 

  1028.         self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
    1029. 

  1029.                               '1.3.6.1.5.5.7.3.1')
    1030. 

  1030. 

  1031.         val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
    1032. 

  1032.         self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
    1033. 

  1033.         self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
    1034. 

  1034.         self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
    1035. 

  1035.         self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
    1036. 

  1036.         self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
    1037. 

  1037.                               '1.3.6.1.5.5.7.3.2')
    1038. 

  1038. 

  1039.     def test_unsupported_dtls(self):
    1040. 

  1040.         s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    1041. 

  1041.         self.addCleanup(s.close)
    1042. 

  1042.         with self.assertRaises(NotImplementedError) as cx:
    1043. 

  1043.             test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
    1044. 

  1044.         self.assertEqual(str(cx.exception), "only stream sockets are supported")
    1045. 

  1045.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1046. 

  1046.         with self.assertRaises(NotImplementedError) as cx:
    1047. 

  1047.             ctx.wrap_socket(s)
    1048. 

  1048.         self.assertEqual(str(cx.exception), "only stream sockets are supported")
    1049. 

  1049. 

  1050.     def cert_time_ok(self, timestring, timestamp):
    1051. 

  1051.         self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
    1052. 

  1052. 

  1053.     def cert_time_fail(self, timestring):
    1054. 

  1054.         with self.assertRaises(ValueError):
    1055. 

  1055.             ssl.cert_time_to_seconds(timestring)
    1056. 

  1056. 

  1057.     @unittest.skipUnless(utc_offset(),
    1058. 

  1058.                          'local time needs to be different from UTC')
    1059. 

  1059.     def test_cert_time_to_seconds_timezone(self):
    1060. 

  1060.         # Issue #19940: ssl.cert_time_to_seconds() returns wrong
    1061. 

  1061.         #               results if local timezone is not UTC
    1062. 

  1062.         self.cert_time_ok("May  9 00:00:00 2007 GMT", 1178668800.0)
    1063. 

  1063.         self.cert_time_ok("Jan  5 09:34:43 2018 GMT", 1515144883.0)
    1064. 

  1064. 

  1065.     def test_cert_time_to_seconds(self):
    1066. 

  1066.         timestring = "Jan  5 09:34:43 2018 GMT"
    1067. 

  1067.         ts = 1515144883.0
    1068. 

  1068.         self.cert_time_ok(timestring, ts)
    1069. 

  1069.         # accept keyword parameter, assert its name
    1070. 

  1070.         self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
    1071. 

  1071.         # accept both %e and %d (space or zero generated by strftime)
    1072. 

  1072.         self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
    1073. 

  1073.         # case-insensitive
    1074. 

  1074.         self.cert_time_ok("JaN  5 09:34:43 2018 GmT", ts)
    1075. 

  1075.         self.cert_time_fail("Jan  5 09:34 2018 GMT")     # no seconds
    1076. 

  1076.         self.cert_time_fail("Jan  5 09:34:43 2018")      # no GMT
    1077. 

  1077.         self.cert_time_fail("Jan  5 09:34:43 2018 UTC")  # not GMT timezone
    1078. 

  1078.         self.cert_time_fail("Jan 35 09:34:43 2018 GMT")  # invalid day
    1079. 

  1079.         self.cert_time_fail("Jon  5 09:34:43 2018 GMT")  # invalid month
    1080. 

  1080.         self.cert_time_fail("Jan  5 24:00:00 2018 GMT")  # invalid hour
    1081. 

  1081.         self.cert_time_fail("Jan  5 09:60:43 2018 GMT")  # invalid minute
    1082. 

  1082. 

  1083.         newyear_ts = 1230768000.0
    1084. 

  1084.         # leap seconds
    1085. 

  1085.         self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
    1086. 

  1086.         # same timestamp
    1087. 

  1087.         self.cert_time_ok("Jan  1 00:00:00 2009 GMT", newyear_ts)
    1088. 

  1088. 

  1089.         self.cert_time_ok("Jan  5 09:34:59 2018 GMT", 1515144899)
    1090. 

  1090.         #  allow 60th second (even if it is not a leap second)
    1091. 

  1091.         self.cert_time_ok("Jan  5 09:34:60 2018 GMT", 1515144900)
    1092. 

  1092.         #  allow 2nd leap second for compatibility with time.strptime()
    1093. 

  1093.         self.cert_time_ok("Jan  5 09:34:61 2018 GMT", 1515144901)
    1094. 

  1094.         self.cert_time_fail("Jan  5 09:34:62 2018 GMT")  # invalid seconds
    1095. 

  1095. 

  1096.         # no special treatment for the special value:
    1097. 

  1097.         #   99991231235959Z (rfc 5280)
    1098. 

  1098.         self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
    1099. 

  1099. 

  1100.     @support.run_with_locale('LC_ALL', '')
    1101. 

  1101.     def test_cert_time_to_seconds_locale(self):
    1102. 

  1102.         # `cert_time_to_seconds()` should be locale independent
    1103. 

  1103. 

  1104.         def local_february_name():
    1105. 

  1105.             return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
    1106. 

  1106. 

  1107.         if local_february_name().lower() == 'feb':
    1108. 

  1108.             self.skipTest("locale-specific month name needs to be "
    1109. 

  1109.                           "different from C locale")
    1110. 

  1110. 

  1111.         # locale-independent
    1112. 

  1112.         self.cert_time_ok("Feb  9 00:00:00 2007 GMT", 1170979200.0)
    1113. 

  1113.         self.cert_time_fail(local_february_name() + "  9 00:00:00 2007 GMT")
    1114. 

  1114. 

  1115.     def test_connect_ex_error(self):
    1116. 

  1116.         server = socket.socket(socket.AF_INET)
    1117. 

  1117.         self.addCleanup(server.close)
    1118. 

  1118.         port = socket_helper.bind_port(server)  # Reserve port but don't listen
    1119. 

  1119.         s = test_wrap_socket(socket.socket(socket.AF_INET),
    1120. 

  1120.                             cert_reqs=ssl.CERT_REQUIRED)
    1121. 

  1121.         self.addCleanup(s.close)
    1122. 

  1122.         rc = s.connect_ex((HOST, port))
    1123. 

  1123.         # Issue #19919: Windows machines or VMs hosted on Windows
    1124. 

  1124.         # machines sometimes return EWOULDBLOCK.
    1125. 

  1125.         errors = (
    1126. 

  1126.             errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
    1127. 

  1127.             errno.EWOULDBLOCK,
    1128. 

  1128.         )
    1129. 

  1129.         self.assertIn(rc, errors)
    1130. 

  1130. 

  1131.     def test_read_write_zero(self):
    1132. 

  1132.         # empty reads and writes now work, bpo-42854, bpo-31711
    1133. 

  1133.         client_context, server_context, hostname = testing_context()
    1134. 

  1134.         server = ThreadedEchoServer(context=server_context)
    1135. 

  1135.         with server:
    1136. 

  1136.             with client_context.wrap_socket(socket.socket(),
    1137. 

  1137.                                             server_hostname=hostname) as s:
    1138. 

  1138.                 s.connect((HOST, server.port))
    1139. 

  1139.                 self.assertEqual(s.recv(0), b"")
    1140. 

  1140.                 self.assertEqual(s.send(b""), 0)
    1141. 

  1141. 

  1142. 

  1143. class ContextTests(unittest.TestCase):
    1144. 

  1144. 

  1145.     def test_constructor(self):
    1146. 

  1146.         for protocol in PROTOCOLS:
    1147. 

  1147.             if has_tls_protocol(protocol):
    1148. 

  1148.                 with warnings_helper.check_warnings():
    1149. 

  1149.                     ctx = ssl.SSLContext(protocol)
    1150. 

  1150.                 self.assertEqual(ctx.protocol, protocol)
    1151. 

  1151.         with warnings_helper.check_warnings():
    1152. 

  1152.             ctx = ssl.SSLContext()
    1153. 

  1153.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
    1154. 

  1154.         self.assertRaises(ValueError, ssl.SSLContext, -1)
    1155. 

  1155.         self.assertRaises(ValueError, ssl.SSLContext, 42)
    1156. 

  1156. 

  1157.     def test_ciphers(self):
    1158. 

  1158.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1159. 

  1159.         ctx.set_ciphers("ALL")
    1160. 

  1160.         ctx.set_ciphers("DEFAULT")
    1161. 

  1161.         with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
    1162. 

  1162.             ctx.set_ciphers("^$:,;?*'dorothyx")
    1163. 

  1163. 

  1164.     @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
    1165. 

  1165.                          "Test applies only to Python default ciphers")
    1166. 

  1166.     def test_python_ciphers(self):
    1167. 

  1167.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1168. 

  1168.         ciphers = ctx.get_ciphers()
    1169. 

  1169.         for suite in ciphers:
    1170. 

  1170.             name = suite['name']
    1171. 

  1171.             self.assertNotIn("PSK", name)
    1172. 

  1172.             self.assertNotIn("SRP", name)
    1173. 

  1173.             self.assertNotIn("MD5", name)
    1174. 

  1174.             self.assertNotIn("RC4", name)
    1175. 

  1175.             self.assertNotIn("3DES", name)
    1176. 

  1176. 

  1177.     def test_get_ciphers(self):
    1178. 

  1178.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1179. 

  1179.         ctx.set_ciphers('AESGCM')
    1180. 

  1180.         names = set(d['name'] for d in ctx.get_ciphers())
    1181. 

  1181.         expected = {
    1182. 

  1182.             'AES128-GCM-SHA256',
    1183. 

  1183.             'ECDHE-ECDSA-AES128-GCM-SHA256',
    1184. 

  1184.             'ECDHE-RSA-AES128-GCM-SHA256',
    1185. 

  1185.             'DHE-RSA-AES128-GCM-SHA256',
    1186. 

  1186.             'AES256-GCM-SHA384',
    1187. 

  1187.             'ECDHE-ECDSA-AES256-GCM-SHA384',
    1188. 

  1188.             'ECDHE-RSA-AES256-GCM-SHA384',
    1189. 

  1189.             'DHE-RSA-AES256-GCM-SHA384',
    1190. 

  1190.         }
    1191. 

  1191.         intersection = names.intersection(expected)
    1192. 

  1192.         self.assertGreaterEqual(
    1193. 

  1193.             len(intersection), 2, f"\ngot: {sorted(names)}\nexpected: {sorted(expected)}"
    1194. 

  1194.         )
    1195. 

  1195. 

  1196.     def test_options(self):
    1197. 

  1197.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1198. 

  1198.         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
    1199. 

  1199.         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
    1200. 

  1200.         # SSLContext also enables these by default
    1201. 

  1201.         default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
    1202. 

  1202.                     OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
    1203. 

  1203.                     OP_ENABLE_MIDDLEBOX_COMPAT |
    1204. 

  1204.                     OP_IGNORE_UNEXPECTED_EOF)
    1205. 

  1205.         self.assertEqual(default, ctx.options)
    1206. 

  1206.         with warnings_helper.check_warnings():
    1207. 

  1207.             ctx.options |= ssl.OP_NO_TLSv1
    1208. 

  1208.         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
    1209. 

  1209.         with warnings_helper.check_warnings():
    1210. 

  1210.             ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
    1211. 

  1211.         self.assertEqual(default, ctx.options)
    1212. 

  1212.         ctx.options = 0
    1213. 

  1213.         # Ubuntu has OP_NO_SSLv3 forced on by default
    1214. 

  1214.         self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
    1215. 

  1215. 

  1216.     def test_verify_mode_protocol(self):
    1217. 

  1217.         with warnings_helper.check_warnings():
    1218. 

  1218.             ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    1219. 

  1219.         # Default value
    1220. 

  1220.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1221. 

  1221.         ctx.verify_mode = ssl.CERT_OPTIONAL
    1222. 

  1222.         self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
    1223. 

  1223.         ctx.verify_mode = ssl.CERT_REQUIRED
    1224. 

  1224.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1225. 

  1225.         ctx.verify_mode = ssl.CERT_NONE
    1226. 

  1226.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1227. 

  1227.         with self.assertRaises(TypeError):
    1228. 

  1228.             ctx.verify_mode = None
    1229. 

  1229.         with self.assertRaises(ValueError):
    1230. 

  1230.             ctx.verify_mode = 42
    1231. 

  1231. 

  1232.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1233. 

  1233.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1234. 

  1234.         self.assertFalse(ctx.check_hostname)
    1235. 

  1235. 

  1236.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1237. 

  1237.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1238. 

  1238.         self.assertTrue(ctx.check_hostname)
    1239. 

  1239. 

  1240.     def test_hostname_checks_common_name(self):
    1241. 

  1241.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1242. 

  1242.         self.assertTrue(ctx.hostname_checks_common_name)
    1243. 

  1243.         if ssl.HAS_NEVER_CHECK_COMMON_NAME:
    1244. 

  1244.             ctx.hostname_checks_common_name = True
    1245. 

  1245.             self.assertTrue(ctx.hostname_checks_common_name)
    1246. 

  1246.             ctx.hostname_checks_common_name = False
    1247. 

  1247.             self.assertFalse(ctx.hostname_checks_common_name)
    1248. 

  1248.             ctx.hostname_checks_common_name = True
    1249. 

  1249.             self.assertTrue(ctx.hostname_checks_common_name)
    1250. 

  1250.         else:
    1251. 

  1251.             with self.assertRaises(AttributeError):
    1252. 

  1252.                 ctx.hostname_checks_common_name = True
    1253. 

  1253. 

  1254.     @ignore_deprecation
    1255. 

  1255.     def test_min_max_version(self):
    1256. 

  1256.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1257. 

  1257.         # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
    1258. 

  1258.         # Fedora override the setting to TLS 1.0.
    1259. 

  1259.         minimum_range = {
    1260. 

  1260.             # stock OpenSSL
    1261. 

  1261.             ssl.TLSVersion.MINIMUM_SUPPORTED,
    1262. 

  1262.             # Fedora 29 uses TLS 1.0 by default
    1263. 

  1263.             ssl.TLSVersion.TLSv1,
    1264. 

  1264.             # RHEL 8 uses TLS 1.2 by default
    1265. 

  1265.             ssl.TLSVersion.TLSv1_2
    1266. 

  1266.         }
    1267. 

  1267.         maximum_range = {
    1268. 

  1268.             # stock OpenSSL
    1269. 

  1269.             ssl.TLSVersion.MAXIMUM_SUPPORTED,
    1270. 

  1270.             # Fedora 32 uses TLS 1.3 by default
    1271. 

  1271.             ssl.TLSVersion.TLSv1_3
    1272. 

  1272.         }
    1273. 

  1273. 

  1274.         self.assertIn(
    1275. 

  1275.             ctx.minimum_version, minimum_range
    1276. 

  1276.         )
    1277. 

  1277.         self.assertIn(
    1278. 

  1278.             ctx.maximum_version, maximum_range
    1279. 

  1279.         )
    1280. 

  1280. 

  1281.         ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    1282. 

  1282.         ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    1283. 

  1283.         self.assertEqual(
    1284. 

  1284.             ctx.minimum_version, ssl.TLSVersion.TLSv1_1
    1285. 

  1285.         )
    1286. 

  1286.         self.assertEqual(
    1287. 

  1287.             ctx.maximum_version, ssl.TLSVersion.TLSv1_2
    1288. 

  1288.         )
    1289. 

  1289. 

  1290.         ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    1291. 

  1291.         ctx.maximum_version = ssl.TLSVersion.TLSv1
    1292. 

  1292.         self.assertEqual(
    1293. 

  1293.             ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
    1294. 

  1294.         )
    1295. 

  1295.         self.assertEqual(
    1296. 

  1296.             ctx.maximum_version, ssl.TLSVersion.TLSv1
    1297. 

  1297.         )
    1298. 

  1298. 

  1299.         ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    1300. 

  1300.         self.assertEqual(
    1301. 

  1301.             ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
    1302. 

  1302.         )
    1303. 

  1303. 

  1304.         ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    1305. 

  1305.         self.assertIn(
    1306. 

  1306.             ctx.maximum_version,
    1307. 

  1307.             {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.SSLv3}
    1308. 

  1308.         )
    1309. 

  1309. 

  1310.         ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    1311. 

  1311.         self.assertIn(
    1312. 

  1312.             ctx.minimum_version,
    1313. 

  1313.             {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
    1314. 

  1314.         )
    1315. 

  1315. 

  1316.         with self.assertRaises(ValueError):
    1317. 

  1317.             ctx.minimum_version = 42
    1318. 

  1318. 

  1319.         if has_tls_protocol(ssl.PROTOCOL_TLSv1_1):
    1320. 

  1320.             ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
    1321. 

  1321. 

  1322.             self.assertIn(
    1323. 

  1323.                 ctx.minimum_version, minimum_range
    1324. 

  1324.             )
    1325. 

  1325.             self.assertEqual(
    1326. 

  1326.                 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
    1327. 

  1327.             )
    1328. 

  1328.             with self.assertRaises(ValueError):
    1329. 

  1329.                 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    1330. 

  1330.             with self.assertRaises(ValueError):
    1331. 

  1331.                 ctx.maximum_version = ssl.TLSVersion.TLSv1
    1332. 

  1332. 

  1333.     @unittest.skipUnless(
    1334. 

  1334.         hasattr(ssl.SSLContext, 'security_level'),
    1335. 

  1335.         "requires OpenSSL >= 1.1.0"
    1336. 

  1336.     )
    1337. 

  1337.     def test_security_level(self):
    1338. 

  1338.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1339. 

  1339.         # The default security callback allows for levels between 0-5
    1340. 

  1340.         # with OpenSSL defaulting to 1, however some vendors override the
    1341. 

  1341.         # default value (e.g. Debian defaults to 2)
    1342. 

  1342.         security_level_range = {
    1343. 

  1343.             0,
    1344. 

  1344.             1, # OpenSSL default
    1345. 

  1345.             2, # Debian
    1346. 

  1346.             3,
    1347. 

  1347.             4,
    1348. 

  1348.             5,
    1349. 

  1349.         }
    1350. 

  1350.         self.assertIn(ctx.security_level, security_level_range)
    1351. 

  1351. 

  1352.     def test_verify_flags(self):
    1353. 

  1353.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1354. 

  1354.         # default value
    1355. 

  1355.         tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
    1356. 

  1356.         self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
    1357. 

  1357.         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
    1358. 

  1358.         self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
    1359. 

  1359.         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
    1360. 

  1360.         self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
    1361. 

  1361.         ctx.verify_flags = ssl.VERIFY_DEFAULT
    1362. 

  1362.         self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
    1363. 

  1363.         ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
    1364. 

  1364.         self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
    1365. 

  1365.         # supports any value
    1366. 

  1366.         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
    1367. 

  1367.         self.assertEqual(ctx.verify_flags,
    1368. 

  1368.                          ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
    1369. 

  1369.         with self.assertRaises(TypeError):
    1370. 

  1370.             ctx.verify_flags = None
    1371. 

  1371. 

  1372.     def test_load_cert_chain(self):
    1373. 

  1373.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1374. 

  1374.         # Combined key and cert in a single file
    1375. 

  1375.         ctx.load_cert_chain(CERTFILE, keyfile=None)
    1376. 

  1376.         ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
    1377. 

  1377.         self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
    1378. 

  1378.         with self.assertRaises(OSError) as cm:
    1379. 

  1379.             ctx.load_cert_chain(NONEXISTINGCERT)
    1380. 

  1380.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    1381. 

  1381.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1382. 

  1382.             ctx.load_cert_chain(BADCERT)
    1383. 

  1383.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1384. 

  1384.             ctx.load_cert_chain(EMPTYCERT)
    1385. 

  1385.         # Separate key and cert
    1386. 

  1386.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1387. 

  1387.         ctx.load_cert_chain(ONLYCERT, ONLYKEY)
    1388. 

  1388.         ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
    1389. 

  1389.         ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
    1390. 

  1390.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1391. 

  1391.             ctx.load_cert_chain(ONLYCERT)
    1392. 

  1392.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1393. 

  1393.             ctx.load_cert_chain(ONLYKEY)
    1394. 

  1394.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1395. 

  1395.             ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
    1396. 

  1396.         # Mismatching key and cert
    1397. 

  1397.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1398. 

  1398.         with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
    1399. 

  1399.             ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
    1400. 

  1400.         # Password protected key and cert
    1401. 

  1401.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
    1402. 

  1402.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
    1403. 

  1403.         ctx.load_cert_chain(CERTFILE_PROTECTED,
    1404. 

  1404.                             password=bytearray(KEY_PASSWORD.encode()))
    1405. 

  1405.         ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
    1406. 

  1406.         ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
    1407. 

  1407.         ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
    1408. 

  1408.                             bytearray(KEY_PASSWORD.encode()))
    1409. 

  1409.         with self.assertRaisesRegex(TypeError, "should be a string"):
    1410. 

  1410.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
    1411. 

  1411.         with self.assertRaises(ssl.SSLError):
    1412. 

  1412.             ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
    1413. 

  1413.         with self.assertRaisesRegex(ValueError, "cannot be longer"):
    1414. 

  1414.             # openssl has a fixed limit on the password buffer.
    1415. 

  1415.             # PEM_BUFSIZE is generally set to 1kb.
    1416. 

  1416.             # Return a string larger than this.
    1417. 

  1417.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
    1418. 

  1418.         # Password callback
    1419. 

  1419.         def getpass_unicode():
    1420. 

  1420.             return KEY_PASSWORD
    1421. 

  1421.         def getpass_bytes():
    1422. 

  1422.             return KEY_PASSWORD.encode()
    1423. 

  1423.         def getpass_bytearray():
    1424. 

  1424.             return bytearray(KEY_PASSWORD.encode())
    1425. 

  1425.         def getpass_badpass():
    1426. 

  1426.             return "badpass"
    1427. 

  1427.         def getpass_huge():
    1428. 

  1428.             return b'a' * (1024 * 1024)
    1429. 

  1429.         def getpass_bad_type():
    1430. 

  1430.             return 9
    1431. 

  1431.         def getpass_exception():
    1432. 

  1432.             raise Exception('getpass error')
    1433. 

  1433.         class GetPassCallable:
    1434. 

  1434.             def __call__(self):
    1435. 

  1435.                 return KEY_PASSWORD
    1436. 

  1436.             def getpass(self):
    1437. 

  1437.                 return KEY_PASSWORD
    1438. 

  1438.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
    1439. 

  1439.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
    1440. 

  1440.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
    1441. 

  1441.         ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
    1442. 

  1442.         ctx.load_cert_chain(CERTFILE_PROTECTED,
    1443. 

  1443.                             password=GetPassCallable().getpass)
    1444. 

  1444.         with self.assertRaises(ssl.SSLError):
    1445. 

  1445.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
    1446. 

  1446.         with self.assertRaisesRegex(ValueError, "cannot be longer"):
    1447. 

  1447.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
    1448. 

  1448.         with self.assertRaisesRegex(TypeError, "must return a string"):
    1449. 

  1449.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
    1450. 

  1450.         with self.assertRaisesRegex(Exception, "getpass error"):
    1451. 

  1451.             ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
    1452. 

  1452.         # Make sure the password function isn't called if it isn't needed
    1453. 

  1453.         ctx.load_cert_chain(CERTFILE, password=getpass_exception)
    1454. 

  1454. 

  1455.     def test_load_verify_locations(self):
    1456. 

  1456.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1457. 

  1457.         ctx.load_verify_locations(CERTFILE)
    1458. 

  1458.         ctx.load_verify_locations(cafile=CERTFILE, capath=None)
    1459. 

  1459.         ctx.load_verify_locations(BYTES_CERTFILE)
    1460. 

  1460.         ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
    1461. 

  1461.         self.assertRaises(TypeError, ctx.load_verify_locations)
    1462. 

  1462.         self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
    1463. 

  1463.         with self.assertRaises(OSError) as cm:
    1464. 

  1464.             ctx.load_verify_locations(NONEXISTINGCERT)
    1465. 

  1465.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    1466. 

  1466.         with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
    1467. 

  1467.             ctx.load_verify_locations(BADCERT)
    1468. 

  1468.         ctx.load_verify_locations(CERTFILE, CAPATH)
    1469. 

  1469.         ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
    1470. 

  1470. 

  1471.         # Issue #10989: crash if the second argument type is invalid
    1472. 

  1472.         self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
    1473. 

  1473. 

  1474.     def test_load_verify_cadata(self):
    1475. 

  1475.         # test cadata
    1476. 

  1476.         with open(CAFILE_CACERT) as f:
    1477. 

  1477.             cacert_pem = f.read()
    1478. 

  1478.         cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
    1479. 

  1479.         with open(CAFILE_NEURONIO) as f:
    1480. 

  1480.             neuronio_pem = f.read()
    1481. 

  1481.         neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
    1482. 

  1482. 

  1483.         # test PEM
    1484. 

  1484.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1485. 

  1485.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
    1486. 

  1486.         ctx.load_verify_locations(cadata=cacert_pem)
    1487. 

  1487.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
    1488. 

  1488.         ctx.load_verify_locations(cadata=neuronio_pem)
    1489. 

  1489.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1490. 

  1490.         # cert already in hash table
    1491. 

  1491.         ctx.load_verify_locations(cadata=neuronio_pem)
    1492. 

  1492.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1493. 

  1493. 

  1494.         # combined
    1495. 

  1495.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1496. 

  1496.         combined = "\n".join((cacert_pem, neuronio_pem))
    1497. 

  1497.         ctx.load_verify_locations(cadata=combined)
    1498. 

  1498.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1499. 

  1499. 

  1500.         # with junk around the certs
    1501. 

  1501.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1502. 

  1502.         combined = ["head", cacert_pem, "other", neuronio_pem, "again",
    1503. 

  1503.                     neuronio_pem, "tail"]
    1504. 

  1504.         ctx.load_verify_locations(cadata="\n".join(combined))
    1505. 

  1505.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1506. 

  1506. 

  1507.         # test DER
    1508. 

  1508.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1509. 

  1509.         ctx.load_verify_locations(cadata=cacert_der)
    1510. 

  1510.         ctx.load_verify_locations(cadata=neuronio_der)
    1511. 

  1511.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1512. 

  1512.         # cert already in hash table
    1513. 

  1513.         ctx.load_verify_locations(cadata=cacert_der)
    1514. 

  1514.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1515. 

  1515. 

  1516.         # combined
    1517. 

  1517.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1518. 

  1518.         combined = b"".join((cacert_der, neuronio_der))
    1519. 

  1519.         ctx.load_verify_locations(cadata=combined)
    1520. 

  1520.         self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
    1521. 

  1521. 

  1522.         # error cases
    1523. 

  1523.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1524. 

  1524.         self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
    1525. 

  1525. 

  1526.         with self.assertRaisesRegex(
    1527. 

  1527.             ssl.SSLError,
    1528. 

  1528.             "no start line: cadata does not contain a certificate"
    1529. 

  1529.         ):
    1530. 

  1530.             ctx.load_verify_locations(cadata="broken")
    1531. 

  1531.         with self.assertRaisesRegex(
    1532. 

  1532.             ssl.SSLError,
    1533. 

  1533.             "not enough data: cadata does not contain a certificate"
    1534. 

  1534.         ):
    1535. 

  1535.             ctx.load_verify_locations(cadata=b"broken")
    1536. 

  1536. 

  1537.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    1538. 

  1538.     def test_load_dh_params(self):
    1539. 

  1539.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1540. 

  1540.         ctx.load_dh_params(DHFILE)
    1541. 

  1541.         if os.name != 'nt':
    1542. 

  1542.             ctx.load_dh_params(BYTES_DHFILE)
    1543. 

  1543.         self.assertRaises(TypeError, ctx.load_dh_params)
    1544. 

  1544.         self.assertRaises(TypeError, ctx.load_dh_params, None)
    1545. 

  1545.         with self.assertRaises(FileNotFoundError) as cm:
    1546. 

  1546.             ctx.load_dh_params(NONEXISTINGCERT)
    1547. 

  1547.         self.assertEqual(cm.exception.errno, errno.ENOENT)
    1548. 

  1548.         with self.assertRaises(ssl.SSLError) as cm:
    1549. 

  1549.             ctx.load_dh_params(CERTFILE)
    1550. 

  1550. 

  1551.     def test_session_stats(self):
    1552. 

  1552.         for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
    1553. 

  1553.             ctx = ssl.SSLContext(proto)
    1554. 

  1554.             self.assertEqual(ctx.session_stats(), {
    1555. 

  1555.                 'number': 0,
    1556. 

  1556.                 'connect': 0,
    1557. 

  1557.                 'connect_good': 0,
    1558. 

  1558.                 'connect_renegotiate': 0,
    1559. 

  1559.                 'accept': 0,
    1560. 

  1560.                 'accept_good': 0,
    1561. 

  1561.                 'accept_renegotiate': 0,
    1562. 

  1562.                 'hits': 0,
    1563. 

  1563.                 'misses': 0,
    1564. 

  1564.                 'timeouts': 0,
    1565. 

  1565.                 'cache_full': 0,
    1566. 

  1566.             })
    1567. 

  1567. 

  1568.     def test_set_default_verify_paths(self):
    1569. 

  1569.         # There's not much we can do to test that it acts as expected,
    1570. 

  1570.         # so just check it doesn't crash or raise an exception.
    1571. 

  1571.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1572. 

  1572.         ctx.set_default_verify_paths()
    1573. 

  1573. 

  1574.     @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
    1575. 

  1575.     def test_set_ecdh_curve(self):
    1576. 

  1576.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1577. 

  1577.         ctx.set_ecdh_curve("prime256v1")
    1578. 

  1578.         ctx.set_ecdh_curve(b"prime256v1")
    1579. 

  1579.         self.assertRaises(TypeError, ctx.set_ecdh_curve)
    1580. 

  1580.         self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
    1581. 

  1581.         self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
    1582. 

  1582.         self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
    1583. 

  1583. 

  1584.     def test_sni_callback(self):
    1585. 

  1585.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1586. 

  1586. 

  1587.         # set_servername_callback expects a callable, or None
    1588. 

  1588.         self.assertRaises(TypeError, ctx.set_servername_callback)
    1589. 

  1589.         self.assertRaises(TypeError, ctx.set_servername_callback, 4)
    1590. 

  1590.         self.assertRaises(TypeError, ctx.set_servername_callback, "")
    1591. 

  1591.         self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
    1592. 

  1592. 

  1593.         def dummycallback(sock, servername, ctx):
    1594. 

  1594.             pass
    1595. 

  1595.         ctx.set_servername_callback(None)
    1596. 

  1596.         ctx.set_servername_callback(dummycallback)
    1597. 

  1597. 

  1598.     def test_sni_callback_refcycle(self):
    1599. 

  1599.         # Reference cycles through the servername callback are detected
    1600. 

  1600.         # and cleared.
    1601. 

  1601.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1602. 

  1602.         def dummycallback(sock, servername, ctx, cycle=ctx):
    1603. 

  1603.             pass
    1604. 

  1604.         ctx.set_servername_callback(dummycallback)
    1605. 

  1605.         wr = weakref.ref(ctx)
    1606. 

  1606.         del ctx, dummycallback
    1607. 

  1607.         gc.collect()
    1608. 

  1608.         self.assertIs(wr(), None)
    1609. 

  1609. 

  1610.     def test_cert_store_stats(self):
    1611. 

  1611.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1612. 

  1612.         self.assertEqual(ctx.cert_store_stats(),
    1613. 

  1613.             {'x509_ca': 0, 'crl': 0, 'x509': 0})
    1614. 

  1614.         ctx.load_cert_chain(CERTFILE)
    1615. 

  1615.         self.assertEqual(ctx.cert_store_stats(),
    1616. 

  1616.             {'x509_ca': 0, 'crl': 0, 'x509': 0})
    1617. 

  1617.         ctx.load_verify_locations(CERTFILE)
    1618. 

  1618.         self.assertEqual(ctx.cert_store_stats(),
    1619. 

  1619.             {'x509_ca': 0, 'crl': 0, 'x509': 1})
    1620. 

  1620.         ctx.load_verify_locations(CAFILE_CACERT)
    1621. 

  1621.         self.assertEqual(ctx.cert_store_stats(),
    1622. 

  1622.             {'x509_ca': 1, 'crl': 0, 'x509': 2})
    1623. 

  1623. 

  1624.     def test_get_ca_certs(self):
    1625. 

  1625.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1626. 

  1626.         self.assertEqual(ctx.get_ca_certs(), [])
    1627. 

  1627.         # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
    1628. 

  1628.         ctx.load_verify_locations(CERTFILE)
    1629. 

  1629.         self.assertEqual(ctx.get_ca_certs(), [])
    1630. 

  1630.         # but CAFILE_CACERT is a CA cert
    1631. 

  1631.         ctx.load_verify_locations(CAFILE_CACERT)
    1632. 

  1632.         self.assertEqual(ctx.get_ca_certs(),
    1633. 

  1633.             [{'issuer': ((('organizationName', 'Root CA'),),
    1634. 

  1634.                          (('organizationalUnitName', 'http://www.cacert.org'),),
    1635. 

  1635.                          (('commonName', 'CA Cert Signing Authority'),),
    1636. 

  1636.                          (('emailAddress', 'support@cacert.org'),)),
    1637. 

  1637.               'notAfter': 'Mar 29 12:29:49 2033 GMT',
    1638. 

  1638.               'notBefore': 'Mar 30 12:29:49 2003 GMT',
    1639. 

  1639.               'serialNumber': '00',
    1640. 

  1640.               'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
    1641. 

  1641.               'subject': ((('organizationName', 'Root CA'),),
    1642. 

  1642.                           (('organizationalUnitName', 'http://www.cacert.org'),),
    1643. 

  1643.                           (('commonName', 'CA Cert Signing Authority'),),
    1644. 

  1644.                           (('emailAddress', 'support@cacert.org'),)),
    1645. 

  1645.               'version': 3}])
    1646. 

  1646. 

  1647.         with open(CAFILE_CACERT) as f:
    1648. 

  1648.             pem = f.read()
    1649. 

  1649.         der = ssl.PEM_cert_to_DER_cert(pem)
    1650. 

  1650.         self.assertEqual(ctx.get_ca_certs(True), [der])
    1651. 

  1651. 

  1652.     def test_load_default_certs(self):
    1653. 

  1653.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1654. 

  1654.         ctx.load_default_certs()
    1655. 

  1655. 

  1656.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1657. 

  1657.         ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    1658. 

  1658.         ctx.load_default_certs()
    1659. 

  1659. 

  1660.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1661. 

  1661.         ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
    1662. 

  1662. 

  1663.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1664. 

  1664.         self.assertRaises(TypeError, ctx.load_default_certs, None)
    1665. 

  1665.         self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
    1666. 

  1666. 

  1667.     @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
    1668. 

  1668.     def test_load_default_certs_env(self):
    1669. 

  1669.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1670. 

  1670.         with os_helper.EnvironmentVarGuard() as env:
    1671. 

  1671.             env["SSL_CERT_DIR"] = CAPATH
    1672. 

  1672.             env["SSL_CERT_FILE"] = CERTFILE
    1673. 

  1673.             ctx.load_default_certs()
    1674. 

  1674.             self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
    1675. 

  1675. 

  1676.     @unittest.skipUnless(sys.platform == "win32", "Windows specific")
    1677. 

  1677.     @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
    1678. 

  1678.     def test_load_default_certs_env_windows(self):
    1679. 

  1679.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1680. 

  1680.         ctx.load_default_certs()
    1681. 

  1681.         stats = ctx.cert_store_stats()
    1682. 

  1682. 

  1683.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1684. 

  1684.         with os_helper.EnvironmentVarGuard() as env:
    1685. 

  1685.             env["SSL_CERT_DIR"] = CAPATH
    1686. 

  1686.             env["SSL_CERT_FILE"] = CERTFILE
    1687. 

  1687.             ctx.load_default_certs()
    1688. 

  1688.             stats["x509"] += 1
    1689. 

  1689.             self.assertEqual(ctx.cert_store_stats(), stats)
    1690. 

  1690. 

  1691.     def _assert_context_options(self, ctx):
    1692. 

  1692.         self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
    1693. 

  1693.         if OP_NO_COMPRESSION != 0:
    1694. 

  1694.             self.assertEqual(ctx.options & OP_NO_COMPRESSION,
    1695. 

  1695.                              OP_NO_COMPRESSION)
    1696. 

  1696.         if OP_SINGLE_DH_USE != 0:
    1697. 

  1697.             self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
    1698. 

  1698.                              OP_SINGLE_DH_USE)
    1699. 

  1699.         if OP_SINGLE_ECDH_USE != 0:
    1700. 

  1700.             self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
    1701. 

  1701.                              OP_SINGLE_ECDH_USE)
    1702. 

  1702.         if OP_CIPHER_SERVER_PREFERENCE != 0:
    1703. 

  1703.             self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
    1704. 

  1704.                              OP_CIPHER_SERVER_PREFERENCE)
    1705. 

  1705. 

  1706.     def test_create_default_context(self):
    1707. 

  1707.         ctx = ssl.create_default_context()
    1708. 

  1708. 

  1709.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
    1710. 

  1710.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1711. 

  1711.         self.assertTrue(ctx.check_hostname)
    1712. 

  1712.         self._assert_context_options(ctx)
    1713. 

  1713. 

  1714.         with open(SIGNING_CA) as f:
    1715. 

  1715.             cadata = f.read()
    1716. 

  1716.         ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
    1717. 

  1717.                                          cadata=cadata)
    1718. 

  1718.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
    1719. 

  1719.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1720. 

  1720.         self._assert_context_options(ctx)
    1721. 

  1721. 

  1722.         ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    1723. 

  1723.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
    1724. 

  1724.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1725. 

  1725.         self._assert_context_options(ctx)
    1726. 

  1726. 

  1727.     def test__create_stdlib_context(self):
    1728. 

  1728.         ctx = ssl._create_stdlib_context()
    1729. 

  1729.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
    1730. 

  1730.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1731. 

  1731.         self.assertFalse(ctx.check_hostname)
    1732. 

  1732.         self._assert_context_options(ctx)
    1733. 

  1733. 

  1734.         if has_tls_protocol(ssl.PROTOCOL_TLSv1):
    1735. 

  1735.             with warnings_helper.check_warnings():
    1736. 

  1736.                 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
    1737. 

  1737.             self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
    1738. 

  1738.             self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1739. 

  1739.             self._assert_context_options(ctx)
    1740. 

  1740. 

  1741.         with warnings_helper.check_warnings():
    1742. 

  1742.             ctx = ssl._create_stdlib_context(
    1743. 

  1743.                 ssl.PROTOCOL_TLSv1_2,
    1744. 

  1744.                 cert_reqs=ssl.CERT_REQUIRED,
    1745. 

  1745.                 check_hostname=True
    1746. 

  1746.             )
    1747. 

  1747.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
    1748. 

  1748.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1749. 

  1749.         self.assertTrue(ctx.check_hostname)
    1750. 

  1750.         self._assert_context_options(ctx)
    1751. 

  1751. 

  1752.         ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
    1753. 

  1753.         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
    1754. 

  1754.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1755. 

  1755.         self._assert_context_options(ctx)
    1756. 

  1756. 

  1757.     def test_check_hostname(self):
    1758. 

  1758.         with warnings_helper.check_warnings():
    1759. 

  1759.             ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    1760. 

  1760.         self.assertFalse(ctx.check_hostname)
    1761. 

  1761.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1762. 

  1762. 

  1763.         # Auto set CERT_REQUIRED
    1764. 

  1764.         ctx.check_hostname = True
    1765. 

  1765.         self.assertTrue(ctx.check_hostname)
    1766. 

  1766.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1767. 

  1767.         ctx.check_hostname = False
    1768. 

  1768.         ctx.verify_mode = ssl.CERT_REQUIRED
    1769. 

  1769.         self.assertFalse(ctx.check_hostname)
    1770. 

  1770.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1771. 

  1771. 

  1772.         # Changing verify_mode does not affect check_hostname
    1773. 

  1773.         ctx.check_hostname = False
    1774. 

  1774.         ctx.verify_mode = ssl.CERT_NONE
    1775. 

  1775.         ctx.check_hostname = False
    1776. 

  1776.         self.assertFalse(ctx.check_hostname)
    1777. 

  1777.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1778. 

  1778.         # Auto set
    1779. 

  1779.         ctx.check_hostname = True
    1780. 

  1780.         self.assertTrue(ctx.check_hostname)
    1781. 

  1781.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1782. 

  1782. 

  1783.         ctx.check_hostname = False
    1784. 

  1784.         ctx.verify_mode = ssl.CERT_OPTIONAL
    1785. 

  1785.         ctx.check_hostname = False
    1786. 

  1786.         self.assertFalse(ctx.check_hostname)
    1787. 

  1787.         self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
    1788. 

  1788.         # keep CERT_OPTIONAL
    1789. 

  1789.         ctx.check_hostname = True
    1790. 

  1790.         self.assertTrue(ctx.check_hostname)
    1791. 

  1791.         self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
    1792. 

  1792. 

  1793.         # Cannot set CERT_NONE with check_hostname enabled
    1794. 

  1794.         with self.assertRaises(ValueError):
    1795. 

  1795.             ctx.verify_mode = ssl.CERT_NONE
    1796. 

  1796.         ctx.check_hostname = False
    1797. 

  1797.         self.assertFalse(ctx.check_hostname)
    1798. 

  1798.         ctx.verify_mode = ssl.CERT_NONE
    1799. 

  1799.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1800. 

  1800. 

  1801.     def test_context_client_server(self):
    1802. 

  1802.         # PROTOCOL_TLS_CLIENT has sane defaults
    1803. 

  1803.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1804. 

  1804.         self.assertTrue(ctx.check_hostname)
    1805. 

  1805.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    1806. 

  1806. 

  1807.         # PROTOCOL_TLS_SERVER has different but also sane defaults
    1808. 

  1808.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1809. 

  1809.         self.assertFalse(ctx.check_hostname)
    1810. 

  1810.         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
    1811. 

  1811. 

  1812.     def test_context_custom_class(self):
    1813. 

  1813.         class MySSLSocket(ssl.SSLSocket):
    1814. 

  1814.             pass
    1815. 

  1815. 

  1816.         class MySSLObject(ssl.SSLObject):
    1817. 

  1817.             pass
    1818. 

  1818. 

  1819.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1820. 

  1820.         ctx.sslsocket_class = MySSLSocket
    1821. 

  1821.         ctx.sslobject_class = MySSLObject
    1822. 

  1822. 

  1823.         with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
    1824. 

  1824.             self.assertIsInstance(sock, MySSLSocket)
    1825. 

  1825.         obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_side=True)
    1826. 

  1826.         self.assertIsInstance(obj, MySSLObject)
    1827. 

  1827. 

  1828.     def test_num_tickest(self):
    1829. 

  1829.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    1830. 

  1830.         self.assertEqual(ctx.num_tickets, 2)
    1831. 

  1831.         ctx.num_tickets = 1
    1832. 

  1832.         self.assertEqual(ctx.num_tickets, 1)
    1833. 

  1833.         ctx.num_tickets = 0
    1834. 

  1834.         self.assertEqual(ctx.num_tickets, 0)
    1835. 

  1835.         with self.assertRaises(ValueError):
    1836. 

  1836.             ctx.num_tickets = -1
    1837. 

  1837.         with self.assertRaises(TypeError):
    1838. 

  1838.             ctx.num_tickets = None
    1839. 

  1839. 

  1840.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1841. 

  1841.         self.assertEqual(ctx.num_tickets, 2)
    1842. 

  1842.         with self.assertRaises(ValueError):
    1843. 

  1843.             ctx.num_tickets = 1
    1844. 

  1844. 

  1845. 

  1846. class SSLErrorTests(unittest.TestCase):
    1847. 

  1847. 

  1848.     def test_str(self):
    1849. 

  1849.         # The str() of a SSLError doesn't include the errno
    1850. 

  1850.         e = ssl.SSLError(1, "foo")
    1851. 

  1851.         self.assertEqual(str(e), "foo")
    1852. 

  1852.         self.assertEqual(e.errno, 1)
    1853. 

  1853.         # Same for a subclass
    1854. 

  1854.         e = ssl.SSLZeroReturnError(1, "foo")
    1855. 

  1855.         self.assertEqual(str(e), "foo")
    1856. 

  1856.         self.assertEqual(e.errno, 1)
    1857. 

  1857. 

  1858.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    1859. 

  1859.     def test_lib_reason(self):
    1860. 

  1860.         # Test the library and reason attributes
    1861. 

  1861.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1862. 

  1862.         with self.assertRaises(ssl.SSLError) as cm:
    1863. 

  1863.             ctx.load_dh_params(CERTFILE)
    1864. 

  1864.         self.assertEqual(cm.exception.library, 'PEM')
    1865. 

  1865.         self.assertEqual(cm.exception.reason, 'NO_START_LINE')
    1866. 

  1866.         s = str(cm.exception)
    1867. 

  1867.         self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
    1868. 

  1868. 

  1869.     def test_subclass(self):
    1870. 

  1870.         # Check that the appropriate SSLError subclass is raised
    1871. 

  1871.         # (this only tests one of them)
    1872. 

  1872.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    1873. 

  1873.         ctx.check_hostname = False
    1874. 

  1874.         ctx.verify_mode = ssl.CERT_NONE
    1875. 

  1875.         with socket.create_server(("127.0.0.1", 0)) as s:
    1876. 

  1876.             c = socket.create_connection(s.getsockname())
    1877. 

  1877.             c.setblocking(False)
    1878. 

  1878.             with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
    1879. 

  1879.                 with self.assertRaises(ssl.SSLWantReadError) as cm:
    1880. 

  1880.                     c.do_handshake()
    1881. 

  1881.                 s = str(cm.exception)
    1882. 

  1882.                 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
    1883. 

  1883.                 # For compatibility
    1884. 

  1884.                 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
    1885. 

  1885. 

  1886. 

  1887.     def test_bad_server_hostname(self):
    1888. 

  1888.         ctx = ssl.create_default_context()
    1889. 

  1889.         with self.assertRaises(ValueError):
    1890. 

  1890.             ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
    1891. 

  1891.                          server_hostname="")
    1892. 

  1892.         with self.assertRaises(ValueError):
    1893. 

  1893.             ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
    1894. 

  1894.                          server_hostname=".example.org")
    1895. 

  1895.         with self.assertRaises(TypeError):
    1896. 

  1896.             ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
    1897. 

  1897.                          server_hostname="example.org\x00evil.com")
    1898. 

  1898. 

  1899. 

  1900. class MemoryBIOTests(unittest.TestCase):
    1901. 

  1901. 

  1902.     def test_read_write(self):
    1903. 

  1903.         bio = ssl.MemoryBIO()
    1904. 

  1904.         bio.write(b'foo')
    1905. 

  1905.         self.assertEqual(bio.read(), b'foo')
    1906. 

  1906.         self.assertEqual(bio.read(), b'')
    1907. 

  1907.         bio.write(b'foo')
    1908. 

  1908.         bio.write(b'bar')
    1909. 

  1909.         self.assertEqual(bio.read(), b'foobar')
    1910. 

  1910.         self.assertEqual(bio.read(), b'')
    1911. 

  1911.         bio.write(b'baz')
    1912. 

  1912.         self.assertEqual(bio.read(2), b'ba')
    1913. 

  1913.         self.assertEqual(bio.read(1), b'z')
    1914. 

  1914.         self.assertEqual(bio.read(1), b'')
    1915. 

  1915. 

  1916.     def test_eof(self):
    1917. 

  1917.         bio = ssl.MemoryBIO()
    1918. 

  1918.         self.assertFalse(bio.eof)
    1919. 

  1919.         self.assertEqual(bio.read(), b'')
    1920. 

  1920.         self.assertFalse(bio.eof)
    1921. 

  1921.         bio.write(b'foo')
    1922. 

  1922.         self.assertFalse(bio.eof)
    1923. 

  1923.         bio.write_eof()
    1924. 

  1924.         self.assertFalse(bio.eof)
    1925. 

  1925.         self.assertEqual(bio.read(2), b'fo')
    1926. 

  1926.         self.assertFalse(bio.eof)
    1927. 

  1927.         self.assertEqual(bio.read(1), b'o')
    1928. 

  1928.         self.assertTrue(bio.eof)
    1929. 

  1929.         self.assertEqual(bio.read(), b'')
    1930. 

  1930.         self.assertTrue(bio.eof)
    1931. 

  1931. 

  1932.     def test_pending(self):
    1933. 

  1933.         bio = ssl.MemoryBIO()
    1934. 

  1934.         self.assertEqual(bio.pending, 0)
    1935. 

  1935.         bio.write(b'foo')
    1936. 

  1936.         self.assertEqual(bio.pending, 3)
    1937. 

  1937.         for i in range(3):
    1938. 

  1938.             bio.read(1)
    1939. 

  1939.             self.assertEqual(bio.pending, 3-i-1)
    1940. 

  1940.         for i in range(3):
    1941. 

  1941.             bio.write(b'x')
    1942. 

  1942.             self.assertEqual(bio.pending, i+1)
    1943. 

  1943.         bio.read()
    1944. 

  1944.         self.assertEqual(bio.pending, 0)
    1945. 

  1945. 

  1946.     def test_buffer_types(self):
    1947. 

  1947.         bio = ssl.MemoryBIO()
    1948. 

  1948.         bio.write(b'foo')
    1949. 

  1949.         self.assertEqual(bio.read(), b'foo')
    1950. 

  1950.         bio.write(bytearray(b'bar'))
    1951. 

  1951.         self.assertEqual(bio.read(), b'bar')
    1952. 

  1952.         bio.write(memoryview(b'baz'))
    1953. 

  1953.         self.assertEqual(bio.read(), b'baz')
    1954. 

  1954. 

  1955.     def test_error_types(self):
    1956. 

  1956.         bio = ssl.MemoryBIO()
    1957. 

  1957.         self.assertRaises(TypeError, bio.write, 'foo')
    1958. 

  1958.         self.assertRaises(TypeError, bio.write, None)
    1959. 

  1959.         self.assertRaises(TypeError, bio.write, True)
    1960. 

  1960.         self.assertRaises(TypeError, bio.write, 1)
    1961. 

  1961. 

  1962. 

  1963. class SSLObjectTests(unittest.TestCase):
    1964. 

  1964.     def test_private_init(self):
    1965. 

  1965.         bio = ssl.MemoryBIO()
    1966. 

  1966.         with self.assertRaisesRegex(TypeError, "public constructor"):
    1967. 

  1967.             ssl.SSLObject(bio, bio)
    1968. 

  1968. 

  1969.     def test_unwrap(self):
    1970. 

  1970.         client_ctx, server_ctx, hostname = testing_context()
    1971. 

  1971.         c_in = ssl.MemoryBIO()
    1972. 

  1972.         c_out = ssl.MemoryBIO()
    1973. 

  1973.         s_in = ssl.MemoryBIO()
    1974. 

  1974.         s_out = ssl.MemoryBIO()
    1975. 

  1975.         client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    1976. 

  1976.         server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    1977. 

  1977. 

  1978.         # Loop on the handshake for a bit to get it settled
    1979. 

  1979.         for _ in range(5):
    1980. 

  1980.             try:
    1981. 

  1981.                 client.do_handshake()
    1982. 

  1982.             except ssl.SSLWantReadError:
    1983. 

  1983.                 pass
    1984. 

  1984.             if c_out.pending:
    1985. 

  1985.                 s_in.write(c_out.read())
    1986. 

  1986.             try:
    1987. 

  1987.                 server.do_handshake()
    1988. 

  1988.             except ssl.SSLWantReadError:
    1989. 

  1989.                 pass
    1990. 

  1990.             if s_out.pending:
    1991. 

  1991.                 c_in.write(s_out.read())
    1992. 

  1992.         # Now the handshakes should be complete (don't raise WantReadError)
    1993. 

  1993.         client.do_handshake()
    1994. 

  1994.         server.do_handshake()
    1995. 

  1995. 

  1996.         # Now if we unwrap one side unilaterally, it should send close-notify
    1997. 

  1997.         # and raise WantReadError:
    1998. 

  1998.         with self.assertRaises(ssl.SSLWantReadError):
    1999. 

  1999.             client.unwrap()
    2000. 

  2000. 

  2001.         # But server.unwrap() does not raise, because it reads the client's
    2002. 

  2002.         # close-notify:
    2003. 

  2003.         s_in.write(c_out.read())
    2004. 

  2004.         server.unwrap()
    2005. 

  2005. 

  2006.         # And now that the client gets the server's close-notify, it doesn't
    2007. 

  2007.         # raise either.
    2008. 

  2008.         c_in.write(s_out.read())
    2009. 

  2009.         client.unwrap()
    2010. 

  2010. 

  2011. class SimpleBackgroundTests(unittest.TestCase):
    2012. 

  2012.     """Tests that connect to a simple server running in the background"""
    2013. 

  2013. 

  2014.     def setUp(self):
    2015. 

  2015.         self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    2016. 

  2016.         self.server_context.load_cert_chain(SIGNED_CERTFILE)
    2017. 

  2017.         server = ThreadedEchoServer(context=self.server_context)
    2018. 

  2018.         self.enterContext(server)
    2019. 

  2019.         self.server_addr = (HOST, server.port)
    2020. 

  2020. 

  2021.     def test_connect(self):
    2022. 

  2022.         with test_wrap_socket(socket.socket(socket.AF_INET),
    2023. 

  2023.                             cert_reqs=ssl.CERT_NONE) as s:
    2024. 

  2024.             s.connect(self.server_addr)
    2025. 

  2025.             self.assertEqual({}, s.getpeercert())
    2026. 

  2026.             self.assertFalse(s.server_side)
    2027. 

  2027. 

  2028.         # this should succeed because we specify the root cert
    2029. 

  2029.         with test_wrap_socket(socket.socket(socket.AF_INET),
    2030. 

  2030.                             cert_reqs=ssl.CERT_REQUIRED,
    2031. 

  2031.                             ca_certs=SIGNING_CA) as s:
    2032. 

  2032.             s.connect(self.server_addr)
    2033. 

  2033.             self.assertTrue(s.getpeercert())
    2034. 

  2034.             self.assertFalse(s.server_side)
    2035. 

  2035. 

  2036.     def test_connect_fail(self):
    2037. 

  2037.         # This should fail because we have no verification certs. Connection
    2038. 

  2038.         # failure crashes ThreadedEchoServer, so run this in an independent
    2039. 

  2039.         # test method.
    2040. 

  2040.         s = test_wrap_socket(socket.socket(socket.AF_INET),
    2041. 

  2041.                             cert_reqs=ssl.CERT_REQUIRED)
    2042. 

  2042.         self.addCleanup(s.close)
    2043. 

  2043.         self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
    2044. 

  2044.                                s.connect, self.server_addr)
    2045. 

  2045. 

  2046.     def test_connect_ex(self):
    2047. 

  2047.         # Issue #11326: check connect_ex() implementation
    2048. 

  2048.         s = test_wrap_socket(socket.socket(socket.AF_INET),
    2049. 

  2049.                             cert_reqs=ssl.CERT_REQUIRED,
    2050. 

  2050.                             ca_certs=SIGNING_CA)
    2051. 

  2051.         self.addCleanup(s.close)
    2052. 

  2052.         self.assertEqual(0, s.connect_ex(self.server_addr))
    2053. 

  2053.         self.assertTrue(s.getpeercert())
    2054. 

  2054. 

  2055.     def test_non_blocking_connect_ex(self):
    2056. 

  2056.         # Issue #11326: non-blocking connect_ex() should allow handshake
    2057. 

  2057.         # to proceed after the socket gets ready.
    2058. 

  2058.         s = test_wrap_socket(socket.socket(socket.AF_INET),
    2059. 

  2059.                             cert_reqs=ssl.CERT_REQUIRED,
    2060. 

  2060.                             ca_certs=SIGNING_CA,
    2061. 

  2061.                             do_handshake_on_connect=False)
    2062. 

  2062.         self.addCleanup(s.close)
    2063. 

  2063.         s.setblocking(False)
    2064. 

  2064.         rc = s.connect_ex(self.server_addr)
    2065. 

  2065.         # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
    2066. 

  2066.         self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
    2067. 

  2067.         # Wait for connect to finish
    2068. 

  2068.         select.select([], [s], [], 5.0)
    2069. 

  2069.         # Non-blocking handshake
    2070. 

  2070.         while True:
    2071. 

  2071.             try:
    2072. 

  2072.                 s.do_handshake()
    2073. 

  2073.                 break
    2074. 

  2074.             except ssl.SSLWantReadError:
    2075. 

  2075.                 select.select([s], [], [], 5.0)
    2076. 

  2076.             except ssl.SSLWantWriteError:
    2077. 

  2077.                 select.select([], [s], [], 5.0)
    2078. 

  2078.         # SSL established
    2079. 

  2079.         self.assertTrue(s.getpeercert())
    2080. 

  2080. 

  2081.     def test_connect_with_context(self):
    2082. 

  2082.         # Same as test_connect, but with a separately created context
    2083. 

  2083.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2084. 

  2084.         ctx.check_hostname = False
    2085. 

  2085.         ctx.verify_mode = ssl.CERT_NONE
    2086. 

  2086.         with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
    2087. 

  2087.             s.connect(self.server_addr)
    2088. 

  2088.             self.assertEqual({}, s.getpeercert())
    2089. 

  2089.         # Same with a server hostname
    2090. 

  2090.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2091. 

  2091.                             server_hostname="dummy") as s:
    2092. 

  2092.             s.connect(self.server_addr)
    2093. 

  2093.         ctx.verify_mode = ssl.CERT_REQUIRED
    2094. 

  2094.         # This should succeed because we specify the root cert
    2095. 

  2095.         ctx.load_verify_locations(SIGNING_CA)
    2096. 

  2096.         with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
    2097. 

  2097.             s.connect(self.server_addr)
    2098. 

  2098.             cert = s.getpeercert()
    2099. 

  2099.             self.assertTrue(cert)
    2100. 

  2100. 

  2101.     def test_connect_with_context_fail(self):
    2102. 

  2102.         # This should fail because we have no verification certs. Connection
    2103. 

  2103.         # failure crashes ThreadedEchoServer, so run this in an independent
    2104. 

  2104.         # test method.
    2105. 

  2105.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2106. 

  2106.         s = ctx.wrap_socket(
    2107. 

  2107.             socket.socket(socket.AF_INET),
    2108. 

  2108.             server_hostname=SIGNED_CERTFILE_HOSTNAME
    2109. 

  2109.         )
    2110. 

  2110.         self.addCleanup(s.close)
    2111. 

  2111.         self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
    2112. 

  2112.                                 s.connect, self.server_addr)
    2113. 

  2113. 

  2114.     def test_connect_capath(self):
    2115. 

  2115.         # Verify server certificates using the `capath` argument
    2116. 

  2116.         # NOTE: the subject hashing algorithm has been changed between
    2117. 

  2117.         # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
    2118. 

  2118.         # contain both versions of each certificate (same content, different
    2119. 

  2119.         # filename) for this test to be portable across OpenSSL releases.
    2120. 

  2120.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2121. 

  2121.         ctx.load_verify_locations(capath=CAPATH)
    2122. 

  2122.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2123. 

  2123.                              server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
    2124. 

  2124.             s.connect(self.server_addr)
    2125. 

  2125.             cert = s.getpeercert()
    2126. 

  2126.             self.assertTrue(cert)
    2127. 

  2127. 

  2128.         # Same with a bytes `capath` argument
    2129. 

  2129.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2130. 

  2130.         ctx.load_verify_locations(capath=BYTES_CAPATH)
    2131. 

  2131.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2132. 

  2132.                              server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
    2133. 

  2133.             s.connect(self.server_addr)
    2134. 

  2134.             cert = s.getpeercert()
    2135. 

  2135.             self.assertTrue(cert)
    2136. 

  2136. 

  2137.     def test_connect_cadata(self):
    2138. 

  2138.         with open(SIGNING_CA) as f:
    2139. 

  2139.             pem = f.read()
    2140. 

  2140.         der = ssl.PEM_cert_to_DER_cert(pem)
    2141. 

  2141.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2142. 

  2142.         ctx.load_verify_locations(cadata=pem)
    2143. 

  2143.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2144. 

  2144.                              server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
    2145. 

  2145.             s.connect(self.server_addr)
    2146. 

  2146.             cert = s.getpeercert()
    2147. 

  2147.             self.assertTrue(cert)
    2148. 

  2148. 

  2149.         # same with DER
    2150. 

  2150.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2151. 

  2151.         ctx.load_verify_locations(cadata=der)
    2152. 

  2152.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2153. 

  2153.                              server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
    2154. 

  2154.             s.connect(self.server_addr)
    2155. 

  2155.             cert = s.getpeercert()
    2156. 

  2156.             self.assertTrue(cert)
    2157. 

  2157. 

  2158.     @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
    2159. 

  2159.     def test_makefile_close(self):
    2160. 

  2160.         # Issue #5238: creating a file-like object with makefile() shouldn't
    2161. 

  2161.         # delay closing the underlying "real socket" (here tested with its
    2162. 

  2162.         # file descriptor, hence skipping the test under Windows).
    2163. 

  2163.         ss = test_wrap_socket(socket.socket(socket.AF_INET))
    2164. 

  2164.         ss.connect(self.server_addr)
    2165. 

  2165.         fd = ss.fileno()
    2166. 

  2166.         f = ss.makefile()
    2167. 

  2167.         f.close()
    2168. 

  2168.         # The fd is still open
    2169. 

  2169.         os.read(fd, 0)
    2170. 

  2170.         # Closing the SSL socket should close the fd too
    2171. 

  2171.         ss.close()
    2172. 

  2172.         gc.collect()
    2173. 

  2173.         with self.assertRaises(OSError) as e:
    2174. 

  2174.             os.read(fd, 0)
    2175. 

  2175.         self.assertEqual(e.exception.errno, errno.EBADF)
    2176. 

  2176. 

  2177.     def test_non_blocking_handshake(self):
    2178. 

  2178.         s = socket.socket(socket.AF_INET)
    2179. 

  2179.         s.connect(self.server_addr)
    2180. 

  2180.         s.setblocking(False)
    2181. 

  2181.         s = test_wrap_socket(s,
    2182. 

  2182.                             cert_reqs=ssl.CERT_NONE,
    2183. 

  2183.                             do_handshake_on_connect=False)
    2184. 

  2184.         self.addCleanup(s.close)
    2185. 

  2185.         count = 0
    2186. 

  2186.         while True:
    2187. 

  2187.             try:
    2188. 

  2188.                 count += 1
    2189. 

  2189.                 s.do_handshake()
    2190. 

  2190.                 break
    2191. 

  2191.             except ssl.SSLWantReadError:
    2192. 

  2192.                 select.select([s], [], [])
    2193. 

  2193.             except ssl.SSLWantWriteError:
    2194. 

  2194.                 select.select([], [s], [])
    2195. 

  2195.         if support.verbose:
    2196. 

  2196.             sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
    2197. 

  2197. 

  2198.     def test_get_server_certificate(self):
    2199. 

  2199.         _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
    2200. 

  2200. 

  2201.     def test_get_server_certificate_sni(self):
    2202. 

  2202.         host, port = self.server_addr
    2203. 

  2203.         server_names = []
    2204. 

  2204. 

  2205.         # We store servername_cb arguments to make sure they match the host
    2206. 

  2206.         def servername_cb(ssl_sock, server_name, initial_context):
    2207. 

  2207.             server_names.append(server_name)
    2208. 

  2208.         self.server_context.set_servername_callback(servername_cb)
    2209. 

  2209. 

  2210.         pem = ssl.get_server_certificate((host, port))
    2211. 

  2211.         if not pem:
    2212. 

  2212.             self.fail("No server certificate on %s:%s!" % (host, port))
    2213. 

  2213. 

  2214.         pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
    2215. 

  2215.         if not pem:
    2216. 

  2216.             self.fail("No server certificate on %s:%s!" % (host, port))
    2217. 

  2217.         if support.verbose:
    2218. 

  2218.             sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
    2219. 

  2219. 

  2220.         self.assertEqual(server_names, [host, host])
    2221. 

  2221. 

  2222.     def test_get_server_certificate_fail(self):
    2223. 

  2223.         # Connection failure crashes ThreadedEchoServer, so run this in an
    2224. 

  2224.         # independent test method
    2225. 

  2225.         _test_get_server_certificate_fail(self, *self.server_addr)
    2226. 

  2226. 

  2227.     def test_get_server_certificate_timeout(self):
    2228. 

  2228.         def servername_cb(ssl_sock, server_name, initial_context):
    2229. 

  2229.             time.sleep(0.2)
    2230. 

  2230.         self.server_context.set_servername_callback(servername_cb)
    2231. 

  2231. 

  2232.         with self.assertRaises(socket.timeout):
    2233. 

  2233.             ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
    2234. 

  2234.                                        timeout=0.1)
    2235. 

  2235. 

  2236.     def test_ciphers(self):
    2237. 

  2237.         with test_wrap_socket(socket.socket(socket.AF_INET),
    2238. 

  2238.                              cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
    2239. 

  2239.             s.connect(self.server_addr)
    2240. 

  2240.         with test_wrap_socket(socket.socket(socket.AF_INET),
    2241. 

  2241.                              cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
    2242. 

  2242.             s.connect(self.server_addr)
    2243. 

  2243.         # Error checking can happen at instantiation or when connecting
    2244. 

  2244.         with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
    2245. 

  2245.             with socket.socket(socket.AF_INET) as sock:
    2246. 

  2246.                 s = test_wrap_socket(sock,
    2247. 

  2247.                                     cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
    2248. 

  2248.                 s.connect(self.server_addr)
    2249. 

  2249. 

  2250.     def test_get_ca_certs_capath(self):
    2251. 

  2251.         # capath certs are loaded on request
    2252. 

  2252.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2253. 

  2253.         ctx.load_verify_locations(capath=CAPATH)
    2254. 

  2254.         self.assertEqual(ctx.get_ca_certs(), [])
    2255. 

  2255.         with ctx.wrap_socket(socket.socket(socket.AF_INET),
    2256. 

  2256.                              server_hostname='localhost') as s:
    2257. 

  2257.             s.connect(self.server_addr)
    2258. 

  2258.             cert = s.getpeercert()
    2259. 

  2259.             self.assertTrue(cert)
    2260. 

  2260.         self.assertEqual(len(ctx.get_ca_certs()), 1)
    2261. 

  2261. 

  2262.     def test_context_setget(self):
    2263. 

  2263.         # Check that the context of a connected socket can be replaced.
    2264. 

  2264.         ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2265. 

  2265.         ctx1.load_verify_locations(capath=CAPATH)
    2266. 

  2266.         ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2267. 

  2267.         ctx2.load_verify_locations(capath=CAPATH)
    2268. 

  2268.         s = socket.socket(socket.AF_INET)
    2269. 

  2269.         with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
    2270. 

  2270.             ss.connect(self.server_addr)
    2271. 

  2271.             self.assertIs(ss.context, ctx1)
    2272. 

  2272.             self.assertIs(ss._sslobj.context, ctx1)
    2273. 

  2273.             ss.context = ctx2
    2274. 

  2274.             self.assertIs(ss.context, ctx2)
    2275. 

  2275.             self.assertIs(ss._sslobj.context, ctx2)
    2276. 

  2276. 

  2277.     def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
    2278. 

  2278.         # A simple IO loop. Call func(*args) depending on the error we get
    2279. 

  2279.         # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
    2280. 

  2280.         timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
    2281. 

  2281.         deadline = time.monotonic() + timeout
    2282. 

  2282.         count = 0
    2283. 

  2283.         while True:
    2284. 

  2284.             if time.monotonic() > deadline:
    2285. 

  2285.                 self.fail("timeout")
    2286. 

  2286.             errno = None
    2287. 

  2287.             count += 1
    2288. 

  2288.             try:
    2289. 

  2289.                 ret = func(*args)
    2290. 

  2290.             except ssl.SSLError as e:
    2291. 

  2291.                 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
    2292. 

  2292.                                    ssl.SSL_ERROR_WANT_WRITE):
    2293. 

  2293.                     raise
    2294. 

  2294.                 errno = e.errno
    2295. 

  2295.             # Get any data from the outgoing BIO irrespective of any error, and
    2296. 

  2296.             # send it to the socket.
    2297. 

  2297.             buf = outgoing.read()
    2298. 

  2298.             sock.sendall(buf)
    2299. 

  2299.             # If there's no error, we're done. For WANT_READ, we need to get
    2300. 

  2300.             # data from the socket and put it in the incoming BIO.
    2301. 

  2301.             if errno is None:
    2302. 

  2302.                 break
    2303. 

  2303.             elif errno == ssl.SSL_ERROR_WANT_READ:
    2304. 

  2304.                 buf = sock.recv(32768)
    2305. 

  2305.                 if buf:
    2306. 

  2306.                     incoming.write(buf)
    2307. 

  2307.                 else:
    2308. 

  2308.                     incoming.write_eof()
    2309. 

  2309.         if support.verbose:
    2310. 

  2310.             sys.stdout.write("Needed %d calls to complete %s().\n"
    2311. 

  2311.                              % (count, func.__name__))
    2312. 

  2312.         return ret
    2313. 

  2313. 

  2314.     def test_bio_handshake(self):
    2315. 

  2315.         sock = socket.socket(socket.AF_INET)
    2316. 

  2316.         self.addCleanup(sock.close)
    2317. 

  2317.         sock.connect(self.server_addr)
    2318. 

  2318.         incoming = ssl.MemoryBIO()
    2319. 

  2319.         outgoing = ssl.MemoryBIO()
    2320. 

  2320.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2321. 

  2321.         self.assertTrue(ctx.check_hostname)
    2322. 

  2322.         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    2323. 

  2323.         ctx.load_verify_locations(SIGNING_CA)
    2324. 

  2324.         sslobj = ctx.wrap_bio(incoming, outgoing, False,
    2325. 

  2325.                               SIGNED_CERTFILE_HOSTNAME)
    2326. 

  2326.         self.assertIs(sslobj._sslobj.owner, sslobj)
    2327. 

  2327.         self.assertIsNone(sslobj.cipher())
    2328. 

  2328.         self.assertIsNone(sslobj.version())
    2329. 

  2329.         self.assertIsNotNone(sslobj.shared_ciphers())
    2330. 

  2330.         self.assertRaises(ValueError, sslobj.getpeercert)
    2331. 

  2331.         if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
    2332. 

  2332.             self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
    2333. 

  2333.         self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
    2334. 

  2334.         self.assertTrue(sslobj.cipher())
    2335. 

  2335.         self.assertIsNotNone(sslobj.shared_ciphers())
    2336. 

  2336.         self.assertIsNotNone(sslobj.version())
    2337. 

  2337.         self.assertTrue(sslobj.getpeercert())
    2338. 

  2338.         if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
    2339. 

  2339.             self.assertTrue(sslobj.get_channel_binding('tls-unique'))
    2340. 

  2340.         try:
    2341. 

  2341.             self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
    2342. 

  2342.         except ssl.SSLSyscallError:
    2343. 

  2343.             # If the server shuts down the TCP connection without sending a
    2344. 

  2344.             # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
    2345. 

  2345.             pass
    2346. 

  2346.         self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
    2347. 

  2347. 

  2348.     def test_bio_read_write_data(self):
    2349. 

  2349.         sock = socket.socket(socket.AF_INET)
    2350. 

  2350.         self.addCleanup(sock.close)
    2351. 

  2351.         sock.connect(self.server_addr)
    2352. 

  2352.         incoming = ssl.MemoryBIO()
    2353. 

  2353.         outgoing = ssl.MemoryBIO()
    2354. 

  2354.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    2355. 

  2355.         ctx.check_hostname = False
    2356. 

  2356.         ctx.verify_mode = ssl.CERT_NONE
    2357. 

  2357.         sslobj = ctx.wrap_bio(incoming, outgoing, False)
    2358. 

  2358.         self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
    2359. 

  2359.         req = b'FOO\n'
    2360. 

  2360.         self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
    2361. 

  2361.         buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
    2362. 

  2362.         self.assertEqual(buf, b'foo\n')
    2363. 

  2363.         self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
    2364. 

  2364. 

  2365. 

  2366. @support.requires_resource('network')
    2367. 

  2367. class NetworkedTests(unittest.TestCase):
    2368. 

  2368. 

  2369.     def test_timeout_connect_ex(self):
    2370. 

  2370.         # Issue #12065: on a timeout, connect_ex() should return the original
    2371. 

  2371.         # errno (mimicking the behaviour of non-SSL sockets).
    2372. 

  2372.         with socket_helper.transient_internet(REMOTE_HOST):
    2373. 

  2373.             s = test_wrap_socket(socket.socket(socket.AF_INET),
    2374. 

  2374.                                 cert_reqs=ssl.CERT_REQUIRED,
    2375. 

  2375.                                 do_handshake_on_connect=False)
    2376. 

  2376.             self.addCleanup(s.close)
    2377. 

  2377.             s.settimeout(0.0000001)
    2378. 

  2378.             rc = s.connect_ex((REMOTE_HOST, 443))
    2379. 

  2379.             if rc == 0:
    2380. 

  2380.                 self.skipTest("REMOTE_HOST responded too quickly")
    2381. 

  2381.             elif rc == errno.ENETUNREACH:
    2382. 

  2382.                 self.skipTest("Network unreachable.")
    2383. 

  2383.             self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
    2384. 

  2384. 

  2385.     @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
    2386. 

  2386.     def test_get_server_certificate_ipv6(self):
    2387. 

  2387.         with socket_helper.transient_internet('ipv6.google.com'):
    2388. 

  2388.             _test_get_server_certificate(self, 'ipv6.google.com', 443)
    2389. 

  2389.             _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
    2390. 

  2390. 

  2391. 

  2392. def _test_get_server_certificate(test, host, port, cert=None):
    2393. 

  2393.     pem = ssl.get_server_certificate((host, port))
    2394. 

  2394.     if not pem:
    2395. 

  2395.         test.fail("No server certificate on %s:%s!" % (host, port))
    2396. 

  2396. 

  2397.     pem = ssl.get_server_certificate((host, port), ca_certs=cert)
    2398. 

  2398.     if not pem:
    2399. 

  2399.         test.fail("No server certificate on %s:%s!" % (host, port))
    2400. 

  2400.     if support.verbose:
    2401. 

  2401.         sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
    2402. 

  2402. 

  2403. def _test_get_server_certificate_fail(test, host, port):
    2404. 

  2404.     try:
    2405. 

  2405.         pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
    2406. 

  2406.     except ssl.SSLError as x:
    2407. 

  2407.         #should fail
    2408. 

  2408.         if support.verbose:
    2409. 

  2409.             sys.stdout.write("%s\n" % x)
    2410. 

  2410.     else:
    2411. 

  2411.         test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
    2412. 

  2412. 

  2413. 

  2414. from test.ssl_servers import make_https_server
    2415. 

  2415. 

  2416. class ThreadedEchoServer(threading.Thread):
    2417. 

  2417. 

  2418.     class ConnectionHandler(threading.Thread):
    2419. 

  2419. 

  2420.         """A mildly complicated class, because we want it to work both
    2421. 

  2421.         with and without the SSL wrapper around the socket connection, so
    2422. 

  2422.         that we can test the STARTTLS functionality."""
    2423. 

  2423. 

  2424.         def __init__(self, server, connsock, addr):
    2425. 

  2425.             self.server = server
    2426. 

  2426.             self.running = False
    2427. 

  2427.             self.sock = connsock
    2428. 

  2428.             self.addr = addr
    2429. 

  2429.             self.sock.setblocking(True)
    2430. 

  2430.             self.sslconn = None
    2431. 

  2431.             threading.Thread.__init__(self)
    2432. 

  2432.             self.daemon = True
    2433. 

  2433. 

  2434.         def wrap_conn(self):
    2435. 

  2435.             try:
    2436. 

  2436.                 self.sslconn = self.server.context.wrap_socket(
    2437. 

  2437.                     self.sock, server_side=True)
    2438. 

  2438.                 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
    2439. 

  2439.             except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
    2440. 

  2440.                 # We treat ConnectionResetError as though it were an
    2441. 

  2441.                 # SSLError - OpenSSL on Ubuntu abruptly closes the
    2442. 

  2442.                 # connection when asked to use an unsupported protocol.
    2443. 

  2443.                 #
    2444. 

  2444.                 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
    2445. 

  2445.                 # tries to send session tickets after handshake.
    2446. 

  2446.                 # https://github.com/openssl/openssl/issues/6342
    2447. 

  2447.                 #
    2448. 

  2448.                 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
    2449. 

  2449.                 # tries to send session tickets after handshake when using WinSock.
    2450. 

  2450.                 self.server.conn_errors.append(str(e))
    2451. 

  2451.                 if self.server.chatty:
    2452. 

  2452.                     handle_error("\n server:  bad connection attempt from " + repr(self.addr) + ":\n")
    2453. 

  2453.                 self.running = False
    2454. 

  2454.                 self.close()
    2455. 

  2455.                 return False
    2456. 

  2456.             except (ssl.SSLError, OSError) as e:
    2457. 

  2457.                 # OSError may occur with wrong protocols, e.g. both
    2458. 

  2458.                 # sides use PROTOCOL_TLS_SERVER.
    2459. 

  2459.                 #
    2460. 

  2460.                 # XXX Various errors can have happened here, for example
    2461. 

  2461.                 # a mismatching protocol version, an invalid certificate,
    2462. 

  2462.                 # or a low-level bug. This should be made more discriminating.
    2463. 

  2463.                 #
    2464. 

  2464.                 # bpo-31323: Store the exception as string to prevent
    2465. 

  2465.                 # a reference leak: server -> conn_errors -> exception
    2466. 

  2466.                 # -> traceback -> self (ConnectionHandler) -> server
    2467. 

  2467.                 self.server.conn_errors.append(str(e))
    2468. 

  2468.                 if self.server.chatty:
    2469. 

  2469.                     handle_error("\n server:  bad connection attempt from " + repr(self.addr) + ":\n")
    2470. 

  2470. 

  2471.                 # bpo-44229, bpo-43855, bpo-44237, and bpo-33450:
    2472. 

  2472.                 # Ignore spurious EPROTOTYPE returned by write() on macOS.
    2473. 

  2473.                 # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/
    2474. 

  2474.                 if e.errno != errno.EPROTOTYPE and sys.platform != "darwin":
    2475. 

  2475.                     self.running = False
    2476. 

  2476.                     self.server.stop()
    2477. 

  2477.                     self.close()
    2478. 

  2478.                 return False
    2479. 

  2479.             else:
    2480. 

  2480.                 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
    2481. 

  2481.                 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
    2482. 

  2482.                     cert = self.sslconn.getpeercert()
    2483. 

  2483.                     if support.verbose and self.server.chatty:
    2484. 

  2484.                         sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
    2485. 

  2485.                     cert_binary = self.sslconn.getpeercert(True)
    2486. 

  2486.                     if support.verbose and self.server.chatty:
    2487. 

  2487.                         if cert_binary is None:
    2488. 

  2488.                             sys.stdout.write(" client did not provide a cert\n")
    2489. 

  2489.                         else:
    2490. 

  2490.                             sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
    2491. 

  2491.                 cipher = self.sslconn.cipher()
    2492. 

  2492.                 if support.verbose and self.server.chatty:
    2493. 

  2493.                     sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
    2494. 

  2494.                 return True
    2495. 

  2495. 

  2496.         def read(self):
    2497. 

  2497.             if self.sslconn:
    2498. 

  2498.                 return self.sslconn.read()
    2499. 

  2499.             else:
    2500. 

  2500.                 return self.sock.recv(1024)
    2501. 

  2501. 

  2502.         def write(self, bytes):
    2503. 

  2503.             if self.sslconn:
    2504. 

  2504.                 return self.sslconn.write(bytes)
    2505. 

  2505.             else:
    2506. 

  2506.                 return self.sock.send(bytes)
    2507. 

  2507. 

  2508.         def close(self):
    2509. 

  2509.             if self.sslconn:
    2510. 

  2510.                 self.sslconn.close()
    2511. 

  2511.             else:
    2512. 

  2512.                 self.sock.close()
    2513. 

  2513. 

  2514.         def run(self):
    2515. 

  2515.             self.running = True
    2516. 

  2516.             if not self.server.starttls_server:
    2517. 

  2517.                 if not self.wrap_conn():
    2518. 

  2518.                     return
    2519. 

  2519.             while self.running:
    2520. 

  2520.                 try:
    2521. 

  2521.                     msg = self.read()
    2522. 

  2522.                     stripped = msg.strip()
    2523. 

  2523.                     if not stripped:
    2524. 

  2524.                         # eof, so quit this handler
    2525. 

  2525.                         self.running = False
    2526. 

  2526.                         try:
    2527. 

  2527.                             self.sock = self.sslconn.unwrap()
    2528. 

  2528.                         except OSError:
    2529. 

  2529.                             # Many tests shut the TCP connection down
    2530. 

  2530.                             # without an SSL shutdown. This causes
    2531. 

  2531.                             # unwrap() to raise OSError with errno=0!
    2532. 

  2532.                             pass
    2533. 

  2533.                         else:
    2534. 

  2534.                             self.sslconn = None
    2535. 

  2535.                         self.close()
    2536. 

  2536.                     elif stripped == b'over':
    2537. 

  2537.                         if support.verbose and self.server.connectionchatty:
    2538. 

  2538.                             sys.stdout.write(" server: client closed connection\n")
    2539. 

  2539.                         self.close()
    2540. 

  2540.                         return
    2541. 

  2541.                     elif (self.server.starttls_server and
    2542. 

  2542.                           stripped == b'STARTTLS'):
    2543. 

  2543.                         if support.verbose and self.server.connectionchatty:
    2544. 

  2544.                             sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
    2545. 

  2545.                         self.write(b"OK\n")
    2546. 

  2546.                         if not self.wrap_conn():
    2547. 

  2547.                             return
    2548. 

  2548.                     elif (self.server.starttls_server and self.sslconn
    2549. 

  2549.                           and stripped == b'ENDTLS'):
    2550. 

  2550.                         if support.verbose and self.server.connectionchatty:
    2551. 

  2551.                             sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
    2552. 

  2552.                         self.write(b"OK\n")
    2553. 

  2553.                         self.sock = self.sslconn.unwrap()
    2554. 

  2554.                         self.sslconn = None
    2555. 

  2555.                         if support.verbose and self.server.connectionchatty:
    2556. 

  2556.                             sys.stdout.write(" server: connection is now unencrypted...\n")
    2557. 

  2557.                     elif stripped == b'CB tls-unique':
    2558. 

  2558.                         if support.verbose and self.server.connectionchatty:
    2559. 

  2559.                             sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
    2560. 

  2560.                         data = self.sslconn.get_channel_binding("tls-unique")
    2561. 

  2561.                         self.write(repr(data).encode("us-ascii") + b"\n")
    2562. 

  2562.                     elif stripped == b'PHA':
    2563. 

  2563.                         if support.verbose and self.server.connectionchatty:
    2564. 

  2564.                             sys.stdout.write(" server: initiating post handshake auth\n")
    2565. 

  2565.                         try:
    2566. 

  2566.                             self.sslconn.verify_client_post_handshake()
    2567. 

  2567.                         except ssl.SSLError as e:
    2568. 

  2568.                             self.write(repr(e).encode("us-ascii") + b"\n")
    2569. 

  2569.                         else:
    2570. 

  2570.                             self.write(b"OK\n")
    2571. 

  2571.                     elif stripped == b'HASCERT':
    2572. 

  2572.                         if self.sslconn.getpeercert() is not None:
    2573. 

  2573.                             self.write(b'TRUE\n')
    2574. 

  2574.                         else:
    2575. 

  2575.                             self.write(b'FALSE\n')
    2576. 

  2576.                     elif stripped == b'GETCERT':
    2577. 

  2577.                         cert = self.sslconn.getpeercert()
    2578. 

  2578.                         self.write(repr(cert).encode("us-ascii") + b"\n")
    2579. 

  2579.                     elif stripped == b'VERIFIEDCHAIN':
    2580. 

  2580.                         certs = self.sslconn._sslobj.get_verified_chain()
    2581. 

  2581.                         self.write(len(certs).to_bytes(1, "big") + b"\n")
    2582. 

  2582.                     elif stripped == b'UNVERIFIEDCHAIN':
    2583. 

  2583.                         certs = self.sslconn._sslobj.get_unverified_chain()
    2584. 

  2584.                         self.write(len(certs).to_bytes(1, "big") + b"\n")
    2585. 

  2585.                     else:
    2586. 

  2586.                         if (support.verbose and
    2587. 

  2587.                             self.server.connectionchatty):
    2588. 

  2588.                             ctype = (self.sslconn and "encrypted") or "unencrypted"
    2589. 

  2589.                             sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
    2590. 

  2590.                                              % (msg, ctype, msg.lower(), ctype))
    2591. 

  2591.                         self.write(msg.lower())
    2592. 

  2592.                 except OSError as e:
    2593. 

  2593.                     # handles SSLError and socket errors
    2594. 

  2594.                     if self.server.chatty and support.verbose:
    2595. 

  2595.                         if isinstance(e, ConnectionError):
    2596. 

  2596.                             # OpenSSL 1.1.1 sometimes raises
    2597. 

  2597.                             # ConnectionResetError when connection is not
    2598. 

  2598.                             # shut down gracefully.
    2599. 

  2599.                             print(
    2600. 

  2600.                                 f" Connection reset by peer: {self.addr}"
    2601. 

  2601.                             )
    2602. 

  2602.                         else:
    2603. 

  2603.                             handle_error("Test server failure:\n")
    2604. 

  2604.                     try:
    2605. 

  2605.                         self.write(b"ERROR\n")
    2606. 

  2606.                     except OSError:
    2607. 

  2607.                         pass
    2608. 

  2608.                     self.close()
    2609. 

  2609.                     self.running = False
    2610. 

  2610. 

  2611.                     # normally, we'd just stop here, but for the test
    2612. 

  2612.                     # harness, we want to stop the server
    2613. 

  2613.                     self.server.stop()
    2614. 

  2614. 

  2615.     def __init__(self, certificate=None, ssl_version=None,
    2616. 

  2616.                  certreqs=None, cacerts=None,
    2617. 

  2617.                  chatty=True, connectionchatty=False, starttls_server=False,
    2618. 

  2618.                  alpn_protocols=None,
    2619. 

  2619.                  ciphers=None, context=None):
    2620. 

  2620.         if context:
    2621. 

  2621.             self.context = context
    2622. 

  2622.         else:
    2623. 

  2623.             self.context = ssl.SSLContext(ssl_version
    2624. 

  2624.                                           if ssl_version is not None
    2625. 

  2625.                                           else ssl.PROTOCOL_TLS_SERVER)
    2626. 

  2626.             self.context.verify_mode = (certreqs if certreqs is not None
    2627. 

  2627.                                         else ssl.CERT_NONE)
    2628. 

  2628.             if cacerts:
    2629. 

  2629.                 self.context.load_verify_locations(cacerts)
    2630. 

  2630.             if certificate:
    2631. 

  2631.                 self.context.load_cert_chain(certificate)
    2632. 

  2632.             if alpn_protocols:
    2633. 

  2633.                 self.context.set_alpn_protocols(alpn_protocols)
    2634. 

  2634.             if ciphers:
    2635. 

  2635.                 self.context.set_ciphers(ciphers)
    2636. 

  2636.         self.chatty = chatty
    2637. 

  2637.         self.connectionchatty = connectionchatty
    2638. 

  2638.         self.starttls_server = starttls_server
    2639. 

  2639.         self.sock = socket.socket()
    2640. 

  2640.         self.port = socket_helper.bind_port(self.sock)
    2641. 

  2641.         self.flag = None
    2642. 

  2642.         self.active = False
    2643. 

  2643.         self.selected_alpn_protocols = []
    2644. 

  2644.         self.shared_ciphers = []
    2645. 

  2645.         self.conn_errors = []
    2646. 

  2646.         threading.Thread.__init__(self)
    2647. 

  2647.         self.daemon = True
    2648. 

  2648. 

  2649.     def __enter__(self):
    2650. 

  2650.         self.start(threading.Event())
    2651. 

  2651.         self.flag.wait()
    2652. 

  2652.         return self
    2653. 

  2653. 

  2654.     def __exit__(self, *args):
    2655. 

  2655.         self.stop()
    2656. 

  2656.         self.join()
    2657. 

  2657. 

  2658.     def start(self, flag=None):
    2659. 

  2659.         self.flag = flag
    2660. 

  2660.         threading.Thread.start(self)
    2661. 

  2661. 

  2662.     def run(self):
    2663. 

  2663.         self.sock.settimeout(1.0)
    2664. 

  2664.         self.sock.listen(5)
    2665. 

  2665.         self.active = True
    2666. 

  2666.         if self.flag:
    2667. 

  2667.             # signal an event
    2668. 

  2668.             self.flag.set()
    2669. 

  2669.         while self.active:
    2670. 

  2670.             try:
    2671. 

  2671.                 newconn, connaddr = self.sock.accept()
    2672. 

  2672.                 if support.verbose and self.chatty:
    2673. 

  2673.                     sys.stdout.write(' server:  new connection from '
    2674. 

  2674.                                      + repr(connaddr) + '\n')
    2675. 

  2675.                 handler = self.ConnectionHandler(self, newconn, connaddr)
    2676. 

  2676.                 handler.start()
    2677. 

  2677.                 handler.join()
    2678. 

  2678.             except TimeoutError as e:
    2679. 

  2679.                 if support.verbose:
    2680. 

  2680.                     sys.stdout.write(f' connection timeout {e!r}\n')
    2681. 

  2681.             except KeyboardInterrupt:
    2682. 

  2682.                 self.stop()
    2683. 

  2683.             except BaseException as e:
    2684. 

  2684.                 if support.verbose and self.chatty:
    2685. 

  2685.                     sys.stdout.write(
    2686. 

  2686.                         ' connection handling failed: ' + repr(e) + '\n')
    2687. 

  2687. 

  2688.         self.close()
    2689. 

  2689. 

  2690.     def close(self):
    2691. 

  2691.         if self.sock is not None:
    2692. 

  2692.             self.sock.close()
    2693. 

  2693.             self.sock = None
    2694. 

  2694. 

  2695.     def stop(self):
    2696. 

  2696.         self.active = False
    2697. 

  2697. 

  2698. class AsyncoreEchoServer(threading.Thread):
    2699. 

  2699. 

  2700.     # this one's based on asyncore.dispatcher
    2701. 

  2701. 

  2702.     class EchoServer (asyncore.dispatcher):
    2703. 

  2703. 

  2704.         class ConnectionHandler(asyncore.dispatcher_with_send):
    2705. 

  2705. 

  2706.             def __init__(self, conn, certfile):
    2707. 

  2707.                 self.socket = test_wrap_socket(conn, server_side=True,
    2708. 

  2708.                                               certfile=certfile,
    2709. 

  2709.                                               do_handshake_on_connect=False)
    2710. 

  2710.                 asyncore.dispatcher_with_send.__init__(self, self.socket)
    2711. 

  2711.                 self._ssl_accepting = True
    2712. 

  2712.                 self._do_ssl_handshake()
    2713. 

  2713. 

  2714.             def readable(self):
    2715. 

  2715.                 if isinstance(self.socket, ssl.SSLSocket):
    2716. 

  2716.                     while self.socket.pending() > 0:
    2717. 

  2717.                         self.handle_read_event()
    2718. 

  2718.                 return True
    2719. 

  2719. 

  2720.             def _do_ssl_handshake(self):
    2721. 

  2721.                 try:
    2722. 

  2722.                     self.socket.do_handshake()
    2723. 

  2723.                 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
    2724. 

  2724.                     return
    2725. 

  2725.                 except ssl.SSLEOFError:
    2726. 

  2726.                     return self.handle_close()
    2727. 

  2727.                 except ssl.SSLError:
    2728. 

  2728.                     raise
    2729. 

  2729.                 except OSError as err:
    2730. 

  2730.                     if err.args[0] == errno.ECONNABORTED:
    2731. 

  2731.                         return self.handle_close()
    2732. 

  2732.                 else:
    2733. 

  2733.                     self._ssl_accepting = False
    2734. 

  2734. 

  2735.             def handle_read(self):
    2736. 

  2736.                 if self._ssl_accepting:
    2737. 

  2737.                     self._do_ssl_handshake()
    2738. 

  2738.                 else:
    2739. 

  2739.                     data = self.recv(1024)
    2740. 

  2740.                     if support.verbose:
    2741. 

  2741.                         sys.stdout.write(" server:  read %s from client\n" % repr(data))
    2742. 

  2742.                     if not data:
    2743. 

  2743.                         self.close()
    2744. 

  2744.                     else:
    2745. 

  2745.                         self.send(data.lower())
    2746. 

  2746. 

  2747.             def handle_close(self):
    2748. 

  2748.                 self.close()
    2749. 

  2749.                 if support.verbose:
    2750. 

  2750.                     sys.stdout.write(" server:  closed connection %s\n" % self.socket)
    2751. 

  2751. 

  2752.             def handle_error(self):
    2753. 

  2753.                 raise
    2754. 

  2754. 

  2755.         def __init__(self, certfile):
    2756. 

  2756.             self.certfile = certfile
    2757. 

  2757.             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    2758. 

  2758.             self.port = socket_helper.bind_port(sock, '')
    2759. 

  2759.             asyncore.dispatcher.__init__(self, sock)
    2760. 

  2760.             self.listen(5)
    2761. 

  2761. 

  2762.         def handle_accepted(self, sock_obj, addr):
    2763. 

  2763.             if support.verbose:
    2764. 

  2764.                 sys.stdout.write(" server:  new connection from %s:%s\n" %addr)
    2765. 

  2765.             self.ConnectionHandler(sock_obj, self.certfile)
    2766. 

  2766. 

  2767.         def handle_error(self):
    2768. 

  2768.             raise
    2769. 

  2769. 

  2770.     def __init__(self, certfile):
    2771. 

  2771.         self.flag = None
    2772. 

  2772.         self.active = False
    2773. 

  2773.         self.server = self.EchoServer(certfile)
    2774. 

  2774.         self.port = self.server.port
    2775. 

  2775.         threading.Thread.__init__(self)
    2776. 

  2776.         self.daemon = True
    2777. 

  2777. 

  2778.     def __str__(self):
    2779. 

  2779.         return "<%s %s>" % (self.__class__.__name__, self.server)
    2780. 

  2780. 

  2781.     def __enter__(self):
    2782. 

  2782.         self.start(threading.Event())
    2783. 

  2783.         self.flag.wait()
    2784. 

  2784.         return self
    2785. 

  2785. 

  2786.     def __exit__(self, *args):
    2787. 

  2787.         if support.verbose:
    2788. 

  2788.             sys.stdout.write(" cleanup: stopping server.\n")
    2789. 

  2789.         self.stop()
    2790. 

  2790.         if support.verbose:
    2791. 

  2791.             sys.stdout.write(" cleanup: joining server thread.\n")
    2792. 

  2792.         self.join()
    2793. 

  2793.         if support.verbose:
    2794. 

  2794.             sys.stdout.write(" cleanup: successfully joined.\n")
    2795. 

  2795.         # make sure that ConnectionHandler is removed from socket_map
    2796. 

  2796.         asyncore.close_all(ignore_all=True)
    2797. 

  2797. 

  2798.     def start (self, flag=None):
    2799. 

  2799.         self.flag = flag
    2800. 

  2800.         threading.Thread.start(self)
    2801. 

  2801. 

  2802.     def run(self):
    2803. 

  2803.         self.active = True
    2804. 

  2804.         if self.flag:
    2805. 

  2805.             self.flag.set()
    2806. 

  2806.         while self.active:
    2807. 

  2807.             try:
    2808. 

  2808.                 asyncore.loop(1)
    2809. 

  2809.             except:
    2810. 

  2810.                 pass
    2811. 

  2811. 

  2812.     def stop(self):
    2813. 

  2813.         self.active = False
    2814. 

  2814.         self.server.close()
    2815. 

  2815. 

  2816. def server_params_test(client_context, server_context, indata=b"FOO\n",
    2817. 

  2817.                        chatty=True, connectionchatty=False, sni_name=None,
    2818. 

  2818.                        session=None):
    2819. 

  2819.     """
    2820. 

  2820.     Launch a server, connect a client to it and try various reads
    2821. 

  2821.     and writes.
    2822. 

  2822.     """
    2823. 

  2823.     stats = {}
    2824. 

  2824.     server = ThreadedEchoServer(context=server_context,
    2825. 

  2825.                                 chatty=chatty,
    2826. 

  2826.                                 connectionchatty=False)
    2827. 

  2827.     with server:
    2828. 

  2828.         with client_context.wrap_socket(socket.socket(),
    2829. 

  2829.                 server_hostname=sni_name, session=session) as s:
    2830. 

  2830.             s.connect((HOST, server.port))
    2831. 

  2831.             for arg in [indata, bytearray(indata), memoryview(indata)]:
    2832. 

  2832.                 if connectionchatty:
    2833. 

  2833.                     if support.verbose:
    2834. 

  2834.                         sys.stdout.write(
    2835. 

  2835.                             " client:  sending %r...\n" % indata)
    2836. 

  2836.                 s.write(arg)
    2837. 

  2837.                 outdata = s.read()
    2838. 

  2838.                 if connectionchatty:
    2839. 

  2839.                     if support.verbose:
    2840. 

  2840.                         sys.stdout.write(" client:  read %r\n" % outdata)
    2841. 

  2841.                 if outdata != indata.lower():
    2842. 

  2842.                     raise AssertionError(
    2843. 

  2843.                         "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
    2844. 

  2844.                         % (outdata[:20], len(outdata),
    2845. 

  2845.                            indata[:20].lower(), len(indata)))
    2846. 

  2846.             s.write(b"over\n")
    2847. 

  2847.             if connectionchatty:
    2848. 

  2848.                 if support.verbose:
    2849. 

  2849.                     sys.stdout.write(" client:  closing connection.\n")
    2850. 

  2850.             stats.update({
    2851. 

  2851.                 'compression': s.compression(),
    2852. 

  2852.                 'cipher': s.cipher(),
    2853. 

  2853.                 'peercert': s.getpeercert(),
    2854. 

  2854.                 'client_alpn_protocol': s.selected_alpn_protocol(),
    2855. 

  2855.                 'version': s.version(),
    2856. 

  2856.                 'session_reused': s.session_reused,
    2857. 

  2857.                 'session': s.session,
    2858. 

  2858.             })
    2859. 

  2859.             s.close()
    2860. 

  2860.         stats['server_alpn_protocols'] = server.selected_alpn_protocols
    2861. 

  2861.         stats['server_shared_ciphers'] = server.shared_ciphers
    2862. 

  2862.     return stats
    2863. 

  2863. 

  2864. def try_protocol_combo(server_protocol, client_protocol, expect_success,
    2865. 

  2865.                        certsreqs=None, server_options=0, client_options=0):
    2866. 

  2866.     """
    2867. 

  2867.     Try to SSL-connect using *client_protocol* to *server_protocol*.
    2868. 

  2868.     If *expect_success* is true, assert that the connection succeeds,
    2869. 

  2869.     if it's false, assert that the connection fails.
    2870. 

  2870.     Also, if *expect_success* is a string, assert that it is the protocol
    2871. 

  2871.     version actually used by the connection.
    2872. 

  2872.     """
    2873. 

  2873.     if certsreqs is None:
    2874. 

  2874.         certsreqs = ssl.CERT_NONE
    2875. 

  2875.     certtype = {
    2876. 

  2876.         ssl.CERT_NONE: "CERT_NONE",
    2877. 

  2877.         ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
    2878. 

  2878.         ssl.CERT_REQUIRED: "CERT_REQUIRED",
    2879. 

  2879.     }[certsreqs]
    2880. 

  2880.     if support.verbose:
    2881. 

  2881.         formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
    2882. 

  2882.         sys.stdout.write(formatstr %
    2883. 

  2883.                          (ssl.get_protocol_name(client_protocol),
    2884. 

  2884.                           ssl.get_protocol_name(server_protocol),
    2885. 

  2885.                           certtype))
    2886. 

  2886. 

  2887.     with warnings_helper.check_warnings():
    2888. 

  2888.         # ignore Deprecation warnings
    2889. 

  2889.         client_context = ssl.SSLContext(client_protocol)
    2890. 

  2890.         client_context.options |= client_options
    2891. 

  2891.         server_context = ssl.SSLContext(server_protocol)
    2892. 

  2892.         server_context.options |= server_options
    2893. 

  2893. 

  2894.     min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
    2895. 

  2895.     if (min_version is not None
    2896. 

  2896.         # SSLContext.minimum_version is only available on recent OpenSSL
    2897. 

  2897.         # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
    2898. 

  2898.         and hasattr(server_context, 'minimum_version')
    2899. 

  2899.         and server_protocol == ssl.PROTOCOL_TLS
    2900. 

  2900.         and server_context.minimum_version > min_version
    2901. 

  2901.     ):
    2902. 

  2902.         # If OpenSSL configuration is strict and requires more recent TLS
    2903. 

  2903.         # version, we have to change the minimum to test old TLS versions.
    2904. 

  2904.         with warnings_helper.check_warnings():
    2905. 

  2905.             server_context.minimum_version = min_version
    2906. 

  2906. 

  2907.     # NOTE: we must enable "ALL" ciphers on the client, otherwise an
    2908. 

  2908.     # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
    2909. 

  2909.     # starting from OpenSSL 1.0.0 (see issue #8322).
    2910. 

  2910.     if client_context.protocol == ssl.PROTOCOL_TLS:
    2911. 

  2911.         client_context.set_ciphers("ALL")
    2912. 

  2912. 

  2913.     seclevel_workaround(server_context, client_context)
    2914. 

  2914. 

  2915.     for ctx in (client_context, server_context):
    2916. 

  2916.         ctx.verify_mode = certsreqs
    2917. 

  2917.         ctx.load_cert_chain(SIGNED_CERTFILE)
    2918. 

  2918.         ctx.load_verify_locations(SIGNING_CA)
    2919. 

  2919.     try:
    2920. 

  2920.         stats = server_params_test(client_context, server_context,
    2921. 

  2921.                                    chatty=False, connectionchatty=False)
    2922. 

  2922.     # Protocol mismatch can result in either an SSLError, or a
    2923. 

  2923.     # "Connection reset by peer" error.
    2924. 

  2924.     except ssl.SSLError:
    2925. 

  2925.         if expect_success:
    2926. 

  2926.             raise
    2927. 

  2927.     except OSError as e:
    2928. 

  2928.         if expect_success or e.errno != errno.ECONNRESET:
    2929. 

  2929.             raise
    2930. 

  2930.     else:
    2931. 

  2931.         if not expect_success:
    2932. 

  2932.             raise AssertionError(
    2933. 

  2933.                 "Client protocol %s succeeded with server protocol %s!"
    2934. 

  2934.                 % (ssl.get_protocol_name(client_protocol),
    2935. 

  2935.                    ssl.get_protocol_name(server_protocol)))
    2936. 

  2936.         elif (expect_success is not True
    2937. 

  2937.               and expect_success != stats['version']):
    2938. 

  2938.             raise AssertionError("version mismatch: expected %r, got %r"
    2939. 

  2939.                                  % (expect_success, stats['version']))
    2940. 

  2940. 

  2941. 

  2942. class ThreadedTests(unittest.TestCase):
    2943. 

  2943. 

  2944.     def test_echo(self):
    2945. 

  2945.         """Basic test of an SSL client connecting to a server"""
    2946. 

  2946.         if support.verbose:
    2947. 

  2947.             sys.stdout.write("\n")
    2948. 

  2948. 

  2949.         client_context, server_context, hostname = testing_context()
    2950. 

  2950. 

  2951.         with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
    2952. 

  2952.             server_params_test(client_context=client_context,
    2953. 

  2953.                                server_context=server_context,
    2954. 

  2954.                                chatty=True, connectionchatty=True,
    2955. 

  2955.                                sni_name=hostname)
    2956. 

  2956. 

  2957.         client_context.check_hostname = False
    2958. 

  2958.         with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
    2959. 

  2959.             with self.assertRaises(ssl.SSLError) as e:
    2960. 

  2960.                 server_params_test(client_context=server_context,
    2961. 

  2961.                                    server_context=client_context,
    2962. 

  2962.                                    chatty=True, connectionchatty=True,
    2963. 

  2963.                                    sni_name=hostname)
    2964. 

  2964.             self.assertIn(
    2965. 

  2965.                 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
    2966. 

  2966.                 str(e.exception)
    2967. 

  2967.             )
    2968. 

  2968. 

  2969.         with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
    2970. 

  2970.             with self.assertRaises(ssl.SSLError) as e:
    2971. 

  2971.                 server_params_test(client_context=server_context,
    2972. 

  2972.                                    server_context=server_context,
    2973. 

  2973.                                    chatty=True, connectionchatty=True)
    2974. 

  2974.             self.assertIn(
    2975. 

  2975.                 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
    2976. 

  2976.                 str(e.exception)
    2977. 

  2977.             )
    2978. 

  2978. 

  2979.         with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
    2980. 

  2980.             with self.assertRaises(ssl.SSLError) as e:
    2981. 

  2981.                 server_params_test(client_context=server_context,
    2982. 

  2982.                                    server_context=client_context,
    2983. 

  2983.                                    chatty=True, connectionchatty=True)
    2984. 

  2984.             self.assertIn(
    2985. 

  2985.                 'Cannot create a client socket with a PROTOCOL_TLS_SERVER context',
    2986. 

  2986.                 str(e.exception))
    2987. 

  2987. 

  2988.     def test_getpeercert(self):
    2989. 

  2989.         if support.verbose:
    2990. 

  2990.             sys.stdout.write("\n")
    2991. 

  2991. 

  2992.         client_context, server_context, hostname = testing_context()
    2993. 

  2993.         server = ThreadedEchoServer(context=server_context, chatty=False)
    2994. 

  2994.         with server:
    2995. 

  2995.             with client_context.wrap_socket(socket.socket(),
    2996. 

  2996.                                             do_handshake_on_connect=False,
    2997. 

  2997.                                             server_hostname=hostname) as s:
    2998. 

  2998.                 s.connect((HOST, server.port))
    2999. 

  2999.                 # getpeercert() raise ValueError while the handshake isn't
    3000. 

  3000.                 # done.
    3001. 

  3001.                 with self.assertRaises(ValueError):
    3002. 

  3002.                     s.getpeercert()
    3003. 

  3003.                 s.do_handshake()
    3004. 

  3004.                 cert = s.getpeercert()
    3005. 

  3005.                 self.assertTrue(cert, "Can't get peer certificate.")
    3006. 

  3006.                 cipher = s.cipher()
    3007. 

  3007.                 if support.verbose:
    3008. 

  3008.                     sys.stdout.write(pprint.pformat(cert) + '\n')
    3009. 

  3009.                     sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
    3010. 

  3010.                 if 'subject' not in cert:
    3011. 

  3011.                     self.fail("No subject field in certificate: %s." %
    3012. 

  3012.                               pprint.pformat(cert))
    3013. 

  3013.                 if ((('organizationName', 'Python Software Foundation'),)
    3014. 

  3014.                     not in cert['subject']):
    3015. 

  3015.                     self.fail(
    3016. 

  3016.                         "Missing or invalid 'organizationName' field in certificate subject; "
    3017. 

  3017.                         "should be 'Python Software Foundation'.")
    3018. 

  3018.                 self.assertIn('notBefore', cert)
    3019. 

  3019.                 self.assertIn('notAfter', cert)
    3020. 

  3020.                 before = ssl.cert_time_to_seconds(cert['notBefore'])
    3021. 

  3021.                 after = ssl.cert_time_to_seconds(cert['notAfter'])
    3022. 

  3022.                 self.assertLess(before, after)
    3023. 

  3023. 

  3024.     def test_crl_check(self):
    3025. 

  3025.         if support.verbose:
    3026. 

  3026.             sys.stdout.write("\n")
    3027. 

  3027. 

  3028.         client_context, server_context, hostname = testing_context()
    3029. 

  3029. 

  3030.         tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
    3031. 

  3031.         self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
    3032. 

  3032. 

  3033.         # VERIFY_DEFAULT should pass
    3034. 

  3034.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3035. 

  3035.         with server:
    3036. 

  3036.             with client_context.wrap_socket(socket.socket(),
    3037. 

  3037.                                             server_hostname=hostname) as s:
    3038. 

  3038.                 s.connect((HOST, server.port))
    3039. 

  3039.                 cert = s.getpeercert()
    3040. 

  3040.                 self.assertTrue(cert, "Can't get peer certificate.")
    3041. 

  3041. 

  3042.         # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
    3043. 

  3043.         client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    3044. 

  3044. 

  3045.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3046. 

  3046.         with server:
    3047. 

  3047.             with client_context.wrap_socket(socket.socket(),
    3048. 

  3048.                                             server_hostname=hostname) as s:
    3049. 

  3049.                 with self.assertRaisesRegex(ssl.SSLError,
    3050. 

  3050.                                             "certificate verify failed"):
    3051. 

  3051.                     s.connect((HOST, server.port))
    3052. 

  3052. 

  3053.         # now load a CRL file. The CRL file is signed by the CA.
    3054. 

  3054.         client_context.load_verify_locations(CRLFILE)
    3055. 

  3055. 

  3056.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3057. 

  3057.         with server:
    3058. 

  3058.             with client_context.wrap_socket(socket.socket(),
    3059. 

  3059.                                             server_hostname=hostname) as s:
    3060. 

  3060.                 s.connect((HOST, server.port))
    3061. 

  3061.                 cert = s.getpeercert()
    3062. 

  3062.                 self.assertTrue(cert, "Can't get peer certificate.")
    3063. 

  3063. 

  3064.     def test_check_hostname(self):
    3065. 

  3065.         if support.verbose:
    3066. 

  3066.             sys.stdout.write("\n")
    3067. 

  3067. 

  3068.         client_context, server_context, hostname = testing_context()
    3069. 

  3069. 

  3070.         # correct hostname should verify
    3071. 

  3071.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3072. 

  3072.         with server:
    3073. 

  3073.             with client_context.wrap_socket(socket.socket(),
    3074. 

  3074.                                             server_hostname=hostname) as s:
    3075. 

  3075.                 s.connect((HOST, server.port))
    3076. 

  3076.                 cert = s.getpeercert()
    3077. 

  3077.                 self.assertTrue(cert, "Can't get peer certificate.")
    3078. 

  3078. 

  3079.         # incorrect hostname should raise an exception
    3080. 

  3080.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3081. 

  3081.         with server:
    3082. 

  3082.             with client_context.wrap_socket(socket.socket(),
    3083. 

  3083.                                             server_hostname="invalid") as s:
    3084. 

  3084.                 with self.assertRaisesRegex(
    3085. 

  3085.                         ssl.CertificateError,
    3086. 

  3086.                         "Hostname mismatch, certificate is not valid for 'invalid'."):
    3087. 

  3087.                     s.connect((HOST, server.port))
    3088. 

  3088. 

  3089.         # missing server_hostname arg should cause an exception, too
    3090. 

  3090.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3091. 

  3091.         with server:
    3092. 

  3092.             with socket.socket() as s:
    3093. 

  3093.                 with self.assertRaisesRegex(ValueError,
    3094. 

  3094.                                             "check_hostname requires server_hostname"):
    3095. 

  3095.                     client_context.wrap_socket(s)
    3096. 

  3096. 

  3097.     @unittest.skipUnless(
    3098. 

  3098.         ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
    3099. 

  3099.     )
    3100. 

  3100.     def test_hostname_checks_common_name(self):
    3101. 

  3101.         client_context, server_context, hostname = testing_context()
    3102. 

  3102.         assert client_context.hostname_checks_common_name
    3103. 

  3103.         client_context.hostname_checks_common_name = False
    3104. 

  3104. 

  3105.         # default cert has a SAN
    3106. 

  3106.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3107. 

  3107.         with server:
    3108. 

  3108.             with client_context.wrap_socket(socket.socket(),
    3109. 

  3109.                                             server_hostname=hostname) as s:
    3110. 

  3110.                 s.connect((HOST, server.port))
    3111. 

  3111. 

  3112.         client_context, server_context, hostname = testing_context(NOSANFILE)
    3113. 

  3113.         client_context.hostname_checks_common_name = False
    3114. 

  3114.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3115. 

  3115.         with server:
    3116. 

  3116.             with client_context.wrap_socket(socket.socket(),
    3117. 

  3117.                                             server_hostname=hostname) as s:
    3118. 

  3118.                 with self.assertRaises(ssl.SSLCertVerificationError):
    3119. 

  3119.                     s.connect((HOST, server.port))
    3120. 

  3120. 

  3121.     def test_ecc_cert(self):
    3122. 

  3122.         client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3123. 

  3123.         client_context.load_verify_locations(SIGNING_CA)
    3124. 

  3124.         client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
    3125. 

  3125.         hostname = SIGNED_CERTFILE_ECC_HOSTNAME
    3126. 

  3126. 

  3127.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    3128. 

  3128.         # load ECC cert
    3129. 

  3129.         server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
    3130. 

  3130. 

  3131.         # correct hostname should verify
    3132. 

  3132.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3133. 

  3133.         with server:
    3134. 

  3134.             with client_context.wrap_socket(socket.socket(),
    3135. 

  3135.                                             server_hostname=hostname) as s:
    3136. 

  3136.                 s.connect((HOST, server.port))
    3137. 

  3137.                 cert = s.getpeercert()
    3138. 

  3138.                 self.assertTrue(cert, "Can't get peer certificate.")
    3139. 

  3139.                 cipher = s.cipher()[0].split('-')
    3140. 

  3140.                 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
    3141. 

  3141. 

  3142.     def test_dual_rsa_ecc(self):
    3143. 

  3143.         client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3144. 

  3144.         client_context.load_verify_locations(SIGNING_CA)
    3145. 

  3145.         # TODO: fix TLSv1.3 once SSLContext can restrict signature
    3146. 

  3146.         #       algorithms.
    3147. 

  3147.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3148. 

  3148.         # only ECDSA certs
    3149. 

  3149.         client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
    3150. 

  3150.         hostname = SIGNED_CERTFILE_ECC_HOSTNAME
    3151. 

  3151. 

  3152.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    3153. 

  3153.         # load ECC and RSA key/cert pairs
    3154. 

  3154.         server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
    3155. 

  3155.         server_context.load_cert_chain(SIGNED_CERTFILE)
    3156. 

  3156. 

  3157.         # correct hostname should verify
    3158. 

  3158.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3159. 

  3159.         with server:
    3160. 

  3160.             with client_context.wrap_socket(socket.socket(),
    3161. 

  3161.                                             server_hostname=hostname) as s:
    3162. 

  3162.                 s.connect((HOST, server.port))
    3163. 

  3163.                 cert = s.getpeercert()
    3164. 

  3164.                 self.assertTrue(cert, "Can't get peer certificate.")
    3165. 

  3165.                 cipher = s.cipher()[0].split('-')
    3166. 

  3166.                 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
    3167. 

  3167. 

  3168.     def test_check_hostname_idn(self):
    3169. 

  3169.         if support.verbose:
    3170. 

  3170.             sys.stdout.write("\n")
    3171. 

  3171. 

  3172.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    3173. 

  3173.         server_context.load_cert_chain(IDNSANSFILE)
    3174. 

  3174. 

  3175.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3176. 

  3176.         context.verify_mode = ssl.CERT_REQUIRED
    3177. 

  3177.         context.check_hostname = True
    3178. 

  3178.         context.load_verify_locations(SIGNING_CA)
    3179. 

  3179. 

  3180.         # correct hostname should verify, when specified in several
    3181. 

  3181.         # different ways
    3182. 

  3182.         idn_hostnames = [
    3183. 

  3183.             ('könig.idn.pythontest.net',
    3184. 

  3184.              'xn--knig-5qa.idn.pythontest.net'),
    3185. 

  3185.             ('xn--knig-5qa.idn.pythontest.net',
    3186. 

  3186.              'xn--knig-5qa.idn.pythontest.net'),
    3187. 

  3187.             (b'xn--knig-5qa.idn.pythontest.net',
    3188. 

  3188.              'xn--knig-5qa.idn.pythontest.net'),
    3189. 

  3189. 

  3190.             ('königsgäßchen.idna2003.pythontest.net',
    3191. 

  3191.              'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
    3192. 

  3192.             ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
    3193. 

  3193.              'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
    3194. 

  3194.             (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
    3195. 

  3195.              'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
    3196. 

  3196. 

  3197.             # ('königsgäßchen.idna2008.pythontest.net',
    3198. 

  3198.             #  'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
    3199. 

  3199.             ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
    3200. 

  3200.              'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
    3201. 

  3201.             (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
    3202. 

  3202.              'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
    3203. 

  3203. 

  3204.         ]
    3205. 

  3205.         for server_hostname, expected_hostname in idn_hostnames:
    3206. 

  3206.             server = ThreadedEchoServer(context=server_context, chatty=True)
    3207. 

  3207.             with server:
    3208. 

  3208.                 with context.wrap_socket(socket.socket(),
    3209. 

  3209.                                          server_hostname=server_hostname) as s:
    3210. 

  3210.                     self.assertEqual(s.server_hostname, expected_hostname)
    3211. 

  3211.                     s.connect((HOST, server.port))
    3212. 

  3212.                     cert = s.getpeercert()
    3213. 

  3213.                     self.assertEqual(s.server_hostname, expected_hostname)
    3214. 

  3214.                     self.assertTrue(cert, "Can't get peer certificate.")
    3215. 

  3215. 

  3216.         # incorrect hostname should raise an exception
    3217. 

  3217.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3218. 

  3218.         with server:
    3219. 

  3219.             with context.wrap_socket(socket.socket(),
    3220. 

  3220.                                      server_hostname="python.example.org") as s:
    3221. 

  3221.                 with self.assertRaises(ssl.CertificateError):
    3222. 

  3222.                     s.connect((HOST, server.port))
    3223. 

  3223. 

  3224.     def test_wrong_cert_tls12(self):
    3225. 

  3225.         """Connecting when the server rejects the client's certificate
    3226. 

  3226. 

  3227.         Launch a server with CERT_REQUIRED, and check that trying to
    3228. 

  3228.         connect to it with a wrong client certificate fails.
    3229. 

  3229.         """
    3230. 

  3230.         client_context, server_context, hostname = testing_context()
    3231. 

  3231.         # load client cert that is not signed by trusted CA
    3232. 

  3232.         client_context.load_cert_chain(CERTFILE)
    3233. 

  3233.         # require TLS client authentication
    3234. 

  3234.         server_context.verify_mode = ssl.CERT_REQUIRED
    3235. 

  3235.         # TLS 1.3 has different handshake
    3236. 

  3236.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3237. 

  3237. 

  3238.         server = ThreadedEchoServer(
    3239. 

  3239.             context=server_context, chatty=True, connectionchatty=True,
    3240. 

  3240.         )
    3241. 

  3241. 

  3242.         with server, \
    3243. 

  3243.                 client_context.wrap_socket(socket.socket(),
    3244. 

  3244.                                            server_hostname=hostname) as s:
    3245. 

  3245.             try:
    3246. 

  3246.                 # Expect either an SSL error about the server rejecting
    3247. 

  3247.                 # the connection, or a low-level connection reset (which
    3248. 

  3248.                 # sometimes happens on Windows)
    3249. 

  3249.                 s.connect((HOST, server.port))
    3250. 

  3250.             except ssl.SSLError as e:
    3251. 

  3251.                 if support.verbose:
    3252. 

  3252.                     sys.stdout.write("\nSSLError is %r\n" % e)
    3253. 

  3253.             except OSError as e:
    3254. 

  3254.                 if e.errno != errno.ECONNRESET:
    3255. 

  3255.                     raise
    3256. 

  3256.                 if support.verbose:
    3257. 

  3257.                     sys.stdout.write("\nsocket.error is %r\n" % e)
    3258. 

  3258.             else:
    3259. 

  3259.                 self.fail("Use of invalid cert should have failed!")
    3260. 

  3260. 

  3261.     @requires_tls_version('TLSv1_3')
    3262. 

  3262.     def test_wrong_cert_tls13(self):
    3263. 

  3263.         client_context, server_context, hostname = testing_context()
    3264. 

  3264.         # load client cert that is not signed by trusted CA
    3265. 

  3265.         client_context.load_cert_chain(CERTFILE)
    3266. 

  3266.         server_context.verify_mode = ssl.CERT_REQUIRED
    3267. 

  3267.         server_context.minimum_version = ssl.TLSVersion.TLSv1_3
    3268. 

  3268.         client_context.minimum_version = ssl.TLSVersion.TLSv1_3
    3269. 

  3269. 

  3270.         server = ThreadedEchoServer(
    3271. 

  3271.             context=server_context, chatty=True, connectionchatty=True,
    3272. 

  3272.         )
    3273. 

  3273.         with server, \
    3274. 

  3274.              client_context.wrap_socket(socket.socket(),
    3275. 

  3275.                                         server_hostname=hostname,
    3276. 

  3276.                                         suppress_ragged_eofs=False) as s:
    3277. 

  3277.             s.connect((HOST, server.port))
    3278. 

  3278.             with self.assertRaisesRegex(
    3279. 

  3279.                 ssl.SSLError,
    3280. 

  3280.                 'alert unknown ca|EOF occurred'
    3281. 

  3281.             ):
    3282. 

  3282.                 # TLS 1.3 perform client cert exchange after handshake
    3283. 

  3283.                 s.write(b'data')
    3284. 

  3284.                 s.read(1000)
    3285. 

  3285.                 s.write(b'should have failed already')
    3286. 

  3286.                 s.read(1000)
    3287. 

  3287. 

  3288.     def test_rude_shutdown(self):
    3289. 

  3289.         """A brutal shutdown of an SSL server should raise an OSError
    3290. 

  3290.         in the client when attempting handshake.
    3291. 

  3291.         """
    3292. 

  3292.         listener_ready = threading.Event()
    3293. 

  3293.         listener_gone = threading.Event()
    3294. 

  3294. 

  3295.         s = socket.socket()
    3296. 

  3296.         port = socket_helper.bind_port(s, HOST)
    3297. 

  3297. 

  3298.         # `listener` runs in a thread.  It sits in an accept() until
    3299. 

  3299.         # the main thread connects.  Then it rudely closes the socket,
    3300. 

  3300.         # and sets Event `listener_gone` to let the main thread know
    3301. 

  3301.         # the socket is gone.
    3302. 

  3302.         def listener():
    3303. 

  3303.             s.listen()
    3304. 

  3304.             listener_ready.set()
    3305. 

  3305.             newsock, addr = s.accept()
    3306. 

  3306.             newsock.close()
    3307. 

  3307.             s.close()
    3308. 

  3308.             listener_gone.set()
    3309. 

  3309. 

  3310.         def connector():
    3311. 

  3311.             listener_ready.wait()
    3312. 

  3312.             with socket.socket() as c:
    3313. 

  3313.                 c.connect((HOST, port))
    3314. 

  3314.                 listener_gone.wait()
    3315. 

  3315.                 try:
    3316. 

  3316.                     ssl_sock = test_wrap_socket(c)
    3317. 

  3317.                 except OSError:
    3318. 

  3318.                     pass
    3319. 

  3319.                 else:
    3320. 

  3320.                     self.fail('connecting to closed SSL socket should have failed')
    3321. 

  3321. 

  3322.         t = threading.Thread(target=listener)
    3323. 

  3323.         t.start()
    3324. 

  3324.         try:
    3325. 

  3325.             connector()
    3326. 

  3326.         finally:
    3327. 

  3327.             t.join()
    3328. 

  3328. 

  3329.     def test_ssl_cert_verify_error(self):
    3330. 

  3330.         if support.verbose:
    3331. 

  3331.             sys.stdout.write("\n")
    3332. 

  3332. 

  3333.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    3334. 

  3334.         server_context.load_cert_chain(SIGNED_CERTFILE)
    3335. 

  3335. 

  3336.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3337. 

  3337. 

  3338.         server = ThreadedEchoServer(context=server_context, chatty=True)
    3339. 

  3339.         with server:
    3340. 

  3340.             with context.wrap_socket(socket.socket(),
    3341. 

  3341.                                      server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
    3342. 

  3342.                 try:
    3343. 

  3343.                     s.connect((HOST, server.port))
    3344. 

  3344.                 except ssl.SSLError as e:
    3345. 

  3345.                     msg = 'unable to get local issuer certificate'
    3346. 

  3346.                     self.assertIsInstance(e, ssl.SSLCertVerificationError)
    3347. 

  3347.                     self.assertEqual(e.verify_code, 20)
    3348. 

  3348.                     self.assertEqual(e.verify_message, msg)
    3349. 

  3349.                     self.assertIn(msg, repr(e))
    3350. 

  3350.                     self.assertIn('certificate verify failed', repr(e))
    3351. 

  3351. 

  3352.     @requires_tls_version('SSLv2')
    3353. 

  3353.     def test_protocol_sslv2(self):
    3354. 

  3354.         """Connecting to an SSLv2 server with various client options"""
    3355. 

  3355.         if support.verbose:
    3356. 

  3356.             sys.stdout.write("\n")
    3357. 

  3357.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
    3358. 

  3358.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
    3359. 

  3359.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
    3360. 

  3360.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
    3361. 

  3361.         if has_tls_version('SSLv3'):
    3362. 

  3362.             try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
    3363. 

  3363.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
    3364. 

  3364.         # SSLv23 client with specific SSL options
    3365. 

  3365.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
    3366. 

  3366.                            client_options=ssl.OP_NO_SSLv3)
    3367. 

  3367.         try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
    3368. 

  3368.                            client_options=ssl.OP_NO_TLSv1)
    3369. 

  3369. 

  3370.     def test_PROTOCOL_TLS(self):
    3371. 

  3371.         """Connecting to an SSLv23 server with various client options"""
    3372. 

  3372.         if support.verbose:
    3373. 

  3373.             sys.stdout.write("\n")
    3374. 

  3374.         if has_tls_version('SSLv2'):
    3375. 

  3375.             try:
    3376. 

  3376.                 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
    3377. 

  3377.             except OSError as x:
    3378. 

  3378.                 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
    3379. 

  3379.                 if support.verbose:
    3380. 

  3380.                     sys.stdout.write(
    3381. 

  3381.                         " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
    3382. 

  3382.                         % str(x))
    3383. 

  3383.         if has_tls_version('SSLv3'):
    3384. 

  3384.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
    3385. 

  3385.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
    3386. 

  3386.         if has_tls_version('TLSv1'):
    3387. 

  3387.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
    3388. 

  3388. 

  3389.         if has_tls_version('SSLv3'):
    3390. 

  3390.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
    3391. 

  3391.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
    3392. 

  3392.         if has_tls_version('TLSv1'):
    3393. 

  3393.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
    3394. 

  3394. 

  3395.         if has_tls_version('SSLv3'):
    3396. 

  3396.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
    3397. 

  3397.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
    3398. 

  3398.         if has_tls_version('TLSv1'):
    3399. 

  3399.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
    3400. 

  3400. 

  3401.         # Server with specific SSL options
    3402. 

  3402.         if has_tls_version('SSLv3'):
    3403. 

  3403.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
    3404. 

  3404.                            server_options=ssl.OP_NO_SSLv3)
    3405. 

  3405.         # Will choose TLSv1
    3406. 

  3406.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
    3407. 

  3407.                            server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
    3408. 

  3408.         if has_tls_version('TLSv1'):
    3409. 

  3409.             try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
    3410. 

  3410.                                server_options=ssl.OP_NO_TLSv1)
    3411. 

  3411. 

  3412.     @requires_tls_version('SSLv3')
    3413. 

  3413.     def test_protocol_sslv3(self):
    3414. 

  3414.         """Connecting to an SSLv3 server with various client options"""
    3415. 

  3415.         if support.verbose:
    3416. 

  3416.             sys.stdout.write("\n")
    3417. 

  3417.         try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
    3418. 

  3418.         try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
    3419. 

  3419.         try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
    3420. 

  3420.         if has_tls_version('SSLv2'):
    3421. 

  3421.             try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
    3422. 

  3422.         try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
    3423. 

  3423.                            client_options=ssl.OP_NO_SSLv3)
    3424. 

  3424.         try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
    3425. 

  3425. 

  3426.     @requires_tls_version('TLSv1')
    3427. 

  3427.     def test_protocol_tlsv1(self):
    3428. 

  3428.         """Connecting to a TLSv1 server with various client options"""
    3429. 

  3429.         if support.verbose:
    3430. 

  3430.             sys.stdout.write("\n")
    3431. 

  3431.         try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
    3432. 

  3432.         try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
    3433. 

  3433.         try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
    3434. 

  3434.         if has_tls_version('SSLv2'):
    3435. 

  3435.             try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
    3436. 

  3436.         if has_tls_version('SSLv3'):
    3437. 

  3437.             try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
    3438. 

  3438.         try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
    3439. 

  3439.                            client_options=ssl.OP_NO_TLSv1)
    3440. 

  3440. 

  3441.     @requires_tls_version('TLSv1_1')
    3442. 

  3442.     def test_protocol_tlsv1_1(self):
    3443. 

  3443.         """Connecting to a TLSv1.1 server with various client options.
    3444. 

  3444.            Testing against older TLS versions."""
    3445. 

  3445.         if support.verbose:
    3446. 

  3446.             sys.stdout.write("\n")
    3447. 

  3447.         try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
    3448. 

  3448.         if has_tls_version('SSLv2'):
    3449. 

  3449.             try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
    3450. 

  3450.         if has_tls_version('SSLv3'):
    3451. 

  3451.             try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
    3452. 

  3452.         try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
    3453. 

  3453.                            client_options=ssl.OP_NO_TLSv1_1)
    3454. 

  3454. 

  3455.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
    3456. 

  3456.         try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
    3457. 

  3457.         try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
    3458. 

  3458. 

  3459.     @requires_tls_version('TLSv1_2')
    3460. 

  3460.     def test_protocol_tlsv1_2(self):
    3461. 

  3461.         """Connecting to a TLSv1.2 server with various client options.
    3462. 

  3462.            Testing against older TLS versions."""
    3463. 

  3463.         if support.verbose:
    3464. 

  3464.             sys.stdout.write("\n")
    3465. 

  3465.         try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
    3466. 

  3466.                            server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
    3467. 

  3467.                            client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
    3468. 

  3468.         if has_tls_version('SSLv2'):
    3469. 

  3469.             try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
    3470. 

  3470.         if has_tls_version('SSLv3'):
    3471. 

  3471.             try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
    3472. 

  3472.         try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
    3473. 

  3473.                            client_options=ssl.OP_NO_TLSv1_2)
    3474. 

  3474. 

  3475.         try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
    3476. 

  3476.         if has_tls_protocol(ssl.PROTOCOL_TLSv1):
    3477. 

  3477.             try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
    3478. 

  3478.             try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
    3479. 

  3479.         if has_tls_protocol(ssl.PROTOCOL_TLSv1_1):
    3480. 

  3480.             try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
    3481. 

  3481.             try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
    3482. 

  3482. 

  3483.     def test_starttls(self):
    3484. 

  3484.         """Switching from clear text to encrypted and back again."""
    3485. 

  3485.         msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
    3486. 

  3486. 

  3487.         server = ThreadedEchoServer(CERTFILE,
    3488. 

  3488.                                     starttls_server=True,
    3489. 

  3489.                                     chatty=True,
    3490. 

  3490.                                     connectionchatty=True)
    3491. 

  3491.         wrapped = False
    3492. 

  3492.         with server:
    3493. 

  3493.             s = socket.socket()
    3494. 

  3494.             s.setblocking(True)
    3495. 

  3495.             s.connect((HOST, server.port))
    3496. 

  3496.             if support.verbose:
    3497. 

  3497.                 sys.stdout.write("\n")
    3498. 

  3498.             for indata in msgs:
    3499. 

  3499.                 if support.verbose:
    3500. 

  3500.                     sys.stdout.write(
    3501. 

  3501.                         " client:  sending %r...\n" % indata)
    3502. 

  3502.                 if wrapped:
    3503. 

  3503.                     conn.write(indata)
    3504. 

  3504.                     outdata = conn.read()
    3505. 

  3505.                 else:
    3506. 

  3506.                     s.send(indata)
    3507. 

  3507.                     outdata = s.recv(1024)
    3508. 

  3508.                 msg = outdata.strip().lower()
    3509. 

  3509.                 if indata == b"STARTTLS" and msg.startswith(b"ok"):
    3510. 

  3510.                     # STARTTLS ok, switch to secure mode
    3511. 

  3511.                     if support.verbose:
    3512. 

  3512.                         sys.stdout.write(
    3513. 

  3513.                             " client:  read %r from server, starting TLS...\n"
    3514. 

  3514.                             % msg)
    3515. 

  3515.                     conn = test_wrap_socket(s)
    3516. 

  3516.                     wrapped = True
    3517. 

  3517.                 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
    3518. 

  3518.                     # ENDTLS ok, switch back to clear text
    3519. 

  3519.                     if support.verbose:
    3520. 

  3520.                         sys.stdout.write(
    3521. 

  3521.                             " client:  read %r from server, ending TLS...\n"
    3522. 

  3522.                             % msg)
    3523. 

  3523.                     s = conn.unwrap()
    3524. 

  3524.                     wrapped = False
    3525. 

  3525.                 else:
    3526. 

  3526.                     if support.verbose:
    3527. 

  3527.                         sys.stdout.write(
    3528. 

  3528.                             " client:  read %r from server\n" % msg)
    3529. 

  3529.             if support.verbose:
    3530. 

  3530.                 sys.stdout.write(" client:  closing connection.\n")
    3531. 

  3531.             if wrapped:
    3532. 

  3532.                 conn.write(b"over\n")
    3533. 

  3533.             else:
    3534. 

  3534.                 s.send(b"over\n")
    3535. 

  3535.             if wrapped:
    3536. 

  3536.                 conn.close()
    3537. 

  3537.             else:
    3538. 

  3538.                 s.close()
    3539. 

  3539. 

  3540.     def test_socketserver(self):
    3541. 

  3541.         """Using socketserver to create and manage SSL connections."""
    3542. 

  3542.         server = make_https_server(self, certfile=SIGNED_CERTFILE)
    3543. 

  3543.         # try to connect
    3544. 

  3544.         if support.verbose:
    3545. 

  3545.             sys.stdout.write('\n')
    3546. 

  3546.         with open(CERTFILE, 'rb') as f:
    3547. 

  3547.             d1 = f.read()
    3548. 

  3548.         d2 = ''
    3549. 

  3549.         # now fetch the same data from the HTTPS server
    3550. 

  3550.         url = 'https://localhost:%d/%s' % (
    3551. 

  3551.             server.port, os.path.split(CERTFILE)[1])
    3552. 

  3552.         context = ssl.create_default_context(cafile=SIGNING_CA)
    3553. 

  3553.         f = urllib.request.urlopen(url, context=context)
    3554. 

  3554.         try:
    3555. 

  3555.             dlen = f.info().get("content-length")
    3556. 

  3556.             if dlen and (int(dlen) > 0):
    3557. 

  3557.                 d2 = f.read(int(dlen))
    3558. 

  3558.                 if support.verbose:
    3559. 

  3559.                     sys.stdout.write(
    3560. 

  3560.                         " client: read %d bytes from remote server '%s'\n"
    3561. 

  3561.                         % (len(d2), server))
    3562. 

  3562.         finally:
    3563. 

  3563.             f.close()
    3564. 

  3564.         self.assertEqual(d1, d2)
    3565. 

  3565. 

  3566.     def test_asyncore_server(self):
    3567. 

  3567.         """Check the example asyncore integration."""
    3568. 

  3568.         if support.verbose:
    3569. 

  3569.             sys.stdout.write("\n")
    3570. 

  3570. 

  3571.         indata = b"FOO\n"
    3572. 

  3572.         server = AsyncoreEchoServer(CERTFILE)
    3573. 

  3573.         with server:
    3574. 

  3574.             s = test_wrap_socket(socket.socket())
    3575. 

  3575.             s.connect(('127.0.0.1', server.port))
    3576. 

  3576.             if support.verbose:
    3577. 

  3577.                 sys.stdout.write(
    3578. 

  3578.                     " client:  sending %r...\n" % indata)
    3579. 

  3579.             s.write(indata)
    3580. 

  3580.             outdata = s.read()
    3581. 

  3581.             if support.verbose:
    3582. 

  3582.                 sys.stdout.write(" client:  read %r\n" % outdata)
    3583. 

  3583.             if outdata != indata.lower():
    3584. 

  3584.                 self.fail(
    3585. 

  3585.                     "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
    3586. 

  3586.                     % (outdata[:20], len(outdata),
    3587. 

  3587.                        indata[:20].lower(), len(indata)))
    3588. 

  3588.             s.write(b"over\n")
    3589. 

  3589.             if support.verbose:
    3590. 

  3590.                 sys.stdout.write(" client:  closing connection.\n")
    3591. 

  3591.             s.close()
    3592. 

  3592.             if support.verbose:
    3593. 

  3593.                 sys.stdout.write(" client:  connection closed.\n")
    3594. 

  3594. 

  3595.     def test_recv_send(self):
    3596. 

  3596.         """Test recv(), send() and friends."""
    3597. 

  3597.         if support.verbose:
    3598. 

  3598.             sys.stdout.write("\n")
    3599. 

  3599. 

  3600.         server = ThreadedEchoServer(CERTFILE,
    3601. 

  3601.                                     certreqs=ssl.CERT_NONE,
    3602. 

  3602.                                     ssl_version=ssl.PROTOCOL_TLS_SERVER,
    3603. 

  3603.                                     cacerts=CERTFILE,
    3604. 

  3604.                                     chatty=True,
    3605. 

  3605.                                     connectionchatty=False)
    3606. 

  3606.         with server:
    3607. 

  3607.             s = test_wrap_socket(socket.socket(),
    3608. 

  3608.                                 server_side=False,
    3609. 

  3609.                                 certfile=CERTFILE,
    3610. 

  3610.                                 ca_certs=CERTFILE,
    3611. 

  3611.                                 cert_reqs=ssl.CERT_NONE)
    3612. 

  3612.             s.connect((HOST, server.port))
    3613. 

  3613.             # helper methods for standardising recv* method signatures
    3614. 

  3614.             def _recv_into():
    3615. 

  3615.                 b = bytearray(b"\0"*100)
    3616. 

  3616.                 count = s.recv_into(b)
    3617. 

  3617.                 return b[:count]
    3618. 

  3618. 

  3619.             def _recvfrom_into():
    3620. 

  3620.                 b = bytearray(b"\0"*100)
    3621. 

  3621.                 count, addr = s.recvfrom_into(b)
    3622. 

  3622.                 return b[:count]
    3623. 

  3623. 

  3624.             # (name, method, expect success?, *args, return value func)
    3625. 

  3625.             send_methods = [
    3626. 

  3626.                 ('send', s.send, True, [], len),
    3627. 

  3627.                 ('sendto', s.sendto, False, ["some.address"], len),
    3628. 

  3628.                 ('sendall', s.sendall, True, [], lambda x: None),
    3629. 

  3629.             ]
    3630. 

  3630.             # (name, method, whether to expect success, *args)
    3631. 

  3631.             recv_methods = [
    3632. 

  3632.                 ('recv', s.recv, True, []),
    3633. 

  3633.                 ('recvfrom', s.recvfrom, False, ["some.address"]),
    3634. 

  3634.                 ('recv_into', _recv_into, True, []),
    3635. 

  3635.                 ('recvfrom_into', _recvfrom_into, False, []),
    3636. 

  3636.             ]
    3637. 

  3637.             data_prefix = "PREFIX_"
    3638. 

  3638. 

  3639.             for (meth_name, send_meth, expect_success, args,
    3640. 

  3640.                     ret_val_meth) in send_methods:
    3641. 

  3641.                 indata = (data_prefix + meth_name).encode('ascii')
    3642. 

  3642.                 try:
    3643. 

  3643.                     ret = send_meth(indata, *args)
    3644. 

  3644.                     msg = "sending with {}".format(meth_name)
    3645. 

  3645.                     self.assertEqual(ret, ret_val_meth(indata), msg=msg)
    3646. 

  3646.                     outdata = s.read()
    3647. 

  3647.                     if outdata != indata.lower():
    3648. 

  3648.                         self.fail(
    3649. 

  3649.                             "While sending with <<{name:s}>> bad data "
    3650. 

  3650.                             "<<{outdata:r}>> ({nout:d}) received; "
    3651. 

  3651.                             "expected <<{indata:r}>> ({nin:d})\n".format(
    3652. 

  3652.                                 name=meth_name, outdata=outdata[:20],
    3653. 

  3653.                                 nout=len(outdata),
    3654. 

  3654.                                 indata=indata[:20], nin=len(indata)
    3655. 

  3655.                             )
    3656. 

  3656.                         )
    3657. 

  3657.                 except ValueError as e:
    3658. 

  3658.                     if expect_success:
    3659. 

  3659.                         self.fail(
    3660. 

  3660.                             "Failed to send with method <<{name:s}>>; "
    3661. 

  3661.                             "expected to succeed.\n".format(name=meth_name)
    3662. 

  3662.                         )
    3663. 

  3663.                     if not str(e).startswith(meth_name):
    3664. 

  3664.                         self.fail(
    3665. 

  3665.                             "Method <<{name:s}>> failed with unexpected "
    3666. 

  3666.                             "exception message: {exp:s}\n".format(
    3667. 

  3667.                                 name=meth_name, exp=e
    3668. 

  3668.                             )
    3669. 

  3669.                         )
    3670. 

  3670. 

  3671.             for meth_name, recv_meth, expect_success, args in recv_methods:
    3672. 

  3672.                 indata = (data_prefix + meth_name).encode('ascii')
    3673. 

  3673.                 try:
    3674. 

  3674.                     s.send(indata)
    3675. 

  3675.                     outdata = recv_meth(*args)
    3676. 

  3676.                     if outdata != indata.lower():
    3677. 

  3677.                         self.fail(
    3678. 

  3678.                             "While receiving with <<{name:s}>> bad data "
    3679. 

  3679.                             "<<{outdata:r}>> ({nout:d}) received; "
    3680. 

  3680.                             "expected <<{indata:r}>> ({nin:d})\n".format(
    3681. 

  3681.                                 name=meth_name, outdata=outdata[:20],
    3682. 

  3682.                                 nout=len(outdata),
    3683. 

  3683.                                 indata=indata[:20], nin=len(indata)
    3684. 

  3684.                             )
    3685. 

  3685.                         )
    3686. 

  3686.                 except ValueError as e:
    3687. 

  3687.                     if expect_success:
    3688. 

  3688.                         self.fail(
    3689. 

  3689.                             "Failed to receive with method <<{name:s}>>; "
    3690. 

  3690.                             "expected to succeed.\n".format(name=meth_name)
    3691. 

  3691.                         )
    3692. 

  3692.                     if not str(e).startswith(meth_name):
    3693. 

  3693.                         self.fail(
    3694. 

  3694.                             "Method <<{name:s}>> failed with unexpected "
    3695. 

  3695.                             "exception message: {exp:s}\n".format(
    3696. 

  3696.                                 name=meth_name, exp=e
    3697. 

  3697.                             )
    3698. 

  3698.                         )
    3699. 

  3699.                     # consume data
    3700. 

  3700.                     s.read()
    3701. 

  3701. 

  3702.             # read(-1, buffer) is supported, even though read(-1) is not
    3703. 

  3703.             data = b"data"
    3704. 

  3704.             s.send(data)
    3705. 

  3705.             buffer = bytearray(len(data))
    3706. 

  3706.             self.assertEqual(s.read(-1, buffer), len(data))
    3707. 

  3707.             self.assertEqual(buffer, data)
    3708. 

  3708. 

  3709.             # sendall accepts bytes-like objects
    3710. 

  3710.             if ctypes is not None:
    3711. 

  3711.                 ubyte = ctypes.c_ubyte * len(data)
    3712. 

  3712.                 byteslike = ubyte.from_buffer_copy(data)
    3713. 

  3713.                 s.sendall(byteslike)
    3714. 

  3714.                 self.assertEqual(s.read(), data)
    3715. 

  3715. 

  3716.             # Make sure sendmsg et al are disallowed to avoid
    3717. 

  3717.             # inadvertent disclosure of data and/or corruption
    3718. 

  3718.             # of the encrypted data stream
    3719. 

  3719.             self.assertRaises(NotImplementedError, s.dup)
    3720. 

  3720.             self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
    3721. 

  3721.             self.assertRaises(NotImplementedError, s.recvmsg, 100)
    3722. 

  3722.             self.assertRaises(NotImplementedError,
    3723. 

  3723.                               s.recvmsg_into, [bytearray(100)])
    3724. 

  3724.             s.write(b"over\n")
    3725. 

  3725. 

  3726.             self.assertRaises(ValueError, s.recv, -1)
    3727. 

  3727.             self.assertRaises(ValueError, s.read, -1)
    3728. 

  3728. 

  3729.             s.close()
    3730. 

  3730. 

  3731.     def test_recv_zero(self):
    3732. 

  3732.         server = ThreadedEchoServer(CERTFILE)
    3733. 

  3733.         self.enterContext(server)
    3734. 

  3734.         s = socket.create_connection((HOST, server.port))
    3735. 

  3735.         self.addCleanup(s.close)
    3736. 

  3736.         s = test_wrap_socket(s, suppress_ragged_eofs=False)
    3737. 

  3737.         self.addCleanup(s.close)
    3738. 

  3738. 

  3739.         # recv/read(0) should return no data
    3740. 

  3740.         s.send(b"data")
    3741. 

  3741.         self.assertEqual(s.recv(0), b"")
    3742. 

  3742.         self.assertEqual(s.read(0), b"")
    3743. 

  3743.         self.assertEqual(s.read(), b"data")
    3744. 

  3744. 

  3745.         # Should not block if the other end sends no data
    3746. 

  3746.         s.setblocking(False)
    3747. 

  3747.         self.assertEqual(s.recv(0), b"")
    3748. 

  3748.         self.assertEqual(s.recv_into(bytearray()), 0)
    3749. 

  3749. 

  3750.     def test_nonblocking_send(self):
    3751. 

  3751.         server = ThreadedEchoServer(CERTFILE,
    3752. 

  3752.                                     certreqs=ssl.CERT_NONE,
    3753. 

  3753.                                     ssl_version=ssl.PROTOCOL_TLS_SERVER,
    3754. 

  3754.                                     cacerts=CERTFILE,
    3755. 

  3755.                                     chatty=True,
    3756. 

  3756.                                     connectionchatty=False)
    3757. 

  3757.         with server:
    3758. 

  3758.             s = test_wrap_socket(socket.socket(),
    3759. 

  3759.                                 server_side=False,
    3760. 

  3760.                                 certfile=CERTFILE,
    3761. 

  3761.                                 ca_certs=CERTFILE,
    3762. 

  3762.                                 cert_reqs=ssl.CERT_NONE)
    3763. 

  3763.             s.connect((HOST, server.port))
    3764. 

  3764.             s.setblocking(False)
    3765. 

  3765. 

  3766.             # If we keep sending data, at some point the buffers
    3767. 

  3767.             # will be full and the call will block
    3768. 

  3768.             buf = bytearray(8192)
    3769. 

  3769.             def fill_buffer():
    3770. 

  3770.                 while True:
    3771. 

  3771.                     s.send(buf)
    3772. 

  3772.             self.assertRaises((ssl.SSLWantWriteError,
    3773. 

  3773.                                ssl.SSLWantReadError), fill_buffer)
    3774. 

  3774. 

  3775.             # Now read all the output and discard it
    3776. 

  3776.             s.setblocking(True)
    3777. 

  3777.             s.close()
    3778. 

  3778. 

  3779.     def test_handshake_timeout(self):
    3780. 

  3780.         # Issue #5103: SSL handshake must respect the socket timeout
    3781. 

  3781.         server = socket.socket(socket.AF_INET)
    3782. 

  3782.         host = "127.0.0.1"
    3783. 

  3783.         port = socket_helper.bind_port(server)
    3784. 

  3784.         started = threading.Event()
    3785. 

  3785.         finish = False
    3786. 

  3786. 

  3787.         def serve():
    3788. 

  3788.             server.listen()
    3789. 

  3789.             started.set()
    3790. 

  3790.             conns = []
    3791. 

  3791.             while not finish:
    3792. 

  3792.                 r, w, e = select.select([server], [], [], 0.1)
    3793. 

  3793.                 if server in r:
    3794. 

  3794.                     # Let the socket hang around rather than having
    3795. 

  3795.                     # it closed by garbage collection.
    3796. 

  3796.                     conns.append(server.accept()[0])
    3797. 

  3797.             for sock in conns:
    3798. 

  3798.                 sock.close()
    3799. 

  3799. 

  3800.         t = threading.Thread(target=serve)
    3801. 

  3801.         t.start()
    3802. 

  3802.         started.wait()
    3803. 

  3803. 

  3804.         try:
    3805. 

  3805.             try:
    3806. 

  3806.                 c = socket.socket(socket.AF_INET)
    3807. 

  3807.                 c.settimeout(0.2)
    3808. 

  3808.                 c.connect((host, port))
    3809. 

  3809.                 # Will attempt handshake and time out
    3810. 

  3810.                 self.assertRaisesRegex(TimeoutError, "timed out",
    3811. 

  3811.                                        test_wrap_socket, c)
    3812. 

  3812.             finally:
    3813. 

  3813.                 c.close()
    3814. 

  3814.             try:
    3815. 

  3815.                 c = socket.socket(socket.AF_INET)
    3816. 

  3816.                 c = test_wrap_socket(c)
    3817. 

  3817.                 c.settimeout(0.2)
    3818. 

  3818.                 # Will attempt handshake and time out
    3819. 

  3819.                 self.assertRaisesRegex(TimeoutError, "timed out",
    3820. 

  3820.                                        c.connect, (host, port))
    3821. 

  3821.             finally:
    3822. 

  3822.                 c.close()
    3823. 

  3823.         finally:
    3824. 

  3824.             finish = True
    3825. 

  3825.             t.join()
    3826. 

  3826.             server.close()
    3827. 

  3827. 

  3828.     def test_server_accept(self):
    3829. 

  3829.         # Issue #16357: accept() on a SSLSocket created through
    3830. 

  3830.         # SSLContext.wrap_socket().
    3831. 

  3831.         client_ctx, server_ctx, hostname = testing_context()
    3832. 

  3832.         server = socket.socket(socket.AF_INET)
    3833. 

  3833.         host = "127.0.0.1"
    3834. 

  3834.         port = socket_helper.bind_port(server)
    3835. 

  3835.         server = server_ctx.wrap_socket(server, server_side=True)
    3836. 

  3836.         self.assertTrue(server.server_side)
    3837. 

  3837. 

  3838.         evt = threading.Event()
    3839. 

  3839.         remote = None
    3840. 

  3840.         peer = None
    3841. 

  3841.         def serve():
    3842. 

  3842.             nonlocal remote, peer
    3843. 

  3843.             server.listen()
    3844. 

  3844.             # Block on the accept and wait on the connection to close.
    3845. 

  3845.             evt.set()
    3846. 

  3846.             remote, peer = server.accept()
    3847. 

  3847.             remote.send(remote.recv(4))
    3848. 

  3848. 

  3849.         t = threading.Thread(target=serve)
    3850. 

  3850.         t.start()
    3851. 

  3851.         # Client wait until server setup and perform a connect.
    3852. 

  3852.         evt.wait()
    3853. 

  3853.         client = client_ctx.wrap_socket(
    3854. 

  3854.             socket.socket(), server_hostname=hostname
    3855. 

  3855.         )
    3856. 

  3856.         client.connect((hostname, port))
    3857. 

  3857.         client.send(b'data')
    3858. 

  3858.         client.recv()
    3859. 

  3859.         client_addr = client.getsockname()
    3860. 

  3860.         client.close()
    3861. 

  3861.         t.join()
    3862. 

  3862.         remote.close()
    3863. 

  3863.         server.close()
    3864. 

  3864.         # Sanity checks.
    3865. 

  3865.         self.assertIsInstance(remote, ssl.SSLSocket)
    3866. 

  3866.         self.assertEqual(peer, client_addr)
    3867. 

  3867. 

  3868.     def test_getpeercert_enotconn(self):
    3869. 

  3869.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3870. 

  3870.         context.check_hostname = False
    3871. 

  3871.         with context.wrap_socket(socket.socket()) as sock:
    3872. 

  3872.             with self.assertRaises(OSError) as cm:
    3873. 

  3873.                 sock.getpeercert()
    3874. 

  3874.             self.assertEqual(cm.exception.errno, errno.ENOTCONN)
    3875. 

  3875. 

  3876.     def test_do_handshake_enotconn(self):
    3877. 

  3877.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3878. 

  3878.         context.check_hostname = False
    3879. 

  3879.         with context.wrap_socket(socket.socket()) as sock:
    3880. 

  3880.             with self.assertRaises(OSError) as cm:
    3881. 

  3881.                 sock.do_handshake()
    3882. 

  3882.             self.assertEqual(cm.exception.errno, errno.ENOTCONN)
    3883. 

  3883. 

  3884.     def test_no_shared_ciphers(self):
    3885. 

  3885.         client_context, server_context, hostname = testing_context()
    3886. 

  3886.         # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
    3887. 

  3887.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3888. 

  3888.         # Force different suites on client and server
    3889. 

  3889.         client_context.set_ciphers("AES128")
    3890. 

  3890.         server_context.set_ciphers("AES256")
    3891. 

  3891.         with ThreadedEchoServer(context=server_context) as server:
    3892. 

  3892.             with client_context.wrap_socket(socket.socket(),
    3893. 

  3893.                                             server_hostname=hostname) as s:
    3894. 

  3894.                 with self.assertRaises(OSError):
    3895. 

  3895.                     s.connect((HOST, server.port))
    3896. 

  3896.         self.assertIn("no shared cipher", server.conn_errors[0])
    3897. 

  3897. 

  3898.     def test_version_basic(self):
    3899. 

  3899.         """
    3900. 

  3900.         Basic tests for SSLSocket.version().
    3901. 

  3901.         More tests are done in the test_protocol_*() methods.
    3902. 

  3902.         """
    3903. 

  3903.         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    3904. 

  3904.         context.check_hostname = False
    3905. 

  3905.         context.verify_mode = ssl.CERT_NONE
    3906. 

  3906.         with ThreadedEchoServer(CERTFILE,
    3907. 

  3907.                                 ssl_version=ssl.PROTOCOL_TLS_SERVER,
    3908. 

  3908.                                 chatty=False) as server:
    3909. 

  3909.             with context.wrap_socket(socket.socket()) as s:
    3910. 

  3910.                 self.assertIs(s.version(), None)
    3911. 

  3911.                 self.assertIs(s._sslobj, None)
    3912. 

  3912.                 s.connect((HOST, server.port))
    3913. 

  3913.                 self.assertEqual(s.version(), 'TLSv1.3')
    3914. 

  3914.             self.assertIs(s._sslobj, None)
    3915. 

  3915.             self.assertIs(s.version(), None)
    3916. 

  3916. 

  3917.     @requires_tls_version('TLSv1_3')
    3918. 

  3918.     def test_tls1_3(self):
    3919. 

  3919.         client_context, server_context, hostname = testing_context()
    3920. 

  3920.         client_context.minimum_version = ssl.TLSVersion.TLSv1_3
    3921. 

  3921.         with ThreadedEchoServer(context=server_context) as server:
    3922. 

  3922.             with client_context.wrap_socket(socket.socket(),
    3923. 

  3923.                                             server_hostname=hostname) as s:
    3924. 

  3924.                 s.connect((HOST, server.port))
    3925. 

  3925.                 self.assertIn(s.cipher()[0], {
    3926. 

  3926.                     'TLS_AES_256_GCM_SHA384',
    3927. 

  3927.                     'TLS_CHACHA20_POLY1305_SHA256',
    3928. 

  3928.                     'TLS_AES_128_GCM_SHA256',
    3929. 

  3929.                 })
    3930. 

  3930.                 self.assertEqual(s.version(), 'TLSv1.3')
    3931. 

  3931. 

  3932.     @requires_tls_version('TLSv1_2')
    3933. 

  3933.     @requires_tls_version('TLSv1')
    3934. 

  3934.     @ignore_deprecation
    3935. 

  3935.     def test_min_max_version_tlsv1_2(self):
    3936. 

  3936.         client_context, server_context, hostname = testing_context()
    3937. 

  3937.         # client TLSv1.0 to 1.2
    3938. 

  3938.         client_context.minimum_version = ssl.TLSVersion.TLSv1
    3939. 

  3939.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3940. 

  3940.         # server only TLSv1.2
    3941. 

  3941.         server_context.minimum_version = ssl.TLSVersion.TLSv1_2
    3942. 

  3942.         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3943. 

  3943. 

  3944.         with ThreadedEchoServer(context=server_context) as server:
    3945. 

  3945.             with client_context.wrap_socket(socket.socket(),
    3946. 

  3946.                                             server_hostname=hostname) as s:
    3947. 

  3947.                 s.connect((HOST, server.port))
    3948. 

  3948.                 self.assertEqual(s.version(), 'TLSv1.2')
    3949. 

  3949. 

  3950.     @requires_tls_version('TLSv1_1')
    3951. 

  3951.     @ignore_deprecation
    3952. 

  3952.     def test_min_max_version_tlsv1_1(self):
    3953. 

  3953.         client_context, server_context, hostname = testing_context()
    3954. 

  3954.         # client 1.0 to 1.2, server 1.0 to 1.1
    3955. 

  3955.         client_context.minimum_version = ssl.TLSVersion.TLSv1
    3956. 

  3956.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3957. 

  3957.         server_context.minimum_version = ssl.TLSVersion.TLSv1
    3958. 

  3958.         server_context.maximum_version = ssl.TLSVersion.TLSv1_1
    3959. 

  3959.         seclevel_workaround(client_context, server_context)
    3960. 

  3960. 

  3961.         with ThreadedEchoServer(context=server_context) as server:
    3962. 

  3962.             with client_context.wrap_socket(socket.socket(),
    3963. 

  3963.                                             server_hostname=hostname) as s:
    3964. 

  3964.                 s.connect((HOST, server.port))
    3965. 

  3965.                 self.assertEqual(s.version(), 'TLSv1.1')
    3966. 

  3966. 

  3967.     @requires_tls_version('TLSv1_2')
    3968. 

  3968.     @requires_tls_version('TLSv1')
    3969. 

  3969.     @ignore_deprecation
    3970. 

  3970.     def test_min_max_version_mismatch(self):
    3971. 

  3971.         client_context, server_context, hostname = testing_context()
    3972. 

  3972.         # client 1.0, server 1.2 (mismatch)
    3973. 

  3973.         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
    3974. 

  3974.         server_context.minimum_version = ssl.TLSVersion.TLSv1_2
    3975. 

  3975.         client_context.maximum_version = ssl.TLSVersion.TLSv1
    3976. 

  3976.         client_context.minimum_version = ssl.TLSVersion.TLSv1
    3977. 

  3977.         seclevel_workaround(client_context, server_context)
    3978. 

  3978. 

  3979.         with ThreadedEchoServer(context=server_context) as server:
    3980. 

  3980.             with client_context.wrap_socket(socket.socket(),
    3981. 

  3981.                                             server_hostname=hostname) as s:
    3982. 

  3982.                 with self.assertRaises(ssl.SSLError) as e:
    3983. 

  3983.                     s.connect((HOST, server.port))
    3984. 

  3984.                 self.assertIn("alert", str(e.exception))
    3985. 

  3985. 

  3986.     @requires_tls_version('SSLv3')
    3987. 

  3987.     def test_min_max_version_sslv3(self):
    3988. 

  3988.         client_context, server_context, hostname = testing_context()
    3989. 

  3989.         server_context.minimum_version = ssl.TLSVersion.SSLv3
    3990. 

  3990.         client_context.minimum_version = ssl.TLSVersion.SSLv3
    3991. 

  3991.         client_context.maximum_version = ssl.TLSVersion.SSLv3
    3992. 

  3992.         seclevel_workaround(client_context, server_context)
    3993. 

  3993. 

  3994.         with ThreadedEchoServer(context=server_context) as server:
    3995. 

  3995.             with client_context.wrap_socket(socket.socket(),
    3996. 

  3996.                                             server_hostname=hostname) as s:
    3997. 

  3997.                 s.connect((HOST, server.port))
    3998. 

  3998.                 self.assertEqual(s.version(), 'SSLv3')
    3999. 

  3999. 

  4000.     def test_default_ecdh_curve(self):
    4001. 

  4001.         # Issue #21015: elliptic curve-based Diffie Hellman key exchange
    4002. 

  4002.         # should be enabled by default on SSL contexts.
    4003. 

  4003.         client_context, server_context, hostname = testing_context()
    4004. 

  4004.         # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
    4005. 

  4005.         # cipher name.
    4006. 

  4006.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4007. 

  4007.         # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
    4008. 

  4008.         # explicitly using the 'ECCdraft' cipher alias.  Otherwise,
    4009. 

  4009.         # our default cipher list should prefer ECDH-based ciphers
    4010. 

  4010.         # automatically.
    4011. 

  4011.         with ThreadedEchoServer(context=server_context) as server:
    4012. 

  4012.             with client_context.wrap_socket(socket.socket(),
    4013. 

  4013.                                             server_hostname=hostname) as s:
    4014. 

  4014.                 s.connect((HOST, server.port))
    4015. 

  4015.                 self.assertIn("ECDH", s.cipher()[0])
    4016. 

  4016. 

  4017.     @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
    4018. 

  4018.                          "'tls-unique' channel binding not available")
    4019. 

  4019.     def test_tls_unique_channel_binding(self):
    4020. 

  4020.         """Test tls-unique channel binding."""
    4021. 

  4021.         if support.verbose:
    4022. 

  4022.             sys.stdout.write("\n")
    4023. 

  4023. 

  4024.         client_context, server_context, hostname = testing_context()
    4025. 

  4025. 

  4026.         server = ThreadedEchoServer(context=server_context,
    4027. 

  4027.                                     chatty=True,
    4028. 

  4028.                                     connectionchatty=False)
    4029. 

  4029. 

  4030.         with server:
    4031. 

  4031.             with client_context.wrap_socket(
    4032. 

  4032.                     socket.socket(),
    4033. 

  4033.                     server_hostname=hostname) as s:
    4034. 

  4034.                 s.connect((HOST, server.port))
    4035. 

  4035.                 # get the data
    4036. 

  4036.                 cb_data = s.get_channel_binding("tls-unique")
    4037. 

  4037.                 if support.verbose:
    4038. 

  4038.                     sys.stdout.write(
    4039. 

  4039.                         " got channel binding data: {0!r}\n".format(cb_data))
    4040. 

  4040. 

  4041.                 # check if it is sane
    4042. 

  4042.                 self.assertIsNotNone(cb_data)
    4043. 

  4043.                 if s.version() == 'TLSv1.3':
    4044. 

  4044.                     self.assertEqual(len(cb_data), 48)
    4045. 

  4045.                 else:
    4046. 

  4046.                     self.assertEqual(len(cb_data), 12)  # True for TLSv1
    4047. 

  4047. 

  4048.                 # and compare with the peers version
    4049. 

  4049.                 s.write(b"CB tls-unique\n")
    4050. 

  4050.                 peer_data_repr = s.read().strip()
    4051. 

  4051.                 self.assertEqual(peer_data_repr,
    4052. 

  4052.                                  repr(cb_data).encode("us-ascii"))
    4053. 

  4053. 

  4054.             # now, again
    4055. 

  4055.             with client_context.wrap_socket(
    4056. 

  4056.                     socket.socket(),
    4057. 

  4057.                     server_hostname=hostname) as s:
    4058. 

  4058.                 s.connect((HOST, server.port))
    4059. 

  4059.                 new_cb_data = s.get_channel_binding("tls-unique")
    4060. 

  4060.                 if support.verbose:
    4061. 

  4061.                     sys.stdout.write(
    4062. 

  4062.                         "got another channel binding data: {0!r}\n".format(
    4063. 

  4063.                             new_cb_data)
    4064. 

  4064.                     )
    4065. 

  4065.                 # is it really unique
    4066. 

  4066.                 self.assertNotEqual(cb_data, new_cb_data)
    4067. 

  4067.                 self.assertIsNotNone(cb_data)
    4068. 

  4068.                 if s.version() == 'TLSv1.3':
    4069. 

  4069.                     self.assertEqual(len(cb_data), 48)
    4070. 

  4070.                 else:
    4071. 

  4071.                     self.assertEqual(len(cb_data), 12)  # True for TLSv1
    4072. 

  4072.                 s.write(b"CB tls-unique\n")
    4073. 

  4073.                 peer_data_repr = s.read().strip()
    4074. 

  4074.                 self.assertEqual(peer_data_repr,
    4075. 

  4075.                                  repr(new_cb_data).encode("us-ascii"))
    4076. 

  4076. 

  4077.     def test_compression(self):
    4078. 

  4078.         client_context, server_context, hostname = testing_context()
    4079. 

  4079.         stats = server_params_test(client_context, server_context,
    4080. 

  4080.                                    chatty=True, connectionchatty=True,
    4081. 

  4081.                                    sni_name=hostname)
    4082. 

  4082.         if support.verbose:
    4083. 

  4083.             sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
    4084. 

  4084.         self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
    4085. 

  4085. 

  4086.     @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
    4087. 

  4087.                          "ssl.OP_NO_COMPRESSION needed for this test")
    4088. 

  4088.     def test_compression_disabled(self):
    4089. 

  4089.         client_context, server_context, hostname = testing_context()
    4090. 

  4090.         client_context.options |= ssl.OP_NO_COMPRESSION
    4091. 

  4091.         server_context.options |= ssl.OP_NO_COMPRESSION
    4092. 

  4092.         stats = server_params_test(client_context, server_context,
    4093. 

  4093.                                    chatty=True, connectionchatty=True,
    4094. 

  4094.                                    sni_name=hostname)
    4095. 

  4095.         self.assertIs(stats['compression'], None)
    4096. 

  4096. 

  4097.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    4098. 

  4098.     def test_dh_params(self):
    4099. 

  4099.         # Check we can get a connection with ephemeral Diffie-Hellman
    4100. 

  4100.         client_context, server_context, hostname = testing_context()
    4101. 

  4101.         # test scenario needs TLS <= 1.2
    4102. 

  4102.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4103. 

  4103.         server_context.load_dh_params(DHFILE)
    4104. 

  4104.         server_context.set_ciphers("kEDH")
    4105. 

  4105.         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4106. 

  4106.         stats = server_params_test(client_context, server_context,
    4107. 

  4107.                                    chatty=True, connectionchatty=True,
    4108. 

  4108.                                    sni_name=hostname)
    4109. 

  4109.         cipher = stats["cipher"][0]
    4110. 

  4110.         parts = cipher.split("-")
    4111. 

  4111.         if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
    4112. 

  4112.             self.fail("Non-DH cipher: " + cipher[0])
    4113. 

  4113. 

  4114.     def test_ecdh_curve(self):
    4115. 

  4115.         # server secp384r1, client auto
    4116. 

  4116.         client_context, server_context, hostname = testing_context()
    4117. 

  4117. 

  4118.         server_context.set_ecdh_curve("secp384r1")
    4119. 

  4119.         server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
    4120. 

  4120.         server_context.minimum_version = ssl.TLSVersion.TLSv1_2
    4121. 

  4121.         stats = server_params_test(client_context, server_context,
    4122. 

  4122.                                    chatty=True, connectionchatty=True,
    4123. 

  4123.                                    sni_name=hostname)
    4124. 

  4124. 

  4125.         # server auto, client secp384r1
    4126. 

  4126.         client_context, server_context, hostname = testing_context()
    4127. 

  4127.         client_context.set_ecdh_curve("secp384r1")
    4128. 

  4128.         server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
    4129. 

  4129.         server_context.minimum_version = ssl.TLSVersion.TLSv1_2
    4130. 

  4130.         stats = server_params_test(client_context, server_context,
    4131. 

  4131.                                    chatty=True, connectionchatty=True,
    4132. 

  4132.                                    sni_name=hostname)
    4133. 

  4133. 

  4134.         # server / client curve mismatch
    4135. 

  4135.         client_context, server_context, hostname = testing_context()
    4136. 

  4136.         client_context.set_ecdh_curve("prime256v1")
    4137. 

  4137.         server_context.set_ecdh_curve("secp384r1")
    4138. 

  4138.         server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
    4139. 

  4139.         server_context.minimum_version = ssl.TLSVersion.TLSv1_2
    4140. 

  4140.         with self.assertRaises(ssl.SSLError):
    4141. 

  4141.             server_params_test(client_context, server_context,
    4142. 

  4142.                                chatty=True, connectionchatty=True,
    4143. 

  4143.                                sni_name=hostname)
    4144. 

  4144. 

  4145.     def test_selected_alpn_protocol(self):
    4146. 

  4146.         # selected_alpn_protocol() is None unless ALPN is used.
    4147. 

  4147.         client_context, server_context, hostname = testing_context()
    4148. 

  4148.         stats = server_params_test(client_context, server_context,
    4149. 

  4149.                                    chatty=True, connectionchatty=True,
    4150. 

  4150.                                    sni_name=hostname)
    4151. 

  4151.         self.assertIs(stats['client_alpn_protocol'], None)
    4152. 

  4152. 

  4153.     def test_selected_alpn_protocol_if_server_uses_alpn(self):
    4154. 

  4154.         # selected_alpn_protocol() is None unless ALPN is used by the client.
    4155. 

  4155.         client_context, server_context, hostname = testing_context()
    4156. 

  4156.         server_context.set_alpn_protocols(['foo', 'bar'])
    4157. 

  4157.         stats = server_params_test(client_context, server_context,
    4158. 

  4158.                                    chatty=True, connectionchatty=True,
    4159. 

  4159.                                    sni_name=hostname)
    4160. 

  4160.         self.assertIs(stats['client_alpn_protocol'], None)
    4161. 

  4161. 

  4162.     def test_alpn_protocols(self):
    4163. 

  4163.         server_protocols = ['foo', 'bar', 'milkshake']
    4164. 

  4164.         protocol_tests = [
    4165. 

  4165.             (['foo', 'bar'], 'foo'),
    4166. 

  4166.             (['bar', 'foo'], 'foo'),
    4167. 

  4167.             (['milkshake'], 'milkshake'),
    4168. 

  4168.             (['http/3.0', 'http/4.0'], None)
    4169. 

  4169.         ]
    4170. 

  4170.         for client_protocols, expected in protocol_tests:
    4171. 

  4171.             client_context, server_context, hostname = testing_context()
    4172. 

  4172.             server_context.set_alpn_protocols(server_protocols)
    4173. 

  4173.             client_context.set_alpn_protocols(client_protocols)
    4174. 

  4174. 

  4175.             try:
    4176. 

  4176.                 stats = server_params_test(client_context,
    4177. 

  4177.                                            server_context,
    4178. 

  4178.                                            chatty=True,
    4179. 

  4179.                                            connectionchatty=True,
    4180. 

  4180.                                            sni_name=hostname)
    4181. 

  4181.             except ssl.SSLError as e:
    4182. 

  4182.                 stats = e
    4183. 

  4183. 

  4184.             msg = "failed trying %s (s) and %s (c).\n" \
    4185. 

  4185.                 "was expecting %s, but got %%s from the %%s" \
    4186. 

  4186.                     % (str(server_protocols), str(client_protocols),
    4187. 

  4187.                         str(expected))
    4188. 

  4188.             client_result = stats['client_alpn_protocol']
    4189. 

  4189.             self.assertEqual(client_result, expected,
    4190. 

  4190.                              msg % (client_result, "client"))
    4191. 

  4191.             server_result = stats['server_alpn_protocols'][-1] \
    4192. 

  4192.                 if len(stats['server_alpn_protocols']) else 'nothing'
    4193. 

  4193.             self.assertEqual(server_result, expected,
    4194. 

  4194.                              msg % (server_result, "server"))
    4195. 

  4195. 

  4196.     def test_npn_protocols(self):
    4197. 

  4197.         assert not ssl.HAS_NPN
    4198. 

  4198. 

  4199.     def sni_contexts(self):
    4200. 

  4200.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    4201. 

  4201.         server_context.load_cert_chain(SIGNED_CERTFILE)
    4202. 

  4202.         other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    4203. 

  4203.         other_context.load_cert_chain(SIGNED_CERTFILE2)
    4204. 

  4204.         client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    4205. 

  4205.         client_context.load_verify_locations(SIGNING_CA)
    4206. 

  4206.         return server_context, other_context, client_context
    4207. 

  4207. 

  4208.     def check_common_name(self, stats, name):
    4209. 

  4209.         cert = stats['peercert']
    4210. 

  4210.         self.assertIn((('commonName', name),), cert['subject'])
    4211. 

  4211. 

  4212.     def test_sni_callback(self):
    4213. 

  4213.         calls = []
    4214. 

  4214.         server_context, other_context, client_context = self.sni_contexts()
    4215. 

  4215. 

  4216.         client_context.check_hostname = False
    4217. 

  4217. 

  4218.         def servername_cb(ssl_sock, server_name, initial_context):
    4219. 

  4219.             calls.append((server_name, initial_context))
    4220. 

  4220.             if server_name is not None:
    4221. 

  4221.                 ssl_sock.context = other_context
    4222. 

  4222.         server_context.set_servername_callback(servername_cb)
    4223. 

  4223. 

  4224.         stats = server_params_test(client_context, server_context,
    4225. 

  4225.                                    chatty=True,
    4226. 

  4226.                                    sni_name='supermessage')
    4227. 

  4227.         # The hostname was fetched properly, and the certificate was
    4228. 

  4228.         # changed for the connection.
    4229. 

  4229.         self.assertEqual(calls, [("supermessage", server_context)])
    4230. 

  4230.         # CERTFILE4 was selected
    4231. 

  4231.         self.check_common_name(stats, 'fakehostname')
    4232. 

  4232. 

  4233.         calls = []
    4234. 

  4234.         # The callback is called with server_name=None
    4235. 

  4235.         stats = server_params_test(client_context, server_context,
    4236. 

  4236.                                    chatty=True,
    4237. 

  4237.                                    sni_name=None)
    4238. 

  4238.         self.assertEqual(calls, [(None, server_context)])
    4239. 

  4239.         self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
    4240. 

  4240. 

  4241.         # Check disabling the callback
    4242. 

  4242.         calls = []
    4243. 

  4243.         server_context.set_servername_callback(None)
    4244. 

  4244. 

  4245.         stats = server_params_test(client_context, server_context,
    4246. 

  4246.                                    chatty=True,
    4247. 

  4247.                                    sni_name='notfunny')
    4248. 

  4248.         # Certificate didn't change
    4249. 

  4249.         self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
    4250. 

  4250.         self.assertEqual(calls, [])
    4251. 

  4251. 

  4252.     def test_sni_callback_alert(self):
    4253. 

  4253.         # Returning a TLS alert is reflected to the connecting client
    4254. 

  4254.         server_context, other_context, client_context = self.sni_contexts()
    4255. 

  4255. 

  4256.         def cb_returning_alert(ssl_sock, server_name, initial_context):
    4257. 

  4257.             return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
    4258. 

  4258.         server_context.set_servername_callback(cb_returning_alert)
    4259. 

  4259.         with self.assertRaises(ssl.SSLError) as cm:
    4260. 

  4260.             stats = server_params_test(client_context, server_context,
    4261. 

  4261.                                        chatty=False,
    4262. 

  4262.                                        sni_name='supermessage')
    4263. 

  4263.         self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
    4264. 

  4264. 

  4265.     def test_sni_callback_raising(self):
    4266. 

  4266.         # Raising fails the connection with a TLS handshake failure alert.
    4267. 

  4267.         server_context, other_context, client_context = self.sni_contexts()
    4268. 

  4268. 

  4269.         def cb_raising(ssl_sock, server_name, initial_context):
    4270. 

  4270.             1/0
    4271. 

  4271.         server_context.set_servername_callback(cb_raising)
    4272. 

  4272. 

  4273.         with support.catch_unraisable_exception() as catch:
    4274. 

  4274.             with self.assertRaises(ssl.SSLError) as cm:
    4275. 

  4275.                 stats = server_params_test(client_context, server_context,
    4276. 

  4276.                                            chatty=False,
    4277. 

  4277.                                            sni_name='supermessage')
    4278. 

  4278. 

  4279.             self.assertEqual(cm.exception.reason,
    4280. 

  4280.                              'SSLV3_ALERT_HANDSHAKE_FAILURE')
    4281. 

  4281.             self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
    4282. 

  4282. 

  4283.     def test_sni_callback_wrong_return_type(self):
    4284. 

  4284.         # Returning the wrong return type terminates the TLS connection
    4285. 

  4285.         # with an internal error alert.
    4286. 

  4286.         server_context, other_context, client_context = self.sni_contexts()
    4287. 

  4287. 

  4288.         def cb_wrong_return_type(ssl_sock, server_name, initial_context):
    4289. 

  4289.             return "foo"
    4290. 

  4290.         server_context.set_servername_callback(cb_wrong_return_type)
    4291. 

  4291. 

  4292.         with support.catch_unraisable_exception() as catch:
    4293. 

  4293.             with self.assertRaises(ssl.SSLError) as cm:
    4294. 

  4294.                 stats = server_params_test(client_context, server_context,
    4295. 

  4295.                                            chatty=False,
    4296. 

  4296.                                            sni_name='supermessage')
    4297. 

  4297. 

  4298. 

  4299.             self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
    4300. 

  4300.             self.assertEqual(catch.unraisable.exc_type, TypeError)
    4301. 

  4301. 

  4302.     def test_shared_ciphers(self):
    4303. 

  4303.         client_context, server_context, hostname = testing_context()
    4304. 

  4304.         client_context.set_ciphers("AES128:AES256")
    4305. 

  4305.         server_context.set_ciphers("AES256")
    4306. 

  4306.         expected_algs = [
    4307. 

  4307.             "AES256", "AES-256",
    4308. 

  4308.             # TLS 1.3 ciphers are always enabled
    4309. 

  4309.             "TLS_CHACHA20", "TLS_AES",
    4310. 

  4310.         ]
    4311. 

  4311. 

  4312.         stats = server_params_test(client_context, server_context,
    4313. 

  4313.                                    sni_name=hostname)
    4314. 

  4314.         ciphers = stats['server_shared_ciphers'][0]
    4315. 

  4315.         self.assertGreater(len(ciphers), 0)
    4316. 

  4316.         for name, tls_version, bits in ciphers:
    4317. 

  4317.             if not any(alg in name for alg in expected_algs):
    4318. 

  4318.                 self.fail(name)
    4319. 

  4319. 

  4320.     def test_read_write_after_close_raises_valuerror(self):
    4321. 

  4321.         client_context, server_context, hostname = testing_context()
    4322. 

  4322.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4323. 

  4323. 

  4324.         with server:
    4325. 

  4325.             s = client_context.wrap_socket(socket.socket(),
    4326. 

  4326.                                            server_hostname=hostname)
    4327. 

  4327.             s.connect((HOST, server.port))
    4328. 

  4328.             s.close()
    4329. 

  4329. 

  4330.             self.assertRaises(ValueError, s.read, 1024)
    4331. 

  4331.             self.assertRaises(ValueError, s.write, b'hello')
    4332. 

  4332. 

  4333.     def test_sendfile(self):
    4334. 

  4334.         TEST_DATA = b"x" * 512
    4335. 

  4335.         with open(os_helper.TESTFN, 'wb') as f:
    4336. 

  4336.             f.write(TEST_DATA)
    4337. 

  4337.         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
    4338. 

  4338.         client_context, server_context, hostname = testing_context()
    4339. 

  4339.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4340. 

  4340.         with server:
    4341. 

  4341.             with client_context.wrap_socket(socket.socket(),
    4342. 

  4342.                                             server_hostname=hostname) as s:
    4343. 

  4343.                 s.connect((HOST, server.port))
    4344. 

  4344.                 with open(os_helper.TESTFN, 'rb') as file:
    4345. 

  4345.                     s.sendfile(file)
    4346. 

  4346.                     self.assertEqual(s.recv(1024), TEST_DATA)
    4347. 

  4347. 

  4348.     def test_session(self):
    4349. 

  4349.         client_context, server_context, hostname = testing_context()
    4350. 

  4350.         # TODO: sessions aren't compatible with TLSv1.3 yet
    4351. 

  4351.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4352. 

  4352. 

  4353.         # first connection without session
    4354. 

  4354.         stats = server_params_test(client_context, server_context,
    4355. 

  4355.                                    sni_name=hostname)
    4356. 

  4356.         session = stats['session']
    4357. 

  4357.         self.assertTrue(session.id)
    4358. 

  4358.         self.assertGreater(session.time, 0)
    4359. 

  4359.         self.assertGreater(session.timeout, 0)
    4360. 

  4360.         self.assertTrue(session.has_ticket)
    4361. 

  4361.         self.assertGreater(session.ticket_lifetime_hint, 0)
    4362. 

  4362.         self.assertFalse(stats['session_reused'])
    4363. 

  4363.         sess_stat = server_context.session_stats()
    4364. 

  4364.         self.assertEqual(sess_stat['accept'], 1)
    4365. 

  4365.         self.assertEqual(sess_stat['hits'], 0)
    4366. 

  4366. 

  4367.         # reuse session
    4368. 

  4368.         stats = server_params_test(client_context, server_context,
    4369. 

  4369.                                    session=session, sni_name=hostname)
    4370. 

  4370.         sess_stat = server_context.session_stats()
    4371. 

  4371.         self.assertEqual(sess_stat['accept'], 2)
    4372. 

  4372.         self.assertEqual(sess_stat['hits'], 1)
    4373. 

  4373.         self.assertTrue(stats['session_reused'])
    4374. 

  4374.         session2 = stats['session']
    4375. 

  4375.         self.assertEqual(session2.id, session.id)
    4376. 

  4376.         self.assertEqual(session2, session)
    4377. 

  4377.         self.assertIsNot(session2, session)
    4378. 

  4378.         self.assertGreaterEqual(session2.time, session.time)
    4379. 

  4379.         self.assertGreaterEqual(session2.timeout, session.timeout)
    4380. 

  4380. 

  4381.         # another one without session
    4382. 

  4382.         stats = server_params_test(client_context, server_context,
    4383. 

  4383.                                    sni_name=hostname)
    4384. 

  4384.         self.assertFalse(stats['session_reused'])
    4385. 

  4385.         session3 = stats['session']
    4386. 

  4386.         self.assertNotEqual(session3.id, session.id)
    4387. 

  4387.         self.assertNotEqual(session3, session)
    4388. 

  4388.         sess_stat = server_context.session_stats()
    4389. 

  4389.         self.assertEqual(sess_stat['accept'], 3)
    4390. 

  4390.         self.assertEqual(sess_stat['hits'], 1)
    4391. 

  4391. 

  4392.         # reuse session again
    4393. 

  4393.         stats = server_params_test(client_context, server_context,
    4394. 

  4394.                                    session=session, sni_name=hostname)
    4395. 

  4395.         self.assertTrue(stats['session_reused'])
    4396. 

  4396.         session4 = stats['session']
    4397. 

  4397.         self.assertEqual(session4.id, session.id)
    4398. 

  4398.         self.assertEqual(session4, session)
    4399. 

  4399.         self.assertGreaterEqual(session4.time, session.time)
    4400. 

  4400.         self.assertGreaterEqual(session4.timeout, session.timeout)
    4401. 

  4401.         sess_stat = server_context.session_stats()
    4402. 

  4402.         self.assertEqual(sess_stat['accept'], 4)
    4403. 

  4403.         self.assertEqual(sess_stat['hits'], 2)
    4404. 

  4404. 

  4405.     def test_session_handling(self):
    4406. 

  4406.         client_context, server_context, hostname = testing_context()
    4407. 

  4407.         client_context2, _, _ = testing_context()
    4408. 

  4408. 

  4409.         # TODO: session reuse does not work with TLSv1.3
    4410. 

  4410.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4411. 

  4411.         client_context2.maximum_version = ssl.TLSVersion.TLSv1_2
    4412. 

  4412. 

  4413.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4414. 

  4414.         with server:
    4415. 

  4415.             with client_context.wrap_socket(socket.socket(),
    4416. 

  4416.                                             server_hostname=hostname) as s:
    4417. 

  4417.                 # session is None before handshake
    4418. 

  4418.                 self.assertEqual(s.session, None)
    4419. 

  4419.                 self.assertEqual(s.session_reused, None)
    4420. 

  4420.                 s.connect((HOST, server.port))
    4421. 

  4421.                 session = s.session
    4422. 

  4422.                 self.assertTrue(session)
    4423. 

  4423.                 with self.assertRaises(TypeError) as e:
    4424. 

  4424.                     s.session = object
    4425. 

  4425.                 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
    4426. 

  4426. 

  4427.             with client_context.wrap_socket(socket.socket(),
    4428. 

  4428.                                             server_hostname=hostname) as s:
    4429. 

  4429.                 s.connect((HOST, server.port))
    4430. 

  4430.                 # cannot set session after handshake
    4431. 

  4431.                 with self.assertRaises(ValueError) as e:
    4432. 

  4432.                     s.session = session
    4433. 

  4433.                 self.assertEqual(str(e.exception),
    4434. 

  4434.                                  'Cannot set session after handshake.')
    4435. 

  4435. 

  4436.             with client_context.wrap_socket(socket.socket(),
    4437. 

  4437.                                             server_hostname=hostname) as s:
    4438. 

  4438.                 # can set session before handshake and before the
    4439. 

  4439.                 # connection was established
    4440. 

  4440.                 s.session = session
    4441. 

  4441.                 s.connect((HOST, server.port))
    4442. 

  4442.                 self.assertEqual(s.session.id, session.id)
    4443. 

  4443.                 self.assertEqual(s.session, session)
    4444. 

  4444.                 self.assertEqual(s.session_reused, True)
    4445. 

  4445. 

  4446.             with client_context2.wrap_socket(socket.socket(),
    4447. 

  4447.                                              server_hostname=hostname) as s:
    4448. 

  4448.                 # cannot re-use session with a different SSLContext
    4449. 

  4449.                 with self.assertRaises(ValueError) as e:
    4450. 

  4450.                     s.session = session
    4451. 

  4451.                     s.connect((HOST, server.port))
    4452. 

  4452.                 self.assertEqual(str(e.exception),
    4453. 

  4453.                                  'Session refers to a different SSLContext.')
    4454. 

  4454. 

  4455. 

  4456. @unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
    4457. 

  4457. class TestPostHandshakeAuth(unittest.TestCase):
    4458. 

  4458.     def test_pha_setter(self):
    4459. 

  4459.         protocols = [
    4460. 

  4460.             ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
    4461. 

  4461.         ]
    4462. 

  4462.         for protocol in protocols:
    4463. 

  4463.             ctx = ssl.SSLContext(protocol)
    4464. 

  4464.             self.assertEqual(ctx.post_handshake_auth, False)
    4465. 

  4465. 

  4466.             ctx.post_handshake_auth = True
    4467. 

  4467.             self.assertEqual(ctx.post_handshake_auth, True)
    4468. 

  4468. 

  4469.             ctx.verify_mode = ssl.CERT_REQUIRED
    4470. 

  4470.             self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    4471. 

  4471.             self.assertEqual(ctx.post_handshake_auth, True)
    4472. 

  4472. 

  4473.             ctx.post_handshake_auth = False
    4474. 

  4474.             self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
    4475. 

  4475.             self.assertEqual(ctx.post_handshake_auth, False)
    4476. 

  4476. 

  4477.             ctx.verify_mode = ssl.CERT_OPTIONAL
    4478. 

  4478.             ctx.post_handshake_auth = True
    4479. 

  4479.             self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
    4480. 

  4480.             self.assertEqual(ctx.post_handshake_auth, True)
    4481. 

  4481. 

  4482.     def test_pha_required(self):
    4483. 

  4483.         client_context, server_context, hostname = testing_context()
    4484. 

  4484.         server_context.post_handshake_auth = True
    4485. 

  4485.         server_context.verify_mode = ssl.CERT_REQUIRED
    4486. 

  4486.         client_context.post_handshake_auth = True
    4487. 

  4487.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4488. 

  4488. 

  4489.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4490. 

  4490.         with server:
    4491. 

  4491.             with client_context.wrap_socket(socket.socket(),
    4492. 

  4492.                                             server_hostname=hostname) as s:
    4493. 

  4493.                 s.connect((HOST, server.port))
    4494. 

  4494.                 s.write(b'HASCERT')
    4495. 

  4495.                 self.assertEqual(s.recv(1024), b'FALSE\n')
    4496. 

  4496.                 s.write(b'PHA')
    4497. 

  4497.                 self.assertEqual(s.recv(1024), b'OK\n')
    4498. 

  4498.                 s.write(b'HASCERT')
    4499. 

  4499.                 self.assertEqual(s.recv(1024), b'TRUE\n')
    4500. 

  4500.                 # PHA method just returns true when cert is already available
    4501. 

  4501.                 s.write(b'PHA')
    4502. 

  4502.                 self.assertEqual(s.recv(1024), b'OK\n')
    4503. 

  4503.                 s.write(b'GETCERT')
    4504. 

  4504.                 cert_text = s.recv(4096).decode('us-ascii')
    4505. 

  4505.                 self.assertIn('Python Software Foundation CA', cert_text)
    4506. 

  4506. 

  4507.     def test_pha_required_nocert(self):
    4508. 

  4508.         client_context, server_context, hostname = testing_context()
    4509. 

  4509.         server_context.post_handshake_auth = True
    4510. 

  4510.         server_context.verify_mode = ssl.CERT_REQUIRED
    4511. 

  4511.         client_context.post_handshake_auth = True
    4512. 

  4512. 

  4513.         def msg_cb(conn, direction, version, content_type, msg_type, data):
    4514. 

  4514.             if support.verbose and content_type == _TLSContentType.ALERT:
    4515. 

  4515.                 info = (conn, direction, version, content_type, msg_type, data)
    4516. 

  4516.                 sys.stdout.write(f"TLS: {info!r}\n")
    4517. 

  4517. 

  4518.         server_context._msg_callback = msg_cb
    4519. 

  4519.         client_context._msg_callback = msg_cb
    4520. 

  4520. 

  4521.         server = ThreadedEchoServer(context=server_context, chatty=True)
    4522. 

  4522.         with server:
    4523. 

  4523.             with client_context.wrap_socket(socket.socket(),
    4524. 

  4524.                                             server_hostname=hostname,
    4525. 

  4525.                                             suppress_ragged_eofs=False) as s:
    4526. 

  4526.                 s.connect((HOST, server.port))
    4527. 

  4527.                 s.write(b'PHA')
    4528. 

  4528.                 # test sometimes fails with EOF error. Test passes as long as
    4529. 

  4529.                 # server aborts connection with an error.
    4530. 

  4530.                 with self.assertRaisesRegex(
    4531. 

  4531.                     ssl.SSLError,
    4532. 

  4532.                     '(certificate required|EOF occurred)'
    4533. 

  4533.                 ):
    4534. 

  4534.                     # receive CertificateRequest
    4535. 

  4535.                     data = s.recv(1024)
    4536. 

  4536.                     self.assertEqual(data, b'OK\n')
    4537. 

  4537. 

  4538.                     # send empty Certificate + Finish
    4539. 

  4539.                     s.write(b'HASCERT')
    4540. 

  4540. 

  4541.                     # receive alert
    4542. 

  4542.                     s.recv(1024)
    4543. 

  4543. 

  4544.     def test_pha_optional(self):
    4545. 

  4545.         if support.verbose:
    4546. 

  4546.             sys.stdout.write("\n")
    4547. 

  4547. 

  4548.         client_context, server_context, hostname = testing_context()
    4549. 

  4549.         server_context.post_handshake_auth = True
    4550. 

  4550.         server_context.verify_mode = ssl.CERT_REQUIRED
    4551. 

  4551.         client_context.post_handshake_auth = True
    4552. 

  4552.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4553. 

  4553. 

  4554.         # check CERT_OPTIONAL
    4555. 

  4555.         server_context.verify_mode = ssl.CERT_OPTIONAL
    4556. 

  4556.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4557. 

  4557.         with server:
    4558. 

  4558.             with client_context.wrap_socket(socket.socket(),
    4559. 

  4559.                                             server_hostname=hostname) as s:
    4560. 

  4560.                 s.connect((HOST, server.port))
    4561. 

  4561.                 s.write(b'HASCERT')
    4562. 

  4562.                 self.assertEqual(s.recv(1024), b'FALSE\n')
    4563. 

  4563.                 s.write(b'PHA')
    4564. 

  4564.                 self.assertEqual(s.recv(1024), b'OK\n')
    4565. 

  4565.                 s.write(b'HASCERT')
    4566. 

  4566.                 self.assertEqual(s.recv(1024), b'TRUE\n')
    4567. 

  4567. 

  4568.     def test_pha_optional_nocert(self):
    4569. 

  4569.         if support.verbose:
    4570. 

  4570.             sys.stdout.write("\n")
    4571. 

  4571. 

  4572.         client_context, server_context, hostname = testing_context()
    4573. 

  4573.         server_context.post_handshake_auth = True
    4574. 

  4574.         server_context.verify_mode = ssl.CERT_OPTIONAL
    4575. 

  4575.         client_context.post_handshake_auth = True
    4576. 

  4576. 

  4577.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4578. 

  4578.         with server:
    4579. 

  4579.             with client_context.wrap_socket(socket.socket(),
    4580. 

  4580.                                             server_hostname=hostname) as s:
    4581. 

  4581.                 s.connect((HOST, server.port))
    4582. 

  4582.                 s.write(b'HASCERT')
    4583. 

  4583.                 self.assertEqual(s.recv(1024), b'FALSE\n')
    4584. 

  4584.                 s.write(b'PHA')
    4585. 

  4585.                 self.assertEqual(s.recv(1024), b'OK\n')
    4586. 

  4586.                 # optional doesn't fail when client does not have a cert
    4587. 

  4587.                 s.write(b'HASCERT')
    4588. 

  4588.                 self.assertEqual(s.recv(1024), b'FALSE\n')
    4589. 

  4589. 

  4590.     def test_pha_no_pha_client(self):
    4591. 

  4591.         client_context, server_context, hostname = testing_context()
    4592. 

  4592.         server_context.post_handshake_auth = True
    4593. 

  4593.         server_context.verify_mode = ssl.CERT_REQUIRED
    4594. 

  4594.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4595. 

  4595. 

  4596.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4597. 

  4597.         with server:
    4598. 

  4598.             with client_context.wrap_socket(socket.socket(),
    4599. 

  4599.                                             server_hostname=hostname) as s:
    4600. 

  4600.                 s.connect((HOST, server.port))
    4601. 

  4601.                 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
    4602. 

  4602.                     s.verify_client_post_handshake()
    4603. 

  4603.                 s.write(b'PHA')
    4604. 

  4604.                 self.assertIn(b'extension not received', s.recv(1024))
    4605. 

  4605. 

  4606.     def test_pha_no_pha_server(self):
    4607. 

  4607.         # server doesn't have PHA enabled, cert is requested in handshake
    4608. 

  4608.         client_context, server_context, hostname = testing_context()
    4609. 

  4609.         server_context.verify_mode = ssl.CERT_REQUIRED
    4610. 

  4610.         client_context.post_handshake_auth = True
    4611. 

  4611.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4612. 

  4612. 

  4613.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4614. 

  4614.         with server:
    4615. 

  4615.             with client_context.wrap_socket(socket.socket(),
    4616. 

  4616.                                             server_hostname=hostname) as s:
    4617. 

  4617.                 s.connect((HOST, server.port))
    4618. 

  4618.                 s.write(b'HASCERT')
    4619. 

  4619.                 self.assertEqual(s.recv(1024), b'TRUE\n')
    4620. 

  4620.                 # PHA doesn't fail if there is already a cert
    4621. 

  4621.                 s.write(b'PHA')
    4622. 

  4622.                 self.assertEqual(s.recv(1024), b'OK\n')
    4623. 

  4623.                 s.write(b'HASCERT')
    4624. 

  4624.                 self.assertEqual(s.recv(1024), b'TRUE\n')
    4625. 

  4625. 

  4626.     def test_pha_not_tls13(self):
    4627. 

  4627.         # TLS 1.2
    4628. 

  4628.         client_context, server_context, hostname = testing_context()
    4629. 

  4629.         server_context.verify_mode = ssl.CERT_REQUIRED
    4630. 

  4630.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4631. 

  4631.         client_context.post_handshake_auth = True
    4632. 

  4632.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4633. 

  4633. 

  4634.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4635. 

  4635.         with server:
    4636. 

  4636.             with client_context.wrap_socket(socket.socket(),
    4637. 

  4637.                                             server_hostname=hostname) as s:
    4638. 

  4638.                 s.connect((HOST, server.port))
    4639. 

  4639.                 # PHA fails for TLS != 1.3
    4640. 

  4640.                 s.write(b'PHA')
    4641. 

  4641.                 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
    4642. 

  4642. 

  4643.     def test_bpo37428_pha_cert_none(self):
    4644. 

  4644.         # verify that post_handshake_auth does not implicitly enable cert
    4645. 

  4645.         # validation.
    4646. 

  4646.         hostname = SIGNED_CERTFILE_HOSTNAME
    4647. 

  4647.         client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    4648. 

  4648.         client_context.post_handshake_auth = True
    4649. 

  4649.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4650. 

  4650.         # no cert validation and CA on client side
    4651. 

  4651.         client_context.check_hostname = False
    4652. 

  4652.         client_context.verify_mode = ssl.CERT_NONE
    4653. 

  4653. 

  4654.         server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    4655. 

  4655.         server_context.load_cert_chain(SIGNED_CERTFILE)
    4656. 

  4656.         server_context.load_verify_locations(SIGNING_CA)
    4657. 

  4657.         server_context.post_handshake_auth = True
    4658. 

  4658.         server_context.verify_mode = ssl.CERT_REQUIRED
    4659. 

  4659. 

  4660.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4661. 

  4661.         with server:
    4662. 

  4662.             with client_context.wrap_socket(socket.socket(),
    4663. 

  4663.                                             server_hostname=hostname) as s:
    4664. 

  4664.                 s.connect((HOST, server.port))
    4665. 

  4665.                 s.write(b'HASCERT')
    4666. 

  4666.                 self.assertEqual(s.recv(1024), b'FALSE\n')
    4667. 

  4667.                 s.write(b'PHA')
    4668. 

  4668.                 self.assertEqual(s.recv(1024), b'OK\n')
    4669. 

  4669.                 s.write(b'HASCERT')
    4670. 

  4670.                 self.assertEqual(s.recv(1024), b'TRUE\n')
    4671. 

  4671.                 # server cert has not been validated
    4672. 

  4672.                 self.assertEqual(s.getpeercert(), {})
    4673. 

  4673. 

  4674.     def test_internal_chain_client(self):
    4675. 

  4675.         client_context, server_context, hostname = testing_context(
    4676. 

  4676.             server_chain=False
    4677. 

  4677.         )
    4678. 

  4678.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4679. 

  4679.         with server:
    4680. 

  4680.             with client_context.wrap_socket(
    4681. 

  4681.                 socket.socket(),
    4682. 

  4682.                 server_hostname=hostname
    4683. 

  4683.             ) as s:
    4684. 

  4684.                 s.connect((HOST, server.port))
    4685. 

  4685.                 vc = s._sslobj.get_verified_chain()
    4686. 

  4686.                 self.assertEqual(len(vc), 2)
    4687. 

  4687.                 ee, ca = vc
    4688. 

  4688.                 uvc = s._sslobj.get_unverified_chain()
    4689. 

  4689.                 self.assertEqual(len(uvc), 1)
    4690. 

  4690. 

  4691.                 self.assertEqual(ee, uvc[0])
    4692. 

  4692.                 self.assertEqual(hash(ee), hash(uvc[0]))
    4693. 

  4693.                 self.assertEqual(repr(ee), repr(uvc[0]))
    4694. 

  4694. 

  4695.                 self.assertNotEqual(ee, ca)
    4696. 

  4696.                 self.assertNotEqual(hash(ee), hash(ca))
    4697. 

  4697.                 self.assertNotEqual(repr(ee), repr(ca))
    4698. 

  4698.                 self.assertNotEqual(ee.get_info(), ca.get_info())
    4699. 

  4699.                 self.assertIn("CN=localhost", repr(ee))
    4700. 

  4700.                 self.assertIn("CN=our-ca-server", repr(ca))
    4701. 

  4701. 

  4702.                 pem = ee.public_bytes(_ssl.ENCODING_PEM)
    4703. 

  4703.                 der = ee.public_bytes(_ssl.ENCODING_DER)
    4704. 

  4704.                 self.assertIsInstance(pem, str)
    4705. 

  4705.                 self.assertIn("-----BEGIN CERTIFICATE-----", pem)
    4706. 

  4706.                 self.assertIsInstance(der, bytes)
    4707. 

  4707.                 self.assertEqual(
    4708. 

  4708.                     ssl.PEM_cert_to_DER_cert(pem), der
    4709. 

  4709.                 )
    4710. 

  4710. 

  4711.     def test_internal_chain_server(self):
    4712. 

  4712.         client_context, server_context, hostname = testing_context()
    4713. 

  4713.         client_context.load_cert_chain(SIGNED_CERTFILE)
    4714. 

  4714.         server_context.verify_mode = ssl.CERT_REQUIRED
    4715. 

  4715.         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4716. 

  4716. 

  4717.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4718. 

  4718.         with server:
    4719. 

  4719.             with client_context.wrap_socket(
    4720. 

  4720.                 socket.socket(),
    4721. 

  4721.                 server_hostname=hostname
    4722. 

  4722.             ) as s:
    4723. 

  4723.                 s.connect((HOST, server.port))
    4724. 

  4724.                 s.write(b'VERIFIEDCHAIN\n')
    4725. 

  4725.                 res = s.recv(1024)
    4726. 

  4726.                 self.assertEqual(res, b'\x02\n')
    4727. 

  4727.                 s.write(b'UNVERIFIEDCHAIN\n')
    4728. 

  4728.                 res = s.recv(1024)
    4729. 

  4729.                 self.assertEqual(res, b'\x02\n')
    4730. 

  4730. 

  4731. 

  4732. HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
    4733. 

  4733. requires_keylog = unittest.skipUnless(
    4734. 

  4734.     HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
    4735. 

  4735. 

  4736. class TestSSLDebug(unittest.TestCase):
    4737. 

  4737. 

  4738.     def keylog_lines(self, fname=os_helper.TESTFN):
    4739. 

  4739.         with open(fname) as f:
    4740. 

  4740.             return len(list(f))
    4741. 

  4741. 

  4742.     @requires_keylog
    4743. 

  4743.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    4744. 

  4744.     def test_keylog_defaults(self):
    4745. 

  4745.         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
    4746. 

  4746.         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    4747. 

  4747.         self.assertEqual(ctx.keylog_filename, None)
    4748. 

  4748. 

  4749.         self.assertFalse(os.path.isfile(os_helper.TESTFN))
    4750. 

  4750.         ctx.keylog_filename = os_helper.TESTFN
    4751. 

  4751.         self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
    4752. 

  4752.         self.assertTrue(os.path.isfile(os_helper.TESTFN))
    4753. 

  4753.         self.assertEqual(self.keylog_lines(), 1)
    4754. 

  4754. 

  4755.         ctx.keylog_filename = None
    4756. 

  4756.         self.assertEqual(ctx.keylog_filename, None)
    4757. 

  4757. 

  4758.         with self.assertRaises((IsADirectoryError, PermissionError)):
    4759. 

  4759.             # Windows raises PermissionError
    4760. 

  4760.             ctx.keylog_filename = os.path.dirname(
    4761. 

  4761.                 os.path.abspath(os_helper.TESTFN))
    4762. 

  4762. 

  4763.         with self.assertRaises(TypeError):
    4764. 

  4764.             ctx.keylog_filename = 1
    4765. 

  4765. 

  4766.     @requires_keylog
    4767. 

  4767.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    4768. 

  4768.     def test_keylog_filename(self):
    4769. 

  4769.         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
    4770. 

  4770.         client_context, server_context, hostname = testing_context()
    4771. 

  4771. 

  4772.         client_context.keylog_filename = os_helper.TESTFN
    4773. 

  4773.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4774. 

  4774.         with server:
    4775. 

  4775.             with client_context.wrap_socket(socket.socket(),
    4776. 

  4776.                                             server_hostname=hostname) as s:
    4777. 

  4777.                 s.connect((HOST, server.port))
    4778. 

  4778.         # header, 5 lines for TLS 1.3
    4779. 

  4779.         self.assertEqual(self.keylog_lines(), 6)
    4780. 

  4780. 

  4781.         client_context.keylog_filename = None
    4782. 

  4782.         server_context.keylog_filename = os_helper.TESTFN
    4783. 

  4783.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4784. 

  4784.         with server:
    4785. 

  4785.             with client_context.wrap_socket(socket.socket(),
    4786. 

  4786.                                             server_hostname=hostname) as s:
    4787. 

  4787.                 s.connect((HOST, server.port))
    4788. 

  4788.         self.assertGreaterEqual(self.keylog_lines(), 11)
    4789. 

  4789. 

  4790.         client_context.keylog_filename = os_helper.TESTFN
    4791. 

  4791.         server_context.keylog_filename = os_helper.TESTFN
    4792. 

  4792.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4793. 

  4793.         with server:
    4794. 

  4794.             with client_context.wrap_socket(socket.socket(),
    4795. 

  4795.                                             server_hostname=hostname) as s:
    4796. 

  4796.                 s.connect((HOST, server.port))
    4797. 

  4797.         self.assertGreaterEqual(self.keylog_lines(), 21)
    4798. 

  4798. 

  4799.         client_context.keylog_filename = None
    4800. 

  4800.         server_context.keylog_filename = None
    4801. 

  4801. 

  4802.     @requires_keylog
    4803. 

  4803.     @unittest.skipIf(sys.flags.ignore_environment,
    4804. 

  4804.                      "test is not compatible with ignore_environment")
    4805. 

  4805.     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
    4806. 

  4806.     def test_keylog_env(self):
    4807. 

  4807.         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
    4808. 

  4808.         with unittest.mock.patch.dict(os.environ):
    4809. 

  4809.             os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
    4810. 

  4810.             self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
    4811. 

  4811. 

  4812.             ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    4813. 

  4813.             self.assertEqual(ctx.keylog_filename, None)
    4814. 

  4814. 

  4815.             ctx = ssl.create_default_context()
    4816. 

  4816.             self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
    4817. 

  4817. 

  4818.             ctx = ssl._create_stdlib_context()
    4819. 

  4819.             self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
    4820. 

  4820. 

  4821.     def test_msg_callback(self):
    4822. 

  4822.         client_context, server_context, hostname = testing_context()
    4823. 

  4823. 

  4824.         def msg_cb(conn, direction, version, content_type, msg_type, data):
    4825. 

  4825.             pass
    4826. 

  4826. 

  4827.         self.assertIs(client_context._msg_callback, None)
    4828. 

  4828.         client_context._msg_callback = msg_cb
    4829. 

  4829.         self.assertIs(client_context._msg_callback, msg_cb)
    4830. 

  4830.         with self.assertRaises(TypeError):
    4831. 

  4831.             client_context._msg_callback = object()
    4832. 

  4832. 

  4833.     def test_msg_callback_tls12(self):
    4834. 

  4834.         client_context, server_context, hostname = testing_context()
    4835. 

  4835.         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
    4836. 

  4836. 

  4837.         msg = []
    4838. 

  4838. 

  4839.         def msg_cb(conn, direction, version, content_type, msg_type, data):
    4840. 

  4840.             self.assertIsInstance(conn, ssl.SSLSocket)
    4841. 

  4841.             self.assertIsInstance(data, bytes)
    4842. 

  4842.             self.assertIn(direction, {'read', 'write'})
    4843. 

  4843.             msg.append((direction, version, content_type, msg_type))
    4844. 

  4844. 

  4845.         client_context._msg_callback = msg_cb
    4846. 

  4846. 

  4847.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4848. 

  4848.         with server:
    4849. 

  4849.             with client_context.wrap_socket(socket.socket(),
    4850. 

  4850.                                             server_hostname=hostname) as s:
    4851. 

  4851.                 s.connect((HOST, server.port))
    4852. 

  4852. 

  4853.         self.assertIn(
    4854. 

  4854.             ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
    4855. 

  4855.              _TLSMessageType.SERVER_KEY_EXCHANGE),
    4856. 

  4856.             msg
    4857. 

  4857.         )
    4858. 

  4858.         self.assertIn(
    4859. 

  4859.             ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
    4860. 

  4860.              _TLSMessageType.CHANGE_CIPHER_SPEC),
    4861. 

  4861.             msg
    4862. 

  4862.         )
    4863. 

  4863. 

  4864.     def test_msg_callback_deadlock_bpo43577(self):
    4865. 

  4865.         client_context, server_context, hostname = testing_context()
    4866. 

  4866.         server_context2 = testing_context()[1]
    4867. 

  4867. 

  4868.         def msg_cb(conn, direction, version, content_type, msg_type, data):
    4869. 

  4869.             pass
    4870. 

  4870. 

  4871.         def sni_cb(sock, servername, ctx):
    4872. 

  4872.             sock.context = server_context2
    4873. 

  4873. 

  4874.         server_context._msg_callback = msg_cb
    4875. 

  4875.         server_context.sni_callback = sni_cb
    4876. 

  4876. 

  4877.         server = ThreadedEchoServer(context=server_context, chatty=False)
    4878. 

  4878.         with server:
    4879. 

  4879.             with client_context.wrap_socket(socket.socket(),
    4880. 

  4880.                                             server_hostname=hostname) as s:
    4881. 

  4881.                 s.connect((HOST, server.port))
    4882. 

  4882.             with client_context.wrap_socket(socket.socket(),
    4883. 

  4883.                                             server_hostname=hostname) as s:
    4884. 

  4884.                 s.connect((HOST, server.port))
    4885. 

  4885. 

  4886. 

  4887. class TestEnumerations(unittest.TestCase):
    4888. 

  4888. 

  4889.     def test_tlsversion(self):
    4890. 

  4890.         class CheckedTLSVersion(enum.IntEnum):
    4891. 

  4891.             MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
    4892. 

  4892.             SSLv3 = _ssl.PROTO_SSLv3
    4893. 

  4893.             TLSv1 = _ssl.PROTO_TLSv1
    4894. 

  4894.             TLSv1_1 = _ssl.PROTO_TLSv1_1
    4895. 

  4895.             TLSv1_2 = _ssl.PROTO_TLSv1_2
    4896. 

  4896.             TLSv1_3 = _ssl.PROTO_TLSv1_3
    4897. 

  4897.             MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
    4898. 

  4898.         enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
    4899. 

  4899. 

  4900.     def test_tlscontenttype(self):
    4901. 

  4901.         class Checked_TLSContentType(enum.IntEnum):
    4902. 

  4902.             """Content types (record layer)
    4903. 

  4903. 

  4904.             See RFC 8446, section B.1
    4905. 

  4905.             """
    4906. 

  4906.             CHANGE_CIPHER_SPEC = 20
    4907. 

  4907.             ALERT = 21
    4908. 

  4908.             HANDSHAKE = 22
    4909. 

  4909.             APPLICATION_DATA = 23
    4910. 

  4910.             # pseudo content types
    4911. 

  4911.             HEADER = 0x100
    4912. 

  4912.             INNER_CONTENT_TYPE = 0x101
    4913. 

  4913.         enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
    4914. 

  4914. 

  4915.     def test_tlsalerttype(self):
    4916. 

  4916.         class Checked_TLSAlertType(enum.IntEnum):
    4917. 

  4917.             """Alert types for TLSContentType.ALERT messages
    4918. 

  4918. 

  4919.             See RFC 8466, section B.2
    4920. 

  4920.             """
    4921. 

  4921.             CLOSE_NOTIFY = 0
    4922. 

  4922.             UNEXPECTED_MESSAGE = 10
    4923. 

  4923.             BAD_RECORD_MAC = 20
    4924. 

  4924.             DECRYPTION_FAILED = 21
    4925. 

  4925.             RECORD_OVERFLOW = 22
    4926. 

  4926.             DECOMPRESSION_FAILURE = 30
    4927. 

  4927.             HANDSHAKE_FAILURE = 40
    4928. 

  4928.             NO_CERTIFICATE = 41
    4929. 

  4929.             BAD_CERTIFICATE = 42
    4930. 

  4930.             UNSUPPORTED_CERTIFICATE = 43
    4931. 

  4931.             CERTIFICATE_REVOKED = 44
    4932. 

  4932.             CERTIFICATE_EXPIRED = 45
    4933. 

  4933.             CERTIFICATE_UNKNOWN = 46
    4934. 

  4934.             ILLEGAL_PARAMETER = 47
    4935. 

  4935.             UNKNOWN_CA = 48
    4936. 

  4936.             ACCESS_DENIED = 49
    4937. 

  4937.             DECODE_ERROR = 50
    4938. 

  4938.             DECRYPT_ERROR = 51
    4939. 

  4939.             EXPORT_RESTRICTION = 60
    4940. 

  4940.             PROTOCOL_VERSION = 70
    4941. 

  4941.             INSUFFICIENT_SECURITY = 71
    4942. 

  4942.             INTERNAL_ERROR = 80
    4943. 

  4943.             INAPPROPRIATE_FALLBACK = 86
    4944. 

  4944.             USER_CANCELED = 90
    4945. 

  4945.             NO_RENEGOTIATION = 100
    4946. 

  4946.             MISSING_EXTENSION = 109
    4947. 

  4947.             UNSUPPORTED_EXTENSION = 110
    4948. 

  4948.             CERTIFICATE_UNOBTAINABLE = 111
    4949. 

  4949.             UNRECOGNIZED_NAME = 112
    4950. 

  4950.             BAD_CERTIFICATE_STATUS_RESPONSE = 113
    4951. 

  4951.             BAD_CERTIFICATE_HASH_VALUE = 114
    4952. 

  4952.             UNKNOWN_PSK_IDENTITY = 115
    4953. 

  4953.             CERTIFICATE_REQUIRED = 116
    4954. 

  4954.             NO_APPLICATION_PROTOCOL = 120
    4955. 

  4955.         enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
    4956. 

  4956. 

  4957.     def test_tlsmessagetype(self):
    4958. 

  4958.         class Checked_TLSMessageType(enum.IntEnum):
    4959. 

  4959.             """Message types (handshake protocol)
    4960. 

  4960. 

  4961.             See RFC 8446, section B.3
    4962. 

  4962.             """
    4963. 

  4963.             HELLO_REQUEST = 0
    4964. 

  4964.             CLIENT_HELLO = 1
    4965. 

  4965.             SERVER_HELLO = 2
    4966. 

  4966.             HELLO_VERIFY_REQUEST = 3
    4967. 

  4967.             NEWSESSION_TICKET = 4
    4968. 

  4968.             END_OF_EARLY_DATA = 5
    4969. 

  4969.             HELLO_RETRY_REQUEST = 6
    4970. 

  4970.             ENCRYPTED_EXTENSIONS = 8
    4971. 

  4971.             CERTIFICATE = 11
    4972. 

  4972.             SERVER_KEY_EXCHANGE = 12
    4973. 

  4973.             CERTIFICATE_REQUEST = 13
    4974. 

  4974.             SERVER_DONE = 14
    4975. 

  4975.             CERTIFICATE_VERIFY = 15
    4976. 

  4976.             CLIENT_KEY_EXCHANGE = 16
    4977. 

  4977.             FINISHED = 20
    4978. 

  4978.             CERTIFICATE_URL = 21
    4979. 

  4979.             CERTIFICATE_STATUS = 22
    4980. 

  4980.             SUPPLEMENTAL_DATA = 23
    4981. 

  4981.             KEY_UPDATE = 24
    4982. 

  4982.             NEXT_PROTO = 67
    4983. 

  4983.             MESSAGE_HASH = 254
    4984. 

  4984.             CHANGE_CIPHER_SPEC = 0x0101
    4985. 

  4985.         enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
    4986. 

  4986. 

  4987.     def test_sslmethod(self):
    4988. 

  4988.         Checked_SSLMethod = enum._old_convert_(
    4989. 

  4989.                 enum.IntEnum, '_SSLMethod', 'ssl',
    4990. 

  4990.                 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
    4991. 

  4991.                 source=ssl._ssl,
    4992. 

  4992.                 )
    4993. 

  4993.         # This member is assigned dynamically in `ssl.py`:
    4994. 

  4994.         Checked_SSLMethod.PROTOCOL_SSLv23 = Checked_SSLMethod.PROTOCOL_TLS
    4995. 

  4995.         enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
    4996. 

  4996. 

  4997.     def test_options(self):
    4998. 

  4998.         CheckedOptions = enum._old_convert_(
    4999. 

  4999.                 enum.IntFlag, 'Options', 'ssl',
    5000. 

  5000.                 lambda name: name.startswith('OP_'),
    5001. 

  5001.                 source=ssl._ssl,
    5002. 

  5002.                 )
    5003. 

  5003.         enum._test_simple_enum(CheckedOptions, ssl.Options)
    5004. 

  5004. 

  5005.     def test_alertdescription(self):
    5006. 

  5006.         CheckedAlertDescription = enum._old_convert_(
    5007. 

  5007.                 enum.IntEnum, 'AlertDescription', 'ssl',
    5008. 

  5008.                 lambda name: name.startswith('ALERT_DESCRIPTION_'),
    5009. 

  5009.                 source=ssl._ssl,
    5010. 

  5010.                 )
    5011. 

  5011.         enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
    5012. 

  5012. 

  5013.     def test_sslerrornumber(self):
    5014. 

  5014.         Checked_SSLErrorNumber = enum._old_convert_(
    5015. 

  5015.                 enum.IntEnum, 'SSLErrorNumber', 'ssl',
    5016. 

  5016.                 lambda name: name.startswith('SSL_ERROR_'),
    5017. 

  5017.                 source=ssl._ssl,
    5018. 

  5018.                 )
    5019. 

  5019.         enum._test_simple_enum(Checked_SSLErrorNumber, ssl.SSLErrorNumber)
    5020. 

  5020. 

  5021.     def test_verifyflags(self):
    5022. 

  5022.         CheckedVerifyFlags = enum._old_convert_(
    5023. 

  5023.                 enum.IntFlag, 'VerifyFlags', 'ssl',
    5024. 

  5024.                 lambda name: name.startswith('VERIFY_'),
    5025. 

  5025.                 source=ssl._ssl,
    5026. 

  5026.                 )
    5027. 

  5027.         enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
    5028. 

  5028. 

  5029.     def test_verifymode(self):
    5030. 

  5030.         CheckedVerifyMode = enum._old_convert_(
    5031. 

  5031.                 enum.IntEnum, 'VerifyMode', 'ssl',
    5032. 

  5032.                 lambda name: name.startswith('CERT_'),
    5033. 

  5033.                 source=ssl._ssl,
    5034. 

  5034.                 )
    5035. 

  5035.         enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
    5036. 

  5036. 

  5037. 

  5038. def setUpModule():
    5039. 

  5039.     if support.verbose:
    5040. 

  5040.         plats = {
    5041. 

  5041.             'Mac': platform.mac_ver,
    5042. 

  5042.             'Windows': platform.win32_ver,
    5043. 

  5043.         }
    5044. 

  5044.         for name, func in plats.items():
    5045. 

  5045.             plat = func()
    5046. 

  5046.             if plat and plat[0]:
    5047. 

  5047.                 plat = '%s %r' % (name, plat)
    5048. 

  5048.                 break
    5049. 

  5049.         else:
    5050. 

  5050.             plat = repr(platform.platform())
    5051. 

  5051.         print("test_ssl: testing with %r %r" %
    5052. 

  5052.             (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
    5053. 

  5053.         print("          under %s" % plat)
    5054. 

  5054.         print("          HAS_SNI = %r" % ssl.HAS_SNI)
    5055. 

  5055.         print("          OP_ALL = 0x%8x" % ssl.OP_ALL)
    5056. 

  5056.         try:
    5057. 

  5057.             print("          OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
    5058. 

  5058.         except AttributeError:
    5059. 

  5059.             pass
    5060. 

  5060. 

  5061.     for filename in [
    5062. 

  5062.         CERTFILE, BYTES_CERTFILE,
    5063. 

  5063.         ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
    5064. 

  5064.         SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
    5065. 

  5065.         BADCERT, BADKEY, EMPTYCERT]:
    5066. 

  5066.         if not os.path.exists(filename):
    5067. 

  5067.             raise support.TestFailed("Can't read certificate file %r" % filename)
    5068. 

  5068. 

  5069.     thread_info = threading_helper.threading_setup()
    5070. 

  5070.     unittest.addModuleCleanup(threading_helper.threading_cleanup, *thread_info)
    5071. 

  5071. 

  5072. 

  5073. if __name__ == "__main__":
    5074. 

  5074.     unittest.main()
    5075.