From d0aacfd183fbbfecabe6c4300564f3aec71235e7 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 19 Sep 2017 20:48:59 +0200 Subject: [PATCH] bpo-31518: Change TLS protocol for Debian Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make them pass on Debian. Signed-off-by: Christian Heimes --- Lib/test/test_ftplib.py | 6 +++--- Lib/test/test_httplib.py | 8 ++++---- Lib/test/test_poplib.py | 4 ++-- Lib/test/test_ssl.py | 4 ++-- Lib/test/test_urllib2_localnet.py | 2 +- .../next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst | 3 +++ 6 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index b593313db0950a..44dd73aecaca92 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -908,11 +908,11 @@ def test_auth_ssl(self): self.client.auth() self.assertRaises(ValueError, self.client.auth) finally: - self.client.ssl_version = ssl.PROTOCOL_TLSv1 + self.client.ssl_version = ssl.PROTOCOL_TLS def test_context(self): self.client.quit() - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) self.assertRaises(ValueError, ftplib.FTP_TLS, keyfile=CERTFILE, context=ctx) self.assertRaises(ValueError, ftplib.FTP_TLS, certfile=CERTFILE, @@ -941,7 +941,7 @@ def test_ccc(self): def test_check_hostname(self): self.client.quit() - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = True ctx.load_verify_locations(CAFILE) diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index 68f6946a3a12b6..64d6e43537b381 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -1583,7 +1583,7 @@ def test_networked_good_cert(self): import ssl support.requires('network') with support.transient_internet('self-signed.pythontest.net'): - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_selfsigned_pythontestdotnet) h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context) @@ -1599,7 +1599,7 @@ def test_networked_bad_cert(self): import ssl support.requires('network') with support.transient_internet('self-signed.pythontest.net'): - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_localhost) h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context) @@ -1620,7 +1620,7 @@ def test_local_good_hostname(self): # The (valid) cert validates the HTTP hostname import ssl server = self.make_server(CERT_localhost) - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.load_verify_locations(CERT_localhost) h = client.HTTPSConnection('localhost', server.port, context=context) @@ -1634,7 +1634,7 @@ def test_local_bad_hostname(self): # The (valid) cert doesn't validate the HTTP hostname import ssl server = self.make_server(CERT_fakehostname) - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = True context.load_verify_locations(CERT_fakehostname) diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py index 1269199423c0ce..608eac57f35c9e 100644 --- a/Lib/test/test_poplib.py +++ b/Lib/test/test_poplib.py @@ -352,7 +352,7 @@ def test_stls(self): @requires_ssl def test_stls_context(self): expected = b'+OK Begin TLS negotiation' - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) ctx.load_verify_locations(CAFILE) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = True @@ -392,7 +392,7 @@ def test__all__(self): self.assertIn('POP3_SSL', poplib.__all__) def test_context(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) self.assertRaises(ValueError, poplib.POP3_SSL, self.server.host, self.server.port, keyfile=CERTFILE, context=ctx) self.assertRaises(ValueError, poplib.POP3_SSL, self.server.host, diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index daffaf7af87956..8dd3b4145078a9 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1689,7 +1689,7 @@ def test_get_ca_certs_capath(self): @needs_sni def test_context_setget(self): # Check that the context of a connected socket can be replaced. - ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23) s = socket.socket(socket.AF_INET) with ctx1.wrap_socket(s) as ss: @@ -1986,7 +1986,7 @@ def __init__(self, certificate=None, ssl_version=None, else: self.context = ssl.SSLContext(ssl_version if ssl_version is not None - else ssl.PROTOCOL_TLSv1) + else ssl.PROTOCOL_TLS) self.context.verify_mode = (certreqs if certreqs is not None else ssl.CERT_NONE) if cacerts: diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py index f83f9ccb786727..9d9ec8726d8a6b 100644 --- a/Lib/test/test_urllib2_localnet.py +++ b/Lib/test/test_urllib2_localnet.py @@ -598,7 +598,7 @@ def test_https_sni(self): def cb_sni(ssl_sock, server_name, initial_context): nonlocal sni_name sni_name = server_name - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.set_servername_callback(cb_sni) handler = self.start_https_server(context=context, certfile=CERT_localhost) context = ssl.create_default_context(cafile=CERT_localhost) diff --git a/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst b/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst new file mode 100644 index 00000000000000..7378df0747333d --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2017-09-19-20-48-50.bpo-31518.KwTMMz.rst @@ -0,0 +1,3 @@ +Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change +TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make +them pass on Debian.