test_ssl.py 67.2 KB
Newer Older
1 2 3 4
# Test the support for SSL and sockets

import sys
import unittest
5
from test import support
6
import socket
Bill Janssen's avatar
Bill Janssen committed
7
import select
8
import time
9
import gc
10
import os
11
import errno
12
import pprint
13
import tempfile
Jeremy Hylton's avatar
Jeremy Hylton committed
14
import urllib.parse, urllib.request
15
import traceback
16
import asyncore
Antoine Pitrou's avatar
Antoine Pitrou committed
17
import weakref
18
import platform
19
import functools
20

Georg Brandl's avatar
Georg Brandl committed
21
from http.server import HTTPServer, SimpleHTTPRequestHandler
22

23 24 25 26 27 28
# Optionally test SSL support, if we have it in the tested platform
skip_expected = False
try:
    import ssl
except ImportError:
    skip_expected = True
29 30 31 32 33
else:
    PROTOCOLS = [
        ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3,
        ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1
    ]
34

35
HOST = support.HOST
36 37 38

data_file = lambda name: os.path.join(os.path.dirname(__file__), name)

39 40 41 42 43
# The custom key and certificate files used in test_ssl are generated
# using Lib/test/make_ssl_certs.py.
# Other certificates are simply fetched from the Internet servers they
# are meant to authenticate.

44
CERTFILE = data_file("keycert.pem")
45
BYTES_CERTFILE = os.fsencode(CERTFILE)
46 47
ONLYCERT = data_file("ssl_cert.pem")
ONLYKEY = data_file("ssl_key.pem")
48 49
BYTES_ONLYCERT = os.fsencode(ONLYCERT)
BYTES_ONLYKEY = os.fsencode(ONLYKEY)
50
CAPATH = data_file("capath")
51
BYTES_CAPATH = os.fsencode(CAPATH)
52 53 54 55 56 57 58 59

SVN_PYTHON_ORG_ROOT_CERT = data_file("https_svn_python_org_root.pem")

EMPTYCERT = data_file("nullcert.pem")
BADCERT = data_file("badcert.pem")
WRONGCERT = data_file("XXXnonexisting.pem")
BADKEY = data_file("badkey.pem")

60 61 62

def handle_error(prefix):
    exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
63
    if support.verbose:
64
        sys.stdout.write(prefix + exc_format)
65

66 67 68 69 70 71 72 73
def can_clear_options():
    # 0.9.8m or higher
    return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 13, 15)

def no_sslv2_implies_sslv3_hello():
    # 0.9.7h or higher
    return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)

74

75 76 77 78 79 80 81 82 83 84 85 86 87 88
# Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
def skip_if_broken_ubuntu_ssl(func):
    @functools.wraps(func)
    def f(*args, **kwargs):
        try:
            ssl.SSLContext(ssl.PROTOCOL_SSLv2)
        except ssl.SSLError:
            if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
                platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
                raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
        return func(*args, **kwargs)
    return f


89
class BasicSocketTests(unittest.TestCase):
90

91
    def test_constants(self):
92 93 94 95 96 97 98
        ssl.PROTOCOL_SSLv2
        ssl.PROTOCOL_SSLv23
        ssl.PROTOCOL_SSLv3
        ssl.PROTOCOL_TLSv1
        ssl.CERT_NONE
        ssl.CERT_OPTIONAL
        ssl.CERT_REQUIRED
99

100
    def test_random(self):
101
        v = ssl.RAND_status()
102
        if support.verbose:
103 104 105
            sys.stdout.write("\n RAND_status is %d (%s)\n"
                             % (v, (v and "sufficient randomness") or
                                "insufficient randomness"))
106
        try:
107 108 109
            ssl.RAND_egd(1)
        except TypeError:
            pass
110
        else:
111 112 113
            print("didn't raise TypeError")
        ssl.RAND_add("this is a random string", 75.0)

114
    def test_parse_cert(self):
115 116 117 118
        # note that this uses an 'unofficial' function in _ssl.c,
        # provided solely for this test, to exercise the certificate
        # parsing code
        p = ssl._ssl._test_decode_cert(CERTFILE, False)
119
        if support.verbose:
120 121
            sys.stdout.write("\n" + pprint.pformat(p) + "\n")

122 123 124
    def test_DER_to_PEM(self):
        with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
            pem = f.read()
125 126 127
        d1 = ssl.PEM_cert_to_DER_cert(pem)
        p2 = ssl.DER_cert_to_PEM_cert(d1)
        d2 = ssl.PEM_cert_to_DER_cert(p2)
128
        self.assertEqual(d1, d2)
129 130 131 132
        if not p2.startswith(ssl.PEM_HEADER + '\n'):
            self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
        if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
            self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
133

134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
    def test_openssl_version(self):
        n = ssl.OPENSSL_VERSION_NUMBER
        t = ssl.OPENSSL_VERSION_INFO
        s = ssl.OPENSSL_VERSION
        self.assertIsInstance(n, int)
        self.assertIsInstance(t, tuple)
        self.assertIsInstance(s, str)
        # Some sanity checks follow
        # >= 0.9
        self.assertGreaterEqual(n, 0x900000)
        # < 2.0
        self.assertLess(n, 0x20000000)
        major, minor, fix, patch, status = t
        self.assertGreaterEqual(major, 0)
        self.assertLess(major, 2)
        self.assertGreaterEqual(minor, 0)
        self.assertLess(minor, 256)
        self.assertGreaterEqual(fix, 0)
        self.assertLess(fix, 256)
        self.assertGreaterEqual(patch, 0)
        self.assertLessEqual(patch, 26)
        self.assertGreaterEqual(status, 0)
        self.assertLessEqual(status, 15)
        # Version string as returned by OpenSSL, the format might change
        self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),
                        (s, t))

Antoine Pitrou's avatar
Antoine Pitrou committed
161 162 163 164 165 166 167 168 169 170
    @support.cpython_only
    def test_refcycle(self):
        # Issue #7943: an SSL object doesn't create reference cycles with
        # itself.
        s = socket.socket(socket.AF_INET)
        ss = ssl.wrap_socket(s)
        wr = weakref.ref(ss)
        del ss
        self.assertEqual(wr(), None)

171 172 173 174 175 176 177 178 179 180 181 182
    def test_wrapped_unconnected(self):
        # Methods on an unconnected SSLSocket propagate the original
        # socket.error raise by the underlying socket object.
        s = socket.socket(socket.AF_INET)
        ss = ssl.wrap_socket(s)
        self.assertRaises(socket.error, ss.recv, 1)
        self.assertRaises(socket.error, ss.recv_into, bytearray(b'x'))
        self.assertRaises(socket.error, ss.recvfrom, 1)
        self.assertRaises(socket.error, ss.recvfrom_into, bytearray(b'x'), 1)
        self.assertRaises(socket.error, ss.send, b'x')
        self.assertRaises(socket.error, ss.sendto, b'x', ('0.0.0.0', 0))

183 184 185 186 187 188 189 190 191
    def test_timeout(self):
        # Issue #8524: when creating an SSL socket, the timeout of the
        # original socket should be retained.
        for timeout in (None, 0.0, 5.0):
            s = socket.socket(socket.AF_INET)
            s.settimeout(timeout)
            ss = ssl.wrap_socket(s)
            self.assertEqual(timeout, ss.gettimeout())

192 193
    def test_errors(self):
        sock = socket.socket()
194 195 196 197 198 199 200 201 202
        self.assertRaisesRegexp(ValueError,
                        "certfile must be specified",
                        ssl.wrap_socket, sock, keyfile=CERTFILE)
        self.assertRaisesRegexp(ValueError,
                        "certfile must be specified for server-side operations",
                        ssl.wrap_socket, sock, server_side=True)
        self.assertRaisesRegexp(ValueError,
                        "certfile must be specified for server-side operations",
                        ssl.wrap_socket, sock, server_side=True, certfile="")
203 204 205
        s = ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE)
        self.assertRaisesRegexp(ValueError, "can't connect in server-side mode",
                                s.connect, (HOST, 8080))
206
        with self.assertRaises(IOError) as cm:
207
            ssl.wrap_socket(socket.socket(), certfile=WRONGCERT)
208
        self.assertEqual(cm.exception.errno, errno.ENOENT)
209 210 211
        with self.assertRaises(IOError) as cm:
            ssl.wrap_socket(socket.socket(), certfile=CERTFILE, keyfile=WRONGCERT)
        self.assertEqual(cm.exception.errno, errno.ENOENT)
212
        with self.assertRaises(IOError) as cm:
213
            ssl.wrap_socket(socket.socket(), certfile=WRONGCERT, keyfile=WRONGCERT)
214
        self.assertEqual(cm.exception.errno, errno.ENOENT)
215

216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286
    def test_match_hostname(self):
        def ok(cert, hostname):
            ssl.match_hostname(cert, hostname)
        def fail(cert, hostname):
            self.assertRaises(ssl.CertificateError,
                              ssl.match_hostname, cert, hostname)

        cert = {'subject': ((('commonName', 'example.com'),),)}
        ok(cert, 'example.com')
        ok(cert, 'ExAmple.cOm')
        fail(cert, 'www.example.com')
        fail(cert, '.example.com')
        fail(cert, 'example.org')
        fail(cert, 'exampleXcom')

        cert = {'subject': ((('commonName', '*.a.com'),),)}
        ok(cert, 'foo.a.com')
        fail(cert, 'bar.foo.a.com')
        fail(cert, 'a.com')
        fail(cert, 'Xa.com')
        fail(cert, '.a.com')

        cert = {'subject': ((('commonName', 'a.*.com'),),)}
        ok(cert, 'a.foo.com')
        fail(cert, 'a..com')
        fail(cert, 'a.com')

        cert = {'subject': ((('commonName', 'f*.com'),),)}
        ok(cert, 'foo.com')
        ok(cert, 'f.com')
        fail(cert, 'bar.com')
        fail(cert, 'foo.a.com')
        fail(cert, 'bar.foo.com')

        # Slightly fake real-world example
        cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
                'subject': ((('commonName', 'linuxfrz.org'),),),
                'subjectAltName': (('DNS', 'linuxfr.org'),
                                   ('DNS', 'linuxfr.com'),
                                   ('othername', '<unsupported>'))}
        ok(cert, 'linuxfr.org')
        ok(cert, 'linuxfr.com')
        # Not a "DNS" entry
        fail(cert, '<unsupported>')
        # When there is a subjectAltName, commonName isn't used
        fail(cert, 'linuxfrz.org')

        # A pristine real-world example
        cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
                'subject': ((('countryName', 'US'),),
                            (('stateOrProvinceName', 'California'),),
                            (('localityName', 'Mountain View'),),
                            (('organizationName', 'Google Inc'),),
                            (('commonName', 'mail.google.com'),))}
        ok(cert, 'mail.google.com')
        fail(cert, 'gmail.com')
        # Only commonName is considered
        fail(cert, 'California')

        # Neither commonName nor subjectAltName
        cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
                'subject': ((('countryName', 'US'),),
                            (('stateOrProvinceName', 'California'),),
                            (('localityName', 'Mountain View'),),
                            (('organizationName', 'Google Inc'),))}
        fail(cert, 'mail.google.com')

        # Empty cert / no cert
        self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
        self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')

287

288 289
class ContextTests(unittest.TestCase):

290
    @skip_if_broken_ubuntu_ssl
291 292 293 294 295 296 297 298 299
    def test_constructor(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        self.assertRaises(TypeError, ssl.SSLContext)
        self.assertRaises(ValueError, ssl.SSLContext, -1)
        self.assertRaises(ValueError, ssl.SSLContext, 42)

300
    @skip_if_broken_ubuntu_ssl
301 302 303 304 305 306 307 308 309 310
    def test_protocol(self):
        for proto in PROTOCOLS:
            ctx = ssl.SSLContext(proto)
            self.assertEqual(ctx.protocol, proto)

    def test_ciphers(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        ctx.set_ciphers("ALL")
        ctx.set_ciphers("DEFAULT")
        with self.assertRaisesRegexp(ssl.SSLError, "No cipher can be selected"):
311
            ctx.set_ciphers("^$:,;?*'dorothyx")
312

313
    @skip_if_broken_ubuntu_ssl
314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333
    def test_options(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        # OP_ALL is the default value
        self.assertEqual(ssl.OP_ALL, ctx.options)
        ctx.options |= ssl.OP_NO_SSLv2
        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
                         ctx.options)
        ctx.options |= ssl.OP_NO_SSLv3
        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
                         ctx.options)
        if can_clear_options():
            ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
            self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
                             ctx.options)
            ctx.options = 0
            self.assertEqual(0, ctx.options)
        else:
            with self.assertRaises(ValueError):
                ctx.options = 0

334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
    def test_verify(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        # Default value
        self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
        ctx.verify_mode = ssl.CERT_OPTIONAL
        self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
        ctx.verify_mode = ssl.CERT_REQUIRED
        self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
        ctx.verify_mode = ssl.CERT_NONE
        self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
        with self.assertRaises(TypeError):
            ctx.verify_mode = None
        with self.assertRaises(ValueError):
            ctx.verify_mode = 42

    def test_load_cert_chain(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        # Combined key and cert in a single file
        ctx.load_cert_chain(CERTFILE)
        ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
        self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
355
        with self.assertRaises(IOError) as cm:
356
            ctx.load_cert_chain(WRONGCERT)
357
        self.assertEqual(cm.exception.errno, errno.ENOENT)
358 359 360 361 362
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_cert_chain(BADCERT)
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_cert_chain(EMPTYCERT)
        # Separate key and cert
363
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
364 365 366 367 368 369 370 371 372 373
        ctx.load_cert_chain(ONLYCERT, ONLYKEY)
        ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
        ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_cert_chain(ONLYCERT)
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_cert_chain(ONLYKEY)
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
        # Mismatching key and cert
374
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
375
        with self.assertRaisesRegexp(ssl.SSLError, "key values mismatch"):
376
            ctx.load_cert_chain(SVN_PYTHON_ORG_ROOT_CERT, ONLYKEY)
377 378 379 380 381 382 383 384 385

    def test_load_verify_locations(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        ctx.load_verify_locations(CERTFILE)
        ctx.load_verify_locations(cafile=CERTFILE, capath=None)
        ctx.load_verify_locations(BYTES_CERTFILE)
        ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
        self.assertRaises(TypeError, ctx.load_verify_locations)
        self.assertRaises(TypeError, ctx.load_verify_locations, None, None)
386
        with self.assertRaises(IOError) as cm:
387
            ctx.load_verify_locations(WRONGCERT)
388
        self.assertEqual(cm.exception.errno, errno.ENOENT)
389 390 391 392 393 394
        with self.assertRaisesRegexp(ssl.SSLError, "PEM lib"):
            ctx.load_verify_locations(BADCERT)
        ctx.load_verify_locations(CERTFILE, CAPATH)
        ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)


Bill Janssen's avatar
Bill Janssen committed
395 396
class NetworkedTests(unittest.TestCase):

397
    def test_connect(self):
398 399 400 401 402 403 404 405
        with support.transient_internet("svn.python.org"):
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                cert_reqs=ssl.CERT_NONE)
            try:
                s.connect(("svn.python.org", 443))
                self.assertEqual({}, s.getpeercert())
            finally:
                s.close()
406

407 408 409 410 411
            # this should fail because we have no verification certs
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                cert_reqs=ssl.CERT_REQUIRED)
            self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
                                    s.connect, ("svn.python.org", 443))
412 413
            s.close()

414 415 416 417 418 419 420 421 422 423
            # this should succeed because we specify the root cert
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                cert_reqs=ssl.CERT_REQUIRED,
                                ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
            try:
                s.connect(("svn.python.org", 443))
                self.assertTrue(s.getpeercert())
            finally:
                s.close()

424
    def test_connect_with_context(self):
425 426 427 428 429 430 431 432 433 434 435 436 437 438
        with support.transient_internet("svn.python.org"):
            # Same as test_connect, but with a separately created context
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            s = ctx.wrap_socket(socket.socket(socket.AF_INET))
            s.connect(("svn.python.org", 443))
            try:
                self.assertEqual({}, s.getpeercert())
            finally:
                s.close()
            # This should fail because we have no verification certs
            ctx.verify_mode = ssl.CERT_REQUIRED
            s = ctx.wrap_socket(socket.socket(socket.AF_INET))
            self.assertRaisesRegexp(ssl.SSLError, "certificate verify failed",
                                    s.connect, ("svn.python.org", 443))
439
            s.close()
440 441 442 443 444 445 446 447 448
            # This should succeed because we specify the root cert
            ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
            s = ctx.wrap_socket(socket.socket(socket.AF_INET))
            s.connect(("svn.python.org", 443))
            try:
                cert = s.getpeercert()
                self.assertTrue(cert)
            finally:
                s.close()
449 450 451

    def test_connect_capath(self):
        # Verify server certificates using the `capath` argument
452 453 454
        # NOTE: the subject hashing algorithm has been changed between
        # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
        # contain both versions of each certificate (same content, different
Antoine Pitrou's avatar
Antoine Pitrou committed
455
        # filename) for this test to be portable across OpenSSL releases.
456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477
        with support.transient_internet("svn.python.org"):
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            ctx.verify_mode = ssl.CERT_REQUIRED
            ctx.load_verify_locations(capath=CAPATH)
            s = ctx.wrap_socket(socket.socket(socket.AF_INET))
            s.connect(("svn.python.org", 443))
            try:
                cert = s.getpeercert()
                self.assertTrue(cert)
            finally:
                s.close()
            # Same with a bytes `capath` argument
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            ctx.verify_mode = ssl.CERT_REQUIRED
            ctx.load_verify_locations(capath=BYTES_CAPATH)
            s = ctx.wrap_socket(socket.socket(socket.AF_INET))
            s.connect(("svn.python.org", 443))
            try:
                cert = s.getpeercert()
                self.assertTrue(cert)
            finally:
                s.close()
478

479 480 481 482 483
    @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
    def test_makefile_close(self):
        # Issue #5238: creating a file-like object with makefile() shouldn't
        # delay closing the underlying "real socket" (here tested with its
        # file descriptor, hence skipping the test under Windows).
484 485 486 487 488 489 490
        with support.transient_internet("svn.python.org"):
            ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
            ss.connect(("svn.python.org", 443))
            fd = ss.fileno()
            f = ss.makefile()
            f.close()
            # The fd is still open
491
            os.read(fd, 0)
492 493 494 495 496 497
            # Closing the SSL socket should close the fd too
            ss.close()
            gc.collect()
            with self.assertRaises(OSError) as e:
                os.read(fd, 0)
            self.assertEqual(e.exception.errno, errno.EBADF)
498

499
    def test_non_blocking_handshake(self):
500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522
        with support.transient_internet("svn.python.org"):
            s = socket.socket(socket.AF_INET)
            s.connect(("svn.python.org", 443))
            s.setblocking(False)
            s = ssl.wrap_socket(s,
                                cert_reqs=ssl.CERT_NONE,
                                do_handshake_on_connect=False)
            count = 0
            while True:
                try:
                    count += 1
                    s.do_handshake()
                    break
                except ssl.SSLError as err:
                    if err.args[0] == ssl.SSL_ERROR_WANT_READ:
                        select.select([s], [], [])
                    elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
                        select.select([], [s], [])
                    else:
                        raise
            s.close()
            if support.verbose:
                sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
523

524
    def test_get_server_certificate(self):
525 526 527 528
        with support.transient_internet("svn.python.org"):
            pem = ssl.get_server_certificate(("svn.python.org", 443))
            if not pem:
                self.fail("No server certificate on svn.python.org:443!")
529

530 531 532 533 534 535 536 537 538 539 540 541
            try:
                pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE)
            except ssl.SSLError as x:
                #should fail
                if support.verbose:
                    sys.stdout.write("%s\n" % x)
            else:
                self.fail("Got server certificate %s for svn.python.org!" % pem)

            pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
            if not pem:
                self.fail("No server certificate on svn.python.org:443!")
542
            if support.verbose:
543
                sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)
544

545 546
    def test_ciphers(self):
        remote = ("svn.python.org", 443)
547 548 549 550
        with support.transient_internet(remote[0]):
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                cert_reqs=ssl.CERT_NONE, ciphers="ALL")
            s.connect(remote)
551
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
552
                                cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT")
553
            s.connect(remote)
554 555 556 557 558
            # Error checking can happen at instantiation or when connecting
            with self.assertRaisesRegexp(ssl.SSLError, "No cipher can be selected"):
                s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                    cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
                s.connect(remote)
559

560 561 562
    def test_algorithms(self):
        # Issue #8484: all algorithms should be available when verifying a
        # certificate.
563 564 565
        # SHA256 was added in OpenSSL 0.9.8
        if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):
            self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)
566 567 568
        # NOTE: https://sha256.tbs-internet.com is another possible test host
        remote = ("sha2.hboeck.de", 443)
        sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")
569 570 571 572
        with support.transient_internet("sha2.hboeck.de"):
            s = ssl.wrap_socket(socket.socket(socket.AF_INET),
                                cert_reqs=ssl.CERT_REQUIRED,
                                ca_certs=sha256_cert,)
573 574 575 576 577 578 579 580 581 582
            try:
                s.connect(remote)
                if support.verbose:
                    sys.stdout.write("\nCipher with %r is %r\n" %
                                     (remote, s.cipher()))
                    sys.stdout.write("Certificate is:\n%s\n" %
                                     pprint.pformat(s.getpeercert()))
            finally:
                s.close()

583

584 585 586 587 588 589
try:
    import threading
except ImportError:
    _have_threads = False
else:
    _have_threads = True
590

591 592 593 594 595 596 597 598
    class ThreadedEchoServer(threading.Thread):

        class ConnectionHandler(threading.Thread):

            """A mildly complicated class, because we want it to work both
            with and without the SSL wrapper around the socket connection, so
            that we can test the STARTTLS functionality."""

Bill Janssen's avatar
Bill Janssen committed
599
            def __init__(self, server, connsock, addr):
600
                self.server = server
601
                self.running = False
602
                self.sock = connsock
Bill Janssen's avatar
Bill Janssen committed
603
                self.addr = addr
604 605 606
                self.sock.setblocking(1)
                self.sslconn = None
                threading.Thread.__init__(self)
607
                self.daemon = True
608

609
            def wrap_conn(self):
610
                try:
611 612
                    self.sslconn = self.server.context.wrap_socket(
                        self.sock, server_side=True)
613 614 615 616
                except ssl.SSLError:
                    # XXX Various errors can have happened here, for example
                    # a mismatching protocol version, an invalid certificate,
                    # or a low-level bug. This should be made more discriminating.
617
                    if self.server.chatty:
Bill Janssen's avatar
Bill Janssen committed
618
                        handle_error("\n server:  bad connection attempt from " + repr(self.addr) + ":\n")
619 620
                    self.running = False
                    self.server.stop()
Bill Janssen's avatar
Bill Janssen committed
621
                    self.close()
622 623
                    return False
                else:
624
                    if self.server.context.verify_mode == ssl.CERT_REQUIRED:
625
                        cert = self.sslconn.getpeercert()
626
                        if support.verbose and self.server.chatty:
627 628
                            sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
                        cert_binary = self.sslconn.getpeercert(True)
629
                        if support.verbose and self.server.chatty:
630 631
                            sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n")
                    cipher = self.sslconn.cipher()
632
                    if support.verbose and self.server.chatty:
633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653
                        sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
                    return True

            def read(self):
                if self.sslconn:
                    return self.sslconn.read()
                else:
                    return self.sock.recv(1024)

            def write(self, bytes):
                if self.sslconn:
                    return self.sslconn.write(bytes)
                else:
                    return self.sock.send(bytes)

            def close(self):
                if self.sslconn:
                    self.sslconn.close()
                else:
                    self.sock.close()

654
            def run(self):
655 656 657 658 659 660 661
                self.running = True
                if not self.server.starttls_server:
                    if not self.wrap_conn():
                        return
                while self.running:
                    try:
                        msg = self.read()
662 663
                        stripped = msg.strip()
                        if not stripped:
664 665 666
                            # eof, so quit this handler
                            self.running = False
                            self.close()
667
                        elif stripped == b'over':
668
                            if support.verbose and self.server.connectionchatty:
669 670 671
                                sys.stdout.write(" server: client closed connection\n")
                            self.close()
                            return
Bill Janssen's avatar
Bill Janssen committed
672
                        elif (self.server.starttls_server and
Antoine Pitrou's avatar
Antoine Pitrou committed
673
                              stripped == b'STARTTLS'):
674
                            if support.verbose and self.server.connectionchatty:
675
                                sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
676
                            self.write(b"OK\n")
677 678
                            if not self.wrap_conn():
                                return
679
                        elif (self.server.starttls_server and self.sslconn
Antoine Pitrou's avatar
Antoine Pitrou committed
680
                              and stripped == b'ENDTLS'):
681 682
                            if support.verbose and self.server.connectionchatty:
                                sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
683
                            self.write(b"OK\n")
684 685 686 687
                            self.sock = self.sslconn.unwrap()
                            self.sslconn = None
                            if support.verbose and self.server.connectionchatty:
                                sys.stdout.write(" server: connection is now unencrypted...\n")
688
                        else:
689
                            if (support.verbose and
690 691
                                self.server.connectionchatty):
                                ctype = (self.sslconn and "encrypted") or "unencrypted"
692 693 694
                                sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
                                                 % (msg, ctype, msg.lower(), ctype))
                            self.write(msg.lower())
Bill Janssen's avatar
Bill Janssen committed
695
                    except socket.error:
696 697 698
                        if self.server.chatty:
                            handle_error("Test server failure:\n")
                        self.close()
699
                        self.running = False
700 701 702 703
                        # normally, we'd just stop here, but for the test
                        # harness, we want to stop the server
                        self.server.stop()

704
        def __init__(self, certificate=None, ssl_version=None,
705
                     certreqs=None, cacerts=None,
706
                     chatty=True, connectionchatty=False, starttls_server=False,
707 708 709 710 711 712 713 714 715 716 717 718 719 720 721
                     ciphers=None, context=None):
            if context:
                self.context = context
            else:
                self.context = ssl.SSLContext(ssl_version
                                              if ssl_version is not None
                                              else ssl.PROTOCOL_TLSv1)
                self.context.verify_mode = (certreqs if certreqs is not None
                                            else ssl.CERT_NONE)
                if cacerts:
                    self.context.load_verify_locations(cacerts)
                if certificate:
                    self.context.load_cert_chain(certificate)
                if ciphers:
                    self.context.set_ciphers(ciphers)
722 723 724 725
            self.chatty = chatty
            self.connectionchatty = connectionchatty
            self.starttls_server = starttls_server
            self.sock = socket.socket()
726
            self.port = support.bind_port(self.sock)
727 728 729
            self.flag = None
            self.active = False
            threading.Thread.__init__(self)
730
            self.daemon = True
731

732
        def start(self, flag=None):
733 734 735
            self.flag = flag
            threading.Thread.start(self)

736
        def run(self):
737
            self.sock.settimeout(0.05)
738 739 740 741 742 743 744 745
            self.sock.listen(5)
            self.active = True
            if self.flag:
                # signal an event
                self.flag.set()
            while self.active:
                try:
                    newconn, connaddr = self.sock.accept()
746
                    if support.verbose and self.chatty:
747
                        sys.stdout.write(' server:  new connection from '
Bill Janssen's avatar
Bill Janssen committed
748 749
                                         + repr(connaddr) + '\n')
                    handler = self.ConnectionHandler(self, newconn, connaddr)
750 751 752 753 754
                    handler.start()
                except socket.timeout:
                    pass
                except KeyboardInterrupt:
                    self.stop()
Bill Janssen's avatar
Bill Janssen committed
755
            self.sock.close()
756

757
        def stop(self):
758 759
            self.active = False

760 761 762
    class OurHTTPSServer(threading.Thread):

        # This one's based on HTTPServer, which is based on SocketServer
763 764 765 766 767 768 769 770 771

        class HTTPSServer(HTTPServer):

            def __init__(self, server_address, RequestHandlerClass, certfile):
                HTTPServer.__init__(self, server_address, RequestHandlerClass)
                # we assume the certfile contains both private key and certificate
                self.certfile = certfile
                self.allow_reuse_address = True

Bill Janssen's avatar
Bill Janssen committed
772 773 774 775 776 777
            def __str__(self):
                return ('<%s %s:%s>' %
                        (self.__class__.__name__,
                         self.server_name,
                         self.server_port))

778
            def get_request(self):
779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802
                # override this to wrap socket with SSL
                sock, addr = self.socket.accept()
                sslconn = ssl.wrap_socket(sock, server_side=True,
                                          certfile=self.certfile)
                return sslconn, addr

        class RootedHTTPRequestHandler(SimpleHTTPRequestHandler):
            # need to override translate_path to get a known root,
            # instead of using os.curdir, since the test could be
            # run from anywhere

            server_version = "TestHTTPS/1.0"

            root = None

            def translate_path(self, path):
                """Translate a /-separated PATH to the local filename syntax.

                Components that mean special things to the local file system
                (e.g. drive or directory names) are ignored.  (XXX They should
                probably be diagnosed.)

                """
                # abandon query parameters
Jeremy Hylton's avatar
Jeremy Hylton committed
803 804
                path = urllib.parse.urlparse(path)[2]
                path = os.path.normpath(urllib.parse.unquote(path))
805 806 807 808 809 810 811 812 813 814 815 816 817
                words = path.split('/')
                words = filter(None, words)
                path = self.root
                for word in words:
                    drive, word = os.path.splitdrive(word)
                    head, word = os.path.split(word)
                    if word in self.root: continue
                    path = os.path.join(path, word)
                return path

            def log_message(self, format, *args):
                # we override this to suppress logging unless "verbose"

818
                if support.verbose:
Bill Janssen's avatar
Bill Janssen committed
819 820
                    sys.stdout.write(" server (%s:%d %s):\n   [%s] %s\n" %
                                     (self.server.server_address,
821 822 823 824 825 826
                                      self.server.server_port,
                                      self.request.cipher(),
                                      self.log_date_time_string(),
                                      format%args))


827
        def __init__(self, certfile):
828 829 830
            self.flag = None
            self.RootedHTTPRequestHandler.root = os.path.split(CERTFILE)[0]
            self.server = self.HTTPSServer(
831 832
                (HOST, 0), self.RootedHTTPRequestHandler, certfile)
            self.port = self.server.server_port
833
            threading.Thread.__init__(self)
834
            self.daemon = True
835 836

        def __str__(self):
Bill Janssen's avatar
Bill Janssen committed
837
            return "<%s %s>" % (self.__class__.__name__, self.server)
838

839
        def start(self, flag=None):
840 841 842
            self.flag = flag
            threading.Thread.start(self)

843
        def run(self):
844 845
            if self.flag:
                self.flag.set()
846
            self.server.serve_forever(0.05)
847

848
        def stop(self):
849
            self.server.shutdown()
850 851


852 853 854 855 856 857 858 859 860 861 862 863 864
    class AsyncoreEchoServer(threading.Thread):

        # this one's based on asyncore.dispatcher

        class EchoServer (asyncore.dispatcher):

            class ConnectionHandler (asyncore.dispatcher_with_send):

                def __init__(self, conn, certfile):
                    self.socket = ssl.wrap_socket(conn, server_side=True,
                                                  certfile=certfile,
                                                  do_handshake_on_connect=False)
                    asyncore.dispatcher_with_send.__init__(self, self.socket)
865 866
                    self._ssl_accepting = True
                    self._do_ssl_handshake()
867 868 869 870 871 872 873

                def readable(self):
                    if isinstance(self.socket, ssl.SSLSocket):
                        while self.socket.pending() > 0:
                            self.handle_read_event()
                    return True

874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889
                def _do_ssl_handshake(self):
                    try:
                        self.socket.do_handshake()
                    except ssl.SSLError as err:
                        if err.args[0] in (ssl.SSL_ERROR_WANT_READ,
                                           ssl.SSL_ERROR_WANT_WRITE):
                            return
                        elif err.args[0] == ssl.SSL_ERROR_EOF:
                            return self.handle_close()
                        raise
                    except socket.error as err:
                        if err.args[0] == errno.ECONNABORTED:
                            return self.handle_close()
                    else:
                        self._ssl_accepting = False

890
                def handle_read(self):
891 892
                    if self._ssl_accepting:
                        self._do_ssl_handshake()
893
                    else:
894 895 896 897 898 899
                        data = self.recv(1024)
                        if support.verbose:
                            sys.stdout.write(" server:  read %s from client\n" % repr(data))
                        if not data:
                            self.close()
                        else:
900
                            self.send(data.lower())
901 902

                def handle_close(self):
903
                    self.close()
904
                    if support.verbose:
905 906 907 908 909
                        sys.stdout.write(" server:  closed connection %s\n" % self.socket)

                def handle_error(self):
                    raise

910
            def __init__(self, certfile):
911
                self.certfile = certfile
912 913 914
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self.port = support.bind_port(sock, '')
                asyncore.dispatcher.__init__(self, sock)
915 916
                self.listen(5)

917
            def handle_accepted(self, sock_obj, addr):
918
                if support.verbose:
919 920 921 922 923 924
                    sys.stdout.write(" server:  new connection from %s:%s\n" %addr)
                self.ConnectionHandler(sock_obj, self.certfile)

            def handle_error(self):
                raise

925
        def __init__(self, certfile):
926 927
            self.flag = None
            self.active = False
928 929
            self.server = self.EchoServer(certfile)
            self.port = self.server.port
930
            threading.Thread.__init__(self)
931
            self.daemon = True
932 933 934 935 936 937 938 939

        def __str__(self):
            return "<%s %s>" % (self.__class__.__name__, self.server)

        def start (self, flag=None):
            self.flag = flag
            threading.Thread.start(self)

940
        def run(self):
941 942 943 944 945 946 947 948 949
            self.active = True
            if self.flag:
                self.flag.set()
            while self.active:
                try:
                    asyncore.loop(1)
                except:
                    pass

950
        def stop(self):
951 952 953
            self.active = False
            self.server.close()

954 955 956 957 958
    def bad_cert_test(certfile):
        """
        Launch a server with CERT_REQUIRED, and check that trying to
        connect to it with the given client certificate fails.
        """
959
        server = ThreadedEchoServer(CERTFILE,
960
                                    certreqs=ssl.CERT_REQUIRED,
Bill Janssen's avatar
Bill Janssen committed
961 962
                                    cacerts=CERTFILE, chatty=False,
                                    connectionchatty=False)
963 964 965 966 967 968
        flag = threading.Event()
        server.start(flag)
        # wait for it to start
        flag.wait()
        # try to connect
        try:
969
            try:
970 971 972
                s = ssl.wrap_socket(socket.socket(),
                                    certfile=certfile,
                                    ssl_version=ssl.PROTOCOL_TLSv1)
973
                s.connect((HOST, server.port))
974
            except ssl.SSLError as x:
975
                if support.verbose:
976
                    sys.stdout.write("\nSSLError is %s\n" % x.args[1])
977
            except socket.error as x:
978
                if support.verbose:
979
                    sys.stdout.write("\nsocket.error is %s\n" % x[1])
980
            except IOError as x:
981 982
                if x.errno != errno.ENOENT:
                    raise
983
                if support.verbose:
984
                    sys.stdout.write("\IOError is %s\n" % str(x))
985
            else:
986
                raise AssertionError("Use of invalid cert should have failed!")
987 988 989 990
        finally:
            server.stop()
            server.join()

991 992
    def server_params_test(client_context, server_context, indata=b"FOO\n",
                           chatty=True, connectionchatty=False):
993 994 995 996
        """
        Launch a server, connect a client to it and try various reads
        and writes.
        """
997
        server = ThreadedEchoServer(context=server_context,
998
                                    chatty=chatty,
Bill Janssen's avatar
Bill Janssen committed
999
                                    connectionchatty=False)
1000 1001 1002 1003 1004 1005
        flag = threading.Event()
        server.start(flag)
        # wait for it to start
        flag.wait()
        # try to connect
        try:
1006
            s = client_context.wrap_socket(socket.socket())
1007
            s.connect((HOST, server.port))
1008
            for arg in [indata, bytearray(indata), memoryview(indata)]:
1009 1010 1011
                if connectionchatty:
                    if support.verbose:
                        sys.stdout.write(
1012
                            " client:  sending %r...\n" % indata)
1013 1014 1015 1016
                s.write(arg)
                outdata = s.read()
                if connectionchatty:
                    if support.verbose:
1017
                        sys.stdout.write(" client:  read %r\n" % outdata)
1018
                if outdata != indata.lower():
1019
                    raise AssertionError(
1020 1021 1022 1023
                        "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
                        % (outdata[:20], len(outdata),
                           indata[:20].lower(), len(indata)))
            s.write(b"over\n")
Bill Janssen's avatar
Bill Janssen committed
1024
            if connectionchatty:
1025
                if support.verbose:
Bill Janssen's avatar
Bill Janssen committed
1026 1027
                    sys.stdout.write(" client:  closing connection.\n")
            s.close()
1028 1029 1030 1031
        finally:
            server.stop()
            server.join()

1032 1033
    def try_protocol_combo(server_protocol, client_protocol, expect_success,
                           certsreqs=None, server_options=0, client_options=0):
1034
        if certsreqs is None:
1035
            certsreqs = ssl.CERT_NONE
1036 1037 1038 1039 1040
        certtype = {
            ssl.CERT_NONE: "CERT_NONE",
            ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
            ssl.CERT_REQUIRED: "CERT_REQUIRED",
        }[certsreqs]
1041
        if support.verbose:
1042
            formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
1043 1044 1045 1046
            sys.stdout.write(formatstr %
                             (ssl.get_protocol_name(client_protocol),
                              ssl.get_protocol_name(server_protocol),
                              certtype))
1047 1048 1049 1050 1051 1052
        client_context = ssl.SSLContext(client_protocol)
        client_context.options = ssl.OP_ALL | client_options
        server_context = ssl.SSLContext(server_protocol)
        server_context.options = ssl.OP_ALL | server_options
        for ctx in (client_context, server_context):
            ctx.verify_mode = certsreqs
1053 1054 1055
            # NOTE: we must enable "ALL" ciphers, otherwise an SSLv23 client
            # will send an SSLv3 hello (rather than SSLv2) starting from
            # OpenSSL 1.0.0 (see issue #8322).
1056 1057 1058 1059 1060 1061
            ctx.set_ciphers("ALL")
            ctx.load_cert_chain(CERTFILE)
            ctx.load_verify_locations(CERTFILE)
        try:
            server_params_test(client_context, server_context,
                               chatty=False, connectionchatty=False)
1062 1063 1064
        # Protocol mismatch can result in either an SSLError, or a
        # "Connection reset by peer" error.
        except ssl.SSLError:
1065
            if expect_success:
1066
                raise
1067
        except socket.error as e:
1068
            if expect_success or e.errno != errno.ECONNRESET:
1069
                raise
1070
        else:
1071
            if not expect_success:
1072
                raise AssertionError(
1073 1074 1075 1076 1077
                    "Client protocol %s succeeded with server protocol %s!"
                    % (ssl.get_protocol_name(client_protocol),
                       ssl.get_protocol_name(server_protocol)))


Bill Janssen's avatar
Bill Janssen committed
1078
    class ThreadedTests(unittest.TestCase):
1079

1080
        @skip_if_broken_ubuntu_ssl
1081 1082
        def test_echo(self):
            """Basic test of an SSL client connecting to a server"""
1083
            if support.verbose:
1084
                sys.stdout.write("\n")
1085 1086 1087 1088 1089
            for protocol in PROTOCOLS:
                context = ssl.SSLContext(protocol)
                context.load_cert_chain(CERTFILE)
                server_params_test(context, context,
                                   chatty=True, connectionchatty=True)
1090

1091
        def test_getpeercert(self):
1092
            if support.verbose:
1093
                sys.stdout.write("\n")
1094 1095 1096 1097 1098
            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            context.verify_mode = ssl.CERT_REQUIRED
            context.load_verify_locations(CERTFILE)
            context.load_cert_chain(CERTFILE)
            server = ThreadedEchoServer(context=context, chatty=False)
1099 1100 1101 1102 1103 1104
            flag = threading.Event()
            server.start(flag)
            # wait for it to start
            flag.wait()
            # try to connect
            try:
1105
                s = context.wrap_socket(socket.socket())
1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121
                s.connect((HOST, server.port))
                cert = s.getpeercert()
                self.assertTrue(cert, "Can't get peer certificate.")
                cipher = s.cipher()
                if support.verbose:
                    sys.stdout.write(pprint.pformat(cert) + '\n')
                    sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
                if 'subject' not in cert:
                    self.fail("No subject field in certificate: %s." %
                              pprint.pformat(cert))
                if ((('organizationName', 'Python Software Foundation'),)
                    not in cert['subject']):
                    self.fail(
                        "Missing or invalid 'organizationName' field in certificate subject; "
                        "should be 'Python Software Foundation'.")
                s.close()
1122 1123 1124 1125
            finally:
                server.stop()
                server.join()

1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146
        def test_empty_cert(self):
            """Connecting with an empty cert file"""
            bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
                                      "nullcert.pem"))
        def test_malformed_cert(self):
            """Connecting with a badly formatted certificate (syntax error)"""
            bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
                                       "badcert.pem"))
        def test_nonexisting_cert(self):
            """Connecting with a non-existing cert file"""
            bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
                                       "wrongcert.pem"))
        def test_malformed_key(self):
            """Connecting with a badly formatted key (syntax error)"""
            bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
                                       "badkey.pem"))

        def test_rude_shutdown(self):
            """A brutal shutdown of an SSL server should raise an IOError
            in the client when attempting handshake.
            """
1147 1148
            listener_ready = threading.Event()
            listener_gone = threading.Event()
1149

1150 1151
            s = socket.socket()
            port = support.bind_port(s, HOST)
1152

1153 1154 1155 1156
            # `listener` runs in a thread.  It sits in an accept() until
            # the main thread connects.  Then it rudely closes the socket,
            # and sets Event `listener_gone` to let the main thread know
            # the socket is gone.
1157 1158 1159 1160
            def listener():
                s.listen(5)
                listener_ready.set()
                s.accept()
1161
                s.close()
1162 1163 1164 1165
                listener_gone.set()

            def connector():
                listener_ready.wait()
1166 1167
                c = socket.socket()
                c.connect((HOST, port))
1168 1169
                listener_gone.wait()
                try:
1170
                    ssl_sock = ssl.wrap_socket(c)
1171 1172 1173
                except IOError:
                    pass
                else:
1174
                    self.fail('connecting to closed SSL socket should have failed')
1175 1176 1177

            t = threading.Thread(target=listener)
            t.start()
1178 1179 1180 1181
            try:
                connector()
            finally:
                t.join()
1182

1183
        @skip_if_broken_ubuntu_ssl
1184 1185
        def test_protocol_sslv2(self):
            """Connecting to an SSLv2 server with various client options"""
1186
            if support.verbose:
1187
                sys.stdout.write("\n")
1188 1189 1190 1191 1192 1193
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
1194 1195 1196 1197 1198 1199 1200 1201 1202
            # SSLv23 client with specific SSL options
            if no_sslv2_implies_sslv3_hello():
                # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
                try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
                                   client_options=ssl.OP_NO_SSLv2)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
                               client_options=ssl.OP_NO_SSLv3)
            try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
                               client_options=ssl.OP_NO_TLSv1)
1203

1204
        @skip_if_broken_ubuntu_ssl
1205 1206
        def test_protocol_sslv23(self):
            """Connecting to an SSLv23 server with various client options"""
1207
            if support.verbose:
1208 1209
                sys.stdout.write("\n")
            try:
1210
                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
1211
            except (ssl.SSLError, socket.error) as x:
1212
                # this fails on some older versions of OpenSSL (0.9.7l, for instance)
1213
                if support.verbose:
1214 1215 1216
                    sys.stdout.write(
                        " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
                        % str(x))
1217 1218 1219
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
1220

1221 1222 1223
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
1224

1225 1226 1227
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
1228

1229 1230 1231 1232 1233 1234 1235 1236 1237 1238
            # Server with specific SSL options
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
                               server_options=ssl.OP_NO_SSLv3)
            # Will choose TLSv1
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
                               server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,
                               server_options=ssl.OP_NO_TLSv1)


1239
        @skip_if_broken_ubuntu_ssl
1240 1241
        def test_protocol_sslv3(self):
            """Connecting to an SSLv3 server with various client options"""
1242
            if support.verbose:
1243
                sys.stdout.write("\n")
1244 1245 1246 1247 1248 1249
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
            try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
1250 1251 1252 1253
            if no_sslv2_implies_sslv3_hello():
                # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
                                   client_options=ssl.OP_NO_SSLv2)
1254

1255
        @skip_if_broken_ubuntu_ssl
1256 1257
        def test_protocol_tlsv1(self):
            """Connecting to a TLSv1 server with various client options"""
1258
            if support.verbose:
1259
                sys.stdout.write("\n")
1260 1261 1262 1263 1264 1265
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
1266

1267 1268 1269
        def test_starttls(self):
            """Switching from clear text to encrypted and back again."""
            msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
1270

1271
            server = ThreadedEchoServer(CERTFILE,
1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282
                                        ssl_version=ssl.PROTOCOL_TLSv1,
                                        starttls_server=True,
                                        chatty=True,
                                        connectionchatty=True)
            flag = threading.Event()
            server.start(flag)
            # wait for it to start
            flag.wait()
            # try to connect
            wrapped = False
            try:
1283 1284 1285 1286 1287 1288
                s = socket.socket()
                s.setblocking(1)
                s.connect((HOST, server.port))
                if support.verbose:
                    sys.stdout.write("\n")
                for indata in msgs:
1289
                    if support.verbose:
1290
                        sys.stdout.write(
1291
                            " client:  sending %r...\n" % indata)
1292
                    if wrapped:
1293
                        conn.write(indata)
1294 1295
                        outdata = conn.read()
                    else:
1296
                        s.send(indata)
1297
                        outdata = s.recv(1024)
1298 1299 1300
                    msg = outdata.strip().lower()
                    if indata == b"STARTTLS" and msg.startswith(b"ok"):
                        # STARTTLS ok, switch to secure mode
1301
                        if support.verbose:
1302
                            sys.stdout.write(
1303 1304
                                " client:  read %r from server, starting TLS...\n"
                                % msg)
1305 1306
                        conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
                        wrapped = True
1307 1308
                    elif indata == b"ENDTLS" and msg.startswith(b"ok"):
                        # ENDTLS ok, switch back to clear text
1309 1310
                        if support.verbose:
                            sys.stdout.write(
1311 1312
                                " client:  read %r from server, ending TLS...\n"
                                % msg)
1313 1314
                        s = conn.unwrap()
                        wrapped = False
1315
                    else:
1316 1317
                        if support.verbose:
                            sys.stdout.write(
1318
                                " client:  read %r from server\n" % msg)
1319 1320 1321
                if support.verbose:
                    sys.stdout.write(" client:  closing connection.\n")
                if wrapped:
1322
                    conn.write(b"over\n")
1323
                else:
1324
                    s.send(b"over\n")
Bill Janssen's avatar
Bill Janssen committed
1325 1326 1327
                if wrapped:
                    conn.close()
                else:
1328 1329 1330 1331 1332
                    s.close()
            finally:
                server.stop()
                server.join()

1333 1334
        def test_socketserver(self):
            """Using a SocketServer to create and manage SSL connections."""
1335
            server = OurHTTPSServer(CERTFILE)
1336 1337 1338 1339 1340 1341
            flag = threading.Event()
            server.start(flag)
            # wait for it to start
            flag.wait()
            # try to connect
            try:
1342
                if support.verbose:
1343
                    sys.stdout.write('\n')
1344 1345
                with open(CERTFILE, 'rb') as f:
                    d1 = f.read()
1346 1347
                d2 = ''
                # now fetch the same data from the HTTPS server
1348 1349
                url = 'https://%s:%d/%s' % (
                    HOST, server.port, os.path.split(CERTFILE)[1])
Jeremy Hylton's avatar
Jeremy Hylton committed
1350
                f = urllib.request.urlopen(url)
1351
                dlen = f.info().get("content-length")
1352 1353
                if dlen and (int(dlen) > 0):
                    d2 = f.read(int(dlen))
1354
                    if support.verbose:
1355 1356 1357 1358
                        sys.stdout.write(
                            " client: read %d bytes from remote server '%s'\n"
                            % (len(d2), server))
                f.close()
1359
                self.assertEqual(d1, d2)
1360
            finally:
1361
                if support.verbose:
1362
                    sys.stdout.write('stopping server\n')
1363
                server.stop()
1364
                if support.verbose:
1365
                    sys.stdout.write('joining thread\n')
1366 1367
                server.join()

1368 1369 1370
        def test_asyncore_server(self):
            """Check the example asyncore integration."""
            indata = "TEST MESSAGE of mixed case\n"
1371

1372
            if support.verbose:
1373 1374
                sys.stdout.write("\n")

1375
            indata = b"FOO\n"
1376
            server = AsyncoreEchoServer(CERTFILE)
1377 1378 1379 1380 1381 1382 1383
            flag = threading.Event()
            server.start(flag)
            # wait for it to start
            flag.wait()
            # try to connect
            try:
                s = ssl.wrap_socket(socket.socket())
1384
                s.connect(('127.0.0.1', server.port))
1385
                if support.verbose:
1386
                    sys.stdout.write(
1387 1388
                        " client:  sending %r...\n" % indata)
                s.write(indata)
1389
                outdata = s.read()
1390
                if support.verbose:
1391
                    sys.stdout.write(" client:  read %r\n" % outdata)
1392
                if outdata != indata.lower():
1393
                    self.fail(
1394 1395 1396 1397
                        "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
                        % (outdata[:20], len(outdata),
                           indata[:20].lower(), len(indata)))
                s.write(b"over\n")
1398
                if support.verbose:
1399 1400
                    sys.stdout.write(" client:  closing connection.\n")
                s.close()
1401 1402
                if support.verbose:
                    sys.stdout.write(" client:  connection closed.\n")
1403
            finally:
1404 1405
                if support.verbose:
                    sys.stdout.write(" cleanup: stopping server.\n")
1406
                server.stop()
1407 1408
                if support.verbose:
                    sys.stdout.write(" cleanup: joining server thread.\n")
1409
                server.join()
1410 1411
                if support.verbose:
                    sys.stdout.write(" cleanup: successfully joined.\n")
1412

1413 1414
        def test_recv_send(self):
            """Test recv(), send() and friends."""
1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428
            if support.verbose:
                sys.stdout.write("\n")

            server = ThreadedEchoServer(CERTFILE,
                                        certreqs=ssl.CERT_NONE,
                                        ssl_version=ssl.PROTOCOL_TLSv1,
                                        cacerts=CERTFILE,
                                        chatty=True,
                                        connectionchatty=False)
            flag = threading.Event()
            server.start(flag)
            # wait for it to start
            flag.wait()
            # try to connect
1429 1430 1431 1432 1433 1434 1435
            s = ssl.wrap_socket(socket.socket(),
                                server_side=False,
                                certfile=CERTFILE,
                                ca_certs=CERTFILE,
                                cert_reqs=ssl.CERT_NONE,
                                ssl_version=ssl.PROTOCOL_TLSv1)
            s.connect((HOST, server.port))
1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462
            try:
                # helper methods for standardising recv* method signatures
                def _recv_into():
                    b = bytearray(b"\0"*100)
                    count = s.recv_into(b)
                    return b[:count]

                def _recvfrom_into():
                    b = bytearray(b"\0"*100)
                    count, addr = s.recvfrom_into(b)
                    return b[:count]

                # (name, method, whether to expect success, *args)
                send_methods = [
                    ('send', s.send, True, []),
                    ('sendto', s.sendto, False, ["some.address"]),
                    ('sendall', s.sendall, True, []),
                ]
                recv_methods = [
                    ('recv', s.recv, True, []),
                    ('recvfrom', s.recvfrom, False, ["some.address"]),
                    ('recv_into', _recv_into, True, []),
                    ('recvfrom_into', _recvfrom_into, False, []),
                ]
                data_prefix = "PREFIX_"

                for meth_name, send_meth, expect_success, args in send_methods:
1463
                    indata = (data_prefix + meth_name).encode('ascii')
1464
                    try:
1465
                        send_meth(indata, *args)
1466 1467
                        outdata = s.read()
                        if outdata != indata.lower():
Georg Brandl's avatar
Georg Brandl committed
1468
                            self.fail(
1469
                                "While sending with <<{name:s}>> bad data "
1470 1471 1472
                                "<<{outdata:r}>> ({nout:d}) received; "
                                "expected <<{indata:r}>> ({nin:d})\n".format(
                                    name=meth_name, outdata=outdata[:20],
1473
                                    nout=len(outdata),
1474
                                    indata=indata[:20], nin=len(indata)
1475 1476 1477 1478
                                )
                            )
                    except ValueError as e:
                        if expect_success:
Georg Brandl's avatar
Georg Brandl committed
1479
                            self.fail(
1480 1481 1482 1483
                                "Failed to send with method <<{name:s}>>; "
                                "expected to succeed.\n".format(name=meth_name)
                            )
                        if not str(e).startswith(meth_name):
Georg Brandl's avatar
Georg Brandl committed
1484
                            self.fail(
1485 1486 1487 1488 1489 1490 1491
                                "Method <<{name:s}>> failed with unexpected "
                                "exception message: {exp:s}\n".format(
                                    name=meth_name, exp=e
                                )
                            )

                for meth_name, recv_meth, expect_success, args in recv_methods:
1492
                    indata = (data_prefix + meth_name).encode('ascii')
1493
                    try:
1494
                        s.send(indata)
1495 1496
                        outdata = recv_meth(*args)
                        if outdata != indata.lower():
Georg Brandl's avatar
Georg Brandl committed
1497
                            self.fail(
1498
                                "While receiving with <<{name:s}>> bad data "
1499 1500 1501
                                "<<{outdata:r}>> ({nout:d}) received; "
                                "expected <<{indata:r}>> ({nin:d})\n".format(
                                    name=meth_name, outdata=outdata[:20],
1502
                                    nout=len(outdata),
1503
                                    indata=indata[:20], nin=len(indata)
1504 1505 1506 1507
                                )
                            )
                    except ValueError as e:
                        if expect_success:
Georg Brandl's avatar
Georg Brandl committed
1508
                            self.fail(
1509 1510 1511 1512
                                "Failed to receive with method <<{name:s}>>; "
                                "expected to succeed.\n".format(name=meth_name)
                            )
                        if not str(e).startswith(meth_name):
Georg Brandl's avatar
Georg Brandl committed
1513
                            self.fail(
1514 1515 1516 1517 1518 1519 1520 1521
                                "Method <<{name:s}>> failed with unexpected "
                                "exception message: {exp:s}\n".format(
                                    name=meth_name, exp=e
                                )
                            )
                        # consume data
                        s.read()

1522
                s.write(b"over\n")
1523 1524 1525 1526 1527
                s.close()
            finally:
                server.stop()
                server.join()

1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551
        def test_handshake_timeout(self):
            # Issue #5103: SSL handshake must respect the socket timeout
            server = socket.socket(socket.AF_INET)
            host = "127.0.0.1"
            port = support.bind_port(server)
            started = threading.Event()
            finish = False

            def serve():
                server.listen(5)
                started.set()
                conns = []
                while not finish:
                    r, w, e = select.select([server], [], [], 0.1)
                    if server in r:
                        # Let the socket hang around rather than having
                        # it closed by garbage collection.
                        conns.append(server.accept()[0])

            t = threading.Thread(target=serve)
            t.start()
            started.wait()

            try:
1552 1553 1554 1555 1556 1557 1558 1559 1560
                try:
                    c = socket.socket(socket.AF_INET)
                    c.settimeout(0.2)
                    c.connect((host, port))
                    # Will attempt handshake and time out
                    self.assertRaisesRegexp(ssl.SSLError, "timed out",
                                            ssl.wrap_socket, c)
                finally:
                    c.close()
1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574
                try:
                    c = socket.socket(socket.AF_INET)
                    c = ssl.wrap_socket(c)
                    c.settimeout(0.2)
                    # Will attempt handshake and time out
                    self.assertRaisesRegexp(ssl.SSLError, "timed out",
                                            c.connect, (host, port))
                finally:
                    c.close()
            finally:
                finish = True
                t.join()
                server.close()

1575

1576 1577
def test_main(verbose=False):
    if skip_expected:
Benjamin Peterson's avatar
Benjamin Peterson committed
1578
        raise unittest.SkipTest("No SSL support")
1579

1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596
    if support.verbose:
        plats = {
            'Linux': platform.linux_distribution,
            'Mac': platform.mac_ver,
            'Windows': platform.win32_ver,
        }
        for name, func in plats.items():
            plat = func()
            if plat and plat[0]:
                plat = '%s %r' % (name, plat)
                break
        else:
            plat = repr(platform.platform())
        print("test_ssl: testing with %r %r" %
            (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
        print("          under %s" % plat)

1597 1598 1599 1600 1601 1602
    for filename in [
        CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
        ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
        BADCERT, BADKEY, EMPTYCERT]:
        if not os.path.exists(filename):
            raise support.TestFailed("Can't read certificate file %r" % filename)
Bill Janssen's avatar
Bill Janssen committed
1603

1604
    tests = [ContextTests, BasicSocketTests]
1605

1606
    if support.is_resource_enabled('network'):
Bill Janssen's avatar
Bill Janssen committed
1607
        tests.append(NetworkedTests)
1608

1609
    if _have_threads:
1610 1611
        thread_info = support.threading_setup()
        if thread_info and support.is_resource_enabled('network'):
Bill Janssen's avatar
Bill Janssen committed
1612
            tests.append(ThreadedTests)
1613

1614 1615 1616 1617 1618
    try:
        support.run_unittest(*tests)
    finally:
        if _have_threads:
            support.threading_cleanup(*thread_info)
1619 1620 1621

if __name__ == "__main__":
    test_main()