Skip to content

[2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gpshead merged 1 commit into from
May 13, 2019
Merged

[2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13253

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[2.7] bpo-35925: Skip SSL tests that fail due to weak external certs … 
…or old TLS (GH-13124)

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default. This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a
failure.

Fixing the network servers is a separate issue.
(cherry picked from commit 2cc0223)

Changes to test_ssl.py required as 2.7 has legacy protocol tests.

The test_httplib.py change is omitted from this backport as
self-signed.pythontest.net's certificate was updated and the
test_nntplib.py change is not applicable on 2.7.

Authored-by: Gregory P. Smith greg@krypto.org
  • Loading branch information
@gpshead
gpshead committed May 11, 2019
commit dba6346d5329f88c2af8bf9203fed0ee0a92927e
33 changes: 33 additions & 0 deletions Lib/test/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import traceback
import weakref
import platform
import re
import functools
from contextlib import closing

Expand Down Expand Up @@ -159,6 +160,36 @@ def f(*args, **kwargs):
else:
return func

def skip_if_openssl_cnf_minprotocol_gt_tls1(func):
"""Skip a test if the OpenSSL config MinProtocol is > TLSv1.
OS distros with an /etc/ssl/openssl.cnf and MinProtocol set often do so to
require TLSv1.2 or higher (Debian Buster). Some of our tests for older
protocol versions will fail under such a config.
Alternative workaround: Run this test in a process with
OPENSSL_CONF=/dev/null in the environment.
"""
@functools.wraps(func)
def f(*args, **kwargs):
openssl_cnf = os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl.cnf")
try:
with open(openssl_cnf, "r") as config:
for line in config:
match = re.match(r"MinProtocol\s*=\s*(TLSv\d+\S*)", line)
if match:
tls_ver = match.group(1)
if tls_ver > "TLSv1":
raise unittest.SkipTest(
"%s has MinProtocol = %s which is > TLSv1." %
(openssl_cnf, tls_ver))
except (EnvironmentError, UnicodeDecodeError) as err:
# no config file found, etc.
if support.verbose:
sys.stdout.write("\n Could not scan %s for MinProtocol: %s\n"
% (openssl_cnf, err))
return func(*args, **kwargs)
return f


needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")


Expand Down Expand Up @@ -2351,6 +2382,7 @@ def test_protocol_sslv2(self):
client_options=ssl.OP_NO_TLSv1)

@skip_if_broken_ubuntu_ssl
@skip_if_openssl_cnf_minprotocol_gt_tls1
def test_protocol_sslv23(self):
"""Connecting to an SSLv23 server with various client options"""
if support.verbose:
Expand Down Expand Up @@ -2428,6 +2460,7 @@ def test_protocol_tlsv1(self):
@skip_if_broken_ubuntu_ssl
@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
"TLS version 1.1 not supported.")
@skip_if_openssl_cnf_minprotocol_gt_tls1
def test_protocol_tlsv1_1(self):
"""Connecting to a TLSv1.1 server with various client options.
Testing against older TLS versions."""
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Tests/2019-05-06-18-29-54.bpo-35925.gwQPuC.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Skip specific nntplib and ssl networking tests when they would otherwise fail due to a modern OS or distro with a default OpenSSL policy of rejecting connections to servers with weak certificates or disabling TLS below TLSv1.2.