
Side by Side Diff: Lib/test/test_httplib.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 9 months ago
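--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -1,10 +1,10 @@
 import errno
 from http import client
 import io
 import os
 import array
 import socket
 
 import unittest
 TestCase = unittest.TestCase
 
@@ -1005,88 +1005,119 @@
 # simple test to check it's storing the timeout
 h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
 self.assertEqual(h.timeout, 30)
 
 def _check_svn_python_org(self, resp):
 # Just a simple check that everything went fine
 server_string = resp.getheader('server')
 self.assertIn('Apache', server_string)
 
 def test_networked(self):
-# Default settings: no cert verification is done
+# Default settings: requires a valid cert from a trusted CA
+import ssl
 support.requires('network')
-with support.transient_internet('svn.python.org'):
-h = client.HTTPSConnection('svn.python.org', 443)
+with support.transient_internet('self-signed.pythontest.net'):
+h = client.HTTPSConnection('self-signed.pythontest.net', 443)
+with self.assertRaises(ssl.SSLError) as exc_info:
+h.request('GET', '/')
+self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAIL ED')
+
+def test_networked_noverification(self):
+# Switch off cert verification
+import ssl
+support.requires('network')
+with support.transient_internet('self-signed.pythontest.net'):
+context = ssl._create_unverified_context()
+h = client.HTTPSConnection('self-signed.pythontest.net', 443,
+context=context)
 h.request('GET', '/')
 resp = h.getresponse()
-self._check_svn_python_org(resp)
+self.assertIn('nginx', resp.getheader('server'))
+
+def test_networked_trusted_by_default_cert(self):
+# Default settings: requires a valid cert from a trusted CA
+support.requires('network')
+with support.transient_internet('www.python.org'):
+h = client.HTTPSConnection('www.python.org', 443)
+h.request('GET', '/')
+resp = h.getresponse()
+content_type = resp.getheader('content-type')
+self.assertIn('text/html', content_type)
 
 def test_networked_good_cert(self):
 # We feed a CA cert that validates the server's cert
 import ssl
 support.requires('network')
 with support.transient_internet('svn.python.org'):
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CACERT_svn_python_org)
 h = client.HTTPSConnection('svn.python.org', 443, context=context)
 h.request('GET', '/')
 resp = h.getresponse()
 self._check_svn_python_org(resp)
 
 def test_networked_bad_cert(self):
 # We feed a "CA" cert that is unrelated to the server's cert
 import ssl
 support.requires('network')
-with support.transient_internet('svn.python.org'):
+with support.transient_internet('self-signed.pythontest.net'):
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_localhost)
-h = client.HTTPSConnection('svn.python.org', 443, context=context)
-with self.assertRaises(ssl.SSLError):
+h = client.HTTPSConnection('self-signed.pythontest.net', 443, contex t=context)
+with self.assertRaises(ssl.SSLError) as exc_info:
 h.request('GET', '/')
+self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAIL ED')
+
+def test_local_unknown_cert(self):
+# The custom cert isn't known to the default trust bundle
+import ssl
+server = self.make_server(CERT_localhost)
+h = client.HTTPSConnection('localhost', server.port)
+with self.assertRaises(ssl.SSLError) as exc_info:
+h.request('GET', '/')
+self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
 
 def test_local_good_hostname(self):
 # The (valid) cert validates the HTTP hostname
 import ssl
 server = self.make_server(CERT_localhost)
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_localhost)
 h = client.HTTPSConnection('localhost', server.port, context=context)
 h.request('GET', '/nonexistent')
 resp = h.getresponse()
 self.assertEqual(resp.status, 404)
-del server
 
 def test_local_bad_hostname(self):
 # The (valid) cert doesn't validate the HTTP hostname
 import ssl
 server = self.make_server(CERT_fakehostname)
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_fakehostname)
 h = client.HTTPSConnection('localhost', server.port, context=context)
 with self.assertRaises(ssl.CertificateError):
 h.request('GET', '/')
 # Same with explicit check_hostname=True
 h = client.HTTPSConnection('localhost', server.port, context=context,
 check_hostname=True)
 with self.assertRaises(ssl.CertificateError):
 h.request('GET', '/')
 # With check_hostname=False, the mismatching is ignored
 h = client.HTTPSConnection('localhost', server.port, context=context,
 check_hostname=False)
 h.request('GET', '/nonexistent')
 resp = h.getresponse()
 self.assertEqual(resp.status, 404)
-del server
 
 @unittest.skipIf(not hasattr(client, 'HTTPSConnection'),
 'http.client.HTTPSConnection not available')
 def test_host_port(self):
 # Check invalid host_port
 
 for hp in ("www.python.org:abc", "user:password@www.python.org"):
 self.assertRaises(client.InvalidURL, client.HTTPSConnection, hp)
 
 for hp, h, p in (("[fe80::207:e9ff:fe9b]:8000",
@@ -1251,10 +1282,10 @@
 self.assertTrue(b'Host: destination.com' in conn.sock.data)
 
 def test_main(verbose=None):
 support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
 HTTPSTest, RequestBodyTest, SourceAddressTest,
 HTTPResponseTest, ExtendedReadTest,
 ExtendedReadTestChunked, TunnelTests)
 
 if __name__ == '__main__':
 test_main()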
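Review bot: None of the new default-settings tests exercises a hostname mismatch. `test_networked` and `test_local_unknown_cert` both fail on an untrusted chain (`CERTIFICATE_VERIFY_FAILED`), and `test_local_bad_hostname` still passes an explicit `SSLContext`, so hostname checking under the new default is covered only if another file in the patch does it. A case that builds the context with `ssl.create_default_context(cafile=CERT_fakehostname)` and expects `ssl.CertificateError` against `localhost` would pin that half of the behaviour. Separately, `test_networked_noverification` asserts `'nginx'` in the Server header, which ties the test to the host's web server software and raises `TypeError` instead of a test failure when the header is absent. Asserting on `resp.status` would be sturdier, and a comment such as `# private opt-out; test use only` above `ssl._create_unverified_context()` would make that call's intent clear.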