Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(270320)

Unified Diff: Lib/test/test_httplib.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Lib/ssl.py ('k') | Lib/test/test_ssl.py » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
--- a/Lib/test/test_httplib.py Sun Nov 02 22:19:56 2014 +0200
+++ b/Lib/test/test_httplib.py Mon Nov 03 09:50:32 2014 -0800
@@ -1012,13 +1012,36 @@
self.assertIn('Apache', server_string)
def test_networked(self):
- # Default settings: no cert verification is done
+ # Default settings: requires a valid cert from a trusted CA
+ import ssl
support.requires('network')
- with support.transient_internet('svn.python.org'):
- h = client.HTTPSConnection('svn.python.org', 443)
+ with support.transient_internet('self-signed.pythontest.net'):
+ h = client.HTTPSConnection('self-signed.pythontest.net', 443)
+ with self.assertRaises(ssl.SSLError) as exc_info:
+ h.request('GET', '/')
+ self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
+
+ def test_networked_noverification(self):
+ # Switch off cert verification
+ import ssl
+ support.requires('network')
+ with support.transient_internet('self-signed.pythontest.net'):
+ context = ssl._create_unverified_context()
+ h = client.HTTPSConnection('self-signed.pythontest.net', 443,
+ context=context)
h.request('GET', '/')
resp = h.getresponse()
- self._check_svn_python_org(resp)
+ self.assertIn('nginx', resp.getheader('server'))
+
+ def test_networked_trusted_by_default_cert(self):
+ # Default settings: requires a valid cert from a trusted CA
+ support.requires('network')
+ with support.transient_internet('www.python.org'):
+ h = client.HTTPSConnection('www.python.org', 443)
+ h.request('GET', '/')
+ resp = h.getresponse()
+ content_type = resp.getheader('content-type')
+ self.assertIn('text/html', content_type)
def test_networked_good_cert(self):
# We feed a CA cert that validates the server's cert
@@ -1037,13 +1060,23 @@
# We feed a "CA" cert that is unrelated to the server's cert
import ssl
support.requires('network')
- with support.transient_internet('svn.python.org'):
+ with support.transient_internet('self-signed.pythontest.net'):
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(CERT_localhost)
- h = client.HTTPSConnection('svn.python.org', 443, context=context)
- with self.assertRaises(ssl.SSLError):
+ h = client.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
+ with self.assertRaises(ssl.SSLError) as exc_info:
h.request('GET', '/')
+ self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
+
+ def test_local_unknown_cert(self):
+ # The custom cert isn't known to the default trust bundle
+ import ssl
+ server = self.make_server(CERT_localhost)
+ h = client.HTTPSConnection('localhost', server.port)
+ with self.assertRaises(ssl.SSLError) as exc_info:
+ h.request('GET', '/')
+ self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
def test_local_good_hostname(self):
# The (valid) cert validates the HTTP hostname
@@ -1056,7 +1089,6 @@
h.request('GET', '/nonexistent')
resp = h.getresponse()
self.assertEqual(resp.status, 404)
- del server
def test_local_bad_hostname(self):
# The (valid) cert doesn't validate the HTTP hostname
@@ -1079,7 +1111,6 @@
h.request('GET', '/nonexistent')
resp = h.getresponse()
self.assertEqual(resp.status, 404)
- del server
@unittest.skipIf(not hasattr(client, 'HTTPSConnection'),
'http.client.HTTPSConnection not available')
« no previous file with comments | « Lib/ssl.py ('k') | Lib/test/test_ssl.py » ('j') | no next file with comments »

RSS Feeds Recent Issues | This issue
This is Rietveld 894c83f36cb7+