3838HOST = support .HOST
3939IS_LIBRESSL = ssl .OPENSSL_VERSION .startswith ('LibreSSL' )
4040IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl .OPENSSL_VERSION_INFO >= (1 , 1 , 0 )
41+ IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl .OPENSSL_VERSION_INFO >= (3 , 0 , 0 )
4142PY_SSL_DEFAULT_CIPHERS = sysconfig .get_config_var ('PY_SSL_DEFAULT_CIPHERS' )
4243
4344def data_file (* name ):
@@ -148,8 +149,8 @@ def f(*args, **kwargs):
148149 else :
149150 return func
150151
151- def skip_if_openssl_cnf_minprotocol_gt_tls1 (func ):
152- """Skip a test if the OpenSSL config MinProtocol is > TLSv1.
152+ def skip_if_openssl_cnf_minprotocol_gt_tls11 (func ):
153+ """Skip a test if the OpenSSL config MinProtocol is > TLSv1.1.
153154
154155 OS distros with an /etc/ssl/openssl.cnf and MinProtocol set often do so to
155156 require TLSv1.2 or higher (Debian Buster). Some of our tests for older
@@ -160,14 +161,16 @@ def skip_if_openssl_cnf_minprotocol_gt_tls1(func):
160161 """
161162 @functools .wraps (func )
162163 def f (* args , ** kwargs ):
164+ if IS_OPENSSL_3_0_0 :
165+ raise unittest .SkipTest ('OpenSSL 3 effectively disables TLS < 1.2' )
163166 openssl_cnf = os .environ .get ("OPENSSL_CONF" , "/etc/ssl/openssl.cnf" )
164167 try :
165168 with open (openssl_cnf , "r" ) as config :
166169 for line in config :
167170 match = re .match (r"MinProtocol\s*=\s*(TLSv\d+\S*)" , line )
168171 if match :
169172 tls_ver = match .group (1 )
170- if tls_ver > "TLSv1" :
173+ if tls_ver > "TLSv1.1 " :
171174 raise unittest .SkipTest (
172175 "%s has MinProtocol = %s which is > TLSv1." %
173176 (openssl_cnf , tls_ver ))
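Review bot: The SkipTest message on the unchanged line `"%s has MinProtocol = %s which is > TLSv1." %` still names TLSv1 although the threshold on the changed line above is now `"TLSv1.1"`, so a skipped run reports the wrong reason; change it to `"%s has MinProtocol = %s which is > TLSv1.1." %`. The comparison is a plain string comparison, which orders TLSv1 < TLSv1.1 < TLSv1.2 < TLSv1.3 as intended only while minor versions stay single-digit — a one-line comment saying so would spare the next reader the check. The rendered literal shows as `"TLSv1.1 "` with a trailing space; if that is really in the source rather than a rendering artifact it is harmless for those values but should be dropped. The wrapper `f` continues past the hunk, and `skip_if_openssl_cnf_minprotocol_gt_tls11` itself starts in the previous hunk.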
@@ -1421,7 +1424,7 @@ def test__create_stdlib_context(self):
14211424 self ._assert_context_options (ctx )
14221425
14231426 def test_check_hostname (self ):
1424- ctx = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
1427+ ctx = ssl .SSLContext (ssl .PROTOCOL_TLS )
14251428 self .assertFalse (ctx .check_hostname )
14261429
14271430 # Requires CERT_REQUIRED or CERT_OPTIONAL
@@ -1479,7 +1482,7 @@ def test_lib_reason(self):
14791482 def test_subclass (self ):
14801483 # Check that the appropriate SSLError subclass is raised
14811484 # (this only tests one of them)
1482- ctx = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
1485+ ctx = ssl .SSLContext (ssl .PROTOCOL_TLS )
14831486 with socket .socket () as s :
14841487 s .bind (("127.0.0.1" , 0 ))
14851488 s .listen ()
@@ -2422,7 +2425,8 @@ def test_echo(self):
24222425 if support .verbose :
24232426 sys .stdout .write ("\n " )
24242427 for protocol in PROTOCOLS :
2425- if protocol in {ssl .PROTOCOL_TLS_CLIENT , ssl .PROTOCOL_TLS_SERVER }:
2428+ if protocol in {ssl .PROTOCOL_TLS_CLIENT , ssl .PROTOCOL_TLS_SERVER ,
2429+ ssl .PROTOCOL_TLSv1 , ssl .PROTOCOL_TLSv1_1 }:
24262430 continue
24272431 with self .subTest (protocol = ssl ._PROTOCOL_NAMES [protocol ]):
24282432 context = ssl .SSLContext (protocol )
@@ -2513,10 +2517,10 @@ def test_crl_check(self):
25132517 if support .verbose :
25142518 sys .stdout .write ("\n " )
25152519
2516- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
2520+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
25172521 server_context .load_cert_chain (SIGNED_CERTFILE )
25182522
2519- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
2523+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
25202524 context .verify_mode = ssl .CERT_REQUIRED
25212525 context .load_verify_locations (SIGNING_CA )
25222526 tf = getattr (ssl , "VERIFY_X509_TRUSTED_FIRST" , 0 )
@@ -2554,10 +2558,10 @@ def test_check_hostname(self):
25542558 if support .verbose :
25552559 sys .stdout .write ("\n " )
25562560
2557- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
2561+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
25582562 server_context .load_cert_chain (SIGNED_CERTFILE )
25592563
2560- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
2564+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
25612565 context .verify_mode = ssl .CERT_REQUIRED
25622566 context .check_hostname = True
25632567 context .load_verify_locations (SIGNING_CA )
@@ -2687,7 +2691,7 @@ def test_protocol_sslv2(self):
26872691 client_options = ssl .OP_NO_TLSv1 )
26882692
26892693 @skip_if_broken_ubuntu_ssl
2690- @skip_if_openssl_cnf_minprotocol_gt_tls1
2694+ @skip_if_openssl_cnf_minprotocol_gt_tls11
26912695 def test_protocol_sslv23 (self ):
26922696 """Connecting to an SSLv23 server with various client options"""
26932697 if support .verbose :
@@ -2748,6 +2752,7 @@ def test_protocol_sslv3(self):
27482752 False , client_options = ssl .OP_NO_SSLv2 )
27492753
27502754 @skip_if_broken_ubuntu_ssl
2755+ @skip_if_openssl_cnf_minprotocol_gt_tls11
27512756 def test_protocol_tlsv1 (self ):
27522757 """Connecting to a TLSv1 server with various client options"""
27532758 if support .verbose :
@@ -2765,7 +2770,7 @@ def test_protocol_tlsv1(self):
27652770 @skip_if_broken_ubuntu_ssl
27662771 @unittest .skipUnless (hasattr (ssl , "PROTOCOL_TLSv1_1" ),
27672772 "TLS version 1.1 not supported." )
2768- @skip_if_openssl_cnf_minprotocol_gt_tls1
2773+ @skip_if_openssl_cnf_minprotocol_gt_tls11
27692774 def test_protocol_tlsv1_1 (self ):
27702775 """Connecting to a TLSv1.1 server with various client options.
27712776 Testing against older TLS versions."""
@@ -2813,7 +2818,7 @@ def test_starttls(self):
28132818 msgs = (b"msg 1" , b"MSG 2" , b"STARTTLS" , b"MSG 3" , b"msg 4" , b"ENDTLS" , b"msg 5" , b"msg 6" )
28142819
28152820 server = ThreadedEchoServer (CERTFILE ,
2816- ssl_version = ssl .PROTOCOL_TLSv1 ,
2821+ ssl_version = ssl .PROTOCOL_TLS ,
28172822 starttls_server = True ,
28182823 chatty = True ,
28192824 connectionchatty = True )
@@ -2841,7 +2846,7 @@ def test_starttls(self):
28412846 sys .stdout .write (
28422847 " client: read %r from server, starting TLS...\n "
28432848 % msg )
2844- conn = test_wrap_socket (s , ssl_version = ssl .PROTOCOL_TLSv1 )
2849+ conn = test_wrap_socket (s , ssl_version = ssl .PROTOCOL_TLS )
28452850 wrapped = True
28462851 elif indata == b"ENDTLS" and msg .startswith (b"ok" ):
28472852 # ENDTLS ok, switch back to clear text
@@ -2928,7 +2933,7 @@ def test_recv_send(self):
29282933
29292934 server = ThreadedEchoServer (CERTFILE ,
29302935 certreqs = ssl .CERT_NONE ,
2931- ssl_version = ssl .PROTOCOL_TLSv1 ,
2936+ ssl_version = ssl .PROTOCOL_TLS ,
29322937 cacerts = CERTFILE ,
29332938 chatty = True ,
29342939 connectionchatty = False )
@@ -2938,7 +2943,7 @@ def test_recv_send(self):
29382943 certfile = CERTFILE ,
29392944 ca_certs = CERTFILE ,
29402945 cert_reqs = ssl .CERT_NONE ,
2941- ssl_version = ssl .PROTOCOL_TLSv1 )
2946+ ssl_version = ssl .PROTOCOL_TLS )
29422947 s .connect ((HOST , server .port ))
29432948 # helper methods for standardising recv* method signatures
29442949 def _recv_into ():
@@ -3080,7 +3085,7 @@ def test_recv_zero(self):
30803085 def test_nonblocking_send (self ):
30813086 server = ThreadedEchoServer (CERTFILE ,
30823087 certreqs = ssl .CERT_NONE ,
3083- ssl_version = ssl .PROTOCOL_TLSv1 ,
3088+ ssl_version = ssl .PROTOCOL_TLS ,
30843089 cacerts = CERTFILE ,
30853090 chatty = True ,
30863091 connectionchatty = False )
@@ -3090,7 +3095,7 @@ def test_nonblocking_send(self):
30903095 certfile = CERTFILE ,
30913096 ca_certs = CERTFILE ,
30923097 cert_reqs = ssl .CERT_NONE ,
3093- ssl_version = ssl .PROTOCOL_TLSv1 )
3098+ ssl_version = ssl .PROTOCOL_TLS )
30943099 s .connect ((HOST , server .port ))
30953100 s .setblocking (False )
30963101
@@ -3236,14 +3241,14 @@ def test_version_basic(self):
32363241 Basic tests for SSLSocket.version().
32373242 More tests are done in the test_protocol_*() methods.
32383243 """
3239- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3244+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
32403245 with ThreadedEchoServer (CERTFILE ,
3241- ssl_version = ssl .PROTOCOL_TLSv1 ,
3246+ ssl_version = ssl .PROTOCOL_TLS ,
32423247 chatty = False ) as server :
32433248 with context .wrap_socket (socket .socket ()) as s :
32443249 self .assertIs (s .version (), None )
32453250 s .connect ((HOST , server .port ))
3246- self .assertEqual (s .version (), 'TLSv1' )
3251+ self .assertEqual (s .version (), 'TLSv1.3 ' )
32473252 self .assertIs (s .version (), None )
32483253
32493254 @unittest .skipUnless (ssl .HAS_TLSv1_3 ,
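Review bot: `self.assertEqual(s.version(), 'TLSv1.3')` pins the negotiated version to TLS 1.3 while both sides use `ssl.PROTOCOL_TLS`, which negotiates the highest version the two peers support, so the assertion fails on a build or OpenSSL configuration without TLS 1.3 (the rendered literal also shows a trailing space, `'TLSv1.3 '`, which would make the assertion always fail if it is real). The decorators of test_version_basic are above the hunk, so I cannot tell whether it is already guarded; if not, add `@unittest.skipUnless(ssl.HAS_TLSv1_3, "TLS 1.3 not available")` like the test that follows at the bottom of this hunk, or assert the negotiated version against the set of versions the build supports.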
@@ -3293,7 +3298,7 @@ def test_tls_unique_channel_binding(self):
32933298
32943299 server = ThreadedEchoServer (CERTFILE ,
32953300 certreqs = ssl .CERT_NONE ,
3296- ssl_version = ssl .PROTOCOL_TLSv1 ,
3301+ ssl_version = ssl .PROTOCOL_TLS ,
32973302 cacerts = CERTFILE ,
32983303 chatty = True ,
32993304 connectionchatty = False )
@@ -3303,7 +3308,7 @@ def test_tls_unique_channel_binding(self):
33033308 certfile = CERTFILE ,
33043309 ca_certs = CERTFILE ,
33053310 cert_reqs = ssl .CERT_NONE ,
3306- ssl_version = ssl .PROTOCOL_TLSv1 )
3311+ ssl_version = ssl .PROTOCOL_TLS )
33073312 s .connect ((HOST , server .port ))
33083313 # get the data
33093314 cb_data = s .get_channel_binding ("tls-unique" )
@@ -3313,7 +3318,10 @@ def test_tls_unique_channel_binding(self):
33133318
33143319 # check if it is sane
33153320 self .assertIsNotNone (cb_data )
3316- self .assertEqual (len (cb_data ), 12 ) # True for TLSv1
3321+ if s .version () == 'TLSv1.3' :
3322+ self .assertEqual (len (cb_data ), 48 )
3323+ else :
3324+ self .assertEqual (len (cb_data ), 12 ) # True for TLSv1
33173325
33183326 # and compare with the peers version
33193327 s .write (b"CB tls-unique\n " )
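Review bot: The new branch `if s.version() == 'TLSv1.3': self.assertEqual(len(cb_data), 48)` encodes an OpenSSL-specific value rather than a protocol guarantee: RFC 5929 defines tls-unique in terms of the TLS ≤ 1.2 Finished message, and TLS 1.3 (RFC 8446) does not define tls-unique at all. If `get_channel_binding("tls-unique")` keeps returning the Finished message under TLS 1.3, its length is the hash length of the negotiated suite, so 48 holds for a SHA-384 suite such as TLS_AES_256_GCM_SHA384 but would be 32 with a SHA-256 suite; the assertion is therefore tied to OpenSSL's default cipher-suite order rather than to the binding's definition. Either pin the test to TLS 1.2 (e.g. `ssl_version=ssl.PROTOCOL_TLSv1_2` on the server and clients) or at least document the assumption above the branch with `# TLS 1.3 has no standardized tls-unique; 48 is the Finished length of the SHA-384 suite OpenSSL negotiates by default`. The same branch is repeated in the next hunk of test_tls_unique_channel_binding, which starts and ends outside this hunk.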
@@ -3328,7 +3336,7 @@ def test_tls_unique_channel_binding(self):
33283336 certfile = CERTFILE ,
33293337 ca_certs = CERTFILE ,
33303338 cert_reqs = ssl .CERT_NONE ,
3331- ssl_version = ssl .PROTOCOL_TLSv1 )
3339+ ssl_version = ssl .PROTOCOL_TLS )
33323340 s .connect ((HOST , server .port ))
33333341 new_cb_data = s .get_channel_binding ("tls-unique" )
33343342 if support .verbose :
@@ -3337,15 +3345,18 @@ def test_tls_unique_channel_binding(self):
33373345 # is it really unique
33383346 self .assertNotEqual (cb_data , new_cb_data )
33393347 self .assertIsNotNone (cb_data )
3340- self .assertEqual (len (cb_data ), 12 ) # True for TLSv1
3348+ if s .version () == 'TLSv1.3' :
3349+ self .assertEqual (len (cb_data ), 48 )
3350+ else :
3351+ self .assertEqual (len (cb_data ), 12 ) # True for TLSv1
33413352 s .write (b"CB tls-unique\n " )
33423353 peer_data_repr = s .read ().strip ()
33433354 self .assertEqual (peer_data_repr ,
33443355 repr (new_cb_data ).encode ("us-ascii" ))
33453356 s .close ()
33463357
33473358 def test_compression (self ):
3348- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3359+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
33493360 context .load_cert_chain (CERTFILE )
33503361 stats = server_params_test (context , context ,
33513362 chatty = True , connectionchatty = True )
@@ -3356,7 +3367,7 @@ def test_compression(self):
33563367 @unittest .skipUnless (hasattr (ssl , 'OP_NO_COMPRESSION' ),
33573368 "ssl.OP_NO_COMPRESSION needed for this test" )
33583369 def test_compression_disabled (self ):
3359- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3370+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
33603371 context .load_cert_chain (CERTFILE )
33613372 context .options |= ssl .OP_NO_COMPRESSION
33623373 stats = server_params_test (context , context ,
@@ -3365,7 +3376,7 @@ def test_compression_disabled(self):
33653376
33663377 def test_dh_params (self ):
33673378 # Check we can get a connection with ephemeral Diffie-Hellman
3368- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3379+ context = ssl .SSLContext (ssl .PROTOCOL_TLSv1_2 )
33693380 context .load_cert_chain (CERTFILE )
33703381 context .load_dh_params (DHFILE )
33713382 context .set_ciphers ("kEDH" )
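Review bot: The switch to `ssl.PROTOCOL_TLSv1_2` on the changed line is what keeps `load_dh_params(DHFILE)` and `set_ciphers("kEDH")` meaningful, but nothing says why, and a later cleanup could "modernize" it back to `ssl.PROTOCOL_TLS` like the surrounding tests. Add `# pin TLS 1.2: TLS 1.3 negotiates key exchange via supported groups, not kEDH cipher suites, so the DH params would go unexercised` above it. test_dh_params continues past the hunk.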
@@ -3378,7 +3389,7 @@ def test_dh_params(self):
33783389
33793390 def test_selected_alpn_protocol (self ):
33803391 # selected_alpn_protocol() is None unless ALPN is used.
3381- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3392+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
33823393 context .load_cert_chain (CERTFILE )
33833394 stats = server_params_test (context , context ,
33843395 chatty = True , connectionchatty = True )
@@ -3387,9 +3398,9 @@ def test_selected_alpn_protocol(self):
33873398 @unittest .skipUnless (ssl .HAS_ALPN , "ALPN support required" )
33883399 def test_selected_alpn_protocol_if_server_uses_alpn (self ):
33893400 # selected_alpn_protocol() is None unless ALPN is used by the client.
3390- client_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3401+ client_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
33913402 client_context .load_verify_locations (CERTFILE )
3392- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3403+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
33933404 server_context .load_cert_chain (CERTFILE )
33943405 server_context .set_alpn_protocols (['foo' , 'bar' ])
33953406 stats = server_params_test (client_context , server_context ,
@@ -3440,7 +3451,7 @@ def test_alpn_protocols(self):
34403451
34413452 def test_selected_npn_protocol (self ):
34423453 # selected_npn_protocol() is None unless NPN is used
3443- context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3454+ context = ssl .SSLContext (ssl .PROTOCOL_TLS )
34443455 context .load_cert_chain (CERTFILE )
34453456 stats = server_params_test (context , context ,
34463457 chatty = True , connectionchatty = True )
@@ -3476,11 +3487,11 @@ def test_npn_protocols(self):
34763487 self .assertEqual (server_result , expected , msg % (server_result , "server" ))
34773488
34783489 def sni_contexts (self ):
3479- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3490+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
34803491 server_context .load_cert_chain (SIGNED_CERTFILE )
3481- other_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3492+ other_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
34823493 other_context .load_cert_chain (SIGNED_CERTFILE2 )
3483- client_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3494+ client_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
34843495 client_context .verify_mode = ssl .CERT_REQUIRED
34853496 client_context .load_verify_locations (SIGNING_CA )
34863497 return server_context , other_context , client_context
@@ -3579,9 +3590,9 @@ def cb_wrong_return_type(ssl_sock, server_name, initial_context):
35793590 self .assertIn ("TypeError" , stderr .getvalue ())
35803591
35813592 def test_shared_ciphers (self ):
3582- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3593+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
35833594 server_context .load_cert_chain (SIGNED_CERTFILE )
3584- client_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3595+ client_context = ssl .SSLContext (ssl .PROTOCOL_TLS )
35853596 client_context .verify_mode = ssl .CERT_REQUIRED
35863597 client_context .load_verify_locations (SIGNING_CA )
35873598 if ssl .OPENSSL_VERSION_INFO >= (1 , 0 , 2 ):
@@ -3641,9 +3652,9 @@ def test_sendfile(self):
36413652 self .assertEqual (s .recv (1024 ), TEST_DATA )
36423653
36433654 def test_session (self ):
3644- server_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3655+ server_context = ssl .SSLContext (ssl .PROTOCOL_TLS_SERVER )
36453656 server_context .load_cert_chain (SIGNED_CERTFILE )
3646- client_context = ssl .SSLContext (ssl .PROTOCOL_TLSv1 )
3657+ client_context = ssl .SSLContext (ssl .PROTOCOL_TLS_CLIENT )
36473658 client_context .verify_mode = ssl .CERT_REQUIRED
36483659 client_context .load_verify_locations (SIGNING_CA )
36493660
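Review bot: With `ssl.PROTOCOL_TLS_CLIENT` the context already defaults to `verify_mode = CERT_REQUIRED` and `check_hostname = True`, so the following `client_context.verify_mode = ssl.CERT_REQUIRED` is now redundant, and every client connection in test_session must pass a `server_hostname` matching SIGNED_CERTFILE or the handshake fails on hostname verification; the connecting code is below the hunk, so I cannot confirm it does. Either drop the assignment or keep it with `# explicit for readability; already the PROTOCOL_TLS_CLIENT default`. test_session continues past the hunk.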