Try to SSL-connect using *client_protocol* to *server_protocol*. If *expect_success* is true, assert that the connection succeeds, if it's false, assert that the connection fails. Also, if *expect_success* is a string, assert that it is the protocol version actually used by the
(server_protocol, client_protocol, expect_success,
certsreqs=None, server_options=0, client_options=0)
| 3015 | return stats |
| 3016 | |
| 3017 | def try_protocol_combo(server_protocol, client_protocol, expect_success, |
| 3018 | certsreqs=None, server_options=0, client_options=0): |
| 3019 | """ |
| 3020 | Try to SSL-connect using *client_protocol* to *server_protocol*. |
| 3021 | If *expect_success* is true, assert that the connection succeeds, |
| 3022 | if it's false, assert that the connection fails. |
| 3023 | Also, if *expect_success* is a string, assert that it is the protocol |
| 3024 | version actually used by the connection. |
| 3025 | """ |
| 3026 | if certsreqs is None: |
| 3027 | certsreqs = ssl.CERT_NONE |
| 3028 | certtype = { |
| 3029 | ssl.CERT_NONE: "CERT_NONE", |
| 3030 | ssl.CERT_OPTIONAL: "CERT_OPTIONAL", |
| 3031 | ssl.CERT_REQUIRED: "CERT_REQUIRED", |
| 3032 | }[certsreqs] |
| 3033 | if support.verbose: |
| 3034 | formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n" |
| 3035 | sys.stdout.write(formatstr % |
| 3036 | (ssl.get_protocol_name(client_protocol), |
| 3037 | ssl.get_protocol_name(server_protocol), |
| 3038 | certtype)) |
| 3039 | |
| 3040 | with warnings_helper.check_warnings(): |
| 3041 | # ignore Deprecation warnings |
| 3042 | client_context = ssl.SSLContext(client_protocol) |
| 3043 | client_context.options |= client_options |
| 3044 | server_context = ssl.SSLContext(server_protocol) |
| 3045 | server_context.options |= server_options |
| 3046 | |
| 3047 | min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None) |
| 3048 | if (min_version is not None |
| 3049 | # SSLContext.minimum_version is only available on recent OpenSSL |
| 3050 | # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1) |
| 3051 | and hasattr(server_context, 'minimum_version') |
| 3052 | and server_protocol == ssl.PROTOCOL_TLS |
| 3053 | and server_context.minimum_version > min_version |
| 3054 | ): |
| 3055 | # If OpenSSL configuration is strict and requires more recent TLS |
| 3056 | # version, we have to change the minimum to test old TLS versions. |
| 3057 | with warnings_helper.check_warnings(): |
| 3058 | server_context.minimum_version = min_version |
| 3059 | |
| 3060 | # NOTE: we must enable "ALL" ciphers on the client, otherwise an |
| 3061 | # SSLv23 client will send an SSLv3 hello (rather than SSLv2) |
| 3062 | # starting from OpenSSL 1.0.0 (see issue #8322). |
| 3063 | if client_context.protocol == ssl.PROTOCOL_TLS: |
| 3064 | client_context.set_ciphers("ALL") |
| 3065 | |
| 3066 | seclevel_workaround(server_context, client_context) |
| 3067 | |
| 3068 | for ctx in (client_context, server_context): |
| 3069 | ctx.verify_mode = certsreqs |
| 3070 | ctx.load_cert_chain(SIGNED_CERTFILE) |
| 3071 | ctx.load_verify_locations(SIGNING_CA) |
| 3072 | try: |
| 3073 | stats = server_params_test(client_context, server_context, |
| 3074 | chatty=False, connectionchatty=False) |
no test coverage detected
searching dependent graphs…