| 3226 | self.assertLess(before, after) |
| 3227 | |
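def test_crl_check(self):
    # Exercise CRL checking on the client context in three steps:
    #   1. default verify flags: the handshake succeeds;
    #   2. VERIFY_CRL_CHECK_LEAF set but no CRL loaded: the handshake
    #      must fail with a certificate verification error;
    #   3. same flag after loading CRLFILE: the handshake succeeds.
    # NOTE(review): every step uses a certificate that is expected to
    # verify once a CRL is available; rejection of a revoked certificate
    # is not exercised by this test.
    if support.verbose:
        sys.stdout.write("\n")

    client_context, server_context, hostname = testing_context()

    # VERIFY_X509_TRUSTED_FIRST may be missing from the ssl module; the
    # fallback of 0 turns the OR below into a no-op in that case.
    tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
    self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)

    # VERIFY_DEFAULT should pass
    server = ThreadedEchoServer(context=server_context, chatty=True)
    with server:
        with client_context.wrap_socket(socket.socket(),
                                        server_hostname=hostname) as s:
            s.connect((HOST, server.port))
            cert = s.getpeercert()
            self.assertTrue(cert, "Can't get peer certificate.")

    # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails.  In this
    # mode only the peer (leaf) certificate is checked against a CRL,
    # not the intermediate CA certificates.
    client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF

    server = ThreadedEchoServer(context=server_context, chatty=True)
    # Allow for flexible libssl error messages.
    # re.X discards unescaped whitespace inside the pattern, so the
    # spaces of the OpenSSL message are escaped; left bare, that
    # alternative would only match "certificateverifyfailed".
    regex = re.compile(r"""(
        certificate\ verify\ failed  # OpenSSL
        |
        CERTIFICATE_VERIFY_FAILED    # AWS-LC
    )""", re.X)
    with server:
        with client_context.wrap_socket(socket.socket(),
                                        server_hostname=hostname) as s:
            with self.assertRaisesRegex(ssl.SSLError, regex):
                s.connect((HOST, server.port))

    # now load a CRL file. The CRL file is signed by the CA.
    client_context.load_verify_locations(CRLFILE)

    server = ThreadedEchoServer(context=server_context, chatty=True)
    with server:
        with client_context.wrap_socket(socket.socket(),
                                        server_hostname=hostname) as s:
            s.connect((HOST, server.port))
            cert = s.getpeercert()
            self.assertTrue(cert, "Can't get peer certificate.")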
| 3272 | |
| 3273 | def test_check_hostname(self): |
| 3274 | if support.verbose: |