(self)
| 3355 | @unittest.skipUnless(IS_OPENSSL_3_0_0, |
| 3356 | "test requires RFC 5280 check added in OpenSSL 3.0+") |
| 3357 | def test_verify_strict(self): |
| 3358 | # verification fails by default, since the server cert is non-conforming |
| 3359 | client_context = ssl.create_default_context() |
| 3360 | client_context.load_verify_locations(LEAF_MISSING_AKI_CA) |
| 3361 | hostname = LEAF_MISSING_AKI_CERTFILE_HOSTNAME |
| 3362 | |
| 3363 | server_context = ssl.create_default_context(purpose=Purpose.CLIENT_AUTH) |
| 3364 | server_context.load_cert_chain(LEAF_MISSING_AKI_CERTFILE) |
| 3365 | server = ThreadedEchoServer(context=server_context, chatty=True) |
| 3366 | with server: |
| 3367 | with client_context.wrap_socket(socket.socket(), |
| 3368 | server_hostname=hostname) as s: |
| 3369 | with self.assertRaises(ssl.SSLError): |
| 3370 | s.connect((HOST, server.port)) |
| 3371 | |
| 3372 | # explicitly disabling VERIFY_X509_STRICT allows it to succeed |
| 3373 | client_context = ssl.create_default_context() |
| 3374 | client_context.load_verify_locations(LEAF_MISSING_AKI_CA) |
| 3375 | client_context.verify_flags &= ~ssl.VERIFY_X509_STRICT |
| 3376 | |
| 3377 | server_context = ssl.create_default_context(purpose=Purpose.CLIENT_AUTH) |
| 3378 | server_context.load_cert_chain(LEAF_MISSING_AKI_CERTFILE) |
| 3379 | server = ThreadedEchoServer(context=server_context, chatty=True) |
| 3380 | with server: |
| 3381 | with client_context.wrap_socket(socket.socket(), |
| 3382 | server_hostname=hostname) as s: |
| 3383 | s.connect((HOST, server.port)) |
| 3384 | cert = s.getpeercert() |
| 3385 | self.assertTrue(cert, "Can't get peer certificate.") |
| 3386 | |
| 3387 | def test_dual_rsa_ecc(self): |
| 3388 | client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) |
nothing calls this directly
no test coverage detected