Skip to content

bpo-28414: ssl module idna test #5395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tiran merged 1 commit into from
Jan 29, 2018
Merged

bpo-28414: ssl module idna test #5395

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 65 additions & 1 deletion Lib/test/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@ def data_file(*name):
SIGNING_CA = data_file("capath", "ceff1710.0")
# cert with all kinds of subject alt names
ALLSANFILE = data_file("allsans.pem")
IDNSANSFILE = data_file("idnsans.pem")

REMOTE_HOST = "self-signed.pythontest.net"

Expand Down Expand Up @@ -1598,7 +1599,6 @@ def test_error_types(self):


class SimpleBackgroundTests(unittest.TestCase):

"""Tests that connect to a simple server running in the background"""

def setUp(self):
Expand Down Expand Up @@ -2616,6 +2616,70 @@ def test_dual_rsa_ecc(self):
cipher = s.cipher()[0].split('-')
self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))

def test_check_hostname_idn(self):
if support.verbose:
sys.stdout.write("\n")

server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
server_context.load_cert_chain(IDNSANSFILE)

context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
context.load_verify_locations(SIGNING_CA)

# correct hostname should verify, when specified in several
# different ways
idn_hostnames = [
('könig.idn.pythontest.net',
'könig.idn.pythontest.net',),
('xn--knig-5qa.idn.pythontest.net',
'xn--knig-5qa.idn.pythontest.net'),
(b'xn--knig-5qa.idn.pythontest.net',
b'xn--knig-5qa.idn.pythontest.net'),

('königsgäßchen.idna2003.pythontest.net',
'königsgäßchen.idna2003.pythontest.net'),
('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
(b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
]
for server_hostname, expected_hostname in idn_hostnames:
server = ThreadedEchoServer(context=server_context, chatty=True)
with server:
with context.wrap_socket(socket.socket(),
server_hostname=server_hostname) as s:
self.assertEqual(s.server_hostname, expected_hostname)
s.connect((HOST, server.port))
cert = s.getpeercert()
self.assertEqual(s.server_hostname, expected_hostname)
self.assertTrue(cert, "Can't get peer certificate.")

with ssl.SSLSocket(socket.socket(),
server_hostname=server_hostname) as s:
s.connect((HOST, server.port))
s.getpeercert()
self.assertEqual(s.server_hostname, expected_hostname)

# bug https://bugs.python.org/issue28414
# IDNA 2008 deviations are broken
idna2008 = 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'
server = ThreadedEchoServer(context=server_context, chatty=True)
with server:
with self.assertRaises(UnicodeError):
with context.wrap_socket(socket.socket(),
server_hostname=idna2008) as s:
s.connect((HOST, server.port))

# incorrect hostname should raise an exception
server = ThreadedEchoServer(context=server_context, chatty=True)
with server:
with context.wrap_socket(socket.socket(),
server_hostname="python.example.org") as s:
with self.assertRaises(ssl.CertificateError):
s.connect((HOST, server.port))

def test_wrong_cert(self):
"""Connecting when the server rejects the client's certificate

Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Add test cases for IDNA 2003 and 2008 host names. IDNA 2003
internationalized host names are working since bpo-31399 has landed. IDNA
2008 are still broken.