| 1 | From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001 |
| 2 | From: Christian Heimes <christian@python.org> |
| 3 | Date: Wed, 12 Sep 2018 15:20:31 +0800 |
| 4 | Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) |
| 5 | |
| 6 | Change TLS 1.3 cipher suite settings for compatibility with OpenSSL |
| 7 | 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 ciphers enabled by |
| 8 | default. |
| 9 | |
| 10 | Also update multissltests and Travis config to test with latest OpenSSL. |
| 11 | |
| 12 | Signed-off-by: Christian Heimes <christian@python.org> |
| 13 | (cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3) |
| 14 | |
| 15 | Co-authored-by: Christian Heimes <christian@python.org |
| 16 | |
| 17 | Upstream-Status: Backport |
| 18 | [https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71] |
| 19 | |
| 20 | Tweaked patch to not take changes for multissltests and Travis config. |
| 21 | |
| 22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 23 | --- |
| 24 | Lib/test/test_ssl.py | 51 ++++++++++++++++++++++---------------------- |
| 25 | 1 file changed, 26 insertions(+), 25 deletions(-) |
| 26 | |
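--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -3024,17 +3024,21 @@ else:
 sock.do_handshake()
 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
 
- def test_default_ciphers(self):
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- try:
- # Force a set of weak ciphers on our client context
- context.set_ciphers("DES")
- except ssl.SSLError:
- self.skipTest("no DES cipher available")
- with ThreadedEchoServer(CERTFILE,
- ssl_version=ssl.PROTOCOL_SSLv23,
- chatty=False) as server:
- with context.wrap_socket(socket.socket()) as s:
+ def test_no_shared_ciphers(self):
+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ client_context.verify_mode = ssl.CERT_REQUIRED
+ client_context.check_hostname = True
+
+ client_context.set_ciphers("AES128")
+ server_context.set_ciphers("AES256")
+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
+ client_context.options |= ssl.OP_NO_TLSv1_3
+ with ThreadedEchoServer(context=server_context) as server:
+ with client_context.wrap_socket(
+ socket.socket(),
+ server_hostname="localhost") as s:
 with self.assertRaises(OSError):
 s.connect((HOST, server.port))
 self.assertIn("no shared cipher", str(server.conn_errors[0]))
@@ -3067,9 +3071,9 @@ else:
 with context.wrap_socket(socket.socket()) as s:
 s.connect((HOST, server.port))
 self.assertIn(s.cipher()[0], [
- 'TLS13-AES-256-GCM-SHA384',
- 'TLS13-CHACHA20-POLY1305-SHA256',
- 'TLS13-AES-128-GCM-SHA256',
+ 'TLS_AES_256_GCM_SHA384',
+ 'TLS_CHACHA20_POLY1305_SHA256',
+ 'TLS_AES_128_GCM_SHA256',
 ])
 
 @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
@@ -3391,22 +3395,19 @@ else:
 client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 client_context.verify_mode = ssl.CERT_REQUIRED
 client_context.load_verify_locations(SIGNING_CA)
- if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
- client_context.set_ciphers("AES128:AES256")
- server_context.set_ciphers("AES256")
- alg1 = "AES256"
- alg2 = "AES-256"
- else:
- client_context.set_ciphers("AES:3DES")
- server_context.set_ciphers("3DES")
- alg1 = "3DES"
- alg2 = "DES-CBC3"
+ client_context.set_ciphers("AES128:AES256")
+ server_context.set_ciphers("AES256")
+ expected_algs = [
+ "AES256", "AES-256",
+ # TLS 1.3 ciphers are always enabled
+ "TLS_CHACHA20", "TLS_AES",
+ ]
 
 stats = server_params_test(client_context, server_context)
 ciphers = stats['server_shared_ciphers'][0]
 self.assertGreater(len(ciphers), 0)
 for name, tls_version, bits in ciphers:
- if not alg1 in name.split("-") and alg2 not in name:
+ if not any (alg in name for alg in expected_algs):
 self.fail(name)
 
 def test_read_write_after_close_raises_valuerror(self):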
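Review bot: The shared-cipher check at the end of the third hunk, `if not any (alg in name for alg in expected_algs):`, is a plain substring match, and the `"TLS_AES"` entry lets `TLS_AES_128_GCM_SHA256` pass even though the server context was restricted with `set_ciphers("AES256")`. That is presumably intended, because the TLS 1.3 suites are not controlled by `set_ciphers()` under OpenSSL 1.1.1, but the comment `# TLS 1.3 ciphers are always enabled` does not tell a reader why an AES-128 suite is acceptable here. I would reword it to `# set_ciphers() does not apply to TLS 1.3 suites; OpenSSL 1.1.1 keeps them enabled, so accept them here`. The space in `any (` should also go, giving `any(alg in name for alg in expected_algs)`. The enclosing test method starts above the hunk, so its name and the server context setup are not visible.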
| 108 | -- |
| 109 | 2.17.1 |
| 110 | |