Try to SSL-connect using *client_protocol* to *server_protocol*. If *expect_success* is true, assert that the connection succeeds, if it's false, assert that the connection fails. Also, if *expect_success* is a string, assert that it is the protocol version actually used by the
(server_protocol, client_protocol, expect_success,
certsreqs=None, server_options=0, client_options=0)
| 2731 | return stats |
| 2732 | |
| 2733 | def try_protocol_combo(server_protocol, client_protocol, expect_success, |
| 2734 | certsreqs=None, server_options=0, client_options=0): |
| 2735 | """ |
| 2736 | Try to SSL-connect using *client_protocol* to *server_protocol*. |
| 2737 | If *expect_success* is true, assert that the connection succeeds, |
| 2738 | if it's false, assert that the connection fails. |
| 2739 | Also, if *expect_success* is a string, assert that it is the protocol |
| 2740 | version actually used by the connection. |
| 2741 | """ |
| 2742 | if certsreqs is None: |
| 2743 | certsreqs = ssl.CERT_NONE |
| 2744 | certtype = { |
| 2745 | ssl.CERT_NONE: "CERT_NONE", |
| 2746 | ssl.CERT_OPTIONAL: "CERT_OPTIONAL", |
| 2747 | ssl.CERT_REQUIRED: "CERT_REQUIRED", |
| 2748 | }[certsreqs] |
| 2749 | if support.verbose: |
| 2750 | formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n" |
| 2751 | sys.stdout.write(formatstr % |
| 2752 | (ssl.get_protocol_name(client_protocol), |
| 2753 | ssl.get_protocol_name(server_protocol), |
| 2754 | certtype)) |
| 2755 | |
| 2756 | with warnings_helper.check_warnings(): |
| 2757 | # ignore Deprecation warnings |
| 2758 | client_context = ssl.SSLContext(client_protocol) |
| 2759 | client_context.options |= client_options |
| 2760 | server_context = ssl.SSLContext(server_protocol) |
| 2761 | server_context.options |= server_options |
| 2762 | |
| 2763 | min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None) |
| 2764 | if (min_version is not None |
| 2765 | # SSLContext.minimum_version is only available on recent OpenSSL |
| 2766 | # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1) |
| 2767 | and hasattr(server_context, 'minimum_version') |
| 2768 | and server_protocol == ssl.PROTOCOL_TLS |
| 2769 | and server_context.minimum_version > min_version |
| 2770 | ): |
| 2771 | # If OpenSSL configuration is strict and requires more recent TLS |
| 2772 | # version, we have to change the minimum to test old TLS versions. |
| 2773 | with warnings_helper.check_warnings(): |
| 2774 | server_context.minimum_version = min_version |
| 2775 | |
| 2776 | # NOTE: we must enable "ALL" ciphers on the client, otherwise an |
| 2777 | # SSLv23 client will send an SSLv3 hello (rather than SSLv2) |
| 2778 | # starting from OpenSSL 1.0.0 (see issue #8322). |
| 2779 | if client_context.protocol == ssl.PROTOCOL_TLS: |
| 2780 | client_context.set_ciphers("ALL") |
| 2781 | |
| 2782 | seclevel_workaround(server_context, client_context) |
| 2783 | |
| 2784 | for ctx in (client_context, server_context): |
| 2785 | ctx.verify_mode = certsreqs |
| 2786 | ctx.load_cert_chain(SIGNED_CERTFILE) |
| 2787 | ctx.load_verify_locations(SIGNING_CA) |
| 2788 | try: |
| 2789 | stats = server_params_test(client_context, server_context, |
| 2790 | chatty=False, connectionchatty=False) |
no test coverage detected