(self)
| 3072 | @unittest.skipUnless(IS_OPENSSL_3_0_0, |
| 3073 | "test requires RFC 5280 check added in OpenSSL 3.0+") |
| 3074 | def test_verify_strict(self): |
| 3075 | # verification fails by default, since the server cert is non-conforming |
| 3076 | client_context = ssl.create_default_context() |
| 3077 | client_context.load_verify_locations(LEAF_MISSING_AKI_CA) |
| 3078 | hostname = LEAF_MISSING_AKI_CERTFILE_HOSTNAME |
| 3079 | |
| 3080 | server_context = ssl.create_default_context(purpose=Purpose.CLIENT_AUTH) |
| 3081 | server_context.load_cert_chain(LEAF_MISSING_AKI_CERTFILE) |
| 3082 | server = ThreadedEchoServer(context=server_context, chatty=True) |
| 3083 | with server: |
| 3084 | with client_context.wrap_socket(socket.socket(), |
| 3085 | server_hostname=hostname) as s: |
| 3086 | with self.assertRaises(ssl.SSLError): |
| 3087 | s.connect((HOST, server.port)) |
| 3088 | |
| 3089 | # explicitly disabling VERIFY_X509_STRICT allows it to succeed |
| 3090 | client_context = ssl.create_default_context() |
| 3091 | client_context.load_verify_locations(LEAF_MISSING_AKI_CA) |
| 3092 | client_context.verify_flags &= ~ssl.VERIFY_X509_STRICT |
| 3093 | |
| 3094 | server_context = ssl.create_default_context(purpose=Purpose.CLIENT_AUTH) |
| 3095 | server_context.load_cert_chain(LEAF_MISSING_AKI_CERTFILE) |
| 3096 | server = ThreadedEchoServer(context=server_context, chatty=True) |
| 3097 | with server: |
| 3098 | with client_context.wrap_socket(socket.socket(), |
| 3099 | server_hostname=hostname) as s: |
| 3100 | s.connect((HOST, server.port)) |
| 3101 | cert = s.getpeercert() |
| 3102 | self.assertTrue(cert, "Can't get peer certificate.") |
| 3103 | |
| 3104 | def test_dual_rsa_ecc(self): |
| 3105 | client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) |
nothing calls this directly
no test coverage detected