[3.6] bpo-41183: Skip ssl tests for disabled versions (GH-16427) #21882
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto policy and run-time settings are recognized and tests for disabled versions are skipped. Signed-off-by: Christian Heimes <[email protected]> https://bugs.python.org/issue38275 (cherry picked from commit df6ac7e)
hroncok
commented
Aug 14, 2020
| return False | ||
|
|
||
| if isinstance(version, str): | ||
| version = ssl.TLSVersion.__members__[version] |
There was a problem hiding this comment.
So this entire thing does not exist on 3.6 yet.
| version = ssl.TLSVersion.__members__[version] | ||
|
|
||
| # check compile time flags like ssl.HAS_TLSv1_2 | ||
| if not getattr(ssl, f'HAS_{version.name}'): |
| ctx = ssl.SSLContext() | ||
| if ( | ||
| hasattr(ctx, 'minimum_version') and | ||
| ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and |
There was a problem hiding this comment.
Yet the most importantly, and that I believe is what is problematic on newer systems is that this (and MAXIMUM_SUPPORTED) is also not here yet.
There was a problem hiding this comment.
This change requires #5259 to be backported. However even if we backport that, it relies on some features from #5128 . So in general I don't think it's possible to pull this off with this approach. And it's easy to figure out the baked/compiled in versions of supported protocols in openssl but no easy way, without those features, to determine the runtime config.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.
Signed-off-by: Christian Heimes [email protected]
https://bugs.python.org/issue38275
(cherry picked from commit df6ac7e)
cc @larryhastings @tiran
https://bugs.python.org/issue41183