Issue #17107: Test client-side SNI support in urllib.request thanks to the new server...

Initial patch by Daniel Black.

diff --git a/Lib/test/ssl_servers.py b/Lib/test/ssl_servers.py
index f4a0bed342d8981467721baee69c8d9d7982fa4c..759b3f487e3246920c84220336586b767e4cfe39 100644 (file)
--- a/Lib/test/ssl_servers.py
+++ b/Lib/test/ssl_servers.py
@@ -147,9 +147,11 @@ class HTTPSServerThread(threading.Thread):
         self.server.shutdown()
 
 
-def make_https_server(case, certfile=CERTFILE, host=HOST, handler_class=None):
-    # we assume the certfile contains both private key and certificate
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+def make_https_server(case, *, context=None, certfile=CERTFILE,
+                      host=HOST, handler_class=None):
+    if context is None:
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    # We assume the certfile contains both private key and certificate
     context.load_cert_chain(certfile)
     server = HTTPSServerThread(context, host, handler_class)
     flag = threading.Event()

diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 0ebd091c796735109b4c42cc98ad7e255796bf44..be2d77160c61c3fd5cde8d6d8e3cd13e02b7764d 100644 (file)
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -703,7 +703,7 @@ class HTTPSTest(TestCase):
 
     def make_server(self, certfile):
         from test.ssl_servers import make_https_server
-        return make_https_server(self, certfile)
+        return make_https_server(self, certfile=certfile)
 
     def test_attributes(self):
         # simple test to check it's storing the timeout

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index febebaf0777f910f06ae80083fa7ae11c6552f7d..32b6131886cfabe938be4d5731e75068e203f0dc 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1637,7 +1637,7 @@ else:
 
         def test_socketserver(self):
             """Using a SocketServer to create and manage SSL connections."""
-            server = make_https_server(self, CERTFILE)
+            server = make_https_server(self, certfile=CERTFILE)
             # try to connect
             if support.verbose:
                 sys.stdout.write('\n')

diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py
index b22954c29468bcc055670891e1910ca57ea7686d..5880b3ab75943d13bb28cafd9c5cf7026a52199e 100644 (file)
--- a/Lib/test/test_urllib2_localnet.py
+++ b/Lib/test/test_urllib2_localnet.py
@@ -9,7 +9,10 @@ import unittest
 import hashlib
 from test import support
 threading = support.import_module('threading')
-
+try:
+    import ssl
+except ImportError:
+    ssl = None
 
 here = os.path.dirname(__file__)
 # Self-signed cert file for 'localhost'
@@ -17,6 +20,7 @@ CERT_localhost = os.path.join(here, 'keycert.pem')
 # Self-signed cert file for 'fakehostname'
 CERT_fakehostname = os.path.join(here, 'keycert2.pem')
 
+
 # Loopback http server infrastructure
 
 class LoopbackHttpServer(http.server.HTTPServer):
@@ -353,12 +357,15 @@ class TestUrlopen(unittest.TestCase):
     def setUp(self):
         super(TestUrlopen, self).setUp()
         # Ignore proxies for localhost tests.
+        self.old_environ = os.environ.copy()
         os.environ['NO_PROXY'] = '*'
         self.server = None
 
     def tearDown(self):
         if self.server is not None:
             self.server.stop()
+        os.environ.clear()
+        os.environ.update(self.old_environ)
         super(TestUrlopen, self).tearDown()
 
     def urlopen(self, url, data=None, **kwargs):
@@ -386,14 +393,14 @@ class TestUrlopen(unittest.TestCase):
         handler.port = port
         return handler
 
-    def start_https_server(self, responses=None, certfile=CERT_localhost):
+    def start_https_server(self, responses=None, **kwargs):
         if not hasattr(urllib.request, 'HTTPSHandler'):
             self.skipTest('ssl support required')
         from test.ssl_servers import make_https_server
         if responses is None:
             responses = [(200, [], b"we care a bit")]
         handler = GetRequestHandler(responses)
-        server = make_https_server(self, certfile=certfile, handler_class=handler)
+        server = make_https_server(self, handler_class=handler, **kwargs)
         handler.port = server.port
         return handler
 
@@ -483,6 +490,21 @@ class TestUrlopen(unittest.TestCase):
             self.urlopen("https://localhost:%s/bizarre" % handler.port,
                          cadefault=True)
 
+    def test_https_sni(self):
+        if ssl is None:
+            self.skipTest("ssl module required")
+        if not ssl.HAS_SNI:
+            self.skipTest("SNI support required in OpenSSL")
+        sni_name = None
+        def cb_sni(ssl_sock, server_name, initial_context):
+            nonlocal sni_name
+            sni_name = server_name
+        context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        context.set_servername_callback(cb_sni)
+        handler = self.start_https_server(context=context, certfile=CERT_localhost)
+        self.urlopen("https://localhost:%s" % handler.port)
+        self.assertEqual(sni_name, "localhost")
+
     def test_sending_headers(self):
         handler = self.start_server()
         req = urllib.request.Request("http://localhost:%s/" % handler.port,

diff --git a/Lib/test/test_urllib2net.py b/Lib/test/test_urllib2net.py
index b3c1a68234625e564101bc6d6db151c1e3c36b7f..e276d2ebfca6aeb4b005dbee99a579a48e624477 100644 (file)
--- a/Lib/test/test_urllib2net.py
+++ b/Lib/test/test_urllib2net.py
@@ -330,31 +330,9 @@ class TimeoutTest(unittest.TestCase):
             self.assertEqual(u.fp.fp.raw._sock.gettimeout(), 60)
 
 
-@unittest.skipUnless(ssl, "requires SSL support")
-class HTTPSTests(unittest.TestCase):
-
-    def test_sni(self):
-        self.skipTest("test disabled - test server needed")
-        # Checks that Server Name Indication works, if supported by the
-        # OpenSSL linked to.
-        # The ssl module itself doesn't have server-side support for SNI,
-        # so we rely on a third-party test site.
-        expect_sni = ssl.HAS_SNI
-        with support.transient_internet("XXX"):
-            u = urllib.request.urlopen("XXX")
-            contents = u.readall()
-            if expect_sni:
-                self.assertIn(b"Great", contents)
-                self.assertNotIn(b"Unfortunately", contents)
-            else:
-                self.assertNotIn(b"Great", contents)
-                self.assertIn(b"Unfortunately", contents)
-
-
 def test_main():
     support.requires("network")
     support.run_unittest(AuthTests,
-                         HTTPSTests,
                          OtherNetworkTests,
                          CloseSocketTest,
                          TimeoutTest,

diff --git a/Misc/NEWS b/Misc/NEWS
index 68cb3ec25967f296dd37fd243d172901debb1bf2..6bb65264b635f106ddd74e968cd209ef363312f6 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -754,6 +754,10 @@ Extension Modules
 Tests
 -----
 
+- Issue #17107: Test client-side SNI support in urllib.request thanks to
+  the new server-side SNI support in the ssl module.  Initial patch by
+  Daniel Black.
+
 - Issue #17041: Fix testing when Python is configured with the
   --without-doc-strings.