From: Christian Heimes Date: Mon, 29 Jan 2018 13:25:13 +0000 (+0100) Subject: bpo-28414: ssl module idna test (#5395) X-Git-Tag: v3.7.0b1~30 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=66e5742becce38e69a8f09e5f7051445fc57e92e;p=python bpo-28414: ssl module idna test (#5395) Add test cases for IDNA 2003 and 2008 host names. IDNA 2003 internationalized host names are working since bpo-31399 has landed. IDNA 2008 deviations are still broken and will be fixed in another patch. Signed-off-by: Christian Heimes --- diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 6a8bf0ef7b..a253f51d2a 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -105,6 +105,7 @@ SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc' SIGNING_CA = data_file("capath", "ceff1710.0") # cert with all kinds of subject alt names ALLSANFILE = data_file("allsans.pem") +IDNSANSFILE = data_file("idnsans.pem") REMOTE_HOST = "self-signed.pythontest.net" @@ -1612,7 +1613,6 @@ class MemoryBIOTests(unittest.TestCase): class SimpleBackgroundTests(unittest.TestCase): - """Tests that connect to a simple server running in the background""" def setUp(self): 
@@ -2630,6 +2630,70 @@ class ThreadedTests(unittest.TestCase): cipher = s.cipher()[0].split('-') self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA')) + def test_check_hostname_idn(self): + if support.verbose: + sys.stdout.write("\n") + + server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + server_context.load_cert_chain(IDNSANSFILE) + + context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = True + context.load_verify_locations(SIGNING_CA) + + # correct hostname should verify, when specified in several + # different ways + idn_hostnames = [ + ('könig.idn.pythontest.net', + 'könig.idn.pythontest.net',), + ('xn--knig-5qa.idn.pythontest.net', + 'xn--knig-5qa.idn.pythontest.net'), + (b'xn--knig-5qa.idn.pythontest.net', + b'xn--knig-5qa.idn.pythontest.net'), + + ('königsgäßchen.idna2003.pythontest.net', + 'königsgäßchen.idna2003.pythontest.net'), + ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net', + 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'), + (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net', + b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'), + ] + for server_hostname, expected_hostname in idn_hostnames: + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with context.wrap_socket(socket.socket(), + server_hostname=server_hostname) as s: + self.assertEqual(s.server_hostname, expected_hostname) + s.connect((HOST, server.port)) + cert = s.getpeercert() + self.assertEqual(s.server_hostname, expected_hostname) + self.assertTrue(cert, "Can't get peer certificate.") + + with ssl.SSLSocket(socket.socket(), + server_hostname=server_hostname) as s: + s.connect((HOST, server.port)) + s.getpeercert() + self.assertEqual(s.server_hostname, expected_hostname) + + # bug https://bugs.python.org/issue28414 + # IDNA 2008 deviations are broken + idna2008 = 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net' + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with 
self.assertRaises(UnicodeError): + with context.wrap_socket(socket.socket(), + server_hostname=idna2008) as s: + s.connect((HOST, server.port)) + + # incorrect hostname should raise an exception + server = ThreadedEchoServer(context=server_context, chatty=True) + with server: + with context.wrap_socket(socket.socket(), + server_hostname="python.example.org") as s: + with self.assertRaises(ssl.CertificateError): + s.connect((HOST, server.port)) + def test_wrong_cert(self): """Connecting when the server rejects the client's certificate diff --git a/Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst b/Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst new file mode 100644 index 0000000000..c64bc55bb8 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2018-01-28-21-19-13.bpo-28414.a6Onzt.rst @@ -0,0 +1,3 @@ +Add test cases for IDNA 2003 and 2008 host names. IDNA 2003 +internationalized host names are working since bpo-31399 has landed. IDNA +2008 are still broken.
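Review bot: The second inner block of the loop in test_check_hostname_idn, `with ssl.SSLSocket(socket.socket(), server_hostname=server_hostname) as s:`, is built without the `context` configured above, so it does not inherit `CERT_REQUIRED` or `check_hostname = True`. As far as the hunk shows, it only checks that `server_hostname` round-trips. Because it sits under the comment "correct hostname should verify", either mark it with `# no context passed: checks only the server_hostname attribute, not certificate or hostname verification`, or build the socket with `context.wrap_socket(...)` if verification was intended. The rejection case at the end uses only the ASCII name `python.example.org`; a mismatching internationalized name, one known to be absent from idnsans.pem, would also exercise the IDNA encoding path on the failure side. The `assertRaises(UnicodeError)` block encloses both `wrap_socket` and `connect`, so it does not pin which call fails for the IDNA 2008 name.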