(original) (raw)

changeset: 69673:d3166c359714 user: Antoine Pitrou solipsis@pitrou.net date: Thu Apr 28 19:23:55 2011 +0200 files: Doc/library/ssl.rst Lib/ssl.py Lib/test/test_ssl.py Misc/NEWS description: Issue #11811: ssl.get_server_certificate() is now IPv6-compatible. Patch by Charles-François Natali. diff -r 0518f32cb747 -r d3166c359714 Doc/library/ssl.rst --- a/Doc/library/ssl.rst Thu Apr 28 19🔞10 2011 +0200 +++ b/Doc/library/ssl.rst Thu Apr 28 19:23:55 2011 +0200 @@ -239,6 +239,9 @@ will attempt to validate the server certificate against that set of root certificates, and will fail if the validation attempt fails. + .. versionchanged:: 3.3 + This function is now IPv6-compatible. + .. function:: DER_cert_to_PEM_cert(DER_cert_bytes) Given a certificate as a DER-encoded blob of bytes, returns a PEM-encoded diff -r 0518f32cb747 -r d3166c359714 Lib/ssl.py --- a/Lib/ssl.py Thu Apr 28 19🔞10 2011 +0200 +++ b/Lib/ssl.py Thu Apr 28 19:23:55 2011 +0200 @@ -81,7 +81,7 @@ from socket import getnameinfo as _getnameinfo from socket import error as socket_error -from socket import socket, AF_INET, SOCK_STREAM +from socket import socket, AF_INET, SOCK_STREAM, create_connection import base64 # for DER-to-PEM translation import traceback import errno @@ -543,9 +543,9 @@ cert_reqs = CERT_REQUIRED else: cert_reqs = CERT_NONE - s = wrap_socket(socket(), ssl_version=ssl_version, + s = create_connection(addr) + s = wrap_socket(s, ssl_version=ssl_version, cert_reqs=cert_reqs, ca_certs=ca_certs) - s.connect(addr) dercert = s.getpeercert(True) s.close() return DER_cert_to_PEM_cert(dercert) diff -r 0518f32cb747 -r d3166c359714 Lib/test/test_ssl.py --- a/Lib/test/test_ssl.py Thu Apr 28 19🔞10 2011 +0200 +++ b/Lib/test/test_ssl.py Thu Apr 28 19:23:55 2011 +0200 @@ -604,25 +604,30 @@ sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count) def test_get_server_certificate(self): - with support.transient_internet("svn.python.org"): - pem = ssl.get_server_certificate(("svn.python.org", 443)) - if not pem: - self.fail("No server certificate on svn.python.org:443!") - - try: - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE) - except ssl.SSLError as x: - #should fail + def _test_get_server_certificate(host, port, cert=None): + with support.transient_internet(host): + pem = ssl.get_server_certificate((host, port)) + if not pem: + self.fail("No server certificate on %s:%s!" % (host, port)) + + try: + pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE) + except ssl.SSLError as x: + #should fail + if support.verbose: + sys.stdout.write("%s\n" % x) + else: + self.fail("Got server certificate %s for %s:%s!" % (pem, host, port)) + + pem = ssl.get_server_certificate((host, port), ca_certs=cert) + if not pem: + self.fail("No server certificate on %s:%s!" % (host, port)) if support.verbose: - sys.stdout.write("%s\n" % x) - else: - self.fail("Got server certificate %s for svn.python.org!" % pem) + sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem)) - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT) - if not pem: - self.fail("No server certificate on svn.python.org:443!") - if support.verbose: - sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) + _test_get_server_certificate('svn.python.org', 443, SVN_PYTHON_ORG_ROOT_CERT) + if support.IPV6_ENABLED: + _test_get_server_certificate('ipv6.google.com', 443) def test_ciphers(self): remote = ("svn.python.org", 443) diff -r 0518f32cb747 -r d3166c359714 Misc/NEWS --- a/Misc/NEWS Thu Apr 28 19🔞10 2011 +0200 +++ b/Misc/NEWS Thu Apr 28 19:23:55 2011 +0200 @@ -127,6 +127,9 @@ Library ------- +- Issue #11811: ssl.get_server_certificate() is now IPv6-compatible. Patch + by Charles-François Natali. + - Issue #11763: don't use difflib in TestCase.assertMultiLineEqual if the strings are too long. /solipsis@pitrou.net