[Python-bugs-list] [ python-Bugs-451607 ] SSL support in socket module needs tests (original) (raw)

noreply@sourceforge.net noreply@sourceforge.net
Thu, 11 Oct 2001 12:39:46 -0700

Bugs item #451607, was opened at 2001-08-16 09:00 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=105470&aid=451607&group_id=5470

Category: Extension Modules Group: None Status: Open Resolution: None Priority: 5 Submitted By: Barry Warsaw (bwarsaw) Assigned to: Martin v. L�wis (loewis) Summary: SSL support in socket module needs tests

Initial Comment: SSL support in the socket module should have a regression test, either in test_socket.py or in a separate test_ssl.py file.

Comment By: Martin v. L�wis (loewis) Date: 2001-10-11 12:39

Message: Logged In: YES user_id=21627

  1. When prngd runs on a TCP socket, it still won't accept connections from remote systems.
  2. Sure, but would that simplify testing?
  3. My comment was actually directed at bug #232460, which is Solaris specific: Solaris does not have a /dev/[u]random, so prngd is the only choice. I agree that using /dev/random is better if available. Furthermore, OpenSSL will already make this choice for you at installation time.

Comment By: paul rubin (phr) Date: 2001-10-11 11:44

Message: Logged In: YES user_id=72053

  1. I think it's dangerous to run a prngd on an IP socket instead of a Unix domain socket. It creates the possibility of (either accidentally or by ignorance) running OpenSSL on a separate host from the prngd, making the random numbers vulnerable to network sniffing. That's bad--the numbers are cryptographic secrets and should not be exposed.

  2. It's simple to set up a local SSL server with the command line openssl s_server option.

  3. I'm not crazy about the whole prngd concept. I haven't looked at the CHILL interface yet, but if it's possible to abandon prngd and get random numbers through CHILL, that might be best. On Linux, /dev/urandom should be used.

Comment By: Martin v. L�wis (loewis) Date: 2001-10-11 11:32

Message: Logged In: YES user_id=21627

On PRNG problems, it seems we have two options:

Comment By: Martin v. L�wis (loewis) Date: 2001-09-03 08:12

Message: Logged In: YES user_id=21627

I'd suggest an approach similar to the one in test_socket, i.e. test only if can_fork. As for the certificates: I think they should be generated in advance and included into the test suite.

Comment By: Barry Warsaw (bwarsaw) Date: 2001-08-28 06:53

Message: Logged In: YES user_id=12800

There is currently an extremely minimal test in test_socket_ssl.py, but it is fairly bogus because it requires an outside network connection. The only test there just tries to hit https://sf.net.

Ideally, there would be a set of regression tests that only required local resources. I.e. it would set up a local SSL server, then do connects to it to test the various SSL features in socket module.

Take a look at test_socket_ssl.py in the 2.2 cvs and see if you can improve matters. From what I understand, the tricky part is generating all the necessary certificates, etc.

Also, if you intend to work on this, please log in to SF to continue this dialog so we know who we're talking to! :)

Comment By: Nobody/Anonymous (nobody) Date: 2001-08-27 22:58

Message: Logged In: NO

I may be able to help with this. I'm fairly familiar with SSL in general, though not about the socket module. What's needed?

You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=105470&aid=451607&group_id=5470