def get_all_cipher_suites(cls,
tls_version: TlsVersionEnum) -> Set[CipherSuite]:
"""Get the list of cipher suites supported by OpenSSL for the given SSL/TLS version.
"""
if tls_version in [
TlsVersionEnum.SSL_2_0,
TlsVersionEnum.SSL_3_0,
TlsVersionEnum.TLS_1_0,
TlsVersionEnum.TLS_1_1,
]:
openssl_cipher_strings = cls._get_all_cipher_suites_with_legacy_openssl(
tls_version)
elif tls_version == TlsVersionEnum.TLS_1_2:
# For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
cipher_suites_from_legacy_openssl = cls._get_all_cipher_suites_with_legacy_openssl(
tls_version)
ssl_client_modern = SslClient(
ssl_version=OpenSslVersionEnum(tls_version.value))
ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
ssl_client_modern.set_ciphersuites(
"") # Disable TLS 1.3 cipher suites
cipher_suites_from_modern_openssl = set(
ssl_client_modern.get_cipher_list())
# Combine the two sets of cipher suites
openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(
cipher_suites_from_modern_openssl)
elif tls_version == TlsVersionEnum.TLS_1_3:
ssl_client_modern = SslClient(
ssl_version=OpenSslVersionEnum(tls_version.value))
ssl_client_modern.set_cipher_list(
"") # Disable NON-TLS-1.3 cipher suites
ssl_client_modern.set_ciphersuites(
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
"TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
) # Enable all TLS 1.3 cipher suites
openssl_cipher_strings = set(ssl_client_modern.get_cipher_list())
else:
raise ValueError("Should never happen")
return {
CipherSuite.from_openssl(cipher_str, tls_version)
for cipher_str in openssl_cipher_strings
}
def test_tls_1_3(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
sock.connect(('tls13.crypto.mozilla.org', 443))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3, underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
self.assertTrue(ssl_client)
def __init__(self,
client_certificate_chain_path,
client_key_path,
client_key_type=SSL_FILETYPE_PEM,
client_key_password=''):
# type: (str, str, int, Optional[str]) -> None
"""Create a container for SSL/TLS client authentication settings.
Args:
client_certificate_chain_path (str): Path to the client's certificate chain.
client_key_path (str): Path to the client's private key.
client_key_type (int): SSL_FILETYPE_PEM or SSL_FILETYPE_DER.
client_key_password (Optional[str]): Password needed to decrypt the private key.
"""
self.client_certificate_chain_path = client_certificate_chain_path
if not os.path.isfile(self.client_certificate_chain_path):
raise ValueError('Could not open the client certificate file')
self.client_key_path = client_key_path
if not os.path.isfile(self.client_key_path):
raise ValueError('Could not open the client private key file')
self.client_key_password = client_key_password
self.client_key_type = client_key_type
if self.client_key_type not in [SSL_FILETYPE_ASN1, SSL_FILETYPE_PEM]:
raise ValueError('Invalid certificate format specified')
# Try to load the cert and key in OpenSSL; will raise an exception if something is wrong
SslClient(client_certchain_file=self.client_certificate_chain_path,
client_key_file=self.client_key_path,
client_key_type=self.client_key_type,
client_key_password=self.client_key_password)
def __init__(self,
client_certificate_chain_path,
client_key_path,
client_key_type=OpenSslFileTypeEnum.PEM,
client_key_password=''):
# type: (Text, Text, OpenSslFileTypeEnum, Optional[Text]) -> None
"""
Args:
client_certificate_chain_path (Text): Path to the file containing the client's certificate.
client_key_path (Text): Path to the file containing the client's private key.
client_key_type (OpenSslFileTypeEnum): The format of the key file.
client_key_password (Optional[Text]): The password to decrypt the private key.
"""
self.client_certificate_chain_path = client_certificate_chain_path
if not os.path.isfile(self.client_certificate_chain_path):
raise ValueError('Could not open the client certificate file')
self.client_key_path = client_key_path
if not os.path.isfile(self.client_key_path):
raise ValueError('Could not open the client private key file')
self.client_key_password = client_key_password
self.client_key_type = client_key_type
if self.client_key_type not in OpenSslFileTypeEnum:
raise ValueError('Invalid certificate format specified')
# Try to load the cert and key in OpenSSL; will raise an exception if something is wrong
SslClient(client_certchain_file=self.client_certificate_chain_path,
client_key_file=self.client_key_path,
client_key_type=self.client_key_type,
client_key_password=self.client_key_password)
def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]:
tls_version_to_cipher_suites: Dict[TlsVersionEnum, Set[CipherSuite]] = {}
for tls_version in [
TlsVersionEnum.SSL_2_0,
TlsVersionEnum.SSL_3_0,
TlsVersionEnum.TLS_1_0,
TlsVersionEnum.TLS_1_1,
]:
openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version)
tls_version_to_cipher_suites[tls_version] = set()
for cipher_suite_openssl_name in openssl_cipher_strings:
cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name]
tls_version_to_cipher_suites[tls_version].add(
CipherSuite(
name=cipher_suite_rfc_name,
openssl_name=cipher_suite_openssl_name,
is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
)
)
# For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2)
ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value))
ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list())
# Combine the two sets of cipher suites
openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl)
tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set()
for cipher_suite_openssl_name in openssl_cipher_strings:
# Ignore TLS 1.3 cipher suites
if cipher_suite_openssl_name in _TLS_1_3_CIPHER_SUITES:
continue
cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[TlsVersionEnum.TLS_1_2][cipher_suite_openssl_name]
tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2].add(
CipherSuite(
name=cipher_suite_rfc_name,
openssl_name=cipher_suite_openssl_name,
is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
)
)
# TLS 1.3 - the list is just hardcoded
tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_3] = {
CipherSuite(
# For TLS 1.3 OpenSSL started using the official names
name=cipher_suite_name,
openssl_name=cipher_suite_name,
is_anonymous=False,
key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_name],
)
for cipher_suite_name in _TLS_1_3_CIPHER_SUITES
}
return tls_version_to_cipher_suites
def test_get_dh_info_ecdh_x25519(self):
with ModernOpenSslServer(cipher="ECDHE-RSA-AES256-SHA",
groups="X25519") as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = SslClient(
ssl_version=OpenSslVersionEnum.TLSV1_2,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE,
)
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()
dh_info = ssl_client.get_ephemeral_key()
assert isinstance(dh_info, EcDhEphemeralKeyInfo)
assert dh_info.type == OpenSslEvpPkeyEnum.X25519
assert dh_info.size == 253
assert dh_info.curve == OpenSslEcNidEnum.X25519
assert len(dh_info.public_bytes) == 32
def __init__(
self,
client_certificate_chain_path: str,
client_key_path: str,
client_key_type: OpenSslFileTypeEnum = OpenSslFileTypeEnum.PEM,
client_key_password: str = "",
) -> None:
"""
Args:
client_certificate_chain_path: Path to the file containing the client's certificate.
client_key_path: Path to the file containing the client's private key.
client_key_type: The format of the key file.
client_key_password: The password to decrypt the private key.
"""
self.client_certificate_chain_path = client_certificate_chain_path
if not os.path.isfile(self.client_certificate_chain_path):
raise ValueError("Could not open the client certificate file")
self.client_key_path = client_key_path
if not os.path.isfile(self.client_key_path):
raise ValueError("Could not open the client private key file")
self.client_key_password = client_key_password
self.client_key_type = client_key_type
if self.client_key_type not in OpenSslFileTypeEnum:
raise ValueError("Invalid certificate format specified")
# Try to load the cert and key in OpenSSL; will raise an exception if something is wrong
SslClient(
client_certchain_file=self.client_certificate_chain_path,
client_key_file=self.client_key_path,
client_key_type=self.client_key_type,
client_key_password=self.client_key_password,
)
def test_get_dh_info_ecdh_p256(self):
with ModernOpenSslServer(cipher="ECDHE-RSA-AES256-SHA",
groups="P-256") as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_2,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()
dh_info = ssl_client.get_dh_info()
assert isinstance(dh_info, NistEcDhKeyExchangeInfo)
assert dh_info.key_type == OpenSslEvpPkeyEnum.EC
assert dh_info.key_size == 256
assert dh_info.curve == OpenSslEcNidEnum.PRIME256V1
assert len(dh_info.public_key) == 65
assert len(dh_info.x) == 32
assert len(dh_info.y) == 32
def test_tls_1_3_write_early_data_fail_when_trying_to_send_more_than_max_early_data(self):
# Given a server that supports TLS 1.3 and early data
with ModernOpenSslServer(max_early_data=1) as server:
# That has a previous TLS 1.3 session with the server
session = self._create_tls_1_3_session(server.hostname, server.port)
assert session
# And the server only accepts 1 byte of early data
max_early = session.get_max_early_data()
assert 1 == max_early
# When creating a new connection
sock_early_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_early_data.settimeout(5)
sock_early_data.connect((server.hostname, server.port))
ssl_client_early_data = SslClient(
ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock_early_data,
ssl_verify=OpenSslVerifyEnum.NONE
)
# That re-uses the previous TLS 1.3 session
ssl_client_early_data.set_session(session)
assert OpenSslEarlyDataStatusEnum.NOT_SENT == ssl_client_early_data.get_early_data_status()
# When sending too much early data
# It fails
with pytest.raises(OpenSSLError, match='too much early data'):
ssl_client_early_data.write_early_data(
'GET / HTTP/1.1\r\nData: {}\r\n\r\n'.format('*' * max_early).encode('ascii')
)
ssl_client_early_data.shutdown()
def _init(self, dest='localhost', port=443, timeout=5):
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.settimeout(timeout)
self.socket.connect((dest, port))
self.client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=self.socket,
ssl_verify_locations=u'mozilla.pem')
def test_set_groups_curve_x448(self):
# Given a server that supports a bunch of curves
with ModernOpenSslServer(
cipher="ECDHE-RSA-AES256-SHA",
groups="X25519:prime256v1:X448:secp384r1:secp192k1") as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
# And a client that only supports a specific curve: X448
ssl_client = SslClient(
ssl_version=OpenSslVersionEnum.TLSV1_2,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE,
)
configured_curve = OpenSslEcNidEnum.X448
ssl_client.set_groups([configured_curve])
# When the client connects to the server
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()
# The curve enabled in the client is the one that was used
dh_info = ssl_client.get_ephemeral_key()
assert isinstance(dh_info, EcDhEphemeralKeyInfo)
assert dh_info.curve == configured_curve
assert dh_info.type == OpenSslEvpPkeyEnum.X448
assert dh_info.size == 448
assert len(dh_info.public_bytes) == 56
def __post_init__(self) -> None:
# Try to load the cert and key in OpenSSL; will raise an exception if something is wrong
SslClient(
client_certificate_chain=self.certificate_chain_path,
client_key=self.key_path,
client_key_type=self.key_type,
client_key_password=self.key_password,
)
def setUp(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("www.google.com", 443))
ssl_client = SslClient(sock=sock, ssl_verify=SSL_VERIFY_NONE)
ssl_client.do_handshake()
self.cert = ssl_client.get_peer_certificate()._x509
def get_cipher_list(self, ssl_protocol):
"""Returns list of cipher suites available for protocol version, saves in parameter ssl_protocol.
Args:
ssl_protocol (str):.
"""
ssl_client = SslClient(ssl_version=PROTOCOL_VERSION[ssl_protocol])
ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
return ssl_client.get_cipher_list()
def setUp(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
#sock.connect(('tls13.crypto.mozilla.org', 443))
sock.connect(('tls13.baishancloud.com', 44344))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
self.ssl_client = ssl_client
def process_task(self,
server_connectivity_info,
plugin_command,
options_dict=None):
ssl_version = self.SSL_VERSIONS_MAPPING[plugin_command]
# Get the list of available cipher suites for the given ssl version
ssl_client = SslClient(ssl_version=ssl_version)
ssl_client.set_cipher_list('ALL:COMPLEMENTOFALL')
cipher_list = ssl_client.get_cipher_list()
# Scan for every available cipher suite
thread_pool = ThreadPool()
for cipher in cipher_list:
thread_pool.add_job(
(self._test_cipher_suite, (server_connectivity_info,
ssl_version, cipher)))
# Start processing the jobs; One thread per cipher
thread_pool.start(nb_threads=min(len(cipher_list), self.MAX_THREADS))
accepted_cipher_list = []
rejected_cipher_list = []
errored_cipher_list = []
# Store the results as they come
for completed_job in thread_pool.get_result():
(job, cipher_result) = completed_job
if isinstance(cipher_result, AcceptedCipherSuite):
accepted_cipher_list.append(cipher_result)
elif isinstance(cipher_result, RejectedCipherSuite):
rejected_cipher_list.append(cipher_result)
elif isinstance(cipher_result, ErroredCipherSuite):
errored_cipher_list.append(cipher_result)
else:
raise ValueError('Unexpected result')
# Store thread pool errors; only something completely unexpected would trigger an error
for failed_job in thread_pool.get_error():
(_, exception) = failed_job
raise exception
thread_pool.join()
# Test for the cipher suite preference
preferred_cipher = self._get_preferred_cipher_suite(
server_connectivity_info, ssl_version, accepted_cipher_list)
# Generate the results
plugin_result = OpenSSLCipherSuitesResult(server_connectivity_info,
plugin_command, options_dict,
preferred_cipher,
accepted_cipher_list,
rejected_cipher_list,
errored_cipher_list)
return plugin_result
def setUp(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("login.live.com", 443))
ssl_client = SslClient(sock=sock, ssl_verify=SSL_VERIFY_NONE)
ssl_client.set_tlsext_status_ocsp()
ssl_client.do_handshake()
self.ocsp_response = ssl_client.get_tlsext_status_ocsp_resp(
)._ocsp_response
def setUp(self):
# Requires being online :(
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("www.google.fr", 443))
ssl_client = SslClient(ssl_version=SSLV23,
sock=sock,
ssl_verify=SSL_VERIFY_NONE)
ssl_client.do_handshake()
self.ssl_client = ssl_client
self.cert = ssl_client.get_peer_certificate()
def test(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("www.google.com", 443))
ssl_client = SslClient(sock=sock, ssl_verify=SSL_VERIFY_NONE)
ssl_client.do_handshake()
self.name_entry = ssl_client.get_peer_certificate(
)._x509.get_subject_name_entries()[0]
self.assertIsNotNone(self.name_entry.get_data())
self.assertIsNotNone(self.name_entry.get_object())
def test(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('www.google.com', 443))
sslClient = SslClient(sock=sock, ssl_verify=OpenSslVerifyEnum.NONE)
sslClient.do_handshake()
self.x509ext = sslClient.get_peer_certificate()._x509.get_extensions()[0]
self.assertIsNotNone(self.x509ext.get_data())
self.assertIsNotNone(self.x509ext.get_object())
self.assertIsNotNone(self.x509ext.get_critical())
def get_certificate_chain(host: str, port: int) -> List[str]:
""" Connect to the host on the port and obtain certificate chain.
TODO: Tests against WantReadError and WantX509LookupError needed. """
cert_chain = []
soc = socket(AF_INET, SOCK_STREAM, proto=0)
soc.settimeout(3)
try:
soc.connect((host, port))
except gaierror:
raise Exception(f"{host}:{port} is invalid or not known.") from None
except timeout:
raise Exception(f"Connection to {host}:{port} timed out.") from None
except OverflowError:
raise Exception(f"Illegal port: {port}. Port must be between 0-65535.") from None
except TypeError:
raise Exception(f"Illegal port: {port}. Port must be between 0-65535.") from None
ssl_client = SslClient(
ssl_version=OpenSslVersionEnum.SSLV23,
underlying_socket=soc,
ssl_verify=OpenSslVerifyEnum.NONE
)
# Add Server Name Indication (SNI) extension to the CLIENT HELLO
ssl_client.set_tlsext_host_name(host)
try:
ssl_client.do_handshake()
cert_chain = ssl_client.get_received_chain()
except WantReadError as err:
raise ValueError(err.strerror) from None
except WantX509LookupError as err:
raise ValueError(err.strerror) from None
except OpenSSLError as err:
raise ValueError(err) from None
finally:
ssl_client.shutdown()
soc = None
return cert_chain
def test_sct_parsing(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('sslanalyzer.comodoca.com', 443))
ssl_client = SslClient(underlying_socket=sock, ssl_verify=OpenSslVerifyEnum.NONE)
ssl_client.set_tlsext_status_ocsp()
ssl_client.do_handshake()
ocsp_response = ssl_client.get_tlsext_status_ocsp_resp()
ssl_client.shutdown()
sock.close()
self.assertIsNotNone(ocsp_response.as_dict()['responses'][0]['singleExtensions']['ctCertificateScts'])
def test_tls_1_3(self):
# Given a server that supports TLS 1.3
with ModernOpenSslServer() as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
# When doing the TLS 1.3 handshake, it succeeds
try:
ssl_client.do_handshake()
finally:
ssl_client.shutdown()
def test_hostname_validation(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('www.google.fr', 443))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.SSLV23,
sock=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
ssl_client.do_handshake()
self.ssl_client = ssl_client
self.cert = ssl_client.get_peer_certificate()
self.assertEqual(HostnameValidationResultEnum.NAME_MATCHES_SAN,
self.cert.matches_hostname('www.google.fr'))
self.assertEqual(HostnameValidationResultEnum.NAME_DOES_NOT_MATCH,
self.cert.matches_hostname('www.tests.com'))
def test_client_authentication_tls_1_3(self):
# Given a server that requires client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client provides an invalid client certificate (actually the server cert)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
# When doing the handshake the right error is returned
with pytest.raises(ClientCertificateRequested):
ssl_client.do_handshake()
def test_set_ciphersuites(self):
# Given an SslClient for TLS 1.3
ssl_client = SslClient(
ssl_version=OpenSslVersionEnum.TLSV1_3,
ssl_verify=OpenSslVerifyEnum.NONE,
ignore_client_authentication_requests=True,
)
# With the default list of cipher disabled
ssl_client.set_cipher_list("")
# When setting a specific TLS 1.3 cipher suite as the list of supported ciphers
ssl_client.set_ciphersuites("TLS_CHACHA20_POLY1305_SHA256")
# That one cipher suite is the only one enabled
ciphers = ssl_client.get_cipher_list()
assert ["TLS_CHACHA20_POLY1305_SHA256"] == ciphers
def test(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('www.cloudflare.com', 443))
ssl_client = SslClient(underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
ssl_client.set_tlsext_status_ocsp()
ssl_client.do_handshake()
ocsp_response = ssl_client.get_tlsext_status_ocsp_resp()
ssl_client.shutdown()
self.assertEqual(ocsp_response.status,
OcspResponseStatusEnum.SUCCESSFUL)
# Test as_text()
self.assertIsNotNone(ocsp_response.as_text())
# Test verify with a wrong certificate
test_file = tempfile.NamedTemporaryFile(delete=False, mode='wt')
test_file.write("""-----BEGIN CERTIFICATE-----
MIIDCjCCAnOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCRlIx
DjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQHDAVQYXJpczEWMBQGA1UECgwNRGFzdGFy
ZGx5IEluYzEMMAoGA1UECwwDMTIzMQ8wDQYDVQQDDAZBbCBCYW4xGjAYBgkqhkiG
9w0BCQEWC2xvbEBsb2wuY29tMB4XDTEzMDEyNzAwMDM1OFoXDTE0MDEyNzAwMDM1
OFowgZcxCzAJBgNVBAYTAkZSMQwwCgYDVQQIDAMxMjMxDTALBgNVBAcMBFRlc3Qx
IjAgBgNVBAoMGUludHJvc3B5IFRlc3QgQ2xpZW50IENlcnQxCzAJBgNVBAsMAjEy
MRUwEwYDVQQDDAxBbGJhbiBEaXF1ZXQxIzAhBgkqhkiG9w0BCQEWFG5hYmxhLWMw
ZDNAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlnvP1ltVO
8JDNT3AA99QqtiqCi/7BeEcFDm2al46mv7looz6CmB84osrusNVFsS5ICLbrCmeo
w5sxW7VVveGueBQyWynngl2PmmufA5Mhwq0ZY8CvwV+O7m0hEXxzwbyGa23ai16O
zIiaNlBAb0mC2vwJbsc3MTMovE6dHUgmzQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUYR45okpFsqTYB1wlQQblLH9cRdgwHwYDVR0jBBgwFoAUP0X2HQlaca7D
NBzVbsjsdhzOqUQwDQYJKoZIhvcNAQEFBQADgYEAWEOxpRjvKvTurDXK/sEUw2KY
gmbbGP3tF+fQ/6JS1VdCdtLxxJAHHTW62ugVTlmJZtpsEGlg49BXAEMblLY/K7nm
dWN8oZL+754GaBlJ+wK6/Nz4YcuByJAnN8OeTY4Acxjhks8PrAbZgcf0FdpJaAlk
Pd2eQ9+DkopOz3UGU7c=
-----END CERTIFICATE-----""")
test_file.close()
self.assertRaises(OcspResponseNotTrustedError, ocsp_response.verify,
test_file.name)
# No SCT extension
self.assertFalse('singleExtensions' in ocsp_response.as_dict()
['responses'][0].keys())
def test_tls_1_3_write_early_data_fail_when_used_on_non_reused_session(
self):
# Given a server that supports TLS 1.3 and early data
with ModernOpenSslServer(max_early_data=512) as server:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server.hostname, server.port))
# That does NOT have a previous session with the server
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
# When sending early data
# It fails
with pytest.raises(OpenSSLError, match="you should not call"):
ssl_client.write_early_data(b"EARLY DATA")
ssl_client.shutdown()
def _create_tls_1_3_session(server_host: str,
server_port: int) -> _nassl.SSL_SESSION:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((server_host, server_port))
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
try:
ssl_client.do_handshake()
ssl_client.write(ModernOpenSslServer.HELLO_MSG)
ssl_client.read(2048)
session = ssl_client.get_session()
finally:
ssl_client.shutdown()
return session
def test_tls_1_3_write_early_data_fail_when_used_on_non_reused_session(
self):
# Given a server that supports TLS 1.3
with ModernOpenSslServer() as server:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
sock.settimeout(5)
sock.connect((server.hostname, server.port))
# That does NOT have a previous session with the server
ssl_client = SslClient(ssl_version=OpenSslVersionEnum.TLSV1_3,
underlying_socket=sock,
ssl_verify=OpenSslVerifyEnum.NONE)
# When sending early data
# It fails
self.assertRaisesRegex(OpenSSLError,
'function you should not call',
ssl_client.write_early_data,
b'EARLY DATA')
