) CERTS_ROOT = TESTS_ROOT / 'client_certs' CLIENT_CERT = str(CERTS_ROOT / 'client.crt') CLIENT_KEY = str(CERTS_ROOT / 'client.key') CLIENT_PEM = str(CERTS_ROOT / 'client.pem') # We test against a local httpbin instance which uses a self-signed cert. # Requests without --verify=<CA_BUNDLE> will fail with a verification error. # See: https://github.com/kevin1024/pytest-httpbin#https-support CA_BUNDLE = pytest_httpbin.certs.where() @pytest.mark.parametrize('ssl_version', AVAILABLE_SSL_VERSION_ARG_MAPPING.keys()) def test_ssl_version(httpbin_secure, ssl_version): try: r = http( '--ssl', ssl_version, httpbin_secure + '/get' ) assert HTTP_OK in r except ssl_errors as e: if ssl_version == 'ssl3': # pytest-httpbin doesn't support ssl3 pass else: raise
# SSL ####################################################################### ssl = parser.add_argument_group(title='SSL') ssl.add_argument('--verify', default='yes', help=''' Set to "no" (or "false") to skip checking the host's SSL certificate. Defaults to "yes" ("true"). You can also pass the path to a CA_BUNDLE file for private certs. (Or you can set the REQUESTS_CA_BUNDLE environment variable instead.) ''') ssl.add_argument( '--ssl', # TODO: Maybe something more general, such as --secure-protocol? dest='ssl_version', choices=list(sorted(AVAILABLE_SSL_VERSION_ARG_MAPPING.keys())), help=''' The desired protocol version to use. This will default to SSL v2.3 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. Available protocols may vary depending on OpenSSL installation (only the supported ones are shown here). ''') ssl.add_argument('--ciphers', help=f''' A string in the OpenSSL cipher list format. By default, the following is used: {DEFAULT_SSL_CIPHERS}