Merge pull request #76 from kyle-m/master
Provide debugging information when upstream server certificate fails validation
db6576ca6f
@ -412,14 +412,13 @@ class _Connection(object):
|
|||
if options is not None:
|
||||
context.set_options(options)
|
||||
|
||||
# Verify Options (NONE/PEER/PEER|FAIL_IF_... and trusted CAs)
|
||||
if verify_options is not None and verify_options is not SSL.VERIFY_NONE:
|
||||
def verify_cert(conn_, cert_, errno, err_depth, is_cert_verified):
|
||||
if is_cert_verified:
|
||||
return True
|
||||
raise NetLibError(
|
||||
"Upstream certificate validation failed at depth: %s with error number: %s" %
|
||||
(err_depth, errno))
|
||||
# Verify Options (NONE/PEER and trusted CAs)
|
||||
if verify_options is not None:
|
||||
def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
|
||||
if not is_cert_verified:
|
||||
self.ssl_verification_error = dict(errno=errno,
|
||||
depth=err_depth)
|
||||
return is_cert_verified
|
||||
|
||||
context.set_verify(verify_options, verify_cert)
|
||||
context.load_verify_locations(ca_pemfile, ca_path)
|
||||
|
@ -480,6 +479,7 @@ class TCPClient(_Connection):
|
|||
self.connection, self.rfile, self.wfile = None, None, None
|
||||
self.cert = None
|
||||
self.ssl_established = False
|
||||
self.ssl_verification_error = None
|
||||
self.sni = None
|
||||
|
||||
def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):
|
||||
|
@ -578,7 +578,8 @@ class BaseHandler(_Connection):
|
|||
dhparams=None,
|
||||
**sslctx_kwargs):
|
||||
"""
|
||||
cert: A certutils.SSLCert object.
|
||||
cert: A certutils.SSLCert object or the path to a certificate
|
||||
chain file.
|
||||
|
||||
handle_sni: SNI handler, should take a connection object. Server
|
||||
name can be retrieved like this:
|
||||
|
@ -605,7 +606,10 @@ class BaseHandler(_Connection):
|
|||
context = self._create_ssl_context(**sslctx_kwargs)
|
||||
|
||||
context.use_privatekey(key)
|
||||
context.use_certificate(cert.x509)
|
||||
if isinstance(cert, certutils.SSLCert):
|
||||
context.use_certificate(cert.x509)
|
||||
else:
|
||||
context.use_certificate_chain_file(cert)
|
||||
|
||||
if handle_sni:
|
||||
# SNI callback happens during do_handshake()
|
||||
|
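Review bot: `self.ssl_verification_error` is assigned by the verify callback inside `_Connection`'s context setup (the 412 hunk) but, on this page, is initialised only in `TCPClient.__init__` (the 480 hunk); if `BaseHandler` builds its context through the same path with `verify_options` set for client-certificate checks, a handshake that verifies cleanly leaves the attribute undefined and a later `is None` check raises AttributeError, so the default belongs in `_Connection` next to `ssl_established`, or the callback should be documented as client-only. Since the callback already receives the offending `x509`, the recorded dict would serve the debugging this PR is after much better if it also kept the subject, e.g. `self.ssl_verification_error = dict(errno=errno, depth=err_depth, subject=x509.get_subject().get_components())`. Per OpenSSL's `SSL_CTX_set_verify` semantics, returning `is_cert_verified` (0 on failure) stops chain verification at the first failing certificate, so only one error is ever recorded even under `VERIFY_NONE`; a one-line comment on the callback saying so, and that `errno` is a raw `X509_V_ERR_*` code, would save the next reader a trip to `x509_vfy.h`. The enclosing method (presumably `_create_ssl_context`) starts before and ends after the hunk.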
|
|
@ -1,15 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICRTCCAa4CCQD/j4qq1h3iCjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJV
|
||||
UzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCFNvbWVDaXR5MRcwFQYDVQQKEw5Ob3RU
|
||||
aGVSaWdodE9yZzELMAkGA1UECxMCTkExEjAQBgNVBAMTCU5vdFNlcnZlcjAeFw0x
|
||||
NTA2MTMwMTE2MDZaFw0yNTA2MTAwMTE2MDZaMGcxCzAJBgNVBAYTAlVTMQswCQYD
|
||||
VQQIEwJDQTERMA8GA1UEBxMIU29tZUNpdHkxFzAVBgNVBAoTDk5vdFRoZVJpZ2h0
|
||||
T3JnMQswCQYDVQQLEwJOQTESMBAGA1UEAxMJTm90U2VydmVyMIGfMA0GCSqGSIb3
|
||||
DQEBAQUAA4GNADCBiQKBgQDPkJlXAOCMKF0R7aDn5QJ7HtrJgOUDk/LpbhKhRZZR
|
||||
dRGnJ4/HQxYYHh9k/4yZamYcvQPUxvFJt7UJUocf+84LUcIusUk7GvJMgsMVtFMq
|
||||
7UKNXBN5tl3oOtoFDWGMZ8ksaIxS6oW3V/9v2WgU23PfvwE0EZqy+QhMLZZP5GOH
|
||||
RwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJI6UtMKdCS2ghjqhAek2W1rt9u+Wuvx
|
||||
776WYm5VyrJEtBDc/axLh0OteXzy/A31JrYe15fnVWIeFbDF0Ief9/Ezv6Jn+Pk8
|
||||
DErw5IHk2B399O4K3L3Eig06piu7uf3vE4l8ZanY02ZEnw7DyL6kmG9lX98VGenF
|
||||
uXPfu3yxKbR4
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1 @@
|
|||
trusted.pem
|
|
@ -0,0 +1 @@
|
|||
trusted.pem
|
|
@ -0,0 +1,16 @@
|
|||
# Key used to sign trusted-interm.crt and untrusted-interm.crt
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTWLuDjULS9
|
||||
WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0KptRByMZ+GN
|
||||
Zcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCRTwIDAQAB
|
||||
AoGAfKHocKnrzEmXuSSy7meI+vfF9kfA1ndxUSg3S+dwK0uQ1mTSQhI1ZIo2bnlo
|
||||
uU6/e0Lxm0KLJ2wZGjoifjSNTC8pcxIfAQY4kM9fqoUcXVSBVSS2kByTunhNSVZQ
|
||||
yQyc+UTq9g1zBnJsZAltn7/PaihU4heWgP/++lposuShqmECQQDaG+7l0qul1xak
|
||||
9kuZgc88BSTfn9iMK2zIQRcVKuidK4dT3QEp0wmWR5Ue8jq8lvTmVTGNGZbHcheh
|
||||
KhoZfLgLAkEA1IjwAw/8z02yV3lbc2QUjIl9m9lvjHBoE2sGuSfq/cZskLKrGat+
|
||||
CVj3spqVAg22tpQwVBuHiipBziWVnEtiTQJAB9FKfchQSLBt6lm9mfHyKJeSm8VR
|
||||
8Kw5yO+0URjpn4CI6DOasBIVXOKR8LsD6fCLNJpHHWSWZ+2p9SfaKaGzwwJBAM31
|
||||
Scld89qca4fzNZkT0goCrvOZeUy6HVE79Q72zPVSFSD/02kT1BaQ3bB5to5/5aD2
|
||||
6AKJjwZoPs7bgykrsD0CQBzU8U/8x2dNQnG0QeqaKQu5kKhZSZ9bsawvrCkxSl6b
|
||||
WAjl/Jehi5bbQ07zQo3cge6qeR38FCWVCHQ/5wNbc54=
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,35 @@
|
|||
# untrusted.crt, signed by trusted-interm.crt
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
|
||||
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
|
||||
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
|
||||
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
|
||||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
|
||||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
|
||||
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
|
||||
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
|
||||
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
|
||||
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
|
||||
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
|
||||
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
|
||||
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
|
||||
-----END CERTIFICATE-----
|
||||
# trusted-interm.crt, signed by trusted.pem
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC8jCCAlugAwIBAgICEAcwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQVUx
|
||||
EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
|
||||
UHR5IEx0ZDEQMA4GA1UEAxMHVFJVU1RFRDAgFw0xNTA2MjAwMTE4MjdaGA8yMTE1
|
||||
MDUyNzAxMTgyN1owfjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
|
||||
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UECxMLSU5U
|
||||
RVJNIFVOSVQxITAfBgNVBAMTGE9SRyBXSVRIIElOVEVSTUVESUFURSBDQTCBnzAN
|
||||
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtRPNKgh4WdYGmU2Ae6Tf2Mbd3oaRI/uY
|
||||
Qm6aKeYk1i7g41C0vVowNcD/qdNpGUNnai/Kak9anHOYyppNo7zHgf3EO8zQ4NTQ
|
||||
pkDKsdCqbUQcjGfhjWXKnOw+I5er4Rj+MwM1f5cbwb8bYHiSPmXaxzdL0/SNXGAA
|
||||
ys/UswgwkU8CAwEAAaOBozCBoDAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTPkPQW
|
||||
DAPOIy8mipuEsZcP1694EDBxBgNVHSMEajBooVukWTBXMQswCQYDVQQGEwJBVTET
|
||||
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
|
||||
dHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEggkAqNQXaKXXTf0wDQYJKoZIhvcNAQEF
|
||||
BQADgYEApaPbwonY8l+zSxlY2Fw4WNKfl5nwcTW4fuv/0tZLzvsS6P4hTXxbYJNa
|
||||
k3hQ1qlrr8DiWJewF85hYvEI2F/7eqS5dhhPTEUFPpsjhbgiqnASvW+WKQIgoY2r
|
||||
aHgOXi7RNFtTcCgk0UZISWOY7ORLy8Xu6vKrLRjDhyfIbGlqnAs=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,19 @@
|
|||
# trusted-interm.crt, signed by trusted.pem
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC8jCCAlugAwIBAgICEAcwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQVUx
|
||||
EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
|
||||
UHR5IEx0ZDEQMA4GA1UEAxMHVFJVU1RFRDAgFw0xNTA2MjAwMTE4MjdaGA8yMTE1
|
||||
MDUyNzAxMTgyN1owfjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
|
||||
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UECxMLSU5U
|
||||
RVJNIFVOSVQxITAfBgNVBAMTGE9SRyBXSVRIIElOVEVSTUVESUFURSBDQTCBnzAN
|
||||
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtRPNKgh4WdYGmU2Ae6Tf2Mbd3oaRI/uY
|
||||
Qm6aKeYk1i7g41C0vVowNcD/qdNpGUNnai/Kak9anHOYyppNo7zHgf3EO8zQ4NTQ
|
||||
pkDKsdCqbUQcjGfhjWXKnOw+I5er4Rj+MwM1f5cbwb8bYHiSPmXaxzdL0/SNXGAA
|
||||
ys/UswgwkU8CAwEAAaOBozCBoDAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTPkPQW
|
||||
DAPOIy8mipuEsZcP1694EDBxBgNVHSMEajBooVukWTBXMQswCQYDVQQGEwJBVTET
|
||||
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
|
||||
dHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEggkAqNQXaKXXTf0wDQYJKoZIhvcNAQEF
|
||||
BQADgYEApaPbwonY8l+zSxlY2Fw4WNKfl5nwcTW4fuv/0tZLzvsS6P4hTXxbYJNa
|
||||
k3hQ1qlrr8DiWJewF85hYvEI2F/7eqS5dhhPTEUFPpsjhbgiqnASvW+WKQIgoY2r
|
||||
aHgOXi7RNFtTcCgk0UZISWOY7ORLy8Xu6vKrLRjDhyfIbGlqnAs=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,15 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQC00Jf3KrBAmLQWl+Dz8Qrig8ActB94kv0/Lu03P/2DwOR8kH2h
|
||||
3w4OC3b3CFKX31h7hm/H1PPHq7cIX6IRfwrYCtBE77UbxklSlrwn06j6YSotz0/d
|
||||
wLEQEFDXWITJq7AyntaiafDHazbbXESNm/+I/YEl2wKemEHE//qWbeM9kwIDAQAB
|
||||
AoGAVs2FBs1hi8FDQ01qWvGuzgt94MnACfxWw0xd6RY5OFUT25DqHxmb/7YVSIag
|
||||
T/SS38osQ3zCA2s2FTkD7u5UX5AzJyqYJwmJhe6ZmaVly6IpebMxkX5w/hy15/N4
|
||||
uy+kzdtEBUUTNLL3DM7THkDYUxmeDzCBrHsMvYUqFgsBLOECQQDeNc1pDC++ovg5
|
||||
d9sKqMnEykBfvuvR6ra/343tYxy9zNFBvYjU3BA83MITIbEa/KtlSkIppz/K/jk5
|
||||
IRwSrwsJAkEA0E9aZfjDZbC9Z4oL7T8gtj2ftSh2g37KE5AWW2OxMJwrzoJ/6wjB
|
||||
nG26ATlHEFP9bRzL2O1iovFLalqEjQo+uwJAMjtZXvjZRjATCvK0Onmjeu/5k2tW
|
||||
ZdK4UzGXJOW11pYZa9ILv4qrxQZmfOqt3Zrmp/QcdswPGLVVfDum2/Zj+QJABJO5
|
||||
yMPOh0162+uMl4nrjhWMjM52zCzdA9EGrLtkCU1lKQR1CxUGLAm9LIm1pgYya1NW
|
||||
p02P/USQA6Y5g1/WQQJBAIwl42Bebgaxl7dUbQX/vF+TryoCkM3B3eSM+P4XKB4f
|
||||
kKSkNxvp59uq+b40gkoqEowhdq97y+pmrCxJHK43NJM=
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,15 @@
|
|||
# Self signed
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICJzCCAZACCQCo1BdopddN/TANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJB
|
||||
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
|
||||
cyBQdHkgTHRkMRAwDgYDVQQDEwdUUlVTVEVEMCAXDTE1MDYxOTE4MDEzMVoYDzIx
|
||||
MTUwNTI2MTgwMTMxWjBXMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0
|
||||
ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQDEwdU
|
||||
UlVTVEVEMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC00Jf3KrBAmLQWl+Dz
|
||||
8Qrig8ActB94kv0/Lu03P/2DwOR8kH2h3w4OC3b3CFKX31h7hm/H1PPHq7cIX6IR
|
||||
fwrYCtBE77UbxklSlrwn06j6YSotz0/dwLEQEFDXWITJq7AyntaiafDHazbbXESN
|
||||
m/+I/YEl2wKemEHE//qWbeM9kwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAF0NREP3
|
||||
X+fTebzJGttzrFkDhGVFKRNyLXblXRVanlGOYF+q8grgZY2ufC/55gqf+ub6FRT5
|
||||
gKPhL4V2rqL8UAvCE7jq8ujpVfTB8kRAKC675W2DBZk2EJX9mjlr89t7qXGsI5nF
|
||||
onpfJ1UtiJshNoV7h/NFHeoag91kx628807n
|
||||
-----END CERTIFICATE-----
|
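Review bot: The fixture chain is signed with sha1WithRSAEncryption over 1024-bit RSA keys (the `MA0GCSqGSIb3DQEBBQUA` signature-algorithm prefix and the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` SubjectPublicKeyInfo prefix in each certificate decode to those), which OpenSSL builds enforcing a security level reject (level 2 forbids RSA under 2048 bits; OpenSSL 3 rejects SHA-1 certificate signatures at its default level); on such a build the "should pass" tests fail and the "should fail" tests fail with a different error code, so regenerating the fixtures with 2048-bit keys and SHA-256 keeps the tests exercising chain trust rather than algorithm policy. A header comment in this file recording the `openssl` invocations used to build trusted.pem, trusted-interm.crt and the leaf would make that regeneration a copy-paste job. Committing test-only private keys is acceptable, but the `# Key used ...` comment lines in the .key files should also state that the material is throwaway test data so a secret scanner or reviewer does not treat it as a leak.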
|
@ -0,0 +1,33 @@
|
|||
# untrusted.crt, signed by trusted-interm.crt
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
|
||||
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
|
||||
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
|
||||
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
|
||||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
|
||||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
|
||||
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
|
||||
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
|
||||
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
|
||||
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
|
||||
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
|
||||
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
|
||||
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
|
||||
-----END CERTIFICATE-----
|
||||
# untrusted-interm.crt, self-signed
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICdTCCAd4CCQDRSKOnIMbTgDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJB
|
||||
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
|
||||
cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5JVDEhMB8GA1UEAxMYT1JHIFdJ
|
||||
VEggSU5URVJNRURJQVRFIENBMCAXDTE1MDYyMDAxMzY0M1oYDzIxMTUwNTI3MDEz
|
||||
NjQzWjB+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE
|
||||
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5J
|
||||
VDEhMB8GA1UEAxMYT1JHIFdJVEggSU5URVJNRURJQVRFIENBMIGfMA0GCSqGSIb3
|
||||
DQEBAQUAA4GNADCBiQKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTW
|
||||
LuDjULS9WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0Kpt
|
||||
RByMZ+GNZcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCR
|
||||
TwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGbObAMEajCz4kj7OP2/DB5SRy2+H/G3
|
||||
8Qvc43xlMMNQyYxsDuLOFL0UMRzoKgntrrm2nni8jND+tuMt+hv3ZlBcJlYJ6ynR
|
||||
sC1ITTC/1SwwwO0AFIyduUEIJYr/B3sgcVYPLcEfeDZgmEQc9Tnc01aEu3lx2+l9
|
||||
0JTSPL2L9LdA
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,17 @@
|
|||
# untrusted-interm.crt, self-signed
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICdTCCAd4CCQDRSKOnIMbTgDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJB
|
||||
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
|
||||
cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5JVDEhMB8GA1UEAxMYT1JHIFdJ
|
||||
VEggSU5URVJNRURJQVRFIENBMCAXDTE1MDYyMDAxMzY0M1oYDzIxMTUwNTI3MDEz
|
||||
NjQzWjB+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UE
|
||||
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRQwEgYDVQQLEwtJTlRFUk0gVU5J
|
||||
VDEhMB8GA1UEAxMYT1JHIFdJVEggSU5URVJNRURJQVRFIENBMIGfMA0GCSqGSIb3
|
||||
DQEBAQUAA4GNADCBiQKBgQC1E80qCHhZ1gaZTYB7pN/Yxt3ehpEj+5hCbpop5iTW
|
||||
LuDjULS9WjA1wP+p02kZQ2dqL8pqT1qcc5jKmk2jvMeB/cQ7zNDg1NCmQMqx0Kpt
|
||||
RByMZ+GNZcqc7D4jl6vhGP4zAzV/lxvBvxtgeJI+ZdrHN0vT9I1cYADKz9SzCDCR
|
||||
TwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGbObAMEajCz4kj7OP2/DB5SRy2+H/G3
|
||||
8Qvc43xlMMNQyYxsDuLOFL0UMRzoKgntrrm2nni8jND+tuMt+hv3ZlBcJlYJ6ynR
|
||||
sC1ITTC/1SwwwO0AFIyduUEIJYr/B3sgcVYPLcEfeDZgmEQc9Tnc01aEu3lx2+l9
|
||||
0JTSPL2L9LdA
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,16 @@
|
|||
# untrusted.crt, signed by trusted-interm.crt
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICYzCCAcwCAhAIMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAkFVMRMwEQYD
|
||||
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
|
||||
dGQxFDASBgNVBAsTC0lOVEVSTSBVTklUMSEwHwYDVQQDExhPUkcgV0lUSCBJTlRF
|
||||
Uk1FRElBVEUgQ0EwIBcNMTUwNjIwMDEyMDI1WhgPMjExNTA1MjcwMTIwMjVaMHMx
|
||||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRl
|
||||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAsTCUxFQUYgVU5JVDEYMBYGA1UE
|
||||
AxMPTk9UIFRSVVNURUQgT1JHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf
|
||||
NZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cHsWB+vIdFuDKHxfS2
|
||||
JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZIbcTz8A+BwAcvmmQN
|
||||
7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQABMA0GCSqGSIb3DQEB
|
||||
BQUAA4GBABtmc8zn5efVi3iVIgODadKkTv43elIwNZBqEJ6IaoVXvi5Mp1m4VxML
|
||||
LQGPTNG1lpuVDz2z/Ml78942316ailCTOx48oDnb/yy4jI6hsp+N8p6T28/Wvkbm
|
||||
cCgohk6/Cwat5gf+HwoIe5Z3B3HRJaIcB0OteluuLsHAvverBjc4
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,16 @@
|
|||
# Key used for untrusted.crt, untrusted-chain.crt and trusted-chain.crt
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXQIBAAKBgQDfNZx/tugICrWGcpP8sa+EBX9WhazCsYIm8YgQrQO9B19dK7cH
|
||||
sWB+vIdFuDKHxfS2JBIeVSaZ6H4onWGnZRAMpi5xnitVhBQKCZP1yOewtrg2umZI
|
||||
bcTz8A+BwAcvmmQN7RZMfpxN9PMccWDfgtAXsjZ2E47o9EfhpGvxfcFc0wIDAQAB
|
||||
AoGAE4B9ofL7Jui4n3yXTXbA3QoV7BtV0tTriDeGKd7T+soQHPXa0gM/aRNTxlWn
|
||||
pJE5JkjUhG3wJ3ZWv3mwtI1x718y0yL9uEgQJYsrNN+VJQwbGxXPio5SaG39gs+y
|
||||
/8xklytMIgvuCXxmcfljemW9+PGT8otYlHeIU3wvHQennDECQQD2vWAEU9k02R9w
|
||||
EkCM7mZEaW+WwrzyAD1NqatsVWErbNeXFPcHwU6y+DiDg2s5iEk89+xN2rX5mW2S
|
||||
PF/2RpaNAkEA55YpZN5nN4P8yCYNz5mWN0kuSPytSgJ3fQY3BY2GkdIft/KcAuDV
|
||||
1pf6jxubwP4vlamnZpqLfylbGdlRBoMY3wJBALQVE3cVG3qO3XsWVzaE6O8VZPRL
|
||||
vUuDETsVkp/G0Ny428DQ9FscoyvMLrMNv7yF065D5JwN/LLnYClTF1bPviECQQCo
|
||||
1BavO1eh6C3DN8K/wmb5PPdqLBKkrrGvSnWYLbmZ2sZW0p4blw8tVzRJWcYtZuEH
|
||||
yVuJeEcT1/FbIcto5O+fAkASbZXZka3nm41wWNYg479Sl8I+qvtScfJgpyByYhCx
|
||||
QaUAtZ791U+WNNHLqfZhSzP9lFZNRI0WNBSAy3SBR2Ur
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -183,52 +183,115 @@ class TestSSLv3Only(tservers.ServerTestBase):
|
|||
tutils.raises(tcp.NetLibError, c.convert_to_ssl, sni="foo.com")
|
||||
|
||||
|
||||
class TestSSLUpstreamCertVerification(tservers.ServerTestBase):
|
||||
class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
|
||||
handler = EchoHandler
|
||||
|
||||
ssl = dict(
|
||||
cert=tutils.test_data.path("data/server.crt")
|
||||
)
|
||||
cert=tutils.test_data.path("data/verificationcerts/untrusted.crt"),
|
||||
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
|
||||
|
||||
def test_mode_default(self):
|
||||
def test_mode_default_should_pass(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
c.convert_to_ssl()
|
||||
|
||||
# Verification errors should be saved even if connection isn't aborted
|
||||
# aborted
|
||||
assert c.ssl_verification_error is not None
|
||||
|
||||
testval = "echo!\n"
|
||||
c.wfile.write(testval)
|
||||
c.wfile.flush()
|
||||
assert c.rfile.readline() == testval
|
||||
|
||||
def test_mode_none(self):
|
||||
def test_mode_none_should_pass(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
c.convert_to_ssl(verify_options=SSL.VERIFY_NONE)
|
||||
|
||||
# Verification errors should be saved even if connection isn't aborted
|
||||
assert c.ssl_verification_error is not None
|
||||
|
||||
testval = "echo!\n"
|
||||
c.wfile.write(testval)
|
||||
c.wfile.flush()
|
||||
assert c.rfile.readline() == testval
|
||||
|
||||
def test_mode_strict_w_bad_cert(self):
|
||||
def test_mode_strict_should_fail(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
tutils.raises(
|
||||
tcp.NetLibError,
|
||||
c.convert_to_ssl,
|
||||
verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
|
||||
ca_pemfile=tutils.test_data.path("data/not-server.crt"))
|
||||
verify_options=SSL.VERIFY_PEER,
|
||||
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
|
||||
|
||||
def test_mode_strict_w_cert(self):
|
||||
assert c.ssl_verification_error is not None
|
||||
|
||||
# Unknown issuing certificate authority for first certificate
|
||||
assert c.ssl_verification_error['errno'] == 20
|
||||
assert c.ssl_verification_error['depth'] == 0
|
||||
|
||||
|
||||
class TestSSLUpstreamCertVerificationWBadCertChain(tservers.ServerTestBase):
|
||||
handler = EchoHandler
|
||||
|
||||
ssl = dict(
|
||||
cert=tutils.test_data.path("data/verificationcerts/untrusted-chain.crt"),
|
||||
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
|
||||
|
||||
def test_mode_strict_should_fail(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
tutils.raises(
|
||||
"certificate verify failed",
|
||||
c.convert_to_ssl,
|
||||
verify_options=SSL.VERIFY_PEER,
|
||||
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
|
||||
|
||||
assert c.ssl_verification_error is not None
|
||||
|
||||
# Untrusted self-signed certificate at second position in certificate
|
||||
# chain
|
||||
assert c.ssl_verification_error['errno'] == 19
|
||||
assert c.ssl_verification_error['depth'] == 1
|
||||
|
||||
|
||||
class TestSSLUpstreamCertVerificationWValidCertChain(tservers.ServerTestBase):
|
||||
handler = EchoHandler
|
||||
|
||||
ssl = dict(
|
||||
cert=tutils.test_data.path("data/verificationcerts/trusted-chain.crt"),
|
||||
key=tutils.test_data.path("data/verificationcerts/verification-server.key"))
|
||||
|
||||
def test_mode_strict_w_pemfile_should_pass(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
c.convert_to_ssl(
|
||||
verify_options=SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
|
||||
ca_pemfile=tutils.test_data.path("data/server.crt"))
|
||||
verify_options=SSL.VERIFY_PEER,
|
||||
ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))
|
||||
|
||||
assert c.ssl_verification_error is None
|
||||
|
||||
testval = "echo!\n"
|
||||
c.wfile.write(testval)
|
||||
c.wfile.flush()
|
||||
assert c.rfile.readline() == testval
|
||||
|
||||
def test_mode_strict_w_cadir_should_pass(self):
|
||||
c = tcp.TCPClient(("127.0.0.1", self.port))
|
||||
c.connect()
|
||||
|
||||
c.convert_to_ssl(
|
||||
verify_options=SSL.VERIFY_PEER,
|
||||
ca_path=tutils.test_data.path("data/verificationcerts/"))
|
||||
|
||||
assert c.ssl_verification_error is None
|
||||
|
||||
testval = "echo!\n"
|
||||
c.wfile.write(testval)
|
||||
|
@ -457,6 +520,7 @@ class TestALPNClient(tservers.ServerTestBase):
|
|||
assert c.get_alpn_proto_negotiated() == ""
|
||||
assert c.rfile.readline() == "NONE"
|
||||
|
||||
|
||||
class TestNoSSLNoALPNClient(tservers.ServerTestBase):
|
||||
handler = ALPNHandler
|
||||
|
||||
|
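Review bot: The bare `20` and `19` asserted as `ssl_verification_error['errno']` in the two strict-mode `should_fail` tests are raw OpenSSL `X509_V_ERR_*` codes a reader cannot check without `x509_vfy.h`; naming them once at module level, `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20` and `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19`, and asserting against those names keeps the intent visible. `test_mode_strict_w_cadir_should_pass` points `ca_path` at a directory that also holds `untrusted-interm.crt` and `untrusted.crt`; presumably only the hash-named entries (the two one-line files whose content is `trusted.pem`) are consulted by OpenSSL's directory lookup, and a comment saying so, plus a note that those hash names depend on the OpenSSL subject-hash version they were generated with, would stop someone "fixing" the test by loading the whole directory. `test_mode_default_should_pass` and `test_mode_none_should_pass` have identical bodies; a shared helper taking the `convert_to_ssl` kwargs would leave the difference between the two modes as the only thing to read.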
|
|
@ -72,10 +72,9 @@ class TServer(tcp.TCPServer):
|
|||
h = self.handler_klass(request, client_address, self)
|
||||
self.last_handler = h
|
||||
if self.ssl is not None:
|
||||
raw_cert = self.ssl.get(
|
||||
cert = self.ssl.get(
|
||||
"cert",
|
||||
tutils.test_data.path("data/server.crt"))
|
||||
cert = certutils.SSLCert.from_pem(open(raw_cert, "rb").read())
|
||||
raw_key = self.ssl.get(
|
||||
"key",
|
||||
tutils.test_data.path("data/server.key"))
|
||||
|
|