cheroot: SSL tests fail with uncaught SSL validation
❓ I’m submitting a …
- 🐞 bug report
- 🐣 feature request
- ❓ question about the decisions made in the repository
🐞 Describe the bug. What is the current behavior? Running tests on macOS, two tests fail:
2 failed
- cheroot/test/test_ssl.py:192 test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl]
- cheroot/test/test_ssl.py:192 test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-pyopenssl]
❓ What is the motivation / use case for changing the behavior?
Tests should pass on master.
💡 To Reproduce
Steps to reproduce the behavior:
- Run
tox -ron macOS
💡 Expected behavior
Tests should pass.
📋 Details
Failures look like:
――――――――――――――――――――――――――――――――――――――――――――――――――――――― test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl] ――――――――――――――――――――――――――――――――――――――――――――――――――――――――
mocker = <pytest_mock.MockFixture object at 0x103995ba8>, tls_http_server = <generator object tls_http_server.<locals>.start_srv at 0x10392c228>, adapter_type = 'pyopenssl'
ca = <trustme.CA object at 0x103995fd0>, tls_certificate = <trustme.LeafCert object at 0x10396bb70>
tls_certificate_chain_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpg0wjfzji.pem'
tls_certificate_private_key_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpii4yp07w.pem'
tls_ca_certificate_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpyv5h7s8l.pem', is_trusted_cert = False, tls_client_identity = 'localhost'
tls_verify_mode = <VerifyMode.CERT_OPTIONAL: 1>
@pytest.mark.parametrize(
'adapter_type',
(
'builtin',
'pyopenssl',
),
)
@pytest.mark.parametrize(
'is_trusted_cert,tls_client_identity',
(
(True, 'localhost'), (True, '127.0.0.1'),
(True, '*.localhost'), (True, 'not_localhost'),
(False, 'localhost'),
),
)
@pytest.mark.parametrize(
'tls_verify_mode',
(
ssl.CERT_NONE, # server shouldn't validate client cert
ssl.CERT_OPTIONAL, # same as CERT_REQUIRED in client mode, don't use
ssl.CERT_REQUIRED, # server should validate if client cert CA is OK
),
)
def test_tls_client_auth(
# FIXME: remove twisted logic, separate tests
mocker,
tls_http_server, adapter_type,
ca,
tls_certificate,
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
tls_ca_certificate_pem_path,
is_trusted_cert, tls_client_identity,
tls_verify_mode,
):
"""Verify that client TLS certificate auth works correctly."""
test_cert_rejection = (
tls_verify_mode != ssl.CERT_NONE
and not is_trusted_cert
)
interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4)
client_cert_root_ca = ca if is_trusted_cert else trustme.CA()
with mocker.mock_module.patch(
'idna.core.ulabel',
return_value=ntob(tls_client_identity),
):
client_cert = client_cert_root_ca.issue_server_cert(
# FIXME: change to issue_cert once new trustme is out
ntou(tls_client_identity),
)
del client_cert_root_ca
with client_cert.private_key_and_cert_chain_pem.tempfile() as cl_pem:
tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
tls_adapter = tls_adapter_cls(
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
)
if adapter_type == 'pyopenssl':
tls_adapter.context = tls_adapter.get_context()
tls_adapter.context.set_verify(
_stdlib_to_openssl_verify[tls_verify_mode],
lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
)
else:
tls_adapter.context.verify_mode = tls_verify_mode
ca.configure_trust(tls_adapter.context)
tls_certificate.configure_cert(tls_adapter.context)
tlshttpserver = tls_http_server.send(
(
(interface, port),
tls_adapter,
),
)
interface, _host, port = _get_conn_data(tlshttpserver.bind_addr)
make_https_request = functools.partial(
requests.get,
'https://' + interface + ':' + str(port) + '/',
# Server TLS certificate verification:
verify=tls_ca_certificate_pem_path,
# Client TLS certificate verification:
cert=cl_pem,
)
if not test_cert_rejection:
resp = make_https_request()
assert resp.status_code == 200
assert resp.text == 'Hello world!'
return
with pytest.raises(requests.exceptions.SSLError) as ssl_err:
> make_https_request()
cheroot/test/test_ssl.py:290:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
.tox/python/lib/python3.7/site-packages/requests/api.py:75: in get
return request('get', url, params=params, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/api.py:60: in request
return session.request(method=method, url=url, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:533: in request
resp = self.send(prep, **send_kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:646: in send
r = adapter.send(request, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/adapters.py:449: in send
timeout=timeout
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:600: in urlopen
chunked=chunked)
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:384: in _make_request
six.raise_from(e, None)
<string>:2: in raise_from
???
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:380: in _make_request
httplib_response = conn.getresponse()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:1321: in getresponse
response.begin()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:296: in begin
version, status, reason = self._read_status()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:257: in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py:589: in readinto
return self._sock.recv_into(b)
.tox/python/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py:294: in recv_into
return self.connection.recv_into(*args, **kwargs)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1822: in recv_into
self._raise_ssl_error(self._ssl, result)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1647: in _raise_ssl_error
_raise_current_error()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
exception_type = <class 'OpenSSL.SSL.Error'>
def exception_from_error_queue(exception_type):
"""
Convert an OpenSSL library failure into a Python exception.
When a call to the native OpenSSL library fails, this is usually signalled
by the return value, and an error code is stored in an error queue
associated with the current thread. The err library provides functions to
obtain these error codes and textual error messages.
"""
errors = []
while True:
error = lib.ERR_get_error()
if error == 0:
break
errors.append((
text(lib.ERR_lib_error_string(error)),
text(lib.ERR_func_error_string(error)),
text(lib.ERR_reason_error_string(error))))
> raise exception_type(errors)
E OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]
.tox/python/lib/python3.7/site-packages/OpenSSL/_util.py:54: Error
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl] ⨯ 84% ████████▍
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-localhost-builtin] ✓ 85% ████████▌
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-localhost-pyopenssl] ✓ 86% ████████▋
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-127.0.0.1-builtin] ✓ 87% ████████▋
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-127.0.0.1-pyopenssl] ✓ 88% ████████▊
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-*.localhost-builtin] ✓ 89% ████████▉
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-*.localhost-pyopenssl] ✓ 90% ████████▉
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-not_localhost-builtin] ✓ 90% █████████▏
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-not_localhost-pyopenssl] ✓ 91% █████████▎
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-builtin] ✓ 92% █████████▎
――――――――――――――――――――――――――――――――――――――――――――――――――――――― test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-pyopenssl] ――――――――――――――――――――――――――――――――――――――――――――――――――――――――
mocker = <pytest_mock.MockFixture object at 0x10395c6d8>, tls_http_server = <generator object tls_http_server.<locals>.start_srv at 0x103a1ae58>, adapter_type = 'pyopenssl'
ca = <trustme.CA object at 0x103ee1160>, tls_certificate = <trustme.LeafCert object at 0x103c2f630>
tls_certificate_chain_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmp78479eyf.pem'
tls_certificate_private_key_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpwdexlrl7.pem'
tls_ca_certificate_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpf3obdeu1.pem', is_trusted_cert = False, tls_client_identity = 'localhost'
tls_verify_mode = <VerifyMode.CERT_REQUIRED: 2>
@pytest.mark.parametrize(
'adapter_type',
(
'builtin',
'pyopenssl',
),
)
@pytest.mark.parametrize(
'is_trusted_cert,tls_client_identity',
(
(True, 'localhost'), (True, '127.0.0.1'),
(True, '*.localhost'), (True, 'not_localhost'),
(False, 'localhost'),
),
)
@pytest.mark.parametrize(
'tls_verify_mode',
(
ssl.CERT_NONE, # server shouldn't validate client cert
ssl.CERT_OPTIONAL, # same as CERT_REQUIRED in client mode, don't use
ssl.CERT_REQUIRED, # server should validate if client cert CA is OK
),
)
def test_tls_client_auth(
# FIXME: remove twisted logic, separate tests
mocker,
tls_http_server, adapter_type,
ca,
tls_certificate,
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
tls_ca_certificate_pem_path,
is_trusted_cert, tls_client_identity,
tls_verify_mode,
):
"""Verify that client TLS certificate auth works correctly."""
test_cert_rejection = (
tls_verify_mode != ssl.CERT_NONE
and not is_trusted_cert
)
interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4)
client_cert_root_ca = ca if is_trusted_cert else trustme.CA()
with mocker.mock_module.patch(
'idna.core.ulabel',
return_value=ntob(tls_client_identity),
):
client_cert = client_cert_root_ca.issue_server_cert(
# FIXME: change to issue_cert once new trustme is out
ntou(tls_client_identity),
)
del client_cert_root_ca
with client_cert.private_key_and_cert_chain_pem.tempfile() as cl_pem:
tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
tls_adapter = tls_adapter_cls(
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
)
if adapter_type == 'pyopenssl':
tls_adapter.context = tls_adapter.get_context()
tls_adapter.context.set_verify(
_stdlib_to_openssl_verify[tls_verify_mode],
lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
)
else:
tls_adapter.context.verify_mode = tls_verify_mode
ca.configure_trust(tls_adapter.context)
tls_certificate.configure_cert(tls_adapter.context)
tlshttpserver = tls_http_server.send(
(
(interface, port),
tls_adapter,
),
)
interface, _host, port = _get_conn_data(tlshttpserver.bind_addr)
make_https_request = functools.partial(
requests.get,
'https://' + interface + ':' + str(port) + '/',
# Server TLS certificate verification:
verify=tls_ca_certificate_pem_path,
# Client TLS certificate verification:
cert=cl_pem,
)
if not test_cert_rejection:
resp = make_https_request()
assert resp.status_code == 200
assert resp.text == 'Hello world!'
return
with pytest.raises(requests.exceptions.SSLError) as ssl_err:
> make_https_request()
cheroot/test/test_ssl.py:290:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
.tox/python/lib/python3.7/site-packages/requests/api.py:75: in get
return request('get', url, params=params, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/api.py:60: in request
return session.request(method=method, url=url, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:533: in request
resp = self.send(prep, **send_kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:646: in send
r = adapter.send(request, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/adapters.py:449: in send
timeout=timeout
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:600: in urlopen
chunked=chunked)
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:384: in _make_request
six.raise_from(e, None)
<string>:2: in raise_from
???
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:380: in _make_request
httplib_response = conn.getresponse()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:1321: in getresponse
response.begin()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:296: in begin
version, status, reason = self._read_status()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:257: in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py:589: in readinto
return self._sock.recv_into(b)
.tox/python/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py:294: in recv_into
return self.connection.recv_into(*args, **kwargs)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1822: in recv_into
self._raise_ssl_error(self._ssl, result)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1647: in _raise_ssl_error
_raise_current_error()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
exception_type = <class 'OpenSSL.SSL.Error'>
def exception_from_error_queue(exception_type):
"""
Convert an OpenSSL library failure into a Python exception.
When a call to the native OpenSSL library fails, this is usually signalled
by the return value, and an error code is stored in an error queue
associated with the current thread. The err library provides functions to
obtain these error codes and textual error messages.
"""
errors = []
while True:
error = lib.ERR_get_error()
if error == 0:
break
errors.append((
text(lib.ERR_lib_error_string(error)),
text(lib.ERR_func_error_string(error)),
text(lib.ERR_reason_error_string(error))))
> raise exception_type(errors)
E OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]
.tox/python/lib/python3.7/site-packages/OpenSSL/_util.py:54: Error
📋 Environment
- Cheroot version: master (e616c254)
- CherryPy version: n/a
- Python version: 3.7.2
- OS: macOS 10.14.3
- Browser: n/a
📋 Additional context
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 25 (24 by maintainers)
Commits related to this issue
- Pin cryptography to <2.5. Temporary workaround for #173. — committed to cherrypy/cheroot by jaraco 5 years ago
- xfail when encountering #173 — committed to cherrypy/cheroot by jaraco 5 years ago
- Merge pull request #175 from cherrypy/bugfix/173-xfail-client-ssl-fails xfail when encountering #173 — committed to cherrypy/cheroot by jaraco 5 years ago
I’ve actually made CI print it a while back: