twisted.test.test_sslverify.OpenSSLOptionsTests(OpenSSLOptionsTestsMixin, unittest.TestCase) class documentationtwisted.test.test_sslverify
(View In Hierarchy)
Tests for sslverify.OpenSSLOptions.
| Method | setUp | Same as OpenSSLOptionsTestsMixin.setUp,
but it also patches sslverify._ChooseDiffieHellmanEllipticCurve. |
| Method | test_constructorWithOnlyPrivateKey | privateKey and certificate make only sense if
both are set. |
| Method | test_constructorWithOnlyCertificate | privateKey and certificate make only sense if
both are set. |
| Method | test_constructorWithCertificateAndPrivateKey | Specifying privateKey and certificate
initializes correctly. |
| Method | test_constructorDoesNotAllowVerifyWithoutCACerts | verify must not be True without specifying
caCerts. |
| Method | test_constructorDoesNotAllowLegacyWithTrustRoot | verify, requireCertificate, and
caCerts must not be specified by the caller (to be any
value, even the default!) when specifying trustRoot. |
| Method | test_constructorAllowsCACertsWithoutVerify | It's currently a NOP, but valid. |
| Method | test_constructorWithVerifyAndCACerts | Specifying verify and caCerts initializes
correctly. |
| Method | test_constructorSetsExtraChain | Setting extraCertChain works if certificate
and privateKey are set along with it. |
| Method | test_constructorDoesNotAllowExtraChainWithoutPrivateKey | A extraCertChain without privateKey doesn't
make sense and is thus rejected. |
| Method | test_constructorDoesNotAllowExtraChainWithOutPrivateKey | A extraCertChain without certificate doesn't
make sense and is thus rejected. |
| Method | test_extraChainFilesAreAddedIfSupplied | If extraCertChain is set and all prerequisites are met, the
specified chain certificates are added to Contexts that get
created. |
| Method | test_extraChainDoesNotBreakPyOpenSSL | extraCertChain doesn't break
OpenSSL.SSL.Context creation. |
| Method | test_acceptableCiphersAreAlwaysSet | If the user doesn't supply custom acceptable ciphers, a shipped secure default is used. We can't check directly for it because the effective cipher string we set varies with platforms. |
| Method | test_givesMeaningfulErrorMessageIfNoCipherMatches | If there is no valid cipher that matches the user's wishes, a ValueError
is raised. |
| Method | test_honorsAcceptableCiphersArgument | If acceptable ciphers are passed, they are used. |
| Method | test_basicSecurityOptionsAreSet | Every context must have OP_NO_SSLv2,
OP_NO_COMPRESSION, and
OP_CIPHER_SERVER_PREFERENCE set. |
| Method | test_modeIsSet | Every context must be in MODE_RELEASE_BUFFERS mode. |
| Method | test_singleUseKeys | If singleUseKeys is set, every context must have
OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE set. |
| Method | test_methodIsDeprecated | Passing method to sslverify.OpenSSLCertificateOptions
is deprecated. |
| Method | test_tlsv1ByDefault | sslverify.OpenSSLCertificateOptions
will make the default minimum TLS version v1.0, if no method,
or insecurelyLowerMinimumTo is given. |
| Method | test_tlsProtocolsAtLeastWithMinimum | Passing insecurelyLowerMinimumTo along with
raiseMinimumTo to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception. |
| Method | test_tlsProtocolsNoMethodWithAtLeast | Passing raiseMinimumTo along with method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception. |
| Method | test_tlsProtocolsNoMethodWithMinimum | Passing insecurelyLowerMinimumTo along with
method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception. |
| Method | test_tlsProtocolsNoMethodWithMaximum | Passing lowerMaximumSecurityTo along with
method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception. |
| Method | test_tlsVersionRangeInOrder | Passing out of order TLS versions to
insecurelyLowerMinimumTo and
lowerMaximumSecurityTo will cause it to raise an
exception. |
| Method | test_tlsVersionRangeInOrderAtLeast | Passing out of order TLS versions to raiseMinimumTo and
lowerMaximumSecurityTo will cause it to raise an
exception. |
| Method | test_tlsProtocolsreduceToMaxWithoutMin | No summary |
| Method | test_tlsProtocolsSSLv3Only | When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to SSLv3, it will exclude all
others. |
| Method | test_tlsProtocolsTLSv1Point0Only | When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.0, it will exclude all
others. |
| Method | test_tlsProtocolsTLSv1Point1Only | When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.1, it will exclude all
others. |
| Method | test_tlsProtocolsTLSv1Point2Only | When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.2, it will exclude all
others. |
| Method | test_tlsProtocolsAllModernTLS | No summary |
| Method | test_tlsProtocolsAtLeastAllSecureTLS | When calling sslverify.OpenSSLCertificateOptions
with raiseMinimumTo set to TLSv1.2, it will ignore all TLSs
below 1.2 and SSL. |
| Method | test_tlsProtocolsAtLeastWillAcceptHigherDefault | When calling sslverify.OpenSSLCertificateOptions
with raiseMinimumTo set to a value lower than Twisted's
default will cause it to use the more secure default. |
| Method | test_tlsProtocolsAllSecureTLS | When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo set to TLSv1.2, it will ignore
all TLSs below 1.2 and SSL. |
| Method | test_dhParams | If dhParams is set, they are loaded into each new
context. |
| Method | test_abbreviatingDistinguishedNames | Check that abbreviations used in certificates correctly map to complete names. |
| Method | testInspectDistinguishedName | Undocumented |
| Method | testInspectDistinguishedNameWithoutAllFields | Undocumented |
| Method | test_inspectCertificate | Test that the inspect method of sslverify.Certificate
returns a human-readable string containing some basic information about the
certificate. |
| Method | test_publicKeyMatching | PublicKey.matches
returns True
for keys from certificates with the same key, and False
for keys from certificates with different keys. |
| Method | test_certificateOptionsSerialization | Test that __setstate__(__getstate__()) round-trips properly. |
| Method | test_certificateOptionsSessionTickets | Enabling session tickets should not set the OP_NO_TICKET option. |
| Method | test_certificateOptionsSessionTicketsDisabled | Enabling session tickets should set the OP_NO_TICKET option. |
| Method | test_allowedAnonymousClientConnection | Check that anonymous connections are allowed when certificates aren't required on the server. |
| Method | test_refusedAnonymousClientConnection | Check that anonymous connections are refused when certificates are required on the server. |
| Method | test_failedCertificateVerification | Check that connecting with a certificate not accepted by the server CA fails. |
| Method | test_successfulCertificateVerification | Test a successful connection with client certificate validation on server side. |
| Method | test_successfulSymmetricSelfSignedCertificateVerification | Test a successful connection with validation on both server and client sides. |
| Method | test_verification | Check certificates verification building custom certificates data. |
Inherited from OpenSSLOptionsTestsMixin:
| Method | tearDown | Undocumented |
| Method | loopback | Undocumented |
Inherited from TestCase:
| Instance Variable | timeout | A real number of seconds. If set, the test will raise an error if it takes
longer than timeout seconds. If not set,
util.DEFAULT_TIMEOUT_DURATION is used. |
| Method | __init__ | Construct an asynchronous test case for methodName. |
| Method | assertFailure | Fail if deferred does not errback with one of
expectedFailures. Returns the original Deferred with callbacks
added. You will need to return this Deferred from your test case. |
| Method | __call__ | Run the test. Should always do exactly the same thing as run(). |
| Method | deferSetUp | Undocumented |
| Method | deferTestMethod | Undocumented |
| Method | deferTearDown | Undocumented |
| Method | deferRunCleanups | Run any scheduled cleanups and report errors (if any to the result object. |
| Method | addCleanup | Extend the base cleanup feature with support for cleanup functions which return Deferreds. |
| Method | getSuppress | Undocumented |
| Method | getTimeout | No summary |
| Method | _run | Run a single method, either a test method or fixture. |
| Method | _ebDeferSetUp | Undocumented |
| Method | _cbDeferTestMethod | Undocumented |
| Method | _ebDeferTestMethod | Undocumented |
| Method | _ebDeferTearDown | Undocumented |
| Method | _cbDeferRunCleanups | Undocumented |
| Method | _cleanUp | Undocumented |
| Method | _classCleanUp | Undocumented |
| Method | _makeReactorMethod | Create a method which wraps the reactor method name. The
new method issues a deprecation warning and calls the original. |
| Method | _deprecateReactor | Deprecate iterate, crash and stop
on reactor. That is, each method is wrapped in a function that
issues a deprecation warning, then calls the original. |
| Method | _undeprecateReactor | Restore the deprecated reactor methods. Undoes what _deprecateReactor
did. |
| Method | _runCleanups | Run the cleanups added with addCleanup
in order. |
| Method | _runFixturesAndTest | Really run setUp, the test method, and
tearDown. Any of these may return defer.Deferreds.
After they complete, do some reactor cleanup. |
| Method | _wait | Take a Deferred that only ever callbacks. Block until it happens. |
Inherited from SynchronousTestCase (via TestCase):
| Instance Variable | failureException | An exception class, defaulting to FailTest. If the test method
raises this exception, it will be reported as a failure, rather than an
exception. All of the assertion methods raise this if the assertion fails. |
| Instance Variable | skip | None
or a string explaining why this test is to be skipped. If defined, the test
will not be run. Instead, it will be reported to the result object as
'skipped' (if the TestResult supports skipping). |
| Instance Variable | todo | None,
a string or a tuple of (errors, reason) where
errors is either an exception class or an iterable of
exception classes, and reason is a string. See Todo or makeTodo for
more information. |
| Instance Variable | suppress | None
or a list of tuples of (args, kwargs) to be passed to
warnings.filterwarnings. Use these to suppress warnings raised
in a test. Useful for testing deprecated code. See also util.suppress. |
| Method | __eq__ | No summary |
| Method | __ne__ | Undocumented |
| Method | __hash__ | Undocumented |
| Method | shortDescription | Undocumented |
| Method | getSkip | No summary |
| Method | getTodo | No summary |
| Method | runTest | If no methodName argument is passed to the constructor, run
will treat this method as the thing with the actual test inside. |
| Method | run | Run the test case, storing the results in result. |
| Method | patch | Monkey patch an object for the duration of the test. |
| Method | flushLoggedErrors | Remove stored errors received from the log. |
| Method | flushWarnings | Remove stored warnings from the list of captured warnings and return them. |
| Method | callDeprecated | Call a function that should have been deprecated at a specific version and in favor of a specific alternative, and assert that it was thusly deprecated. |
| Method | mktemp | Create a new path name which can be used for a new file or directory. |
| Method | _getSuppress | No summary |
| Method | _getSkipReason | Return the reason to use for skipping a test method. |
| Method | _installObserver | Undocumented |
| Method | _removeObserver | Undocumented |
Inherited from _Assertions (via TestCase, SynchronousTestCase):
| Method | fail | Absolutely fail the test. Do not pass go, do not collect $200. |
| Method | assertFalse | Fail the test if condition evaluates to True. |
| Method | assertTrue | Fail the test if condition evaluates to False. |
| Method | assertRaises | Fail the test unless calling the function f with the given
args and kwargs raises exception.
The failure will report the traceback and call stack of the unexpected
exception. |
| Method | assertEqual | Fail the test if first and second are not
equal. |
| Method | assertIs | Fail the test if first is not second. This is
an obect-identity-equality test, not an object equality (i.e.
__eq__) test. |
| Method | assertIsNot | Fail the test if first is second. This is an
obect-identity-equality test, not an object equality (i.e.
__eq__) test. |
| Method | assertNotEqual | Fail the test if first == second. |
| Method | assertIn | Fail the test if containee is not found in
container. |
| Method | assertNotIn | Fail the test if containee is found in
container. |
| Method | assertNotAlmostEqual | Fail if the two objects are equal as determined by their difference rounded to the given number of decimal places (default 7) and comparing to zero. |
| Method | assertAlmostEqual | Fail if the two objects are unequal as determined by their difference rounded to the given number of decimal places (default 7) and comparing to zero. |
| Method | assertApproximates | Fail if first - second >
tolerance |
| Method | assertSubstring | Fail if substring does not exist within
astring. |
| Method | assertNotSubstring | Fail if astring contains substring. |
| Method | assertWarns | Fail if the given function doesn't generate the specified warning when called. It calls the function, checks the warning, and forwards the result of the function if everything is fine. |
| Method | assertIsInstance | Fail if instance is not an instance of the given class or
of one of the given classes. |
| Method | assertNotIsInstance | Fail if instance is an instance of the given class or of
one of the given classes. |
| Method | successResultOf | Return the current success result of deferred or raise
self.failureException. |
| Method | failureResultOf | Return the current failure result of deferred or raise
self.failureException. |
| Method | assertNoResult | Assert that deferred does not have a result at this
point. |
| Method | assertRegex | Fail the test if a regexp search of text
fails. |
Same as OpenSSLOptionsTestsMixin.setUp,
but it also patches sslverify._ChooseDiffieHellmanEllipticCurve.
privateKey and certificate make only sense if
both are set.
privateKey and certificate make only sense if
both are set.
Specifying privateKey and certificate
initializes correctly.
verify must not be True without specifying
caCerts.
verify, requireCertificate, and
caCerts must not be specified by the caller (to be any
value, even the default!) when specifying trustRoot.
Specifying verify and caCerts initializes
correctly.
Setting extraCertChain works if certificate
and privateKey are set along with it.
A extraCertChain without privateKey doesn't
make sense and is thus rejected.
A extraCertChain without certificate doesn't
make sense and is thus rejected.
If extraCertChain is set and all prerequisites are met, the
specified chain certificates are added to Contexts that get
created.
extraCertChain doesn't break
OpenSSL.SSL.Context creation.
If the user doesn't supply custom acceptable ciphers, a shipped secure default is used. We can't check directly for it because the effective cipher string we set varies with platforms.
If there is no valid cipher that matches the user's wishes, a ValueError
is raised.
Every context must have OP_NO_SSLv2,
OP_NO_COMPRESSION, and
OP_CIPHER_SERVER_PREFERENCE set.
If singleUseKeys is set, every context must have
OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE set.
Passing method to sslverify.OpenSSLCertificateOptions
is deprecated.
sslverify.OpenSSLCertificateOptions
will make the default minimum TLS version v1.0, if no method,
or insecurelyLowerMinimumTo is given.
Passing insecurelyLowerMinimumTo along with
raiseMinimumTo to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception.
Passing raiseMinimumTo along with method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception.
Passing insecurelyLowerMinimumTo along with
method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception.
Passing lowerMaximumSecurityTo along with
method to sslverify.OpenSSLCertificateOptions
will cause it to raise an exception.
Passing out of order TLS versions to
insecurelyLowerMinimumTo and
lowerMaximumSecurityTo will cause it to raise an
exception.
Passing out of order TLS versions to raiseMinimumTo and
lowerMaximumSecurityTo will cause it to raise an
exception.
When calling sslverify.OpenSSLCertificateOptions
with lowerMaximumSecurityTo but no raiseMinimumTo
or insecurelyLowerMinimumTo set, and
lowerMaximumSecurityTo is below the minimum default, the
minimum will be made the new maximum.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to SSLv3, it will exclude all
others.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.0, it will exclude all
others.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.1, it will exclude all
others.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo and
lowerMaximumSecurityTo set to v1.2, it will exclude all
others.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo set to TLSv1.0 and
lowerMaximumSecurityTo to TLSv1.2, it will exclude both SSLs
and the (unreleased) TLSv1.3.
When calling sslverify.OpenSSLCertificateOptions
with raiseMinimumTo set to TLSv1.2, it will ignore all TLSs
below 1.2 and SSL.
When calling sslverify.OpenSSLCertificateOptions
with raiseMinimumTo set to a value lower than Twisted's
default will cause it to use the more secure default.
When calling sslverify.OpenSSLCertificateOptions
with insecurelyLowerMinimumTo set to TLSv1.2, it will ignore
all TLSs below 1.2 and SSL.
Check that abbreviations used in certificates correctly map to complete names.
Test that the inspect method of sslverify.Certificate
returns a human-readable string containing some basic information about the
certificate.
PublicKey.matches
returns True
for keys from certificates with the same key, and False
for keys from certificates with different keys.
Test that __setstate__(__getstate__()) round-trips properly.
Enabling session tickets should not set the OP_NO_TICKET option.
Enabling session tickets should set the OP_NO_TICKET option.
Check that anonymous connections are allowed when certificates aren't required on the server.
Check that anonymous connections are refused when certificates are required on the server.
Check that connecting with a certificate not accepted by the server CA fails.
Test a successful connection with client certificate validation on server side.