# TODO ensure that session can't be resumed after session ticket key regeneration
# at the first kresd instance
+ # NOTE TLS 1.3 is intentionally disabled for session resumption tests,
+ # becuase python's SSLSocket.session isn't compatible with TLS 1.3
+ # https://docs.python.org/3/library/ssl.html?highlight=ssl%20ticket#tls-1-3
+
def connect(kresd, ctx, sf, session=None):
sock, dest = kresd.stream_socket(sf, tls=True)
ssock = ctx.wrap_socket(
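Review bot: The added NOTE has a typo (`becuase`) and links the docs with a search-highlight query that is not needed; `# because python's SSLSocket.session isn't compatible with TLS 1.3` and `# https://docs.python.org/3/library/ssl.html#tls-1-3` read cleaner. The comment says why TLS 1.3 is off but not what that leaves uncovered: with this pin, kresd's TLS 1.3 ticket resumption is not exercised by these tests. That is worth recording next to the existing TODO, e.g. `# TODO cover TLS 1.3 session resumption once the client side can reuse TLS 1.3 tickets`. The body of `connect` continues outside the hunk.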
os.makedirs(workdir)
with make_kresd(workdir, 'tt') as kresd:
- ctx = utils.make_ssl_context(verify_location=kresd.tls_cert_path)
+ ctx = utils.make_ssl_context(
+ verify_location=kresd.tls_cert_path, extra_options=[ssl.OP_NO_TLSv1_3])
session = connect(kresd, ctx, sf1) # initial conn
connect(kresd, ctx, sf2, session) # resume session on the same instance
pytest.skip("kresd closed connection with TCP RST")
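Review bot: Nothing visible in this hunk checks that the handshake really settled on TLS 1.2, so if the `ssl.OP_NO_TLSv1_3` pin ever stops taking effect the test's outcome becomes hard to interpret. An `assert ssock.version() == 'TLSv1.2'` inside `connect` would make that failure explicit; the body of `connect` is outside the hunk, so it may already do this. Separately, Python has deprecated the `OP_NO_TLSv1_3` flag since 3.7 in favour of `SSLContext.maximum_version`. If the supported interpreter versions allow it, `ctx.maximum_version = ssl.TLSVersion.TLSv1_2` states the cap directly.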
-def make_ssl_context(insecure=False, verify_location=None):
+def make_ssl_context(insecure=False, verify_location=None, extra_options=None):
# set TLS v1.2+
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
+ if extra_options is not None:
+ for option in extra_options:
+ context.options |= option
+
if insecure:
# turn off certificate verification
context.check_hostname = False
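Review bot: `extra_options` is OR-ed into `context.options` with no docstring and no validation, and the existing `# set TLS v1.2+` comment no longer describes every context this helper returns, since a caller can now cap the version at 1.2. A short docstring would cover it, saying that `extra_options` is an iterable of `ssl.OP_*` flags added on top of the defaults and that flags can only be set, never cleared. The comment could become `# TLS v1.2+ by default; extra_options may restrict further`. Not every `ssl.OP_*` flag is a restriction, so the docstring should also say that this parameter is meant for narrowing the context in tests. The function body continues past the end of the hunk.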