# SPDX-License-Identifier: GPL-3.0-or-later
"""TLS-specific tests"""
-import itertools
-import os
-from socket import AF_INET, AF_INET6
import ssl
-import sys
-
import pytest
-
-from kresd import make_kresd
import utils
with pytest.raises(ssl.CertificateError):
ssock.connect(dest)
-
-
-@pytest.mark.skipif(sys.version_info < (3, 6),
- reason="requires python3.6 or higher")
-@pytest.mark.parametrize('sf1, sf2, sf3', itertools.product(
- [AF_INET, AF_INET6], [AF_INET, AF_INET6], [AF_INET, AF_INET6]))
-def test_tls_session_resumption(tmpdir, sf1, sf2, sf3):
- """Attempt TLS session resumption against the same kresd instance and a different one."""
- # TODO ensure that session can't be resumed after session ticket key regeneration
- # at the first kresd instance
-
- # NOTE TLS 1.3 is intentionally disabled for session resumption tests,
- # because python's SSLSocket.session isn't compatible with TLS 1.3
- # https://docs.python.org/3/library/ssl.html?highlight=ssl%20ticket#tls-1-3
-
- def connect(kresd, ctx, sf, session=None):
- sock, dest = kresd.stream_socket(sf, tls=True)
- ssock = ctx.wrap_socket(
- sock, server_hostname='transport-test-server.com', session=session)
- ssock.connect(dest)
- new_session = ssock.session
- assert new_session.has_ticket
- assert ssock.session_reused == (session is not None)
- utils.ping_alive(ssock)
- ssock.close()
- return new_session
-
- workdir = os.path.join(str(tmpdir), 'kresd')
- os.makedirs(workdir)
-
- with make_kresd(workdir, 'tt') as kresd:
- ctx = utils.make_ssl_context(
- verify_location=kresd.tls_cert_path, maximum_tls=ssl.TLSVersion.TLSv1_2)
- session = connect(kresd, ctx, sf1) # initial conn
- connect(kresd, ctx, sf2, session) # resume session on the same instance
-
- workdir2 = os.path.join(str(tmpdir), 'kresd2')
- os.makedirs(workdir2)
- with make_kresd(workdir2, 'tt') as kresd2:
- connect(kresd2, ctx, sf3, session) # resume session on a different instance
projects / thirdparty / knot-resolver.git / commitdiff
