From: Ben Darnell <ben@bendarnell.com>
Date: Sun, 11 Aug 2019 02:00:41 +0000 (-0400)
Subject: test: Disable TLS 1.3 in one test
X-Git-Tag: v6.1.0b1~60^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2725%2Fhead;p=thirdparty%2Ftornado.git

test: Disable TLS 1.3 in one test

This test started failing on windows CI with an upgrade to python
3.7.4 (which bundles a newer version of openssl). Disable tls 1.3 for
now.

Possibly related to #2536
---

diff --git a/tornado/test/iostream_test.py b/tornado/test/iostream_test.py
index 304146ce9..5c1f73eab 100644
--- a/tornado/test/iostream_test.py
+++ b/tornado/test/iostream_test.py
@@ -973,9 +973,16 @@ class WaitForHandshakeTest(AsyncTestCase):
             server = server_cls(ssl_options=_server_ssl_options())
             server.add_socket(sock)
 
-            client = SSLIOStream(
-                socket.socket(), ssl_options=dict(cert_reqs=ssl.CERT_NONE)
-            )
+            ssl_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+            ssl_ctx.check_hostname = False
+            ssl_ctx.verify_mode = ssl.CERT_NONE
+            # These tests fail with ConnectionAbortedErrors with TLS
+            # 1.3 on windows python 3.7.4 (which includes an upgrade
+            # to openssl 1.1.c. Other platforms might be affected with
+            # newer openssl too). Disable it until we figure out
+            # what's up.
+            ssl_ctx.options |= getattr(ssl, "OP_NO_TLSv1_3", 0)
+            client = SSLIOStream(socket.socket(), ssl_options=ssl_ctx)
             yield client.connect(("127.0.0.1", port))
             self.assertIsNotNone(client.socket.cipher())
         finally: