tests: replace use of ssl.wrap_socket that throws warnings in Python 3.10

The function ssl.wrap_socket() is deprecated starting Python 3.7 because it does not support hostname matching (which is considered insecure). In Python 3.10, the function now throws warnings at runtime, which makes Ubuntu / Debian autopkgtest fail. The function ssl.SSLContext.wrap_socket comes in as the replacement and has support for SNI and hostname matching. Replaced all uses of ssl.wrap_socket() by equivalent using ssl.SSLContext.wrap_socket(). Signed-off-by: Olivier Gayot <olivier.gayot@canonical.com>
2022-02-07 10:29:02 +01:00 · 2022-02-07 10:29:02 +01:00 · b7fb911428
commit b7fb911428
parent 3cbe805e71
15 changed files with 44 additions and 21 deletions
--- a/test/broker/08-ssl-bridge.py
+++ b/test/broker/08-ssl-bridge.py
@ -34,7 +34,9 @@ publish_packet = mosq_test.gen_publish("bridge/ssl/test", qos=0, payload="messag

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(20)
 ssock.bind(('', port1))
 ssock.listen(5)
--- a/test/broker/08-ssl-connect-cert-auth-crl.py
+++ b/test/broker/08-ssl-connect-cert-auth-crl.py
@ -31,7 +31,9 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    ssock.connect(("localhost", port1))

--- a/test/broker/08-ssl-connect-cert-auth-expired.py
+++ b/test/broker/08-ssl-connect-cert-auth-expired.py
@ -31,7 +31,9 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    context.load_cert_chain(certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    try:
        ssock.connect(("localhost", port1))
--- a/test/broker/08-ssl-connect-cert-auth-revoked.py
+++ b/test/broker/08-ssl-connect-cert-auth-revoked.py
@ -30,7 +30,9 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    context.load_cert_chain(certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    try:
        ssock.connect(("localhost", port1))
--- a/test/broker/08-ssl-connect-cert-auth-without.py
+++ b/test/broker/08-ssl-connect-cert-auth-without.py
@ -28,7 +28,8 @@ connect_packet = mosq_test.gen_connect("connect-cert-test", keepalive=keepalive)
 broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+ssock = context.wrap_socket(sock, server_hostname="localhost")
 ssock.settimeout(20)
 try:
    ssock.connect(("localhost", port1))
--- a/test/broker/08-ssl-connect-cert-auth.py
+++ b/test/broker/08-ssl-connect-cert-auth.py
@ -32,7 +32,9 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    ssock.connect(("localhost", port1))

--- a/test/broker/08-ssl-connect-identity.py
+++ b/test/broker/08-ssl-connect-identity.py
@ -33,7 +33,9 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    ssock.connect(("localhost", port1))

--- a/test/broker/08-ssl-connect-no-auth-wrong-ca.py
+++ b/test/broker/08-ssl-connect-no-auth-wrong-ca.py
@ -29,7 +29,8 @@ connack_packet = mosq_test.gen_connack(rc=0)
 broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-alt-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-alt-ca.crt")
+ssock = context.wrap_socket(sock, server_hostname="localhost")
 ssock.settimeout(20)
 try:
    ssock.connect(("localhost", port1))
--- a/test/broker/08-ssl-connect-no-auth.py
+++ b/test/broker/08-ssl-connect-no-auth.py
@ -32,7 +32,8 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    ssock.connect(("localhost", port1))

--- a/test/broker/08-ssl-connect-no-identity.py
+++ b/test/broker/08-ssl-connect-no-identity.py
@ -32,7 +32,8 @@ broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2,

 try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+    ssock = context.wrap_socket(sock, server_hostname="localhost")
    ssock.settimeout(20)
    ssock.connect(("localhost", port1))

--- a/test/broker/08-ssl-hup-disconnect.py
+++ b/test/broker/08-ssl-hup-disconnect.py
@ -43,7 +43,9 @@ def do_test(option):

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+        context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+        context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+        ssock = context.wrap_socket(sock, server_hostname="localhost")
        ssock.settimeout(20)
        ssock.connect(("localhost", port))
        mosq_test.do_send_receive(ssock, connect_packet, connack_packet, "connack")
--- a/test/lib/08-ssl-connect-cert-auth-enc.py
+++ b/test/lib/08-ssl-connect-cert-auth-enc.py
@ -26,9 +26,10 @@ disconnect_packet = mosq_test.gen_disconnect()

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)
--- a/test/lib/08-ssl-connect-cert-auth.py
+++ b/test/lib/08-ssl-connect-cert-auth.py
@ -26,9 +26,10 @@ disconnect_packet = mosq_test.gen_disconnect()

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)
--- a/test/lib/08-ssl-connect-no-auth.py
+++ b/test/lib/08-ssl-connect-no-auth.py
@ -25,7 +25,9 @@ disconnect_packet = mosq_test.gen_disconnect()

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)
--- a/test/lib/08-ssl-fake-cacert.py
+++ b/test/lib/08-ssl-fake-cacert.py
@ -10,9 +10,10 @@ if sys.version < '2.7':

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
-        keyfile="../ssl/server.key", certfile="../ssl/server.crt",
-        server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)