diff options
Diffstat (limited to 'tests/test_ssl.py')
-rw-r--r-- | tests/test_ssl.py | 72 |
1 files changed, 66 insertions, 6 deletions
diff --git a/tests/test_ssl.py b/tests/test_ssl.py index a2f66b2..0ae7440 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -28,6 +28,9 @@ class TestSSL: if not os.path.isdir(CERT_DIR): raise IOError(f"No SSL certificates found. They should be in {CERT_DIR}") + SERVER_CERT = os.path.join(CERT_DIR, "server-cert.pem") + SERVER_KEY = os.path.join(CERT_DIR, "server-key.pem") + def test_ssl_with_invalid_cert(self, request): ssl_url = request.config.option.redis_ssl_url sslclient = redis.from_url(ssl_url) @@ -57,10 +60,10 @@ class TestSSL: host=p[0], port=p[1], ssl=True, - ssl_certfile=os.path.join(self.CERT_DIR, "server-cert.pem"), - ssl_keyfile=os.path.join(self.CERT_DIR, "server-key.pem"), + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, ssl_cert_reqs="required", - ssl_ca_certs=os.path.join(self.CERT_DIR, "server-cert.pem"), + ssl_ca_certs=self.SERVER_CERT, ) assert r.ping() @@ -71,10 +74,10 @@ class TestSSL: host=p[0], port=p[1], ssl=True, - ssl_certfile=os.path.join(self.CERT_DIR, "server-cert.pem"), - ssl_keyfile=os.path.join(self.CERT_DIR, "server-key.pem"), + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, ssl_cert_reqs="required", - ssl_ca_certs=os.path.join(self.CERT_DIR, "server-cert.pem"), + ssl_ca_certs=self.SERVER_CERT, ssl_validate_ocsp=True, ) return r @@ -159,3 +162,60 @@ class TestSSL: with context.wrap_socket(sock, server_hostname=hostname) as wrapped: ocsp = OCSPVerifier(wrapped, hostname, 443) assert ocsp.is_valid() + + @skip_if_nocryptography() + def test_mock_ocsp_staple(self, request): + import OpenSSL + + ssl_url = request.config.option.redis_ssl_url + p = urlparse(ssl_url)[1].split(":") + r = redis.Redis( + host=p[0], + port=p[1], + ssl=True, + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, + ssl_cert_reqs="required", + ssl_ca_certs=self.SERVER_CERT, + ssl_validate_ocsp=True, + ssl_ocsp_context=p, # just needs to not be none + ) + + with pytest.raises(RedisError): + r.ping() + + ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD) + ctx.use_certificate_file(self.SERVER_CERT) + ctx.use_privatekey_file(self.SERVER_KEY) + + r = redis.Redis( + host=p[0], + port=p[1], + ssl=True, + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, + ssl_cert_reqs="required", + ssl_ca_certs=self.SERVER_CERT, + ssl_ocsp_context=ctx, + ssl_ocsp_expected_cert=open(self.SERVER_KEY, "rb").read(), + ssl_validate_ocsp_stapled=True, + ) + + with pytest.raises(ConnectionError) as e: + r.ping() + assert "no ocsp response present" in str(e) + + r = redis.Redis( + host=p[0], + port=p[1], + ssl=True, + ssl_certfile=self.SERVER_CERT, + ssl_keyfile=self.SERVER_KEY, + ssl_cert_reqs="required", + ssl_ca_certs=self.SERVER_CERT, + ssl_validate_ocsp_stapled=True, + ) + + with pytest.raises(ConnectionError) as e: + r.ping() + assert "no ocsp response present" in str(e) |