author | Maximiliano Curia
<maxy@gnuservers.com.ar> 2015-03-20 13:56:26 UTC |
committer | Maximiliano Curia
<maxy@gnuservers.com.ar> 2015-03-20 13:57:22 UTC |
parent | f6204ef51c68ff78e79bf72335a7adc4f8d33c6c |
debian/changelog | +1 | -1 |
debian/patches/series | +1 | -0 |
debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky | +68 | -0 |
diff --git a/debian/changelog b/debian/changelog
index f5be6d7..8fced7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
 kxd (0.12-4~) UNRELEASED; urgency=medium
- *
+ * New upstream patch: upstream_tests_fix_ssl_validation_in_test_tricky
 -- Maximiliano Curia <maxy@debian.org> Thu, 19 Mar 2015 21:45:37 +0100
diff --git a/debian/patches/series b/debian/patches/series
index ab007b7..d1abcc2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 upstream_scripts-Fix-kxd-add-client-key-missing-fi-and-wrong-.patch
 upstream_tests-Use-LOGNAME-instead-of-os.getlogin.patch
 upstream_tests-assert-negociated
+upstream_tests_fix_ssl_validation_in_test_tricky
diff --git a/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky b/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky
new file mode 100644
index 0000000..4204000
--- /dev/null
+++ b/debian/patches/upstream_tests_fix_ssl_validation_in_test_tricky
@@ -0,0 +1,68 @@
+commit e0d577c780ce7591040dc6b68b270cb80bc556b8
+Author: Alberto Bertogli <albertito@blitiri.com.ar>
+Date: Thu Mar 12 20:08:30 2015 +0000
+
+ tests: Fix SSL validation in test_tricky
+
+ test_tricky uses httplib to create a client, which used to not validate the
+ server certificate.
+
+ Python 2.7.9 changes that, and now the test fail because the client cannot
+ validate the server.
+
+ The problem is that to fix this, we need to use the new "context" parameter
+ which is not backwards-compatible. So we have to add a little version-specific
+ code to work around this.
+
+ Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>
+
+diff --git a/tests/run_tests b/tests/run_tests
+index 85531ee..81de253 100755
+--- a/tests/run_tests
++++ b/tests/run_tests
+@@ -24,6 +24,7 @@ import shutil
+ import socket
+ import ssl
+ import subprocess
++import sys
+ import tempfile
+ import time
+ import unittest
+@@ -376,9 +377,23 @@ class Multiples(TestCase):
+ class TrickyRequests(TestCase):
+ """Tests for tricky requests."""
+
++ def HTTPSConnection(self, host, port, key_file=None, cert_file=None):
++ # httplib.HTTPSConnection() wrapper that works with versions before
++ # and after Python 2.7.9, which introduced default server validation
++ # with no backwards-compatible way of turning it off.
++ if sys.hexversion < 0x2070900:
++ return httplib.HTTPSConnection(
++ host, port, key_file=key_file, cert_file=cert_file)
++
++ # Get an SSL context that can validate our server certificate.
++ context = ssl.create_default_context(cafile=self.server.cert_path())
++ return httplib.HTTPSConnection(
++ host, port, key_file=key_file, cert_file=cert_file,
++ context=context)
++
+ def test_tricky(self):
+ # No local certificate.
+- conn = httplib.HTTPSConnection("localhost", 19840)
++ conn = self.HTTPSConnection("localhost", 19840)
+ try:
+ conn.request("GET", "/v1/")
+ except ssl.SSLError as err:
+@@ -387,9 +402,9 @@ class TrickyRequests(TestCase):
+ self.fail("Client call did not fail as expected")
+
+ # Requests with '..'.
+- conn = httplib.HTTPSConnection("localhost", 19840,
+- key_file=self.client.key_path(),
+- cert_file=self.client.cert_path())
++ conn = self.HTTPSConnection("localhost", 19840,
++ key_file=self.client.key_path(),
++ cert_file=self.client.cert_path())
+ conn.request("GET", "/v1/a/../b")
+ response = conn.getresponse()
+
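Review bot: The `sys.hexversion < 0x2070900` check in the new `HTTPSConnection` wrapper picks the code path by interpreter version rather than by the API it depends on, so a 2.7 build that carries the ssl changes as a distribution backport may take the wrong branch; testing for the feature itself, `if not hasattr(ssl, "create_default_context"):`, covers both cases. The legacy branch also leaves the server certificate unchecked, which is worth stating next to it: `# Before 2.7.9 httplib does not validate the server certificate; this path runs without server authentication.` With validation now on in the other branch, the first case in `test_tricky` can reach `except ssl.SSLError` through a server-certificate or hostname failure as well as through the missing client certificate. The handler body falls between the two inner hunks and is not shown, so it should be confirmed that it checks the error reason and does not accept any `SSLError`.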