certbot/acme/tests
Adrien Ferrand 07abe7a8d6
Reimplement tls-alpn-01 in acme (#6886)
This PR is the first part of work described in #6724.

It reintroduces the tls-alpn-01 challenge in the `acme` module, which was introduced by #5894 and reverted by #6100. The reason it was removed in the past is that some tests showed that with the `1.0.2` branch of OpenSSL, the self-signed certificate containing the authorization key is sent to the requester even if the ALPN protocol `acme-tls/1` was not declared as supported by the requester during the TLS handshake.

However, recent discussions lead to the conclusion that this behavior was not a security issue because, first, it is coherent with the behavior with servers that do not support ALPN at all, and second, it cannot make a tls-alpn-01 challenge be validated in this kind of corner case.

On top of the original modifications given by #5894, I merged the code to be up-to-date with our `master`, and fixed tests to match recent evolution about not displaying the `keyAuthorization` in the deserialized JSON form of an ACME challenge.

I also moved the logic to verify if ALPN is available on the current system, and so that the tls-alpn-01 challenge can be used, to a dedicated static function `is_available` in `acme.challenge.TLSALPN01`. This function is used in the related tests to skip them, and will be used in the future from Certbot plugins to trigger or not the logic related to tls-alpn-01, depending on the OpenSSL version available to Python.

* Reimplement TLS-ALPN-01 challenge and standalone TLS-ALPN server from #5894.

* Set up a class method to check if tls-alpn-01 is supported.

* Add potential missing parameter in validation for tls-alpn

* Improve comments

* Make a class private

* Handle old versions of openssl that do not terminate the handshake when they should.

* Add changelog

* Explicitly close the TLS connection by the book.

* Remove unused exception

* Fix lint
2020-03-12 13:53:19 -07:00
testdata Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
challenges_test.py Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
client_test.py acme: ignore params in content-type check (#7342) 2020-02-23 21:49:42 +01:00
crypto_util_test.py Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
errors_test.py Refactor tests out of packaged module for acme plugin (#7600) 2019-11-26 15:25:41 -08:00
fields_test.py Refactor tests out of packaged module for acme plugin (#7600) 2019-11-26 15:25:41 -08:00
jose_test.py Lint certbot code on Python 3, and update Pylint to the latest version (#7551) 2019-12-10 14:12:50 -08:00
jws_test.py Reorganize imports (#7616) 2019-12-09 15:50:20 -05:00
magic_typing_test.py Refactor tests out of packaged module for acme plugin (#7600) 2019-11-26 15:25:41 -08:00
messages_test.py Lint certbot code on Python 3, and update Pylint to the latest version (#7551) 2019-12-10 14:12:50 -08:00
standalone_test.py Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
test_util.py Lint certbot code on Python 3, and update Pylint to the latest version (#7551) 2019-12-10 14:12:50 -08:00
util_test.py Refactor tests out of packaged module for acme plugin (#7600) 2019-11-26 15:25:41 -08:00