Switch default ssl protocol to PROTOCOL_TLS_CLIENT and improve tests #207
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Make sure, no errors slip unnoticed in spawned greenlets Mute expected error output in SSL tests Isolate http.client patching to the respective tests Set PROTOCOL_TLS_CLIENT by default instead of outdated gevent default PROTOCOL_SSLv23
|
I wont pretend to understand the implications of this change :) LGTM Maybe have a look at the commit messages and PR title though (so they are focused on the actual code changes instead of the changes to tests) |
|
Yeah, thanks for the hint. I was clearly a bit too short and cryptic with the description and the rationale of the changes. |
|
For the SSL deprecations, see: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_SSLv23 |
|
Maybe the PR title (which will be included in the release notes) could be something like "Switch default ssl protocol to PROTOCOL_TLS_CLIENT and improve tests"? |
ml31415
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TLDR:
In our current test suite, there are lots of cases when a local server is spun up in a separate greenlet. Errors in these greenlets so far only threw output to
std.err, but didn't raise an actual error. This behavior is dangerous, as it can easily hide errors and pretend a passing test suite.One test in
test_ssl.pyhad confusing delayed output tostd.err. This made test runs withpytest -v -slook like some random tests were erroring. This is fixed now. and the output tostd.erris caught cleanly.The current
gevent.ssldefault protocol version for wrapping a SSL socket is stillssl.PROTOCOL_SSLv23. This is outdated since python 3.10 and was replaced withssl.PROTOCOL_TLS_CLIENT. This PR makes use of the new protocol, while the default ingeventunfortunately is still unchanged. In short: This makes sure, our SSL sockets don't negotiate an outdated and possibly less secure connection.Some common code, which was present multiple times in different test modules, was moved to
conftest.py. Makes maintenance easier.The tests now also don't monkey patch
http.clientin general, but only for the tests ofhttplib2andurllib.request, that depend on that patching. As the monkey patching is only required for a small subset of features, this makes sure, that the tests run in the environment, in which they'd be commonly used.