tests: replace use of ssl.wrap_socket that throws warnings in Python …

…3.10

The function ssl.wrap_socket() is deprecated starting Python 3.7 because
it does not support hostname matching (which is considered insecure). In
Python 3.10, the function now throws warnings at runtime, which makes
Ubuntu / Debian autopkgtest fail.

The function ssl.SSLContext.wrap_socket comes in as the replacement and
has support for SNI and hostname matching.

Replaced all uses of ssl.wrap_socket() by equivalent using
ssl.SSLContext.wrap_socket().

Signed-off-by: Olivier Gayot <[email protected]>

test/broker/08-ssl-bridge.py

@@ -34,7 +34,9 @@ def write_config(filename, port1, port2):
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(20)
 ssock.bind(('', port1))
 ssock.listen(5)

test/broker/08-ssl-connect-cert-auth-crl.py

@@ -31,7 +31,9 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port1))
 

test/broker/08-ssl-connect-cert-auth-expired.py

@@ -31,7 +31,9 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client-expired.crt", keyfile="../ssl/client-expired.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  try:
  ssock.connect(("localhost", port1))

test/broker/08-ssl-connect-cert-auth-revoked.py

@@ -30,7 +30,9 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client-revoked.crt", keyfile="../ssl/client-revoked.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  try:
  ssock.connect(("localhost", port1))

test/broker/08-ssl-connect-cert-auth-without.py

@@ -28,7 +28,8 @@ def write_config(filename, port1, port2):
 broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+ssock = context.wrap_socket(sock, server_hostname="localhost")
 ssock.settimeout(20)
 try:
  ssock.connect(("localhost", port1))

test/broker/08-ssl-connect-cert-auth.py

@@ -32,7 +32,9 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port1))
 

test/broker/08-ssl-connect-identity.py

@@ -33,7 +33,9 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port1))
 

test/broker/08-ssl-connect-no-auth-wrong-ca.py

@@ -29,7 +29,8 @@ def write_config(filename, port1, port2):
 broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port2, use_conf=True)
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-alt-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-alt-ca.crt")
+ssock = context.wrap_socket(sock, server_hostname="localhost")
 ssock.settimeout(20)
 try:
  ssock.connect(("localhost", port1))

test/broker/08-ssl-connect-no-auth.py

@@ -32,7 +32,8 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port1))
 

test/broker/08-ssl-connect-no-identity.py

@@ -32,7 +32,8 @@ def write_config(filename, port1, port2):
 
 try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port1))
 

test/broker/08-ssl-hup-disconnect.py

@@ -43,7 +43,9 @@ def do_test(option):
 
  try:
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- ssock = ssl.wrap_socket(sock, ca_certs="../ssl/test-root-ca.crt", certfile="../ssl/client.crt", keyfile="../ssl/client.key", cert_reqs=ssl.CERT_REQUIRED)
+ context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile="../ssl/test-root-ca.crt")
+ context.load_cert_chain(certfile="../ssl/client.crt", keyfile="../ssl/client.key")
+ ssock = context.wrap_socket(sock, server_hostname="localhost")
  ssock.settimeout(20)
  ssock.connect(("localhost", port))
  mosq_test.do_send_receive(ssock, connect_packet, connack_packet, "connack")

test/lib/08-ssl-connect-cert-auth-enc.py

@@ -26,9 +26,10 @@
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
- keyfile="../ssl/server.key", certfile="../ssl/server.crt",
- server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)

test/lib/08-ssl-connect-cert-auth.py

@@ -26,9 +26,10 @@
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
- keyfile="../ssl/server.key", certfile="../ssl/server.crt",
- server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)

test/lib/08-ssl-connect-no-auth.py

@@ -25,7 +25,9 @@
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt", keyfile="../ssl/server.key", certfile="../ssl/server.crt", server_side=True)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)

test/lib/08-ssl-fake-cacert.py

@@ -10,9 +10,10 @@
 
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-ssock = ssl.wrap_socket(sock, ca_certs="../ssl/all-ca.crt",
- keyfile="../ssl/server.key", certfile="../ssl/server.crt",
- server_side=True, cert_reqs=ssl.CERT_REQUIRED)
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile="../ssl/all-ca.crt")
+context.load_cert_chain(certfile="../ssl/server.crt", keyfile="../ssl/server.key")
+context.verify_mode = ssl.CERT_REQUIRED
+ssock = context.wrap_socket(sock, server_side=True)
 ssock.settimeout(10)
 ssock.bind(('', port))
 ssock.listen(5)