Ensure load_verify_locations raises SSLError for all backends (urllib…

…3#1812) * Ensure load_verify_locations raises SSLError for all backends This also adds TestSSL to the classes tested in SecureTransport and PyOpenSSL, since: 1. TestSSL was the most natural place for this test. 2. The test only makes sense when run against all SSL backends. Co-authored-by: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr> * Remove redundant check in test pytest.raises() already checks this. * Update test_socketlevel.py Co-authored-by: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr> Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
Dobatymo · Mar 16, 2020 · c7147f1 · c7147f1
1 parent 10d7d26
commit c7147f1
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 3 deletions.
diff --git a/src/urllib3/contrib/pyopenssl.py b/src/urllib3/contrib/pyopenssl.py
@@ -450,9 +450,12 @@ def load_verify_locations(self, cafile=None, capath=None, cadata=None):
             cafile = cafile.encode("utf-8")
         if capath is not None:
             capath = capath.encode("utf-8")
-        self._ctx.load_verify_locations(cafile, capath)
-        if cadata is not None:
-            self._ctx.load_verify_locations(BytesIO(cadata))
+        try:
+            self._ctx.load_verify_locations(cafile, capath)
+            if cadata is not None:
+                self._ctx.load_verify_locations(BytesIO(cadata))
+        except OpenSSL.SSL.Error as e:
+            raise ssl.SSLError("unable to load trusted certificates: %r" % e)
 
     def load_cert_chain(self, certfile, keyfile=None, password=None):
         self._ctx.use_certificate_chain_file(certfile)

diff --git a/test/contrib/test_pyopenssl.py b/test/contrib/test_pyopenssl.py
@@ -45,6 +45,7 @@ def teardown_module():
     TestSNI,
     TestSocketClosing,
     TestClientCerts,
+    TestSSL,
 )
 
 

diff --git a/test/contrib/test_securetransport.py b/test/contrib/test_securetransport.py
@@ -43,6 +43,7 @@ def teardown_module():
     TestSNI,
     TestSocketClosing,
     TestClientCerts,
+    TestSSL,
 )
 
 

diff --git a/test/with_dummyserver/test_socketlevel.py b/test/with_dummyserver/test_socketlevel.py
@@ -10,6 +10,7 @@
     ProtocolError,
 )
 from urllib3.response import httplib
+from urllib3.util import ssl_wrap_socket
 from urllib3.util.ssl_ import HAS_SNI
 from urllib3.util import ssl_
 from urllib3.util.timeout import Timeout
@@ -37,6 +38,7 @@ class MimeToolMessage(object):
 from collections import OrderedDict
 import os.path
 from threading import Event
+import os
 import select
 import socket
 import shutil
@@ -1387,6 +1389,13 @@ def socket_handler(listener):
                         pool.request("GET", "/", timeout=SHORT_TIMEOUT)
                     context.load_default_certs.assert_not_called()
 
+    def test_load_verify_locations_exception(self):
+        """
+        Ensure that load_verify_locations raises SSLError for all backends
+        """
+        with pytest.raises(SSLError):
+            ssl_wrap_socket(None, ca_certs=os.devnull)
+
 
 class TestErrorWrapping(SocketDummyServerTestCase):
     def test_bad_statusline(self):