Wire TLS keys in Python for cross-tests
Configure Python test client/server to use shared test keys and CA for SSL.
Remove Python SSL entries from known failures to re-enable SSL coverage.
diff --git a/test/py/TestClient.py b/test/py/TestClient.py
index d80ddf4..9971e42 100755
--- a/test/py/TestClient.py
+++ b/test/py/TestClient.py
@@ -20,6 +20,7 @@
#
import os
+import ssl
import sys
import time
import unittest
@@ -40,7 +41,7 @@
options.port,
(options.http_path if options.http_path else '/'))
if options.ssl:
- __cafile = os.path.join(os.path.dirname(SCRIPT_DIR), "keys", "CA.pem")
+ __cafile = os.path.join(os.path.dirname(SCRIPT_DIR), "keys", "server.pem")
__certfile = os.path.join(os.path.dirname(SCRIPT_DIR), "keys", "client.crt")
__keyfile = os.path.join(os.path.dirname(SCRIPT_DIR), "keys", "client.key")
self.transport = THttpClient.THttpClient(uri, cafile=__cafile, cert_file=__certfile, key_file=__keyfile)
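Review bot: `__cafile` now points at `server.pem`, so the HTTP client trusts the server's certificate file directly instead of the test CA, although the commit description still says the client uses the shared CA. That pins the single server certificate, which is workable for a cross-test, but chain validation against `CA.pem` is no longer exercised and the reason for the switch is not recorded. I would add a comment above the line, e.g. `# server.pem is the trust anchor here because <reason>; CA.pem is intentionally not used`, or keep `CA.pem` if the server certificate is in fact issued by it (not visible in this hunk). The enclosing method starts outside the hunk.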
@@ -49,7 +50,20 @@
else:
if options.ssl:
from thrift.transport import TSSLSocket
- socket = TSSLSocket.TSSLSocket(options.host, options.port, validate=False)
+ keys_dir = os.path.join(os.path.dirname(SCRIPT_DIR), "keys")
+ ca_certs = os.path.join(keys_dir, "server.pem")
+ certfile = os.path.join(keys_dir, "client.crt")
+ keyfile = os.path.join(keys_dir, "client.key")
+ ssl_version = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_TLSv1)
+ socket = TSSLSocket.TSSLSocket(
+ options.host,
+ options.port,
+ certfile=certfile,
+ keyfile=keyfile,
+ ca_certs=ca_certs,
+ cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=ssl_version,
+ )
else:
socket = TSocket.TSocket(options.host, options.port, options.domain_socket)
# frame or buffer depending upon args
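Review bot: The fallback in `ssl_version = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_TLSv1)` pins the connection to TLS 1.0 on any interpreter that lacks `PROTOCOL_TLS_CLIENT`. TLS 1.0 is deprecated and is commonly refused by current OpenSSL builds, so the test would either fail or run over a weak protocol in exactly the case the fallback is meant to cover. A negotiating constant is the safer default: `ssl_version = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)`. With `PROTOCOL_TLS_CLIENT`, an `SSLContext` checks host names by default, so `options.host` presumably has to match a name in `server.pem`; that is worth confirming for runs against anything other than localhost. The enclosing method begins and continues outside the hunk.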