From c5989b865b49c9892707dc51ab90be5e75d3ea00 Mon Sep 17 00:00:00 2001
From: Gabriel Erzse
Date: Tue, 14 May 2024 18:58:28 +0300
Subject: [PATCH] Fix CNs in test certificates (#3226)

The CNs in the test certificates (CA, server and client) were all the same, which is not right. Make them different. Cleanup the Jupyter notebook that documents how SSL connections work. Make the code blocks actually run, by using the test certificates from devenv. Simplify a bit the OCSP examples, since they can't run anyway, due to lack of OCSP in our test infrastructure, so they are rather informative.

Co-authored-by: Gabriel Erzse
---
 dockers/stunnel/create_certs.sh | 7 +-
 dockers/stunnel/keys/ca-cert.pem | 36 ++-
 dockers/stunnel/keys/ca-key.pem | 55 ++---
 dockers/stunnel/keys/client-cert.pem | 34 ++-
 dockers/stunnel/keys/client-key.pem | 52 ++---
 dockers/stunnel/keys/client-req.pem | 28 ++-
 dockers/stunnel/keys/server-cert.pem | 34 ++-
 dockers/stunnel/keys/server-key.pem | 52 ++---
 dockers/stunnel/keys/server-req.pem | 28 ++-
 docs/examples/ssl_connection_examples.ipynb | 231 +++++++++-----------
 tests/test_asyncio/test_cluster.py | 17 +-
 tests/test_asyncio/test_connect.py | 14 +-
 tests/test_connect.py | 14 +-
 tests/test_ssl.py | 54 ++---
 14 files changed, 313 insertions(+), 343 deletions(-)

diff --git a/dockers/stunnel/create_certs.sh b/dockers/stunnel/create_certs.sh
index f3bcea6f5d..4065562cfb 100755
--- a/dockers/stunnel/create_certs.sh
+++ b/dockers/stunnel/create_certs.sh
@@ -6,7 +6,6 @@ DESTDIR=`dirname "$0"`/keys
 test -d ${DESTDIR} || mkdir ${DESTDIR}
 cd ${DESTDIR}
-SSL_SUBJECT="/C=CA/ST=Winnipeg/L=Manitoba/O=Some Corp/OU=IT Department/CN=example.com"
 which openssl &>/dev/null
 if [ $? -ne 0 ]; then
 echo "No openssl binary present, exiting."
@@ -18,12 +17,12 @@ openssl genrsa -out ca-key.pem 2048 &>/dev/null
 openssl req -new -x509 -nodes -days 365000 \
 -key ca-key.pem \
 -out ca-cert.pem \
- -subj "${SSL_SUBJECT}" &>/dev/null
+ -subj "/CN=redis-py-ca" &>/dev/null
 openssl req -newkey rsa:2048 -nodes -days 365000 \
 -keyout server-key.pem \
 -out server-req.pem \
- -subj "${SSL_SUBJECT}" &>/dev/null
+ -subj "/CN=redis-py-server" &>/dev/null
 openssl x509 -req -days 365000 -set_serial 01 \
 -in server-req.pem \
@@ -34,7 +33,7 @@ openssl x509 -req -days 365000 -set_serial 01 \
 openssl req -newkey rsa:2048 -nodes -days 365000 \
 -keyout client-key.pem \
 -out client-req.pem \
- -subj "${SSL_SUBJECT}" &>/dev/null
+ -subj "/CN=redis-py-client" &>/dev/null
 openssl x509 -req -days 365000 -set_serial 01 \
 -in client-req.pem \
diff --git a/dockers/stunnel/keys/ca-cert.pem b/dockers/stunnel/keys/ca-cert.pem
index 460354d9ad..291cf8e23f 100644
--- a/dockers/stunnel/keys/ca-cert.pem
+++ b/dockers/stunnel/keys/ca-cert.pem
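Review bot: In dockers/stunnel/create_certs.sh the server request now uses `-subj "/CN=redis-py-server"`, a label rather than the name clients connect to (the notebook in this patch uses `localhost`), and none of the visible commands sets a subjectAltName, so a client with hostname checking enabled will reject this certificate. If that is intended for the test setup, say so next to the command, e.g. `# CN is only a label; the cert has no subjectAltName, so hostname checking must stay off for it`. Otherwise the signing step would need an extensions file passed with `-extfile` that carries a `subjectAltName` for the test host. The server's `openssl x509 -req` command continues past the end of this hunk, so the remaining arguments are not visible here.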
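Review bot: In dockers/stunnel/create_certs.sh the client certificate is signed with `-set_serial 01`, the same serial the server certificate gets in the previous hunk, and both are presumably issued by the same CA (the `-CA` arguments are outside the hunk). Two certificates with the same issuer and serial number break the uniqueness X.509 expects, and some TLS stacks and revocation tooling reject or confuse such a pair. Since this commit is about making the three certificates distinguishable, give each leaf its own serial, e.g. `-set_serial 02` on the command that reads `-in client-req.pem`.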
@@ -1,21 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDaDCCAlACCQCui7X/vxmwGjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJD -QTERMA8GA1UECAwIV2lubmlwZWcxETAPBgNVBAcMCE1hbml0b2JhMRIwEAYDVQQK -DAlTb21lIENvcnAxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxFDASBgNVBAMMC2V4 -YW1wbGUuY29tMCAXDTIyMDExMjE0NTQyMVoYDzMwMjEwNTE1MTQ1NDIxWjB1MQsw -CQYDVQQGEwJDQTERMA8GA1UECAwIV2lubmlwZWcxETAPBgNVBAcMCE1hbml0b2Jh -MRIwEAYDVQQKDAlTb21lIENvcnAxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxFDAS -BgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAtSqof5fXyN/Y6GSLBBNA/zhrqw2qcBW4va6+Wc24WTaBXcP0w13njz+j1b5V -9rbpz0i7WUkg3bBPecFFuCFyQnvn2JaE9b7kX1lLmszanrYfWQ9bYQyecox3HuYq -eu330S+bD0liYh5rV7oEanuSCJW+a/dgEl3l/+Qb0zo2ZNEAXRuBv6lNmvBSsdIt -lc5n/P06ntJ6Ia/7rO0ZEiBb6hLFKfiIo/XvDrGNlYulJEcDmC3PkzzJRGnA7R2F -7Vggj4l4pGE/3EtnA4C/rd0Shf9TIPQFA2HOx3oYsrOonuBYM2urciNeojP5XGY/ -Zdau7hzgFBgF8tWsLU6bKyZ3NwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBJwnf3 -FARRxQF1Q2jIXQdyUS/lqq74C+PZF5IKOKb2K3dT1BFJlBgduvj4Ih5KUakImhMB -SdaiwKzgB9APXNVAgrzSCb49PzXzvmaIFhPmBXSITFFfGupxpo0ZStwI03B0KZBs -l3Zd0SzjKqZNVtTnxyDyWnYNFJtuCGanTjyPcCAFvVwzDQyzZ14liyM389WM950a -ANM7H0iv6U/h7lWhnvBOlRfj89JChBvEROlWuYfyyELZpAXsmuwWdh0pwgGpqMI/ -EtLas2sbX5apE8P1S2Uxc+dS4IjoA/TrnP21rXwJ8AWzrntsZalSx9uueb1qhPp8 -EL7asG4+G3BpQrL1 +MIIDDzCCAfegAwIBAgIUZWdrJiIH/w7FJkNbLTYldxOFEpswDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLcmVkaXMtcHktY2EwIBcNMjQwNTA5MDcyMDE4WhgPMzAy +MzA5MTAwNzIwMThaMBYxFDASBgNVBAMMC3JlZGlzLXB5LWNhMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0N9BXLRx3Hxb+ZGuKi5hZabcDWDMEeUGunJG +F1ijxO9XbNWXxYiR127Le2dMkS3TefU3CNiiYJa7eRxMPAS/wGUp6Bb7LrCoeC3F +1bfJSYnzC6SwhMq66m51VhqctjAbJxBBAPYqyNBFB2w2BQZOIkKDNPgPJTDNmF/7 +G/5jmAaOPlhm1GITnT+sSTyfr/JcoRRbV9VTVc9VUaTjk6ytHsW+K2sK+uWrjdig +qdzZDng0gtasTn907QkTDDyR4E/UY9N47aD2Jy5F3XHesy9kEfuppq+A1WYOs8/H +bXgEL53ncayqDNAgjnid5kHvKJ9wTAPSMDqmupHG0l5ADisahwIDAQABo1MwUTAd +BgNVHQ4EFgQUWg70hcbq4zibHXAFlZd8mHVEWzowHwYDVR0jBBgwFoAUWg70hcbq +4zibHXAFlZd8mHVEWzowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC 
+AQEAe1qupf8GoqCgtzTwFCwmcDygLibX4vI/EfCMOLVZHMgDacDwQbmYPlM+goJT +Pz8WCklopFcMJ6MSdUGy3g4hjKmJpKttTSuhEd3uZWPZYjhRj2SY8531/aAajg9/ +oezyvlgN/DWXAREG31XWyXLzPU7VLbg99mYB+2+lo2cAciAOCBdIOu6WzqnQax82 +aDSqXIHiTGc/5QYZ6ZIzdVRYiVdddKSxTNKZn9x0hu3L8r2e9ryGLLVKJmZfNZDS +tXYwiY3fE0EwYViIPiPlmBEXiBhHlC2kAQMFK8Qd4LgX6rGki4luL15GYxxKPQbF +EtDS9EqM4EdRWZq3SDjOA1zODA== -----END CERTIFICATE----- diff --git a/dockers/stunnel/keys/ca-key.pem b/dockers/stunnel/keys/ca-key.pem index 64db528c48..25989d0817 100644 --- a/dockers/stunnel/keys/ca-key.pem +++ b/dockers/stunnel/keys/ca-key.pem 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAtSqof5fXyN/Y6GSLBBNA/zhrqw2qcBW4va6+Wc24WTaBXcP0 -w13njz+j1b5V9rbpz0i7WUkg3bBPecFFuCFyQnvn2JaE9b7kX1lLmszanrYfWQ9b -YQyecox3HuYqeu330S+bD0liYh5rV7oEanuSCJW+a/dgEl3l/+Qb0zo2ZNEAXRuB -v6lNmvBSsdItlc5n/P06ntJ6Ia/7rO0ZEiBb6hLFKfiIo/XvDrGNlYulJEcDmC3P -kzzJRGnA7R2F7Vggj4l4pGE/3EtnA4C/rd0Shf9TIPQFA2HOx3oYsrOonuBYM2ur -ciNeojP5XGY/Zdau7hzgFBgF8tWsLU6bKyZ3NwIDAQABAoIBACq8mWsgAsNcKusH -bNPVRuvt/1gmrSIrvZzhb/33TZmeBf58j2zW5h0gwiFV+SluFNHVMnzph1tEkDsE -oNHC8hVE7XhmaY8fLPhhNDicQqZWCCcWPFQ0idwzzpX3beX55Q/vzwBYK2FCE8hq -FUiZReXIjVci0AMFK5Cl2vqFLPezAGvaZ4/M1reOF3vCgWl8IXTwYOs4EYd1CJt7 -bMwO9Q6P8V0BVhJO2tdwIe5XL5X086sMMPYXqMuwX9m3vZFQFpsZobmoAyYLVY+h -IMoQZdh4O4sFYPQBPzhZXluFDl8rX6G5A9jUPxDfeVz+799RXi31jTYeH01OwM89 -/0BNryECgYEA15hU0qDAnM7fBiTTGbRUT/QPOmEUOPcnWfLWOyJsovAVLL1X0jmt -GFm+FkTtOlcTVgDHXeHNw81zrgDDuW7fwaKloPeyWhyO6rp2jntAz/OayfA5UYOf -REhXdQH7rMAkGgy1t7zKGHTYAslHjD2dOikCuHH/13otSJS4wNvTaZUCgYEA1x6L -abxYDpR7jn2Yym0CbIiZ6tqShtqLi4eNF7PDVe3rUM7gYU767UFSKPvRpsq+BFwf -LLRFgpggNRDrZWoK0ZekHD1x8pCJF+O4pj/Fhra4uI+hInycRQ4xsj9VU/WftxQ4 -aOojB28F0fBO56T90caQVSR09DGNmElSQFcw4psCgYApf8n8DTNmO6/UV+xGi16b -UUhJHXyuBm0NtF+mXFb6+impRf0Mm0uFX2jmknfzfeVb7aRyns9jvD1jJgSGwh/R -/wPQuz0aeVrNNf0yKels3eBStKnj1eknVKF5BVuzgfyxAvdLmcxw7rTRvHrINOf5 -1QEQDemISZ1D1lTF0sqcDQKBgCmE6rGAuZouzF4nHZtMSOB7yQFMKGXAvpgylGfT -uUrXfch99U6yuLmcFuh0GfXQQbaDtTyimpvnEqhLWLOdMPNdCj6tGVYQ0XT77cKg -olYq5CIzDo2icWLep3bYxHZM/QOP8odFUXd41S287O3GqXqYkXjtbWlIOyT+WdKz -QWsrAoGALnac4Vh2s12Cv3YiQbkPtBRe8oxI0h6DEIdBciPDGq6WXq6O2PXXuBhM -X47mObUsSuzI6hI4/vd4/tXD7TM3fS1YDdZXj7d51ZjT/jmlTVxAHa3DJ8i7o+rH -Fqv/lh6MB6FGkXZ9vAGQe5RwUbDD16QO/1mz7fg0YBA9A8plM8s= ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDQ30FctHHcfFv5 +ka4qLmFlptwNYMwR5Qa6ckYXWKPE71ds1ZfFiJHXbst7Z0yRLdN59TcI2KJglrt5 +HEw8BL/AZSnoFvsusKh4LcXVt8lJifMLpLCEyrrqbnVWGpy2MBsnEEEA9irI0EUH 
+bDYFBk4iQoM0+A8lMM2YX/sb/mOYBo4+WGbUYhOdP6xJPJ+v8lyhFFtX1VNVz1VR +pOOTrK0exb4rawr65auN2KCp3NkOeDSC1qxOf3TtCRMMPJHgT9Rj03jtoPYnLkXd +cd6zL2QR+6mmr4DVZg6zz8dteAQvnedxrKoM0CCOeJ3mQe8on3BMA9IwOqa6kcbS +XkAOKxqHAgMBAAECggEAB16eh28qcUrF/VPsNDrMtEcjOSmdfv14s6K34bepQkKQ +8BsdLsVhzUXF0jB+iBojfbMZjQCvwf6vgKzEl9LcZ8+/Sca9zWjtmMfsqgdrsmI2 +psYvIDr9m1XoYpsFGnyEs2fPE1dG19eusn4D7et0svVr0bZK5SyypFoGmcyWUP/M +kA990HAP7enGzPfpvcpr++Iu3EwWlTY3rjYgh9a7AiFhtj9zDzb9Sg0+4Xl9+8TZ +dsOvyVsiLu09MZ3vScGg5l+46w+rai+R0IxpgI9QM0sMxAS3AYFY666akrJqn6NU +S0Q5Q9gZ5V9hHxU7IHfo3weygPQuBW07nbwtX6+JCQKBgQDp7+smBlstRD+1/ZHJ +KO4Xhi+yrhtkKzViC+gF2vXpZ1GQ+3plRJFzRMFu+LkBgn1jPfg479Tm7CM4W4vM +cTZo45+hhnpwmLGnltTf3Vw23yXzLdUMenaE2u66PWh3DFPkPHwNqb30QGnx131Q +Mjnp+2EsBdiZ1d8TFF815ucG7QKBgQDkkiz7I4JgGGCbd51AseFryHgUepsrgeaA +DIWKEKBOoxOnfWH7JOxtm0oXcpWHLciQ4M6FaTFNv2vNA9Hrz5yApXFwIkKgXVU9 ++zsok4eWdEYmwxZFwjCNYvzsIDGBBwa1PQeps6C5L+nciOE8IZHYW7egAR96prV3 +E4ZQ6aWkwwKBgQCL/nJXIAiiLyx9SVBb9C1/UGLs57ommKDqmrtv/ZeZ5KVwQL3/ +KihstaGYOinkmGVW5XfNAuECjB+Lk2U2pC1uWYFm1SYiiY4O/3lGup57i9CXFT9g +p0yTtryUITmJvIvbksKeHo05RO7hthYczuHPfwqooJr9fHpxXYiYpiRtBQKBgCp0 +kFBRhyzsOj2GWTokEDfh85PyNhI9vZ+5M7CyZ+RTXBo3KtToRdYSCxAR435JXcCz +UQjswhCr5o0dEYfYdzxZ/pkSdAevbl7l5FYkGQI0NLeMcv2gFT6dzVban/dUY8WU +QXEfAVKEeM7SyetOXPWwC4p3yu4QOxKUGNW8oFzbAoGBAK3WKV51jhmMz3dtCkGW +UZxcDp5q/3uV29/UUF3/CNEhLcVuQLtNOPYRG+S9zMvwo0SNsz4mZJH1nFDSWSNL +xGXg/Ret9Li4JQTWD47kcheBCVLoTtX1bc66D2LlXDKzN5DRBACxKkAJPUjouhMB +mPDd05msnfgzPBMHMwsNjg5W +-----END PRIVATE KEY----- diff --git a/dockers/stunnel/keys/client-cert.pem b/dockers/stunnel/keys/client-cert.pem index 5c48eb8b3d..4db466a4f2 100644 --- a/dockers/stunnel/keys/client-cert.pem +++ b/dockers/stunnel/keys/client-cert.pem 
@@ -1,21 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIDYDCCAkgCAQEwDQYJKoZIhvcNAQEFBQAwdTELMAkGA1UEBhMCQ0ExETAPBgNV -BAgMCFdpbm5pcGVnMREwDwYDVQQHDAhNYW5pdG9iYTESMBAGA1UECgwJU29tZSBD -b3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNv -bTAgFw0yMjAxMTIxNDU0MjFaGA8zMDIxMDUxNTE0NTQyMVowdTELMAkGA1UEBhMC -Q0ExETAPBgNVBAgMCFdpbm5pcGVnMREwDwYDVQQHDAhNYW5pdG9iYTESMBAGA1UE -CgwJU29tZSBDb3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtl -eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALwWezv2 -WHf6fCyiLYHmi3+Qf/33VmdNAapWzpOZ0Xmuzf8SSoEep/YotvnmIBe8DqspjzBW -eeg+n7qre+qawGv1AOANlStLKeNvnXhWS0bdoAKMP68Q8jvU+YSmJNZTRkg/39MA -YNqxYABYamoIQ7qX+g91HsCxPSzqIyjLwY4hPHGYfxGhRH5ne2RtsYEcMjOJWs8s -U4x6wpwn9Y4vnG1AqpcwY4xm65g/52BWWM9WfZ++y17MynSdoE29EqXCAGqhh1i1 -IRlKN1vr/792VYzOm2fHScaaCaCmhDIlTw0TlOgnfi7CFtY0z6uizSwG4RWCW+3/ -g47T3q8aCnvlkCkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAGuNzbKtvKsdfQaAV -SmeNAZqyoG2Fbmh/txj6j+UThu3tadk07/SukgsM6yepeq05+wguW43eBtig/LzH -pSHCn4s/w0fvu1GqePWsTdGI3xnJakZIlkOXPStIgZJNewT9rD6WoRfthvTOda8v -NBjW0InACnVvzAivX9xhbUB4K/I8aEGaAZwzIGnQbsxygPVZKe/Y8oWhiks0qYo2 -Wev1Swli4EeqbYvg+3TMy7T1pDkjAmAdsv7yJAYKsM3xCu7K8vA/e+2J2hjUQIfI -Thdjb6FNywihVaAK2BUqL6cMgF8I+nX7ywVOBAz+a3F00sSogapztinzqsjFDeT9 -5V/MSg== +MIICpjCCAY4CAQEwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLcmVkaXMtcHkt +Y2EwIBcNMjQwNTA5MDcyMDE5WhgPMzAyMzA5MTAwNzIwMTlaMBoxGDAWBgNVBAMM +D3JlZGlzLXB5LWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALOL3znn2vpX8+VHOlETymeFpw8wsCeOfr9fNhK2o5APIG1NhrGjlu+T7ri/DfrM +ZmjF+uDSuuUs044o5SFOECNi7yOwpdC9YVWSPQQ5VrsMENqyjIYyq2BC7fLHztAt +VF1jg0D0zijfFg/4meG2tAOnXLa0O9WUcmwsNlxEgyFzcLvCoTaXpUJbLYJZ2IxW +BoKgJ85acLlIFQIex053CqmgG/odM8Ib8s1YO+IXI4JsJlJFd9we+zYgZ2TRSZ8L +v8A8gXM+WTBZpZXNXYv020dW22X7gu+VH4LHcg/6eF0GtkdrFdlQjCEjwGIoVFTu +fNSp3NvSSYrK/qeJtSNaSw0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdA1QqJn/ +d4rcSO8z2L64d3SdO4wLf78Qznh3vTrIlQ/i0sESRQppw1U57PHSyYtAJzc1MV39 +zgn8KvuQToPQl9UoRWD6mVK8L//xplTPxWJB4BqD/kUc+lA9akBNU8Yhx7KbI5zX 
+z4OgTIeWAtY9R5CH1xbQlVCqAAk+SdDk2raOebNQMpzJrMUdeDTrgoDaBFnHgDbb +XHQCOF9/LrbBlrTlNJh6PHY8YztrJKdDDhSxJ9Tudz7ynUA+NcZ8dF5o/Co+QD5b +gkVdz/nV8LoDeO8QjJXsgsHFD/B+ljWYeEGc5flFe6jWLGOCtgQB5JhImg9lsWFh +X9i921F9Cqox3Q== -----END CERTIFICATE----- diff --git a/dockers/stunnel/keys/client-key.pem b/dockers/stunnel/keys/client-key.pem index 4117706d0e..a53cbce0f2 100644 --- a/dockers/stunnel/keys/client-key.pem +++ b/dockers/stunnel/keys/client-key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8Fns79lh3+nws -oi2B5ot/kH/991ZnTQGqVs6TmdF5rs3/EkqBHqf2KLb55iAXvA6rKY8wVnnoPp+6 -q3vqmsBr9QDgDZUrSynjb514VktG3aACjD+vEPI71PmEpiTWU0ZIP9/TAGDasWAA -WGpqCEO6l/oPdR7AsT0s6iMoy8GOITxxmH8RoUR+Z3tkbbGBHDIziVrPLFOMesKc -J/WOL5xtQKqXMGOMZuuYP+dgVljPVn2fvstezMp0naBNvRKlwgBqoYdYtSEZSjdb -6/+/dlWMzptnx0nGmgmgpoQyJU8NE5ToJ34uwhbWNM+ros0sBuEVglvt/4OO096v -Ggp75ZApAgMBAAECggEBAJDXLydJ2W7rMdydNzYld59Qg3/rjFoYbwPhvUrk1O9D -sdaPG1i7ZtSlHeLrWCNu6kzcwCuVLGOwdgimLdLIQQ3hqj7fttOUGjnOphEZQvbb -jHDp19DU1/VDWLLRzuRNVH4m0hIG5I8EsM0TST9GBgIXLrXgl0IEOvvvggvUfMUZ -eGrrVsW56XIc25LZCalf20lcoyKa2hVjtlF2ds41PY6WqytkRJ7zpnBzO4g+Kz3D -iA2rzNn/Ds2CCvuNDA8UF6qG/INbcySaq+qbSYLohWSsz9smIhkWUyF4YfbtziZr -8AbxZKbS8VopSFxF+o35CbEZeTPkFkrBfbD0xUlCeEECgYEA6h1hLodTeQUpQoc3 -6brWvw1gM/tM0RyKbpOEwJGK1MnX99IM5z6qGY+d1htl7cB3RARpaY1HAvRXHhXt -9qaSdhqR1hagZLn2vbelFkbJ0N1agdR6XYgGoxfH2RCluNfZZPOB6urfCLNbMjgb -B1rkvIWiELCzujwsZ6m5sOomP70CgYEAzauggpcqEXQ4P4+y6B/8gOt7chuRczft -1YTj2Y5tfZSTZmh01BUgenDgA1+NFJ9ni33P6+Ij/1D0ZGdea5Lqw2VP1ZDEIYSm -j3ekkge/0AljZgIil2UviBhx5W2BlwnlukIwMvzVRwDulQsV3sDxprZKHYTaRcnC -EB4Y9T6uUt0CgYBjeCojP8IaiDPYnWUHPKgjMoaub1Za/ppekvTzcKMg98V3+Noc -okZZZ+iy4J81HfJOhuVWwHzsZ25gTQb3JhzSa0WNRb3OLikEwHM2/MqgoHvk76cx -+CqBvwfdVTJkT+mA9+k6K6KpqrLTqnzpahgHdWu/VaR3OzvOq5FG9qVbrQKBgF5F -xRUW5RmLBB1eaMstnjgZuEPdjxYZFNNCTo5yUo21hLr0NljgNjrpckUZjzlct8Gg -saWVyppFKUC8gPMeLK3TynxCFySmARLR7IVjN/DL3NvtLp3mq5reWZaoUzZAOyTd -Ieq9KaWaL8HxitzH4/xeoipVsxc6G9H3eckwKgehAoGBAM/E0qLpEXOaLxODY8tt -+qpoNWHZn1M6cVX+tA/6igKfqUY96lefLmEiV1N01qW7+keFMXT12X/edsykG8jd -gcNkNjSNwDSi8ixl0YlQwRJjX93TEip78sisQ3mCUqZUCNbm0Dm66Bqe8rAD5AdF -G4oVbUu1gN0StX85Uw8J0AYS +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzi98559r6V/Pl +RzpRE8pnhacPMLAnjn6/XzYStqOQDyBtTYaxo5bvk+64vw36zGZoxfrg0rrlLNOO +KOUhThAjYu8jsKXQvWFVkj0EOVa7DBDasoyGMqtgQu3yx87QLVRdY4NA9M4o3xYP ++JnhtrQDp1y2tDvVlHJsLDZcRIMhc3C7wqE2l6VCWy2CWdiMVgaCoCfOWnC5SBUC 
+HsdOdwqpoBv6HTPCG/LNWDviFyOCbCZSRXfcHvs2IGdk0UmfC7/APIFzPlkwWaWV +zV2L9NtHVttl+4LvlR+Cx3IP+nhdBrZHaxXZUIwhI8BiKFRU7nzUqdzb0kmKyv6n +ibUjWksNAgMBAAECggEAEelgSZyRwevITxU+AhyhUpaIxgErcabLijfrYw6JXrPD +nmPfjhUt15TAefnFYUHG7ajikE81ietg54u44AuznHQgO0VCJYLfFPRT1foKZvqb +K9YoIrMnWaETr+azAR2kjvSAgZhqgLVQtCMu5s+dQcgOfcOZPINkrtnySl4jXtDE +SOTaj65VjSIkura17rj7nJNUPmDGFwsxwKpeEcXZTfa//ypT/hHVREkRmbSFk5Kw +rf3T3O1pMVF8+SeacK/oyDUf3ISc8wn9Xmwgpv8I74xWtDy3kAs315tfWPMOHe4b +CYk7GD1fu2rVRhtDCvkljiw2NejfeMzKt5+2wLXRmQKBgQD0KeCv8vdw6JBLH6PI +72yE/GRkjAn4KfhmHK+1GZN6m49DV4XAYaA7T6u2Q3gn9gNsVsHC2FCsCHy63BpA +I6ZJfdm2rcJkqgeKKRQpLBRedDMpQLY1WyXjugpV46KmA0ThtgtZeVKilJWvamHs +t/TwSbf/humg0cIcamEnkKVawwKBgQC8QBS1pfMqlSodylbPG0VaJqgdF/yAthp6 +gunVqpgbTMqGLTCpKUfSgPMpzu8znaCNeZN0EK1p7qZ7VE1VHpVoyQHC9Eu8d6PF +HAENaOUcUoCQNtXLoaN4waSjt7i6vYRldT/qrYB1YdpkkVKdj39w2N+uaxtZzDXu +hHu0eixF7wKBgCR3TLN6mjImycYuh4uvFooWF/hcYfDKc+rsReHKXBhnu1HXdIZz +DjdNgtvJ39w4BfLcUjwDiqjm65oM3W7O5Dr9rNJ3yRy3uECOOhCcIL6qpCl5HL2D +S3ljg7+oK9aXjmYXhkJquEjH4EM+pDlykAaDPBPR1nrKWS9dQ/1gwRF5AoGAd+Uo +S3jiIqDWLhsMpuNrjDtKnx0DyMYynwx5+YepUNnbsxFdCKAuCjfupxYQ6wLdmr1v +2GA20l0Y0zuh9TCBYDeFU7Fb+zEHsSZg1TWVljBFiZQjHopYHzTVsx/0G5tQk33V +s5XFVv13ps2XnJokRK8b5254AP067Cqczxlw0SkCgYEA0ito+l4TOa1/DnsbP1Q0 +kgeTb/9wPHpHVJ0Hz6vIXabaDlvvYwgRh151+9xzMmrs/0QCbI2+SHucAzu4RTjM +MAiytSBQtXA+L9deNNU9QqPKsy6/Xq6SsKLRkL9kiUasiUE0v7c/T7L9D81nTFuS +8htCfXw1/Tf8tLb+Rtvvwtw= -----END PRIVATE KEY----- diff --git a/dockers/stunnel/keys/client-req.pem b/dockers/stunnel/keys/client-req.pem index ecf83f4daa..62828e1950 100644 --- a/dockers/stunnel/keys/client-req.pem +++ b/dockers/stunnel/keys/client-req.pem 
@@ -1,17 +1,15 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICujCCAaICAQAwdTELMAkGA1UEBhMCQ0ExETAPBgNVBAgMCFdpbm5pcGVnMREw -DwYDVQQHDAhNYW5pdG9iYTESMBAGA1UECgwJU29tZSBDb3JwMRYwFAYDVQQLDA1J -VCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBALwWezv2WHf6fCyiLYHmi3+Qf/33VmdNAapWzpOZ -0Xmuzf8SSoEep/YotvnmIBe8DqspjzBWeeg+n7qre+qawGv1AOANlStLKeNvnXhW -S0bdoAKMP68Q8jvU+YSmJNZTRkg/39MAYNqxYABYamoIQ7qX+g91HsCxPSzqIyjL -wY4hPHGYfxGhRH5ne2RtsYEcMjOJWs8sU4x6wpwn9Y4vnG1AqpcwY4xm65g/52BW -WM9WfZ++y17MynSdoE29EqXCAGqhh1i1IRlKN1vr/792VYzOm2fHScaaCaCmhDIl -Tw0TlOgnfi7CFtY0z6uizSwG4RWCW+3/g47T3q8aCnvlkCkCAwEAAaAAMA0GCSqG -SIb3DQEBCwUAA4IBAQAqLgfkWWIE1RV1TENnr9jT+SK8u3F2nX4mUzNmy8azq52I -fO8qPKmvV2amt5y961jNpR+rRpARncONuf6NQR5qCMu/EKjVi9BhOkoIOK0RjgtK -AkCTON1J8022JDQpN5/H5ZpLDkIlBtpwDvEaR/PnTaJxtGwLY8HxY6h20PDjP3J9 -Xu3w3m/s3uVjFG07RDvbwK02vYskePnlsKVw+uu5C2blOQRlRVvdCCkwN0y6IiWW -uRGRSzwufgejrfDUJG4VZuNpvWjFfzjHW105g1AxaTW3anRqBSNxYF+iawfbGdf4 -bGT4Wazbwq5uU3uixxOzxPMI5ZP/gn0ywz9S1RRK +MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPcmVkaXMtcHktY2xpZW50MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs4vfOefa+lfz5Uc6URPKZ4WnDzCwJ45+ +v182ErajkA8gbU2GsaOW75PuuL8N+sxmaMX64NK65SzTjijlIU4QI2LvI7Cl0L1h +VZI9BDlWuwwQ2rKMhjKrYELt8sfO0C1UXWODQPTOKN8WD/iZ4ba0A6dctrQ71ZRy +bCw2XESDIXNwu8KhNpelQlstglnYjFYGgqAnzlpwuUgVAh7HTncKqaAb+h0zwhvy +zVg74hcjgmwmUkV33B77NiBnZNFJnwu/wDyBcz5ZMFmllc1di/TbR1bbZfuC75Uf +gsdyD/p4XQa2R2sV2VCMISPAYihUVO581Knc29JJisr+p4m1I1pLDQIDAQABoAAw +DQYJKoZIhvcNAQELBQADggEBAD3H8McA7SmTrswSp0lw1C1UFmtazhKbFYY3/+Ld +ntZimzTy4Y5Ai1UW/blgwVLZxWWzazfkfWPMsRXtWcttuW/pxFGkLlyzFm4OsUQA +hpxtUNlmEwzcYZAin3qNnCA9bQfGL/z+zUcuMuf6HGplAUhtPhTUnvGZ2B7rJ+aC +syyt+/T/JJdnnnY0o4s4OzQa9ow6P7mC6egefHgLrtFbbuB4L/L/NdVj5NBzkXso +kmHLTUwkEtKOiG4gFLRDXsgXCy+sfEEqqWapeFhOQdagENYg+LXSN0jpxGWeR1J/ +vZHMSJT4GK4SgyNpZFu5To2lf7ucw6ywCFfg6jH2EWQeCjk= -----END CERTIFICATE REQUEST----- 
diff --git a/dockers/stunnel/keys/server-cert.pem b/dockers/stunnel/keys/server-cert.pem
index 3a1bf72011..c17bf9ca0f 100644
--- a/dockers/stunnel/keys/server-cert.pem
+++ b/dockers/stunnel/keys/server-cert.pem
@@ -1,21 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIDYDCCAkgCAQEwDQYJKoZIhvcNAQEFBQAwdTELMAkGA1UEBhMCQ0ExETAPBgNV -BAgMCFdpbm5pcGVnMREwDwYDVQQHDAhNYW5pdG9iYTESMBAGA1UECgwJU29tZSBD -b3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNv -bTAgFw0yMjAxMTIxNDU0MjFaGA8zMDIxMDUxNTE0NTQyMVowdTELMAkGA1UEBhMC -Q0ExETAPBgNVBAgMCFdpbm5pcGVnMREwDwYDVQQHDAhNYW5pdG9iYTESMBAGA1UE -CgwJU29tZSBDb3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtl -eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxZETTb -dxqFsNjUIJbpS6ZT9RkH/dWYTVk1uRUMh6Cr6920g/7pSaRLIx8guTDHa1jhPIlX -lax7oZyX9coLjhSc6cy0ZmoH0zrp8ZbRc/qOawuO62arKP89pO/18MB3r9zPb1PJ -evTP203+2a8ly25cscMTUge+rHMFAUW+/01hc90CY9ial9oCl9wtoPdPGA8XlX3u -RswOAM79fM+Szvv+bX0VvFakkfHIE8oIK5/rJYDswBKAshw5CjW/OEjD6FbCb84c -1E7jJhwwd6X70yDMOrJ8iVkA/lpzfoosiuYm/okgbPPXWEo8aa//MrSH90l2+M9q -Vvn8hbmwlJl+2IMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAEcTps0CUnBZJBH/w -8oJo8kAvsHhFTLJpTtiztut5qI+FMgC6sPcVUKi95gie2pdJ91y6sFzqLpghAciR -ocYBy/jxK0M7OGJHLpUPeCS1yxeEyeZXpMPS90bUo1tPh7QDAojoRrFYo6M6DbL3 -dcErTJlvKnBBT9/DmENx75R+1nSB86vq0je+X0IqbZXeJyWju6ybjbwo1NPpnu+f -jnXTG0+ZIsepms0VTXwcTy3dthIE+uw4XqTQ1qYg2stQAOUJ0nmb68NExi5zom5G -0nh7tZnL0N+Z+XeNo7gaVatxfmgyk/HO2Vl4Wk4NA0PkR0yk2vNUwS0rKAb2mYc6 -T2gHdQ== +MIICpjCCAY4CAQEwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLcmVkaXMtcHkt +Y2EwIBcNMjQwNTA5MDcyMDE5WhgPMzAyMzA5MTAwNzIwMTlaMBoxGDAWBgNVBAMM +D3JlZGlzLXB5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOg14yTsgmakeSFuqtvy4fV1rcSgLiGdGKzOBsoytmCZzV++5Jljj7utSpJiYMYk +HOTZtyqAVwmF/0yyZ25lbEHR/N3S3Jj/al4EG9u+K7O3eNZrTQkg4+ifwcT+V1Xo +s6f+L6BRld4y78QVZwdEsTy4SIeSAwGygACymEWYZ6NZBgM2xgp8SInHYxHP3gXh +02wioB79B62DExFVUKwUXjbUhPooyvGf9MMpUrmdFmQFfcosW/urCQF9YI6ZcPnr +ybXJ6kiplmNKeVD4dEyQLYNp09alnT6q+pcJa+NwW6O0eyqEsHQxCJyo9ZA3IW5I +SH+oftVxnZJIIPcsXABuH10CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdWY0UeR4 +/9hpK3Mhl8VVz0zQwwEfnxCmI/TxpqNw+5lvpit/WvriIAEP9MToWHwYvG24zRrp +zv/LDHNh8UtnX3GILGs0CY/oFDevAEU1tixbmFJPceuMwKsrMtkp/6NyWF4p62o2 
+fiQK68l1HSGgaH7kJ6BKYgV4JQK3Fgk9J4KrejwmYXzCFKcEvNtKMG7i0WN+AmK2 +vnxxZ3xx4HPH3OJ5ss6T2gGlvjFnOS7Z0kHtbkzPzxaC9ZVqMySwPRggf84tUUdk +vCwDHiJcbk5BMLug3yI9xTfSG3lMnwgZAWXMOqm/w6c1IIM8R/nKwNfwbG+4eUK0 +t2F8EBCShzAJGg== -----END CERTIFICATE----- diff --git a/dockers/stunnel/keys/server-key.pem b/dockers/stunnel/keys/server-key.pem index 62595e017c..8dd9a1e21a 100644 --- a/dockers/stunnel/keys/server-key.pem +++ b/dockers/stunnel/keys/server-key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDMWRE023cahbDY -1CCW6UumU/UZB/3VmE1ZNbkVDIegq+vdtIP+6UmkSyMfILkwx2tY4TyJV5Wse6Gc -l/XKC44UnOnMtGZqB9M66fGW0XP6jmsLjutmqyj/PaTv9fDAd6/cz29TyXr0z9tN -/tmvJctuXLHDE1IHvqxzBQFFvv9NYXPdAmPYmpfaApfcLaD3TxgPF5V97kbMDgDO -/XzPks77/m19FbxWpJHxyBPKCCuf6yWA7MASgLIcOQo1vzhIw+hWwm/OHNRO4yYc -MHel+9MgzDqyfIlZAP5ac36KLIrmJv6JIGzz11hKPGmv/zK0h/dJdvjPalb5/IW5 -sJSZftiDAgMBAAECggEAct5+daAIy7frOXfE+hAanl0DohaD8dWzZTp12Ac7Fm6O -IAqhSGILK3exPoY+k9UF2uiCBxJc6KB2sHgbioAEVkH+izu9dkz/yFZJn+YNtALq -2Yx1dzkvyor0dI9jzk15Zj6U7hyMKaHOPYHNDE/Kkzc4Fdh+fCwK9H0TwgkjqnLj -hfRK32+SqaftkhZnCxaFfdVVzhonWsaB7VcyUPdIHAMG0xUQ9oNTM0WLPotU/uh0 -XDCemwXhkqfKaAlnj0YBsu65WOTTiPixOPigDe745CHFBXwvCF28kxjSbCAVlHIv -JcTtq1EA+fNHRTeHgNGSpqOdfuVrBMyp3KiztLBfQQKBgQD47MFmQphXVQWRmKoU -gCFf28notV8J0VGyG7E0tFMS3GgyAAl8H8I6fB9UYOmD95PrHTROxKpc7jYtZRW3 -KcYJP5zKa+DqSSks8I5dLwFkKYVC0GiEJWuRwS9aHaD7ja65NtXJO+2iZ598s39w -iSx0OAvaf9cFUrsAmHAE84c+/QKBgQDSJ/VE1CS0Tv2kL5Wbr/RmgYBZbXHnRz6j -LFA7JwX3seHtuo+WBe8BMOMS4YqW6K2YTqwU8NtN1oATWg72TcLhwJZ3sKGPiMhM -/cHW0dJqYsXujIOd/dlSr+j9Mouoxm6Spl+hGpj2IPUV9Dlm8N4SqPk83m0O+8Hy -P088HK7NfwKBgQC3D0XbMjZeY0RJIoBRuzjQCg6eeGOAENOHrB3RqJs/T5/AxY40 -Hhb0c7uGjg6s4jGBwmRpWPAAj56AG8qwfKQKwSFJK7SoF02UowPPO3ZGdtJtpF54 -cBx/gBaWqxtsY3GO++iUqOHFgXckeczKsdZjUaRF96XlYEXt1izrNzzK8QKBgQCP -OsCE6nkhknx3/B5g/2j4u+Y4DMmGsR3VpAwCZLRCfq/WkEHwI5cjHqiEY8dK1sYJ -egT6OLWetUSQ694qrBDYP6PNa0qRQs4Q+xmzSUm5TBxOWuIROcN2AYIvntVkb+lI -da/TYwdBKHEhR1Qf/qW73gIQJB/8CEXEzrU36OySDQKBgQD35khRdiU+1bPt/DpW -+8A+88BuxXMFxKYtEoMuTJnb7enarwp7+FtY6WhNgOgxELTpRbYw9496mOmNbJKL -PmTXzs3aS5bv/2JTtc5+CHzf9PJ+jAYWnh9hCq9x/mA0QRMQAZEi8vhhYFaWiiV3 -wUYnDFnnAKia1VILt9jZ7I4T7Q== +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDoNeMk7IJmpHkh +bqrb8uH1da3EoC4hnRiszgbKMrZgmc1fvuSZY4+7rUqSYmDGJBzk2bcqgFcJhf9M +smduZWxB0fzd0tyY/2peBBvbviuzt3jWa00JIOPon8HE/ldV6LOn/i+gUZXeMu/E +FWcHRLE8uEiHkgMBsoAAsphFmGejWQYDNsYKfEiJx2MRz94F4dNsIqAe/QetgxMR 
+VVCsFF421IT6KMrxn/TDKVK5nRZkBX3KLFv7qwkBfWCOmXD568m1yepIqZZjSnlQ ++HRMkC2DadPWpZ0+qvqXCWvjcFujtHsqhLB0MQicqPWQNyFuSEh/qH7VcZ2SSCD3 +LFwAbh9dAgMBAAECggEAI0llDgxeuIhP2/O8RRZAnhNW56VLvVHpGQFp6LoSGtXk +bqNMi76kbemkhmAqwpFkTqaC/hNoporVQ+tsaktBSzNE0NSlLx7JJCZNsXPRokrE +Mxk1KKj12TjFslDQJr7o5iNrS1p6gryM0OhLssAOiuKaKvfWOyDL8M8y8oh5X0ny +1M6IAJMkbpwiWU2OHIH7irkS8fYyCeOz0JMovCwMPwYkovHD7uHKbV4qGKzdOKN1 +QD8qMWAF1lCv/57juuwpzulGY3sSyU7yRZMMxJQ7nbIRj5iuj6+e2m6JhVghIiYG +IObIkGyubCr9QH315byiSS9ma1xzml3EqyM3XQkEhQKBgQDyxGY+60/dkUW9vAAm +g20eVZnflhE8+ooEpX9VPIliL7ADy3HU2poV2oXif8pVauMvRaYla8BHIOPV2qGI +tHTYNvubs6lxEq2Z7gM+8c5qOElXjup8Ch9/XCHXZavW8caWEcA9Z84Z4dCxbaku +EhEL0SduCn7j1tU1+Z9jBs08ewKBgQD03i29kCUeCnW+zEo+aO2Spn6HpdyZkuzG +2az5XurHGUFAgWYLOpShatjD4BY1GONvJTlD/gH2vqEkfY2OGgZ2pbjCFSfhIma/ +cnMuhsO2IlcuETqzlod1HGHcn6gGRM5LvYP343UIdv9nmJaT31nckueWv+yBd8HO +kAx1W2boBwKBgBtM7tqgh8i474jYvYOXQAwrQDSeoa2j1yWSnvEs7541Eqw6ksCH +HNDcVDYWfOCCNq44POj0ZxkYn8aK4aOH96Pg+waVe7aVjSREWeUYOEhFsCnCjqgI +U2Z1K/EXI+32Hoj90gqVw92xQVDSrjXaHkSf7rk3QPHKVQvO2JfAShBFAoGAW5ic +nZNE/ybEgrmicBQKAlh7bjxx95SJM50LYkDKK+3bhcihpkOkg3kXWrYBOJ11vga7 +lB55F5aZaq/4epZroog9Q4RsZX/b1XN3eIj6vq+70sSpI7KEOx+Bz+h9DtNAI/7h +VaHlDmSNB3CBqxDaaXMeZDqouolUmvMxZdjp9pMCgYEA1Y7vhCvMZA62OJwFJ4X8 +9Xg7bPE3jZQ6Tj3FbVCMy+RQdlo8GzYeoNZDjhpSxjJe/1lyk//EBwVNs3E4rRNl ++GcaEOo0X/J7SkPFqM6aFITypIIGeJpFyz/S99i/5tkfsNt9BQtiTS+x1Kj1iREV +bXIoNJRac5m/LLZKtDtHv18= -----END PRIVATE KEY----- diff --git a/dockers/stunnel/keys/server-req.pem b/dockers/stunnel/keys/server-req.pem index 361891d1c8..6d853693fb 100644 --- a/dockers/stunnel/keys/server-req.pem +++ b/dockers/stunnel/keys/server-req.pem 
@@ -1,17 +1,15 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICujCCAaICAQAwdTELMAkGA1UEBhMCQ0ExETAPBgNVBAgMCFdpbm5pcGVnMREw -DwYDVQQHDAhNYW5pdG9iYTESMBAGA1UECgwJU29tZSBDb3JwMRYwFAYDVQQLDA1J -VCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMxZETTbdxqFsNjUIJbpS6ZT9RkH/dWYTVk1uRUM -h6Cr6920g/7pSaRLIx8guTDHa1jhPIlXlax7oZyX9coLjhSc6cy0ZmoH0zrp8ZbR -c/qOawuO62arKP89pO/18MB3r9zPb1PJevTP203+2a8ly25cscMTUge+rHMFAUW+ -/01hc90CY9ial9oCl9wtoPdPGA8XlX3uRswOAM79fM+Szvv+bX0VvFakkfHIE8oI -K5/rJYDswBKAshw5CjW/OEjD6FbCb84c1E7jJhwwd6X70yDMOrJ8iVkA/lpzfoos -iuYm/okgbPPXWEo8aa//MrSH90l2+M9qVvn8hbmwlJl+2IMCAwEAAaAAMA0GCSqG -SIb3DQEBCwUAA4IBAQCljqLOTU3tFEqxJ2AbZ5HVg9AN/SEUX8c/SyzCBii3r9Dj -ubp0YWvYvgm7lnXsFAVDznf89RAzwdFur5iAQ95VfWBW6NEjdFQIh51KF6P/Qzjg -TbctVeX/MTPuKewVhkQg9/sRmegbb+RBKEeCZccLUVuk5DAgFmi0cFP4e50uuNRG -gwskG9nJp/X5aBd4Y1YKg8XS+WLPwwrYvffoHN8mWHh+YqF16MbxMHM5xRMWu6E7 -801EzEWAW5Y8J2ssp/9FSI+aXOhk68aNlIVNc2R6Rg1IA8zKV4WSWTMUWAud832h -z9UZH/YkPgipuiflpKBGs5lbElRx3o6lYblhRL8J +MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPcmVkaXMtcHktc2VydmVyMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6DXjJOyCZqR5IW6q2/Lh9XWtxKAuIZ0Y +rM4GyjK2YJnNX77kmWOPu61KkmJgxiQc5Nm3KoBXCYX/TLJnbmVsQdH83dLcmP9q +XgQb274rs7d41mtNCSDj6J/BxP5XVeizp/4voFGV3jLvxBVnB0SxPLhIh5IDAbKA +ALKYRZhno1kGAzbGCnxIicdjEc/eBeHTbCKgHv0HrYMTEVVQrBReNtSE+ijK8Z/0 +wylSuZ0WZAV9yixb+6sJAX1gjplw+evJtcnqSKmWY0p5UPh0TJAtg2nT1qWdPqr6 +lwlr43Bbo7R7KoSwdDEInKj1kDchbkhIf6h+1XGdkkgg9yxcAG4fXQIDAQABoAAw +DQYJKoZIhvcNAQELBQADggEBAGMLI6jfG95L1Kqny8+Fl9sVnJ4ynb5905Hk9vXJ +V/BVc3P6JS6c4qYSeFd6wihHC7/j2EC3wt55Sj6JzYKy93AEjBfDfBb2ZuB6VpPy +iGKXzSGO71ziI2uzz92ltJhptNc6TNUUxwaBhOZiq2sxnLpnIcPZ/txDC75fGYEm +9iSbeeHNNZTSqQyQOzKW0OL6ss+GHhlfJPzx6mSH5dvb6bpKB2SCG1aZaDuOQTl3 +8aDIo1Z/ug6BrqoDMCyRAZTDnTohhC96bbKLRMdm0g3wwDeoWuQy1q9s1/AUYfBm +305LUYORBdFy08n41lFWo1JA4errzBhVTpHNKZ6DyQfMOxA= -----END CERTIFICATE REQUEST----- 
diff --git a/docs/examples/ssl_connection_examples.ipynb b/docs/examples/ssl_connection_examples.ipynb
index a3d015619f..c94c4e0191 100644
--- a/docs/examples/ssl_connection_examples.ipynb
+++ b/docs/examples/ssl_connection_examples.ipynb
@@ -11,12 +11,12 @@
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "## Connecting to a Redis instance via SSL."
+ "## Connecting to a Redis instance via SSL"
 ]
 },
 {
 "cell_type": "code",
- "execution_count": 5,
+ "execution_count": null,
 "metadata": {},
 "outputs": [
 {
@@ -25,7 +25,7 @@
 "True"
 ]
 },
- "execution_count": 5,
+ "execution_count": null,
 "metadata": {},
 "output_type": "execute_result"
 }
@@ -33,8 +33,13 @@
 "source": [
 "import redis\n",
 "\n",
- "ssl_connection = redis.Redis(host='localhost', port=6666, ssl=True, ssl_cert_reqs=\"none\")\n",
- "ssl_connection.ping()"
+ "r = redis.Redis(\n",
+ " host='localhost', \n",
+ " port=6666, \n",
+ " ssl=True, \n",
+ " ssl_cert_reqs=\"none\",\n",
+ ")\n",
+ "r.ping()"
 ]
 },
 {
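Review bot: The first example passes `ssl_cert_reqs="none"` without the markdown saying what that setting does, and the `from_url`, ConnectionPool and minimum-TLS-version examples in the following hunks do the same (the last two add it in this commit). With it the client does not verify the server certificate, so the connection is encrypted but the peer is not authenticated; that is acceptable only against the local test stunnel. A sentence in the first markdown cell would keep readers from copying it elsewhere, for example: `ssl_cert_reqs="none"` skips certificate verification and is used here only because the examples run against the test certificates; use `"required"` together with `ssl_ca_certs`, as shown further down, for anything else.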
@@ -48,39 +53,30 @@
 "cell_type": "code",
 "execution_count": null,
 "metadata": {},
- "outputs": [],
- "source": [
- "import redis\n",
- "url_connection = redis.from_url(\"redis://localhost:6379?ssl_cert_reqs=none&decode_responses=True&health_check_interval=2\")\n",
- "url_connection.ping()"
- ]
- },
- {
- "cell_type": "markdown",
- "id": "04e70233",
- "metadata": {},
- "source": [
- "## Connecting to a Redis instance using ConnectionPool"
- ]
- },
- {
- "cell_type": "code",
- "execution_count": null,
- "id": "2903de26",
- "metadata": {},
- "outputs": [],
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "True"
+ ]
+ },
+ "execution_count": null,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
 "source": [
 "import redis\n",
- "redis_pool = redis.ConnectionPool(host=\"localhost\", port=6666, connection_class=redis.SSLConnection)\n",
- "ssl_connection = redis.StrictRedis(connection_pool=redis_pool) \n",
- "ssl_connection.ping()"
+ "\n",
+ "r = redis.from_url(\"rediss://localhost:6666?ssl_cert_reqs=none&decode_responses=True&health_check_interval=2\")\n",
+ "r.ping()"
 ]
 },
 {
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "## Connecting to a Redis instance via SSL, while specifying a minimum TLS version"
+ "## Connecting to a Redis instance using a ConnectionPool"
 ]
 },
 {
@@ -94,34 +90,35 @@
 "True"
 ]
 },
- "execution_count": 6,
+ "execution_count": null,
 "metadata": {},
 "output_type": "execute_result"
 }
 ],
 "source": [
 "import redis\n",
- "import ssl\n",
 "\n",
- "ssl_conn = redis.Redis(\n",
- " host=\"localhost\",\n",
- " port=6666,\n",
- " ssl=True,\n",
- " ssl_min_version=ssl.TLSVersion.TLSv1_3,\n",
+ "redis_pool = redis.ConnectionPool(\n",
+ " host=\"localhost\", \n",
+ " port=6666, \n",
+ " connection_class=redis.SSLConnection, \n",
+ " ssl_cert_reqs=\"none\",\n",
 ")\n",
- "ssl_conn.ping()"
+ "\n",
+ "r = redis.StrictRedis(connection_pool=redis_pool) \n",
+ "r.ping()"
 ]
 },
 {
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "## Connecting to a Redis instance via SSL, while specifying a self-signed SSL certificate."
+ "## Connecting to a Redis instance via SSL, while specifying a minimum TLS version"
 ]
 },
 {
 "cell_type": "code",
- "execution_count": 6,
+ "execution_count": null,
 "metadata": {},
 "outputs": [
 {
@@ -130,42 +127,30 @@
 "True"
 ]
 },
- "execution_count": 6,
+ "execution_count": null,
 "metadata": {},
 "output_type": "execute_result"
 }
 ],
 "source": [
- "import os\n",
 "import redis\n",
+ "import ssl\n",
 "\n",
- "ssl_certfile=\"some-certificate.pem\"\n",
- "ssl_keyfile=\"some-key.pem\"\n",
- "ssl_ca_certs=ssl_certfile\n",
- "\n",
- "ssl_cert_conn = redis.Redis(\n",
+ "r = redis.Redis(\n",
 " host=\"localhost\",\n",
 " port=6666,\n",
 " ssl=True,\n",
- " ssl_certfile=ssl_certfile,\n",
- " ssl_keyfile=ssl_keyfile,\n",
- " ssl_cert_reqs=\"required\",\n",
- " ssl_ca_certs=ssl_ca_certs,\n",
+ " ssl_min_version=ssl.TLSVersion.TLSv1_3,\n",
+ " ssl_cert_reqs=\"none\",\n",
 ")\n",
- "ssl_cert_conn.ping()"
+ "r.ping()"
 ]
 },
 {
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "## Connecting to a Redis instance via SSL, and validate the OCSP status of the certificate\n",
- "\n",
- "The redis package is design to be small, meaning extra libraries must be installed, in order to support OCSP stapling. As a result, first install redis via:\n",
- "\n",
- "*pip install redis[ocsp]*\n",
- "\n",
- "This will install cryptography, requests, and PyOpenSSL, none of which are generally required to use Redis."
+ "## Connecting to a Redis instance via SSL, while specifying a self-signed SSL CA certificate"
 ]
 },
 {
@@ -179,48 +164,42 @@
 "True"
 ]
 },
+ "execution_count": null,
 "metadata": {},
- "output_type": "display_data"
+ "output_type": "execute_result"
 }
 ],
 "source": [
 "import os\n",
 "import redis\n",
 "\n",
- "ssl_certfile=\"some-certificate.pem\"\n",
- "ssl_keyfile=\"some-key.pem\"\n",
- "ssl_ca_certs=ssl_certfile\n",
+ "pki_dir = os.path.join(\"..\", \"..\", \"dockers\", \"stunnel\", \"keys\")\n",
 "\n",
- "ssl_cert_conn = redis.Redis(\n",
+ "r = redis.Redis(\n",
 " host=\"localhost\",\n",
 " port=6666,\n",
 " ssl=True,\n",
- " ssl_certfile=ssl_certfile,\n",
- " ssl_keyfile=ssl_keyfile,\n",
+ " ssl_certfile=os.path.join(pki_dir, \"client-cert.pem\"),\n",
+ " ssl_keyfile=os.path.join(pki_dir, \"client-key.pem\"),\n",
 " ssl_cert_reqs=\"required\",\n",
- " ssl_validate_ocsp=True\n",
+ " ssl_ca_certs=os.path.join(pki_dir, \"ca-cert.pem\"),\n",
 ")\n",
- "ssl_cert_conn.ping()"
+ "r.ping()"
 ]
 },
 {
 "cell_type": "markdown",
 "metadata": {},
 "source": [
- "## Connect via SSL, validate OCSP-stapled certificates\n",
+ "## Connecting to a Redis instance via SSL, and validate the OCSP status of the certificate\n",
 "\n",
- "The redis package is design to be small, meaning extra libraries must be installed, in order to support OCSP stapling. As a result, first install redis via:\n",
+ "The redis package is designed to be small, meaning extra libraries must be installed, in order to support OCSP stapling. As a result, first install redis via:\n",
 "\n",
- "*pip install redis[ocsp]*\n",
+ "`pip install redis[ocsp]`\n",
 "\n",
- "This will install cryptography, requests, and PyOpenSSL, none of which are generally required to use Redis."
- ]
- },
- {
- "cell_type": "markdown",
- "metadata": {},
- "source": [
- "### Using a custom SSL context and validating against an expected certificate"
+ "This will install cryptography, requests, and PyOpenSSL, none of which are generally required to use Redis.\n",
+ "\n",
+ "In the next example, we will connect to a Redis instance via SSL, and validate the OCSP status of the certificate. However, the certificate we are using does not have an AIA extension, which means that the OCSP validation cannot be performed."
 ]
 },
 {
@@ -229,81 +208,88 @@ "metadata": {}, "outputs": [ { - "data": { - "text/plain": [ - "True" - ] - }, - "metadata": {}, - "output_type": "display_data" + "name": "stdout", + "output_type": "stream", + "text": [ + "OCSP validation failed as expected.\n" + ] } ], "source": [ + "import os\n", "import redis\n", - "import OpenSSL\n", - "\n", - "ssl_certfile=\"some-certificate.pem\"\n", - "ssl_keyfile=\"some-key.pem\"\n", - "ssl_ca_certs=ssl_certfile\n", - "ssl_expected_certificate = \"expected-ocsp-certificate.pem\"\n", "\n", - "# PyOpenSSL is used only for the purpose of validating the ocsp\n", - "# stapled response\n", - "ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)\n", - "ctx.use_certificate_file=ssl_certfile\n", - "ctx.use_privatekey_file=ssl_keyfile\n", - "expected_certificate = open(ssl_expected_certificate, 'rb').read()\n", + "pki_dir = os.path.join(\"..\", \"..\", \"dockers\", \"stunnel\", \"keys\")\n", "\n", - "ssl_cert_conn = redis.Redis(\n", + "r = redis.Redis(\n", " host=\"localhost\",\n", " port=6666,\n", " ssl=True,\n", - " ssl_certfile=ssl_certfile,\n", - " ssl_keyfile=ssl_keyfile,\n", + " ssl_certfile=os.path.join(pki_dir, \"client-cert.pem\"),\n", + " ssl_keyfile=os.path.join(pki_dir, \"client-key.pem\"),\n", " ssl_cert_reqs=\"required\",\n", - " ssl_ocsp_context=ctx,\n", - " ssl_ocsp_expected_cert=expected_certificate,\n", + " ssl_ca_certs=os.path.join(pki_dir, \"ca-cert.pem\"),\n", + " ssl_validate_ocsp=True,\n", ")\n", - "ssl_cert_conn.ping()" + "\n", + "try:\n", + " r.ping()\n", + "except redis.ConnectionError as e:\n", + " assert e.args[0] == \"No AIA information present in ssl certificate\"\n", + " print(\"OCSP validation failed as expected.\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ - "### Naive validation of a stapled OCSP certificate" + "## Connect to a Redis instance via SSL, and validate OCSP-stapled certificates\n", + "\n", + "It is also possible to validate an OCSP stapled response. 
Again, for this example the server does not send an OCSP stapled response, so the validation will fail." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, - "outputs": [], + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "OCSP validation failed as expected.\n" + ] + } + ], "source": [ + "import os\n", "import redis\n", - "import OpenSSL\n", "\n", - "ssl_certfile=\"some-certificate.pem\"\n", - "ssl_keyfile=\"some-key.pem\"\n", - "ssl_ca_certs=ssl_certfile\n", - "ssl_expected_certificate = \"expected-ocsp-certificate.pem\"\n", + "pki_dir = os.path.join(\"..\", \"..\", \"dockers\", \"stunnel\", \"keys\")\n", + "ca_cert = os.path.join(pki_dir, \"ca-cert.pem\")\n", + "\n", + "# It is possible to specify an expected certificate, or leave it out.\n", + "expected_certificate = open(ca_cert, 'rb').read()\n", "\n", - "# PyOpenSSL is used only for the purpose of validating the ocsp\n", - "# stapled response\n", - "ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)\n", - "ctx.use_certificate_file=ssl_certfile\n", - "ctx.use_privatekey_file=ssl_keyfile\n", + "# If needed, a custom SSL context for OCSP can be specified via ssl_ocsp_context\n", "\n", - "ssl_cert_conn = redis.Redis(\n", + "r = redis.Redis(\n", " host=\"localhost\",\n", " port=6666,\n", " ssl=True,\n", - " ssl_certfile=ssl_certfile,\n", - " ssl_keyfile=ssl_keyfile,\n", + " ssl_certfile=os.path.join(pki_dir, \"client-cert.pem\"),\n", + " ssl_keyfile=os.path.join(pki_dir, \"client-key.pem\"),\n", " ssl_cert_reqs=\"required\",\n", + " ssl_ca_certs=ca_cert,\n", " ssl_validate_ocsp_stapled=True,\n", + " ssl_ocsp_expected_cert=expected_certificate,\n", ")\n", - "ssl_cert_conn.ping()" + "\n", + "try:\n", + " r.ping()\n", + "except redis.ConnectionError as e:\n", + " assert e.args[0] == \"no ocsp response present\"\n", + " print(\"OCSP validation failed as expected.\")" ] } ], 
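Review bot: In the stapled-OCSP cell, `expected_certificate` is read from `ca-cert.pem`, while `test_mock_ocsp_staple` in tests/test_ssl.py, updated in this same commit, passes the server certificate as `ssl_ocsp_expected_cert`. If the expected certificate is compared with the certificate the peer presents (that comparison is not visible in this diff), the CA file would not match once a staple is actually present. The cell hides this because the connection already fails with "no ocsp response present". I suggest `expected_certificate = open(os.path.join(pki_dir, "server-cert.pem"), 'rb').read()`. Both `try`/`except` cells in this hunk also stay silent if `r.ping()` unexpectedly succeeds, so an `else:` branch that reports it would keep the expected-failure demonstration from passing unnoticed.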
@@ -325,10 +311,9 @@ "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", - "pygments_lexer": "ipython3", - "version": "3.8.12" + "pygments_lexer": "ipython3" } }, "nbformat": 4, - "nbformat_minor": 2 + "nbformat_minor": 4 } diff --git a/tests/test_asyncio/test_cluster.py b/tests/test_asyncio/test_cluster.py index 8d4620a4a2..ac12584be5 100644 --- a/tests/test_asyncio/test_cluster.py +++ b/tests/test_asyncio/test_cluster.py @@ -2893,8 +2893,9 @@ class TestSSL: appropriate port. """ - SERVER_CERT = get_ssl_filename("server-cert.pem") - SERVER_KEY = get_ssl_filename("server-key.pem") + CA_CERT = get_ssl_filename("ca-cert.pem") + CLIENT_CERT = get_ssl_filename("client-cert.pem") + CLIENT_KEY = get_ssl_filename("client-key.pem") @pytest_asyncio.fixture() def create_client(self, request: FixtureRequest) -> Callable[..., RedisCluster]: @@ -3018,24 +3019,24 @@ async def test_validating_self_signed_certificate( ) -> None: async with await create_client( ssl=True, - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ssl_cert_reqs="required", - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ) as rc: assert await rc.ping() async def test_validating_self_signed_string_certificate( self, create_client: Callable[..., Awaitable[RedisCluster]] ) -> None: - with open(self.SERVER_CERT) as f: + with open(self.CA_CERT) as f: cert_data = f.read() async with await create_client( ssl=True, ssl_ca_data=cert_data, ssl_cert_reqs="required", - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ) as rc: assert await rc.ping() diff --git a/tests/test_asyncio/test_connect.py b/tests/test_asyncio/test_connect.py index 6c902c2d05..0df7ebb43a 100644 --- a/tests/test_asyncio/test_connect.py +++ b/tests/test_asyncio/test_connect.py 
@@ -61,13 +61,14 @@ async def test_uds_connect(uds_address): ) async def test_tcp_ssl_tls12_custom_ciphers(tcp_address, ssl_ciphers): host, port = tcp_address - certfile = get_ssl_filename("server-cert.pem") - keyfile = get_ssl_filename("server-key.pem") + certfile = get_ssl_filename("client-cert.pem") + keyfile = get_ssl_filename("client-key.pem") + ca_certfile = get_ssl_filename("ca-cert.pem") conn = SSLConnection( host=host, port=port, client_name=_CLIENT_NAME, - ssl_ca_certs=certfile, + ssl_ca_certs=ca_certfile, socket_timeout=10, ssl_min_version=ssl.TLSVersion.TLSv1_2, ssl_ciphers=ssl_ciphers, @@ -89,13 +90,14 @@ async def test_tcp_ssl_tls12_custom_ciphers(tcp_address, ssl_ciphers): ) async def test_tcp_ssl_connect(tcp_address, ssl_min_version): host, port = tcp_address - certfile = get_ssl_filename("server-cert.pem") - keyfile = get_ssl_filename("server-key.pem") + certfile = get_ssl_filename("client-cert.pem") + keyfile = get_ssl_filename("client-key.pem") + ca_certfile = get_ssl_filename("ca-cert.pem") conn = SSLConnection( host=host, port=port, client_name=_CLIENT_NAME, - ssl_ca_certs=certfile, + ssl_ca_certs=ca_certfile, socket_timeout=10, ssl_min_version=ssl_min_version, ) diff --git a/tests/test_connect.py b/tests/test_connect.py index ec686540fa..d7ca04b651 100644 --- a/tests/test_connect.py +++ b/tests/test_connect.py @@ -58,13 +58,14 @@ def test_uds_connect(uds_address): ) def test_tcp_ssl_connect(tcp_address, ssl_min_version): host, port = tcp_address - certfile = get_ssl_filename("server-cert.pem") - keyfile = get_ssl_filename("server-key.pem") + certfile = get_ssl_filename("client-cert.pem") + keyfile = get_ssl_filename("client-key.pem") + ca_certfile = get_ssl_filename("ca-cert.pem") conn = SSLConnection( host=host, port=port, client_name=_CLIENT_NAME, - ssl_ca_certs=certfile, + ssl_ca_certs=ca_certfile, socket_timeout=10, ssl_min_version=ssl_min_version, ) 
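Review bot: In `test_tcp_ssl_tls12_custom_ciphers`, `certfile` and `keyfile` now point at `client-cert.pem` and `client-key.pem`, but the `SSLConnection` shown here only receives `ssl_ca_certs=ca_certfile`. Where the two variables are consumed lies outside the hunk. If they are still handed to the in-process test server as its identity, that server would present the certificate issued for the client, which works only because no name or role check is applied; `get_ssl_filename("server-cert.pem")` and `get_ssl_filename("server-key.pem")` would be the matching pair. The same applies to `test_tcp_ssl_connect` in this file and to both tests in tests/test_connect.py. Renaming the variables to say whose identity they carry would make the intent checkable at a glance.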
@@ -82,13 +83,14 @@ def test_tcp_ssl_connect(tcp_address, ssl_min_version): ) def test_tcp_ssl_tls12_custom_ciphers(tcp_address, ssl_ciphers): host, port = tcp_address - certfile = get_ssl_filename("server-cert.pem") - keyfile = get_ssl_filename("server-key.pem") + certfile = get_ssl_filename("client-cert.pem") + keyfile = get_ssl_filename("client-key.pem") + ca_certfile = get_ssl_filename("ca-cert.pem") conn = SSLConnection( host=host, port=port, client_name=_CLIENT_NAME, - ssl_ca_certs=certfile, + ssl_ca_certs=ca_certfile, socket_timeout=10, ssl_min_version=ssl.TLSVersion.TLSv1_2, ssl_ciphers=ssl_ciphers, diff --git a/tests/test_ssl.py b/tests/test_ssl.py index fd6fa51db7..fc7416dbc7 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -18,8 +18,10 @@ class TestSSL: and connecting to the appropriate port. """ + CA_CERT = get_ssl_filename("ca-cert.pem") + CLIENT_CERT = get_ssl_filename("client-cert.pem") + CLIENT_KEY = get_ssl_filename("client-key.pem") SERVER_CERT = get_ssl_filename("server-cert.pem") - SERVER_KEY = get_ssl_filename("server-key.pem") def test_ssl_with_invalid_cert(self, request): ssl_url = request.config.option.redis_ssl_url @@ -53,16 +55,16 @@ def test_validating_self_signed_certificate(self, request): host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ) assert r.ping() r.close() def test_validating_self_signed_string_certificate(self, request): - with open(self.SERVER_CERT) as f: + with open(self.CA_CERT) as f: cert_data = f.read() ssl_url = request.config.option.redis_ssl_url p = urlparse(ssl_url)[1].split(":") 
@@ -70,8 +72,8 @@ def test_validating_self_signed_string_certificate(self, request): host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", ssl_ca_data=cert_data, ) @@ -147,10 +149,10 @@ def _create_oscp_conn(self, request): host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ssl_validate_ocsp=True, ) return r @@ -171,14 +173,6 @@ def test_ssl_ocsp_called_withcrypto(self, request): assert "No AIA information present in ssl certificate" in str(e) r.close() - # rediss://, url based - ssl_url = request.config.option.redis_ssl_url - sslclient = redis.from_url(ssl_url) - with pytest.raises(ConnectionError) as e: - sslclient.ping() - assert "No AIA information present in ssl certificate" in str(e) - sslclient.close() - @skip_if_nocryptography() def test_valid_ocsp_cert_http(self): from redis.ocsp import OCSPVerifier @@ -253,10 +247,10 @@ def test_mock_ocsp_staple(self, request): host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ssl_validate_ocsp=True, ssl_ocsp_context=p, # just needs to not be none ) 
@@ -266,19 +260,19 @@ def test_mock_ocsp_staple(self, request): r.close() ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD) - ctx.use_certificate_file(self.SERVER_CERT) - ctx.use_privatekey_file(self.SERVER_KEY) + ctx.use_certificate_file(self.CLIENT_CERT) + ctx.use_privatekey_file(self.CLIENT_KEY) r = redis.Redis( host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ssl_ocsp_context=ctx, - ssl_ocsp_expected_cert=open(self.SERVER_KEY, "rb").read(), + ssl_ocsp_expected_cert=open(self.SERVER_CERT, "rb").read(), ssl_validate_ocsp_stapled=True, ) @@ -291,10 +285,10 @@ def test_mock_ocsp_staple(self, request): host=p[0], port=p[1], ssl=True, - ssl_certfile=self.SERVER_CERT, - ssl_keyfile=self.SERVER_KEY, + ssl_certfile=self.CLIENT_CERT, + ssl_keyfile=self.CLIENT_KEY, ssl_cert_reqs="required", - ssl_ca_certs=self.SERVER_CERT, + ssl_ca_certs=self.CA_CERT, ssl_validate_ocsp_stapled=True, )
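Review bot: `ssl_ocsp_expected_cert=open(self.SERVER_CERT, "rb").read()` never closes the file object, whereas `test_validating_self_signed_string_certificate` in this same file reads its certificate inside `with open(self.CA_CERT) as f:`. Reading the bytes first with `with open(self.SERVER_CERT, "rb") as f:` and `expected_cert = f.read()`, then passing `ssl_ocsp_expected_cert=expected_cert`, keeps the two tests consistent and avoids a ResourceWarning under strict warning filters. The body of `test_mock_ocsp_staple` starts and ends outside this hunk.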