Add TLS version test

fantix · fantix · commit 3ffdde5d9318 · 2021-09-14T17:07:37.000-04:00
diff --git a/tests/test_connect.py b/tests/test_connect.py
@@ -1213,6 +1213,8 @@ def get_server_settings(cls):
             'ssl_cert_file': SSL_CERT_FILE,
             'ssl_key_file': SSL_KEY_FILE,
             'ssl_ca_file': CLIENT_CA_CERT_FILE,
+            'ssl_min_protocol_version': 'TLSv1.2',
+            'ssl_max_protocol_version': 'TLSv1.2',
         })
 
         return conf
@@ -1408,6 +1410,42 @@ async def test_executemany_uvloop_ssl_issue_700(self):
             finally:
                 await con.close()
 
+    async def test_tls_version(self):
+        # XXX: uvloop artifact
+        old_handler = self.loop.get_exception_handler()
+        try:
+            self.loop.set_exception_handler(lambda *args: None)
+            with self.assertRaisesRegex(ssl.SSLError, 'protocol version'):
+                await self.connect(
+                    dsn='postgresql://ssl_user@localhost/postgres'
+                        '?sslmode=require&ssl_min_protocol_version=TLSv1.3'
+                )
+            with self.assertRaisesRegex(ssl.SSLError, 'protocol version'):
+                await self.connect(
+                    dsn='postgresql://ssl_user@localhost/postgres'
+                        '?sslmode=require'
+                        '&ssl_min_protocol_version=TLSv1.1'
+                        '&ssl_max_protocol_version=TLSv1.1'
+                )
+            with self.assertRaisesRegex(ssl.SSLError, 'no protocols'):
+                await self.connect(
+                    dsn='postgresql://ssl_user@localhost/postgres'
+                        '?sslmode=require'
+                        '&ssl_min_protocol_version=TLSv1.2'
+                        '&ssl_max_protocol_version=TLSv1.1'
+                )
+            con = await self.connect(
+                dsn='postgresql://ssl_user@localhost/postgres?sslmode=require'
+                    '&ssl_min_protocol_version=TLSv1.2'
+                    '&ssl_max_protocol_version=TLSv1.2'
+            )
+            try:
+                self.assertEqual(await con.fetchval('SELECT 42'), 42)
+            finally:
+                await con.close()
+        finally:
+            self.loop.set_exception_handler(old_handler)
+
 
 @unittest.skipIf(os.environ.get('PGHOST'), 'unmanaged cluster')
 class TestClientSSLConnection(BaseTestSSLConnection):
