From 3b18ffe09370573f81220fda5e924124fcf8f0df Mon Sep 17 00:00:00 2001
From: Andrew Clayton <a.clayton@nginx.com>
Date: Wed, 5 Mar 2025 18:13:01 +0000
Subject: [PATCH] tests: Fix TLS tests with Python 3.13

Python 3.13 sets the VERIFY_X509_STRICT flag by default in
create_default_context().

This breaks our TLS tests with dummy certificates. Remove this flag.

Thanks to @zfouts for the hint about the flag.

As an aside there is another Python 3.13 change which breaks the tests,
in that the cgi module has been removed. However there is a legacy-cgi
module you can install to get things going again (note this module is
unmaintained). E.g. In Fedora 'dnf install python3-legacy-cgi'.

Reported-by: Konstantin Pavlov <thresh@nginx.com>
Closes: https://github.com/nginx/unit/issues/1545
Link: <https://docs.python.org/3/whatsnew/3.13.html#ssl>
Link: <https://docs.python.org/3.13/library/cgi.html>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
---
 test/test_tls.py     | 1 +
 test/test_tls_sni.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/test/test_tls.py b/test/test_tls.py
index 099217731..ffbcee401 100644
--- a/test/test_tls.py
+++ b/test/test_tls.py
@@ -49,6 +49,7 @@ def context_cert_req(cert='root'):
     context = ssl.create_default_context()
     context.check_hostname = False
     context.verify_mode = ssl.CERT_REQUIRED
+    context.verify_flags &= ~ssl.VERIFY_X509_STRICT
     context.load_verify_locations(f'{option.temp_dir}/{cert}.crt')
 
     return context
diff --git a/test/test_tls_sni.py b/test/test_tls_sni.py
index 61d72125e..b2fc05c04 100644
--- a/test/test_tls_sni.py
+++ b/test/test_tls_sni.py
@@ -99,6 +99,7 @@ def config_bundles(bundles):
     context = ssl.create_default_context()
     context.check_hostname = False
     context.verify_mode = ssl.CERT_REQUIRED
+    context.verify_flags &= ~ssl.VERIFY_X509_STRICT
     context.load_verify_locations(f'{option.temp_dir}/root.crt')
 
     return context