Explicit root cert cleanup calls

csstaub · csstaub · commit 9f58c0b90cf7 · 2026-04-06T10:54:40.000-07:00
diff --git a/tests/common.py b/tests/common.py
@@ -277,8 +277,8 @@ def assert_connection_rejected(client, server, name, timeout_ok=True):
 def create_default_certs(algorithm='ecdsa'):
     """Create standard root, server, and client certificates.
 
-    Returns the RootCert object. Callers must keep a reference to it
-    alive for the duration of the test to prevent __del__ cleanup."""
+    Returns the RootCert object. Callers should call root.cleanup()
+    in their finally block to clean up temporary cert files."""
     root = RootCert('root', algorithm=algorithm)
     root.create_signed_cert('server')
     root.create_signed_cert('client')
diff --git a/tests/test-client-handles-client-closes-connection.py b/tests/test-client-handles-client-closes-connection.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpClient, TlsServer, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_client
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_client(extra_args=['--close-timeout=10s'])
 
     # connect to server, confirm that the tunnel is up
@@ -31,3 +32,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-client-handles-no-server.py b/tests/test-client-handles-no-server.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpClient, TlsServer, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_client, get_free_port
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_client()
 
     # client should fail to connect since nothing is listening on wrong_port
@@ -26,3 +27,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-client-handles-server-closes-connection.py b/tests/test-client-handles-server-closes-connection.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpClient, TlsServer, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_client
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_client(extra_args=['--close-timeout=10s'])
 
     # connect with client, confirm that the tunnel is up
@@ -31,3 +32,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-server-handles-client-closes-connection.py b/tests/test-server-handles-client-closes-connection.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpServer, TlsClient, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_server
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_server(extra_args=['--close-timeout=10s'])
 
     # connect with client, confirm that the tunnel is up
@@ -31,3 +32,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-server-handles-no-server.py b/tests/test-server-handles-no-server.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpServer, TlsClient, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_server, get_free_port
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_server()
 
     # client should fail to connect since nothing is listening on wrong_port
@@ -26,3 +27,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-server-handles-server-closes-connection.py b/tests/test-server-handles-server-closes-connection.py
@@ -7,8 +7,9 @@
 from common import SocketPair, TcpServer, TlsClient, print_ok, terminate, LISTEN_PORT, TARGET_PORT, create_default_certs, start_ghostunnel_server
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
     ghostunnel = start_ghostunnel_server(extra_args=['--close-timeout=10s'])
 
     # connect with client, confirm that the tunnel is up
@@ -31,3 +32,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
diff --git a/tests/test-server-split-cert-key.py b/tests/test-server-split-cert-key.py
@@ -7,8 +7,9 @@
 from common import LOCALHOST, STATUS_PORT, print_ok, run_ghostunnel, terminate, SocketPair, TlsClient, TcpServer, LISTEN_PORT, TARGET_PORT, create_default_certs
 
 ghostunnel = None
+root = None
 try:
-    _root = create_default_certs()  # keep RootCert alive for cert lifecycle
+    root = create_default_certs()
 
     # start ghostunnel with --cert/--key instead of --keystore
     ghostunnel = run_ghostunnel(['server',
@@ -34,3 +35,5 @@
     print_ok("OK")
 finally:
     terminate(ghostunnel)
+    if root:
+        root.cleanup()
