New submission from Senthil Kumaran:

While working on issue22366, I found a tricky bit of code in:

https://hg.python.org/cpython/file/ca0aa0d89273/Lib/http/client.py#l1295
https://hg.python.org/cpython/rev/1a945fb875bf/

The statement is

    if not self._context.check_hostname and self._check_hostname:

The context object's check_hostname (created by ssl._create_stdlib_context() - note private) is False by default, and the statement holds good and acts only on self._check_hostname.

But if the context is constructed manually and the context object's check_hostname is set to True (with correct intentions), that statement will lead to skipping of matching hostname!

Is my analysis right here?

----------
messages: 227082
nosy: alex, christian.heimes, dstufft, orsenthil, pitrou
priority: normal
severity: normal
status: open
title: Setting SSLContext object's check_hostname manually might accidentally skip hostname verification
versions: Python 3.4, Python 3.5

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22440>
_______________________________________
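
Added example, not part of the original message and not CPython's code: a small model of which layer matches the hostname for each combination of the two flags in the quoted statement, using real ssl.SSLContext objects. It relies on the documented ssl behaviour that a context with check_hostname set to True matches the hostname during the handshake; all function names are invented here and the contexts are constructed samples.

```python
import ssl


def hostname_check_layer(context, conn_check_hostname):
    """Say which layer matches the peer certificate against the hostname.

    conn_check_hostname stands in for the connection's self._check_hostname.
    """
    if context.check_hostname:
        # Documented ssl behaviour: the match happens inside do_handshake(),
        # so the branch guarded by the quoted statement is not needed.
        return "ssl handshake"
    if conn_check_hostname:
        # The branch guarded by the quoted statement runs.
        return "http.client"
    return "nobody"


def make_context(check_hostname, verify_mode):
    """Build a client context with the given settings (constructed sample)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be off before verify_mode can change freely
    ctx.verify_mode = verify_mode
    ctx.check_hostname = check_hostname
    return ctx


def audit():
    """Return (context flag, connection flag, layer) for all four combinations."""
    return [(c, k, hostname_check_layer(make_context(c, ssl.CERT_REQUIRED), k))
            for c in (False, True) for k in (False, True)]


def unverified(rows):
    """Flag combinations in which no layer checks the hostname."""
    return [(c, k) for c, k, layer in rows if layer == "nobody"]


def can_disable_cert_verification(ctx):
    """True if ctx accepts CERT_NONE; ssl refuses while check_hostname is on."""
    try:
        ctx.verify_mode = ssl.CERT_NONE  # mutates ctx when it succeeds
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for row in audit():
        print(row)
    print("unverified:", unverified(audit()))
```

In this model the only combination left without a hostname check is the one where both flags are False, and a context with check_hostname enabled cannot be switched to CERT_NONE.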