Chi Hsuan Yen added the comment:

With this change: (tested with OpenSSL git-master)

@@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext *sslctx, PyS
         SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
     mode |= SSL_MODE_AUTO_RETRY;
     SSL_set_mode(self->ssl, mode);
+    if (server_hostname != NULL) {
-    if (server_hostname != NULL)
         SSL_set_tlsext_host_name(self->ssl, server_hostname);
+        SSL_set1_host(self->ssl, server_hostname);
+    }
     /* If the socket is in non-blocking mode or timeout mode, set the BIO
      * to non-blocking mode (blocking is the default)
     if (sock && sock->sock_timeout >= 0) {
         BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
         BIO_set_nbio(SSL_get_wbio(self->ssl), 1);

When connecting to, the error is:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
verify failed: Hostname mismatch (_ssl.c:768)

With this change in mind, an idea is to drop the Python implementation of 
match_hostname and rely on OpenSSL's checking mechanism (`do_x509_check`). As a 

* ssl.CertificateError can be either an alias of ssl.SSLCertVerificationError 
or a subclass of it
* When verify_result is X509_V_ERR_HOSTNAME_MISMATCH, the error message is 
formatted with more information following the current approach in 
`match_hostname` ("hostname XXX doesn't match YYY...")


Python tracker <>
Python-bugs-list mailing list

Reply via email to