[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 40f9e91f3626 by Benjamin Peterson in branch '2.7':
add NEWS note for #22921
https://hg.python.org/cpython/rev/40f9e91f3626

New changeset 060fd5d09063 by Benjamin Peterson in branch '3.4':
add NEWS note for #22921
https://hg.python.org/cpython/rev/060fd5d09063

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot

Roundup Robot added the comment:

New changeset ce4073afd992 by Benjamin Peterson in branch '2.7':
allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921)
https://hg.python.org/cpython/rev/ce4073afd992

--
resolution:  -> fixed
stage: needs patch -> resolved
status: open -> closed




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft

Donald Stufft added the comment:

Added a patch for Python 2.7

--
Added file: 
http://bugs.python.org/file37262/check-hostname-no-sni-with-docs-py27.patch




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot

Roundup Robot added the comment:

New changeset f2d4beb90a5b by Benjamin Peterson in branch '3.4':
don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
https://hg.python.org/cpython/rev/f2d4beb90a5b

New changeset 24dfe7310cc1 by Benjamin Peterson in branch 'default':
merge 3.4 (#22921)
https://hg.python.org/cpython/rev/24dfe7310cc1

--
nosy: +python-dev




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft

Donald Stufft added the comment:

Uploaded a third patch, this is the same technique as in the -2 patch, except 
it fixes a missed spot in Lib/ssl.py where I needed a better error message.

Additionally this goes through and unskips all of the tests that were marked as 
depending on HAS_SNI when what they really depended on was the ability to set 
SSLContext().check_hostname = True.

This also fixes a number of tests that are currently failing whenever HAS_SNI = 
False that started to fail as fallout of PEP 476.

--
Added file: 
http://bugs.python.org/file37260/check-hostname-no-sni-with-docs-3.patch




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft

Donald Stufft added the comment:

A new patch that achieves the same thing in a simpler way at Benjamin's 
suggestion.

--
Added file: 
http://bugs.python.org/file37259/check-hostname-no-sni-with-docs-2.patch




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft

Donald Stufft added the comment:

Added docs.

--
Added file: 
http://bugs.python.org/file37258/check-hostname-no-sni-with-docs.patch




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Christian Heimes

Christian Heimes added the comment:

Thanks a lot, Donald!

Back then I didn't pursue the point because I wasn't sure about possible 
security implications.

--




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft

Donald Stufft added the comment:

I tested this patch on Python 3.5 compiled on CentOS 5.11 which does not have 
SNI enabled. The end result is that you can use server_hostname even when SNI 
isn't there to enable the SSL certificate checks. Of course the check will fail 
if the host you're connecting to requires SNI to serve the expected certificate, 
but that's no different than it is today.

The docs still need to be updated, I can do that a little bit later today, but 
figured I'd let people review this since it's done and working other than the 
docs.

The basic gist of the patch is that we stash the hostname and use it for the 
validation checks, but we don't send it deeper into the stack if SNI is not 
available.

--
keywords: +patch
Added file: http://bugs.python.org/file37256/check-hostname-no-sni.patch




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Antoine Pitrou

Antoine Pitrou added the comment:

This sounds ok to me, but are there still SNI-less OpenSSLs around?

--
nosy: +pitrou




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Antoine Pitrou

Changes by Antoine Pitrou:


--
components: +Library (Lib)
stage:  -> needs patch
type: enhancement -> behavior
versions: +Python 2.7, Python 3.4, Python 3.5




[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-22 Thread Donald Stufft

New submission from Donald Stufft:

The SSLContext().wrap_socket() method allows you to pass in a server_hostname 
option which will be used for two purposes, it will be used as the server name 
for SNI and it will be used to verify the server name of the certificate. 
However currently if the OpenSSL you're using does not have SNI then sending 
the server_hostname option to wrap_socket() will raise a ValueError.

I think that instead server_hostname should always be accepted by 
SSLContext().wrap_socket() regardless of whether SNI is available or whether 
check_hostname is available. It's just going to be stored and used later so we 
can conditionally use it for SNI or for checking the hostname depending on whether 
SNI is available or checking a hostname is available. The way it works right 
now is that unless you're happy not working when SNI is not available you have 
to check the hostname yourself.

If we can fix this, I think it would be smart to do it ASAP and get it into 
Python 2.7.9 and backported to the various Python 3.x's so that in the near 
future it works with all recent versions of the various Pythons (though older 
micro releases it may not).

This shouldn't break any code since it's changing what used to be an error into 
a saner working case.

--
messages: 231544
nosy: alex, benjamin.peterson, christian.heimes, dstufft
priority: normal
severity: normal
status: open
title: SSLContext's check_hostname needlessly intertwined with SNI
type: enhancement
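An added example, not code from the tracker or from the patches attached to this issue, contrasting the two situations the submission describes: with the fix, server_hostname is passed and the ssl module checks the certificate name itself; on an SNI-less OpenSSL before the fix, the caller had to check the hostname by hand against the getpeercert() dict. The function names hostname_matches_cert and wrap_verified are my own, and ctx is assumed to already carry a trust store with verify_mode CERT_REQUIRED.

```python
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against hostname (RFC 6125 subset): only a
    single leftmost '*' label, never spanning a dot, never the whole domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Check hostname against a getpeercert()-style dict. SAN dNSName entries
    win; the subject CN is consulted only when the cert carries no SAN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def wrap_verified(ctx: ssl.SSLContext, sock: socket.socket, hostname: str) -> ssl.SSLSocket:
    """Wrap sock so the peer certificate is always checked against hostname."""
    if ctx.verify_mode == ssl.CERT_NONE:
        raise ValueError("ctx must verify the chain (CERT_REQUIRED)")
    if ssl.HAS_SNI:
        # Post-fix behaviour: the ssl module stores the name, sends SNI and
        # performs the hostname check itself.
        ctx.check_hostname = True
        return ctx.wrap_socket(sock, server_hostname=hostname)
    # Pre-fix workaround on an SNI-less OpenSSL: no server_hostname can be
    # passed, so wrap, let OpenSSL validate the chain, then match by hand.
    # No SNI is sent, so a server that needs SNI to pick its certificate
    # will (correctly) fail this check, as the thread notes.
    ctx.check_hostname = False
    ssock = ctx.wrap_socket(sock)
    if not hostname_matches_cert(ssock.getpeercert(), hostname):
        ssock.close()
        raise ssl.CertificateError(f"hostname {hostname!r} doesn't match certificate")
    return ssock
```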
