[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: 3.6 will be out of support very soon. I'm closing this old bug as wontfix. Thanks for your investigation! :) -- resolution: -> wont fix status: open -> closed

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2018-02-26 Thread Nathaniel Smith
Nathaniel Smith added the comment: I agree that backporting X509_VERIFY_PARAM_set1_host is unreasonable, at least until the openssl ecosystem has moved forward a bit. But in earlier versions, would it be easy to detect that do_handshake() hasn't been called and raise an

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2018-02-26 Thread Christian Heimes
Christian Heimes added the comment: Correct, the fix is in 3.7 and 3.8 only. I don't see a realistic way to address the problem in 3.6 and 2.7 without breaking people on old LTS releases and BSD. (The bug tracker changes status automatically when you reply to a pending

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2018-02-26 Thread Nathaniel Smith
Nathaniel Smith added the comment: ...huh, not sure why that shows me changing the status. I just typed something in the text box, didn't touch any of the dropdowns... -- status: open -> pending

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2018-02-26 Thread Nathaniel Smith
Nathaniel Smith added the comment: Do you mean, the fix is in 3.7 only? -- status: pending -> open

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2018-02-26 Thread Christian Heimes
Christian Heimes added the comment: The bug has been fixed in #31399. Since 3.7, Python uses OpenSSL's X509_VERIFY_PARAM_set1_host() to verify the host name during the handshake. Unfortunately the fix is in OpenSSL 1.0.2 only. Backport would break compatibility with OpenSSL

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2017-04-24 Thread Christian Heimes
Christian Heimes added the comment: The PR doesn't fix all bugs with the current approach. In the auto-handshake case, the struct members peer_cert and handshake_done are not set correctly. I'll look into the matter. Perhaps I can set them in the handshake or verify callback. if

[issue30141] If you forget to call do_handshake, then everything seems to work but hostname checking is disabled

2017-04-23 Thread Nathaniel Smith
Changes by Nathaniel Smith: -- title: If you forget to call do_handshake, then everything seems to work but hostname is disabled -> If you forget to call do_handshake, then everything seems to work but hostname checking is disabled