[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Change by Steve Dower : -- pull_requests: +6174 ___ Python tracker ___ ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: The issue has been fixed in 2.7, 3.6-3.8 for OpenSSL >= 1.0.2 or platforms with inet_pton. I didn't bother to fix platforms without inet_pton since OpenSSL 1.0.1 and earlier are no longer support any way. -- resolution: -> fixed

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: New changeset a5c9112300ecd492ed6cc9759dc8028766401f61 by Christian Heimes (Miss Islington (bot)) in branch '2.7': [2.7] bpo-32185: Don't send IP in SNI TLS extension (GH-5865) (#5871)

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Change by miss-islington : -- pull_requests: +5644 ___ Python tracker ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: New changeset e9370a47389903bb72badc95032ec84a0ebbf8cc by Christian Heimes in branch '3.6': bpo-32185: Don't send IP in SNI TLS extension (#5865) https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Change by Christian Heimes : -- pull_requests: +5639 ___ Python tracker ___ ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: PS: With OpenSSL >= 1.0.2, inet_pton() is not required. -- ___ Python tracker ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: The code works on all platforms with OpenSSL >= 1.0.2. OpenSSL 1.0.1, 0.9.8 and earlier are no longer supported by upstream. Anybody with even marginal interest in secure TLS/SSL should update. Python.org's Windows and macOS binaries are

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Antoine Pitrou added the comment: By the way, Windows nowadays has inet_pton(): https://msdn.microsoft.com/en-us/library/windows/desktop/cc805844(v=vs.85).aspx Are there other platforms without it? inet_pton() is part of POSIX. -- nosy: +paul.moore, steve.dower,

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Antoine Pitrou added the comment: > There is no platform-compatible way to detect if a string is an IP address. Actually, you could use the ipaddress module. -- nosy: +pitrou ___ Python tracker

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Change by Christian Heimes : -- keywords: +patch pull_requests: +4829 ___ Python tracker ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Change by Christian Heimes : -- keywords: +3.5regression stage: -> patch review type: -> behavior ___ Python tracker ___

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

Christian Heimes added the comment: Thanks! 3.4 and 3.5 are out of scope. They only receive security fixes. For 3.7 https://github.com/python/cpython/compare/master...tiran:openssl_check_hostname will take care of the issue 2.7 and 3.6 are a bit tricky. There is no

[issue32185] SSLContext.wrap_socket sends SNI Extension when server_hostname is IP

New submission from Matt Davis : The current implementation of SSLContext.wrap_socket blindly sends whatever is passed in server_hostname in the SNI extension, assuming it's a DNS hostname. RFC6066 describes the SNI TLS extension, and specifically states that 'Literal IPv4