Issue 22440: Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/66630

classification

Title:	Setting SSLContext object's check_hostname manually might accidentally skip hostname verification
Type:	behavior	Stage:	resolved
Components:		Versions:	Python 3.4, Python 3.5

process

Status:	closed	Resolution:	not a bug
Dependencies:		Superseder:
Assigned To:		Nosy List:	alex, christian.heimes, dstufft, orsenthil, pitrou
Priority:	normal	Keywords:

Created on 2014-09-19 07:53 by orsenthil, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg227082 - (view)	Author: Senthil Kumaran (orsenthil) *	Date: 2014-09-19 07:53
While working on issue22366, I found a tricky bit of code in: https://hg.python.org/cpython/file/ca0aa0d89273/Lib/http/client.py#l1295 https://hg.python.org/cpython/rev/1a945fb875bf/ The statement is if not self._context.check_hostname and self._check_hostname: The context object's check_hostname (created by ssl._create_stdlib_context() - note private ) is False by default and the statement holds good and acts only on self._check_hostname But if the context is constructed manually and the context object's check_hostname is set to True (with correct intentions), that statement will lead to skipping of matching hostname! Is my analysis right here?
msg227094 - (view)	Author: Alex Gaynor (alex) *	Date: 2014-09-19 13:40
If check_hostname is set on the context then do_handshake() will already perform the hostname check: https://hg.python.org/cpython/file/default/Lib/ssl.py#l787
msg227169 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2014-09-20 19:23
Alex's analysis is correct. Starting with 3.4 the SSLSocket object can perform a hostname check during the handshake. More recent versions of OpenSSL or a custom verify callback could do the check even earlier during the handshake.
msg227170 - (view)	Author: Alex Gaynor (alex) *	Date: 2014-09-20 19:29
This can be closed then I think?
msg227171 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2014-09-20 19:33
Yeah.

History
Date	User	Action	Args
2022-04-11 14:58:08	admin	set	github: 66630
2014-09-20 19:33:24	christian.heimes	set	status: open -> closed type: behavior messages: + msg227171 resolution: not a bug stage: resolved
2014-09-20 19:29:47	alex	set	messages: + msg227170
2014-09-20 19:23:32	christian.heimes	set	messages: + msg227169
2014-09-19 13:40:47	alex	set	messages: + msg227094
2014-09-19 07:53:10	orsenthil	create