This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Setting SSLContext object's check_hostname manually might accidentally skip hostname verification
Type: behavior Stage: resolved
Components: Versions: Python 3.4, Python 3.5
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: alex, christian.heimes, dstufft, orsenthil, pitrou
Priority: normal Keywords:

Created on 2014-09-19 07:53 by orsenthil, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg227082 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2014-09-19 07:53
While working on issue22366, I found a tricky bit of code in:

The statement is

 if not self._context.check_hostname and self._check_hostname:

The context object's check_hostname (created by ssl._create_stdlib_context() -
note private ) is False by default and the statement holds good and acts only on

But if the context is constructed manually and the context object's
check_hostname is set to True (with correct intentions), that statement will
lead to skipping of matching hostname!

Is my analysis right here?
msg227094 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-09-19 13:40
If check_hostname is set on the context then do_handshake() will already perform the hostname check:
msg227169 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-09-20 19:23
Alex's analysis is correct. Starting with 3.4 the SSLSocket object can perform a hostname check during the handshake. More recent versions of OpenSSL or a custom verify callback could do the check even earlier during the handshake.
msg227170 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-09-20 19:29
This can be closed then I think?
msg227171 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-09-20 19:33
Date User Action Args
2022-04-11 14:58:08adminsetgithub: 66630
2014-09-20 19:33:24christian.heimessetstatus: open -> closed
type: behavior
messages: + msg227171

resolution: not a bug
stage: resolved
2014-09-20 19:29:47alexsetmessages: + msg227170
2014-09-20 19:23:32christian.heimessetmessages: + msg227169
2014-09-19 13:40:47alexsetmessages: + msg227094
2014-09-19 07:53:10orsenthilcreate