classification
Title: Enhancement request for SSLContext - flag to handle trailing dot in hostname
Type: enhancement Stage:
Components: SSL Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: bli2020, christian.heimes
Priority: normal Keywords:

Created on 2020-04-16 18:26 by bli2020, last changed 2021-04-20 20:20 by christian.heimes.

Messages (4)
msg366620 - (view) Author: (bli2020) Date: 2020-04-16 18:26
Issue31997 I know this issue was previously closed https://bugs.python.org/issue31997 because "it works as expected and should be handled in the application layer". But, could the team add a flag in SSLContext which will handle the trailing dot hostname appropriately (for the hostname check, since openssl does not support trailing dots in the hostname).

Previously in 2.7 and 3.6/before I was able to override ssl.match_hostname to add some extra checks, but now I am unable to do so because openssl is used instead. This extra flag/implementation would help solve this problem.
msg366621 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-04-16 18:37
I prefer not to interfere with hostname matching. Could you please open a feature request with OpenSSL and request a verification flag to ignore trailing dot? I'm happy to expose the feature if OpenSSL implements it.
msg366622 - (view) Author: (bli2020) Date: 2020-04-16 18:38
sure, that sounds reasonable. I will open up a feature request with OpenSSL
msg391474 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-20 20:20
OpenSSL feature request: https://github.com/openssl/openssl/issues/11560
History
Date User Action Args
2021-04-20 20:20:30christian.heimessetmessages: + msg391474
versions: + Python 3.10, - Python 3.7
2020-04-16 18:38:35bli2020setmessages: + msg366622
2020-04-16 18:37:30christian.heimessetmessages: + msg366621
2020-04-16 18:26:55bli2020create