This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Arfrever, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, janssen, larry, pitrou
Date 2013-11-28.15:38:20
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1385653100.95.0.23235045378.issue19509@psf.upfronthosting.co.za>
In-reply-to
Content 
My patch could be much simpler and easier if we could just drop support for ancient versions of OpenSSL. My idea requires at least OpenSSL 0.9.8f (release 2007) with SNI support. Six years are a lot for crypto software. All relevant platforms with vendor support have a more recent version of OpenSSL, too.

>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.wrap_socket(sock, server_hostname="www.example.org")

server_hostname is used to for server name indicator (SNI) as well as the hostname for match_hostname(). It would remove lots and lots of code duplication, too.

The check_hostname takes care about invalid combinations, too:

>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode == ssl.CERT_NONE
True
>>> context.check_hostname = True
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED
History
Date User Action Args
2013-11-28 15:38:21christian.heimessetrecipients: + christian.heimes, georg.brandl, janssen, pitrou, larry, giampaolo.rodola, Arfrever, dstufft
2013-11-28 15:38:20christian.heimessetmessageid: <1385653100.95.0.23235045378.issue19509@psf.upfronthosting.co.za>
2013-11-28 15:38:20christian.heimeslinkissue19509 messages
2013-11-28 15:38:20christian.heimescreate