Message 277030 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	yan12125
Recipients	alex, christian.heimes, dstufft, janssen, yan12125
Date	2016-09-20.14:54:13
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1474383253.97.0.100810470395.issue28182@psf.upfronthosting.co.za>
In-reply-to

Content
With this change: (tested with OpenSSL git-master) @@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext sslctx, PyS SSL_set_bio(self->ssl, inbio->bio, outbio->bio); } mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; #ifdef SSL_MODE_AUTO_RETRY mode \|= SSL_MODE_AUTO_RETRY; #endif SSL_set_mode(self->ssl, mode); + if (server_hostname != NULL) { #if HAVE_SNI - if (server_hostname != NULL) SSL_set_tlsext_host_name(self->ssl, server_hostname); #endif + SSL_set1_host(self->ssl, server_hostname); + } / If the socket is in non-blocking mode or timeout mode, set the BIO * to non-blocking mode (blocking is the default) / if (sock && sock->sock_timeout >= 0) { BIO_set_nbio(SSL_get_rbio(self->ssl), 1); BIO_set_nbio(SSL_get_wbio(self->ssl), 1); } When connecting to https://wrong.host.badssl.com/, the error is: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch (_ssl.c:768) With this change in mind, an idea is to drop the Python implementation of match_hostname and rely on OpenSSL's checking mechanism (`do_x509_check`). As a result: ssl.CertificateError can be either an alias of ssl.SSLCertVerificationError or a subclass of it * When verify_result is X509_V_ERR_HOSTNAME_MISMATCH, the error message is formatted with more information following the current approach in `match_hostname` ("hostname XXX doesn't match YYY...")

With this change: (tested with OpenSSL git-master)

@@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext *sslctx, PyS
         SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
     }
     mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
 #ifdef SSL_MODE_AUTO_RETRY
     mode |= SSL_MODE_AUTO_RETRY;
 #endif
     SSL_set_mode(self->ssl, mode);
 
+    if (server_hostname != NULL) {
 #if HAVE_SNI
-    if (server_hostname != NULL)
         SSL_set_tlsext_host_name(self->ssl, server_hostname);
 #endif
+        SSL_set1_host(self->ssl, server_hostname);
+    }
 
     /* If the socket is in non-blocking mode or timeout mode, set the BIO
      * to non-blocking mode (blocking is the default)
      */
     if (sock && sock->sock_timeout >= 0) {
         BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
         BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
     }

When connecting to https://wrong.host.badssl.com/, the error is:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch (_ssl.c:768)

With this change in mind, an idea is to drop the Python implementation of match_hostname and rely on OpenSSL's checking mechanism (`do_x509_check`). As a result:

* ssl.CertificateError can be either an alias of ssl.SSLCertVerificationError or a subclass of it
* When verify_result is X509_V_ERR_HOSTNAME_MISMATCH, the error message is formatted with more information following the current approach in `match_hostname` ("hostname XXX doesn't match YYY...")

History
Date	User	Action	Args
2016-09-20 14:54:14	yan12125	set	recipients: + yan12125, janssen, christian.heimes, alex, dstufft
2016-09-20 14:54:13	yan12125	set	messageid: <1474383253.97.0.100810470395.issue28182@psf.upfronthosting.co.za>
2016-09-20 14:54:13	yan12125	link	issue28182 messages
2016-09-20 14:54:13	yan12125	create