Message277030
With this change: (tested with OpenSSL git-master)
@@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext *sslctx, PyS
SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
}
mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
#ifdef SSL_MODE_AUTO_RETRY
mode |= SSL_MODE_AUTO_RETRY;
#endif
SSL_set_mode(self->ssl, mode);
+ if (server_hostname != NULL) {
#if HAVE_SNI
- if (server_hostname != NULL)
SSL_set_tlsext_host_name(self->ssl, server_hostname);
#endif
+ SSL_set1_host(self->ssl, server_hostname);
+ }
/* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default)
*/
if (sock && sock->sock_timeout >= 0) {
BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}
When connecting to https://wrong.host.badssl.com/, the error is:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch (_ssl.c:768)
With this change in mind, an idea is to drop the Python implementation of match_hostname and rely on OpenSSL's checking mechanism (`do_x509_check`). As a result:
* ssl.CertificateError can be either an alias of ssl.SSLCertVerificationError or a subclass of it
* When verify_result is X509_V_ERR_HOSTNAME_MISMATCH, the error message is formatted with more information following the current approach in `match_hostname` ("hostname XXX doesn't match YYY...") |
|
Date |
User |
Action |
Args |
2016-09-20 14:54:14 | yan12125 | set | recipients:
+ yan12125, janssen, christian.heimes, alex, dstufft |
2016-09-20 14:54:13 | yan12125 | set | messageid: <1474383253.97.0.100810470395.issue28182@psf.upfronthosting.co.za> |
2016-09-20 14:54:13 | yan12125 | link | issue28182 messages |
2016-09-20 14:54:13 | yan12125 | create | |
|