
Author christian.heimes
Recipients christian.heimes, njs
Date 2017-04-23.11:59:48
Message-id <1492948788.54.0.063578734835.issue30141@psf.upfronthosting.co.za>
In-reply-to
Content
Sigh, this is the seventh or eighth security issue related to Python's hostname verification, maybe more. I've known for years that Python's current approach is buggy and a collection of bad ideas. That's it, I'm going to rip out ssl.match_hostname() and let OpenSSL handle all verification internally. I've been working on another PEP that features the change for quite some time. I'll to finish my SSL PEP before PyCon and language summit.

Here is a quick proof-of-concept implementation (requires OpenSSL >= 1.0.2 and LibreSSL >= 2.5).

https://github.com/tiran/cpython/tree/openssl_check_hostname
History
Date | User | Action | Args
2017-04-23 11:59:48 | christian.heimes | set | recipients: + christian.heimes, njs
2017-04-23 11:59:48 | christian.heimes | set | messageid: <1492948788.54.0.063578734835.issue30141@psf.upfronthosting.co.za>
2017-04-23 11:59:48 | christian.heimes | link | issue30141 messages
2017-04-23 11:59:48 | christian.heimes | create |