Message388875
urllib3 is preparing a v2 with various SSL improvements, such as leaning on the ssl module to match hostnames when possible and reject certificates without a SAN. See https://urllib3.readthedocs.io/en/latest/v2-roadmap.html#modern-security-by-default for more details.
For this reason, we want to set `hostname_checks_common_name` to False on Python 3.7+ and OpenSSL 1.1.0+. (In other cases, we use a modified version of `ssl.match_hostname` that does not consider common names.)
I would expect that setting `hostname_checks_common_name` to False would reject certificates without SANs, but that does not appear to be the case. I used the following Python code:
```python
import socket
import ssl

print(ssl.OPENSSL_VERSION)

hostname = 'localhost'
context = ssl.create_default_context()
# CA certificate generated with trustme, used to verify the gunicorn server certificate
context.load_verify_locations("client.pem")
# Expected: with this disabled, a server certificate that has no subjectAltName is rejected
context.hostname_checks_common_name = False
with socket.create_connection((hostname, 8000)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        # The handshake succeeds even though the server certificate carries no SAN
        assert "subjectAltName" not in ssock.getpeercert()
```
which prints `OpenSSL 1.1.1i 8 Dec 2020` and does not fail as expected. I'm testing this on macOS 11.2.2 but this currently breaks our test suite on Ubuntu, Windows and macOS, including on Python 3.10, see https://github.com/urllib3/urllib3/runs/2122811894?check_suite_focus=true.
To reproduce this, I used trustme (https://trustme.readthedocs.io/en/latest/). I modified the code to not include a SAN at all and ran `gunicorn --keyfile server.key --certfile server.pem app:app`, with app being the Flask quickstart application. I'll try to attach all those files if I manage to do it.
What am I missing?
Date | User | Action | Args
2021-03-16 20:07:50 | Quentin.Pradet | set | recipients: + Quentin.Pradet, christian.heimes
2021-03-16 20:07:50 | Quentin.Pradet | set | messageid: <1615925270.47.0.272234983925.issue43522@roundup.psfhosted.org>
2021-03-16 20:07:50 | Quentin.Pradet | link | issue43522 messages
2021-03-16 20:07:50 | Quentin.Pradet | create |
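As an added illustration (not code from the report or from urllib3), here is a SAN-only hostname check over the dict shape returned by `SSLSocket.getpeercert()`, implementing the policy the report wants: the commonName is never consulted and a certificate with no subjectAltName is rejected outright. The certificate dicts at the bottom are constructed samples, and the wildcard rule (one leading `*` label matching exactly one label) is an assumption of this example.

```python
import ipaddress
import ssl  # only for ssl.CertificateError, so failures carry the stdlib's exception type


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (case-insensitive).
    Assumed rule: a leading '*' label matches exactly one label; no partial wildcards."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com" for "*.example.com"
    # Same number of labels required, so "*.example.com" never matches "a.b.example.com"
    if not hostname.endswith(suffix) or hostname.count(".") != pattern.count("."):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def match_hostname_san_only(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless a subjectAltName entry in *cert* matches *hostname*.
    The commonName is ignored on purpose; a SAN-less certificate fails instead of falling back."""
    san = cert.get("subjectAltName", ())
    if not san:
        raise ssl.CertificateError("certificate has no subjectAltName; CN fallback is disabled")
    try:
        ip = ipaddress.ip_address(hostname)  # literal IP peers match only "IP Address" entries
    except ValueError:
        ip = None
    for kind, value in san:
        if kind == "DNS" and ip is None and _dnsname_match(value, hostname):
            return
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return
            except ValueError:
                continue  # malformed IP entry in the cert: never a match
    raise ssl.CertificateError(f"hostname {hostname!r} doesn't match any subjectAltName entry {san!r}")


def san_hostname_matches(cert: dict, hostname: str) -> bool:
    """Boolean form of match_hostname_san_only, convenient for tests and audit scripts."""
    try:
        match_hostname_san_only(cert, hostname)
    except ssl.CertificateError:
        return False
    return True


# Constructed sample certificates in getpeercert() shape (not real certificates)
CN_ONLY_CERT = {"subject": ((("commonName", "localhost"),),)}
SAN_CERT = {"subject": ((("commonName", "localhost"),),),
            "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1"))}
WILDCARD_CERT = {"subject": ((("commonName", "ignored"),),), "subjectAltName": (("DNS", "*.example.com"),)}
```

Calling `san_hostname_matches(CN_ONLY_CERT, "localhost")` returns False even though the CN is "localhost", which is the behaviour the report expected from `hostname_checks_common_name = False`.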