
Author: Quentin.Pradet
Recipients: Quentin.Pradet, christian.heimes
Date: 2021-03-16 20:07:50
urllib3 is preparing a v2 with various SSL improvements, such as leaning on the ssl module to match hostnames when possible and reject certificates without a SAN. See for more details.

For this reason, we want to set `hostname_checks_common_name` to False on Python 3.7+ and OpenSSL 1.1.0+. (In other cases, we use a modified version of `ssl.match_hostname` that does not consider common names.)

I would expect that setting `hostname_checks_common_name` to False would reject certificates without SANs, but that does not appear to be the case. I used the following Python code:

    import socket
    import ssl

    # Show which OpenSSL the interpreter was built against.
    print(ssl.OPENSSL_VERSION)

    hostname = 'localhost'
    context = ssl.create_default_context()
    # Require a subjectAltName match; do not fall back to the commonName.
    context.hostname_checks_common_name = False
    with socket.create_connection((hostname, 8000)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            # Expected to be unreachable: the handshake should already have
            # failed because the server certificate carries no SAN.
            assert "subjectAltName" not in ssock.getpeercert()

which prints `OpenSSL 1.1.1i  8 Dec 2020` and does not fail as expected. I'm testing this on macOS 11.2.2 but this currently breaks our test suite on Ubuntu, Windows and macOS, including on Python 3.10, see

To reproduce this, I used trustme ( I modified the code to not include a SAN at all and ran `gunicorn --keyfile server.key --certfile server.pem app:app`, with app being the Flask quickstart application. I'll try to attach all those files if I manage to do it.

What am I missing?
History: 2021-03-16 20:07:50 Quentin.Pradet created this message and linked it to issue 43522.
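Added example, not code from the report or from urllib3: a SAN-only hostname matcher in the spirit of the modified `ssl.match_hostname` the report mentions, working on the dict that `getpeercert()` returns and refusing a certificate that has no subjectAltName instead of falling back to the commonName. The function names are assumed, the wildcard rule is a simplified strict one (whole leftmost label only) rather than a copy of the ssl module's, and the certificate dicts are constructed.

```python
import ipaddress
import ssl

class SANMissingError(ssl.CertificateError):
    """The certificate carries no subjectAltName extension at all."""

def _dnsname_match(pattern, hostname):
    """Match one dNSName SAN entry against hostname. A wildcard is accepted only
    as the whole leftmost label of a name with at least two more labels, so
    '*.example.test' matches 'api.example.test' while '*.test' and
    'f*.example.test' are rejected (simplified, stricter than the ssl module)."""
    plabels = pattern.lower().split(".")
    hlabels = hostname.lower().split(".")
    if not pattern or len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        return len(plabels) >= 3 and plabels[1:] == hlabels[1:]
    return "*" not in pattern and plabels == hlabels

def match_hostname_san_only(cert, hostname):
    """Match hostname against the subjectAltName entries of cert, the dict that
    ssl.SSLSocket.getpeercert() returns. The subject commonName is never used.
    Returns the matching (kind, value) entry, raises ssl.CertificateError."""
    san = cert.get("subjectAltName", ())
    if not san:
        raise SANMissingError(
            "certificate has no subjectAltName; commonName is not a fallback")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # hostname is a DNS name, so only DNS entries apply
    for kind, value in san:
        if kind == "DNS" and host_ip is None and _dnsname_match(value, hostname):
            return kind, value
        if kind == "IP Address" and host_ip is not None:
            if ipaddress.ip_address(value) == host_ip:
                return kind, value
    raise ssl.CertificateError(
        f"hostname {hostname!r} doesn't match any subjectAltName in {san}")

# Constructed peer-certificate dicts in the shape getpeercert() returns.
CERT_CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored"),),),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "*.example.test"),
                       ("IP Address", "127.0.0.1")),
}
```

Calling `match_hostname_san_only(CERT_CN_ONLY, "localhost")` raises `SANMissingError` even though the commonName would match, which is the behaviour the report expects from `hostname_checks_common_name = False`.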