New submission from Quentin Pradet <quentin.pra...@gmail.com>:

urllib3 is preparing a v2 with various SSL improvements, such as leaning on the 
ssl module to match hostnames when possible and reject certificates without a 
SAN. See https://urllib3.readthedocs.io/en/latest/v2-roadmap.html#modern-security-by-default 
for more details.

For this reason, we want to set `hostname_checks_common_name` to False on 
Python 3.7+ and OpenSSL 1.1.0+. (In other cases, we use a modified version of 
`ssl.match_hostname` that does not consider common names.)

I would expect that setting `hostname_checks_common_name` to False would 
reject certificates without SANs, but that does not appear to be the case. I 
used the following Python code:

    import socket
    import ssl
    
    print(ssl.OPENSSL_VERSION)
    hostname = 'localhost'
    context = ssl.create_default_context()
    # client.pem is the trust anchor (CA certificate) generated with trustme
    context.load_verify_locations("client.pem")
    # Expected: with CN matching disabled, a cert without a SAN should be rejected
    context.hostname_checks_common_name = False
    
    with socket.create_connection((hostname, 8000)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            # The handshake succeeds even though the server cert has no SAN
            assert "subjectAltName" not in ssock.getpeercert()


which prints `OpenSSL 1.1.1i  8 Dec 2020` and does not fail as expected. I'm 
testing this on macOS 11.2.2 but this currently breaks our test suite on 
Ubuntu, Windows and macOS, including on Python 3.10, see 
https://github.com/urllib3/urllib3/runs/2122811894?check_suite_focus=true.

To reproduce this, I used trustme (https://trustme.readthedocs.io/en/latest/). 
I modified the code to not include a SAN at all and ran `gunicorn --keyfile 
server.key --certfile server.pem app:app`, with app being the Flask quickstart 
application. I'll try to attach all those files if I manage to do it.

What am I missing?

----------
assignee: christian.heimes
components: SSL
files: no_san_ignored.py
messages: 388875
nosy: Quentin.Pradet, christian.heimes
priority: normal
severity: normal
status: open
title: SSLContext.hostname_checks_common_name appears to have no effect
versions: Python 3.10
Added file: https://bugs.python.org/file49879/no_san_ignored.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43522>
_______________________________________
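The SAN-only hostname matcher the report refers to (urllib3's modified `ssl.match_hostname`), as an added example written for this page rather than taken from urllib3 or CPython: it checks the dict that `SSLSocket.getpeercert()` returns against a hostname using only subjectAltName entries, so a certificate carrying just a commonName is rejected, which is the behaviour the report expected from `hostname_checks_common_name = False`. The certificate dicts, names and addresses below are constructed.

```python
import ipaddress

class CertificateError(ValueError):
    """Raised when the peer certificate does not match the expected host."""

def _dnsname_match(pattern, hostname):
    """Exact match, or a lone '*' as the leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label and leave at least
    # two real labels, so "*.com" never matches anything.
    return p[0] == "*" and len(p) >= 3 and len(h) == len(p) and h[1:] == p[1:]

def match_hostname_san_only(cert, hostname):
    """Like ssl.match_hostname() on a getpeercert() dict, but never uses the CN."""
    san = cert.get("subjectAltName", ())
    if not san:
        raise CertificateError("certificate has no subjectAltName extension")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # hostname is a DNS name, not an IP literal
    for kind, value in san:
        if kind == "DNS" and host_ip is None and _dnsname_match(value, hostname):
            return
        if kind == "IP Address" and host_ip is not None:
            try:
                if ipaddress.ip_address(value) == host_ip:
                    return
            except ValueError:
                pass  # malformed IP entry in the SAN; skip it
    raise CertificateError(f"{hostname!r} matches no subjectAltName entry")

def san_matches(cert, hostname):
    """Boolean wrapper around match_hostname_san_only()."""
    try:
        match_hostname_san_only(cert, hostname)
        return True
    except CertificateError:
        return False

# Constructed sample dicts mimicking getpeercert() output; not real certificates.
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"),
                       ("IP Address", "127.0.0.1")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
```

Calling `san_matches(CERT_CN_ONLY, "localhost")` returns False even though the commonName matches, which is exactly the rejection the report was looking for from the ssl module.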
_______________________________________________
Python-bugs-list mailing list