Christian Heimes added the comment:
Sigh, this is the seventh or eighth security issue related to Python's hostname
verification, maybe more. I have known for years that Python's current approach is
buggy and a collection of bad ideas. That's it, I'm going to rip out
ssl.match_hostname() and let Open

New submission from Nathaniel Smith:
Basically what it says in the title... if you create an SSL object via
wrap_socket with do_handshake_on_connect=False, or via wrap_bio, and then
forget to call do_handshake and just go straight to sending and receiving data,
then the encrypted connection is