[issue26238] httplib use wrong hostname in https request with SNI support
Changes by lirenke:

--
resolution: -> fixed

___
Python tracker <http://bugs.python.org/issue26238>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue26238] httplib use wrong hostname in https request with SNI support
lirenke added the comment:

In RFC6066, literal IPv4 is not allowed as hostname indeed. Actually, many requests still use the format of "IP+PORT" to access the server, and it seems Python doesn't prohibit this action explicitly. The explorer Chrome also uses a literal IP address for access, for instance.

In our case, all requests will be forwarded by apacheproxy and there is another apache server receiving them. The URL is like "https://128.6.42.21:8088/xx/", and the SNI will be added by OpenSSL in the TLS-handshake packet when a new https connection is created. At this time, "128.6.42.21:8088" is set to self._tunnel_host in set_tunnel(), then the server_hostname, as SNI, is determined.

The server side's apache will check the SNI between the handshake packet and the local vHost configuration. So it is the place where the mismatch happens. Error Code 400, Bad Request will be returned to the client. <https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI>

Definitely, the port number shouldn't be a part of SNI. Compared with what Chrome does, we hope Python could handle the server_hostname precisely too. Calling self._get_hostport() again and setting the IP address to server_hostname without the port number is our suggestion.
[issue26238] httplib use wrong hostname in https request with SNI support
lirenke added the comment:

We use Python 2.7.9, and I have checked the httplib.py in the 2.7.11 version at the same time. Notice that in set_tunnel(), self._tunnel_host has already been updated by calling _get_hostport(), just like you said. It's different between 2.7.9 and 2.7.11.

Then I replaced the file and retried, and the problem is gone. Maybe this is a bug fixed before which I didn't notice. I think it's time for us to upgrade Python...

Thank you for your reminder and help, Martin.

--
status: open -> closed
[issue26238] httplib use wrong hostname in https request with SNI support
New submission from lirenke:

httplib gives the OpenSSL SNI extension a message like an IP:PORT string. The apache server would return a 400 code if SNI/request ServerName mismatch.

In class HTTPSConnection, we hope to call self._get_hostport() before giving the value to server_hostname.

===
if self._tunnel_host:
    server_hostname = self._tunnel_host
else:
    server_hostname = self.host

self.sock = self._context.wrap_socket(self.sock,
                                      server_hostname=server_hostname)
===

--
components: Library (Lib)
messages: 259207
nosy: lvhancy
priority: normal
severity: normal
status: open
title: httplib use wrong hostname in https request with SNI support
versions: Python 2.7
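Added example, not code from this thread or from httplib: a Python 3 illustration of the handling the report asks for, where the port is split off the tunnel host before the name is used as server_hostname. It goes one step beyond the thread by also omitting SNI for IP literals, which RFC 6066 does not permit in HostName; the function names (split_hostport, server_hostname_for, sni_value) are hypothetical.

```python
import ipaddress

def split_hostport(hostport, default_port=443):
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port)."""
    # Assumption: an unbracketed string with several colons is a bare IPv6 address.
    if hostport.count(":") > 1 and "]" not in hostport:
        return hostport, default_port
    host, port = hostport, default_port
    i = hostport.rfind(":")
    j = hostport.rfind("]")            # end of a bracketed IPv6 literal, if any
    if i > j:                          # a colon after ']' separates the port
        host, port_text = hostport[:i], hostport[i + 1:]
        if port_text:
            if not port_text.isdigit():
                raise ValueError("nonnumeric port: %r" % port_text)
            port = int(port_text)
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port

def server_hostname_for(tunnel_host, host):
    """Name to verify and offer to the TLS layer: tunnel target first, no port."""
    name, _port = split_hostport(tunnel_host if tunnel_host else host)
    return name

def sni_value(name):
    """Return name if it may be sent as SNI, or None for an IP literal."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return name                    # not an IP address: a DNS hostname
    return None                        # RFC 6066: no literal IPs in HostName

if __name__ == "__main__":
    # "128.6.42.21:8088" is the tunnel host from the report; the rest is constructed.
    for tunnel, host in [("128.6.42.21:8088", "proxy.example"),
                         ("www.example.org:8443", "proxy.example"),
                         (None, "www.example.org")]:
        name = server_hostname_for(tunnel, host)
        print(tunnel, host, "->", name, "SNI:", sni_value(name))
```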