[issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

2014-09-20 Thread Christian Heimes
Christian Heimes added the comment: Yeah.

resolution: -> not a bug
stage: -> resolved
status: open -> closed
type: -> behavior

[issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

2014-09-20 Thread Alex Gaynor
Alex Gaynor added the comment: This can be closed then I think?

[issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

2014-09-20 Thread Christian Heimes
Christian Heimes added the comment: Alex's analysis is correct. Starting with 3.4 the SSLSocket object can perform a hostname check during the handshake. More recent versions of OpenSSL or a custom verify callback could do the check even earlier during the handshake.

[issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

2014-09-19 Thread Alex Gaynor
Alex Gaynor added the comment: If check_hostname is set on the context then do_handshake() will already perform the hostname check: https://hg.python.org/cpython/file/default/Lib/ssl.py#l787

[issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

2014-09-19 Thread Senthil Kumaran
New submission from Senthil Kumaran: While working on issue22366, I found a tricky bit of code in: https://hg.python.org/cpython/file/ca0aa0d89273/Lib/http/client.py#l1295 https://hg.python.org/cpython/rev/1a945fb875bf/ The statement is if not self._context.check_hostname and self._check_host