[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset 40f9e91f3626 by Benjamin Peterson in branch '2.7': add NEWS note for #22921 https://hg.python.org/cpython/rev/40f9e91f3626 New changeset 060fd5d09063 by Benjamin Peterson in branch '3.4': add NEWS note for #22921 https://hg.python.org/cpython/rev/06

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset ce4073afd992 by Benjamin Peterson in branch '2.7': allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921) https://hg.python.org/cpython/rev/ce4073afd992 -- resolution: -> fixed stage: needs patch -> r

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft
Donald Stufft added the comment: Added a patch for Python 2.7 -- Added file: http://bugs.python.org/file37262/check-hostname-no-sni-with-docs-py27.patch

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset f2d4beb90a5b by Benjamin Peterson in branch '3.4': don't require OpenSSL SNI to pass hostname to ssl functions (#22921) https://hg.python.org/cpython/rev/f2d4beb90a5b New changeset 24dfe7310cc1 by Benjamin Peterson in branch 'default': merge 3.4 (#2

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft
Donald Stufft added the comment: Uploaded a third patch; this is the same technique as in the -2 patch, except it fixes a missed spot in Lib/ssl.py where I needed a better error message. Additionally this goes through and unskips all of the tests that were marked as depending on HAS_SNI when w

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft
Donald Stufft added the comment: A new patch that achieves the same thing in a simpler way at Benjamin's suggestion. -- Added file: http://bugs.python.org/file37259/check-hostname-no-sni-with-docs-2.patch

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft
Donald Stufft added the comment: Added docs. -- Added file: http://bugs.python.org/file37258/check-hostname-no-sni-with-docs.patch

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Christian Heimes
Christian Heimes added the comment: Thanks a lot, Donald! Back then I didn't pursue the point because I wasn't sure about possible security implications.

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Donald Stufft
Donald Stufft added the comment: I tested this patch on Python 3.5 compiled on CentOS 5.11 which does not have SNI enabled. The end result is that you can use server_hostname even when SNI isn't there to enable the SSL certificate checks. Of course the check will fail if the host your connecti

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Antoine Pitrou
Antoine Pitrou added the comment: This sounds ok to me, but are there still SNI-less OpenSSLs around? -- nosy: +pitrou

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-23 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- components: +Library (Lib) stage: -> needs patch type: enhancement -> behavior versions: +Python 2.7, Python 3.4, Python 3.5

[issue22921] SSLContext's check_hostname needlessly intertwined with SNI

2014-11-22 Thread Donald Stufft
New submission from Donald Stufft: The SSLContext().wrap_socket() method allows you to pass in a server_hostname option which will be used for two purposes: it will be used as the server name for SNI, and it will be used to verify the server name of the certificate. However currently if the Ope