Roundup Robot added the comment:
New changeset a409a7cd908d by Benjamin Peterson in branch '3.4':
HTTPSConnection: prefer the context's check_hostname attribute over the
constructor parameter (#22959)
https://hg.python.org/cpython/rev/a409a7cd908d
New changeset 41021c771510 by Benjamin
Benjamin Peterson added the comment:
Okay, I basically applied my patch to 3.4/3.5. I simply removed the
check_hostname parameter from 2.7, since it was to be added in 2.7.9.
--
resolution:  -> fixed
status: open -> closed
___
Python tracker
zodalahtathi added the comment:
Thank you
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22959
___
___
Python-bugs-list mailing list
zodalahtathi added the comment:
I think it does, when passing a context with ssl_context.verify_mode !=
ssl.CERT_NONE, and when not setting the check_hostname parameter:
1. will_verify will be True
(https://hg.python.org/cpython/file/3.4/Lib/http/client.py#l1207)
2. check_hostname will be True
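Added example, not part of the tracker thread and not CPython's own code: a simplified model of the decision described in the comment above, set beside the behaviour named in the changeset message ("prefer the context's check_hostname attribute"). The names `make_context`, `effective_hostname_check`, `compare` and the `prefer_context` switch are hypothetical, and the contexts are constructed samples.

```python
import ssl


def make_context(check_hostname, verify_mode):
    """Build a client-side SSLContext with the given settings (constructed sample)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname has to be cleared before verify_mode may become CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = verify_mode
    ctx.check_hostname = check_hostname
    return ctx


def effective_hostname_check(context, check_hostname=None, prefer_context=True):
    """Model: would the server certificate be matched against the host name?

    prefer_context=False models the behaviour reported in the issue
    (an unset parameter follows will_verify); prefer_context=True models
    the changeset (an unset parameter follows context.check_hostname).
    This is an assumption-labelled sketch, not the stdlib implementation.
    """
    will_verify = context.verify_mode != ssl.CERT_NONE
    if check_hostname is None:
        check_hostname = context.check_hostname if prefer_context else will_verify
    if check_hostname and not will_verify:
        raise ValueError("check_hostname needs a context that verifies certificates")
    # Matching happens either in the TLS handshake (context.check_hostname)
    # or as the connection's own check after the handshake.
    return bool(context.check_hostname or check_hostname)


def compare(context, check_hostname=None):
    """Return (reported behaviour, behaviour after the changeset)."""
    return (
        effective_hostname_check(context, check_hostname, prefer_context=False),
        effective_hostname_check(context, check_hostname, prefer_context=True),
    )


if __name__ == "__main__":
    cases = {
        "chain only, hostname check disabled": make_context(False, ssl.CERT_REQUIRED),
        "chain and hostname": make_context(True, ssl.CERT_REQUIRED),
        "no verification": make_context(False, ssl.CERT_NONE),
    }
    for name, ctx in cases.items():
        print(f"{name}: before={compare(ctx)[0]} after={compare(ctx)[1]}")
```

Only the first case changes: a context that verifies the chain but has check_hostname disabled. Code that depended on the implicit match for such a context has to set check_hostname on the context itself.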
Benjamin Peterson added the comment:
As the documentation says, "If context is specified and has a verify_mode of
either CERT_OPTIONAL or CERT_REQUIRED, then by default host is matched against
the host name(s) allowed by the server’s certificate." If you want to change
that behaviour, you can
Alex Gaynor added the comment:
This will cause it to not validate in some cases where it currently is
validating? That seems like a regression to me.
Benjamin Peterson added the comment:
On Sun, Nov 30, 2014, at 11:20, Alex Gaynor wrote:
> Alex Gaynor added the comment:
>
> This will cause it to not validate in some cases where it currently is
> validating? That seems like a regression to me.
I suppose. Certainly, none of the default cases
zodalahtathi added the comment:
I agree that changing a default to something less secure is not something to do
lightly; however, I think forcing a check that is explicitly disabled is a bug
and can be counterproductive security-wise.
People who don't have time to look at the stdlib code, and
Benjamin Peterson added the comment:
Why do you think it still verifies the hostname? It will certainly check if the
certificate has a valid trust chain, but it won't do matching on the hostname.
--
nosy: +benjamin.peterson
New submission from zodalahtathi:
http.client.HTTPSConnection has both a check_hostname parameter, and a context
parameter to pass an already set up SSL context.
When check_hostname is not set and thus is None, and when passing an SSL context
set to NOT check hostnames, i.e.:
import http.client
Changes by Antoine Pitrou pit...@free.fr:
--
nosy: +alex, christian.heimes