[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-05-03 Thread Christian Heimes
Christian Heimes added the comment: Seth's urllib3 newsletter reminded me that I forgot to link to OpenSSL issues here. The problem was caused by a bug in OpenSSL. The issue is fixed in OpenSSL default branch and is scheduled to land in next 1.1.1 release. My changes to Python's ssl module

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: Workaround has been added to upcoming 3.8 to 3.10 releases. Older versions will get fixed by next OpenSSL update.
resolution: -> fixed; stage: patch review -> resolved; status: open -> closed; type: -> behavior

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: New changeset f77ca86f75d5ad9b52e5f3cd19c0024b204b168c by Christian Heimes in branch '3.8': [3.8] bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) (GH-25452) https://github.com/python/cpython/commit/f77ca86f75d5ad9b52e5f3cd19c0024b204b168c

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: New changeset cdf02879790b8e52456df6e9d58fb8c0842fc359 by Christian Heimes in branch '3.9': [3.9] bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) (GH-25451) https://github.com/python/cpython/commit/cdf02879790b8e52456df6e9d58fb8c0842fc359

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Change by Christian Heimes: pull_requests: +24180; pull_request: https://github.com/python/cpython/pull/25451

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Change by Christian Heimes: pull_requests: +24181; pull_request: https://github.com/python/cpython/pull/25452

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-04-17 Thread Christian Heimes
Christian Heimes added the comment: New changeset b467d9a24011992242c95d9157d3455f8a84466b by Christian Heimes in branch 'master': bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899) https://github.com/python/cpython/commit/b467d9a24011992242c95d9157d3455f8a84466b

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-17 Thread Quentin Pradet
Quentin Pradet added the comment: Thank you for the quick fix!  Both the reproducer and the urllib3 test suite run fine with this change. However, we can't trust `HAS_NEVER_CHECK_COMMON_NAME` anymore, because it will be True in Python versions where `hostname_checks_common_name` does not

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Christian Heimes
Change by Christian Heimes: keywords: +patch; pull_requests: +23663; stage: -> patch review; pull_request: https://github.com/python/cpython/pull/24899

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Christian Heimes
Christian Heimes added the comment: PS: I don't see any remark or warning about the behavior on the man pages https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html and https://www.openssl.org/docs/man1.1.1/man3/X509_check_host.html

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Christian Heimes
Christian Heimes added the comment: Oh heck, this is a genuine bug. I'm not yet sure if it's an undocumented API quirk in OpenSSL, a design bug in OpenSSL, or a bug in my code. Python sets the host flags on the X509_VERIFY_PARAM of the *SSL_CTX. All flags get copied to *SSL struct and later

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Quentin Pradet
Change by Quentin Pradet: Added file: https://bugs.python.org/file49883/server.key

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Quentin Pradet
Change by Quentin Pradet: Added file: https://bugs.python.org/file49881/client.pem

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Quentin Pradet
Change by Quentin Pradet: Added file: https://bugs.python.org/file49882/server.pem

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Quentin Pradet
Change by Quentin Pradet: Added file: https://bugs.python.org/file49880/app.py

[issue43522] SSLContext.hostname_checks_common_name appears to have no effect

2021-03-16 Thread Quentin Pradet
New submission from Quentin Pradet: urllib3 is preparing a v2 with various SSL improvements, such as leaning on the ssl module to match hostnames when possible and reject certificates without a SAN. See https://urllib3.readthedocs.io/en/latest/v2-roadmap.html#modern-security-by-default for