Issue 31431

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer's Guide.

Classification
Title: SSL: check_hostname should imply CERT_REQUIRED
Type: enhancement    Stage: resolved
Components: SSL    Versions: Python 3.7
Process
Status: closed    Resolution: fixed
Dependencies:    Superseder:
Assigned To: christian.heimes    Nosy List: alex, christian.heimes, dstufft, janssen
Priority: normal    Keywords: patch

Created on 2017-09-12 15:58 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 3531 | merged | christian.heimes, 2017-09-13 05:39

Messages (2)

msg301967 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-12 15:58
Hostname verification does not make much sense without verifying the certificate chain first. At the moment one has to set verify_mode to CERT_REQUIRED first:

>>> import ssl
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
>>> ctx.check_hostname, ctx.verify_mode
(False, <VerifyMode.CERT_NONE: 0>)
>>> ctx.check_hostname = True
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> ctx.check_hostname = True

On the other hand, verify_mode cannot be set to CERT_NONE without disabling check_hostname first. One has to remember to set the values in the opposite order!

>>> ctx.verify_mode = ssl.CERT_NONE
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 485, in verify_mode
    super(SSLContext, SSLContext).verify_mode.__set__(self, value)
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
>>> ctx.check_hostname = False
>>> ctx.verify_mode = ssl.CERT_NONE

I find this confusing.

In order to support PROTOCOL_TLS_CLIENT with _create_unverified_context(), I had to modify the code to this abomination:

    if not check_hostname:
        context.check_hostname = False
    if cert_reqs is not None:
        context.verify_mode = cert_reqs
    if check_hostname:
        context.check_hostname = True

Rather than making our users jump through additional hoops, check_hostname = True should just set CERT_REQUIRED. This is a sane and safe default. On the other hand, ssl.CERT_NONE shall *not* disable check_hostname and should still fail with a ValueError if check_hostname is enabled.

By the way, we should not suggest CERT_OPTIONAL here either. For TLS client connections, CERT_OPTIONAL is not really optional. CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb), CERT_REQUIRED: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb). According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode. I'll open a new bug report.
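The ordering constraint discussed in the message above, as an added example that is not part of the issue or of CPython's own code. It starts from a context with verification switched off (constructed here via PROTOCOL_TLS_CLIENT, whose defaults are verifying), shows that enabling check_hostname on 3.7+ raises verify_mode to CERT_REQUIRED on its own (with a fallback for older interpreters that still raise ValueError), confirms the library refuses the unsafe direction, and ends with a small audit helper a defender can run over any context.

```python
import ssl


def fresh_context() -> ssl.SSLContext:
    """Constructed starting point: a client context with verification off.

    PROTOCOL_TLS_CLIENT defaults to check_hostname=True and CERT_REQUIRED
    (Python 3.7+); both are switched off in the only order the API accepts
    (check_hostname first, then verify_mode) to reproduce the bare state
    the issue starts from.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def enable_hostname_check(ctx: ssl.SSLContext):
    """Turn on hostname verification and return (check_hostname, verify_mode).

    Since bpo-31431 (Python 3.7) assigning check_hostname=True alone raises
    verify_mode to CERT_REQUIRED. On older interpreters the assignment raises
    ValueError, so verify_mode is set explicitly first and the assignment retried.
    """
    try:
        ctx.check_hostname = True
    except ValueError:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    return ctx.check_hostname, ctx.verify_mode


def try_disable_verification(ctx: ssl.SSLContext) -> bool:
    """Attempt the unsafe direction: CERT_NONE while check_hostname is on.

    Returns True if the library refused with ValueError (expected on every
    version discussed in the issue), False if it silently allowed it.
    """
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def audit(ctx: ssl.SSLContext) -> dict:
    """Report whether a context validates both the chain and the hostname."""
    chain = ctx.verify_mode == ssl.CERT_REQUIRED
    host = bool(ctx.check_hostname)
    return {"verifies_chain": chain, "verifies_hostname": host, "safe": chain and host}
```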
msg302288 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-15 18:29

New changeset e82c034496512139e9ea3f68ceda86c04bc7baab by Christian Heimes in branch 'master':
bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
https://github.com/python/cpython/commit/e82c034496512139e9ea3f68ceda86c04bc7baab
History
Date | User | Action | Args
2022-04-11 14:58:52 | admin | set | github: 75612
2017-09-15 18:30:20 | christian.heimes | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2017-09-15 18:29:59 | christian.heimes | set | messages: +msg302288
2017-09-13 05:39:07 | christian.heimes | set | keywords: +patch; stage: needs patch -> patch review; pull_requests: +pull_request3528
2017-09-12 15:59:00 | christian.heimes | set | nosy: +janssen, alex, dstufft
2017-09-12 15:58:47 | christian.heimes | create |