Issue 22440: Setting SSLContext object's check_hostname manually might accidentally skip hostname verification
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
This issue has been migrated to GitHub: https://github.com/python/cpython/issues/66630
classification

| Title: | Setting SSLContext object's check_hostname manually might accidentally skip hostname verification | | |
|---|---|---|---|
| Type: | behavior | Stage: | resolved |
| Components: | | Versions: | Python 3.4, Python 3.5 |
process

| Status: | closed | Resolution: | not a bug |
|---|---|---|---|
| Dependencies: | | Superseder: | |
| Assigned To: | | Nosy List: | alex, christian.heimes, dstufft, orsenthil, pitrou |
| Priority: | normal | Keywords: | |
Created on 2014-09-19 07:53 by orsenthil, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (5)

msg227082 - Author: Senthil Kumaran (orsenthil)
Date: 2014-09-19 07:53

While working on , I found a tricky bit of code in: https://hg.python.org/cpython/file/ca0aa0d89273/Lib/http/client.py#l1295 https://hg.python.org/cpython/rev/1a945fb875bf/

The statement is `if not self._context.check_hostname and self._check_hostname:`

The context object's check_hostname (created by ssl._create_stdlib_context(), note: private) is False by default, and the statement holds good and acts only on self._check_hostname.

But if the context is constructed manually and the context object's check_hostname is set to True (with correct intentions), that statement will lead to skipping of matching hostname! Is my analysis right here?

msg227094 - Author: Alex Gaynor (alex)
Date: 2014-09-19 13:40

If check_hostname is set on the context then do_handshake() will already perform the hostname check: https://hg.python.org/cpython/file/default/Lib/ssl.py#l787

msg227169 - Author: Christian Heimes (christian.heimes)
Date: 2014-09-20 19:23

Alex's analysis is correct. Starting with 3.4 the SSLSocket object can perform a hostname check during the handshake. More recent versions of OpenSSL or a custom verify callback could do the check even earlier during the handshake.
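The resolution above rests on two facts: a context with `check_hostname=True` matches the hostname inside `do_handshake()`, so the `http.client` branch is only needed for contexts that do not, and the `ssl` module will not let `verify_mode` drop to `CERT_NONE` while `check_hostname` is enabled. The following is an added example, not code from the issue thread or from CPython's `http.client`; `who_checks_hostname()` is a hypothetical model of the `if not self._context.check_hostname and self._check_hostname:` branch (with `connection_check_hostname` standing in for `HTTPSConnection._check_hostname`), and `legacy_context()` is a constructed context modelled on the `check_hostname=False` default the first message describes.

```python
"""Added example (not from the issue or from CPython's http.client): an audit
helper for ssl.SSLContext plus a model of the http.client branch the issue
asks about, showing which layer performs the hostname match."""
import ssl


def strict_context() -> ssl.SSLContext:
    """create_default_context() gives check_hostname=True and CERT_REQUIRED,
    so the hostname is matched inside SSLSocket.do_handshake()."""
    return ssl.create_default_context()


def legacy_context() -> ssl.SSLContext:
    """Constructed context modelled on the 3.4 stdlib default the issue
    describes: check_hostname=False, so http.client had to match the
    hostname itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # clear this first; CERT_NONE is refused while it is True
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def who_checks_hostname(ctx: ssl.SSLContext, connection_check_hostname: bool) -> dict:
    """Hypothetical model of the 3.4/3.5 HTTPSConnection.connect() branch
    `if not self._context.check_hostname and self._check_hostname:`.
    connection_check_hostname stands for HTTPSConnection._check_hostname.
    Returns which layer matches the hostname, if any."""
    by_handshake = bool(ctx.check_hostname)           # done by do_handshake()
    by_http_client = (not ctx.check_hostname) and connection_check_hostname
    return {"handshake": by_handshake,
            "http_client": by_http_client,
            "verified": by_handshake or by_http_client}


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a defender wants to see before handing a context to a client."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: hostname is not matched in the handshake")
    return findings


def cert_none_refused_when_check_hostname() -> bool:
    """The ssl module refuses verify_mode=CERT_NONE while check_hostname is
    True (ValueError), so a context cannot silently lose hostname checking."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("legacy", legacy_context())):
        print(name, who_checks_hostname(ctx, True), audit_context(ctx))
    print("CERT_NONE refused while check_hostname=True:",
          cert_none_refused_when_check_hostname())
```

Running the script shows the strict context reporting `handshake: True, http_client: False` with no findings, and the legacy context reporting `http_client: True` with two findings; with the legacy context and the per-connection flag cleared, nothing matches the hostname at all, which is the combination an audit should flag.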
msg227170 - Author: Alex Gaynor (alex)
Date: 2014-09-20 19:29

This can be closed then I think?

msg227171 - Author: Christian Heimes (christian.heimes)
Date: 2014-09-20 19:33

Yeah.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:08 | admin | set | github: 66630 |
| 2014-09-20 19:33:24 | christian.heimes | set | status: open -> closed; type: behavior; messages: +; resolution: not a bug; stage: resolved |
| 2014-09-20 19:29:47 | alex | set | messages: + |
| 2014-09-20 19:23:32 | christian.heimes | set | messages: + |
| 2014-09-19 13:40:47 | alex | set | messages: + |
| 2014-09-19 07:53:10 | orsenthil | create | |