[docs] [issue36868] New behavior of OpenSSL hostname verification not exposed, incorrectly documented
report at bugs.python.org
Sat May 11 12:03:07 EDT 2019
Christian Heimes <lists at cheimes.de> added the comment:
The entry in whatsnew is a documentation bug. Initially I wanted to expose host_flags and wrote the whatnew entry for it. Later we decided against the flag and an only implemented the hostname_checks_common_name switch (https://docs.python.org/3/library/ssl.html#ssl.SSLContext.hostname_checks_common_name).
1) SSLContext.host_flags in whatsnew is a bug. I'm updating the text.
2/3/4) The _host_flags attribute and the HOSTFLAG_* attributes are for internal use only to provide the hostname_checks_common_name flag.
5) Underscore is not a valid character for hostnames in A, AAAA, CNAME, and similar DNS record types. It's used in e.g. SRV record types, but an application will never directly connect to a SRV record address. It looks like OpenSSL interprets RFC 6125 (https://tools.ietf.org/html/rfc6125#section-6.4.3) strictly and requires valid DNS names.
I wonder, how did you get your DNS server to accept underscores? In theory you should run into a DNS exception earlier.
stage: patch review ->
Python tracker <report at bugs.python.org>
More information about the docs