[New-bugs-announce] [issue22921] SSLContext's check_hostname needlessly intertwined with SNI

Donald Stufft report at bugs.python.org
Sun Nov 23 06:27:45 CET 2014


New submission from Donald Stufft:

The SSLContext().wrap_socket() method allows you to pass in a server_hostname option which will be used for two purposes, it will be used as the server name for SNI and it will be used to verify the server name of the certificate. However currently if the OpenSSL you're using does not have SNI then sending the server_hostname option to wrap_socket() will raise a ValueError.

I think that instead server_hostname should always be accepted by SSLContext().wrap_socket() regardless of if SNI is available or if check_hostname is available. It's just going to be stored and used later so we can conditionally use it for SNI or for checking the hostname depending on if SNI is available or checking if a hostname is available. The way it works right now is that unless you're happy not working when SNI is not available you have to check the hostname yourself.

If we can fix this, I think it would be smart to do it ASAP and get it into Python 2.7.9 and backported to the various Python 3.x's so that in the near future it works with all recent versions of the various Pythons (though older micro releases it may not).

This shouldn't break any code since it's changing what used to be an error into a saner working case.

----------
messages: 231544
nosy: alex, benjamin.peterson, christian.heimes, dstufft
priority: normal
severity: normal
status: open
title: SSLContext's check_hostname needlessly intertwined with SNI
type: enhancement

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22921>
_______________________________________
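The workaround the report describes, "you have to check the hostname yourself", as an added example that is not part of the tracker message or of CPython: a client helper that passes server_hostname to wrap_socket() when the linked OpenSSL has SNI (ssl.HAS_SNI) and otherwise wraps without it and verifies the peer's name after the handshake. The function names (make_verifying_context, hostname_matches, wrap_with_hostname), the constructed SAMPLE_PEERCERT dict, and the minimal matcher (exact match plus a single leftmost wildcard label over the dict returned by SSLSocket.getpeercert()) are this example's own assumptions, not the standard library's matcher.

```python
"""Hostname verification that does not depend on SNI being available.

Added example, not code from the bug report or from CPython. The matcher is a
deliberately small re-implementation of the common RFC 6125 rules (exact label
match, or a wildcard as the whole leftmost label) and is an assumption of this
example, not the stdlib's own implementation.
"""
import socket
import ssl


def make_verifying_context() -> ssl.SSLContext:
    """Client context that requires a valid chain and a matching hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _dns_names(peercert: dict) -> list:
    """DNS identities from subjectAltName; commonName only if no SAN is present."""
    names = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against hostname, label by label."""
    pat_labels = pattern.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pat_labels) != len(host_labels):
        return False
    if pat_labels[1:] != host_labels[1:]:
        return False
    if pat_labels[0] == "*":
        # Wildcard only as the entire leftmost label, and only when at least
        # two fixed labels follow it (so "*.com" never matches anything).
        return len(pat_labels) >= 3
    return pat_labels[0] == host_labels[0]


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """True if any DNS identity in the getpeercert() dict matches hostname."""
    return any(_label_matches(name, hostname) for name in _dns_names(peercert))


def wrap_with_hostname(ctx: ssl.SSLContext, sock: socket.socket, hostname: str) -> ssl.SSLSocket:
    """Wrap sock for hostname whether or not OpenSSL supports SNI.

    With SNI, server_hostname is passed and check_hostname does the work.
    Without SNI (where passing server_hostname raises ValueError, as the
    report describes), wrap without it and verify the name ourselves.
    """
    if ssl.HAS_SNI:
        return ctx.wrap_socket(sock, server_hostname=hostname)
    # Fallback: check_hostname must be off, or wrap_socket refuses to run
    # without a server_hostname; chain verification stays mandatory.
    fallback = ssl.SSLContext(ctx.protocol)
    fallback.check_hostname = False
    fallback.verify_mode = ssl.CERT_REQUIRED
    fallback.load_default_certs(ssl.Purpose.SERVER_AUTH)
    tls = fallback.wrap_socket(sock)
    if not hostname_matches(tls.getpeercert(), hostname):
        tls.close()
        raise ssl.CertificateError("hostname %r doesn't match certificate" % hostname)
    return tls


# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real cert.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
```

The fallback branch only runs on builds without SNI; on a normal build the helper is equivalent to calling wrap_socket() with server_hostname and check_hostname enabled, which is the behaviour the report asks wrap_socket() to provide in both cases.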

