[New-bugs-announce] [issue22959] http.client.HTTPSConnection checks hostname when SSL context has check_hostname==False
zodalahtathi
report at bugs.python.org
Thu Nov 27 20:42:39 CET 2014
New submission from zodalahtathi:
http.client.HTTPSConnection has both a check_hostname parameter, and a context parameter to pass an already setup SSL context.
When check_hostname is not set and thus is None, and when passing a SSL context set to NOT check hostnames, ie:
import http.client
import ssl
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
https = http.client.HTTPSConnection(..., context=ssl_context)
The https object WILL check hostname.
In my opinion the line :
https://hg.python.org/cpython/file/3.4/Lib/http/client.py#l1207
will_verify = context.verify_mode != ssl.CERT_NONE
Should be changed to:
will_verify = (context.verify_mode != ssl.CERT_NONE) and (context.check_hostname)
----------
components: Library (Lib)
messages: 231775
nosy: zodalahtathi
priority: normal
severity: normal
status: open
title: http.client.HTTPSConnection checks hostname when SSL context has check_hostname==False
type: behavior
versions: Python 3.4
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22959>
_______________________________________
More information about the New-bugs-announce
mailing list