[New-bugs-announce] [issue23843] ssl.wrap_socket doesn't handle virtual TLS hosts
report at bugs.python.org
Wed Apr 1 20:32:18 CEST 2015
New submission from John Nagle:
ssl.wrap_socket() always uses the SSL certificate associated with the raw IP address, rather than using the server_host feature of TLS. Even when wrap_socket is used before calling "connect(port, host)", the "host" parameter isn't used by TLS.
To get proper TLS behavior (which only works in recent Python versions), it's necessary to create an SSLContext, then use
This behavior is backwards-compatible (the SSL module didn't talk TLS until very recently) but confusing. The documentation does not reflect this difference. There's a lot of old code and online advice which suggests using ssl.wrap_socket(). It works until you hit a virtual host with TLS support. Then you get the wrong server cert and an unexpected "wrong host" SSL error.
1. Deprecate ssl.wrap_socket(), and modify the documentation to tell users to always use context.wrap_socket().
2. Add a "server_hostname" parameter to ssl.wrap_socket(). It doesn't accept that parameter; only context.wrap_socket() does. Modify documentation accordingly.
assignee: docs at python
components: Documentation, Library (Lib)
nosy: docs at python, nagle
title: ssl.wrap_socket doesn't handle virtual TLS hosts
versions: Python 3.4
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce