[New-bugs-announce] [issue23843] ssl.wrap_socket doesn't handle virtual TLS hosts

John Nagle report at bugs.python.org
Wed Apr 1 20:32:18 CEST 2015

New submission from John Nagle:

ssl.wrap_socket() always uses the SSL certificate associated with the raw IP address, rather than using the server_host feature of TLS. Even when wrap_socket is used before calling "connect(port, host)", the "host" parameter isn't used by TLS.

To get proper TLS behavior (which only works in recent Python versions), it's necessary to create an SSLContext, then use

context.wrap_socket(sock, server_hostname="example.com")

This behavior is backwards-compatible (the SSL module didn't talk TLS until very recently) but confusing.  The documentation does not reflect this difference.  There's a lot of old code and online advice which suggests using ssl.wrap_socket().  It works until you hit a virtual host with TLS support. Then you get the wrong server cert and an unexpected "wrong host" SSL error.

Possible fixes:

1. Deprecate ssl.wrap_socket(), and modify the documentation to tell users to always use context.wrap_socket().

2. Add a "server_hostname" parameter to ssl.wrap_socket().  It doesn't accept that parameter; only context.wrap_socket() does.  Modify documentation accordingly.

assignee: docs at python
components: Documentation, Library (Lib)
messages: 239834
nosy: docs at python, nagle
priority: normal
severity: normal
status: open
title: ssl.wrap_socket doesn't handle virtual TLS hosts
versions: Python 3.4

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list