[New-bugs-announce] [issue43522] SSLContext.hostname_checks_common_name appears to have no effect

Quentin Pradet report at bugs.python.org
Tue Mar 16 16:07:50 EDT 2021 

New submission from Quentin Pradet <quentin.pradet at gmail.com>:

urllib3 is preparing a v2 with various SSL improvements, such as leaning on the ssl module to match hostnames when possible and reject certificates without a SAN. See https://urllib3.readthedocs.io/en/latest/v2-roadmap.html#modern-security-by-default for more details.

For this reason, we want to set `hostname_checks_common_name` to False on Python 3.7+ and OpenSSL 1.1.0+. (In other cases, we use a modified version of `ssl.match_hostname` that does not consider common names.)

I would expect that setting `hostname_checks_common_name` to False would rejects certificates without SANs, but that does not appear to be the case. I used the following Python code:

    import socket
    import ssl
    
    print(ssl.OPENSSL_VERSION)
    hostname = 'localhost'
    context = ssl.create_default_context()
    context.load_verify_locations("client.pem")
    context.hostname_checks_common_name = False
    
    with socket.create_connection((hostname, 8000)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                assert "subjectAltName" not in ssock.getpeercert()


which prints `OpenSSL 1.1.1i  8 Dec 2020` and does not fail as expected. I'm testing this on macOS 11.2.2 but this currently breaks our test suite on Ubuntu, Windows and macOS, including on Python 3.10, see https://github.com/urllib3/urllib3/runs/2122811894?check_suite_focus=true.

To reproduce this, I used trustme (https://trustme.readthedocs.io/en/latest/). I modified the code to not include a SAN at all and ran `gunicorn --keyfile server.key --certfile server.pem app:app`, with app being the Flask quickstart application. I'll try to attach all those files if I manage to do it.

What am I missing?

----------
assignee: christian.heimes
components: SSL
files: no_san_ignored.py
messages: 388875
nosy: Quentin.Pradet, christian.heimes
priority: normal
severity: normal
status: open
title: SSLContext.hostname_checks_common_name appears to have no effect
versions: Python 3.10
Added file: https://bugs.python.org/file49879/no_san_ignored.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43522>
_______________________________________

More information about the New-bugs-announce mailing list