[Python-Dev] Verification of SSL cert and hostname made easy

Antoine Pitrou solipsis at pitrou.net
Sat Nov 30 23:51:17 CET 2013

On Sat, 30 Nov 2013 19:29:37 +0100
Christian Heimes <christian at python.org> wrote:
> This fix requires only a new SSLContext attribute and a small
> modification to SSLSocket.do_handshake():
>   if self.context.check_hostname:
>       try:
>           match_hostname(self.getpeercert(), self.server_hostname)
>       except Exception:
>           self.shutdown(_SHUT_RDWR)
>           self.close()
>           raise

Small nit: what happens if the server_hostname is None (i.e. wasn't
passed to context.wrap_socket())?

> The default settings for all stdlib modules will still be verify_mode =
> CERT_NONE and check_hostname = False for maximum backward compatibility.
> Python 3.4 comes with a new function ssl.create_default_context() that
> returns a new context with best practice settings and loaded root CA
> certs. The settings are TLS 1.0, no weak and insecure ciphers (no MD5,
> no RC4), no compression (CRIME attack), CERT_REQUIRED and check_hostname
> = True (for client side only).

Sounds fine to me, thanks.



More information about the Python-Dev mailing list