[New-bugs-announce] [issue22440] Setting SSLContext object's check_hostname manually might accidentally skip hostname verification

Senthil Kumaran report at bugs.python.org
Fri Sep 19 09:53:10 CEST 2014


New submission from Senthil Kumaran:

While working on issue22366, I found a tricky bit of code in:

https://hg.python.org/cpython/file/ca0aa0d89273/Lib/http/client.py#l1295
https://hg.python.org/cpython/rev/1a945fb875bf/

The statement is

 if not self._context.check_hostname and self._check_hostname:

The context object's check_hostname (created by ssl._create_stdlib_context() -
note private) is False by default, so the statement holds good and acts only on
self._check_hostname.

But if the context is constructed manually and the context object's
check_hostname is set to True (with correct intentions), that statement will
lead to skipping the hostname matching!

Is my analysis right here?

----------
messages: 227082
nosy: alex, christian.heimes, dstufft, orsenthil, pitrou
priority: normal
severity: normal
status: open
title: Setting SSLContext object's check_hostname manually might accidentally skip hostname verification
versions: Python 3.4, Python 3.5

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22440>
_______________________________________
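An added model of the decision the quoted statement makes, written for this page and not taken from CPython. It replays the post-wrap step of HTTPSConnection.connect() against a fake SSLContext, whose only assumption is the behaviour the ssl module documents for check_hostname: when it is True, the hostname is matched during the handshake (here, inside wrap_socket), and a server_hostname is then required. The names FakeSSLContext, simple_match_hostname (exact DNS-SAN match only, no wildcards), verification_path and SAMPLE_CERT are all constructed for the example. It reports which path verified the hostname for each combination of the two flags, so a reader can see where verification is merely moved and where it is absent altogether.

```python
"""Model of the hostname-verification branch in HTTPSConnection.connect().

Constructed example, not CPython code. Mirrors the statement from the report:

    if not self._context.check_hostname and self._check_hostname:
"""
from dataclasses import dataclass, field


class HostnameMismatch(Exception):
    """Raised when the presented certificate does not cover the hostname."""


def simple_match_hostname(cert, hostname):
    """Minimal stand-in for ssl.match_hostname: exact match against the
    certificate's DNS subjectAltName entries (no wildcard handling)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname not in names:
        raise HostnameMismatch(f"hostname {hostname!r} doesn't match {names}")


class FakeSSLSocket:
    """Just enough of SSLSocket for getpeercert()."""

    def __init__(self, cert):
        self._cert = cert

    def getpeercert(self):
        return self._cert


@dataclass
class FakeSSLContext:
    """Models ssl.SSLContext only as far as this example needs.

    Assumption (from the ssl docs): with check_hostname=True the context itself
    matches the peer certificate against server_hostname at handshake time and
    refuses to wrap a socket without a server_hostname.
    """
    check_hostname: bool
    peercert: dict                      # constructed cert the 'server' presents
    verified_by_context: bool = field(default=False, init=False)

    def wrap_socket(self, sock, server_hostname=None):
        if self.check_hostname:
            if server_hostname is None:
                raise ValueError("check_hostname requires server_hostname")
            simple_match_hostname(self.peercert, server_hostname)
            self.verified_by_context = True
        return FakeSSLSocket(self.peercert)


def connect_like_http_client(context, client_check_hostname, host, has_sni=True):
    """Replay the http.client flow: wrap, then the guarded manual match.

    Returns which path verified the hostname: 'context', 'client' or 'none'.
    """
    sni_hostname = host if has_sni else None   # mirrors the ssl.HAS_SNI gate
    sock = context.wrap_socket(object(), server_hostname=sni_hostname)
    # The statement under discussion: skip the manual match whenever the
    # context claims to handle hostname checking itself.
    if not context.check_hostname and client_check_hostname:
        simple_match_hostname(sock.getpeercert(), host)
        return "client"
    return "context" if context.verified_by_context else "none"


# Constructed certificate: only valid for example.test.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"),),
}


def verification_path(context_check_hostname, client_check_hostname, host,
                      cert=SAMPLE_CERT, has_sni=True):
    """Build a context with the given flag and report the verifying path."""
    ctx = FakeSSLContext(check_hostname=context_check_hostname, peercert=cert)
    return connect_like_http_client(ctx, client_check_hostname, host, has_sni)


if __name__ == "__main__":
    for ctx_flag in (False, True):
        for client_flag in (False, True):
            path = verification_path(ctx_flag, client_flag, "example.test")
            print(f"context.check_hostname={ctx_flag!s:5} "
                  f"self._check_hostname={client_flag!s:5} -> verified by: {path}")
```

Running the table shows the combination that does no hostname check at all is both flags False; with the context's flag True the check is performed by the context during wrap (and a mismatch or a missing server_hostname fails there), which is what the guard in http.client relies on.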