[pypy-commit] pypy py3.6: Complete the implementation of PROTOCOL_TLS_CLIENT: host names are checked.

amauryfa pypy.commits at gmail.com
Sun Apr 22 17:26:48 EDT 2018


Author: Amaury Forgeot d'Arc <amauryfa at gmail.com>
Branch: py3.6
Changeset: r94417:869382060075
Date: 2018-04-22 21:31 +0200
http://bitbucket.org/pypy/pypy/changeset/869382060075/

Log:	Complete the implementation of PROTOCOL_TLS_CLIENT: host names are
	checked.

diff --git a/lib_pypy/_cffi_ssl/_stdssl/__init__.py b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
--- a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
+++ b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
@@ -822,10 +822,16 @@
             raise ssl_error("failed to allocate SSL context")
         self.ctx = ffi.gc(lib.SSL_CTX_new(method), lib.SSL_CTX_free)
 
+        # Don't check host name by default
         self._check_hostname = False
+        if protocol == PROTOCOL_TLS_CLIENT:
+            self._check_hostname = True
+            self.verify_mode = CERT_REQUIRED
+        else:
+            self._check_hostname = False
+            self.verify_mode = CERT_NONE
 
         # Defaults
-        lib.SSL_CTX_set_verify(self.ctx, lib.SSL_VERIFY_NONE, ffi.NULL)
         options = lib.SSL_OP_ALL & ~lib.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
         if not lib.Cryptography_HAS_SSL2 or protocol != PROTOCOL_SSLv2:
             options |= lib.SSL_OP_NO_SSLv2
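Review bot: The context line `self._check_hostname = False` directly under the new `# Don't check host name by default` comment is now dead: both branches of the added `if protocol == PROTOCOL_TLS_CLIENT:` reassign `_check_hostname`, and the comment no longer describes the client-protocol case. Collapse it to `self._check_hostname = protocol == PROTOCOL_TLS_CLIENT` followed by `self.verify_mode = CERT_REQUIRED if self._check_hostname else CERT_NONE`, which also makes the invariant the `verify_mode` setter enforces (no CERT_NONE while check_hostname is on) visible at the point where both are initialized. Assigning `self.verify_mode` here presumably routes through that property setter, so `_check_hostname` must be set before it, as the hunk already does; a one-line comment saying so would keep a later reordering from tripping the ValueError. The enclosing `__init__` starts before and continues past this hunk.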
@@ -910,7 +916,9 @@
         if mode == lib.SSL_VERIFY_NONE and self.check_hostname:
             raise ValueError("Cannot set verify_mode to CERT_NONE when " \
                              "check_hostname is enabled.")
-        lib.SSL_CTX_set_verify(self.ctx, mode, ffi.NULL);
+        # Keep current verify cb
+        verify_cb = lib.SSL_CTX_get_verify_callback(self.ctx)
+        lib.SSL_CTX_set_verify(self.ctx, mode, verify_cb)
 
     @property
     def verify_flags(self):
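Review bot: The new `SSL_CTX_get_verify_callback` / `SSL_CTX_set_verify` pair changes the setter's behaviour silently: previously any verify callback installed on the context was dropped to `ffi.NULL` whenever `verify_mode` was assigned, now it survives, and the one-word comment `# Keep current verify cb` does not say why that matters. Expand it to something like `# SSL_CTX_set_verify replaces the callback; re-pass the one already installed so changing verify_mode does not silently disable it`, so the next reader does not revert to the simpler `ffi.NULL` form. Whether any caller in this module installs such a callback is not visible in the hunk, so the comment should stay factual about the API rather than name a specific installer. The setter's signature and the start of its body lie outside the hunk.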

