[Python-checkins] cpython: Issue #19783: nntplib now supports SSLContext.check_hostname and server name

Mon Dec 2 20:20:21 CET 2013

http://hg.python.org/cpython/rev/42a6919ee7e5
changeset:   87716:42a6919ee7e5
user:        Christian Heimes <christian at cheimes.de>
date:        Mon Dec 02 20:20:11 2013 +0100
summary:
  Issue #19783: nntplib now supports SSLContext.check_hostname and server name
indication for TLS/SSL connections.

files:
  Doc/library/nntplib.rst |  8 ++++++++
  Lib/nntplib.py          |  9 +++++----
  Misc/NEWS               |  3 +++
  3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/Doc/library/nntplib.rst b/Doc/library/nntplib.rst
--- a/Doc/library/nntplib.rst
+++ b/Doc/library/nntplib.rst
@@ -102,6 +102,10 @@
 
    .. versionadded:: 3.2
 
+   .. versionchanged:: 3.4
+      The class now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 
 .. exception:: NNTPError
 
@@ -241,6 +245,10 @@
 
    .. versionadded:: 3.2
 
+   .. versionchanged:: 3.4
+      The method now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 
 .. method:: NNTP.newgroups(date, *, file=None)
 
diff --git a/Lib/nntplib.py b/Lib/nntplib.py
--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -279,7 +279,7 @@
 
 if _have_ssl:
 
-    def _encrypt_on(sock, context):
+    def _encrypt_on(sock, context, hostname):
         """Wrap a socket in SSL/TLS. Arguments:
         - sock: Socket to wrap
         - context: SSL context to use for the encrypted connection
@@ -289,7 +289,8 @@
         # Generate a default SSL context if none was passed.
         if context is None:
             context = ssl._create_stdlib_context()
-        return context.wrap_socket(sock)
+        server_hostname = hostname if ssl.HAS_SNI else None
+        return context.wrap_socket(sock, server_hostname=server_hostname)
 
 
 # The classes themselves
@@ -1005,7 +1006,7 @@
             resp = self._shortcmd('STARTTLS')
             if resp.startswith('382'):
                 self.file.close()
-                self.sock = _encrypt_on(self.sock, context)
+                self.sock = _encrypt_on(self.sock, context, self.host)
                 self.file = self.sock.makefile("rwb")
                 self.tls_on = True
                 # Capabilities may change after TLS starts up, so ask for them
@@ -1065,7 +1066,7 @@
             in default port and the `ssl_context` argument for SSL connections.
             """
             self.sock = socket.create_connection((host, port), timeout)
-            self.sock = _encrypt_on(self.sock, ssl_context)
+            self.sock = _encrypt_on(self.sock, ssl_context, host)
             file = self.sock.makefile("rwb")
             _NNTPBase.__init__(self, file, host,
                                readermode=readermode, timeout=timeout)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@
 - Issue #19784: poplib now supports SSLContext.check_hostname and server name
   indication for TLS/SSL connections.
 
+- Issue #19783: nntplib now supports SSLContext.check_hostname and server name
+  indication for TLS/SSL connections.
+
 - Issue #19782: imaplib now supports SSLContext.check_hostname and server name
   indication for TLS/SSL connections.
 

-- 
Repository URL: http://hg.python.org/cpython
