bpo-31399: Let OpenSSL verify hostname and IP address by tiran · Pull Request #3462 · python/cpython
tiran
mentioned this pull request
tiran
changed the title
bpo-31399: [WIP] Let OpenSSL verify hostname and IP address
bpo-31399: Let OpenSSL verify hostname and IP address
1st1 approved these changes Jan 16, 2018
tiran
mentioned this pull request
tiran
mentioned this pull request
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
libssl must provide X509_VERIFY_PARAM_set1_host() Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Remove all hostflags except for NO_PARTIAL_WILDCARDS and NEVER_CHECK_SUBJECT. The other flags aren't that useful at the moment. Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform. Signed-off-by: Christian Heimes <christian@python.org>
Host flags are now in internal API. Public API is a new attribute hostname_checks_common_name. Signed-off-by: Christian Heimes <christian@python.org>
alex approved these changes Jan 27, 2018
tiran
deleted the
openssl_check_hostname
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters