Commit 7243b57

don't require OpenSSL SNI to pass hostname to ssl functions (#22921)
Patch by Donald Stufft.
1 parent 378e15d commit 7243b57

16 files changed

Lines changed: 22 additions & 67 deletions


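--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -664,8 +664,7 @@ Constants
 .. data:: HAS_SNI
 
 Whether the OpenSSL library has built-in support for the *Server Name
-Indication* extension (as defined in :rfc:`4366`). When true, you can
-use the *server_hostname* argument to :meth:`SSLContext.wrap_socket`.
+Indication* extension (as defined in :rfc:`4366`).
 
 .. versionadded:: 3.2
 
@@ -1227,11 +1226,12 @@ to speed up repeated connections from the same clients.
 On client connections, the optional parameter *server_hostname* specifies
 the hostname of the service which we are connecting to. This allows a
 single server to host multiple SSL-based services with distinct certificates,
-quite similarly to HTTP virtual hosts. Specifying *server_hostname*
-will raise a :exc:`ValueError` if the OpenSSL library doesn't have support
-for it (that is, if :data:`HAS_SNI` is :const:`False`). Specifying
-*server_hostname* will also raise a :exc:`ValueError` if *server_side*
-is true.
+quite similarly to HTTP virtual hosts. Specifying *server_hostname* will
+raise a :exc:`ValueError` if *server_side* is true.
+
+.. versionchanged:: 3.5
+Always allow a server_hostname to be passed, even if OpenSSL does not
+have SNI.
 
 .. method:: SSLContext.session_stats()
 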
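--- a/Lib/asyncio/selector_events.py
+++ b/Lib/asyncio/selector_events.py
@@ -708,7 +708,7 @@ def __init__(self, loop, rawsock, protocol, sslcontext, waiter=None,
 'server_side': server_side,
 'do_handshake_on_connect': False,
 }
-if server_hostname and not server_side and ssl.HAS_SNI:
+if server_hostname and not server_side:
 wrap_kwargs['server_hostname'] = server_hostname
 sslsock = sslcontext.wrap_socket(rawsock, **wrap_kwargs)
 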
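--- a/Lib/ftplib.py
+++ b/Lib/ftplib.py
@@ -747,9 +747,8 @@ def auth(self):
 resp = self.voidcmd('AUTH TLS')
 else:
 resp = self.voidcmd('AUTH SSL')
-server_hostname = self.host if ssl.HAS_SNI else None
 self.sock = self.context.wrap_socket(self.sock,
-server_hostname=server_hostname)
+server_hostname=self.host)
 self.file = self.sock.makefile(mode='r', encoding=self.encoding)
 return resp
 
@@ -788,9 +787,8 @@ def prot_c(self):
 
 def ntransfercmd(self, cmd, rest=None):
 conn, size = FTP.ntransfercmd(self, cmd, rest)
 if self._prot_p:
-server_hostname = self.host if ssl.HAS_SNI else None
 conn = self.context.wrap_socket(conn,
-server_hostname=server_hostname)
+server_hostname=self.host)
 return conn, size
 
 def abort(self):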

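--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -1224,10 +1224,9 @@ def connect(self):
 server_hostname = self._tunnel_host
 else:
 server_hostname = self.host
-sni_hostname = server_hostname if ssl.HAS_SNI else None
 
 self.sock = self._context.wrap_socket(self.sock,
-server_hostname=sni_hostname)
+server_hostname=server_hostname)
 if not self._context.check_hostname and self._check_hostname:
 try:
 ssl.match_hostname(self.sock.getpeercert(), server_hostname)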

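--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -745,9 +745,8 @@ def starttls(self, ssl_context=None):
 ssl_context = ssl._create_stdlib_context()
 typ, dat = self._simple_command(name)
 if typ == 'OK':
-server_hostname = self.host if ssl.HAS_SNI else None
 self.sock = ssl_context.wrap_socket(self.sock,
-server_hostname=server_hostname)
+server_hostname=self.host)
 self.file = self.sock.makefile('rb')
 self._tls_established = True
 self._get_capabilities()
@@ -1223,9 +1222,8 @@ def __init__(self, host='', port=IMAP4_SSL_PORT, keyfile=None, certfile=None, ss
 
 def _create_socket(self):
 sock = IMAP4._create_socket(self)
-server_hostname = self.host if ssl.HAS_SNI else None
 return self.ssl_context.wrap_socket(sock,
-server_hostname=server_hostname)
+server_hostname=self.host)
 
 def open(self, host='', port=IMAP4_SSL_PORT):
 """Setup connection to remote server on "host:port".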

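--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -289,8 +289,7 @@ def _encrypt_on(sock, context, hostname):
 # Generate a default SSL context if none was passed.
 if context is None:
 context = ssl._create_stdlib_context()
-server_hostname = hostname if ssl.HAS_SNI else None
-return context.wrap_socket(sock, server_hostname=server_hostname)
+return context.wrap_socket(sock, server_hostname=hostname)
 
 
 # The classes themselves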

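--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -387,9 +387,8 @@ def stls(self, context=None):
 if context is None:
 context = ssl._create_stdlib_context()
 resp = self._shortcmd('STLS')
-server_hostname = self.host if ssl.HAS_SNI else None
 self.sock = context.wrap_socket(self.sock,
-server_hostname=server_hostname)
+server_hostname=self.host)
 self.file = self.sock.makefile('rb')
 self._tls_established = True
 return resp
@@ -430,9 +429,8 @@ def __init__(self, host, port=POP3_SSL_PORT, keyfile=None, certfile=None,
 
 def _create_socket(self, timeout):
 sock = POP3._create_socket(self, timeout)
-server_hostname = self.host if ssl.HAS_SNI else None
 sock = self.context.wrap_socket(sock,
-server_hostname=server_hostname)
+server_hostname=self.host)
 return sock
 
 def stls(self, keyfile=None, certfile=None, context=None):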

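--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -684,9 +684,8 @@ def starttls(self, keyfile=None, certfile=None, context=None):
 if context is None:
 context = ssl._create_stdlib_context(certfile=certfile,
 keyfile=keyfile)
-server_hostname = self._host if ssl.HAS_SNI else None
 self.sock = context.wrap_socket(self.sock,
-server_hostname=server_hostname)
+server_hostname=self._host)
 self.file = None
 # RFC 3207:
 # The client MUST discard any knowledge obtained from
@@ -915,9 +914,8 @@ def _get_socket(self, host, port, timeout):
 print('connect:', (host, port), file=stderr)
 new_socket = socket.create_connection((host, port), timeout,
 self.source_address)
-server_hostname = self._host if ssl.HAS_SNI else None
 new_socket = self.context.wrap_socket(new_socket,
-server_hostname=server_hostname)
+server_hostname=self._host)
 return new_socket
 
 __all__.append("SMTP_SSL")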
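Review bot: In the `_get_socket` hunk the connection is opened to the `host` argument (`socket.create_connection((host, port), ...)`) but the name given to `wrap_socket` is `self._host`; if those two can ever differ, the certificate is matched against a name other than the one actually connected to. Either pass `server_hostname=host` here or confirm that every path into `_get_socket` stores `_host` first (that assignment lives in `SMTP.connect`/`__init__`, outside this hunk, so I cannot verify it from the diff). The `starttls` hunk has no separate host argument, so `self._host` is the only sensible choice there. `_get_socket`'s body ends outside the hunk.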

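--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -538,12 +538,7 @@ def __init__(self, sock=None, keyfile=None, certfile=None,
 raise ValueError("server_hostname can only be specified "
 "in client mode")
 if self._context.check_hostname and not server_hostname:
-if HAS_SNI:
-raise ValueError("check_hostname requires server_hostname")
-else:
-raise ValueError("check_hostname requires server_hostname, "
-"but it's not supported by your OpenSSL "
-"library")
+raise ValueError("check_hostname requires server_hostname")
 self.server_side = server_side
 self.server_hostname = server_hostname
 self.do_handshake_on_connect = do_handshake_on_connect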
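Review bot: With the `HAS_SNI` branch collapsed, nothing in `SSLSocket.__init__` records what `server_hostname` means on an OpenSSL build without SNI, and the C extension that ultimately consumes the value is not among the files shown here, so a short comment above the `if self._context.check_hostname and not server_hostname:` guard would help: `# server_hostname is accepted regardless of HAS_SNI: it drives certificate hostname matching even when the extension cannot be sent in the ClientHello.` The same unconditional pass-through is made in the ftplib, http.client, imaplib, nntplib, poplib, smtplib and asyncio.selector_events hunks, so whatever the extension does with a hostname on a non-SNI build now affects every stdlib client at once. None of the visible test changes exercises that path (the test_events hunks only drop skip guards), which seems worth a test that wraps a client socket with `server_hostname` set on a build where `HAS_SNI` is false, if such a build is available in CI. The enclosing `__init__` starts before this hunk.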

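--- a/Lib/test/test_asyncio/test_events.py
+++ b/Lib/test/test_asyncio/test_events.py
@@ -12,9 +12,6 @@
 import ssl
 except ImportError:
 ssl = None
-HAS_SNI = False
-else:
-from ssl import HAS_SNI
 import subprocess
 import sys
 import threading
@@ -857,7 +854,6 @@ def test_create_unix_server_ssl(self):
 server.close()
 
 @unittest.skipIf(ssl is None, 'No ssl module')
-@unittest.skipUnless(HAS_SNI, 'No SNI support in ssl module')
 def test_create_server_ssl_verify_failed(self):
 proto = MyProto(loop=self.loop)
 server, host, port = self._make_ssl_server(
@@ -882,7 +878,6 @@ def test_create_server_ssl_verify_failed(self):
 server.close()
 
 @unittest.skipIf(ssl is None, 'No ssl module')
-@unittest.skipUnless(HAS_SNI, 'No SNI support in ssl module')
 @unittest.skipUnless(hasattr(socket, 'AF_UNIX'), 'No UNIX Sockets')
 def test_create_unix_server_ssl_verify_failed(self):
 proto = MyProto(loop=self.loop)
@@ -909,7 +904,6 @@ def test_create_unix_server_ssl_verify_failed(self):
 server.close()
 
 @unittest.skipIf(ssl is None, 'No ssl module')
-@unittest.skipUnless(HAS_SNI, 'No SNI support in ssl module')
 def test_create_server_ssl_match_failed(self):
 proto = MyProto(loop=self.loop)
 server, host, port = self._make_ssl_server(
@@ -937,7 +931,6 @@ def test_create_server_ssl_match_failed(self):
 server.close()
 
 @unittest.skipIf(ssl is None, 'No ssl module')
-@unittest.skipUnless(HAS_SNI, 'No SNI support in ssl module')
 @unittest.skipUnless(hasattr(socket, 'AF_UNIX'), 'No UNIX Sockets')
 def test_create_unix_server_ssl_verified(self):
 proto = MyProto(loop=self.loop)
@@ -963,7 +956,6 @@ def test_create_unix_server_ssl_verified(self):
 server.close()
 
 @unittest.skipIf(ssl is None, 'No ssl module')
-@unittest.skipUnless(HAS_SNI, 'No SNI support in ssl module')
 def test_create_server_ssl_verified(self):
 proto = MyProto(loop=self.loop)
 server, host, port = self._make_ssl_server(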
