Christian Heimes added the comment: My patch could be much simpler and easier if we could just drop support for ancient versions of OpenSSL. My idea requires at least OpenSSL 0.9.8f (released 2007) with SNI support. Six years is a lot for crypto software. All relevant platforms with vendor support have a more recent version of OpenSSL, too.
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.wrap_socket(sock, server_hostname="www.example.org")

server_hostname is used for Server Name Indication (SNI) as well as the hostname for match_hostname(). It would remove lots and lots of code duplication, too. check_hostname takes care of invalid combinations, too:

>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode == ssl.CERT_NONE
True
>>> context.check_hostname = True
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED

----------
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19509>