diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
@@ -430,6 +430,16 @@ can be set within the scope of a group.
``'^$'`` or ``(?=-)`` that matches an empty string.
(Contributed by Serhiy Storchaka in :issue:`25054`.)

string
------


diff --git a/Lib/test/ssl-idn-cert.pem b/Lib/test/ssl-idn-cert.pem
@@ -0,0 +1,31 @@
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -80,6 +80,15 @@ def data_file(*name):
DHFILE = data_file("dh1024.pem")
BYTES_DHFILE = os.fsencode(DHFILE)

# Not defined in all versions of OpenSSL
OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
@@ -1474,16 +1483,6 @@ def test_subclass(self):
                # For compatibility
                self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)

-    def test_bad_idna_in_server_hostname(self):
-        # Note: this test is testing some code that probably shouldn't exist
-        # in the first place, so if it starts failing at some point because
-        # you made the ssl module stop doing IDNA decoding then please feel
-        # free to remove it. The test was mainly added because this case used
-        # to cause memory corruption (see bpo-30594).
-        ctx = ssl.create_default_context()
-        with self.assertRaises(UnicodeError):
-            ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
-                         server_hostname="xn--.com")

class MemoryBIOTests(unittest.TestCase):

@@ -2522,6 +2521,39 @@ def test_check_hostname(self):
                                            "check_hostname requires server_hostname"):
                    client_context.wrap_socket(s)

    def test_wrong_cert(self):
        """Connecting when the server rejects the client's certificate


diff --git a/Misc/NEWS.d/next/Security/2017-08-06-14-43-45.bpo-28414.mzZ6vD.rst b/Misc/NEWS.d/next/Security/2017-08-06-14-43-45.bpo-28414.mzZ6vD.rst
@@ -0,0 +1,2 @@
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -716,8 +716,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
    self->owner = NULL;
    self->server_hostname = NULL;
    if (server_hostname != NULL) {
        PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname),
-                                              "idna", "strict");
        if (hostname == NULL) {
            Py_DECREF(self);
            return NULL;
-Original file line number
+Diff line change
@@ Expand Up / @@ -430,6 +430,16 @@ can be set within the scope of a group. @@
     ``'^$'`` or ``(?=-)`` that matches an empty string.
     (Contributed by Serhiy Storchaka in :issue:`25054`.)
     string
     ------
@@ Expand Down @@