◐ Shell
reader mode source ↗
Skip to content

bpo-31399: Let OpenSSL verify hostname and IP address#3462

Merged
tiran merged 7 commits into
python:masterfrom
tiran:openssl_check_hostname
Jan 27, 2018
Merged

bpo-31399: Let OpenSSL verify hostname and IP address#3462
tiran merged 7 commits into
python:masterfrom
tiran:openssl_check_hostname

Conversation

@tiran

@tiran tiran commented Sep 8, 2017
edited
Loading

Copy link
Copy Markdown
Member

Replace Python's custom ssl.match_hostname() with OpenSSL 1.0.2 APIs. The hostname or IP address are now verified by OpenSSL during the TLS handshake. A failure to verify the name results in a proper handshake abort with TLS Alert bad cert.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue31399

@Mariatta Mariatta added and removed needs rebase labels Oct 9, 2017
@tiran tiran force-pushed the openssl_check_hostname branch from a3fa2cf to 75d33a3 Compare January 11, 2018 20:51
@tiran tiran requested a review from a team as a code owner January 11, 2018 20:51
@tiran tiran force-pushed the openssl_check_hostname branch from 75d33a3 to 35176ba Compare January 11, 2018 21:14
@tiran tiran requested review from 1st1 and asvetlov as code owners January 11, 2018 21:14
@tiran tiran force-pushed the openssl_check_hostname branch from 35176ba to 65faab4 Compare January 11, 2018 21:18
alex
alex reviewed Jan 11, 2018
View reviewed changes

@alex alex left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

Mostly looks good, from a first skim

@tiran tiran mentioned this pull request Jan 11, 2018
Closed
@tiran tiran force-pushed the openssl_check_hostname branch from 65faab4 to c9f4c6f Compare January 11, 2018 22:02
@tiran

tiran commented Jan 11, 2018

Copy link
Copy Markdown
Member Author

Thanks @alex

I have updated the comment for hostflaggs and created openssl/openssl#5061.

@tiran tiran force-pushed the openssl_check_hostname branch 6 times, most recently from e499eca to 89a28a5 Compare January 12, 2018 14:54
@tiran

tiran commented Jan 16, 2018

Copy link
Copy Markdown
Member Author

Blocked by #5180

@asvetlov @1st1 The PR touches asyncio. Please review the test changes.

@tiran tiran changed the title bpo-31399: [WIP] Let OpenSSL verify hostname and IP address Jan 16, 2018
asvetlov
asvetlov approved these changes Jan 16, 2018
View reviewed changes

@asvetlov asvetlov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

asyncio test change is correct (but please update assertion as suggested)

@tiran tiran force-pushed the openssl_check_hostname branch 2 times, most recently from c400837 to d1dd4f3 Compare January 16, 2018 21:09
@tiran

tiran commented Jan 16, 2018

Copy link
Copy Markdown
Member Author

@asvetlov Thanks, I changed the assert as requested

I also forgot to remove the call to match_hostname. How should I handle the call in asyncio? If I remove it, the code will no worker be secure on 3.6.

@1st1

1st1 commented Jan 16, 2018

Copy link
Copy Markdown
Member

I also forgot to remove the call to match_hostname. How should I handle the call in asyncio? If I remove it, the code will no worker be secure on 3.6.

This change is for 3.7 only, right? If so just remove the call in the master branch. We no longer try to use asyncio CPython code with other CPython versions.

@tiran tiran force-pushed the openssl_check_hostname branch from d1dd4f3 to d07134d Compare January 17, 2018 10:20
@tiran

tiran commented Jan 17, 2018

Copy link
Copy Markdown
Member Author

Yes, it's 3.7 only.

19 hidden items Load more…
@tiran tiran force-pushed the openssl_check_hostname branch from d07134d to 7b5edd5 Compare January 20, 2018 09:43
@tiran tiran requested a review from a team as a code owner January 20, 2018 09:43
@tiran

tiran commented Jan 20, 2018

Copy link
Copy Markdown
Member Author

This branch is now based on PR #5242. Please review and ACK the other PR first.

@tiran tiran force-pushed the openssl_check_hostname branch 3 times, most recently from 7c4fc70 to 197d51f Compare January 20, 2018 12:25
@tiran tiran mentioned this pull request Jan 20, 2018
Merged
@asvetlov

asvetlov commented Jan 20, 2018

Copy link
Copy Markdown
Contributor

Are there stoppers for the issue left?

@tiran

tiran commented Jan 20, 2018

Copy link
Copy Markdown
Member Author

@asvetlov No stoppers, I'm just waiting for a final review. The PR has changed a bit since @alex reviewed it. I have added more documentation and additional checks for LibreSSL.

@asvetlov

asvetlov commented Jan 20, 2018
edited
Loading

Copy link
Copy Markdown
Contributor

Good to know.
Just for note -- LGTM.

@tiran tiran mentioned this pull request Jan 20, 2018
Closed
alex
alex reviewed Jan 22, 2018
View reviewed changes

@alex alex left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

Code looks fine, I have some API design concerns though.

@tiran tiran force-pushed the openssl_check_hostname branch 2 times, most recently from 2199b99 to e819fbd Compare January 23, 2018 11:17
tiran added 7 commits January 26, 2018 15:27
@tiran
bpo-31399: Let OpenSSL verify hostname and IP
f289cab 
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.

Signed-off-by: Christian Heimes <christian@python.org>
@tiran
Remove match_hostname calls
9dbf5f7 
Signed-off-by: Christian Heimes <christian@python.org>
@tiran
Document host flags
802807d 
Signed-off-by: Christian Heimes <christian@python.org>
@tiran
Check for libssl with set1_host
bb1f7aa 
libssl must provide X509_VERIFY_PARAM_set1_host()

Signed-off-by: Christian Heimes <christian@python.org>
@tiran
bpo-31399: Add documentation for OpenSSL 1.0.2 requirement
a48ae16 
Signed-off-by: Christian Heimes <christian@python.org>
@tiran
bpo-31399: Only expose useful hostflags
1e8b4ab 
Remove all hostflags except for NO_PARTIAL_WILDCARDS and
NEVER_CHECK_SUBJECT. The other flags aren't that useful at the moment.

Don't support OpenSSL special mode with a leading dot, e.g.
".example.org" matches "www.example.org". It's not standard conform.

Signed-off-by: Christian Heimes <christian@python.org>
@tiran
Replace SSLContext.host_flags
845c149 
Host flags are now in internal API. Public API is a new attribute
hostname_checks_common_name.

Signed-off-by: Christian Heimes <christian@python.org>
@tiran tiran force-pushed the openssl_check_hostname branch from e819fbd to 845c149 Compare January 26, 2018 15:35
@tiran tiran merged commit 61d478c into python:master Jan 27, 2018
@bedevere-bot

bedevere-bot commented Jan 27, 2018

Copy link
Copy Markdown

@tiran: Please replace # with GH- in the commit message next time. Thanks!

@tiran tiran deleted the openssl_check_hostname branch January 27, 2018 14:51
@asottile

asottile commented Apr 27, 2018

Copy link
Copy Markdown
Contributor

Running into this patch on travis-ci as ubuntu trusty ships with openssl 1.0.1 -- this patch causes python3.7 to build without _ssl support on trusty. See also:

I agree that the patch is the right move going forward 👍, figured I'd post this here for visibility though.

@awarecan awarecan mentioned this pull request Feb 26, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex alex alex approved these changes

@1st1 1st1

@asvetlov asvetlov asvetlov approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@tiran @1st1 @asvetlov @bedevere-bot @asottile @alex @Mariatta @the-knights-who-say-ni