bpo-31399: Let OpenSSL verify hostname and IP address by tiran · Pull Request #3462 · python/cpython
bpo-31399: [WIP] Let OpenSSL verify hostname and IP address
bpo-31399: Let OpenSSL verify hostname and IP address
1st1
approved these changes
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
libssl must provide X509_VERIFY_PARAM_set1_host() Signed-off-by: Christian Heimes <christian@python.org>
Signed-off-by: Christian Heimes <christian@python.org>
Remove all hostflags except for NO_PARTIAL_WILDCARDS and NEVER_CHECK_SUBJECT. The other flags aren't that useful at the moment. Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform. Signed-off-by: Christian Heimes <christian@python.org>
Host flags are now in internal API. Public API is a new attribute hostname_checks_common_name. Signed-off-by: Christian Heimes <christian@python.org>
alex
approved these changes