
bpo-32185: Don't send IP in SNI TLS extension by tiran · Pull Request #4938 · python/cpython

Conversation

@tiran tiran mentioned this pull request

Dec 20, 2017

@tiran

Note: I don't care about platforms that have an outdated, severely vulnerable version of OpenSSL. Upstream has stopped support for OpenSSL < 1.0.2 a year ago. The extra code with inet_pton() covers ancient CentOS and Ubuntu boxes. Other platforms must update OpenSSL.

The SSL module no longer sends IP addresses in the SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.

Signed-off-by: Christian Heimes <christian@python.org>

@tiran

PR #3462 contains a simplified fix for 3.7. I can just use OpenSSL 1.0.2 features to detect whether a hostname is an IP address. For 3.6 and earlier a backport of this PR is required.
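The inet_pton-based check the comment above refers to, as an added illustration rather than code from this PR or from CPython: an IP literal passes `inet_pton`, so it must be left out of the SNI extension (RFC 6066 allows only DNS host names there). The bracket and IPv6 zone-id handling is an assumption added here, beyond the bare `inet_pton` test the comment describes.

```python
import socket


def is_ip_literal(host: str) -> bool:
    """Return True if host parses as an IPv4 or IPv6 address.

    Uses socket.inet_pton(), which is strict: "1.2.3" is rejected, unlike
    the lenient inet_aton().  Assumption (not from the PR): URL-style
    brackets "[::1]" and a zone id such as "fe80::1%eth0" are stripped
    before testing, since inet_pton() does not accept either.
    """
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    host = host.split("%", 1)[0]
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except (OSError, ValueError):
            # OSError: not a valid address for this family;
            # ValueError: embedded NUL byte or similar malformed input.
            continue
    return False


def sni_server_name(server_hostname):
    """Return the name to send in SNI, or None to omit the extension.

    A DNS name is passed through unchanged; an IP literal (or no name at
    all) yields None, matching the behaviour the PR title describes.
    """
    if server_hostname is None or is_ip_literal(server_hostname):
        return None
    return server_hostname
```

Hostname verification is unaffected: the certificate check still runs against the IP literal, only the ClientHello no longer carries it.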

@tiran

The patch no longer applies to 3.7 and master because I addressed the issue together with X509 check hostname patch. I'm filing separate PRs for 3.6 and 2.7.

@tiran tiran deleted the bpo-32185-sni-ip branch

February 24, 2018 23:51
