Message239834

| Field | Value |
|---|---|
| Author | nagle |
| Recipients | docs@python, nagle |
| Date | 2015-04-01 18:32:18 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1427913138.81.0.946174755254.issue23843@psf.upfronthosting.co.za> |
| In-reply-to | |
Content

ssl.wrap_socket() always uses the SSL certificate associated with the raw IP address, rather than using the server_host feature of TLS. Even when wrap_socket is used before calling "connect(port, host)", the "host" parameter isn't used by TLS.

To get proper TLS behavior (which only works in recent Python versions), it's necessary to create an SSLContext, then use

    context.wrap_socket(sock, server_hostname="example.com")

This behavior is backwards-compatible (the SSL module didn't talk TLS until very recently) but confusing. The documentation does not reflect this difference. There's a lot of old code and online advice which suggests using ssl.wrap_socket(). It works until you hit a virtual host with TLS support. Then you get the wrong server cert and an unexpected "wrong host" SSL error.

Possible fixes:

1. Deprecate ssl.wrap_socket(), and modify the documentation to tell users to always use context.wrap_socket().
2. Add a "server_hostname" parameter to ssl.wrap_socket(). It doesn't accept that parameter; only context.wrap_socket() does. Modify documentation accordingly.
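As an added example (not part of the report and not CPython's own code), here is the SSLContext form the message recommends, written so that the SNI name and the hostname check can be inspected before any connection is made. The host name is a constructed placeholder; the helper names are the example's own.

```python
"""Client-side TLS with SNI via ssl.SSLContext.

Added example for the report above; not code from the original message or
from CPython. Host names used here are constructed placeholders.
"""
import socket
import ssl
from typing import Optional


def make_tls_client_socket(host: str, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Wrap a not-yet-connected TCP socket with TLS, using `host` as the SNI name.

    context.wrap_socket(..., server_hostname=host) does two things the legacy
    ssl.wrap_socket() call could not: it sends the Server Name Indication
    extension, so a virtual host returns the certificate for `host` rather than
    the one tied to the bare IP address, and (because create_default_context()
    sets check_hostname=True) it verifies that certificate against `host`.
    The handshake itself is deferred until connect() is called on the result.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return ctx.wrap_socket(raw, server_hostname=host)


def describe(sock: ssl.SSLSocket) -> dict:
    """Report the settings that decide which certificate is requested and how it is checked."""
    return {
        "server_hostname": sock.server_hostname,          # the SNI name that will be sent
        "check_hostname": sock.context.check_hostname,    # cert CN/SAN must match server_hostname
        "verify_mode": sock.context.verify_mode.name,     # "CERT_REQUIRED" for a default context
    }


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Connect, complete the handshake with SNI, and return the verified peer certificate."""
    with make_tls_client_socket(host, cafile=cafile) as tls:
        tls.settimeout(10)
        tls.connect((host, port))   # handshake runs here; SNI = host, hostname verified
        return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration: show what the wrapped socket will send and check,
    # without opening a network connection. "example.com" is a placeholder.
    with make_tls_client_socket("example.com") as s:
        print(describe(s))
```

Calling connect() on the returned socket performs the handshake with `host` as the SNI name and raises ssl.SSLCertVerificationError if the presented certificate does not match it. The legacy ssl.wrap_socket() function was deprecated in Python 3.7 and removed in Python 3.12, so the context form is now the only one available.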

History

| Date | User | Action | Args |
|---|---|---|---|
| 2015-04-01 18:32:18 | nagle | set | recipients: + nagle, docs@python |
| 2015-04-01 18:32:18 | nagle | set | messageid: <1427913138.81.0.946174755254.issue23843@psf.upfronthosting.co.za> |
| 2015-04-01 18:32:18 | nagle | link | issue23843 messages |
| 2015-04-01 18:32:18 | nagle | create | |