[issue27391] server_hostname should only be required when checking host names

2017-09-17 Thread Jim Fulton
Jim Fulton added the comment: OMG, >1year. :) This was always a minor issue. I still think the current asyncio behavior is dumb, but whatever. FWIW, I tripped on this when adding SSL support to ZEO, which is a client-server *database* protocol used by ZODB, having nothing to do with the Web

[issue27391] server_hostname should only be required when checking host names

2017-09-16 Thread Christian Heimes
Christian Heimes added the comment: So it's not a problem with the SSL module but rather in asyncio. From the initial report it was not clear to me that it only affects asyncio. I'm not sure this issue should be fixed at all. As I explained earlier, a hostname is required for both hostname ver

[issue27391] server_hostname should only be required when checking host names

2017-09-15 Thread Krzysztof Warunek
Krzysztof Warunek added the comment: The case appears in asyncio's create_connection. Actually it's a known thing https://github.com/python/cpython/blob/3.6/Lib/asyncio/base_events.py#L699, a workaround mentioned (same as Jim has pointed) is used widely. It seems reasonable at first sight to "fi

[issue27391] server_hostname should only be required when checking host names

2017-09-07 Thread Christian Heimes
Christian Heimes added the comment: Jim, yes I agree. As a matter of fact, the ssl module also agrees with you and has behaved like that for a while. I cannot reproduce the problem with either 2.7, 3.5, or 3.6. I have attached a demo script. check_hostname = True * server_hostname='www.python.or

[issue27391] server_hostname should only be required when checking host names

2016-09-16 Thread Guido van Rossum
Changes by Guido van Rossum : -- nosy: -gvanrossum

[issue27391] server_hostname should only be required when checking host names

2016-09-16 Thread Jim Fulton
Jim Fulton added the comment: I'm not ignoring anything AFAICT. There are applications where server hostname isn't useful (no virtual hosts, client has server's public key). I'm not positive we're disagreeing, so let me put this another way. 1. If the given SSL context has check_hostname set

[issue27391] server_hostname should only be required when checking host names

2016-09-16 Thread Christian Heimes
Christian Heimes added the comment: You are still ignoring my remarks about TLS SNI. :) Python uses server_hostname for two different but related parts of the TLS/SSL. 1) When server_hostname is set, the client sends the hostname to the server during the TLS handshake in the ClientHello messag

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread Jim Fulton
Jim Fulton added the comment: SSL is used for more than just HTTP. There are applications in which clients have server public keys that they use to authenticate servers rather than using certificate authorities. For these applications, server host names are irrelevant. This is why it makes se

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread STINNER Victor
Changes by STINNER Victor : -- nosy: -haypo

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread Yury Selivanov
Yury Selivanov added the comment: > It's a bad idea. I thought so too :) I was actually going to ask you to review this request. In any case, feel free to close this issue.

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread Christian Heimes
Christian Heimes added the comment: It's a bad idea. An increasing amount of web servers require a TLS SNI extension. I'd rather make server_hostname a required argument for all client-side SSL sockets -- no matter how check_hostname is configured.

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread Yury Selivanov
Yury Selivanov added the comment: > The feature is pretty much required these days. We have the feature. What Jim was asking is to make server_hostname argument optional when check_hostname is False in the ssl context

[issue27391] server_hostname should only be required when checking host names

2016-09-15 Thread Christian Heimes
Christian Heimes added the comment: server_hostname is also required for SNI (server name indicator). Virtual hosting depends on the feature. Without SNI TLS extension you'll end up on the wrong vhost or the web server sends you the wrong certificate. The feature is pretty much required these

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Jim Fulton
Jim Fulton added the comment: OK, sure, I'll make a PR.

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Jim Fulton
Jim Fulton added the comment: No need to apologize! My capitulation was just due to the fact that this isn't a big deal. (My tone probably came across as cranky; sorry) WRT backward compatibility, I suspect that there's a bit of wiggle here between loop implementations and I doubt this would

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Yury Selivanov
Yury Selivanov added the comment: > SSL contexts, https://docs.python.org/3/library/ssl.html#ssl-contexts, have an attribute, check_hostname, which controls whether hostname checking is required. If set to false in a context passed to create_connection, then it makes no sense to require server_

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread R. David Murray
R. David Murray added the comment: Sorry, I've been having trouble communicating on this ticket. I thought I'd posted an apology but I don't see it...I wonder where I did post it? Bad morning :(. Anyway, create_connection was what I was asking for. Reading the docs, I, at least, agree with

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Jim Fulton
Jim Fulton added the comment: Consider this a suggestion. Do with it what you will. I'm closing this as I don't want to spend more time on it other than creating a PR if requested. -- status: open -> closed

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Jim Fulton
Jim Fulton added the comment: I'm not sure I understand your question. The documentation for create_connection, https://docs.python.org/3/library/asyncio-eventloop.html#creating-connections states that server_hostname is required if the host is empty. (I'm generalizing "empty" to include None

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread R. David Murray
R. David Murray added the comment: You still haven't told me what you are passing the context to that objects to not having server_hostname. I suppose the asyncio experts would know immediately, so I should probably just leave it to them...or wait for your PR.

[issue27391] server_hostname should only be required when checking host names

2016-06-29 Thread Jim Fulton
Jim Fulton added the comment: It's not a bug, it's a misfeature, IMO. If you pass an SSL context and either don't pass a hostname or pass an empty string, then server_hostname is required, even if check_hostname is false for the context. The fix is trivial. I'd be happy to provide a PR.

[issue27391] server_hostname should only be required when checking host names

2016-06-26 Thread R. David Murray
R. David Murray added the comment: (To clarify: I haven't used the ssl interface enough for it to be obvious to me where the bug is.)

[issue27391] server_hostname should only be required when checking host names

2016-06-26 Thread R. David Murray
R. David Murray added the comment: Where is it required? -- nosy: +r.david.murray

[issue27391] server_hostname should only be required when checking host names

2016-06-26 Thread Jim Fulton
New submission from Jim Fulton: If the given ssl context has check_hostname set to False, then the server_hostname shouldn't be required. -- components: asyncio messages: 269292 nosy: gvanrossum, haypo, j1m, yselivanov priority: normal severity: normal status: open title: server_hostnam