Replace SSLContext.host_flags

Host flags are now in internal API. Public API is a new attribute
hostname_checks_common_name.

Signed-off-by: Christian Heimes <[email protected]>

Author: tiran

Doc/library/ssl.rst

@@ -593,26 +593,6 @@ Constants
    be passed, either to :meth:`SSLContext.load_verify_locations` or as a
    value of the ``ca_certs`` parameter to :func:`wrap_socket`.
 
-.. class:: HostFlags
-
-   :class:`enum.IntFlag` collection of all hostname verification flags for
-   :attr:`SSLContext.host_flags`
-
-   .. versionadded:: 3.7
-
-.. attribute:: HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS
-
-   Dont' support wildcard certificate with partial matches, e.g.
-   ``www*.example.org``.
-
-.. attribute:: HostFlags.HOSTFLAG_NEVER_CHECK_SUBJECT
-
-   Ignore subject CN even if the certificate has no subject alternative
-   name extension.
-
-   .. note:: The flag is not available when the ssl module is compiled
-      with OpenSSL 1.0.2 or LibreSSL.
-
 .. class:: VerifyMode
 
    :class:`enum.IntEnum` collection of CERT_* constants.
@@ -877,6 +857,14 @@ Constants
 
    .. versionadded:: 3.5
 
+.. data:: HAS_NEVER_CHECK_COMMON_NAME
+
+   Whether the OpenSSL library has built-in support not checking subject
+   common name and :attr:`SSLContext.hostname_checks_common_name` is
+   writeable.
+
+   .. versionadded:: 3.7
+
 .. data:: HAS_ECDH
 
    Whether the OpenSSL library has built-in support for Elliptic Curve-based
@@ -1763,13 +1751,17 @@ to speed up repeated connections from the same clients.
    The protocol version chosen when constructing the context.  This attribute
    is read-only.
 
-.. attribute:: SSLContext.host_flags
+.. attribute:: SSLContext.hostname_checks_common_name
 
-   The flags for validating host names. By default
-   :data:`HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS` is set.
+   Whether :attr:`~SSLContext.check_hostname` falls back to verify the cert's
+   subject common name in the absence of a subject alternative name
+   extension (default: true).
 
    .. versionadded:: 3.7
 
+   .. note::
+      Only writeable with OpenSSL 1.1.0 or higher.
+
 .. attribute:: SSLContext.verify_flags
 
    The flags for certificate verification operations. You can set flags like

Lib/ssl.py

@@ -148,11 +148,6 @@
     lambda name: name.startswith('CERT_'),
     source=_ssl)
 
-_IntFlag._convert(
-    'HostFlags', __name__,
-    lambda name: name.startswith('HOSTFLAG_'),
-    source=_ssl)
-
 PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS
 _PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()}
 
@@ -176,6 +171,8 @@
 else:
     CHANNEL_BINDING_TYPES = []
 
+HAS_NEVER_CHECK_COMMON_NAME = hasattr(_ssl, 'HOSTFLAG_NEVER_CHECK_SUBJECT')
+
 
 # Disable weak or insecure ciphers by default
 # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
@@ -475,13 +472,22 @@ def options(self):
     def options(self, value):
         super(SSLContext, SSLContext).options.__set__(self, value)
 
-    @property
-    def host_flags(self):
-        return HostFlags(super().host_flags)
+    if hasattr(_ssl, 'HOSTFLAG_NEVER_CHECK_SUBJECT'):
+        @property
+        def hostname_checks_common_name(self):
+            ncs = self._host_flags & _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT
+            return ncs != _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT
 
-    @host_flags.setter
-    def host_flags(self, value):
-        super(SSLContext, SSLContext).host_flags.__set__(self, value)
+        @hostname_checks_common_name.setter
+        def hostname_checks_common_name(self, value):
+            if value:
+                self._host_flags &= ~_ssl.HOSTFLAG_NEVER_CHECK_SUBJECT
+            else:
+                self._host_flags |= _ssl.HOSTFLAG_NEVER_CHECK_SUBJECT
+    else:
+        @property
+        def hostname_checks_common_name(self):
+            return True
 
     @property
     def verify_flags(self):

Lib/test/test_ssl.py

@@ -988,6 +988,19 @@ def test_verify_mode_protocol(self):
         self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
         self.assertTrue(ctx.check_hostname)
 
+    def test_hostname_checks_common_name(self):
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        self.assertTrue(ctx.hostname_checks_common_name)
+        if ssl.HAS_NEVER_CHECK_COMMON_NAME:
+            ctx.hostname_checks_common_name = True
+            self.assertTrue(ctx.hostname_checks_common_name)
+            ctx.hostname_checks_common_name = False
+            self.assertFalse(ctx.hostname_checks_common_name)
+            ctx.hostname_checks_common_name = True
+            self.assertTrue(ctx.hostname_checks_common_name)
+        else:
+            with self.assertRaises(AttributeError):
+                ctx.hostname_checks_common_name = True
 
     @unittest.skipUnless(have_verify_flags(),
                          "verify_flags need OpenSSL > 0.9.8")

Misc/NEWS.d/next/Library/2017-09-08-14-05-33.bpo-31399.FtBrrt.rst

@@ -1 +1,4 @@
-Let OpenSSL verify hostname and IP addressw
+The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
+X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. Subject
+common name fallback can be disabled with
+SSLContext.hostname_checks_common_name.

Modules/_ssl.c

@@ -4185,8 +4185,8 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
 static PyGetSetDef context_getsetlist[] = {
     {"check_hostname", (getter) get_check_hostname,
                        (setter) set_check_hostname, NULL},
-    {"host_flags", (getter) get_host_flags,
-                   (setter) set_host_flags, NULL},
+    {"_host_flags", (getter) get_host_flags,
+                    (setter) set_host_flags, NULL},
     {"options", (getter) get_options,
                 (setter) set_options, NULL},
     {"verify_flags", (getter) get_verify_flags,
@@ -5574,12 +5574,30 @@ PyInit__ssl(void)
                             SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+    PyModule_AddIntConstant(m, "HOSTFLAG_ALWAYS_CHECK_SUBJECT",
+                            X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT);
+#endif
 #ifdef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
     PyModule_AddIntConstant(m, "HOSTFLAG_NEVER_CHECK_SUBJECT",
                             X509_CHECK_FLAG_NEVER_CHECK_SUBJECT);
 #endif
+#ifdef X509_CHECK_FLAG_NO_WILDCARDS
+    PyModule_AddIntConstant(m, "HOSTFLAG_NO_WILDCARDS",
+                            X509_CHECK_FLAG_NO_WILDCARDS);
+#endif
+#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
     PyModule_AddIntConstant(m, "HOSTFLAG_NO_PARTIAL_WILDCARDS",
                             X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+#endif
+#ifdef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+    PyModule_AddIntConstant(m, "HOSTFLAG_MULTI_LABEL_WILDCARDS",
+                            X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS);
+#endif
+#ifdef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+    PyModule_AddIntConstant(m, "HOSTFLAG_SINGLE_LABEL_SUBDOMAINS",
+                            X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS);
+#endif
 
 #if HAVE_SNI
     r = Py_True;