bpo-31399: Let OpenSSL verify hostname and IP address

[tiran]

Replace Python's custom ssl.match_hostname() with OpenSSL 1.0.2 APIs. The hostname or IP address are now verified by OpenSSL during the TLS handshake. A failure to verify the name results in a proper handshake abort with TLS Alert bad cert.

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue31399

[alex]

Mostly looks good, from a first skim

[alex]

I don't understand this comment

[tiran]

OpenSSL has no API to get hostflags from X509_VERIFY_PARAM. We have to maintain our own copy. I'll clarify the comment in my next push.

[alex]

Ahhh. Now I understand. I think "OpenSSL does not have an API for getting the hostflags from an X509_VERIFY_PARAM" would be clearer.

Also is there a bug/PR on OpenSSL for this we can link?

[alex]

Do we need X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS as well?

[tiran]

Thanks @alex

I have updated the comment for hostflaggs and created openssl/openssl#5061.

[tiran]

Blocked by #5180

@asvetlov @1st1 The PR touches asyncio. Please review the test changes.

[asvetlov]

asyncio test change is correct (but please update assertion as suggested)

[asvetlov]

Please use self.assertIsNone(proto.transport)

[tiran]

@asvetlov Thanks, I changed the assert as requested

I also forgot to remove the call to match_hostname. How should I handle the call in asyncio? If I remove it, the code will no worker be secure on 3.6.

[1st1]

I also forgot to remove the call to match_hostname. How should I handle the call in asyncio? If I remove it, the code will no worker be secure on 3.6.

This change is for 3.7 only, right? If so just remove the call in the master branch. We no longer try to use asyncio CPython code with other CPython versions.

[tiran]

Yes, it's 3.7 only.

[tiran]

This branch is now based on PR #5242. Please review and ACK the other PR first.

[asvetlov]

Are there stoppers for the issue left?

[tiran]

@asvetlov No stoppers, I'm just waiting for a final review. The PR has changed a bit since @alex reviewed it. I have added more documentation and additional checks for LibreSSL.

[asvetlov]

Good to know.
Just for note -- LGTM.

[alex]

Code looks fine, I have some API design concerns though.

[alex]

"no longer used by TLS connections" or something?

[alex]

Do all of these need to be a public API?

I don't see a need to support things like partial wildcards or multi-label wildcards.

The previous implementation didn't support them, and I don't think expanding the public API like this is a good idea.

[tiran]

Partial wildcard matching is disabled by default. I have to expose the flag value so the getter can report the flag correctly:

>>> import ssl
>>> ssl.create_default_context().host_flags
<HostFlags.HOSTFLAG_NO_PARTIAL_WILDCARDS: 4>

I also like to add NEVER_CHECK_SUBJECT for urllib3, too.

I don't care about the other flags. I'm happy to remove them.

[alex]

Does this need to be a public API? I feel like we can set reasonable defaults that are applicable to everything.

[tiran]

I exposed the flag primary for urllib3/urllib3#497. urllib3 wants to disable CN support and require certificates with SAN fields.

[alex]

What if we just expose a single check_subject_hostname or something like that, instead of all these flags?

[tiran]

I'm ok with that, but I'm not 100% happy with the name.

• check_subject_cn
• check_common_name
• check_subject_common_name
• use_common_name
• check_only_san
• ...

I'm going to rename host_flags to _host_flags, keep all flags in _ssl and implement the flag in pure Python. That way we don't expose the API, but still have it available to implement other flags.

[alex]

Sounds good -- my desire is for us not to commit to a really broad API when we really want a tiny thing.

hostname_checks_common_name perhaps?

[tiran]

That's explicit, almost German. I like it :)

The feature is only available with OpenSSL 1.1.0+. How should I handle OpenSSL 1.0.2? Don't define the property at all or only implement readonly property + ssl.HAS_NEVER_CHECK_HOSTNAME?

[alex]

readonly + a constant makes sense to me

[tiran]

Done

I'm currently at a conference and will take care of proper documentation next week.

[alex]

Not sure this comment is needed here, since it's not acually referring to any code which exists

[bedevere-bot]

@tiran: Please replace # with GH- in the commit message next time. Thanks!

[asottile]

Running into this patch on travis-ci as ubuntu trusty ships with openssl 1.0.1 -- this patch causes python3.7 to build without _ssl support on trusty. See also:

• python3.7: _ssl module is not properly built (trusty) deadsnakes/issues#63
• https://twitter.com/llanga/status/989749795567775744

I agree that the patch is the right move going forward 👍, figured I'd post this here for visibility though.