remove HTTPSConnection's check_hostname parameter (#22959)

diff --git a/Doc/library/httplib.rst b/Doc/library/httplib.rst
index b659fd0970e335fabe63b932ab622194a6ea2aa4..354edb234df76dd0cd366328f41e5c7740544f6e 100644 (file)
--- a/Doc/library/httplib.rst
+++ b/Doc/library/httplib.rst
@@ -70,7 +70,7 @@ The module provides the following classes:
       *source_address* was added.
 
 
-.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address, context, check_hostname]]]]]])
+.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address[, context]]]]]]])
 
    A subclass of :class:`HTTPConnection` that uses SSL for communication with
    secure servers.  Default port is ``443``.  If *context* is specified, it must
@@ -83,13 +83,6 @@ The module provides the following classes:
 
    Please read :ref:`ssl-security` for more information on best practices.
 
-   .. note::
-      If *context* is specified and has a :attr:`~ssl.SSLContext.verify_mode`
-      of either :data:`~ssl.CERT_OPTIONAL` or :data:`~ssl.CERT_REQUIRED`, then
-      by default *host* is matched against the host name(s) allowed by the
-      server's certificate.  If you want to change that behaviour, you can
-      explicitly set *check_hostname* to False.
-
    .. versionadded:: 2.0
 
    .. versionchanged:: 2.6
@@ -99,7 +92,7 @@ The module provides the following classes:
       *source_address* was added.
 
    .. versionchanged:: 2.7.9
-      *context* and *check_hostname* was added.
+      *context* was added.
 
       This class now performs all the necessary certificate and hostname checks
       by default. To revert to the previous, unverified, behavior

diff --git a/Lib/httplib.py b/Lib/httplib.py
index 7c2790685858dd6c380ebea7d54587b9bcaaa4ab..ec1dc8cd99f663b11f6c4e4fb23ecc01c823a380 100644 (file)
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -1187,23 +1187,16 @@ else:
 
         def __init__(self, host, port=None, key_file=None, cert_file=None,
                      strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
-                     source_address=None, context=None, check_hostname=None):
+                     source_address=None, context=None):
             HTTPConnection.__init__(self, host, port, strict, timeout,
                                     source_address)
             self.key_file = key_file
             self.cert_file = cert_file
             if context is None:
                 context = ssl._create_default_https_context()
-            will_verify = context.verify_mode != ssl.CERT_NONE
-            if check_hostname is None:
-                check_hostname = will_verify
-            elif check_hostname and not will_verify:
-                raise ValueError("check_hostname needs a SSL context with "
-                                 "either CERT_OPTIONAL or CERT_REQUIRED")
             if key_file or cert_file:
                 context.load_cert_chain(cert_file, key_file)
             self._context = context
-            self._check_hostname = check_hostname
 
         def connect(self):
             "Connect to a host on a given (SSL) port."
@@ -1217,13 +1210,6 @@ else:
 
             self.sock = self._context.wrap_socket(self.sock,
                                                   server_hostname=server_hostname)
-            if not self._context.check_hostname and self._check_hostname:
-                try:
-                    ssl.match_hostname(self.sock.getpeercert(), server_hostname)
-                except Exception:
-                    self.sock.shutdown(socket.SHUT_RDWR)
-                    self.sock.close()
-                    raise
 
     __all__.append("HTTPSConnection")
 

diff --git a/Lib/test/data/README b/Lib/test/data/README
deleted file mode 100644 (file)
index 8bf8c9b..0000000
--- a/Lib/test/data/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This empty directory serves as destination for temporary files
-created by some tests.

diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 3e7a57e7f09b9fd1253c15452f487d45753dd26c..d3e6fcedadd8afac64ec395a47e5fe9fd98311e5 100644 (file)
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -616,18 +616,15 @@ class HTTPSTest(TestCase):
         server = self.make_server(CERT_fakehostname)
         context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
         context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
         context.load_verify_locations(CERT_fakehostname)
         h = httplib.HTTPSConnection('localhost', server.port, context=context)
         with self.assertRaises(ssl.CertificateError):
             h.request('GET', '/')
-        # Same with explicit check_hostname=True
-        h = httplib.HTTPSConnection('localhost', server.port, context=context,
-                                   check_hostname=True)
-        with self.assertRaises(ssl.CertificateError):
-            h.request('GET', '/')
-        # With check_hostname=False, the mismatching is ignored
-        h = httplib.HTTPSConnection('localhost', server.port, context=context,
-                                   check_hostname=False)
+        h.close()
+        # With context.check_hostname=False, the mismatching is ignored
+        context.check_hostname = False
+        h = httplib.HTTPSConnection('localhost', server.port, context=context)
         h.request('GET', '/nonexistent')
         resp = h.getresponse()
         self.assertEqual(resp.status, 404)

diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 78b08fc56d45c9b082290de1d5fe5d9bd59e9c35..9277b1d1cdc89cb9d99892b6dc783b90b5c7ce7e 100644 (file)
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -139,10 +139,10 @@ def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
             )
         if not _have_ssl:
             raise ValueError('SSL support not available')
-        context = ssl._create_stdlib_context(cert_reqs=ssl.CERT_REQUIRED,
+        context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                              cafile=cafile,
                                              capath=capath)
-        https_handler = HTTPSHandler(context=context, check_hostname=True)
+        https_handler = HTTPSHandler(context=context)
         opener = build_opener(https_handler)
     elif context:
         https_handler = HTTPSHandler(context=context)
@@ -1231,14 +1231,13 @@ class HTTPHandler(AbstractHTTPHandler):
 if hasattr(httplib, 'HTTPS'):
     class HTTPSHandler(AbstractHTTPHandler):
 
-        def __init__(self, debuglevel=0, context=None, check_hostname=None):
+        def __init__(self, debuglevel=0, context=None):
             AbstractHTTPHandler.__init__(self, debuglevel)
             self._context = context
-            self._check_hostname = check_hostname
 
         def https_open(self, req):
             return self.do_open(httplib.HTTPSConnection, req,
-                context=self._context, check_hostname=self._check_hostname)
+                context=self._context)
 
         https_request = AbstractHTTPHandler.do_request_
 

diff --git a/Misc/NEWS b/Misc/NEWS
index 5e7a79564177739bcd9459235482dd45f7a6fe70..f471ed32b201a8f1ca93dde575fecf1088334090 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.9?
 Library
 -------
 
+- Issue #22959: Remove the *check_hostname* parameter of
+  httplib.HTTPSConnection. The *context* parameter should be used instead.
+
 - Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
   will return. This resolves CVE-2013-1753.