[proxy] github.com← back | site home | direct (HTTPS) ↗ | proxy home | ◑ dark◐ light
/ cpython Public

Conversation

Copy link
Member

tiran commented Dec 20, 2017
edited by bedevere-bot
Loading

The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue32185

tiran added needs backport to 2.7 type-bug An unexpected behavior, bug, or error labels Dec 20, 2017
tiran mentioned this pull request Dec 20, 2017
Closed
Copy link
Member Author

tiran commented Dec 20, 2017

Note: I don't care about platforms that have an outdated, severely vulnerable version of OpenSSL. Upstream has stopped support for OpenSSL < 1.0.2 a year ago. The extra code with inet_pton() covers ancient CentOS and Ubuntu boxes. Other platforms must update OpenSSL.

bpo-32185: Don't send IP in SNI TLS extension
39e519e 
The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.

Signed-off-by: Christian Heimes <christian@python.org>
Copy link
Member Author

tiran commented Jan 20, 2018

PR #3462 contains a simplified fix for 3.7. I can just use OpenSSL 1.0.2 features to detect whether a hostname is an IP address. For 3.6 and earlier a backport of this PR is required.

Copy link
Member Author

tiran commented Feb 24, 2018

The patch no longer applies to 3.7 and master because I addressed the issue together with X509 check hostname patch. I'm filing separate PRs for 3.6 and 2.7.

tiran closed this Feb 24, 2018
tiran deleted the bpo-32185-sni-ip branch February 24, 2018 23:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

awaiting merge type-bug An unexpected behavior, bug, or error

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants