bpo-32185: Don't send IP in SNI TLS extension #4938

Closed
tiran wants to merge 1 commit into python:master from tiran:bpo-32185-sni-ip

tiran commented Dec 20, 2017

The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.

Signed-off-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue32185

tiran commented Dec 20, 2017

Note: I don't care about platforms that have an outdated, severely vulnerable version of OpenSSL. Upstream has stopped support for OpenSSL < 1.0.2 a year ago. The extra code with inet_pton() covers ancient CentOS and Ubuntu boxes. Other platforms must update OpenSSL.

The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.

Signed-off-by: Christian Heimes <christian@python.org>
tiran commented Jan 20, 2018

PR #3462 contains a simplified fix for 3.7. I can just use OpenSSL 1.0.2 features to detect whether a hostname is an IP address. For 3.6 and earlier a backport of this PR is required.

tiran commented Feb 24, 2018

The patch no longer applies to 3.7 and master because I addressed the issue together with X509 check hostname patch. I'm filing separate PRs for 3.6 and 2.7.

tiran closed this Feb 24, 2018
tiran deleted the bpo-32185-sni-ip branch February 24, 2018 23:51
Labels: awaiting merge, type-bug