
Find a replacement for deprecated ssl.match_hostname #368

Closed
jlaine opened this issue Apr 2, 2023 · 2 comments

jlaine commented Apr 2, 2023

When connecting to a server, we rely on the standard library's `ssl.match_hostname` method to check that the certificate presented by the server is valid for the hostname we connected to. However, this method has been deprecated since Python 3.7, so we need to find a suitable replacement.

So far I have found:

  • urllib3 vendors this method into its code. This does seem like a great option as it puts the burden of maintaining a critical piece of code on us.
  • OpenSSL has an X509_check_host method. AFAICT this is not accessible from pyOpenSSL.
@GalaxySnail
I found service-identity, which is mentioned in trio's documentation; it may be helpful.

jlaine commented Jul 4, 2023

> I found service-identity, which is mentioned in trio's documentation; it may be helpful.

Thank you very much, this looks like exactly what we want!

jlaine added a commit to jlaine/aioquic that referenced this issue Jul 5, 2023
The standard library's `ssl.match_hostname` method was marked as
deprecated in Python 3.10. Rather than implementing this critical piece
of code ourselves, make use of the Python Cryptographic Authority's
`service-identity` package.

One notable behaviour change is that validation is performed *only*
against the `subjectAltName` extension instead of the `commonName`. This
is the same behaviour as web browsers use.
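To make the behaviour change in the commit message concrete, here is an added illustration (not code from aioquic or from service-identity) of hostname matching over the dict shape that `ssl.SSLSocket.getpeercert()` returns and that the deprecated `ssl.match_hostname` consumed: by default only `subjectAltName` is consulted, and an `allow_cn_fallback` flag reproduces the old `commonName` fallback for comparison. The function names and both sample certificates are constructed for this example.

```python
import ipaddress

# Constructed sample data in the getpeercert() dict shape.
# The CN deliberately differs from the SAN entries so the two policies diverge.
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.com"),),)}  # no SAN extension


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: a wildcard must be the entire leftmost
    label, may not span a dot (*.example.com does not match a.b.example.com)
    and may not be so broad that it covers a whole TLD (*.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
            return False
        return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""
    return p == h


def verify_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Return True if cert is valid for hostname.

    Default policy: subjectAltName only, as in the commit above and in browsers.
    allow_cn_fallback=True reproduces the legacy rule of consulting commonName
    only when the certificate carries no DNS SAN entries at all.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP-ID: compare parsed addresses, never strings
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:  # a SAN with DNS names is authoritative; CN is ignored
        return any(_dns_match(name, hostname) for name in dns_names)
    if allow_cn_fallback:
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        return any(_dns_match(cn, hostname) for cn in cns)
    return False
```

A certificate that only carries its name in `commonName` is rejected under the default policy, which is exactly the case operators may hit after upgrading.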
@jlaine jlaine closed this as completed in b097478 Jul 5, 2023