
ssl.wrap_socket doesn't handle virtual TLS hosts #68031

Closed
nagle mannequin opened this issue Apr 1, 2015 · 4 comments
Labels
docs Documentation in the Doc dir stdlib Python modules in the Lib dir

Comments

@nagle

nagle mannequin commented Apr 1, 2015

BPO 23843
Nosy @pitrou, @tiran, @alex, @dstufft

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2016-09-08.15:21:18.270>
created_at = <Date 2015-04-01.18:32:18.790>
labels = ['library', 'docs']
title = "ssl.wrap_socket doesn't handle virtual TLS hosts"
updated_at = <Date 2016-09-08.15:22:12.901>
user = 'https://bugs.python.org/nagle'

bugs.python.org fields:

activity = <Date 2016-09-08.15:22:12.901>
actor = 'giampaolo.rodola'
assignee = 'docs@python'
closed = True
closed_date = <Date 2016-09-08.15:21:18.270>
closer = 'christian.heimes'
components = ['Documentation', 'Library (Lib)']
creation = <Date 2015-04-01.18:32:18.790>
creator = 'nagle'
dependencies = []
files = []
hgrepos = []
issue_num = 23843
keywords = []
message_count = 4.0
messages = ['239834', '239866', '239887', '275044']
nosy_count = 7.0
nosy_names = ['janssen', 'nagle', 'pitrou', 'christian.heimes', 'alex', 'docs@python', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue23843'
versions = ['Python 3.6']

@nagle

nagle mannequin commented Apr 1, 2015

ssl.wrap_socket() always uses the SSL certificate associated with the raw IP address, rather than using the server_host feature of TLS. Even when wrap_socket is used before calling "connect(port, host)", the "host" parameter isn't used by TLS.

To get proper TLS behavior (which only works in recent Python versions), it's necessary to create an SSLContext, then use

context.wrap_socket(sock, server_hostname="example.com")

This behavior is backwards-compatible (the SSL module didn't talk TLS until very recently) but confusing. The documentation does not reflect this difference. There's a lot of old code and online advice which suggests using ssl.wrap_socket(). It works until you hit a virtual host with TLS support. Then you get the wrong server cert and an unexpected "wrong host" SSL error.

Possible fixes:

  1. Deprecate ssl.wrap_socket(), and modify the documentation to tell users to always use context.wrap_socket().

  2. Add a "server_hostname" parameter to ssl.wrap_socket(). It doesn't accept that parameter; only context.wrap_socket() does. Modify documentation accordingly.

@nagle nagle mannequin assigned docspython Apr 1, 2015
@nagle nagle mannequin added docs Documentation in the Doc dir stdlib Python modules in the Lib dir labels Apr 1, 2015
@pitrou

pitrou commented Apr 2, 2015

Not sure why you're using wrap_socket() directly. Most of the time you should be using a higher-level library instead (for example an HTTP(S) library).

In any case, the doc already mentions that "Starting from Python 3.2, it can be more flexible to use SSLContext.wrap_socket() instead".

I leave this open in case other people feel positively about it.

@nagle

nagle mannequin commented Apr 2, 2015

I'm using wrap_socket because I want to read the details of a server's SSL certificate.

"Starting from Python 3.2, it can be more flexible to use SSLContext.wrap_socket() instead" does not convey that ssl.wrap_socket() will fail to connect to some servers because it will silently check the wrong certificate.

@tiran

tiran commented Sep 8, 2016

ssl.wrap_socket() will be deprecated in 3.6. Please use a context. You can still inspect the server cert with a context. In fact ssl.wrap_socket() uses a context internally.
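
An added example, not code from this issue thread or from CPython, of what both nagle's report and tiran's reply point at: wrap the socket through an SSLContext with server_hostname so SNI is sent and the hostname check runs, then read the peer certificate with getpeercert(). SAMPLE_CERT is a constructed getpeercert()-shaped dict, and the helper names (fetch_peer_cert, cert_dns_names, name_matches, explain_mismatch) are this example's own; the name matcher goes a step beyond the thread by showing how a "wrong host" mismatch is diagnosed from the returned dict.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; it stands in
# for the default certificate a virtual host serves when the client sends no SNI.
SAMPLE_CERT = {
    "subject": ((("commonName", "default.example.net"),),),
    "subjectAltName": (("DNS", "default.example.net"), ("DNS", "*.example.net")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def fetch_peer_cert(host, port=443, timeout=5.0, cafile=None):
    """Connect with SNI and return the chain- and hostname-verified peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is what puts SNI on the wire; without it a virtual host
        # answers with its default certificate and the hostname check fails.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_dns_names(cert):
    """DNS names the cert is valid for: SAN dNSName entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """RFC 6125-style match: a single '*' only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def explain_mismatch(cert, host):
    """None if host is covered by cert, else a diagnostic for the 'wrong host' error."""
    names = cert_dns_names(cert)
    if any(name_matches(n, host) for n in names):
        return None
    return (f"certificate is for {names}, not {host!r}: check that the socket was "
            f"wrapped with server_hostname={host!r} so the server can pick the right vhost")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.python.org"
    cert = fetch_peer_cert(target)
    print(cert_dns_names(cert), explain_mismatch(cert, target))
```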

@tiran tiran closed this as completed Sep 8, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022