Fix assert_hostname=False (#3055)

Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
urllib3 · Jun 2, 2023 · 52d2eb1 · 52d2eb1
1 parent bfbd47e
commit 52d2eb1
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/changelog/3051.bugfix.rst b/changelog/3051.bugfix.rst
@@ -0,0 +1 @@
+Fixed `assert_hostname=False` to correctly skip hostname check.
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
@@ -741,6 +741,8 @@ def _ssl_wrap_socket_and_match_hostname(
         # `ssl` can't verify fingerprints or alternate hostnames
         assert_fingerprint
         or assert_hostname
+        # assert_hostname can be set to False to disable hostname checking
+        or assert_hostname is False
         # We still support OpenSSL 1.0.2, which prevents us from verifying
         # hostnames easily: https://github.com/pyca/pyopenssl/pull/933
         or ssl_.IS_PYOPENSSL

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -1117,6 +1117,32 @@ def test_hostname_checks_common_name_respected(
                 err.reason.args[0], (ssl.SSLCertVerificationError, CertificateError)
             )
 
+    def test_assert_hostname_invalid_san(
+        self, no_localhost_san_server: ServerConfig
+    ) -> None:
+        """Ensure SAN errors are not raised while assert_hostname is false"""
+        with HTTPSConnectionPool(
+            no_localhost_san_server.host,
+            no_localhost_san_server.port,
+            cert_reqs="CERT_REQUIRED",
+            ca_certs=no_localhost_san_server.ca_certs,
+            assert_hostname=False,
+        ) as https_pool:
+            https_pool.request("GET", "/")
+
+    def test_assert_hostname_invalid_cn(
+        self, no_san_server_with_different_commmon_name: ServerConfig
+    ) -> None:
+        """Ensure CN errors are not raised while assert_hostname is false"""
+        with HTTPSConnectionPool(
+            no_san_server_with_different_commmon_name.host,
+            no_san_server_with_different_commmon_name.port,
+            cert_reqs="CERT_REQUIRED",
+            ca_certs=no_san_server_with_different_commmon_name.ca_certs,
+            assert_hostname=False,
+        ) as https_pool:
+            https_pool.request("GET", "/")
+
 
 class TestHTTPS_IPV4SAN:
     def test_can_validate_ip_san(self, ipv4_san_server: ServerConfig) -> None: