authorVictor Stinner <vstinner@python.org>2022-06-24 15:45:28 (GMT)
committerGitHub <noreply@github.com>2022-06-24 15:45:28 (GMT)
commitf0b234e6ed83e810bd9844e744f5e22aa538a356 (patch)
tree7bfb542d0c120c3f48b1e607bd10185ad00718f6 /Lib/http
parente69306f08b9be84ccdd0a1c6601ec229c4e5b377 (diff)
gh-94172: urllib.request avoids deprecated check_hostname (#94193)
urllib.request no longer uses the deprecated check_hostname parameter of the http.client module. Add a private http.client._create_https_context() helper, used by urllib.request. Remove the now-redundant check on check_hostname and verify_mode in http.client: the SSLContext.check_hostname setter already implements the check.
Diffstat (limited to 'Lib/http')
-rw-r--r--Lib/http/client.py32
1 files changed, 17 insertions, 15 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py
index f54172f..4bef50e 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -786,6 +786,20 @@ class HTTPResponse(io.BufferedIOBase):
'''
return self.status
+
+def _create_https_context(http_version):
+ # Function also used by urllib.request to be able to set the check_hostname
+ # attribute on a context object.
+ context = ssl._create_default_https_context()
+ # send ALPN extension to indicate HTTP/1.1 protocol
+ if http_version == 11:
+ context.set_alpn_protocols(['http/1.1'])
+ # enable PHA for TLS 1.3 connections if available
+ if context.post_handshake_auth is not None:
+ context.post_handshake_auth = True
+ return context
+
+
class HTTPConnection:
_http_vsn = 11
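Review bot: `_create_https_context` has only an inline comment and no docstring, so the contract that urllib.request now depends on is unstated. A docstring such as `"""Return a default HTTPS SSLContext with ALPN set for http_version 11 and TLS 1.3 post-handshake auth enabled when available."""` would record that `http_version` is the integer form used by `_http_vsn` (11) and that any other value skips the ALPN call. It should also say that certificate and hostname verification are whatever `ssl._create_default_https_context()` returns, since the helper neither sets nor asserts `verify_mode` or `check_hostname`. Callers that need verification guaranteed have to check the returned context themselves.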
@@ -1418,19 +1432,9 @@ else:
self.key_file = key_file
self.cert_file = cert_file
if context is None:
- context = ssl._create_default_https_context()
- # send ALPN extension to indicate HTTP/1.1 protocol
- if self._http_vsn == 11:
- context.set_alpn_protocols(['http/1.1'])
- # enable PHA for TLS 1.3 connections if available
- if context.post_handshake_auth is not None:
- context.post_handshake_auth = True
- will_verify = context.verify_mode != ssl.CERT_NONE
- if check_hostname is None:
- check_hostname = context.check_hostname
- if check_hostname and not will_verify:
- raise ValueError("check_hostname needs a SSL context with "
- "either CERT_OPTIONAL or CERT_REQUIRED")
+ context = _create_https_context(self._http_vsn)
+ if check_hostname is not None:
+ context.check_hostname = check_hostname
if key_file or cert_file:
context.load_cert_chain(cert_file, key_file)
# cert and key file means the user wants to authenticate.
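Review bot: With the explicit `will_verify` test removed, the only guard against `check_hostname=True` on a context whose `verify_mode` is `ssl.CERT_NONE` is the setter invoked by `context.check_hostname = check_hostname`. As far as I know that setter (since Python 3.7) raises no ValueError and instead switches `verify_mode` to CERT_REQUIRED. That fails closed, but it changes behaviour for callers that relied on the ValueError, and a caller-supplied context is now modified before `load_cert_chain` runs rather than after. A comment on the assignment would help, e.g. `# the setter keeps check_hostname consistent with verify_mode and may change a caller-supplied context`, together with a test pinning the resulting `verify_mode`. The enclosing `__init__` starts and ends outside this hunk.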
@@ -1438,8 +1442,6 @@ else:
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
self._context = context
- if check_hostname is not None:
- self._context.check_hostname = check_hostname
def connect(self):
"Connect to a host on a given (SSL) port."