diff options
| author | Benjamin Peterson <benjamin@python.org> | 2014-12-07 18:18:25 (GMT) |
|---|---|---|
| committer | Benjamin Peterson <benjamin@python.org> | 2014-12-07 18:18:25 (GMT) |
| commit | a090f01bb63d73382e6e65b0364047c50afae5c2 (patch) | |
| tree | 7d51bda9c589d72eeada9f24e2fd20acc965a4e5 /Lib | |
| parent | b92fd01189c74c76a70ecf24d723d2f5c0ffc5b9 (diff) | |
| download | cpython-a090f01bb63d73382e6e65b0364047c50afae5c2.zip cpython-a090f01bb63d73382e6e65b0364047c50afae5c2.tar.gz cpython-a090f01bb63d73382e6e65b0364047c50afae5c2.tar.bz2 | |
HTTPSConnection: prefer the context's check_hostname attribute over the constructor parameter (#22959)
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/http/client.py | 4 | ||||
| -rw-r--r-- | Lib/test/test_httplib.py | 14 |
2 files changed, 16 insertions, 2 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py index 281e7f2..c0760dd 100644 --- a/Lib/http/client.py +++ b/Lib/http/client.py @@ -1210,8 +1210,8 @@ else: context = ssl._create_default_https_context() will_verify = context.verify_mode != ssl.CERT_NONE if check_hostname is None: - check_hostname = will_verify - elif check_hostname and not will_verify: + check_hostname = context.check_hostname + if check_hostname and not will_verify: raise ValueError("check_hostname needs a SSL context with " "either CERT_OPTIONAL or CERT_REQUIRED") if key_file or cert_file: diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index 933e5c4..49d767d 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -882,6 +882,7 @@ class HTTPSTest(TestCase): server = self.make_server(CERT_fakehostname) context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = True context.load_verify_locations(CERT_fakehostname) h = client.HTTPSConnection('localhost', server.port, context=context) with self.assertRaises(ssl.CertificateError): @@ -892,11 +893,24 @@ class HTTPSTest(TestCase): with self.assertRaises(ssl.CertificateError): h.request('GET', '/') # With check_hostname=False, the mismatching is ignored + context.check_hostname = False h = client.HTTPSConnection('localhost', server.port, context=context, check_hostname=False) h.request('GET', '/nonexistent') resp = h.getresponse() self.assertEqual(resp.status, 404) + # The context's check_hostname setting is used if one isn't passed to + # HTTPSConnection. + context.check_hostname = False + h = client.HTTPSConnection('localhost', server.port, context=context) + h.request('GET', '/nonexistent') + self.assertEqual(h.getresponse().status, 404) + # Passing check_hostname to HTTPSConnection should override the + # context's setting. + h = client.HTTPSConnection('localhost', server.port, context=context, + check_hostname=True) + with self.assertRaises(ssl.CertificateError): + h.request('GET', '/') @unittest.skipIf(not hasattr(client, 'HTTPSConnection'), 'http.client.HTTPSConnection not available') |