Still need to support hostname verification #1020
Comments
@njsmith Do we need to expose more than one interface to do this here or is one sufficient? If one, which one?
Well, I guess openssl technically exposes a bunch of different interfaces to control different pieces:
So I guess we could do anything from just exposing the raw openssl knobs and letting people do whatever they want, to a high-level The stdlib basically took the latter approach, and that's the last link in my references above.
The downside of both raw OpenSSL knobs and a high-level One way to fix the API design issue is to add a Footnotes
Also FWIW, here is the hostname logic we have in mitmproxy - it's pretty similar to the CPython one, but uses cryptography bindings instead.
Twisted is in the same spot as mitmproxy here, and I think for us we'd just like to have the OpenSSL APIs exposed fairly literally, just a
It looks like #795 got closed prematurely. #933 made it so that you can skip setting a verify callback, and use OpenSSL's built-in verification functionality. And OpenSSL's built-in verification functionality can now verify hostnames properly on all supported OpenSSL versions. But..... you still have to turn this feature on. And pyopenssl still doesn't expose the APIs to do that. So something like #796 is still needed.
References:
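For reference on what the hostname check discussed in this thread has to decide, here is a simplified sketch of matching a hostname against a certificate's subjectAltName entries. It is an added example, not code from pyOpenSSL, mitmproxy, CPython or OpenSSL; the function names, the wildcard policy and the sample SAN values are assumptions made for illustration, and hostnames are assumed to already be in ASCII (A-label) form.

```python
import ipaddress


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """Match one dNSName pattern against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False  # a wildcard never spans several labels or an empty one
    first, rest = p_labels[0], p_labels[1:]
    if "*" in "".join(rest):
        return False  # wildcard is only allowed in the left-most label
    if first == "*":
        # Policy choice in this sketch: require two fixed labels after the
        # wildcard, so a pattern such as "*.com" matches nothing.
        return len(rest) >= 2 and rest == h_labels[1:]
    if "*" in first:
        return False  # partial wildcards ("w*.example.com") are rejected here
    return p_labels == h_labels


def hostname_matches(san_dns, san_ips, hostname):
    """Check hostname against dNSName and iPAddress SAN entries.

    An IP literal is compared only with iPAddress entries, never with
    dNSName entries, even if a dNSName happens to contain the same text.
    """
    if _is_ip(hostname):
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in san_ips)
    return any(_dns_match(p, hostname) for p in san_dns)


# Constructed sample SAN contents (not taken from any real certificate).
SAN_DNS = ["example.com", "*.example.com"]
SAN_IPS = ["192.0.2.10"]
```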