Issue #19785: smtplib now supports SSLContext.check_hostname and server name

indication for TLS/SSL connections.

Issue #19785: smtplib now supports SSLContext.check_hostname and server name
indication for TLS/SSL connections.
a5768f72 · Christian Heimes · 216d463b · a5768f72 · a5768f72 · a5768f72
Kaydet (Commit) a5768f72 authored Ara 02, 2013 tarafından Christian Heimes
Hide whitespace changes
Inline Side-by-side

Showing with 45 additions and 6 deletions

smtplib.rst Doc/library/smtplib.rst +9 -0

smtplib.py Lib/smtplib.py +7 -2

test_smtpnet.py Lib/test/test_smtpnet.py +26 -4

NEWS Misc/NEWS +3 -0

No files found.
--- a/Doc/library/smtplib.rst
+++ b/Doc/library/smtplib.rst
@@ -90,6 +90,10 @@ Protocol) and :rfc:`1869` (SMTP Service Extensions).
   .. versionchanged:: 3.3
      source_address argument was added.
+   .. versionchanged:: 3.4
+      The class now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 .. class:: LMTP(host='', port=LMTP_PORT, local_hostname=None, source_address=None)
@@ -316,6 +320,11 @@ An :class:`SMTP` instance has the following methods:
   .. versionchanged:: 3.3
      *context* was added.
+   .. versionchanged:: 3.4
+      The method now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
 .. method:: SMTP.sendmail(from_addr, to_addrs, msg, mail_options=[], rcpt_options=[])

--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -232,6 +232,7 @@ class SMTP:
        will be used.
        """
+        self._host = host
        self.timeout = timeout
        self.esmtp_features = {}
        self.source_address = source_address
@@ -667,7 +668,9 @@ class SMTP:
            if context is None:
                context = ssl._create_stdlib_context(certfile=certfile,
                                                     keyfile=keyfile)
-            self.sock = context.wrap_socket(self.sock)
+            server_hostname = self._host if ssl.HAS_SNI else None
+            self.sock = context.wrap_socket(self.sock,
+                                            server_hostname=server_hostname)
            self.file = None
            # RFC 3207:
            # The client MUST discard any knowledge obtained from
@@ -892,7 +895,9 @@ if _have_ssl:
                print('connect:', (host, port), file=stderr)
            new_socket = socket.create_connection((host, port), timeout,
                    self.source_address)
-            new_socket = self.context.wrap_socket(new_socket)
+            server_hostname = self._host if ssl.HAS_SNI else None
+            new_socket = self.context.wrap_socket(new_socket,
+                                                  server_hostname=server_hostname)
            return new_socket
    __all__.append("SMTP_SSL")

--- a/Lib/test/test_smtpnet.py
+++ b/Lib/test/test_smtpnet.py
@@ -3,23 +3,35 @@
 import unittest
 from test import support
 import smtplib
+import socket
 ssl = support.import_module("ssl")
 support.requires("network")
+def check_ssl_verifiy(host, port):
+    context = ssl.create_default_context()
+    with socket.create_connection((host, port)) as sock:
+        try:
+            sock = context.wrap_socket(sock, server_hostname=host)
+        except Exception:
+            return False
+        else:
+            sock.close()
+            return True
 class SmtpTest(unittest.TestCase):
    testServer = 'smtp.gmail.com'
    remotePort = 25
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    def test_connect_starttls(self):
        support.get_attribute(smtplib, 'SMTP_SSL')
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        with support.transient_internet(self.testServer):
            server = smtplib.SMTP(self.testServer, self.remotePort)
            try:
-                server.starttls(context=self.context)
+                server.starttls(context=context)
            except smtplib.SMTPException as e:
                if e.args[0] == 'STARTTLS extension not supported by server.':
                    unittest.skip(e.args[0])
@@ -32,7 +44,7 @@ class SmtpTest(unittest.TestCase):
 class SmtpSSLTest(unittest.TestCase):
    testServer = 'smtp.gmail.com'
    remotePort = 465
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    can_verify = check_ssl_verifiy(testServer, remotePort)
    def test_connect(self):
        support.get_attribute(smtplib, 'SMTP_SSL')
@@ -49,9 +61,19 @@ class SmtpSSLTest(unittest.TestCase):
            server.quit()
    def test_connect_using_sslcontext(self):
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        support.get_attribute(smtplib, 'SMTP_SSL')
+        with support.transient_internet(self.testServer):
+            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=context)
+            server.ehlo()
+            server.quit()
+    @unittest.skipUnless(can_verify, "SSL certificate can't be verified")
+    def test_connect_using_sslcontext_verified(self):
        support.get_attribute(smtplib, 'SMTP_SSL')
+        context = ssl.create_default_context()
        with support.transient_internet(self.testServer):
-            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=self.context)
+            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=context)
            server.ehlo()
            server.quit()

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------
+- Issue #19785: smtplib now supports SSLContext.check_hostname and server name
+  indication for TLS/SSL connections.
 - Issue #19784: poplib now supports SSLContext.check_hostname and server name
  indication for TLS/SSL connections.