Kaydet (Commit) d532321f authored tarafından Antoine Pitrou's avatar Antoine Pitrou

Issue #5639: Add a *server_hostname* argument to `SSLContext.wrap_socket`

in order to support the TLS SNI extension.  `HTTPSConnection` and
`urlopen()` also use this argument, so that HTTPS virtual hosts are now
supported.
üst 4ebfdf01
...@@ -76,6 +76,10 @@ The module provides the following classes: ...@@ -76,6 +76,10 @@ The module provides the following classes:
.. versionchanged:: 3.2 .. versionchanged:: 3.2
*source_address*, *context* and *check_hostname* were added. *source_address*, *context* and *check_hostname* were added.
.. versionchanged:: 3.2
This class now supports HTTPS virtual hosts if possible (that is,
if :data:`ssl.HAS_SNI` is true).
.. class:: HTTPResponse(sock, debuglevel=0, strict=0, method=None, url=None) .. class:: HTTPResponse(sock, debuglevel=0, strict=0, method=None, url=None)
......
...@@ -338,6 +338,15 @@ Constants ...@@ -338,6 +338,15 @@ Constants
.. versionadded:: 3.2 .. versionadded:: 3.2
.. data:: HAS_SNI
Whether the OpenSSL library has built-in support for the *Server Name
Indication* extension to the SSLv3 and TLSv1 protocols (as defined in
:rfc:`4366`). When true, you can use the *server_hostname* argument to
:meth:`SSLContext.wrap_socket`.
.. versionadded:: 3.2
.. data:: OPENSSL_VERSION .. data:: OPENSSL_VERSION
The version string of the OpenSSL library loaded by the interpreter:: The version string of the OpenSSL library loaded by the interpreter::
...@@ -538,7 +547,9 @@ to speed up repeated connections from the same clients. ...@@ -538,7 +547,9 @@ to speed up repeated connections from the same clients.
when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
give the currently selected cipher. give the currently selected cipher.
.. method:: SSLContext.wrap_socket(sock, server_side=False, do_handshake_on_connect=True, suppress_ragged_eofs=True) .. method:: SSLContext.wrap_socket(sock, server_side=False, \
do_handshake_on_connect=True, suppress_ragged_eofs=True, \
server_hostname=None)
Wrap an existing Python socket *sock* and return an :class:`SSLSocket` Wrap an existing Python socket *sock* and return an :class:`SSLSocket`
object. The SSL socket is tied to the context, its settings and object. The SSL socket is tied to the context, its settings and
...@@ -546,6 +557,15 @@ to speed up repeated connections from the same clients. ...@@ -546,6 +557,15 @@ to speed up repeated connections from the same clients.
and *suppress_ragged_eofs* have the same meaning as in the top-level and *suppress_ragged_eofs* have the same meaning as in the top-level
:func:`wrap_socket` function. :func:`wrap_socket` function.
On client connections, the optional parameter *server_hostname* specifies
the hostname of the service which we are connecting to. This allows a
single server to host multiple SSL-based services with distinct certificates,
quite similarly to HTTP virtual hosts. Specifying *server_hostname*
will raise a :exc:`ValueError` if the OpenSSL library doesn't have support
for it (that is, if :data:`HAS_SNI` is :const:`False`). Specifying
*server_hostname* will also raise a :exc:`ValueError` if *server_side*
is true.
.. method:: SSLContext.session_stats() .. method:: SSLContext.session_stats()
Get statistics about the SSL sessions created or managed by this context. Get statistics about the SSL sessions created or managed by this context.
...@@ -937,3 +957,6 @@ not SSLv2. ...@@ -937,3 +957,6 @@ not SSLv2.
`RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile <http://www.ietf.org/rfc/rfc3280>`_ `RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile <http://www.ietf.org/rfc/rfc3280>`_
Housley et. al. Housley et. al.
`RFC 4366: Transport Layer Security (TLS) Extensions <http://www.ietf.org/rfc/rfc4366>`_
Blake-Wilson et. al.
...@@ -72,6 +72,10 @@ The :mod:`urllib.request` module defines the following functions: ...@@ -72,6 +72,10 @@ The :mod:`urllib.request` module defines the following functions:
.. versionchanged:: 3.2 .. versionchanged:: 3.2
*cafile* and *capath* were added. *cafile* and *capath* were added.
.. versionchanged:: 3.2
HTTPS virtual hosts are now supported if possible (that is, if
:data:`ssl.HAS_SNI` is true).
.. function:: install_opener(opener) .. function:: install_opener(opener)
Install an :class:`OpenerDirector` instance as the default global opener. Install an :class:`OpenerDirector` instance as the default global opener.
......
...@@ -1081,7 +1081,9 @@ else: ...@@ -1081,7 +1081,9 @@ else:
self.sock = sock self.sock = sock
self._tunnel() self._tunnel()
self.sock = self._context.wrap_socket(sock) server_hostname = self.host if ssl.HAS_SNI else None
self.sock = self._context.wrap_socket(sock,
server_hostname=server_hostname)
try: try:
if self._check_hostname: if self._check_hostname:
ssl.match_hostname(self.sock.getpeercert(), self.host) ssl.match_hostname(self.sock.getpeercert(), self.host)
......
...@@ -77,6 +77,7 @@ from _ssl import ( ...@@ -77,6 +77,7 @@ from _ssl import (
SSL_ERROR_EOF, SSL_ERROR_EOF,
SSL_ERROR_INVALID_ERROR_CODE, SSL_ERROR_INVALID_ERROR_CODE,
) )
from _ssl import HAS_SNI
from socket import getnameinfo as _getnameinfo from socket import getnameinfo as _getnameinfo
from socket import error as socket_error from socket import error as socket_error
...@@ -158,10 +159,12 @@ class SSLContext(_SSLContext): ...@@ -158,10 +159,12 @@ class SSLContext(_SSLContext):
def wrap_socket(self, sock, server_side=False, def wrap_socket(self, sock, server_side=False,
do_handshake_on_connect=True, do_handshake_on_connect=True,
suppress_ragged_eofs=True): suppress_ragged_eofs=True,
server_hostname=None):
return SSLSocket(sock=sock, server_side=server_side, return SSLSocket(sock=sock, server_side=server_side,
do_handshake_on_connect=do_handshake_on_connect, do_handshake_on_connect=do_handshake_on_connect,
suppress_ragged_eofs=suppress_ragged_eofs, suppress_ragged_eofs=suppress_ragged_eofs,
server_hostname=server_hostname,
_context=self) _context=self)
...@@ -176,6 +179,7 @@ class SSLSocket(socket): ...@@ -176,6 +179,7 @@ class SSLSocket(socket):
do_handshake_on_connect=True, do_handshake_on_connect=True,
family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
suppress_ragged_eofs=True, ciphers=None, suppress_ragged_eofs=True, ciphers=None,
server_hostname=None,
_context=None): _context=None):
if _context: if _context:
...@@ -202,7 +206,11 @@ class SSLSocket(socket): ...@@ -202,7 +206,11 @@ class SSLSocket(socket):
self.ssl_version = ssl_version self.ssl_version = ssl_version
self.ca_certs = ca_certs self.ca_certs = ca_certs
self.ciphers = ciphers self.ciphers = ciphers
if server_side and server_hostname:
raise ValueError("server_hostname can only be specified "
"in client mode")
self.server_side = server_side self.server_side = server_side
self.server_hostname = server_hostname
self.do_handshake_on_connect = do_handshake_on_connect self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs self.suppress_ragged_eofs = suppress_ragged_eofs
connected = False connected = False
...@@ -232,7 +240,8 @@ class SSLSocket(socket): ...@@ -232,7 +240,8 @@ class SSLSocket(socket):
if connected: if connected:
# create the SSL object # create the SSL object
try: try:
self._sslobj = self.context._wrap_socket(self, server_side) self._sslobj = self.context._wrap_socket(self, server_side,
server_hostname)
if do_handshake_on_connect: if do_handshake_on_connect:
timeout = self.gettimeout() timeout = self.gettimeout()
if timeout == 0.0: if timeout == 0.0:
...@@ -431,7 +440,7 @@ class SSLSocket(socket): ...@@ -431,7 +440,7 @@ class SSLSocket(socket):
if self._sslobj: if self._sslobj:
raise ValueError("attempt to connect already-connected SSLSocket!") raise ValueError("attempt to connect already-connected SSLSocket!")
socket.connect(self, addr) socket.connect(self, addr)
self._sslobj = self.context._wrap_socket(self, False) self._sslobj = self.context._wrap_socket(self, False, self.server_hostname)
try: try:
if self.do_handshake_on_connect: if self.do_handshake_on_connect:
self.do_handshake() self.do_handshake()
......
...@@ -89,6 +89,7 @@ class BasicSocketTests(unittest.TestCase): ...@@ -89,6 +89,7 @@ class BasicSocketTests(unittest.TestCase):
ssl.CERT_NONE ssl.CERT_NONE
ssl.CERT_OPTIONAL ssl.CERT_OPTIONAL
ssl.CERT_REQUIRED ssl.CERT_REQUIRED
self.assertIn(ssl.HAS_SNI, {True, False})
def test_random(self): def test_random(self):
v = ssl.RAND_status() v = ssl.RAND_status()
...@@ -277,6 +278,12 @@ class BasicSocketTests(unittest.TestCase): ...@@ -277,6 +278,12 @@ class BasicSocketTests(unittest.TestCase):
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
def test_server_side(self):
# server_hostname doesn't work for server sockets
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
sock = socket.socket()
self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
server_hostname="some.hostname")
class ContextTests(unittest.TestCase): class ContextTests(unittest.TestCase):
...@@ -441,6 +448,14 @@ class NetworkedTests(unittest.TestCase): ...@@ -441,6 +448,14 @@ class NetworkedTests(unittest.TestCase):
self.assertEqual({}, s.getpeercert()) self.assertEqual({}, s.getpeercert())
finally: finally:
s.close() s.close()
# Same with a server hostname
s = ctx.wrap_socket(socket.socket(socket.AF_INET),
server_hostname="svn.python.org")
if ssl.HAS_SNI:
s.connect(("svn.python.org", 443))
s.close()
else:
self.assertRaises(ValueError, s.connect, ("svn.python.org", 443))
# This should fail because we have no verification certs # This should fail because we have no verification certs
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
s = ctx.wrap_socket(socket.socket(socket.AF_INET)) s = ctx.wrap_socket(socket.socket(socket.AF_INET))
...@@ -1500,6 +1515,7 @@ def test_main(verbose=False): ...@@ -1500,6 +1515,7 @@ def test_main(verbose=False):
print("test_ssl: testing with %r %r" % print("test_ssl: testing with %r %r" %
(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)) (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
print(" under %s" % plat) print(" under %s" % plat)
print(" HAS_SNI = %r" % ssl.HAS_SNI)
for filename in [ for filename in [
CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE, CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
......
...@@ -9,6 +9,10 @@ import socket ...@@ -9,6 +9,10 @@ import socket
import urllib.error import urllib.error
import urllib.request import urllib.request
import sys import sys
try:
import ssl
except ImportError:
ssl = None
TIMEOUT = 60 # seconds TIMEOUT = 60 # seconds
...@@ -278,13 +282,34 @@ class TimeoutTest(unittest.TestCase): ...@@ -278,13 +282,34 @@ class TimeoutTest(unittest.TestCase):
self.assertEqual(u.fp.fp.raw._sock.gettimeout(), 60) self.assertEqual(u.fp.fp.raw._sock.gettimeout(), 60)
@unittest.skipUnless(ssl, "requires SSL support")
class HTTPSTests(unittest.TestCase):
def test_sni(self):
# Checks that Server Name Indication works, if supported by the
# OpenSSL linked to.
# The ssl module itself doesn't have server-side support for SNI,
# so we rely on a third-party test site.
expect_sni = ssl.HAS_SNI
with support.transient_internet("bob.sni.velox.ch"):
u = urllib.request.urlopen("https://bob.sni.velox.ch/")
contents = u.readall()
if expect_sni:
self.assertIn(b"Great", contents)
self.assertNotIn(b"Unfortunately", contents)
else:
self.assertNotIn(b"Great", contents)
self.assertIn(b"Unfortunately", contents)
def test_main(): def test_main():
support.requires("network") support.requires("network")
support.run_unittest(AuthTests, support.run_unittest(AuthTests,
OtherNetworkTests, HTTPSTests,
CloseSocketTest, OtherNetworkTests,
TimeoutTest, CloseSocketTest,
) TimeoutTest,
)
if __name__ == "__main__": if __name__ == "__main__":
test_main() test_main()
...@@ -43,6 +43,11 @@ Core and Builtins ...@@ -43,6 +43,11 @@ Core and Builtins
Library Library
------- -------
- Issue #5639: Add a *server_hostname* argument to ``SSLContext.wrap_socket``
in order to support the TLS SNI extension. ``HTTPSConnection`` and
``urlopen()`` also use this argument, so that HTTPS virtual hosts are now
supported.
- Issue #10166: Avoid recursion in pstats Stats.add() for many stats items. - Issue #10166: Avoid recursion in pstats Stats.add() for many stats items.
- Issue #10163: Skip unreadable registry keys during mimetypes - Issue #10163: Skip unreadable registry keys during mimetypes
......
...@@ -281,7 +281,8 @@ _setSSLError (char *errstr, int errcode, char *filename, int lineno) { ...@@ -281,7 +281,8 @@ _setSSLError (char *errstr, int errcode, char *filename, int lineno) {
static PySSLSocket * static PySSLSocket *
newPySSLSocket(SSL_CTX *ctx, PySocketSockObject *sock, newPySSLSocket(SSL_CTX *ctx, PySocketSockObject *sock,
enum py_ssl_server_or_client socket_type) enum py_ssl_server_or_client socket_type,
char *server_hostname)
{ {
PySSLSocket *self; PySSLSocket *self;
...@@ -305,6 +306,11 @@ newPySSLSocket(SSL_CTX *ctx, PySocketSockObject *sock, ...@@ -305,6 +306,11 @@ newPySSLSocket(SSL_CTX *ctx, PySocketSockObject *sock,
SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY); SSL_set_mode(self->ssl, SSL_MODE_AUTO_RETRY);
#endif #endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (server_hostname != NULL)
SSL_set_tlsext_host_name(self->ssl, server_hostname);
#endif
/* If the socket is in non-blocking mode or timeout mode, set the BIO /* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default) * to non-blocking mode (blocking is the default)
*/ */
...@@ -1711,16 +1717,37 @@ load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds) ...@@ -1711,16 +1717,37 @@ load_verify_locations(PySSLContext *self, PyObject *args, PyObject *kwds)
static PyObject * static PyObject *
context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds) context_wrap_socket(PySSLContext *self, PyObject *args, PyObject *kwds)
{ {
char *kwlist[] = {"sock", "server_side", NULL}; char *kwlist[] = {"sock", "server_side", "server_hostname", NULL};
PySocketSockObject *sock; PySocketSockObject *sock;
int server_side = 0; int server_side = 0;
char *hostname = NULL;
PyObject *hostname_obj, *res;
if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i:_wrap_socket", kwlist, /* server_hostname is either None (or absent), or to be encoded
using the idna encoding. */
if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!i|O!:_wrap_socket", kwlist,
PySocketModule.Sock_Type, PySocketModule.Sock_Type,
&sock, &server_side)) &sock, &server_side,
Py_TYPE(Py_None), &hostname_obj)) {
PyErr_Clear();
if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!iet:_wrap_socket", kwlist,
PySocketModule.Sock_Type,
&sock, &server_side,
"idna", &hostname))
return NULL;
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
PyMem_Free(hostname);
PyErr_SetString(PyExc_ValueError, "server_hostname is not supported "
"by your OpenSSL library");
return NULL; return NULL;
#endif
}
return (PyObject *) newPySSLSocket(self->ctx, sock, server_side); res = (PyObject *) newPySSLSocket(self->ctx, sock, server_side,
hostname);
if (hostname != NULL)
PyMem_Free(hostname);
return res;
} }
static PyObject * static PyObject *
...@@ -2090,6 +2117,14 @@ PyInit__ssl(void) ...@@ -2090,6 +2117,14 @@ PyInit__ssl(void)
PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3); PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1); PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
r = Py_True;
#else
r = Py_False;
#endif
Py_INCREF(r);
PyModule_AddObject(m, "HAS_SNI", r);
/* OpenSSL version */ /* OpenSSL version */
/* SSLeay() gives us the version of the library linked against, /* SSLeay() gives us the version of the library linked against,
which could be different from the headers version. which could be different from the headers version.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment