bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)

Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. Signed-off-by: Christian Heimes <christian@python.org>
2025-08-04 00:48:58 +00:00 · 2021-04-17 10:07:19 +02:00 · 2021-04-17 10:07:19 +02:00 · b467d9a240
commit b467d9a240
parent cfaa2d338b
18 changed files with 997 additions and 709 deletions
--- a/Lib/test/make_ssl_certs.py
+++ b/Lib/test/make_ssl_certs.py
@ -7,6 +7,9 @@ import shutil
 import tempfile
 from subprocess import *

+startdate = "20180829142316Z"
+enddate = "20371028142316Z"
+
 req_template = """
    [ default ]
    base_url               = http://testca.pythontest.net/testca
@ -21,6 +24,8 @@ req_template = """
    O                      = Python Software Foundation
    CN                     = {hostname}

+    [req_x509_extensions_nosan]
+
    [req_x509_extensions_simple]
    subjectAltName         = @san

@ -70,8 +75,12 @@ req_template = """
    database  = $dir/index.txt
    crlnumber = $dir/crl.txt
    default_md = sha256
-    default_days = 3600
-    default_crl_days = 3600
+    startdate = {startdate}
+    default_startdate = {startdate}
+    enddate = {enddate}
+    default_enddate = {enddate}
+    default_days = 7000
+    default_crl_days = 7000
    certificate = pycacert.pem
    private_key = pycakey.pem
    serial    = $dir/serial
@ -116,10 +125,15 @@ def make_cert_key(hostname, sign=False, extra_san='',
            tempnames.append(f.name)
    req_file, cert_file, key_file = tempnames
    try:
-        req = req_template.format(hostname=hostname, extra_san=extra_san)
+        req = req_template.format(
+            hostname=hostname,
+            extra_san=extra_san,
+            startdate=startdate,
+            enddate=enddate
+        )
        with open(req_file, 'w') as f:
            f.write(req)
-        args = ['req', '-new', '-days', '3650', '-nodes',
+        args = ['req', '-new', '-nodes', '-days', '7000',
                '-newkey', key, '-keyout', key_file,
                '-extensions', ext,
                '-config', req_file]
@ -168,19 +182,30 @@ def make_ca():
        f.write("00")
    with open(os.path.join('cadir','index.txt.attr'),'w+') as f:
        f.write('unique_subject = no')
+    # random start value for serial numbers
+    with open(os.path.join('cadir','serial'), 'w') as f:
+        f.write('CB2D80995A69525B\n')

    with tempfile.NamedTemporaryFile("w") as t:
-        t.write(req_template.format(hostname='our-ca-server', extra_san=''))
+        req = req_template.format(
+            hostname='our-ca-server',
+            extra_san='',
+            startdate=startdate,
+            enddate=enddate
+        )
+        t.write(req)
        t.flush()
        with tempfile.NamedTemporaryFile() as f:
-            args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes',
-                    '-newkey', 'rsa:3072', '-keyout', 'pycakey.pem',
+            args = ['req', '-config', t.name, '-new',
+                    '-nodes',
+                    '-newkey', 'rsa:3072',
+                    '-keyout', 'pycakey.pem',
                    '-out', f.name,
                    '-subj', '/C=XY/L=Castle Anthrax/O=Python Software Foundation CA/CN=our-ca-server']
            check_call(['openssl'] + args)
-            args = ['ca', '-config', t.name, '-create_serial',
+            args = ['ca', '-config', t.name,
                    '-out', 'pycacert.pem', '-batch', '-outdir', TMP_CADIR,
-                    '-keyfile', 'pycakey.pem', '-days', '3650',
+                    '-keyfile', 'pycakey.pem',
                    '-selfsign', '-extensions', 'v3_ca', '-infiles', f.name ]
            check_call(['openssl'] + args)
            args = ['ca', '-config', t.name, '-gencrl', '-out', 'revocation.crl']
@ -223,18 +248,18 @@ if __name__ == '__main__':
        f.write(key)
        f.write(cert)

-    cert, key = make_cert_key('localhost', True)
+    cert, key = make_cert_key('localhost', sign=True)
    with open('keycert3.pem', 'w') as f:
        f.write(key)
        f.write(cert)

-    cert, key = make_cert_key('fakehostname', True)
+    cert, key = make_cert_key('fakehostname', sign=True)
    with open('keycert4.pem', 'w') as f:
        f.write(key)
        f.write(cert)

    cert, key = make_cert_key(
-        'localhost-ecc', True, key='param:secp384r1.pem'
+        'localhost-ecc', sign=True, key='param:secp384r1.pem'
    )
    with open('keycertecc.pem', 'w') as f:
        f.write(key)
@ -254,7 +279,7 @@ if __name__ == '__main__':
        'RID.1 = 1.2.3.4.5',
    ]

-    cert, key = make_cert_key('allsans', extra_san='\n'.join(extra_san))
+    cert, key = make_cert_key('allsans', sign=True, extra_san='\n'.join(extra_san))
    with open('allsans.pem', 'w') as f:
        f.write(key)
        f.write(cert)
@ -271,11 +296,16 @@ if __name__ == '__main__':
    ]

    # IDN SANS, signed
-    cert, key = make_cert_key('idnsans', True, extra_san='\n'.join(extra_san))
+    cert, key = make_cert_key('idnsans', sign=True, extra_san='\n'.join(extra_san))
    with open('idnsans.pem', 'w') as f:
        f.write(key)
        f.write(cert)

+    cert, key = make_cert_key('nosan', sign=True, ext='req_x509_extensions_nosan')
+    with open('nosan.pem', 'w') as f:
+        f.write(key)
+        f.write(cert)
+
    unmake_ca()
    print("update Lib/test/test_ssl.py and Lib/test/test_asyncio/util.py")
    print_cert('keycert.pem')