ssl_support: Adjust to tunneling changes in Python 2.7.7 and 3.4.1.

The fix for https://bugs.python.org/issue7776 changed httplib.HTTPConnection's handling of tunneling: `host' now points to the proxy host, so we have to adjust the code to perform the certificate validation on `_tunnel_host' instead when it is available.

ssl_support: Adjust to tunneling changes in Python 2.7.7 and 3.4.1.
The fix for https://bugs.python.org/issue7776 changed httplib.HTTPConnection's handling of tunneling: `host' now points to the proxy host, so we have to adjust the code to perform the certificate validation on `_tunnel_host' instead when it is available.
bf0cecd7 · Raphael Kubo da Costa · 04ee0d93 · bf0cecd7
Commit bf0cecd7 authored Jul 03, 2014 by Raphael Kubo da Costa
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

setuptools/ssl_support.py setuptools/ssl_support.py +8 -1

No files found.
--- a/setuptools/ssl_support.py
+++ b/setuptools/ssl_support.py
@@ -178,12 +178,19 @@ class VerifyingHTTPSConn(HTTPSConnection):
        if hasattr(self, '_tunnel') and getattr(self, '_tunnel_host', None):
            self.sock = sock
            self._tunnel()
+            # http://bugs.python.org/issue7776: Python>=3.4.1 and >=2.7.7
+            # change self.host to mean the proxy server host when tunneling is
+            # being used. Adapt, since we are interested in the destination
+            # host for the match_hostname() comparison.
+            actual_host = self._tunnel_host
+        else:
+            actual_host = self.host

        self.sock = ssl.wrap_socket(
            sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=self.ca_bundle
        )
        try:
-            match_hostname(self.sock.getpeercert(), self.host)
+            match_hostname(self.sock.getpeercert(), actual_host)
        except CertificateError:
            self.sock.shutdown(socket.SHUT_RDWR)
            self.sock.close()