merge 2.7.9 release branch

Doc/library/httplib.rst

@@ -70,7 +70,7 @@ The module provides the following classes:
       *source_address* was added.
 
 
-.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address, context, check_hostname]]]]]])
+.. class:: HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address[, context]]]]]]])
 
    A subclass of :class:`HTTPConnection` that uses SSL for communication with
    secure servers.  Default port is ``443``.  If *context* is specified, it must
@@ -83,13 +83,6 @@ The module provides the following classes:
 
    Please read :ref:`ssl-security` for more information on best practices.
 
-   .. note::
-      If *context* is specified and has a :attr:`~ssl.SSLContext.verify_mode`
-      of either :data:`~ssl.CERT_OPTIONAL` or :data:`~ssl.CERT_REQUIRED`, then
-      by default *host* is matched against the host name(s) allowed by the
-      server's certificate.  If you want to change that behaviour, you can
-      explicitly set *check_hostname* to False.
-
    .. versionadded:: 2.0
 
    .. versionchanged:: 2.6
@@ -99,7 +92,7 @@ The module provides the following classes:
       *source_address* was added.
 
    .. versionchanged:: 2.7.9
-      *context* and *check_hostname* was added.
+      *context* was added.
 
       This class now performs all the necessary certificate and hostname checks
       by default. To revert to the previous, unverified, behavior

Lib/httplib.py

@@ -1191,23 +1191,16 @@ else:
 
         def __init__(self, host, port=None, key_file=None, cert_file=None,
                      strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
-                     source_address=None, context=None, check_hostname=None):
+                     source_address=None, context=None):
             HTTPConnection.__init__(self, host, port, strict, timeout,
                                     source_address)
             self.key_file = key_file
             self.cert_file = cert_file
             if context is None:
                 context = ssl._create_default_https_context()
-            will_verify = context.verify_mode != ssl.CERT_NONE
-            if check_hostname is None:
-                check_hostname = will_verify
-            elif check_hostname and not will_verify:
-                raise ValueError("check_hostname needs a SSL context with "
-                                 "either CERT_OPTIONAL or CERT_REQUIRED")
             if key_file or cert_file:
                 context.load_cert_chain(cert_file, key_file)
             self._context = context
-            self._check_hostname = check_hostname
 
         def connect(self):
             "Connect to a host on a given (SSL) port."
@@ -1221,13 +1214,6 @@ else:
 
             self.sock = self._context.wrap_socket(self.sock,
                                                   server_hostname=server_hostname)
-            if not self._context.check_hostname and self._check_hostname:
-                try:
-                    ssl.match_hostname(self.sock.getpeercert(), server_hostname)
-                except Exception:
-                    self.sock.shutdown(socket.SHUT_RDWR)
-                    self.sock.close()
-                    raise
 
     __all__.append("HTTPSConnection")
 

Lib/test/data/README

-This empty directory serves as destination for temporary files
-created by some tests.

Lib/test/test_httplib.py

@@ -639,18 +639,15 @@ class HTTPSTest(TestCase):
         server = self.make_server(CERT_fakehostname)
         context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
         context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
         context.load_verify_locations(CERT_fakehostname)
         h = httplib.HTTPSConnection('localhost', server.port, context=context)
         with self.assertRaises(ssl.CertificateError):
             h.request('GET', '/')
-        # Same with explicit check_hostname=True
-        h = httplib.HTTPSConnection('localhost', server.port, context=context,
-                                   check_hostname=True)
-        with self.assertRaises(ssl.CertificateError):
-            h.request('GET', '/')
-        # With check_hostname=False, the mismatching is ignored
-        h = httplib.HTTPSConnection('localhost', server.port, context=context,
-                                   check_hostname=False)
+        h.close()
+        # With context.check_hostname=False, the mismatching is ignored
+        context.check_hostname = False
+        h = httplib.HTTPSConnection('localhost', server.port, context=context)
         h.request('GET', '/nonexistent')
         resp = h.getresponse()
         self.assertEqual(resp.status, 404)

Lib/urllib2.py

@@ -139,10 +139,10 @@ def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
             )
         if not _have_ssl:
             raise ValueError('SSL support not available')
-        context = ssl._create_stdlib_context(cert_reqs=ssl.CERT_REQUIRED,
+        context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                              cafile=cafile,
                                              capath=capath)
-        https_handler = HTTPSHandler(context=context, check_hostname=True)
+        https_handler = HTTPSHandler(context=context)
         opener = build_opener(https_handler)
     elif context:
         https_handler = HTTPSHandler(context=context)
@@ -1231,14 +1231,13 @@ class HTTPHandler(AbstractHTTPHandler):
 if hasattr(httplib, 'HTTPS'):
     class HTTPSHandler(AbstractHTTPHandler):
 
-        def __init__(self, debuglevel=0, context=None, check_hostname=None):
+        def __init__(self, debuglevel=0, context=None):
             AbstractHTTPHandler.__init__(self, debuglevel)
             self._context = context
-            self._check_hostname = check_hostname
 
         def https_open(self, req):
             return self.do_open(httplib.HTTPSConnection, req,
-                context=self._context, check_hostname=self._check_hostname)
+                context=self._context)
 
         https_request = AbstractHTTPHandler.do_request_
 

Misc/NEWS

@@ -58,6 +58,9 @@ What's New in Python 2.7.9?
 Library
 -------
 
+- Issue #22959: Remove the *check_hostname* parameter of
+  httplib.HTTPSConnection. The *context* parameter should be used instead.
+
 - Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
   will return. This resolves CVE-2013-1753.