Issue #19782: imaplib now supports SSLContext.check_hostname and server name

indication for TLS/SSL connections.

Issue #19782: imaplib now supports SSLContext.check_hostname and server name
indication for TLS/SSL connections.
48aae579 · Christian Heimes · 0c924b83 · 48aae579 · 48aae579 · 48aae579
Commit 48aae579 authored Dec 02, 2013 by Christian Heimes
Showing with 43 additions and 4 deletions

Doc/library/imaplib.rst Doc/library/imaplib.rst +8 -0

Lib/imaplib.py Lib/imaplib.py +6 -2

Lib/test/test_imaplib.py Lib/test/test_imaplib.py +26 -2

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Doc/library/imaplib.rst
+++ b/Doc/library/imaplib.rst
@@ -80,6 +80,10 @@ There's also a subclass for secure connections:
   .. versionchanged:: 3.3
      *ssl_context* parameter added.

+   .. versionchanged:: 3.4
+      The class now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).

 The second subclass allows for connections created by a child process:

@@ -437,6 +441,10 @@ An :class:`IMAP4` instance has the following methods:

   .. versionadded:: 3.2

+   .. versionchanged:: 3.4
+      The method now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).

 .. method:: IMAP4.status(mailbox, names)


--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -745,7 +745,9 @@ class IMAP4:
            ssl_context = ssl._create_stdlib_context()
        typ, dat = self._simple_command(name)
        if typ == 'OK':
-            self.sock = ssl_context.wrap_socket(self.sock)
+            server_hostname = self.host if ssl.HAS_SNI else None
+            self.sock = ssl_context.wrap_socket(self.sock,
+                                                server_hostname=server_hostname)
            self.file = self.sock.makefile('rb')
            self._tls_established = True
            self._get_capabilities()
@@ -1216,7 +1218,9 @@ if HAVE_SSL:

        def _create_socket(self):
            sock = IMAP4._create_socket(self)
-            return self.ssl_context.wrap_socket(sock)
+            server_hostname = self.host if ssl.HAS_SNI else None
+            return self.ssl_context.wrap_socket(sock,
+                                                server_hostname=server_hostname)

        def open(self, host='', port=IMAP4_SSL_PORT):
            """Setup connection to remote server on "host:port".

--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -20,6 +20,7 @@ except ImportError:
    ssl = None

 CERTFILE = None
+CAFILE = None


 class TestImaplib(unittest.TestCase):
@@ -348,6 +349,25 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
    server_class = SecureTCPServer
    imap_class = IMAP4_SSL

+    @reap_threads
+    def test_ssl_verified(self):
+        ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        ssl_context.check_hostname = True
+        ssl_context.load_verify_locations(CAFILE)
+
+        with self.assertRaisesRegex(ssl.CertificateError,
+                                    "hostname '127.0.0.1' doesn't match 'localhost'"):
+            with self.reaped_server(SimpleIMAPHandler) as server:
+                client = self.imap_class(*server.server_address,
+                                         ssl_context=ssl_context)
+                client.shutdown()
+
+        with self.reaped_server(SimpleIMAPHandler) as server:
+            client = self.imap_class("localhost", server.server_address[1],
+                                     ssl_context=ssl_context)
+            client.shutdown()
+

 class RemoteIMAPTest(unittest.TestCase):
    host = 'cyrus.andrew.cmu.edu'
@@ -460,11 +480,15 @@ def load_tests(*args):

    if support.is_resource_enabled('network'):
        if ssl:
-            global CERTFILE
+            global CERTFILE, CAFILE
            CERTFILE = os.path.join(os.path.dirname(__file__) or os.curdir,
-                                    "keycert.pem")
+                                    "keycert3.pem")
            if not os.path.exists(CERTFILE):
                raise support.TestFailed("Can't read certificate files!")
+            CAFILE = os.path.join(os.path.dirname(__file__) or os.curdir,
+                                 "pycacert.pem")
+            if not os.path.exists(CAFILE):
+                raise support.TestFailed("Can't read CA file!")
        tests.extend([
            ThreadedNetworkedTests, ThreadedNetworkedTestsSSL,
            RemoteIMAPTest, RemoteIMAP_SSLTest, RemoteIMAP_STARTTLSTest,

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------

+- Issue #19782: imaplib now supports SSLContext.check_hostname and server name
+  indication for TLS/SSL connections.
+
 - Issue #19834: Support unpickling of exceptions pickled by Python 2.

 - Issue #19781: ftplib now supports SSLContext.check_hostname and server name