bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
Signed-off-by: Christian Heimes <christian@python.org>
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index d2b257e..951f969 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -964,6 +964,11 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
_setSSLError(NULL, 0, __FILE__, __LINE__);
return NULL;
}
+ /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
+ X509_VERIFY_PARAM *ssl_params = SSL_get0_param(self->ssl);
+ X509_VERIFY_PARAM_set_hostflags(ssl_params, sslctx->hostflags);
+#endif
SSL_set_app_data(self->ssl, self);
if (sock) {
SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
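Review bot: The added `#if` tests `OPENSSL_VERSION`, which as far as I know is the selector constant for `OpenSSL_version()` (defined as 0 in `<openssl/crypto.h>`) rather than the library version number, so `OPENSSL_VERSION < 0x101010cf` is true on every non-LibreSSL build. The hostflags copy therefore always runs; that fails in the safe direction for hostname verification, but the guard does not do what the comment above it says. If the version cutoff is intended, the line should read `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x101010cf`; otherwise drop the version test and reword the comment to say the flags are always copied. No test is visible here that checks a CN-only certificate is rejected when `hostname_checks_common_name` is false, which would pin the fix. The body of newPySSLSocket starts and ends outside this hunk.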