bpo-43522: Fix SSLContext.hostname_checks_common_name (GH-24899)

[tiran]

Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from struct SSL_CTX to struct SSL.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue43522

[pquentin]

Thank you, both the reproducer and the urllib3 test suite run fine with this change!

[tiran]

The fix has landed in OpenSSL 3.0.0 and is flagged for backport to 1.1.1.

[pquentin]

Thanks! Should we mention in the docs that the flag had no effect until now?

[tiran]

Thanks! Should we mention in the docs that the flag had no effect until now?

Something like this? I'll adjust the versionchanged to 3.8.9 and 3.9.3 in backports.

  .. versionchanged:: 3.10

     The flag had no effect with OpenSSL 1.1.1k and older.

[pquentin]

Yes, that would be perfect. That way we'll know for what Python and OpenSSL combinations this flag will be safe to use.

There's one thing I don't understand: is it enough to have either the CPython and OpenSSL fixes, or do we need both?

[tiran]

The workaround in this PR is only necessary for OpenSSL 1.1.1k and older. 1.1.1l and 3.0.0 are going to copy the flag correctly without the workaround.

#if ... OPENSSL_VERSION < 0x101010cf

>>> chr(0xc + ord('a') - 1)
'l'

[miss-islington]

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9.
🐍🍒⛏🤖

[miss-islington]

Sorry, @tiran, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker b467d9a24011992242c95d9157d3455f8a84466b 3.9

[miss-islington]

Sorry @tiran, I had trouble checking out the 3.8 backport branch.
Please backport using cherry_picker on command line.
cherry_picker b467d9a24011992242c95d9157d3455f8a84466b 3.8

[bedevere-bot]

GH-25451 is a backport of this pull request to the 3.9 branch.

[bedevere-bot]

GH-25452 is a backport of this pull request to the 3.8 branch.