[Buildroot] [PATCH] python-backports-ssl-match-hostname: new package

Yegor Yefremov yegorslists at googlemail.com
Wed Apr 20 09:58:07 UTC 2016


On Wed, Apr 20, 2016 at 11:28 AM, Thomas Petazzoni
<thomas.petazzoni at free-electrons.com> wrote:
> Hello,
>
> On Wed, 20 Apr 2016 11:22:54 +0200, yegorslists at googlemail.com wrote:
>> From: Yegor Yefremov <yegorslists at googlemail.com>
>>
>> Fixes #8856
>
> Are you sure this is sufficient to fix the bug? Doesn't python-tornado
> also need to select this new package when Python 2 is used?

Both Python 2 and 3 implement ssl.match_hostname(cert, hostname) [1].

backports.ssl_match_hostname 3.5.0.1 introduces some enhancements made
in 3.5. See its history:

History
-------

* This function was introduced in python-3.2
* It was updated for python-3.4a1 for a CVE
(backports-ssl_match_hostname-3.4.0.1)
* It was updated from RFC2818 to RFC 6125 compliance in order to fix another
security flaw for python-3.3.3 and python-3.4a5
(backports-ssl_match_hostname-3.4.0.2)
* It was updated in python-3.5 to handle IPAddresses in ServerAltName fields
(something that backports.ssl_match_hostname will do if you also install the
ipaddress library from pypi).

Tornado has the following logic to decide when to import
backports.ssl_match_hostname:

if hasattr(ssl, 'match_hostname') and hasattr(ssl, 'CertificateError'):  # python 3.2+
    ssl_match_hostname = ssl.match_hostname
    SSLCertificateError = ssl.CertificateError
elif ssl is None:
    ssl_match_hostname = SSLCertificateError = None
else:
    import backports.ssl_match_hostname
    ssl_match_hostname = backports.ssl_match_hostname.match_hostname
    SSLCertificateError = backports.ssl_match_hostname.CertificateError

So if the user wants to use ssl.match_hostname, he must select
Python's SSL support.

Turns out that this package can be used only if the user imports it directly.

[1] https://docs.python.org/2.7/library/ssl.html
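
Added example, not part of the original message and not the code of the ssl module or of the backport: a simplified hostname check over the certificate dict shape returned by getpeercert(), showing the two rules named in the History above (a wildcard accepted only as the whole left-most label, and IP Address entries in subjectAltName). All function names and SAMPLE_CERT are constructed for illustration.

```python
import ipaddress

class CertificateError(ValueError):
    """Raised when no name in the certificate matches the requested host."""

def _dns_matches(pattern, hostname):
    # Simplified RFC 6125 rule: "*" is accepted only as the entire left-most label.
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or "*" in "".join(p[1:]) or not h[0]:
        return False
    return len(p) == len(h) and p[1:] == h[1:]

def match_hostname(cert, hostname):
    """Return None on a match, raise CertificateError otherwise."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # not an IP literal, treat as a DNS name
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if host_ip is None and _dns_matches(value, hostname):
                return
            names.append(value)
        elif kind == "IP Address":
            if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                return
            names.append(value)
    if not names:  # commonName is consulted only when SAN has no usable entry
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dns_matches(value, hostname):
                        return
                    names.append(value)
    raise CertificateError("%r does not match any of %r" % (hostname, names))

def accepts(cert, hostname):
    """Boolean wrapper so callers and tests can check a result without try/except."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False

# Constructed sample in the dict shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("IP Address", "192.0.2.10")),
}
```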

