Issue #19785: smtplib now supports SSLContext.check_hostname and server name

indication for TLS/SSL connections.
2013-12-02 20:44:17 +01:00 · 2013-12-02 20:44:17 +01:00 · a5768f7292
parent 216d463b1f
commit a5768f7292
4 changed files with 45 additions and 6 deletions
--- a/Doc/library/smtplib.rst
+++ b/Doc/library/smtplib.rst
@ -90,6 +90,10 @@ Protocol) and :rfc:`1869` (SMTP Service Extensions).
   .. versionchanged:: 3.3
      source_address argument was added.

+   .. versionchanged:: 3.4
+      The class now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).

 .. class:: LMTP(host='', port=LMTP_PORT, local_hostname=None, source_address=None)

@ -316,6 +320,11 @@ An :class:`SMTP` instance has the following methods:
   .. versionchanged:: 3.3
      *context* was added.

+   .. versionchanged:: 3.4
+      The method now supports hostname check with
+      :attr:`SSLContext.check_hostname` and *Server Name Indicator* (see
+      :data:`~ssl.HAS_SNI`).
+

 .. method:: SMTP.sendmail(from_addr, to_addrs, msg, mail_options=[], rcpt_options=[])

--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@ -232,6 +232,7 @@ class SMTP:
        will be used.

        """
+        self._host = host
        self.timeout = timeout
        self.esmtp_features = {}
        self.source_address = source_address
@ -667,7 +668,9 @@ class SMTP:
            if context is None:
                context = ssl._create_stdlib_context(certfile=certfile,
                                                     keyfile=keyfile)
-            self.sock = context.wrap_socket(self.sock)
+            server_hostname = self._host if ssl.HAS_SNI else None
+            self.sock = context.wrap_socket(self.sock,
+                                            server_hostname=server_hostname)
            self.file = None
            # RFC 3207:
            # The client MUST discard any knowledge obtained from
@ -892,7 +895,9 @@ if _have_ssl:
                print('connect:', (host, port), file=stderr)
            new_socket = socket.create_connection((host, port), timeout,
                    self.source_address)
-            new_socket = self.context.wrap_socket(new_socket)
+            server_hostname = self._host if ssl.HAS_SNI else None
+            new_socket = self.context.wrap_socket(new_socket,
+                                                  server_hostname=server_hostname)
            return new_socket

    __all__.append("SMTP_SSL")
--- a/Lib/test/test_smtpnet.py
+++ b/Lib/test/test_smtpnet.py
@ -3,23 +3,35 @@
 import unittest
 from test import support
 import smtplib
+import socket

 ssl = support.import_module("ssl")

 support.requires("network")

+def check_ssl_verifiy(host, port):
+    context = ssl.create_default_context()
+    with socket.create_connection((host, port)) as sock:
+        try:
+            sock = context.wrap_socket(sock, server_hostname=host)
+        except Exception:
+            return False
+        else:
+            sock.close()
+            return True
+

 class SmtpTest(unittest.TestCase):
    testServer = 'smtp.gmail.com'
    remotePort = 25
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

    def test_connect_starttls(self):
        support.get_attribute(smtplib, 'SMTP_SSL')
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        with support.transient_internet(self.testServer):
            server = smtplib.SMTP(self.testServer, self.remotePort)
            try:
-                server.starttls(context=self.context)
+                server.starttls(context=context)
            except smtplib.SMTPException as e:
                if e.args[0] == 'STARTTLS extension not supported by server.':
                    unittest.skip(e.args[0])
@ -32,7 +44,7 @@ class SmtpTest(unittest.TestCase):
 class SmtpSSLTest(unittest.TestCase):
    testServer = 'smtp.gmail.com'
    remotePort = 465
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    can_verify = check_ssl_verifiy(testServer, remotePort)

    def test_connect(self):
        support.get_attribute(smtplib, 'SMTP_SSL')
@ -49,9 +61,19 @@ class SmtpSSLTest(unittest.TestCase):
            server.quit()

    def test_connect_using_sslcontext(self):
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        support.get_attribute(smtplib, 'SMTP_SSL')
        with support.transient_internet(self.testServer):
-            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=self.context)
+            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=context)
+            server.ehlo()
+            server.quit()
+
+    @unittest.skipUnless(can_verify, "SSL certificate can't be verified")
+    def test_connect_using_sslcontext_verified(self):
+        support.get_attribute(smtplib, 'SMTP_SSL')
+        context = ssl.create_default_context()
+        with support.transient_internet(self.testServer):
+            server = smtplib.SMTP_SSL(self.testServer, self.remotePort, context=context)
            server.ehlo()
            server.quit()

--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------

+- Issue #19785: smtplib now supports SSLContext.check_hostname and server name
+  indication for TLS/SSL connections.
+
 - Issue #19784: poplib now supports SSLContext.check_hostname and server name
  indication for TLS/SSL connections.