bpo-39616: clarify SSLContext.check_hostname effect

It doesn't actually affect whether match_hostname() is called (it never is in this context any longer), but whether hostname verification occurs in the first place.
2020-02-12 14:28:49 +02:00 · 2020-02-12 14:28:49 +02:00 · 917a5c419e
parent 4fac7ed43e
commit 917a5c419e
1 changed files with 10 additions and 10 deletions
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -1878,16 +1878,16 @@ to speed up repeated connections from the same clients.

 .. attribute:: SSLContext.check_hostname

-   Whether to match the peer cert's hostname with :func:`match_hostname` in
-   :meth:`SSLSocket.do_handshake`. The context's
-   :attr:`~SSLContext.verify_mode` must be set to :data:`CERT_OPTIONAL` or
-   :data:`CERT_REQUIRED`, and you must pass *server_hostname* to
-   :meth:`~SSLContext.wrap_socket` in order to match the hostname.  Enabling
-   hostname checking automatically sets :attr:`~SSLContext.verify_mode` from
-   :data:`CERT_NONE` to :data:`CERT_REQUIRED`.  It cannot be set back to
-   :data:`CERT_NONE` as long as hostname checking is enabled. The
-   :data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default.
-   With other protocols, hostname checking must be enabled explicitly.
+   Whether to match the peer cert's hostname in :meth:`SSLSocket.do_handshake`.
+   The context's :attr:`~SSLContext.verify_mode` must be set to
+   :data:`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, and you must pass
+   *server_hostname* to :meth:`~SSLContext.wrap_socket` in order to match the
+   hostname.  Enabling hostname checking automatically sets
+   :attr:`~SSLContext.verify_mode` from :data:`CERT_NONE` to
+   :data:`CERT_REQUIRED`.  It cannot be set back to :data:`CERT_NONE` as long
+   as hostname checking is enabled. The :data:`PROTOCOL_TLS_CLIENT` protocol
+   enables hostname checking by default. With other protocols, hostname
+   checking must be enabled explicitly.

   Example::