always disable the builtin hostname verification

It conflicts with our own, more flexible functionality Fixes #524
urllib3 · Jan 8, 2015 · 6340b18 · 6340b18
1 parent a277586
commit 6340b18
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -240,6 +240,15 @@ def test_verify_none_and_good_fingerprint(self):
                                         '7A:F2:8A:D7:1E:07:33:67:DE'
         https_pool.request('GET', '/')
 
+    def test_good_fingerprint_and_hostname_mismatch(self):
+        https_pool = HTTPSConnectionPool('127.0.0.1', self.port,
+                                         cert_reqs='CERT_REQUIRED',
+                                         ca_certs=DEFAULT_CA)
+
+        https_pool.assert_fingerprint = 'CC:45:6A:90:82:F7FF:C0:8218:8e:' \
+                                        '7A:F2:8A:D7:1E:07:33:67:DE'
+        https_pool.request('GET', '/')
+
     @requires_network
     def test_https_timeout(self):
         timeout = Timeout(connect=0.001)

diff --git a/urllib3/util/ssl_.py b/urllib3/util/ssl_.py
@@ -211,7 +211,9 @@ def create_urllib3_context(ssl_version=None, cert_reqs=ssl.CERT_REQUIRED,
 
     context.verify_mode = cert_reqs
     if getattr(context, 'check_hostname', None) is not None:  # Platform-specific: Python 3.2
-        context.check_hostname = (context.verify_mode == ssl.CERT_REQUIRED)
+        # We do our own verification, including fingerprints and alternative
+        # hostnames. So disable it here
+        context.check_hostname = False
     return context