Change method for disabling hostname checking for Windows and macOS

Previously we'd ignore hostname errors if configured to do so,
now we change the certificate policy to not check hostname

Author: sethmlarson

src/truststore/_macos.py

@@ -386,7 +386,9 @@ def _verify_peercerts_impl(
     policies = None
     trust = None
     try:
-        if server_hostname is not None:
+        # Only set a hostname on the policy if we're verifying the hostname
+        # on the leaf certificate.
+        if server_hostname is not None and ssl_context.check_hostname:
             cf_str_hostname = None
             try:
                 cf_str_hostname = _bytes_to_cf_string(server_hostname.encode("ascii"))
@@ -539,11 +541,6 @@ def _verify_peercerts_impl_macos_10_14(
             or cf_error_code == CFConst.errSecCertificateExpired
         ):
             is_trusted = True
-        elif (
-            not ssl_context.check_hostname
-            and cf_error_code == CFConst.errSecHostNameMismatch
-        ):
-            is_trusted = True
 
     # If we're still not trusted then we start to
     # construct and raise the SSLCertVerificationError.

src/truststore/_windows.py

@@ -212,6 +212,7 @@ class CERT_CHAIN_ENGINE_CONFIG(Structure):
 CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS = 0x00000F00
 CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG = 0x00008000
 CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG = 0x00004000
+SECURITY_FLAG_IGNORE_CERT_CN_INVALID = 0x00001000
 AUTHTYPE_SERVER = 2
 CERT_CHAIN_POLICY_SSL = 4
 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
@@ -443,6 +444,10 @@ def _get_and_verify_cert_chain(
         )
         ssl_extra_cert_chain_policy_para.dwAuthType = AUTHTYPE_SERVER
         ssl_extra_cert_chain_policy_para.fdwChecks = 0
+        if ssl_context.check_hostname is False:
+            ssl_extra_cert_chain_policy_para.fdwChecks = (
+                SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+            )
         if server_hostname:
             ssl_extra_cert_chain_policy_para.pwszServerName = c_wchar_p(server_hostname)
 
@@ -452,8 +457,6 @@ def _get_and_verify_cert_chain(
         )
         if ssl_context.verify_mode == ssl.CERT_NONE:
             chain_policy.dwFlags |= CERT_CHAIN_POLICY_VERIFY_MODE_NONE_FLAGS
-        if not ssl_context.check_hostname:
-            chain_policy.dwFlags |= CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG
         chain_policy.cbSize = sizeof(chain_policy)
 
         pPolicyPara = pointer(chain_policy)

tests/test_api.py

@@ -39,22 +39,23 @@ class FailureHost:
     error_messages: list[str]
 
 
+wrong_host_failure_host = FailureHost(
+    host="wrong.host.badssl.com",
+    error_messages=[
+        # OpenSSL
+        "Hostname mismatch, certificate is not valid for 'wrong.host.badssl.com'",
+        # macOS
+        "certificate name does not match",
+        # macOS with revocation checks
+        "certificates do not meet pinning requirements",
+        # macOS 10.13
+        "Recoverable trust failure occurred",
+        # Windows
+        "The certificate's CN name does not match the passed value.",
+    ],
+)
 failure_hosts_list = [
-    FailureHost(
-        host="wrong.host.badssl.com",
-        error_messages=[
-            # OpenSSL
-            "Hostname mismatch, certificate is not valid for 'wrong.host.badssl.com'",
-            # macOS
-            "certificate name does not match",
-            # macOS with revocation checks
-            "certificates do not meet pinning requirements",
-            # macOS 10.13
-            "Recoverable trust failure occurred",
-            # Windows
-            "The certificate's CN name does not match the passed value.",
-        ],
-    ),
+    wrong_host_failure_host,
     FailureHost(
         host="expired.badssl.com",
         error_messages=[
@@ -371,6 +372,21 @@ def test_requests_sslcontext_api_failures(failure):
     assert "cert" in repr(e.value).lower() and "verif" in repr(e.value).lower()
 
 
+def test_wrong_host_succeeds_with_hostname_verification_disabled() -> None:
+    global wrong_host_failure_host
+
+    ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    ctx.check_hostname = False
+    assert ctx.check_hostname is False
+
+    with urllib3.PoolManager(ssl_context=ctx, retries=5, assert_hostname=False) as http:
+        resp = http.request("GET", f"https://{wrong_host_failure_host.host}")
+
+    assert resp.status == 200
+    assert len(resp.data) > 0
+    assert ctx.check_hostname is False
+
+
 def test_trustme_cert(trustme_ca, httpserver):
     ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     trustme_ca.configure_trust(ctx)