gh-91826: Enable cert and hostname verification for stdlib

Lib/ssl.py

@@ -779,16 +779,20 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
             context.keylog_filename = keylogfile
     return context
 
-def _create_unverified_context(protocol=None, *, cert_reqs=CERT_NONE,
-                           check_hostname=False, purpose=Purpose.SERVER_AUTH,
-                           certfile=None, keyfile=None,
-                           cafile=None, capath=None, cadata=None):
-    """Create a SSLContext object for Python stdlib modules
+
+def _create_verified_context(
+    protocol=None, *, cert_reqs=None, check_hostname=None,
+    purpose=Purpose.SERVER_AUTH, certfile=None, keyfile=None,
+    cafile=None, capath=None, cadata=None
+):
+    """Create a SSLContext for Python stdlib modules (verified)
 
     All Python stdlib modules shall use this function to create SSLContext
     objects in order to keep common settings in one place. The configuration
     is less restrict than create_default_context()'s to increase backward
     compatibility.
+
+    Cert and hostname verification is enabled by default for client contexts.
     """
     if not isinstance(purpose, _ASN1Object):
         raise TypeError(purpose)
@@ -800,9 +804,17 @@ def _create_unverified_context(protocol=None, *, cert_reqs=CERT_NONE,
         # verify certs and host name in client mode
         if protocol is None:
             protocol = PROTOCOL_TLS_CLIENT
+        if cert_reqs is None:
+            cert_reqs = CERT_REQUIRED
+        if check_hostname is None:
+            check_hostname = True
     elif purpose == Purpose.CLIENT_AUTH:
         if protocol is None:
             protocol = PROTOCOL_TLS_SERVER
+        if cert_reqs is None:
+            cert_reqs = CERT_NONE
+        if check_hostname is None:
+            check_hostname = False
     else:
         raise ValueError(purpose)
 
@@ -833,12 +845,28 @@ def _create_unverified_context(protocol=None, *, cert_reqs=CERT_NONE,
             context.keylog_filename = keylogfile
     return context
 
+
+def _create_unverified_context(
+    protocol=None, *, cert_reqs=CERT_NONE, check_hostname=False,
+    purpose=Purpose.SERVER_AUTH, certfile=None, keyfile=None,
+    cafile=None, capath=None, cadata=None
+):
+    """Create a SSLContext for Python stdlib modules (unverified)
+
+    Cert and hostname verification is **disabled** by default.
+    """
+    return _create_verified_context(
+        protocol, cert_reqs=cert_reqs, check_hostname=check_hostname,
+        purpose=purpose, certfile=certfile, keyfile=keyfile,
+        cafile=cafile, capath=capath, cadata=cadata
+    )
+
+
 # Used by http.client if no context is explicitly passed.
 _create_default_https_context = create_default_context
 
-
 # Backwards compatibility alias, even though it's not a public name.
-_create_stdlib_context = _create_unverified_context
+_create_stdlib_context = _create_verified_context
 
 
 class SSLObject:
@@ -1520,9 +1548,9 @@ def get_server_certificate(addr, ssl_version=PROTOCOL_TLS_CLIENT,
         cert_reqs = CERT_REQUIRED
     else:
         cert_reqs = CERT_NONE
-    context = _create_stdlib_context(ssl_version,
-                                     cert_reqs=cert_reqs,
-                                     cafile=ca_certs)
+    context = _create_unverified_context(
+        ssl_version, cert_reqs=cert_reqs, cafile=ca_certs
+    )
     with create_connection(addr, timeout=timeout) as sock:
         with context.wrap_socket(sock, server_hostname=host) as sslsock:
             dercert = sslsock.getpeercert(True)

Lib/test/test_ftplib.py

@@ -914,6 +914,8 @@ def setUp(self, encoding=DEFAULT_ENCODING):
         self.server = DummyTLS_FTPServer((HOST, 0), encoding=encoding)
         self.server.start()
         self.client = ftplib.FTP_TLS(timeout=TIMEOUT, encoding=encoding)
+        self.client.context.check_hostname = False
+        self.client.context.verify_mode = ssl.CERT_NONE
         self.client.connect(self.server.host, self.server.port)
         # enable TLS
         self.client.auth()
@@ -928,6 +930,8 @@ def setUp(self, encoding=DEFAULT_ENCODING):
         self.server = DummyTLS_FTPServer((HOST, 0), encoding=encoding)
         self.server.start()
         self.client = ftplib.FTP_TLS(timeout=TIMEOUT)
+        self.client.context.check_hostname = False
+        self.client.context.verify_mode = ssl.CERT_NONE
         self.client.connect(self.server.host, self.server.port)
 
     def tearDown(self):

Lib/test/test_nntplib.py

@@ -1632,7 +1632,8 @@ def run_server(self, sock):
     def test_starttls(self):
         file = self.nntp.file
         sock = self.nntp.sock
-        self.nntp.starttls()
+        context = ssl._create_unverified_context()
+        self.nntp.starttls(context=context)
         # Check that the socket and internal pseudo-file really were
         # changed.
         self.assertNotEqual(file, self.nntp.file)

Lib/test/test_poplib.py

@@ -17,6 +17,7 @@
 from test.support import threading_helper
 
 import warnings
+
 with warnings.catch_warnings():
     warnings.simplefilter('ignore', DeprecationWarning)
     import asynchat
@@ -417,6 +418,7 @@ def setUp(self):
         self.server.handler = DummyPOP3_SSLHandler
         self.server.start()
         self.client = poplib.POP3_SSL(self.server.host, self.server.port)
+        self.client.context.load_verify_locations(CAFILE)
 
     def test__all__(self):
         self.assertIn('POP3_SSL', poplib.__all__)
@@ -459,6 +461,7 @@ def setUp(self):
         self.server.start()
         self.client = poplib.POP3(self.server.host, self.server.port,
                                   timeout=test_support.LOOPBACK_TIMEOUT)
+        self.client.context.load_verify_locations(CAFILE)
         self.client.stls()
 
     def tearDown(self):

Lib/test/test_ssl.py

@@ -1709,23 +1709,54 @@ def test_create_default_context(self):
         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
         self._assert_context_options(ctx)
 
+    def test__create_stdlib_context(self):
+        self.assertIs(ssl._create_stdlib_context, ssl._create_verified_context)
 
+    def test__create_verified_context(self):
+        ctx = ssl._create_verified_context()
+        self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
+        self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
+        self.assertTrue(ctx.check_hostname)
+        self._assert_context_options(ctx)
 
-    def test__create_stdlib_context(self):
-        ctx = ssl._create_stdlib_context()
+        with warnings_helper.check_warnings():
+            ctx = ssl._create_verified_context(ssl.PROTOCOL_TLSv1)
+        self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
+        self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
+        self.assertTrue(ctx.check_hostname)
+        self._assert_context_options(ctx)
+
+        with warnings_helper.check_warnings():
+            ctx = ssl._create_verified_context(
+                ssl.PROTOCOL_TLSv1_2,
+                cert_reqs=ssl.CERT_NONE,
+                check_hostname=False
+            )
+        self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
+        self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
+        self.assertFalse(ctx.check_hostname)
+        self._assert_context_options(ctx)
+
+        ctx = ssl._create_verified_context(purpose=ssl.Purpose.CLIENT_AUTH)
+        self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
+        self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
+        self._assert_context_options(ctx)
+
+    def test__create_unverified_context(self):
+        ctx = ssl._create_unverified_context()
         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
         self.assertFalse(ctx.check_hostname)
         self._assert_context_options(ctx)
 
         with warnings_helper.check_warnings():
-            ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
+            ctx = ssl._create_unverified_context(ssl.PROTOCOL_TLSv1)
         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
         self._assert_context_options(ctx)
 
         with warnings_helper.check_warnings():
-            ctx = ssl._create_stdlib_context(
+            ctx = ssl._create_unverified_context(
                 ssl.PROTOCOL_TLSv1_2,
                 cert_reqs=ssl.CERT_REQUIRED,
                 check_hostname=True
@@ -1735,7 +1766,7 @@ def test__create_stdlib_context(self):
         self.assertTrue(ctx.check_hostname)
         self._assert_context_options(ctx)
 
-        ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
+        ctx = ssl._create_unverified_context(purpose=ssl.Purpose.CLIENT_AUTH)
         self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
         self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
         self._assert_context_options(ctx)

Misc/NEWS.d/next/Security/2022-04-24-11-34-31.gh-issue-91826.bfumF-.rst

@@ -0,0 +1,2 @@
+:mod:`ftplib`, :mod:`imaplib`, :mod:`nntplib`, :mod:`poplib`, and
+:mod:`smtplib` now verify TLS certificate and hostname by default.