
Check hostname when using SSL #1196

Closed
aniapte opened this issue Jul 26, 2019 · 1 comment

Comments

@aniapte

aniapte commented Jul 26, 2019

Issue: Redis client successfully creates SSL connections to AWS Elasticache redis server even though the hostname looks like "redis.example.com".
Expectation: SSL connection must fail because the AWS Elasticache server will return an SSL certificate issued to "*.example.ma443f.use1.cache.amazonaws.com"

We are using the connection pool like this

pool = redis.ConnectionPool(host=host, port=port, db=0,
                            connection_class=redis.SSLConnection, ssl_cert_reqs='required',
                            ssl_ca_certs=certfile, retry_on_timeout=True)

Note that ssl_cert_reqs='required' is set with the expectation that SSL and hostname check will be enforced.

However the _connect method in redis/connection.py explicitly sets check_hostname to False.

def _connect(self):
    "Wrap the socket with SSL support"
    sock = super(SSLConnection, self)._connect()
    if hasattr(ssl, "create_default_context"):
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = self.cert_reqs
        ...

Why does it set check_hostname to False?

@andymccurdy
Contributor

I don't have a great answer for this as the code was added in a PR. One guess is that many users have created encrypted connections via tunnels and perhaps that kind of setup doesn't want hostname validation.

I've added an ssl_check_hostname option that specifies how to handle this. By default ssl_check_hostname=False to maintain backwards compatibility but you can easily flip it to True for your use case.
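As an added example (not code from the issue or from redis-py itself), the following shows why ssl_cert_reqs='required' alone does not catch the mismatch in the report: verify_mode and check_hostname are separate knobs on an SSLContext, and only the second one compares the certificate's name with the host that was dialled. The build_client_context, hostname_matches and would_accept functions are assumed names written for this illustration; the string values for cert_reqs mirror the ones redis-py accepts.

```python
import ssl

# Added example, not redis-py's own code. redis-py accepts ssl_cert_reqs as
# the strings 'none', 'optional', 'required'; this mirrors that mapping.
CERT_REQS = {"none": ssl.CERT_NONE, "optional": ssl.CERT_OPTIONAL,
             "required": ssl.CERT_REQUIRED}


def build_client_context(cert_reqs, check_hostname, ca_certs=None):
    """Build a client SSLContext the way the issue describes, plus the
    ssl_check_hostname knob from the maintainer's reply.

    verify_mode and check_hostname are independent: the first validates
    the peer's chain against the CA bundle, the second compares the leaf
    certificate's names with the host we dialled. Clearing check_hostname
    before assigning verify_mode is required, since Python refuses
    verify_mode=CERT_NONE while check_hostname is still True."""
    ctx = ssl.create_default_context()  # starts as CERT_REQUIRED + hostname on
    ctx.check_hostname = False
    ctx.verify_mode = CERT_REQS[cert_reqs]
    if check_hostname:
        if ctx.verify_mode == ssl.CERT_NONE:
            raise ValueError("hostname check needs certificate verification")
        ctx.check_hostname = True
    if ca_certs:
        ctx.load_verify_locations(cafile=ca_certs)
    return ctx


def hostname_matches(cert_name, hostname):
    """RFC 6125-style DNS-ID comparison, which is what check_hostname=True
    enforces: case-insensitive, same label count, and '*' may stand only
    for one whole leftmost label (no '*.com', no partial-label wildcards)."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or pattern[1:] != labels[1:]:
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3
    return pattern[0] == labels[0]


def would_accept(cert_reqs, check_hostname, cert_name, hostname):
    """Would a client configured like this accept a peer whose (otherwise
    valid) certificate is issued to cert_name, when it dialled hostname?"""
    ctx = build_client_context(cert_reqs, check_hostname)
    if not ctx.check_hostname:
        return True  # the name in the certificate is never compared
    return hostname_matches(cert_name, hostname)
```

With the issue's values, would_accept("required", False, ...) returns True for "redis.example.com" against the amazonaws wildcard certificate, and flipping the second argument to True (the new ssl_check_hostname option) makes it return False.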
