ssl.match_hostname() is deprecated

[igor-mendix]

ssl.match_hostname() function used here:

sslyze/sslyze/plugins/certificate_info/_cert_chain_analyzer.py

Line 296 in 49380c1

match_hostname(certificate_names, server_hostname) # type: ignore

is deprecated since Python 3.7, and is already absent in 3.12.

[mig5]

Is there any easy workaround for this? This is a problem running sslyze 5.2.0 on the latest Debian stable (12 aka Bookworm).

[blshkv]

    from sslyze.plugins.certificate_info._cert_chain_analyzer import (
  File "/usr/lib/python3.12/site-packages/sslyze/plugins/certificate_info/_cert_chain_analyzer.py", line 3, in <module>
    from ssl import CertificateError, match_hostname
ImportError: cannot import name 'match_hostname' from 'ssl' (/usr/lib/python3.12/ssl.py)

sslyze fails to start with python3_12. Please fix

[blshkv]

a potential "quick" workaround is to use "https://pypi.org/project/backports.ssl_match_hostname/", but I'm not sure.
And it's like going backwards

[kchodkiewicz]

there was the same issue in other project and I'd say there is a good solution: aiortc/aioquic#368

tl;dr

• urllib3 has a port of match_hostname (simple to incorporate)
• service-identity different implementation but seems to be more proper solution (a bit more complex to incorporate)

[nabla-c0d3]

This might get solved by #638

[nabla-c0d3]

Fixed in v6.0.0.