Support a servername parameter on HTTPSConnections which overrides th…

…e name used for SNI/hostname verification.
urllib3 · Jun 15, 2018 · 8a4faeb · 8a4faeb
1 parent 6be6372
commit 8a4faeb
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/urllib3/connection.py b/urllib3/connection.py
@@ -242,14 +242,15 @@ class HTTPSConnection(HTTPConnection):
 
     def __init__(self, host, port=None, key_file=None, cert_file=None,
                  strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
-                 ssl_context=None, **kw):
+                 ssl_context=None, server_hostname=None, **kw):
 
         HTTPConnection.__init__(self, host, port, strict=strict,
                                 timeout=timeout, **kw)
 
         self.key_file = key_file
         self.cert_file = cert_file
         self.ssl_context = ssl_context
+        self.server_hostname = server_hostname
 
         # Required property for Google AppEngine 1.9.0 which otherwise causes
         # HTTPS requests to go out as HTTP. (See Issue #356)
@@ -270,6 +271,7 @@ def connect(self):
             keyfile=self.key_file,
             certfile=self.cert_file,
             ssl_context=self.ssl_context,
+            server_hostname=self.server_hostname
         )
 
 
@@ -328,6 +330,10 @@ def connect(self):
             # Override the host with the one we're requesting data from.
             hostname = self._tunnel_host
 
+        server_hostname = hostname
+        if self.server_hostname is not None:
+            server_hostname = self.server_hostname
+
         is_time_off = datetime.date.today() < RECENT_DATE
         if is_time_off:
             warnings.warn((
@@ -352,7 +358,7 @@ def connect(self):
             certfile=self.cert_file,
             ca_certs=self.ca_certs,
             ca_cert_dir=self.ca_cert_dir,
-            server_hostname=hostname,
+            server_hostname=server_hostname,
             ssl_context=context)
 
         if self.assert_fingerprint:
@@ -373,7 +379,7 @@ def connect(self):
                     'for details.)'.format(hostname)),
                     SubjectAltNameWarning
                 )
-            _match_hostname(cert, self.assert_hostname or hostname)
+            _match_hostname(cert, self.assert_hostname or server_hostname)
 
         self.is_verified = (
             context.verify_mode == ssl.CERT_REQUIRED or