nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

ssl.match_hostname() is deprecated #627

Closed igor-mendix closed 2 months ago

igor-mendix commented 8 months ago

The ssl.match_hostname() function used here: https://github.com/nabla-c0d3/sslyze/blob/49380c1c2b1d1b521ffd4314fc52ea3927afd599/sslyze/plugins/certificate_info/_cert_chain_analyzer.py#L296 has been deprecated since Python 3.7 and is already absent in 3.12.

mig5 commented 7 months ago

Is there any easy workaround for this? This is a problem running sslyze 5.2.0 on the latest Debian stable (12 aka Bookworm).

blshkv commented 7 months ago

```
    from sslyze.plugins.certificate_info._cert_chain_analyzer import (
  File "/usr/lib/python3.12/site-packages/sslyze/plugins/certificate_info/_cert_chain_analyzer.py", line 3, in <module>
    from ssl import CertificateError, match_hostname
ImportError: cannot import name 'match_hostname' from 'ssl' (/usr/lib/python3.12/ssl.py)
```

sslyze fails to start with python3_12. Please fix.

blshkv commented 7 months ago

A potential "quick" workaround is to use https://pypi.org/project/backports.ssl_match_hostname/, but I'm not sure. And it's like going backwards.

kchodkiewicz commented 7 months ago

There was the same issue in another project, and I'd say there is a good solution: https://github.com/aiortc/aioquic/issues/368

tl;dr

nabla-c0d3 commented 5 months ago

This might get solved by https://github.com/nabla-c0d3/sslyze/issues/638

nabla-c0d3 commented 2 months ago

Fixed in v6.0.0.
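
For code that still needs the check `ssl.match_hostname()` performed on Python 3.12, here is an added example (not part of this thread, and not sslyze's v6.0.0 fix): a standard-library-only matcher over the dict layout returned by `ssl.SSLSocket.getpeercert()`. `is_valid_for` and `SAMPLE_CERT` are hypothetical names, the sample certificate is constructed, and unlike the removed function this version does no commonName fallback.

```python
import ipaddress

class CertificateError(ValueError):
    """The certificate does not cover the requested host."""

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    # Case-insensitive, label-by-label comparison (RFC 6125 section 6.4).
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Accept only a lone "*" as the entire leftmost label, followed by at
    # least two more labels, so "w*.example.com" and "*.com" never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]

def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless a subjectAltName entry covers hostname."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # not an IP literal, treat as a DNS name
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        names.append(value)
        if host_ip is None and kind == "DNS" and _dns_name_matches(value, hostname):
            return
        if host_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value.strip()) == host_ip:
                return
    # Deliberately no commonName fallback: only SAN entries are trusted.
    raise CertificateError(f"{hostname!r} does not match any of {names!r}")

def is_valid_for(cert: dict, hostname: str) -> bool:
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
```
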