WL#15664: Add support for Python 3.12

oscpache · oscpache · commit a751670ebbd8 · 2023-08-14T12:31:58.000-06:00
Change-Id: Id048ff3eb6fdde901558eda880cdb6fb44e55719
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -11,6 +11,7 @@ Full release notes:
 v8.2.0
 ======
 
+- WL#15664: Add support for Python 3.12
 - WL#15623: Improve the authentication module
 - WL#15218: Support WebAuthn authentication
 - BUG#35547876: C/Python 8.1.0 type check build fails in the pb2 branch
diff --git a/lib/mysql/connector/network.py b/lib/mysql/connector/network.py
@@ -31,7 +31,6 @@
 """Module implementing low-level socket communication with MySQL servers.
 """
 
-import os
 import socket
 import struct
 import warnings
@@ -507,35 +506,6 @@ def switch_to_ssl(self, ssl_context: Any, host: str) -> None:
 
         try:
             self.sock = ssl_context.wrap_socket(self.sock, server_hostname=host)
-            if ssl_context.check_hostname:
-                hostnames = [host] if host else []
-                if os.name == "nt" and host == "localhost":
-                    hostnames = ["localhost", "127.0.0.1"]
-                    aliases = socket.gethostbyaddr(host)
-                    hostnames.extend([aliases[0]] + aliases[1])
-                match_found = False
-                errs = []
-                for hostname in hostnames:
-                    try:
-                        # Deprecated in Python 3.7 without a replacement and
-                        # should be removed in the future, since OpenSSL now
-                        # performs hostname matching
-                        # pylint: disable=deprecated-method
-                        ssl.match_hostname(
-                            self.sock.getpeercert(),  # type: ignore[union-attr]
-                            hostname,
-                        )
-                        # pylint: enable=deprecated-method
-                    except ssl.CertificateError as err:
-                        errs.append(str(err))
-                    else:
-                        match_found = True
-                        break
-                if not match_found:
-                    self.sock.close()
-                    raise InterfaceError(
-                        f"Unable to verify server identity: {', '.join(errs)}"
-                    )
         except NameError as err:
             raise NotSupportedError("Python installation has no SSL support") from err
         except (ssl.SSLError, IOError) as err:
@@ -602,6 +572,7 @@ def build_ssl_context(
                     if "TLSv1" not in tls_versions:
                         context.options |= ssl.OP_NO_TLSv1
             else:
+                # `check_hostname` is True by default
                 context = ssl.create_default_context()
 
             context.check_hostname = ssl_verify_identity
diff --git a/lib/mysqlx/connection.py b/lib/mysqlx/connection.py
@@ -366,11 +366,12 @@ def set_ssl(
             raise RuntimeError("Python installation has no SSL support")
 
         if ssl_protos is None or not ssl_protos:
+            # `check_hostname` is True by default
             context = ssl.create_default_context()
             if ssl_mode != SSLMode.VERIFY_IDENTITY:
                 context.check_hostname = False
-            if ssl_mode == SSLMode.REQUIRED:
-                context.verify_mode = ssl.CERT_NONE
+                if ssl_mode == SSLMode.REQUIRED:
+                    context.verify_mode = ssl.CERT_NONE
         else:
             ssl_protos.sort(reverse=True)
             tls_version = ssl_protos[0]
@@ -391,6 +392,8 @@ def set_ssl(
                 if "TLSv1" not in ssl_protos:
                     context.options |= ssl.OP_NO_TLSv1
 
+            context.check_hostname = ssl_mode == SSLMode.VERIFY_IDENTITY
+
         if ssl_ca:
             try:
                 context.load_verify_locations(ssl_ca)
@@ -422,34 +425,6 @@ def set_ssl(
             self._socket = context.wrap_socket(self._socket, server_hostname=self._host)
         except ssl.CertificateError as err:
             raise InterfaceError(f"{err}") from err
-        if ssl_mode == SSLMode.VERIFY_IDENTITY:
-            context.check_hostname = True
-            hostnames = []
-            # Windows does not return loopback aliases on gethostbyaddr
-            if os.name == "nt" and self._host in ("localhost", "127.0.0.1"):
-                hostnames = ["localhost", "127.0.0.1"]
-            aliases = socket.gethostbyaddr(self._host)
-            hostnames.extend([aliases[0]] + aliases[1])
-            match_found = False
-            errs = []
-            for hostname in hostnames:
-                try:
-                    # Deprecated in Python 3.7 without a replacement and
-                    # should be removed in the future, since OpenSSL now
-                    # performs hostname matching
-                    # pylint: disable=deprecated-method
-                    ssl.match_hostname(self._socket.getpeercert(), hostname)
-                    # pylint: enable=deprecated-method
-                except ssl.CertificateError as err:
-                    errs.append(str(err))
-                else:
-                    match_found = True
-                    break
-            if not match_found:
-                self.close()
-                raise InterfaceError(
-                    f"Unable to verify server identity: {', '.join(errs)}"
-                )
 
         self._is_ssl = True
 
diff --git a/setup.py b/setup.py
@@ -129,6 +129,7 @@
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
+        "Programming Language :: Python :: 3.12",
         "Topic :: Database",
         "Topic :: Software Development",
         "Topic :: Software Development :: Libraries :: Application Frameworks",
