Enable disabling hostname verification for macOS and Windows

src/truststore/_macos.py

@@ -386,7 +386,9 @@ def _verify_peercerts_impl(
     policies = None
     trust = None
     try:
-        if server_hostname is not None:
+        # Only set a hostname on the policy if we're verifying the hostname
+        # on the leaf certificate.
+        if server_hostname is not None and ssl_context.check_hostname:
             cf_str_hostname = None
             try:
                 cf_str_hostname = _bytes_to_cf_string(server_hostname.encode("ascii"))
@@ -539,11 +541,6 @@ def _verify_peercerts_impl_macos_10_14(
             or cf_error_code == CFConst.errSecCertificateExpired
         ):
             is_trusted = True
-        elif (
-            not ssl_context.check_hostname
-            and cf_error_code == CFConst.errSecHostNameMismatch
-        ):
-            is_trusted = True
 
     # If we're still not trusted then we start to
     # construct and raise the SSLCertVerificationError.

src/truststore/_windows.py

@@ -212,6 +212,7 @@ class CERT_CHAIN_ENGINE_CONFIG(Structure):
 CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS = 0x00000F00
 CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG = 0x00008000
 CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG = 0x00004000
+SECURITY_FLAG_IGNORE_CERT_CN_INVALID = 0x00001000
 AUTHTYPE_SERVER = 2
 CERT_CHAIN_POLICY_SSL = 4
 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
@@ -443,6 +444,10 @@ def _get_and_verify_cert_chain(
         )
         ssl_extra_cert_chain_policy_para.dwAuthType = AUTHTYPE_SERVER
         ssl_extra_cert_chain_policy_para.fdwChecks = 0
+        if ssl_context.check_hostname is False:
+            ssl_extra_cert_chain_policy_para.fdwChecks = (
+                SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+            )
         if server_hostname:
             ssl_extra_cert_chain_policy_para.pwszServerName = c_wchar_p(server_hostname)
 
@@ -452,8 +457,6 @@ def _get_and_verify_cert_chain(
         )
         if ssl_context.verify_mode == ssl.CERT_NONE:
             chain_policy.dwFlags |= CERT_CHAIN_POLICY_VERIFY_MODE_NONE_FLAGS
-        if not ssl_context.check_hostname:
-            chain_policy.dwFlags |= CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG
         chain_policy.cbSize = sizeof(chain_policy)
 
         pPolicyPara = pointer(chain_policy)

tests/test_api.py

@@ -39,22 +39,23 @@ class FailureHost:
     error_messages: list[str]
 
 
+wrong_host_failure_host = FailureHost(
+    host="wrong.host.badssl.com",
+    error_messages=[
+        # OpenSSL
+        "Hostname mismatch, certificate is not valid for 'wrong.host.badssl.com'",
+        # macOS
+        "certificate name does not match",
+        # macOS with revocation checks
+        "certificates do not meet pinning requirements",
+        # macOS 10.13
+        "Recoverable trust failure occurred",
+        # Windows
+        "The certificate's CN name does not match the passed value.",
+    ],
+)
 failure_hosts_list = [
-    FailureHost(
-        host="wrong.host.badssl.com",
-        error_messages=[
-            # OpenSSL
-            "Hostname mismatch, certificate is not valid for 'wrong.host.badssl.com'",
-            # macOS
-            "certificate name does not match",
-            # macOS with revocation checks
-            "certificates do not meet pinning requirements",
-            # macOS 10.13
-            "Recoverable trust failure occurred",
-            # Windows
-            "The certificate's CN name does not match the passed value.",
-        ],
-    ),
+    wrong_host_failure_host,
     FailureHost(
         host="expired.badssl.com",
         error_messages=[
@@ -371,6 +372,21 @@ def test_requests_sslcontext_api_failures(failure):
     assert "cert" in repr(e.value).lower() and "verif" in repr(e.value).lower()
 
 
+def test_wrong_host_succeeds_with_hostname_verification_disabled() -> None:
+    global wrong_host_failure_host
+
+    ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    ctx.check_hostname = False
+    assert ctx.check_hostname is False
+
+    with urllib3.PoolManager(ssl_context=ctx, retries=5, assert_hostname=False) as http:
+        resp = http.request("GET", f"https://{wrong_host_failure_host.host}")
+
+    assert resp.status == 200
+    assert len(resp.data) > 0
+    assert ctx.check_hostname is False
+
+
 def test_trustme_cert(trustme_ca, httpserver):
     ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     trustme_ca.configure_trust(ctx)