aiortc / aioquic

QUIC and HTTP/3 implementation in Python

Find a replacement for deprecated `ssl.match_hostname`

jlaine opened this issue · comments

When connecting to a server, we rely on the standard library's `ssl.match_hostname` method to check the certificate presented by the server is valid for the hostname we connected to. However, this method has been deprecated since Python 3.7, so we need to find a suitable replacement.

So far I have found:

  • urllib3 vendors this method into its code. This does seem like a great option as it puts the burden of maintaining a critical piece of code on us.
  • OpenSSL has an X509_check_host method. AFAICT this is not accessible from pyOpenSSL.

I found service-identity, which is mentioned in trio's documentation; it may be helpful.
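
The hostname check this issue is about, as an added example that is not part of the thread and not aioquic's code: it matches a hostname against the `subjectAltName` entries of a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, using only the standard library. The names `match_hostname`, `is_valid_for` and `SAMPLE_CERT` are this example's own, and never consulting the subject commonName is an assumption of the example.

```python
import ipaddress

class CertificateError(ValueError):
    """The certificate is not valid for the requested name."""

def _labels(name: str) -> list:
    # Case-insensitive comparison; one trailing dot (absolute name) is ignored.
    return (name[:-1] if name.endswith(".") else name).lower().split(".")

def _dns_match(pattern: str, hostname: str) -> bool:
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host) or "" in pat or "" in host:
        return False
    if "*" in pat[0]:
        # Wildcard must be the whole left-most label and cover exactly one
        # label, with at least two labels after it ("*.example" is refused).
        if pat[0] != "*" or len(pat) < 3:
            return False
        pat, host = pat[1:], host[1:]
    return not any("*" in label for label in pat) and pat == host

def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless cert (getpeercert() shape) covers hostname."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if host_ip is None and kind == "DNS" and _dns_match(value, hostname):
            return
        if host_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value.strip()) == host_ip:
                    return
            except ValueError:
                continue  # a malformed entry never matches
    # Assumption of this example: the subject commonName is never consulted.
    raise CertificateError(f"certificate is not valid for {hostname!r}")

def is_valid_for(cert: dict, hostname: str) -> bool:
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True

# Constructed sample in the getpeercert() shape, not a real certificate.
SAMPLE_CERT = {"subjectAltName": (("DNS", "quic.example"),
                                  ("DNS", "*.quic.example"),
                                  ("IP Address", "192.0.2.10"))}
```

An IP literal is only ever compared with `IP Address` entries and a DNS name only with `DNS` entries, so a certificate cannot claim an address through a DNS-typed SAN.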