[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

Nicolas Bareil report at bugs.python.org
Fri May 6 12:48:29 CEST 2011 

Nicolas Bareil <nico at chdir.org> added the comment:

Hello Antoine, Steffen,

You are absolutely right about removing the 'not san' part. Here is the
new patch, with tests :

diff -r c22d5b37f6a4 Lib/ssl.py
--- a/Lib/ssl.py        Fri May 06 09:31:02 2011 +0300
+++ b/Lib/ssl.py        Fri May 06 12:47:14 2011 +0200
@@ -122,8 +122,9 @@
             if _dnsname_to_pat(value).match(hostname):
                 return
             dnsnames.append(value)
-    if not san:
-        # The subject is only checked when subjectAltName is empty
+    if not dnsnames:
+        # The subject is only checked when there is no dNSName entry
+        # in subjectAltName
         for sub in cert.get('subject', ()):
             for key, value in sub:
                 # XXX according to RFC 2818, the most specific Common Name
diff -r c22d5b37f6a4 Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py      Fri May 06 09:31:02 2011 +0300
+++ b/Lib/test/test_ssl.py      Fri May 06 12:47:14 2011 +0200
@@ -277,6 +277,24 @@
                             (('organizationName', 'Google Inc'),))}
         fail(cert, 'mail.google.com')
 
+        # No DNS entry in subjectAltName but a commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('commonName', 'mail.google.com'),)),
+                'subjectAltName': (('othername', 'blabla'), )}
+        ok(cert, 'mail.google.com')
+
+        # No DNS entry subjectAltName and no commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('organizationName', 'Google Inc'),)),
+                'subjectAltName': (('othername', 'blabla'),)}
+        fail(cert, 'google.com')
+
         # Empty cert / no cert
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')


Steffen, I will submit a bug report to Mercurial as soon as this patch is expected to be integrate in py3k.

----------
versions: +Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12000>
_______________________________________

More information about the Python-bugs-list mailing list