[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

Mads Kiilerich report at bugs.python.org
Fri May 6 17:35:12 CEST 2011


Mads Kiilerich <mads at kiilerich.com> added the comment:

In my opinion the RFCs are a bit unclear about how iPAddress subjectAltNames should be handled. (I also don't know if Python currently does the right thing by accepting and matching IP addresses if specified in commonName.)

Until now Python failed to the safe side by not matching on subjectAltName iPAddress but also not falling back to commonName if they were specified. AFAICS, with this change it is possible to create strange certificates that Python would accept when an IP address matched commonName but other implementations would reject because of iPAddress mismatch.

That is probably not a real problem, but I wanted to point it out as the biggest issue I could find with this fix. Nice catch.

We could perhaps add IP addresses to dnsnames even though we don't match on them.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12000>
_______________________________________
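The three behaviours discussed in the comment above, as an added example that is not part of the original thread or of the stdlib: a small hostname matcher over a certificate in the shape returned by ssl.SSLSocket.getpeercert() (the 'DNS' and 'IP Address' key names are assumed to mirror the stdlib's), with a selectable fallback policy. "pre-fix" falls back to commonName only when there is no subjectAltName at all (the failure the issue reports), "fixed" falls back whenever there is no dNSName entry (the change under discussion), and "ip-blocks-fallback" is one reading of the suggestion to add iPAddress entries to dnsnames without matching on them: they suppress the commonName fallback but never match. The certificates and hostnames are constructed test data.

```python
from ssl import CertificateError  # not raised here; kept to show the stdlib type


def _dnsname_match(dn, hostname):
    """Simplified RFC 6125 name comparison: case-insensitive, with a single
    leftmost '*' label that matches exactly one hostname label."""
    if not dn:
        return False
    dn_parts = dn.lower().split(".")
    host_parts = hostname.lower().split(".")
    if len(dn_parts) != len(host_parts):
        return False
    if dn_parts[0] == "*":
        return dn_parts[1:] == host_parts[1:]
    return dn_parts == host_parts


def match_hostname(cert, hostname, policy="fixed"):
    """Return True if hostname is accepted for cert under the given policy.

    cert follows the getpeercert() dict layout (assumption: 'DNS' and
    'IP Address' as the subjectAltName key names). iPAddress entries are
    never matched against hostname in any policy; they only decide whether
    the commonName fallback is allowed.
    """
    san = cert.get("subjectAltName", ())
    dnsnames = [value for key, value in san if key == "DNS"]
    ipaddrs = [value for key, value in san if key == "IP Address"]

    # dNSName entries are authoritative whenever present.
    if any(_dnsname_match(dn, hostname) for dn in dnsnames):
        return True

    if policy == "pre-fix":
        # Fallback only when the certificate has no subjectAltName at all.
        fallback = not san
    elif policy == "fixed":
        # Fallback whenever no dNSName entry exists, even if iPAddress ones do.
        fallback = not dnsnames
    elif policy == "ip-blocks-fallback":
        # iPAddress entries count as "names" for suppressing the fallback.
        fallback = not dnsnames and not ipaddrs
    else:
        raise ValueError("unknown policy: %r" % (policy,))

    if not fallback:
        return False

    # commonName fallback: walk the subject RDNs as getpeercert() lays them out.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dnsname_match(value, hostname):
                return True
    return False


# Constructed certificates (not real ones).
# Hostname in commonName, only an iPAddress in subjectAltName: the case the issue reports.
CERT_CN_HOST_SAN_IP = {
    "subject": ((("commonName", "server.example.test"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
# The "strange" certificate from the comment: commonName carries an IP that
# matches what the client asked for, while the iPAddress entry does not.
CERT_STRANGE = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "198.51.100.7"),),
}
# An ordinary certificate with a dNSName entry; commonName must be ignored.
CERT_DNS_SAN = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("IP Address", "192.0.2.10")),
}

POLICIES = ("pre-fix", "fixed", "ip-blocks-fallback")


def outcomes():
    """Accept/reject per policy for each constructed case; used by the demo below."""
    cases = [
        ("hostname in CN, IP-only SAN", CERT_CN_HOST_SAN_IP, "server.example.test"),
        ("IP in CN matches, SAN IP does not", CERT_STRANGE, "192.0.2.10"),
        ("wildcard dNSName present", CERT_DNS_SAN, "www.example.test"),
        ("CN ignored when dNSName present", CERT_DNS_SAN, "example.test"),
    ]
    return {
        label: {p: match_hostname(cert, host, p) for p in POLICIES}
        for label, cert, host in cases
    }


if __name__ == "__main__":
    for label, per_policy in outcomes().items():
        print(label)
        for policy, accepted in per_policy.items():
            print("  %-20s %s" % (policy, "accept" if accepted else "reject"))
```

Under "fixed", CERT_STRANGE is accepted because the commonName fallback kicks in once no dNSName is found, which is exactly the certificate the comment says other implementations would reject on the iPAddress mismatch; under "ip-blocks-fallback" the same certificate is rejected, but so is the issue's own reported case, since neither policy ever matches an iPAddress entry.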

