[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then
Christian Heimes
report at bugs.python.org
Sun Dec 11 15:26:32 EST 2016
Christian Heimes added the comment:
Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as indicator that CN check should not be performed.
In fact hostname verification code should be more strict and not fall back to CN when a SRV-ID or URI is present. But the ssl module lacks support to fetch SRV-ID, see #28191. Since public CAs and members of the CAB forum are not yet allowed to issue certificates with SRV-ID, it's not a security issue.
https://tools.ietf.org/html/rfc6125#section-6.4.4
6.4.4. Checking of Common Names
As noted, a client MUST NOT seek a match for a reference identifier
of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client.
Therefore, if and only if the presented identifiers do not include a
DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
supported by the client, then the client MAY as a last resort check
for a string whose form matches that of a fully qualified DNS domain
name in a Common Name field of the subject field (i.e., a CN-ID).
----------
assignee: -> christian.heimes
components: +SSL
resolution: -> not a bug
status: open -> pending
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28938>
_______________________________________
More information about the Python-bugs-list
mailing list