Mads Kiilerich m...@kiilerich.com added the comment:
Nicolas Bareil wrote, On 05/07/2011 09:48 AM:
Do you think this test should fail?
Until now I have considered this behaviour OK but undocumented and
officially unsupported in Python. One (the best?) reason for considering
it OK is that if
Nicolas Bareil n...@chdir.org added the comment:
Hello Mads
Until now Python failed to the safe side by not matching on
subjectAltName iPAddress but also not falling back to commonName
if they were specified. AFAICS, with this change it is possible to
create strange certificates that
Nicolas Bareil n...@chdir.org added the comment:
Hello Antoine, Steffen,
You are absolutely right about removing the 'not san' part. Here is the
new patch, with tests:
diff -r c22d5b37f6a4 Lib/ssl.py
--- a/Lib/ssl.pyFri May 06 09:31:02 2011 +0300
+++ b/Lib/ssl.pyFri May 06
Roundup Robot devnull@devnull added the comment:
New changeset d4c2a99d1bad by Antoine Pitrou in branch '3.2':
Issue #12000: When a SSL certificate has a subjectAltName without any
http://hg.python.org/cpython/rev/d4c2a99d1bad
New changeset 1b37827984ba by Antoine Pitrou in branch 'default':
Antoine Pitrou pit...@free.fr added the comment:
Patch committed in 3.2 and 3.x, thank you!
--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12000
Changes by Mads Kiilerich m...@kiilerich.com:
--
nosy: +kiilerix
Mads Kiilerich m...@kiilerich.com added the comment:
In my opinion the RFCs are a bit unclear about how iPAddress subjectAltNames
should be handled. (I also don't know if Python currently does the right thing by
accepting and matching IP addresses if specified in commonName.)
Until now Python
Steffen Daode Nurpmeso sdao...@googlemail.com added the comment:
P.S.: if you're really right ('have those RFCs, but didn't read
them yet), you could also open an issue for Mercurial at
http://mercurial.selenic.com/bts - I think those guys do the very
same.
Thanks, Steffen!
--
nosy:
New submission from Nicolas Bareil n...@chdir.org:
When connecting to an SSL server, the certificate verification failed if
it has a subjectAltName extension without any dNSName entry inside: it
should fall back to the Common Name.
Example:
cert = conn.getpeercert()
cert
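
The behaviour reported in this issue, as an added example (not code from the tracker, the patch or Lib/ssl.py): a simplified hostname check over constructed getpeercert()-style dictionaries, comparing a commonName fallback that applies only when subjectAltName is absent with one that applies whenever no dNSName entry exists. The function names, the `fallback_on` parameter and the sample certificates are assumptions; matching is exact, with no wildcard handling.

```python
# Added illustration; not the code from Lib/ssl.py or from the patch.
# Certificates use the dict layout returned by SSLSocket.getpeercert().

def dns_names(cert):
    """dNSName values from subjectAltName (other entry types are ignored)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """commonName values from the subject's relative distinguished names."""
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def names_checked(cert, fallback_on):
    """Names compared against the hostname.

    fallback_on="no_san":     use commonName only if subjectAltName is absent.
    fallback_on="no_dnsname": use commonName whenever there is no dNSName.
    """
    names = dns_names(cert)
    if fallback_on == "no_san":
        use_cn = not cert.get("subjectAltName")
    else:
        use_cn = not names
    return names + common_names(cert) if use_cn else names

def matches(cert, hostname, fallback_on):
    # Simplification (assumption): exact, case-insensitive match; no wildcards.
    return hostname.lower() in (n.lower() for n in names_checked(cert, fallback_on))

# Constructed sample certificates.
CERT_EMAIL_SAN = {  # subjectAltName present, but no dNSName entry
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("email", "admin@example.org"),),
}
CERT_DNS_SAN = {    # dNSName present: commonName is not consulted
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"),),
}

if __name__ == "__main__":
    for mode in ("no_san", "no_dnsname"):
        print(mode,
              matches(CERT_EMAIL_SAN, "www.example.org", mode),
              matches(CERT_DNS_SAN, "www.example.org", mode))
```
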