[issue23239] SSL match_hostname does not accept IP Address

2021-04-17 Thread Christian Heimes


Christian Heimes added the comment:

Python 2 is out of support. Python 3 can verify IP addresses in certificates 
correctly.

--
resolution:  -> out of date
stage: needs patch -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue23239] SSL match_hostname does not accept IP Address

2018-03-21 Thread Christian Heimes

Christian Heimes added the comment:

#32819 and #32185 have solved the last outstanding bugs with IP address 
validation and handling. I'm fine with a backport of the feature to 2.7 now.

--
assignee: christian.heimes -> 
versions:  -Python 3.5, Python 3.6, Python 3.7




[issue23239] SSL match_hostname does not accept IP Address

2017-09-27 Thread Alex Gaynor

Alex Gaynor added the comment:

I'd be in favor of backporting this to the 2.x - encouraging reliance on the 
nonsense behaviour of putting IPAddresses in DNS Names or relying on CN over 
SAN is bad, and we shouldn't encourage it.

--
nosy: +Alex Gaynor




[issue23239] SSL match_hostname does not accept IP Address

2017-09-27 Thread j-harbott

j-harbott added the comment:

The original issue still exists in py27, is there a chance to get the fix 
backported? See https://github.com/pyca/cryptography/issues/3943 and 
https://github.com/shazow/urllib3/issues/1269 for sample issues that arise 
because we need to work around this one.

--
nosy: +j-harbott
versions: +Python 2.7




[issue23239] SSL match_hostname does not accept IP Address

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes:


--
components: +SSL




[issue23239] SSL match_hostname does not accept IP Address

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes:


--
assignee:  -> christian.heimes
priority: normal -> high
versions: +Python 3.7




[issue23239] SSL match_hostname does not accept IP Address

2016-08-24 Thread R. David Murray

Changes by R. David Murray:


--
stage: commit review -> needs patch




[issue23239] SSL match_hostname does not accept IP Address

2016-04-07 Thread Christian Heimes

Christian Heimes added the comment:

I'm -1 on the patch for a practical reason: The current API is broken and I 
don't want to have it documented as officially supported.

In fact it is not only broken but also incompatible with more modern releases 
of OpenSSL. Recently OpenSSL got a proper implementation of hostname and IP 
checking. Hostname and IP must be set with different API calls:

https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_add1_host.html
https://www.openssl.org/docs/manmaster/crypto/X509_check_host.html

--
stage: resolved -> commit review
versions: +Python 3.6




[issue23239] SSL match_hostname does not accept IP Address

2016-04-07 Thread Marc Abramowitz

Marc Abramowitz added the comment:

`ip_certs_comment.patch` is a simple patch that just removes the verbiage about 
not supporting IP addresses in hostnames, as that restriction was removed by an 
earlier commit from Antoine.

--




[issue23239] SSL match_hostname does not accept IP Address

2016-03-19 Thread Marc Abramowitz

Marc Abramowitz added the comment:

Patch to update the comment to remove "IP addresses are not accepted for 
*hostname*", because support for IP addresses was added earlier by @pitrou in 
https://hg.python.org/cpython/rev/b15a5f239e8a

--
nosy: +Marc.Abramowitz
Added file: http://bugs.python.org/file42186/ip_certs_comment.patch




[issue23239] SSL match_hostname does not accept IP Address

2015-07-12 Thread Antoine Pitrou

Antoine Pitrou added the comment:

> ping

Sorry. I do not have time currently to tackle this issue. Feel free to submit 
and/or commit improvements if you feel like it.

--




[issue23239] SSL match_hostname does not accept IP Address

2015-07-05 Thread Christian Heimes

Christian Heimes added the comment:

ping

--




[issue23239] SSL match_hostname does not accept IP Address

2015-06-02 Thread Christian Heimes

Christian Heimes added the comment:

The patch has a couple of issues

1) match_hostname()'s doc string needs to be updated. It still contains "but IP 
addresses are not accepted for *hostname*"

2) The stdlib uses server_hostname for SNI and matching. An IP address in the 
SNI TLS extension violates RFC 3546 https://tools.ietf.org/html/rfc3546#page-9

   Literal IPv4 and IPv6 addresses are not permitted in "HostName".

3) The code doesn't match IP addresses in dNSName and DNS names in IP Address 
fields. Hynek's service identity module and Mozilla's NSS [1] agree with you. 
As far as I have studied OpenSSL 1.0.2, it has a different opinion. I'm in 
favor of the current check. I suggest to document the decision in the code and 
raise a more explicit exception. The current message is a bit confusing:

  ssl.CertificateError: hostname '127.0.0.1' doesn't match '127.0.0.1'

4) The code doesn't check the CN field for IP address as NSS does. [2]


In order to fix 2) and make the check more explicit I'd like to suggest an API 
change. Don't convert the host name to an IP address implicitly. If the user 
wants to validate an IP address, then she must pass in an ipaddress object as 
server_hostname. In that case SSLSocket.server_hostname is set to the ipaddress 
object. socket._wrap_socket() is called with server_hostname=None for 
ipaddress. That fixes the RFC violation.


[1] cert_VerifySubjectAltName() 
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#1427
[2] CERT_VerifyCertName 
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#1769

--
resolution: fixed -> 
status: closed -> open
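
The matching rules discussed in the comment above (IP targets checked only against iPAddress entries, DNS names only against dNSName entries, no SNI name for IP literals), as an added example that is not part of the thread or of CPython's code. The function names and sample certificates are hypothetical; the dict layout follows what `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

def parse_ip(text):
    """Return an ipaddress object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def sni_name(target):
    """Name to send in the SNI extension: None for IP literals."""
    return None if parse_ip(target) is not None else target

def check_identity(cert, target):
    """Match target against subjectAltName only; returns (ok, reason).

    IP targets match only 'IP Address' entries and DNS targets only 'DNS'
    entries. Exact match only: wildcards and CN fallback are left out.
    """
    san = cert.get("subjectAltName", ())
    ip = parse_ip(target)
    if ip is None:
        names = [v.lower() for k, v in san if k == "DNS"]
        if target.lower() in names:
            return True, "dNSName match"
        return False, "no dNSName entry equals %r" % target
    # Compare parsed addresses so IPv6 spellings like ::1 and 0:0:...:1 agree.
    if any(parse_ip(v) == ip for k, v in san if k == "IP Address"):
        return True, "iPAddress match"
    if any(parse_ip(v) == ip for k, v in san if k == "DNS"):
        return False, "%s appears only as a dNSName, not an iPAddress" % ip
    return False, "no iPAddress entry equals %s" % ip

# Constructed sample certificates in ssl.getpeercert() dict form.
CERT_GOOD = {"subjectAltName": (("DNS", "example.test"),
                                ("IP Address", "127.0.0.1"),
                                ("IP Address", "0:0:0:0:0:0:0:1"))}
CERT_IP_AS_DNS = {"subjectAltName": (("DNS", "127.0.0.1"),)}

if __name__ == "__main__":
    for cert, target in ((CERT_GOOD, "::1"), (CERT_IP_AS_DNS, "127.0.0.1")):
        print(target, "SNI:", sni_name(target), check_identity(cert, target))
```
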




[issue23239] SSL match_hostname does not accept IP Address

2015-02-15 Thread Antoine Pitrou

Changes by Antoine Pitrou:


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue23239] SSL match_hostname does not accept IP Address

2015-02-15 Thread Roundup Robot

Roundup Robot added the comment:

New changeset b15a5f239e8a by Antoine Pitrou in branch 'default':
Issue #23239: ssl.match_hostname() now supports matching of IP addresses.
https://hg.python.org/cpython/rev/b15a5f239e8a

--
nosy: +python-dev




[issue23239] SSL match_hostname does not accept IP Address

2015-01-17 Thread Antoine Pitrou

Changes by Antoine Pitrou:


--
keywords: +patch
Added file: http://bugs.python.org/file37746/ip_certs.patch




[issue23239] SSL match_hostname does not accept IP Address

2015-01-17 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Here is a patch.

--
stage: needs patch -> patch review




[issue23239] SSL match_hostname does not accept IP Address

2015-01-14 Thread Antoine Pitrou

Antoine Pitrou added the comment:

This is a feature request. Not supporting IP addresses is a documented 
limitation of the current implementation.

--
nosy: +christian.heimes, dstufft




[issue23239] SSL match_hostname does not accept IP Address

2015-01-14 Thread Antoine Pitrou

Changes by Antoine Pitrou:


--
stage:  -> needs patch
type: security -> enhancement
versions:  -Python 2.7, Python 3.4




[issue23239] SSL match_hostname does not accept IP Address

2015-01-14 Thread R. David Murray

Changes by R. David Murray:


--
nosy: +r.david.murray




[issue23239] SSL match_hostname does not accept IP Address

2015-01-14 Thread Ádám Zsigmond

New submission from Ádám Zsigmond:

ssl.match_hostname does not accept the ca certificate if the hostname matches 
the ip address. 

I am trying to connect to a server with a cacert by IP address but I get an 
error message like: '42.42.42.42' hostname does not match ''

The IP Address is in the ca certificate, so it should be accepted.

--
components: Extension Modules
messages: 234017
nosy: Ádám.Zsigmond
priority: normal
severity: normal
status: open
title: SSL match_hostname does not accept IP Address
type: security
versions: Python 2.7




[issue23239] SSL match_hostname does not accept IP Address

2015-01-14 Thread STINNER Victor

Changes by STINNER Victor:


--
nosy: +alex, pitrou
versions: +Python 3.4, Python 3.5
