>> With typical https libraries, I don't know how hard it'd be to check
>> the second name in the certificate.

I tried writing a python script to fetch an https URL and check a
different domain name against the subjectAltNames in the site's
certificate.  It turned out to be really easy, viz. the tiny script
below.  So at first glance, that doesn't seem to be a big problem.

R's,
John

--- snippo, python3 below ---

import argparse
import http.client
import re
import sys

parser = argparse.ArgumentParser(description='Fetch an https thing and also check an alt name')
parser.add_argument('url', help='URL to fetch')
parser.add_argument('name', help='Other domain name to check')

args = parser.parse_args()

# A bare "https://host" with no path is a valid URL, so the path is optional
# and defaults to "/".
r = re.match(r'https://([-A-Za-z0-9.]+)(/.*)?$', args.url)
if not r:
    print("Doesn't look like an https url:", args.url)
    sys.exit(1)
domain = r.group(1)
path = r.group(2) or '/'

# The default HTTPS context (Python 3.4.3+) verifies the chain and checks the
# hostname, so getpeercert() below returns a parsed dict only for a verified peer.
c = http.client.HTTPSConnection(domain)

c.request('GET', path)
# Read the certificate while the socket is still open: http.client drops the
# socket as soon as getresponse() sees a "Connection: close" response, and
# c.sock would then be None.
cert = c.sock.getpeercert()
r = c.getresponse()
if r.status != 200:
    print("status is", r.status)
    sys.exit(1)

data = r.read()
c.close()

# check for alt name (dNSName entries are compared case-insensitively)
matched = False
if 'subjectAltName' in cert:
    for t, n in cert['subjectAltName']:
        if t == 'DNS' and n.lower() == args.name.lower(): # should check wildcards, too.
            matched = True
            break

if not matched:
    print("no dice for", args.name)
    sys.exit(1)

print("data is", data)

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
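As an added example (not John's script and not part of the original post): the wildcard case his comment leaves open, worked offline against a constructed subjectAltName in the same shape that ssl's getpeercert() returns. The matching rules follow RFC 6125 section 6.4.3 (wildcard only as the whole left-most label, matching exactly one label), IP literals are matched only against iPAddress entries, and the CN is ignored. The sample names are hypothetical. The check is only meaningful after the chain has been verified, which the default HTTPS context in the script already does.

```python
import ipaddress

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. The names are hypothetical, not from any real certificate.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (
        ('DNS', 'www.example.com'),
        ('DNS', '*.example.net'),
        ('DNS', 'Mail.Example.ORG'),
        ('IP Address', '192.0.2.10'),
    ),
}


def dns_name_matches(pattern, name):
    """Match one SAN dNSName entry against a hostname (RFC 6125 6.4.3 rules).

    A wildcard is honoured only as the entire left-most label, it matches
    exactly one label, and it never matches the registered domain itself.
    """
    pattern = pattern.lower().rstrip('.')
    name = name.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == name
    plabels = pattern.split('.')
    nlabels = name.split('.')
    # Reject "f*o.example", "*.*.example" and "*.com" style patterns.
    if plabels[0] != '*' or '*' in pattern[2:] or len(plabels) < 3:
        return False
    return len(plabels) == len(nlabels) and plabels[1:] == nlabels[1:]


def san_matches(cert, name):
    """True if `name` (DNS name or IP literal) is covered by the SAN.

    Only the subjectAltName is consulted; the CN is ignored, as current
    validators do.
    """
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    for san_type, value in cert.get('subjectAltName', ()):
        if ip is not None:
            # An IP literal must match an iPAddress entry, never a dNSName.
            if san_type == 'IP Address' and ipaddress.ip_address(value) == ip:
                return True
        elif san_type == 'DNS' and dns_name_matches(value, name):
            return True
    return False


if __name__ == '__main__':
    for n in ['www.example.com', 'api.example.net', 'example.net',
              'a.b.example.net', 'mail.example.org', '192.0.2.10', '192.0.2.11']:
        print(n, san_matches(SAMPLE_CERT, n))
```

To plug this into the script above, pass the dict from c.sock.getpeercert() and args.name to san_matches() in place of the exact-match loop.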