[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
report at bugs.python.org
Wed Oct 6 23:46:02 CEST 2010
Mads Kiilerich <mads at kiilerich.com> added the comment:
> Indeed. But, strictly speaking, there are no tests for IPs, so it
> shouldn't be taken for granted that it works, even for commonName.
> The rationale is that there isn't really any point in using an IP rather
> than a host name.

I don't know if there is a point or not, but some hosts are for some
reason intended to be connected to using IP address and their
certificates thus contain IP addresses. I think we should support that
too, and I find it a bit confusing to only have partial support for

> Well, that's additional logic to code. I'm not sure it's worth it,
> especially given that the function is called match_hostname in the first

"hostname" in Python usually refers to both IP addresses and DNS
hostnames (just like in URLs), so I think it is a fair assumption that
IP addresses also work in this hostname function.

Perhaps it should be noted that CertificateError only is raised by
match_hostname so a paranoid programmer doesn't start catching it
everywhere - and also that match_hostname won't raise SSLError.
Python tracker <report at bugs.python.org>
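
An added example, not part of the original message and not the ssl module's code: a matcher over the dict layout returned by getpeercert() that accepts both DNS names and IP literals, the case discussed above. The names match_host and HostMismatch and the sample certificates are hypothetical, and the policy (IP literals match only subjectAltName "IP Address" entries; commonName is a fallback only when no DNS entry exists) is an assumption.

```python
import ipaddress

class HostMismatch(ValueError):
    """Hypothetical exception: certificate does not cover the requested host."""

def _dns_match(pattern, host):
    # Case-insensitive compare; "*" is honoured only as the entire left-most label.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == pattern[2:] and "." in parent
    return pattern == host

def match_host(cert, host):
    """Return None if cert (getpeercert() dict layout) covers host, else raise."""
    try:
        want_ip = ipaddress.ip_address(host)
    except ValueError:
        want_ip = None
    sans = cert.get("subjectAltName", ())
    if want_ip is not None:
        # Assumed policy: IP literals match only SAN "IP Address" entries,
        # compared as parsed addresses so equivalent IPv6 spellings are equal.
        names = [v for k, v in sans if k == "IP Address"]
        for value in names:
            try:
                if ipaddress.ip_address(value.strip()) == want_ip:
                    return
            except ValueError:
                continue
    else:
        names = [v for k, v in sans if k == "DNS"]
        if not names:
            # Assumed policy: commonName is a fallback only without a DNS SAN.
            names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                     if k == "commonName"]
        if any(_dns_match(n, host) for n in names):
            return
    raise HostMismatch("%r not covered by certificate names %r" % (host, names))

# Constructed sample certificates in the getpeercert() layout.
CERT_IP = {"subject": ((("commonName", "192.0.2.10"),),),
           "subjectAltName": (("IP Address", "192.0.2.10"),
                              ("IP Address", "2001:DB8:0:0:0:0:0:1"))}
CERT_DNS = {"subject": ((("commonName", "legacy.other.test"),),),
            "subjectAltName": (("DNS", "*.example.test"),)}
CERT_CN_IP_ONLY = {"subject": ((("commonName", "192.0.2.10"),),)}
```

Under this assumed policy a certificate that carries an IP address only in commonName (CERT_CN_IP_ONLY) is rejected, so a deployment that must accept such certificates needs that rule stated and tested explicitly.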