New submission from Jeffrey Walton: The Python wiki page on SSL states (https://wiki.python.org/moin/SSL): To validate that a certificate matches requested site, you need to check commonName field in the subject of the certificate. I don't think its quite correct. Both the IETF and the CA/B Forums deprecated the use of a hostname or IP address in the commonName (CN). All hostnames and IP addresses must be listed in the subjectAlternateName (SAN), and that's where to look for them. Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125 states the CN should be used as a "last resort" in Section 6.4.4: Therefore, if and only if the presented identifiers do not include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client, then the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID). Following the advice on the wiki might lead to a Type II error, where an otherwise good certificate is rejected. Its not as bad as accepting a bad certificate, though (by omitting the hostname matching checks). The IETF deprecated the practice of placing a name in the CN in RFC 6125, Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline Requirements (BR) Section 9.2.2 Subject Common Name Field. ---------- assignee: docs@python components: Documentation messages: 240590 nosy: Jeffrey.Walton, docs@python priority: normal severity: normal status: open title: SSL wiki page, host name matching, CN and SAN type: enhancement _______________________________________ Python tracker <report@bugs.python.org> <http://bugs.python.org/issue23928> _______________________________________