[New-bugs-announce] [issue23928] SSL wiki page, host name matching, CN and SAN

Jeffrey Walton report at bugs.python.org
Mon Apr 13 09:17:28 CEST 2015


New submission from Jeffrey Walton:

The Python wiki page on SSL states (https://wiki.python.org/moin/SSL):

    To validate that a certificate matches requested site,
    you need to check commonName field in the subject of
    the certificate.

I don't think it's quite correct.

Both the IETF and the CA/B Forums deprecated the use of a hostname or IP address in the commonName (CN). All hostnames and IP addresses must be listed in the subjectAlternateName (SAN), and that's where to look for them.

Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125 states the CN should be used as a "last resort" in Section 6.4.4:

    Therefore, if and only if the presented identifiers
    do not include a DNS-ID, SRV-ID, URI-ID, or any
    application-specific identifier types supported by
    the client, then the client MAY as a last resort check
    for a string whose form matches that of a fully
    qualified DNS domain name in a Common Name field of
    the subject field (i.e., a CN-ID). 

Following the advice on the wiki might lead to a Type II error, where an otherwise good certificate is rejected. It's not as bad as accepting a bad certificate, though (by omitting the hostname matching checks).

The IETF deprecated the practice of placing a name in the CN in RFC 6125, Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline Requirements (BR) Section 9.2.2 Subject Common Name Field.

----------
assignee: docs at python
components: Documentation
messages: 240590
nosy: Jeffrey.Walton, docs at python
priority: normal
severity: normal
status: open
title: SSL wiki page, host name matching, CN and SAN
type: enhancement

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23928>
_______________________________________
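The matching order the report describes (SAN first, CN only as a last resort when no DNS-ID is present), as an added Python example that is not code from the tracker, the wiki or the standard library; it assumes the certificate dict shape that `ssl.SSLSocket.getpeercert()` returns, and the certificates used to exercise it are constructed.

```python
# Added example (not tracker or stdlib code): RFC 6125 6.4.4 name matching
# over the dict shape ssl.SSLSocket.getpeercert() returns.
import ipaddress


def dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a leading '*.' wildcard matches exactly
    one left-most label and never a label in a public suffix position."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # require at least two labels after the wildcard, and equal label counts
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return the certificate identifier that matched hostname, or None.

    SAN entries are authoritative.  The subject CN is consulted only when
    the SAN carries no DNS-ID at all (the RFC 6125 "last resort" rule);
    IP addresses are matched solely against SAN iPAddress entries.
    """
    san = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in san if k == "DNS"]
    ip_ids = [v for k, v in san if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for ip in ip_ids:
            if ipaddress.ip_address(ip) == wanted_ip:
                return ip
        return None
    for name in dns_ids:
        if dns_match(name, hostname):
            return name
    if dns_ids:
        return None  # DNS-IDs were present, so the CN must not be a fallback
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_match(value, hostname):
                return value
    return None
```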