[New-bugs-announce] [issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then
Steffen Ullrich
report at bugs.python.org
Sun Dec 11 15:14:26 EST 2016
New submission from Steffen Ullrich:
from Lib/ssl.py
303             elif key == 'IP Address':
304                 if host_ip is not None and _ipaddress_match(value, host_ip):
305                     return
306                 dnsnames.append(value)
307         if not dnsnames:
308             # The subject is only checked when there is no dNSName entry
309             # in subjectAltName
RFC 2818 and RFC 6125 say that the CN should not be used if subjectAltName contains DNS names. This means the CN should still be checked if SAN contains only IP addresses. By appending the IP address to dnsnames in line 306, it will not check the CN if there are no DNS names in SAN but only IP addresses.
See also http://stackoverflow.com/questions/41089539/authentication-issue-with-ssl-certificate-using-python-requests-lib/41090559#41090559
----------
messages: 282940
nosy: noxxi
priority: normal
severity: normal
status: open
title: match_hostname treats SAN IP address as DNS name and fails to check CN then
versions: Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28938>
_______________________________________
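Added example (not from the report and not CPython's ssl.py): a simplified match_hostname that keeps SAN IP addresses out of the dNSName list, so the commonName fallback still applies when SAN holds only IP entries. The buggy=True switch reproduces the behaviour described in the report for comparison; the certificate dict, hostnames and wildcard-free DNS matching are assumptions made for the example.

```python
import ipaddress

class CertificateError(ValueError):
    pass

def _dnsname_match(dn, hostname):
    # Exact, case-insensitive comparison; wildcard labels are left out here.
    return dn.lower() == hostname.lower()

def _ipaddress_match(ip_text, host_ip):
    return ipaddress.ip_address(ip_text.strip()) == host_ip

def match_hostname(cert, hostname, buggy=False):
    """Return the matching SAN/CN value or raise CertificateError.
    buggy=True reproduces the report: IP SANs go into the dNSName list,
    which silently disables the commonName fallback."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    dnsnames = []  # only dNSName entries; any entry here suppresses the CN check
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if host_ip is None and _dnsname_match(value, hostname):
                return value
            dnsnames.append(value)
        elif key == 'IP Address':
            if host_ip is not None and _ipaddress_match(value, host_ip):
                return value
            if buggy:
                dnsnames.append(value)
    if not dnsnames:
        # RFC 6125: the subject CN is consulted only when SAN has no dNSName entries
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName' and _dnsname_match(value, hostname):
                    return value
    raise CertificateError("hostname %r doesn't match certificate" % hostname)

def matches(cert, hostname, buggy=False):
    # Convenience wrapper for checks: True if verification succeeds
    try:
        return match_hostname(cert, hostname, buggy) is not None
    except CertificateError:
        return False

# Constructed sample certificate (getpeercert() shape): SAN holds only an IP,
# the DNS name lives in the CN, exactly the case the report describes.
CERT = {'subject': ((('commonName', 'example.test'),),),
        'subjectAltName': (('IP Address', '192.0.2.10'),)}
```

With buggy=False the DNS name in the CN is accepted and the IP SAN still matches the IP; with buggy=True the same certificate is rejected for the DNS name, which is the failure the report describes.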