[New-bugs-announce] [issue28196] ssl.match_hostname() should check for SRV-ID and URI-ID

Christian Heimes report at bugs.python.org
Sun Sep 18 07:13:00 EDT 2016

New submission from Christian Heimes:

The ssl.match_hostname() function does not conform to RFC 6125 because it can fall back to Subject CN when a cert has no dNSName SAN (subject alternative name) but a SRVName otherName SAN or URI SAN.


6.4.4.  Checking of Common Names

As noted, a client MUST NOT seek a match for a reference identifier
of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the

For now it's not a security problem because no public CA in the CA/Browser Forum is allowed to issue certs with SRV-ID or URI-ID. I checked a couple of libraries and browers. OpenSSL, NSS/Firefox, GnuTLS, embedtls (Polar) and libcurl don't check for the present of SRV-ID or URI-ID either. Only Hynek's service_identity package follows the RFC to the letter. #28191 adds the ability to fetch SRV-ID entries.

assignee: christian.heimes
components: SSL
messages: 276882
nosy: christian.heimes
priority: normal
severity: normal
stage: test needed
status: open
title: ssl.match_hostname() should check for SRV-ID and URI-ID
type: behavior
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list