[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

Andreas Hasenack report at bugs.python.org
Tue Dec 11 16:41:03 CET 2007 

New submission from Andreas Hasenack:

(I hope I used the correct component for this report)

http://pypi.python.org/pypi/ssl/

I used the client example shown at
http://docs.python.org/dev/library/ssl.html#client-side-operation to
connect to a bank site called www.realsecureweb.com.br at
200.208.16.101. Its certificate signed by verisign. My OpenSSL has this
CA at /etc/pki/tls/rootcerts/verisign-inc-class-3-public-primary.pem.
The verification works.

If I make up a hostname called something else, like "wwws", and place it
in /etc/hosts pointing to that IP address, the SSL connection should not
be established because that name doesn't match the common name field in
the server certificate. But the SSL module happily connects to it
(excerpt below):

cert = verisign-inc-class-3-public-primary.pem
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
           ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('wwws', 443))
print repr(ssl_sock.getpeername())

output:
('200.208.16.101', 443)
('RC4-MD5', 'TLSv1/SSLv3', 128)
{'notAfter': 'Sep 10 23:59:59 2008 GMT',
 'subject': ((('countryName', u'BR'),),
             (('stateOrProvinceName', u'Sao Paulo'),),
             (('localityName', u'Sao Paulo'),),
             (('organizationName', u'Banco ABN AMRO Real SA'),),
             (('organizationalUnitName', u'TI Internet PF e PJ'),),
             (('commonName', u'www.realsecureweb.com.br'),))}

If I now open, say, a firefox window and point it to "https://wwws", it
gives me the expected warning that the hostname doesn't match the
certificate.

I'll attach the verisign CA certificate to make it easier to reproduce
the error.

----------
components: Library (Lib)
files: verisign-inc-class-3-public-primary.pem
messages: 58434
nosy: ahasenack
severity: normal
status: open
title: New SSL module doesn't seem to verify hostname against commonName in certificate
type: security
versions: Python 2.6
Added file: http://bugs.python.org/file8924/verisign-inc-class-3-public-primary.pem

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue1589>
__________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: verisign-inc-class-3-public-primary.pem
Type: application/x-x509-ca-cert
Size: 2585 bytes
Desc: not available
Url : http://mail.python.org/pipermail/python-bugs-list/attachments/20071211/4b01e616/attachment.crt

More information about the Python-bugs-list mailing list