[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

Antoine Pitrou report at bugs.python.org
Wed Sep 29 20:46:28 CEST 2010

Antoine Pitrou <pitrou at free.fr> added the comment:

> > Correct me if I'm wrong, but the "well-maintained pyOpenSSL
> > package" doesn't have the missing functionality (hostname
> > checking in server certificates), either.
> I'm pretty sure it's just a wrapper around the openssl library, which
> does not include it. That was Bill Janssen's argument for why the ssl
> module shouldn't do that verification. Well, that and the fact that
> there's no finalized standard for it yet. I believe this is the latest
> draft:
> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09

Well, to be clear, it shouldn't be done *automatically*. But providing a
helper function that implements the feature and lets higher layers like
http.client and urllib.request call it if desired would be more than

(openssl may not provide such a function, but gnutls does, by the way)


Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list