[issue23239] SSL match_hostname does not accept IP Address
Christian Heimes
report at bugs.python.org
Tue Jun 2 13:49:20 CEST 2015
Christian Heimes added the comment:
The patch has a couple of issues
1) match_hostname()'s doc string needs to be updated. It still contains "but IP addresses are not accepted for *hostname*"
2) The stdlib uses server_hostname for SNI and matching. An IP address in the SNI TLS extension violates RFC 3546 https://tools.ietf.org/html/rfc3546#page-9
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
3) The code doesn't match IP addresses in dNSName and DNS names in IP Address fields. Hynek's service identity module and Mozilla's NSS [1] agree with you. As far as I have studied OpenSSL 1.0.2, it has a different opinion. I'm in favor of the current check. I suggest documenting the decision in the code and raising a more explicit exception. The current message is a bit confusing:
ssl.CertificateError: hostname '127.0.0.1' doesn't match '127.0.0.1'
4) The code doesn't check the CN field for IP address as NSS does. [2]
In order to fix 2) and make the check more explicit I'd like to suggest an API change. Don't convert the host name to an IP address implicitly. If the user wants to validate an IP address, then she must pass in an ipaddress object as server_hostname. In that case SSLSocket.server_hostname is set to the ipaddress object. socket._wrap_socket() is called with server_hostname=None for ipaddress. That fixes the RFC violation.
[1] cert_VerifySubjectAltName() https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#1427
[2] CERT_VerifyCertName https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#1769
----------
resolution: fixed ->
status: closed -> open
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23239>
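Illustrating points 2) and 3) of the comment above, as an added example that is not part of the thread or of CPython: an IP literal is matched only against "IP Address" subjectAltName entries (never against dNSName), the mismatch message names the reason explicitly, and an ipaddress object as server_hostname yields no SNI name. The cert dicts are constructed in the format SSLSocket.getpeercert() returns; the function names are this example's own.

```python
import ipaddress
import ssl  # only for the CertificateError type the stdlib raises


def _san_values(cert, kind):
    """Yield subjectAltName values of one type from a getpeercert()-style dict."""
    for key, value in cert.get("subjectAltName", ()):
        if key == kind:
            yield value


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP literal (or a malformed entry); never matches


def ip_match_error(cert, ip):
    """Return None if `ip` (an ipaddress object) matches an 'IP Address' SAN
    entry of `cert`, otherwise an explicit error message. An IP literal that
    only appears in a dNSName entry is deliberately rejected, and the message
    says so instead of "hostname '127.0.0.1' doesn't match '127.0.0.1'"."""
    if not isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        raise TypeError("expected an ipaddress object, got %r" % (ip,))
    if any(_parse_ip(v) == ip for v in _san_values(cert, "IP Address")):
        return None
    if any(_parse_ip(v) == ip for v in _san_values(cert, "DNS")):
        return ("IP address %s appears only in a dNSName entry; it must be in "
                "an 'IP Address' subjectAltName entry to be accepted" % ip)
    return "IP address %s does not match any 'IP Address' entry of the certificate" % ip


def match_ip_address(cert, ip):
    """Raise ssl.CertificateError with the explicit message on mismatch."""
    err = ip_match_error(cert, ip)
    if err is not None:
        raise ssl.CertificateError(err)


def sni_hostname(server_hostname):
    """Value to hand to the TLS layer for SNI: RFC 3546 forbids IP literals in
    the HostName field, so an ipaddress object yields None (no SNI sent)."""
    if isinstance(server_hostname, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return None
    return server_hostname


# Constructed certificate dicts (not real certificates) in getpeercert() format.
CERT_WITH_IP_SAN = {"subjectAltName": (("DNS", "example.org"),
                                       ("IP Address", "127.0.0.1"),
                                       ("IP Address", "::1"))}
CERT_IP_IN_DNSNAME = {"subjectAltName": (("DNS", "127.0.0.1"),)}
```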