[Python-Dev] frozenset C API?

Bill Janssen janssen at parc.com
Wed Sep 12 20:12:24 CEST 2007


> > By the way, I think the hostname matching provisions of 2818 (which
> > is, after all, only an informational RFC, not a standard) are poorly
> > thought out.  Many machines have more hostnames than you can shake a
> > stick at, and often provide certs with the wrong hostname in them
> > (usually because they have no way to determine what the *right*
> > hostname is, from inside that machine).
> 
> ...which is why you pretty much need to have a canonical hostname mapped
> to each IP you're using on a machine.  Basically, you need to map the
> hostname you intend to use to an IP, then do reverse-DNS to find out
> whether the hostname is in fact the canonical hostname.  If not, you're
> using the wrong hostname on your cert.

Yep.  The problem is having a particular service know which
certificate it should choose to use, and also to know when the network
connectivity has changed.  Usually, server ports are bound to wildcard
IP addresses, so that they can still be reached even if the network
connectivity changes (particularly true for servers running on
laptops, or the Python server I'm running on my iPhone).  The server
has no way of knowing which IP address the client knows it as, and no
way of knowing which of its multiple certificates to present, so that
the name in the cert will match the name the client thought it was
using.

Or am I wrong?  Is there some interface in the socket API which gives
this information?

Bill
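The three things this exchange turns on, as an added example that is not part of the thread and not Python's own `ssl` code: the RFC 2818 hostname-matching rule applied to a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, the forward-then-reverse lookup the quoted reply describes for checking that a name is the canonical one, and what the socket API does report on an accepted connection (`getsockname()` gives the specific local address the client reached, even when the listening socket was bound to the wildcard address). All function names and the sample certificate and DNS tables are constructed for this example; the lookup functions take the resolvers as parameters so the example runs offline.

```python
"""RFC 2818 hostname matching, canonical-name check and local-address lookup.

Added example; not code from the python-dev thread or from Python's ssl module.
The certificate dicts below mimic the shape of ssl.SSLSocket.getpeercert().
"""
import socket
from typing import Optional


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    RFC 2818 section 3.1 lets '*' match any single name component.  Here it is
    honoured only as the entire leftmost label and never against the
    registrable domain itself, which is the stricter rule TLS libraries apply.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        return len(hlabels) >= 3 and plabels[1:] == hlabels[1:]
    return plabels == hlabels


def match_hostname(cert: dict, hostname: str) -> bool:
    """RFC 2818 section 3.1: use dNSName SANs if present, else fall back to CN."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_label_match(p, hostname) for p in dns_names)
    common_names = [v for rdn in cert.get("subject", ())
                    for key, v in rdn if key == "commonName"]
    return any(_label_match(cn, hostname) for cn in common_names)


def canonical_name_for(hostname: str,
                       resolve=socket.gethostbyname,
                       reverse=socket.gethostbyaddr):
    """Forward-resolve, then reverse-resolve, as the quoted reply suggests.

    Returns (ip, canonical_name, is_canonical).  The defaults are the real
    socket resolvers; the test below injects constructed lookup tables.
    """
    ip = resolve(hostname)
    canonical, _aliases, _addrs = reverse(ip)
    is_canonical = canonical.lower().rstrip(".") == hostname.lower().rstrip(".")
    return ip, canonical, is_canonical


def local_address_seen_by_client() -> Optional[str]:
    """Bind to the wildcard address, connect over loopback, and return the local
    IP that the *accepted* socket reports.  Returns None if sockets are
    unavailable in the environment."""
    try:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            srv.bind(("", 0))  # wildcard bind, ephemeral port
            srv.listen(1)
            port = srv.getsockname()[1]
            cli = socket.create_connection(("127.0.0.1", port))
            conn, _peer = srv.accept()
            try:
                return conn.getsockname()[0]  # the address the client used
            finally:
                conn.close()
                cli.close()
        finally:
            srv.close()
    except OSError:
        return None


# Constructed sample certificates in getpeercert() shape (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "old.example"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.svc.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}

# Constructed DNS tables standing in for gethostbyname / gethostbyaddr.
FORWARD = {"web.example.com": "192.0.2.10", "alias.example.com": "192.0.2.10"}
REVERSE = {"192.0.2.10": ("web.example.com", [], ["192.0.2.10"])}


if __name__ == "__main__":
    print(match_hostname(SAN_CERT, "api.svc.example.com"))
    print(canonical_name_for("alias.example.com", FORWARD.__getitem__, REVERSE.__getitem__))
    print(local_address_seen_by_client())
```

`alias.example.com` resolves to the same address as `web.example.com`, but reverse lookup returns `web.example.com`, so by the reply's rule only that name belongs in the certificate. With a SAN extension present the CN is ignored entirely, which is why the `old.example` CN in `SAN_CERT` never matches.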
