[Python-Dev] SSL certs

Aahz aahz at pythoncraft.com
Thu Sep 13 06:26:06 CEST 2007


On Wed, Sep 12, 2007, Bill Janssen wrote:
>
>>> By the way, I think the hostname matching provisions of 2818 (which
>>> is, after all, only an informational RFC, not a standard) are poorly
>>> thought out.  Many machines have more hostnames than you can shake a
>>> stick at, and often provide certs with the wrong hostname in them
>>> (usually because they have no way to determine what the *right*
>>> hostname is, from inside that machine).
>> 
>> ...which is why you pretty much need to have a canonical hostname mapped
>> to each IP you're using on a machine.  Basically, you need to map the
>> hostname you intend to use to an IP, then do reverse-DNS to find out
>> whether the hostname is in fact the canonical hostname.  If not, you're
>> using the wrong hostname on your cert.
> 
> Yep.  The problem is having a particular service know which
> certificate it should choose to use, and also to know when the network
> connectivity has changed.  Usually, server ports are bound to wildcard
> IP addresses, so that they can still be reached even if the network
> connectivity changes (particularly true for servers running on
> laptops, or the Python server I'm running on my iPhone).  The server
> has no way of knowing which IP address the client knows it as, and no
> way of knowing which of its multiple certificates to present, so that
> the name in the cert will match the name the client thought it was
> using.

My understanding is that the client tells the server which hostname it
wants to use; the server should then pass down that information.  That's
how virtual hosting works in the first place.  The only difference with
SSL is that the hostname must have a unique IP address, so that when the
client does a reverse DNS to validate the IP address presented by the SSL
certificate, it all comes together correctly.

There are, of course, wildcard certs; I don't understand how those work.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

"Many customs in this life persist because they ease friction and promote
productivity as a result of universal agreement, and whether they are
precisely the optimal choices is much less important." --Henry Spencer
http://www.lysator.liu.se/c/ten-commandments.html
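
An added example, not part of this thread: a Python implementation of the RFC 2818 hostname-matching rules under discussion, including how a wildcard cert such as `*.hosting.example.com` is matched. It assumes certificate names in the dict shape Python's `ssl` module returns from `getpeercert()` (the sample certificate below is constructed) and applies the stricter whole-label, left-most-only wildcard rule that shipping validators use.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a certificate for a multi-homed host carrying several names, as in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "old-name.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "*.hosting.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

def dnsname_matches(pattern, hostname):
    """RFC 2818 3.1 matching for one dNSName, case-insensitive.
    Assumption: '*' is accepted only as the whole left-most label and may
    not stand for the registered domain (the stricter rule that shipping
    validators apply), so '*.com' never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) < 3:
        return False
    # One wildcard label covers exactly one host label, so a.b.hosting... fails.
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def cert_matches_host(cert, hostname):
    """True if the cert is valid for the name the client connected with.
    RFC 2818: an IP literal must match an iPAddress SAN; a DNS name is
    checked against dNSName SANs when any exist, else against the CN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(dnsname_matches(p, hostname) for p in dns_names)
    # No dNSName SAN at all: fall back to the subject's commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dnsname_matches(cn, hostname) for cn in cns)
```

Note that the CN in the sample is ignored because dNSName SANs are present, which is why `old-name.example.com` fails even though it is literally in the certificate.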