Message 135119 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	nbareil
Recipients	nbareil
Date	2011年05月04日.11:35:51
SpamBayes Score	4.5962064e-08
Marked as misclassified	No
Message-id	<1304508952.88.0.678717772317.issue12000@psf.upfronthosting.co.za>

Content
When connecting to a SSL server, the certificate verification failed if it has a subjectAltName extension without any dNSName entry inside: it should fallback to the Common Name. Example: >>> cert = conn.getpeercert() >>> cert {'notAfter': 'May 15 14:31:42 2011 GMT', 'subject': ((('countryName', u'FR'),), (('stateOrProvinceName', u'Ile-de-France'),), (('localityName', u'Paris'),), (('organizationName', 'xxx'),), (('organizationalUnitName', 'xxx'),), (('commonName', 'foobar.corp'),), (('emailAddress', u'test@test.net'),)), 'subjectAltName': (('email', text@test.net'),)} This certificate is valid according to RFC 2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Even if the use of CommonName is deprecated, we should not break existing systems. Current revision of Lib/ssl.py : 108 def match_hostname(cert, hostname): ... 119 san = cert.get('subjectAltName', ()) 120 for key, value in san: 121 if key == 'DNS': 122 if _dnsname_to_pat(value).match(hostname): 123 return 124 dnsnames.append(value) 125 if not san: 126 # The subject is only checked when subjectAltName is empty 127 for sub in cert.get('subject', ()): 128 for key, value in sub: 129 # XXX according to RFC 2818, the most specific Common Name 130 # must be used. 131 if key == 'commonName': 132 if _dnsname_to_pat(value).match(hostname): 133 return 134 dnsnames.append(value) ... Proposed patch is: diff -r 513f6dfd3173 Lib/ssl.py --- a/Lib/ssl.py Sun May 01 20:24:59 2011 -0500 +++ b/Lib/ssl.py Mon May 02 11:16:46 2011 +0200 @@ -122,8 +122,9 @@ if _dnsname_to_pat(value).match(hostname): return dnsnames.append(value) - if not san: - # The subject is only checked when subjectAltName is empty + if not san and not dnsnames: + # The subject is only checked when there is no dNSName entry + # in subjectAltName for sub in cert.get('subject', ()): for key, value in sub: # XXX according to RFC 2818, the most specific Common Name

Content

When connecting to a SSL server, the certificate verification failed if
it has a subjectAltName extension without any dNSName entry inside: it
should fallback to the Common Name.
Example:
 >>> cert = conn.getpeercert()
 >>> cert
 {'notAfter': 'May 15 14:31:42 2011 GMT',
 'subject': ((('countryName', u'FR'),),
 (('stateOrProvinceName', u'Ile-de-France'),),
 (('localityName', u'Paris'),),
 (('organizationName', 'xxx'),),
 (('organizationalUnitName', 'xxx'),),
 (('commonName', 'foobar.corp'),),
 (('emailAddress', u'test@test.net'),)),
 'subjectAltName': (('email', text@test.net'),)}
This certificate is valid according to RFC 2818:
 If a subjectAltName extension of type dNSName is present, that MUST
 be used as the identity. Otherwise, the (most specific) Common Name
 field in the Subject field of the certificate MUST be used. Although
 the use of the Common Name is existing practice, it is deprecated and
 Certification Authorities are encouraged to use the dNSName instead.
Even if the use of CommonName is deprecated, we should not break
existing systems.
Current revision of Lib/ssl.py :
 108 def match_hostname(cert, hostname):
 ...
 119 san = cert.get('subjectAltName', ())
 120 for key, value in san:
 121 if key == 'DNS':
 122 if _dnsname_to_pat(value).match(hostname):
 123 return
 124 dnsnames.append(value)
 125 if not san:
 126 # The subject is only checked when subjectAltName is empty
 127 for sub in cert.get('subject', ()):
 128 for key, value in sub:
 129 # XXX according to RFC 2818, the most specific Common Name
 130 # must be used.
 131 if key == 'commonName':
 132 if _dnsname_to_pat(value).match(hostname):
 133 return
 134 dnsnames.append(value)
 ...
Proposed patch is:
diff -r 513f6dfd3173 Lib/ssl.py
--- a/Lib/ssl.py Sun May 01 20:24:59 2011 -0500
+++ b/Lib/ssl.py Mon May 02 11:16:46 2011 +0200
@@ -122,8 +122,9 @@
 if _dnsname_to_pat(value).match(hostname):
 return
 dnsnames.append(value)
- if not san:
- # The subject is only checked when subjectAltName is empty
+ if not san and not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
 for sub in cert.get('subject', ()):
 for key, value in sub:
 # XXX according to RFC 2818, the most specific Common Name

History
Date	User	Action	Args
2011年05月04日 11:35:52	nbareil	set	recipients: + nbareil
2011年05月04日 11:35:52	nbareil	set	messageid: <1304508952.88.0.678717772317.issue12000@psf.upfronthosting.co.za>
2011年05月04日 11:35:52	nbareil	link	issue12000 messages
2011年05月04日 11:35:51	nbareil	create

homepage