[Python-checkins] cpython (merge 3.2 -> default): Issue #12000: When a SSL certificate has a subjectAltName without any

antoine.pitrou python-checkins at python.org
Fri May 6 15:32:52 CEST 2011


http://hg.python.org/cpython/rev/1b37827984ba
changeset: 69875:1b37827984ba
parent: 69873:8fc801ca9ea1
parent: 69874:d4c2a99d1bad
user: Antoine Pitrou <solipsis at pitrou.net>
date: Fri May 06 15:20:55 2011 +0200
summary:
 Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
files:
 Lib/ssl.py | 5 +++--
 Lib/test/test_ssl.py | 18 ++++++++++++++++++
 Misc/ACKS | 1 +
 Misc/NEWS | 4 ++++
 4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -122,8 +122,9 @@
 if _dnsname_to_pat(value).match(hostname):
 return
 dnsnames.append(value)
- if not san:
- # The subject is only checked when subjectAltName is empty
+ if not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
 for sub in cert.get('subject', ()):
 for key, value in sub:
 # XXX according to RFC 2818, the most specific Common Name
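Review bot: The rewritten comment above `if not dnsnames:` does not say which rule the fallback follows or what it means for certificates that carry other subjectAltName types. With this condition, a certificate whose subjectAltName holds only non-DNS entries (the new test uses `othername`) is accepted on its commonName. That matches the RFC 2818 rule the XXX comment below already cites, but RFC 6125 is stricter about when the commonName may be consulted, so the choice deserves a sentence. I would extend the comment to something like `# RFC 2818: commonName is consulted only if subjectAltName has no dNSName entry; other entry types do not suppress the fallback`. The enclosing function starts and ends outside the hunk.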
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -277,6 +277,24 @@
 (('organizationName', 'Google Inc'),))}
 fail(cert, 'mail.google.com')
 
+ # No DNS entry in subjectAltName but a commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('commonName', 'mail.google.com'),)),
+ 'subjectAltName': (('othername', 'blabla'), )}
+ ok(cert, 'mail.google.com')
+
+ # No DNS entry subjectAltName and no commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('organizationName', 'Google Inc'),)),
+ 'subjectAltName': (('othername', 'blabla'),)}
+ fail(cert, 'google.com')
+
 # Empty cert / no cert
 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
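Review bot: The first new case asserts only the positive match, so it would still pass if the fallback accepted any hostname; adding `fail(cert, 'gmail.com')` after `ok(cert, 'mail.google.com')` pins that the commonName is actually compared. A case where subjectAltName holds a non-matching `DNS` entry alongside a matching commonName would guard the other direction, that the fallback stays off when a dNSName exists, unless that is already covered above this hunk. The second comment reads `No DNS entry subjectAltName`; `No DNS entry in subjectAltName` would match the first. The test method starts and ends outside the hunk.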
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -50,6 +50,7 @@
 Jeff Balogh
 Matt Bandy
 Michael J. Barber
+Nicolas Bareil
 Chris Barker
 Nick Barnes
 Quentin Barnes
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -140,6 +140,10 @@
 Library
 -------
 
+- Issue #12000: When a SSL certificate has a subjectAltName without any
+ dNSName entry, ssl.match_hostname() should use the subject's commonName.
+ Patch by Nicolas Bareil.
+
 - Issue #10775: assertRaises, assertRaisesRegex, assertWarns, and
 assertWarnsRegex now accept a keyword argument 'msg' when used as context
 managers. Initial patch by Winston Ewert.
-- 
Repository URL: http://hg.python.org/cpython

