New submission from Christian Heimes:

An X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

----------
components: Extension Modules
files: rid.pem
messages: 272020
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
stage: test needed
status: open
title: X509 cert with GEN_RID subject alt name causes SytemError
type: behavior
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44014/rid.pem

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27691>
_______________________________________
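Added illustration, not part of the original message and not CPython's or OpenSSL's code: a self-contained C sketch of the split-at-':' step described in the report, showing how a colon-less "Registered ID" string makes it fail and how a parser can report that failure with a reason, or accept that form explicitly. The struct gn type, the function names and the two sample strings are assumptions constructed from the report's description.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical result type: parsed pair, or a reason when parsing fails. */
struct gn { char label[32]; char value[96]; char err[128]; };

/* Copy label/value with bounds checks; always records why it failed. */
static int gn_set(struct gn *o, const char *l, size_t ln, const char *v)
{
    if (ln >= sizeof o->label || strlen(v) >= sizeof o->value) {
        snprintf(o->err, sizeof o->err, "general name too long");
        return -1;
    }
    memcpy(o->label, l, ln);
    o->label[ln] = '\0';
    strcpy(o->value, v);
    o->err[0] = '\0';
    return 0;
}

/* Split at the first ':' only; a missing ':' is reported with a reason. */
static int split_at_colon(const char *buf, struct gn *o)
{
    const char *c = strchr(buf, ':');
    if (c == NULL) {
        snprintf(o->err, sizeof o->err, "no ':' in general name \"%s\"", buf);
        return -1;
    }
    return gn_set(o, buf, (size_t)(c - buf), c + 1);
}

/* Same, but also accepts the colon-less "Registered ID" form. */
static int split_general_name(const char *buf, struct gn *o)
{
    static const char rid[] = "Registered ID";
    size_t n = sizeof rid - 1;
    if (strncmp(buf, rid, n) == 0 && buf[n] != ':')
        return gn_set(o, rid, n, buf + n);
    return split_at_colon(buf, o);
}

int main(void)
{
    /* Constructed samples modelled on the report, not real OpenSSL output. */
    const char *s[] = { "IP Address:192.0.2.1", "Registered ID1.2.3.4" };
    struct gn g;
    for (size_t i = 0; i < 2; i++)
        printf("%s => %s\n", s[i], split_general_name(s[i], &g) == 0 ? g.value : g.err);
    return 0;
}
```

Because the split is on the first ':', an IPv6 value that itself contains colons stays intact in the value part.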