Mads Kiilerich <m...@kiilerich.com> added the comment:

In my opinion the RFCs are a bit unclear about how iPAddress subjectAltNames 
should be handled. (I also don't know if Python currently does the right thing by 
accepting and matching IP addresses if specified in commonName.)

Until now Python failed to the safe side by not matching on subjectAltName 
iPAddress but also not falling back to commonName if they were specified. 
AFAICS, with this change it is possible to create strange certificates that 
Python would accept when an IP address matched commonName but other 
implementations would reject because of iPAddress mismatch.

That is probably not a real problem, but I wanted to point it out as the 
biggest issue I could find with this fix. Nice catch.

We could perhaps add IP addresses to dnsnames even though we don't match on 
them.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12000>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
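
The disagreement described in the comment above, as an added example that is not part of the original message and is not CPython's code: a simplified model of hostname checking over an ssl.getpeercert()-style dict, run against a constructed certificate. The function names, the ip_san_blocks_cn flag and the stricter policy are assumptions made for illustration.

```python
import ipaddress

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def match(cert, host, ip_san_blocks_cn):
    """Simplified hostname check (exact matches only, wildcards omitted).

    ip_san_blocks_cn=False models a checker that ignores iPAddress entries
    and falls back to commonName when no dNSName entry is present.
    ip_san_blocks_cn=True models a checker (assumed policy) that matches IP
    hosts against iPAddress entries and never falls back past them.
    """
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [_as_ip(v) for k, v in san if k == "IP Address"]
    host_ip = _as_ip(host)
    if ip_san_blocks_cn and host_ip is not None and ips:
        return host_ip in ips
    if dns:
        return host.lower() in dns
    if ips and ip_san_blocks_cn:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == host.lower():
                return True
    return False

# Constructed certificate: commonName and iPAddress disagree.
STRANGE_CERT = {
    "subject": ((("commonName", "192.0.2.7"),),),
    "subjectAltName": (("IP Address", "192.0.2.1"),),
}

def compare(cert, host):
    """Show both policies side by side for one host."""
    return {"cn_fallback": match(cert, host, False),
            "ip_san_strict": match(cert, host, True)}

if __name__ == "__main__":
    for host in ("192.0.2.7", "192.0.2.1"):
        print(host, compare(STRANGE_CERT, host))
```

A certificate on which the two policies return different answers is the kind worth flagging when auditing issued certificates.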