New submission from Steffen Ullrich:

from Lib/ssl.py

303         elif key == 'IP Address':
304             if host_ip is not None and _ipaddress_match(value, host_ip):
305                 return
306             dnsnames.append(value)
307     if not dnsnames:
308         # The subject is only checked when there is no dNSName entry
309         # in subjectAltName

RFC 2818 and RFC 6125 say that CN should not be used if subjectAltNames contains DNS names. This means CN should still be checked if SAN contains only IP addresses. By appending IP address to dnsnames in line 306 it will not check the CN if there are no DNS names in SAN but only IP address.

See also http://stackoverflow.com/questions/41089539/authentication-issue-with-ssl-certificate-using-python-requests-lib/41090559#41090559

----------
messages: 282940
nosy: noxxi
priority: normal
severity: normal
status: open
title: match_hostname treats SAN IP address as DNS name and fails to check CN then
versions: Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28938>
_______________________________________
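The decision the report describes, as an added example that is not part of the original submission and is not CPython's code. It is a simplified model (exact, case-insensitive name comparison, no wildcard handling) run over constructed certificate dicts in the shape returned by getpeercert(); the function names, the flag ip_san_suppresses_cn and the sample names and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample certificates in getpeercert() dict form.
CERT_IP_SAN_ONLY = {
    "subject": ((("commonName", "server.example"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_DNS_SAN = {
    "subject": ((("commonName", "server.example"),),),
    "subjectAltName": (("DNS", "www.example"),),
}


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def matches(cert, hostname, ip_san_suppresses_cn):
    """Model of the SAN/CN decision.

    ip_san_suppresses_cn=True  -> reported behaviour: an 'IP Address' SAN
                                  entry is counted like a DNS name, so the
                                  CN fallback is skipped.
    ip_san_suppresses_cn=False -> behaviour the report argues for: only
                                  DNS SAN entries switch off the CN check.
    """
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]

    host_ip = _as_ip(hostname)
    if host_ip is not None and any(_as_ip(v) == host_ip for v in ips):
        return True
    if host_ip is None and any(v.lower() == hostname.lower() for v in dns):
        return True

    seen = dns + ips if ip_san_suppresses_cn else dns
    if not seen:  # CN is consulted only when no SAN entry was counted
        return any(v.lower() == hostname.lower() for v in cns)
    return False
```

With the first certificate, connecting by the name in the CN is rejected under the reported behaviour and accepted once IP entries no longer count as DNS names; the second certificate shows that a DNS SAN entry still disables the CN fallback in both modes.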