Nicolas Bareil n...@chdir.org added the comment:
Hello,
Your patch about SSLContext is great! But what can we do about python 2.x?
I understand that we have to keep backward compatibility but something has to
be done for improving current situation, even Paypal API (*) recommends using
Nicolas Bareil n...@chdir.org added the comment:
Martin v. Löwis rep...@bugs.python.org writes:
what do you think about a DeprecationWarning at runtime?
What API exactly should this deprecate?
Ooops, lapsus. I was thinking about a RuntimeWarning raised on HTTPS
request
Nicolas Bareil n...@chdir.org added the comment:
Hello Mads
Until now Python failed to the safe side by not matching on
subjectAltName iPAddress but also not falling back to commonName
if they were specified. AFAICS, with this change it is possible to
create strange certificates
Nicolas Bareil n...@chdir.org added the comment:
Hello Antoine, Steffen,
You are absolutely right about removing the 'not san' part. Here is the
new patch, with tests :
diff -r c22d5b37f6a4 Lib/ssl.py
--- a/Lib/ssl.pyFri May 06 09:31:02 2011 +0300
+++ b/Lib/ssl.pyFri May 06 12
New submission from Nicolas Bareil n...@chdir.org:
When connecting to a SSL server, the certificate verification failed if
it has a subjectAltName extension without any dNSName entry inside: it
should fallback to the Common Name.
Example:
cert = conn.getpeercert()
cert
{'notAfter