[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-06-15 Thread Mads Kiilerich
Mads Kiilerich added the comment: Nicolas Bareil wrote, On 05/07/2011 09:48 AM:
> Do you think this test should fail?
Until now I have considered this behaviour OK but undocumented and officially unsupported in Python. One (the best?) reason for considering it OK is that if someone (intention

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-07 Thread Nicolas Bareil
Nicolas Bareil added the comment: Hello Mads
> Until now Python failed to the safe side by not matching on
> subjectAltName iPAddress but also not falling back to commonName
> if they were specified. AFAICS, with this change it is possible to
> create strange certificates that Python would ac

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-06 Thread Mads Kiilerich
Mads Kiilerich added the comment: In my opinion the RFCs are a bit unclear about how iPAddress subjectAltNames should be handled. (I also don't know if Python currently does the right thing by accepting and matching IP addresses if specified in commonName.) Until now Python failed to the safe s

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-06 Thread Mads Kiilerich
Changes by Mads Kiilerich : -- nosy: +kiilerix

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-06 Thread Antoine Pitrou
Antoine Pitrou added the comment: Patch committed in 3.2 and 3.x, thank you! -- resolution: -> fixed stage: -> committed/rejected status: open -> closed

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-06 Thread Roundup Robot
Roundup Robot added the comment: New changeset d4c2a99d1bad by Antoine Pitrou in branch '3.2': Issue #12000: When a SSL certificate has a subjectAltName without any http://hg.python.org/cpython/rev/d4c2a99d1bad New changeset 1b37827984ba by Antoine Pitrou in branch 'default': Issue #12000: When

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-06 Thread Nicolas Bareil
Nicolas Bareil added the comment: Hello Antoine, Steffen, You are absolutely right about removing the 'not san' part. Here is the new patch, with tests : diff -r c22d5b37f6a4 Lib/ssl.py --- a/Lib/ssl.pyFri May 06 09:31:02 2011 +0300 +++ b/Lib/ssl.pyFri May 06 12:47:14 2011 +020

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-05 Thread Steffen Daode Nurpmeso
Steffen Daode Nurpmeso added the comment: P.S.: if you're really right ('have those RFCs, but didn't read them yet), you could also open an issue for Mercurial at http://mercurial.selenic.com/bts - I think those guys do the very same. Thanks, Steffen! -- nosy: +sdaoden

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-05 Thread Antoine Pitrou
Antoine Pitrou added the comment: Are you sure about "if not san and not dnsnames"? It is even more restrictive than the current condition. "if not dnsnames" looks like it would fit the bill better. Also, better if you can provide a complete patch, including additional test(s) in Lib/test/

[issue12000] SSL certificate verification failed if no dNSName entry in subjectAltName

2011-05-04 Thread Nicolas Bareil
New submission from Nicolas Bareil : When connecting to an SSL server, the certificate verification failed if it has a subjectAltName extension without any dNSName entry inside: it should fall back to the Common Name. Example:
>>> cert = conn.getpeercert()
>>> cert
{'notAfter': 'May 1
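
The two fallback conditions quoted in this thread ("if not san and not dnsnames" and "if not dnsnames"), compared on constructed certificates. This is an added example, not code from the thread or from CPython's Lib/ssl.py; `split_names`, `hostname_ok`, `compare` and the sample names are hypothetical, and matching is simplified to exact, case-insensitive comparison without wildcards.

```python
# Added illustration; not code from this thread or from CPython's Lib/ssl.py.
# Simplification: exact, case-insensitive name comparison (no wildcards).

def split_names(cert):
    """Return (san, dnsnames, commonnames) from a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dnsnames = [value for key, value in san if key == "DNS"]
    commonnames = [value for rdn in cert.get("subject", ())
                   for key, value in rdn if key == "commonName"]
    return san, dnsnames, commonnames

def hostname_ok(cert, hostname, use_cn):
    """Check hostname; use_cn(san, dnsnames) decides the commonName fallback."""
    san, dnsnames, commonnames = split_names(cert)
    allowed = list(dnsnames)
    if use_cn(san, dnsnames):
        allowed += commonnames
    return hostname.lower() in [name.lower() for name in allowed]

# The two conditions quoted in the thread.
def first_patch(san, dnsnames):      # "if not san and not dnsnames"
    return not san and not dnsnames

def suggested(san, dnsnames):        # "if not dnsnames"
    return not dnsnames

# Constructed sample certificates (hypothetical names, getpeercert() layout).
CN_WWW = ((("commonName", "www.example.org"),),)
CERT_EMAIL_SAN = {"subject": CN_WWW,
                  "subjectAltName": (("email", "admin@example.org"),)}
CERT_DNS_SAN = {"subject": CN_WWW,
                "subjectAltName": (("DNS", "mail.example.org"),)}
CERT_NO_SAN = {"subject": CN_WWW}

def compare(hostname="www.example.org"):
    """Map each sample certificate to (first_patch result, suggested result)."""
    samples = {"email-only SAN": CERT_EMAIL_SAN,
               "DNS SAN": CERT_DNS_SAN,
               "no SAN": CERT_NO_SAN}
    return {label: (hostname_ok(cert, hostname, first_patch),
                    hostname_ok(cert, hostname, suggested))
            for label, cert in samples.items()}

if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

Only the email-only subjectAltName case separates the two conditions; a certificate that carries any dNSName entry never falls back to commonName under either one.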