[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2017-09-05 Thread Christian Heimes
Changes by Christian Heimes: -- stage: -> resolved status: open -> closed

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2017-09-05 Thread Alex Gaynor
Alex Gaynor added the comment: +1 Christian, we should not be expanding our usage of CNs at all. -- status: pending -> open

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2017-09-05 Thread Christian Heimes
Christian Heimes added the comment: I don't like to change the behavior of match_hostname(). RFC 2818 is deprecated. Recent browsers are no longer using CN to verify hostnames. Python is going to ignore CN soonish, too. -- status: open -> pending type: -> behavior versions: +Python 2.

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Ray Satiro
Changes by Ray Satiro: -- nosy: +raysatiro

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Steffen Ullrich
Steffen Ullrich added the comment:

On Sun, Dec 11, 2016 at 08:26:32PM +, Christian Heimes wrote:
>
> Christian Heimes added the comment:
>
> Python's implementation of host name verification conforms to RFC 6125,
> section 6.4.4. The CN check is optional (MAY). Python treats the presence

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Cory Benfield
Changes by Cory Benfield: -- nosy: +Lukasa status: pending -> open

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Christian Heimes
Christian Heimes added the comment: Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as indicator that CN check should not be performed. In fact hostname verification code should

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Ned Deily
Changes by Ned Deily: -- nosy: +alex, christian.heimes, dstufft, janssen

[issue28938] match_hostname treats SAN IP address as DNS name and fails to check CN then

2016-12-11 Thread Steffen Ullrich
New submission from Steffen Ullrich:

from Lib/ssl.py

        elif key == 'IP Address':
            if host_ip is not None and _ipaddress_match(value, host_ip):
                return
            dnsnames.append(value)
    if not dnsnames:
        # The subject is only checked w