Issue #12000: When a SSL certificate has a subjectAltName without any

dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
Antoine Pitrou 2011-05-06 15:20:55 +02:00
commit ff9bfca482
4 changed files with 26 additions and 2 deletions


@ -122,8 +122,9 @@ def match_hostname(cert, hostname):
if _dnsname_to_pat(value).match(hostname): if _dnsname_to_pat(value).match(hostname):
return return
dnsnames.append(value) dnsnames.append(value)
if not san: if not dnsnames:
# The subject is only checked when subjectAltName is empty # The subject is only checked when there is no dNSName entry
# in subjectAltName
for sub in cert.get('subject', ()): for sub in cert.get('subject', ()):
for key, value in sub: for key, value in sub:
# XXX according to RFC 2818, the most specific Common Name # XXX according to RFC 2818, the most specific Common Name
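Review bot: The new `if not dnsnames:` fallback should carry a comment naming the rule it implements, because it widens what is accepted: a certificate whose subjectAltName holds only non-DNS entries now has its commonName treated as a hostname identity. The comment could read `# RFC 2818 section 3.1: fall back to the subject commonName only when subjectAltName has no dNSName entry`. It looks like `san` now only drives the loop above, so it is worth confirming nothing later in the function still depends on it being empty. match_hostname starts before and continues past this hunk, so the no-match error path is not visible here.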


@ -277,6 +277,24 @@ class BasicSocketTests(unittest.TestCase):
(('organizationName', 'Google Inc'),))} (('organizationName', 'Google Inc'),))}
fail(cert, 'mail.google.com') fail(cert, 'mail.google.com')
# No DNS entry in subjectAltName but a commonName
cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
'subject': ((('countryName', 'US'),),
(('stateOrProvinceName', 'California'),),
(('localityName', 'Mountain View'),),
(('commonName', 'mail.google.com'),)),
'subjectAltName': (('othername', 'blabla'), )}
ok(cert, 'mail.google.com')
# No DNS entry subjectAltName and no commonName
cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
'subject': ((('countryName', 'US'),),
(('stateOrProvinceName', 'California'),),
(('localityName', 'Mountain View'),),
(('organizationName', 'Google Inc'),)),
'subjectAltName': (('othername', 'blabla'),)}
fail(cert, 'google.com')
# Empty cert / no cert # Empty cert / no cert
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
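Review bot: Both new cases use a subjectAltName holding only an `othername` entry, so they do not pin the other side of the changed condition: a certificate with a dNSName entry that does not match and a commonName that does must still be rejected. If no case above this hunk already covers that, add one next to these, for example a cert with `'subjectAltName': (('DNS', 'example.org'),)` and commonName `mail.google.com`, followed by `fail(cert, 'mail.google.com')`. The second new comment is also missing a word; `# No DNS entry in subjectAltName and no commonName` would match the first. The test method starts above the hunk.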


@ -50,6 +50,7 @@ Luigi Ballabio
Jeff Balogh Jeff Balogh
Matt Bandy Matt Bandy
Michael J. Barber Michael J. Barber
Nicolas Bareil
Chris Barker Chris Barker
Nick Barnes Nick Barnes
Quentin Barnes Quentin Barnes


@ -140,6 +140,10 @@ Core and Builtins
Library Library
------- -------
- Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName.
Patch by Nicolas Bareil.
- Issue #10775: assertRaises, assertRaisesRegex, assertWarns, and - Issue #10775: assertRaises, assertRaisesRegex, assertWarns, and
assertWarnsRegex now accept a keyword argument 'msg' when used as context assertWarnsRegex now accept a keyword argument 'msg' when used as context
managers. Initial patch by Winston Ewert. managers. Initial patch by Winston Ewert.