Output a more helpful message when there is a certificate name mismatch.

Note: Currently, there is an issue connecting to EC2 services using
boto with host name verification enabled. The client connecting will be
redirected, for example from ec2.amazonaws.com to
ec2.us-east-1.amazonaws.com. The python SSL library does not seem to
support the X509v3 Subject Alternative Name fields (even though the
documentation mentions a subjectAltName, this seems to be not of the
x509v3 kind) - verification with the openssl s_client shows that
ec2.us-east-1.amazonaws.com is indeed mentioned on the certificate.

The only solution at the moment seems to be trying to connect to the
host directly where the hostname is presented as the commonName. This
patch hopefully will tip more people in the right direction when they
are looking for errors.
mbr committed Oct 24, 2011
1 parent c4c126d commit 243f7184ce63670239c243d5db64c9782a67c0d0
Showing with 4 additions and 1 deletion.
  1. +4 −1 boto/https_connection.py
@@ -116,6 +116,9 @@ def connect(self):
cert = self.sock.getpeercert()
hostname = self.host.split(':', 0)[0]
if not ValidateCertificateHostname(cert, hostname):
- raise InvalidCertificateException(hostname, cert, 'hostname mismatch')
+ raise InvalidCertificateException(hostname,
+ cert,
+ 'remote hostname "%s" does not match '\
+ 'certificate' % hostname)
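
Review bot: In the unchanged context line `hostname = self.host.split(':', 0)[0]`, a maxsplit of 0 performs no split, so if self.host carries a port, the whole "host:port" string is what gets validated against the certificate and what the new message prints. Use `split(':', 1)[0]` if the intent is to strip the port. Because the commit's goal is to point people at the commonName versus subjectAltName problem, the message would be more useful if it also said which names on the certificate were compared, not only the remote hostname. The trailing backslash after 'does not match ' is unnecessary inside the call's parentheses and can be dropped.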
