IP matching was backported in #1013; however, on OS X pyOpenSSL seems unable to even decode the IP from the cert.

The version is 1.8.0, the CLI works, the certificate has the IP on it, but it still raises `requests.exceptions.SSLError: hostname '192.168.64.6' doesn't match 'localhost'`. More details here: https://gist.github.com/FiloSottile/d308789cc7a8f1de8f36a127ecfbff19

Some monkeypatching showed that the decoded cert object is

```
{'subjectAltName': [('DNS', 'localhost')], 'subject': ((('commonName', None),),)}
```

but the binary format decodes to
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:02:bb:dd:fb:41:54:e3:4c:6b:8c:a6:8f:06:43:ae
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=filippo
        Validity
            Not Before: Apr 15 20:58:00 2016 GMT
            Not After : Mar 31 20:58:00 2019 GMT
        Subject: O=filippo.xhyve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c6:07:30:b5:2d:ea:9f:fd:bd:49:a4:52:98:a0:
                    4f:db:56:78:cf:e8:f1:5f:86:6f:87:44:2a:c8:1e:
                    f0:a2:2c:f2:44:54:5e:70:e2:04:7a:1e:cc:4e:ab:
                    9a:20:58:58:b8:2e:ce:32:ad:68:f8:3d:28:c9:6f:
                    8b:d3:79:aa:55:bb:35:dd:8a:3f:ce:e1:68:60:61:
                    e3:ca:fa:8f:69:0b:7e:7e:32:25:2d:e2:b2:4f:ec:
                    1e:97:b3:7c:15:97:21:b9:71:cd:06:80:9b:4e:66:
                    c8:05:c1:8d:22:c9:63:33:e5:6b:40:20:1e:62:2a:
                    52:fb:99:ab:0c:90:c6:e2:6f:7f:ce:57:4a:fc:ae:
                    12:dc:c6:72:bb:c8:78:23:24:6e:b3:1a:35:c2:33:
                    0f:3f:e5:b3:af:87:6f:f5:ab:bf:2a:e9:3c:b0:08:
                    d1:49:32:41:f4:ac:8c:ef:b8:2c:19:b5:0c:d9:f1:
                    e3:d3:60:25:ae:1c:17:52:76:e6:6f:6d:a0:7e:74:
                    bd:15:5c:25:72:37:bb:3a:d8:f6:b6:fa:dc:8c:cd:
                    ed:1c:29:53:2a:4d:3c:33:86:13:19:ef:ea:41:05:
                    41:52:9c:cd:c7:75:92:a2:4e:75:c3:78:cb:c4:48:
                    c2:8f:e1:db:ad:04:d8:78:95:bc:c5:bd:5c:70:49:
                    e9:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:192.168.64.6
    Signature Algorithm: sha256WithRSAEncryption
        ba:66:4c:18:b8:e6:9b:7e:d5:4c:b8:a7:15:b4:60:74:30:06:
        4f:70:42:47:03:c7:3a:2b:82:21:66:e6:37:94:fd:05:9e:1d:
        a9:ee:f9:9f:c8:18:99:50:a0:b6:e3:3d:da:fb:f7:31:91:9b:
        94:63:a7:cf:5e:25:ed:c9:e5:30:6e:73:e4:a7:2f:f1:57:c8:
        ba:2b:3e:69:c1:df:66:df:2c:9a:dd:2f:9b:e2:8d:dd:c6:e3:
        77:3e:77:83:d8:e3:bf:1f:6f:82:f1:06:53:13:39:3c:07:13:
        80:2f:ec:16:f6:f5:a4:f3:8b:a2:bd:3a:76:e1:5e:12:4e:5d:
        ff:91:3c:0e:68:94:4d:53:83:b3:4b:84:f9:90:59:2f:07:36:
        c9:64:6e:da:be:46:e8:ea:f4:9e:8f:e1:9a:0b:3c:a9:13:39:
        2e:fa:7f:1b:8f:4e:dc:9c:40:f3:50:6d:8d:11:6c:60:93:3d:
        53:44:06:6d:8f:8c:b2:7a:3b:c9:65:fb:8b:47:25:97:48:d6:
        6c:b2:49:4d:07:2e:e9:e8:76:1c:24:27:9a:7e:e7:2f:5b:ba:
        23:ab:cc:40:95:ec:9e:4f:f9:6e:6b:79:b1:20:c7:65:14:9b:
        22:c6:b1:fe:bf:be:39:75:39:d3:3b:54:98:9e:15:44:f2:52:
        24:bb:3a:2d
```
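The mismatch reported in this issue can be reproduced without pyOpenSSL. The following is an added example, not code from the issue or from requests: a standard-library matcher over the decoded-cert dict shape shown above, run on the dict the issue observed and on a constructed dict that also carries the `IP Address` entry from the openssl output. The names `match_hostname`, `OBSERVED` and `EXPECTED` are assumptions made for illustration.

```python
import ipaddress

class CertificateError(ValueError):
    """Raised when no subjectAltName entry covers the requested host."""

# Decoded cert exactly as reported in the issue: the IP SAN is missing.
OBSERVED = {"subjectAltName": [("DNS", "localhost")],
            "subject": ((("commonName", None),),)}
# Constructed for comparison: what the decode should hold, per the
# "DNS:localhost, IP Address:192.168.64.6" line of the openssl output.
EXPECTED = {"subjectAltName": [("DNS", "localhost"),
                               ("IP Address", "192.168.64.6")],
            "subject": ((("commonName", None),),)}

def _dns_match(pattern, hostname):
    """Exact match, or one wildcard covering only the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def match_hostname(cert, host):
    """Return True if host is covered by the cert's SAN, else raise.

    An IP literal is compared only with 'IP Address' entries and a name
    only with 'DNS' entries, so a dropped IP SAN fails closed.
    """
    try:
        want_ip = ipaddress.ip_address(host)
    except ValueError:
        want_ip = None  # not an IP literal: treat as a DNS name
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if want_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == want_ip:
                return True
        elif want_ip is None and kind == "DNS" and _dns_match(value, host):
            return True
    names = ", ".join(repr(value) for _, value in san)
    raise CertificateError("hostname %r doesn't match %s" % (host, names))
```

With `OBSERVED`, a request to `192.168.64.6` raises with the same message as in the report, while `EXPECTED` passes, which places the fault in the SAN decoding step rather than in the matching logic.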