SSL "issuer" and "server" names cannot be parsed #44165
Comments
(Python 2.5 library)
obtaining the info from an SSL certificate, "server()"
of key /value pairs in ASN.1 binary format. But what
data. So parsing such strings is ambiguous, and
issuer field of Verisign certificates has a "/" in the "/O=VeriSign Trust Network/OU=VeriSign, Note the "OU=Terms of use at www.verisign.com/rpa (c)00" with a "/" in the middle of the value field. Oops.
ordering a low-level certificate with a "/" in the
Inc./OU=Site Operations/CN=signin.ebay.com" and Python code will be spoofed into thinking you're eBay. Fortunately, browsers don't use Python code. The actual bug is in
at
SSL_get_peer_certificate(self->ssl))) { X509_NAME_oneline(X509_get_subject_name(self->server_cert), X509_NAME_oneline(X509_get_issuer_name(self->server_cert), The "X509_name_oneline" function takes an X509_NAME
X509_NAME_print() are legacy functions which produce a What OpenSSL callers are supposed to do is call X509_NAME_oneline() doesn't handle Unicode; it converts So what's needed are two new functions for Python's SSL The reason this now matters is that new "high And, of course, this needs to be fixed as part of
Yes, OpenSSL 0.9.8d or later should be used for a new binary http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
The problem isn't in the version of OpenSSL used in Python. It's in "python/trunk/Modules/_ssl.c", as described above.
The bug is not in the server() and issuer() methods Notice that it is certainly possible to produce an Also notice that the SSL module does little to actually All that said: If you think you need this functionality,
Actually, they don't do what they're "designed to do". There are several standardized representations for ASN.1 So, given the documentation and the standard, what should be Here's an entire X.509 certificate in XML: http://www.gnu.org/software/gnutls/manual/html_node/An-X_002e509-certificate.html The "issuer" field can be seen in there. It's awfully That's probably not what's wanted by most users, although However, there's another standard string encoding, which is Now if someone can figure out how to get a string, instead
Notice that RFC 2253 has been superseded by RFC 4514 (see my
I've reworded the description in the documentation to say For adding new features: please submit a patch. Python's
I've submitted a request (titled "Request: make The OpenSSL people should also export the functionality of
The request is bug bpo-1425 in the OpenSSL request tracker (go to openssl.org > Support for a link).
I believe bpo-1018 addressed this, and that it can be closed. Though
Actually, looking at it further, I'm not sure that it is fixed by the new
I've changed the return value of ssl.sslsocket.getpeercert() to return the
Fixed in rev 58097.
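The ambiguity the report describes and the structured result that getpeercert() was changed to return, as an added example that is not code from this issue or from CPython. It assumes the dict layout later Python versions document for getpeercert() ('subject' as a tuple of RDNs, each a tuple of (attribute, value) pairs); all certificate names are constructed.

```python
# Added example (not from the issue or from CPython). It contrasts parsing
# the "/"-delimited output of OpenSSL's X509_NAME_oneline() with reading the
# structured subject that ssl getpeercert() returns. Names are constructed;
# the getpeercert() dict layout is assumed from later Python documentation.


def cn_from_oneline(oneline):
    """Naive parser of X509_NAME_oneline() output: split on '/' and return
    the value of the first 'CN=' field. Nothing distinguishes a separator
    from a literal '/' inside an attribute value, so this is ambiguous."""
    for part in oneline.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None


def cn_from_peercert(peercert):
    """Read commonName from the dict form that getpeercert() returns:
    'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs,
    so a '/' inside a value is just another character."""
    for rdn in peercert["subject"]:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


# Constructed subject: the OU value itself contains "/CN=signin.ebay.com",
# the situation the report describes; the real common name is cert-holder.example.
PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Some Org, Inc."),),
        (("organizationalUnitName", "Site Operations/CN=signin.ebay.com"),),
        (("commonName", "cert-holder.example"),),
    ),
}

# The same subject as X509_NAME_oneline() would print it (constructed string).
ONELINE = ("/C=US/O=Some Org, Inc./OU=Site Operations/CN=signin.ebay.com"
           "/CN=cert-holder.example")

if __name__ == "__main__":
    print("oneline parse   :", cn_from_oneline(ONELINE))    # signin.ebay.com
    print("structured parse:", cn_from_peercert(PEERCERT))  # cert-holder.example
```

The naive parser reports the common name embedded in the OU value, while the structured form yields the certificate's real common name; this is why a peer-name check must not be built on the oneline string.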