
Python does not read Alternative Subject Names from some SSL certificates #57243

Closed
atrasatti mannequin opened this issue Sep 23, 2011 · 7 comments
Labels
extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error

Comments


atrasatti mannequin commented Sep 23, 2011

BPO 13034
Nosy @pitrou

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = 'https://github.com/pitrou'
closed_at = <Date 2011-10-01.17:35:20.329>
created_at = <Date 2011-09-23.11:53:12.623>
labels = ['extension-modules', 'type-bug']
title = 'Python does not read Alternative Subject Names from some SSL certificates'
updated_at = <Date 2011-10-01.17:35:45.196>
user = 'https://bugs.python.org/atrasatti'

bugs.python.org fields:

activity = <Date 2011-10-01.17:35:45.196>
actor = 'pitrou'
assignee = 'pitrou'
closed = True
closed_date = <Date 2011-10-01.17:35:20.329>
closer = 'pitrou'
components = ['Extension Modules']
creation = <Date 2011-09-23.11:53:12.623>
creator = 'atrasatti'
dependencies = []
files = []
hgrepos = []
issue_num = 13034
keywords = []
message_count = 7.0
messages = ['144441', '144449', '144451', '144740', '144741', '144742', '144743']
nosy_count = 5.0
nosy_names = ['janssen', 'pitrou', 'python-dev', 'atrasatti', 'achipa']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue13034'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3']


atrasatti mannequin commented Sep 23, 2011

We found a problem with SSL certificates when they are larger than 1024 bits and you need to check Alternative Subject Names.
In our case we have a 2048 bit certificate, issued by Verisign for the domain developer.nokia.com. The certificate also covers other sub-domains, one of which is projects.developer.nokia.com. We found the issue using the mercurial client, but we dug down to SSLSocket.getpeercert. It looks like when the OpenSSL library reads the certificate it does not return any Alternative Subject Name, even though they are there. Using the standard openssl binary we could read the certificate with no problems and the alternative domain names are all there, including the one we need.

See below two examples: the first is our 2048 bit certificate and what Python returns. Then there is Google's code.google.com SSL certificate, 1024 bits, and as you can see Python returns the other names correctly.

This was tested with Python 2.7.2.

Binary for projects.developer.nokia.com
'0\x82\x06\xb10\x82\x05\x99\xa0\x03\x02\x01\x02\x02\x10\x0e\xf6_f@\xe4\xd1gtU\x9e39Rn80\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x000\x81\xbc1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x170\x15\x06\x03U\x04\n\x13\x0eVeriSign, Inc.1\x1f0\x1d\x06\x03U\x04\x0b\x13\x16VeriSign Trust Network1;09\x06\x03U\x04\x0b\x132Terms of use at https://www.verisign.com/rpa (c)101604\x06\x03U\x04\x03\x13-VeriSign Class 3 International Server CA - G30\x1e\x17\r110608000000Z\x17\r120607235959Z0h1\x0b0\t\x06\x03U\x04\x06\x13\x02FI1\x0e0\x0c\x06\x03U\x04\x08\x13\x05Espoo1\x0e0\x0c\x06\x03U\x04\x07\x14\x05Espoo1\x0e0\x0c\x06\x03U\x04\n\x14\x05Nokia1\x0b0\t\x06\x03U\x04\x0b\x14\x02IT1\x1c0\x1a\x06\x03U\x04\x03\x14\x13developer.nokia.com0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xf8\xdeL"\x8az\xbb\xa6\xddj\x14\x89X\xeeh\x87\x07\xbd\xb3\xc5=!
\xb9\x80\xe8\xe6v"\xec6w\x82\r\xb6b\x10\xb8\xe5\x06\x88w\xfd\x03\xa9\x82\x9d\xdf\xdb\xbft\xdb\x06\xc5'\xdd\x83\x0e
xf1GdM\x9a\x14\xefyO\x8e\x9dO,
\x92\xf8\xcf\xd3\xb3\xa8m\xc3@^\xa5\x0e\xfb$ddn\xc0\x1cV\xe4\xeaE\xce\x1eoG\xca\xf3\x01\xab\x08V\xd2<\x91\x7f7\xbc\x90\x16\xd6b\xdb\x83(ySA\xccH\x1b\x80"7)^\xe9\x1c\xcaZ&r-\xc6\xf0\xe0\xb6\xde\x16c
W\x0b\xf4\xd24ei[E\xbaY\xc9[;
\xbbs\nQ\xfc\x1b_TiM\x8e\xb6\x9c9\x7f}\xa3\xfe\x96\xab\xa9\xb4\x8dn\S\xfc\x08\xd5\x1a71
\xd3\x14\xaaF\xd0\xe4\xcf\x0f-\xf9\x10\xa7U\xf6\x92\xafQa\x8b\x02x\xc7V;
\xe2F\xf5 L\xe4\xc1\r\x1f\xec|
\x02\xee\xda\x9ej\xb3\xda\xda\x9b\xf8\xaf\xb5\xa2=\x1e\n\x14qf\xe7\xef\xbd\x8av\xe7l\x9d7\x93\xea\x11\x02\x03\x01\x00\x01\xa3\x82\x03\x000\x82\x02\xfc0\x82\x01I\x06\x03U\x1d\x11\x04\x82\x01@0\x82\x01<\x82\x13developer.nokia.com\x82\x17www.developer.nokia.com\x82\x17aux.developer.nokia.com\x82\x16cc.developer.nokia.com\x82\x1cprojects.developer.nokia.com\x82\x17sso.developer.nokia.com\x82\x19stage.developer.nokia.com\x82\x17ejb.developer.nokia.com\x82\x16cm.developer.nokia.com\x82\x17dav.developer.nokia.com\x82\x1fdav.sandbox.developer.nokia.com\x82\x1ect.sandbox.developer.nokia.com0\t\x06\x03U\x1d\x13\x04\x020\x000\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x05\xa00A\x06\x03U\x1d\x1f\x04:0806\xa04\xa02\x860http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl0D\x06\x03U\x1d \x04=0;09\x06\x0b\x86H\x01\x86\xf8E\x01\x07\x17\x030*0(\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16\x1chttps://www.verisign.com/rpa0(\x06\x03U\x1d%\x04!0\x1f\x06\t\x86H\x01\x86\xf8B\x04\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020r\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04f0d0$\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x18http://ocsp.verisign.com0<\x06\x08+\x06\x01\x05\x05\x070\x02\x860http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer0n\x06\x08+\x06\x01\x05\x05\x07\x01\x0c\x04b0\xa1^\xa0\\0Z0X0V\x16\timage/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14Kk\xb9(\x96\x06\x0c\xbb\xd0R8\x9b)\xacK\x07\x8b!\x05\x180&\x16$http://logo.verisign.com/vslogo1.gif0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x00\x03\x82\x01\x01\x006N\x97\x1e\xba\x85\xcb\x1e \xddO6\xf9\xf3\x16-\xb6\x05\x13"\xec*\x00\x0f\xde\x89\xc1\xb7\xc1^\xf0\x8b0=C\x87\xf3| zI\xe4\r\xedmD1\xc1\x06[GqMuV\xd9\x03\xdd\xa6\xbd2Z! \x0c\xdf\x93\x9c\xc6\xba\x12\xd1\xaa\xd08\x1c\x82\x02\xd1\xb3\xeeK\xca\xcaEK\x07\xffR\xcfW\xae\xa0\x85\xeb\xc1h\xeb\r\xad\xd5\x92d\x82\xac\x03(\x07\xa1F\x82\x93\xdep\xe9\x9a\xf8O\xb1\xfc\xe0&\xfat\xf4d\xa3q&\x05J\xb9\xdb\x9a\xb5o;
\xb7O\xaa/\xac\xba\xab\xc9\xd9)m\xf2c\xe8=\xc4\x95\xef\xe9\x92\xee\tlx\xe2\xfc>\x87\xab\xbe\xde\xd4[\xc3\x85>X\x8f\xf3\xe3\x89\xc9,
\\xb2:\x9f\xf3\xe2\xf3\x81;
\xdbk\x9f\x1e\xbc\x00\xc7\x87@\xb3\xac\xdf\xe09\xfe:
\xef\n\xcf\xdaCZ\xc7\x07X\xd0\x0f\xf2nBKe\x1f\xd8\xcc\xb4\xa2%\x01<\x0eE\nt{G\r\x9a\xfd\xaf\x97\xaf\xba\xb8\x983\xc5~\xd2\x1d\xdd\x04\x13
\xd3\xf3VK:'

Python dictionary extracted
{'notAfter': 'Jun 7 23:59:59 2012 GMT', 'subject': ((('countryName', u'FI'),), (('stateOrProvinceName', u'Espoo'),), (('localityName', u'Espoo'),), (('organizationName', u'Nokia'),), (('organizationalUnitName', u'IT'),), (('commonName', u'developer.nokia.com'),))}

Binary for code.google.com
'0\x82\x05\x080\x82\x04q\xa0\x03\x02\x01\x02\x02\nk\xf3\xf0+\x00\x03\x00\x00/\xf60\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x000F1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\n\x13\nGoogle Inc1"0 \x06\x03U\x04\x03\x13\x19Google Internet Authority0\x1e\x17\r110905060549Z\x17\r120905061549Z0f1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\nCalifornia1\x160\x14\x06\x03U\x04\x07\x13\rMountain View1\x130\x11\x06\x03U\x04\n\x13\nGoogle Inc1\x150\x13\x06\x03U\x04\x03\x14\x0c*.google.com0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\xbd\x7f49\x0c\xbdg\x962\xd4\x18\x8d#\x16\x91[\xbcH\x8f\xac+\x8a=\xd0\x1cW\x8bRVIh\x89\xf4\x85\xe0\x12\xe1\xfaG\x1a\xf9\x0bQ\xc2\b;
\x0f$)c\xb9\xc7\xc45\xb90dK1\xf9\xcd\x111\x15]\xac\xb4\xfd\xa7>\x85\x16a\x15\xd3\x870\x82\xf4\xee^\x86\xbb\xd1\xf6\x81\x9a\x06\x07\xbe\xb7\xebx*\x9a\tX\x03;
\x9bE\xad\x02\xeb(:\xa3k| \xca"\xca&\xd4\x98\x03I\\\x81\xc1\xb3\xf7\xf2\x95\xc9;\x02\x03\x01\x00\x01\xa3\x82\x02\xdb0\x82\x02\xd70\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x140\xf5l\xa9\xb8\xd6\xe2\xc7\xcdy\x7fF\xf5)t%\xe4\x9f\x16U0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xbf\xc00\xeb\xf5C\x11>g\xba\x9e\x91\xfb\xfcj\xda\xe3k\x12$0[\x06\x03U\x1d\x1f\x04T0R0P\xa0N\xa0L\x86Jhttp://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl0f\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04Z0X0V\x06\x08+\x06\x01\x05\x05\x070\x02\x86Jhttp://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt0!\x06\t+\x06\x01\x04\x01\x827\x14\x02\x04\x14\x1e\x12\x00W\x00e\x00b\x00S\x00e\x00r\x00v\x00e\x00r0\x82\x01\xab\x06\x03U\x1d\x11\x04\x82\x01\xa20\x82\x01\x9e\x82\x0c*.google.com\x82\ngoogle.com\x82\x0b*.atggl.com\x82\r*.youtube.com\x82\x0byoutube.com\x82\x0b*.ytimg.com\x82\x0f*.google.com.br\x82\x0e*.google.co.in\x82\x0b*.google.es\x82\x0e*.google.co.uk\x82\x0b*.google.ca\x82\x0b*.google.fr\x82\x0b*.google.pt\x82\x0b*.google.it\x82\x0b*.google.de\x82\x0b*.google.cl\x82\x0b*.google.pl\x82\x0b*.google.nl\x82\x0f*.google.com.au\x82\x0e*.google.co.jp\x82\x0b*.google.hu\x82\x0f*.google.com.mx\x82\x0f*.google.com.ar\x82\x0f*.google.com.co\x82\x0f*.google.com.vn\x82\x0f*.google.com.tr\x82\r*.android.com\x82\x14*.googlecommerce.com0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x00\x03\x81\x81\x00Mfgo\xae\xd5}\xcb\xf7\xca\x82\xed\xcerGvl'F0\x0e?
\x8c0\xbc\x7f\xc6\x0c:\x98\xe0\x02\xe4
J\x10\x9d\xe3\xe5p\xd6\xfam\xe0\x91wY\xdb\xf0-\xefV\xfc\xaeVJ!\x0eL_\xf4|
\xff\xb3q\xf4h%\xcc\xf1\xfe
\xfe\xe4\xa57\xb5\x8d\xeeT\xf3-\x04\x01\xfdB`P\xfb\x82\xf3w\xce\x93\x8e+q\x9b\x03\xc9\xcf[Y\xc0\x0f\xf5,V\xb0$\xe6\x1f9qi\xef\xf1\xb3\xda\xba\xc9\xc0\xbb\x84\x1a\x9f\x89'

Python dictionary
{'notAfter': 'Sep 5 06:15:49 2012 GMT', 'subjectAltName': (('DNS', '*.google.com'), ('DNS', 'google.com'), ('DNS', '*.atggl.com'), ('DNS', '*.youtube.com'), ('DNS', 'youtube.com'), ('DNS', '*.ytimg.com'), ('DNS', '*.google.com.br'), ('DNS', '*.google.co.in'), ('DNS', '*.google.es'), ('DNS', '*.google.co.uk'), ('DNS', '*.google.ca'), ('DNS', '*.google.fr'), ('DNS', '*.google.pt'), ('DNS', '*.google.it'), ('DNS', '*.google.de'), ('DNS', '*.google.cl'), ('DNS', '*.google.pl'), ('DNS', '*.google.nl'), ('DNS', '*.google.com.au'), ('DNS', '*.google.co.jp'), ('DNS', '*.google.hu'), ('DNS', '*.google.com.mx'), ('DNS', '*.google.com.ar'), ('DNS', '*.google.com.co'), ('DNS', '*.google.com.vn'), ('DNS', '*.google.com.tr'), ('DNS', '*.android.com'), ('DNS', '*.googlecommerce.com')), 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'Mountain View'),), (('organizationName', u'Google Inc'),), (('commonName', u'*.google.com'),))}


@atrasatti atrasatti mannequin added the type-bug An unexpected behavior, bug, or error label Sep 23, 2011
@ezio-melotti ezio-melotti added the extension-modules C modules in the Modules dir label Sep 23, 2011

pitrou commented Sep 23, 2011

Thanks for reporting. This trivial patch seems to fix it (still needs a test):

diff -r 1b4fae183da3 Modules/_ssl.c
--- a/Modules/_ssl.c	Tue Aug 09 18:48:02 2011 -0500
+++ b/Modules/_ssl.c	Fri Sep 23 18:16:04 2011 +0200
@@ -590,7 +590,7 @@ _get_peer_alt_names (X509 *certificate) 
     /* get a memory buffer */
     biobuf = BIO_new(BIO_s_mem());
 
-    i = 0;
+    i = -1;
     while ((i = X509_get_ext_by_NID(
                     certificate, NID_subject_alt_name, i)) >= 0) {
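Review bot: the `i = -1` seed is the right fix, but it needs the regression test that is still missing, and that test should use a certificate whose subjectAltName is the first extension in the list. X509_get_ext_by_NID() starts its search at lastpos + 1, so the old `i = 0` never looked at extension index 0. That is exactly the difference between the two dumps above: in the developer.nokia.com certificate the subjectAltName (OID bytes `U\x1d\x11`) is the very first extension after the extensions SEQUENCE header, so it was skipped, while in the code.google.com certificate it comes after subjectKeyIdentifier, authorityKeyIdentifier, the CRL distribution point and the AIA extension, so the search from index 1 still found it. Key size was never the trigger, and the eventual title change reflects that. A one-line comment on the seed, along the lines of `i = -1;  /* X509_get_ext_by_NID() searches from lastpos + 1; -1 starts at index 0 */`, would stop the next reader from "correcting" it back to 0.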
 

Yay for undocumented OpenSSL APIs with weird semantics.
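The behaviour in the report and the lastpos rule behind the one-line fix, as an added Python example that is neither CPython's code nor the reporter's: it constructs two X.509 Extensions SEQUENCEs laid out like the certificates in the dumps above (subjectAltName first, as in the developer.nokia.com certificate; subjectAltName after other extensions, as in the code.google.com one), walks them with a minimal DER decoder, models X509_get_ext_by_NID() as a search that begins at lastpos + 1, and then shows what a hostname check sees with and without the names. The DER bytes are constructed here, the three host names are taken from the report, and get_ext_by_oid, collect_san and match_hostname are illustrative helpers with no counterpart in the ssl module.

```python
"""Added example, not CPython's or the reporter's code: DER extension walk,
a model of OpenSSL's X509_get_ext_by_NID() 'lastpos' rule, and the
hostname check that depends on the subjectAltName list."""
from typing import List, Tuple

OID_SUBJECT_ALT_NAME = "2.5.29.17"
DER_OID_SAN = b"\x55\x1d\x11"    # 2.5.29.17, shown as "U\x1d\x11" in the dumps
DER_OID_BASIC = b"\x55\x1d\x13"  # 2.5.29.19 basicConstraints
DER_OID_KU = b"\x55\x1d\x0f"     # 2.5.29.15 keyUsage

# Names from the report; the DER around them is constructed here.
SAN_NAMES = ["developer.nokia.com", "www.developer.nokia.com",
             "projects.developer.nokia.com"]


# ---- tiny DER encoder, only used to build the sample input ----------------
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _extension(oid: bytes, value: bytes) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING } (non-critical)
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, value))


_EXT_SAN = _extension(DER_OID_SAN, _tlv(0x30, b"".join(_tlv(0x82, n.encode()) for n in SAN_NAMES)))
_EXT_BASIC = _extension(DER_OID_BASIC, _tlv(0x30, b""))      # CA:FALSE
_EXT_KU = _extension(DER_OID_KU, _tlv(0x03, b"\x05\xa0"))    # digitalSignature, keyEncipherment

NOKIA_LIKE = _tlv(0x30, _EXT_SAN + _EXT_BASIC + _EXT_KU)   # subjectAltName is extension #0
GOOGLE_LIKE = _tlv(0x30, _EXT_BASIC + _EXT_KU + _EXT_SAN)  # subjectAltName is extension #2


# ---- tiny DER decoder -----------------------------------------------------
def _tlv_at(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV); handles long-form lengths."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, data[start:start + length], start + length


def _children(content: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv_at(content, pos)
        out.append((tag, body))
    return out


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extensions(ext_seq: bytes) -> List[Tuple[str, bytes]]:
    """Extensions SEQUENCE -> [(dotted OID, extnValue contents)] in certificate order."""
    tag, content, _ = _tlv_at(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    exts = []
    for _, ext in _children(content):
        fields = _children(ext)  # OID, optional BOOLEAN critical, OCTET STRING value
        exts.append((_decode_oid(fields[0][1]), fields[-1][1]))
    return exts


def san_dns_names(extn_value: bytes) -> List[str]:
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String (tag 0x82)."""
    _, names, _ = _tlv_at(extn_value, 0)
    return [body.decode("ascii") for tag, body in _children(names) if tag == 0x82]


# ---- the OpenSSL rule behind the bug --------------------------------------
def get_ext_by_oid(exts, oid: str, lastpos: int) -> int:
    """Model of X509_get_ext_by_NID(): the search starts at lastpos + 1,
    so -1 means 'from the beginning' and 0 silently skips extension #0."""
    for i in range(lastpos + 1, len(exts)):
        if exts[i][0] == oid:
            return i
    return -1


def collect_san(exts, start: int) -> List[str]:
    """The _get_peer_alt_names() loop; `start` is the value the C code seeds `i` with."""
    names, i = [], start
    while True:
        i = get_ext_by_oid(exts, OID_SUBJECT_ALT_NAME, i)
        if i < 0:
            break
        names.extend(san_dns_names(exts[i][1]))
    return names


def match_hostname(san: List[str], common_name: str, hostname: str) -> bool:
    """RFC 6125 style: any dNSName present means the CN is ignored; a leading '*.' matches one label."""
    candidates = san if san else [common_name]
    host = hostname.lower()
    for pattern in candidates:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


if __name__ == "__main__":
    for label, blob in (("SAN first", NOKIA_LIKE), ("SAN third", GOOGLE_LIKE)):
        exts = parse_extensions(blob)
        print(label, "seed 0 ->", collect_san(exts, 0), "| seed -1 ->", collect_san(exts, -1))
```

With the SAN-first layout, seeding the search with 0 returns no names at all, and a checker that falls back to the commonName then rejects projects.developer.nokia.com (a fail-closed error, which is what the Mercurial client tripped over); seeding with -1 returns all three names. With the SAN-third layout both seeds find the extension, which is why the Google certificate looked fine and the key size looked like the cause.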

@pitrou pitrou self-assigned this Sep 23, 2011

pitrou commented Sep 23, 2011

For the record, curl uses the (also undocumented) X509_get_ext_d2i() function instead.


python-dev mannequin commented Oct 1, 2011

New changeset 65e7f40fefd4 by Antoine Pitrou in branch '3.2':
Issue bpo-13034: When decoding some SSL certificates, the subjectAltName extension could be unreported.
http://hg.python.org/cpython/rev/65e7f40fefd4

New changeset 90a06fbb1f85 by Antoine Pitrou in branch 'default':
Issue bpo-13034: When decoding some SSL certificates, the subjectAltName extension could be unreported.
http://hg.python.org/cpython/rev/90a06fbb1f85


python-dev mannequin commented Oct 1, 2011

New changeset 8e6694387c98 by Antoine Pitrou in branch '2.7':
Issue bpo-13034: When decoding some SSL certificates, the subjectAltName extension could be unreported.
http://hg.python.org/cpython/rev/8e6694387c98


pitrou commented Oct 1, 2011

This should be fixed now.

@pitrou pitrou closed this as completed Oct 1, 2011

pitrou commented Oct 1, 2011

(fixing the title)

@pitrou pitrou changed the title Python does not read Alternative Subject Names from SSL certificates larger than 1024 bits Python does not read Alternative Subject Names from some SSL certificates Oct 1, 2011
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022