SSL match_hostname does not accept IP Address #67428
Comments
ssl.match_hostname does not accept the CA certificate if the hostname matches the IP address. I am trying to connect to a server with a cacert by IP address but I get an error message like: '42.42.42.42' hostname does not match '<hostname_in_cacert>' The IP address is in the CA certificate, so it should be accepted.
This is a feature request. Not supporting IP addresses is a documented limitation of the current implementation.
Here is a patch.
New changeset b15a5f239e8a by Antoine Pitrou in branch 'default':
The patch has a couple of issues
ssl.CertificateError: hostname '127.0.0.1' doesn't match '127.0.0.1'
In order to fix 2) and make the check more explicit I'd like to suggest an API change. Don't convert the host name to an IP address implicitly. If the user wants to validate an IP address, then she must pass in an ipaddress object as server_hostname. In that case SSLSocket.server_hostname is set to the ipaddress object. socket._wrap_socket() is called with server_hostname=None for ipaddress. That fixes the RFC violation. [1] cert_VerifySubjectAltName() https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certdb/certdb.c#1427
ping
Sorry. I do not have time currently to tackle this issue. Feel free to submit and/or commit improvements if you feel like it.
Patch to update the comment to remove "IP addresses are not accepted for *hostname*", because support for IP addresses was added earlier by @pitrou in https://hg.python.org/cpython/rev/b15a5f239e8a
I'm -1 on the patch for a practical reason: The current API is broken and I don't want to have it documented as officially supported. In fact it is not only broken but also incompatible with more modern releases of OpenSSL. Recently OpenSSL got proper implementation of hostname and IP checking. Hostname and IP must be set with different API calls: https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_add1_host.html
The original issue still exists in py27, is there a chance to get the fix backported? See pyca/cryptography#3943 and urllib3/urllib3#1269 for sample issues that arise because we need to work around this one.
I'd be in favor of backporting this to the 2.x - encouraging reliance on the nonsense behaviour of putting IPAddresses in DNS Names or relying on CN over SAN is bad, and we shouldn't encourage it.
Python 2 is out of support. Python 3 can verify IP addresses in certificates correctly. |
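The distinction the thread settles on is that an IP literal must be compared only with iPAddress subjectAltName entries (as binary addresses, never as strings), a DNS name only with dNSName entries, and that an IP string sitting in a dNSName or in the commonName should not be trusted. The following is an added example written for this page, not CPython's ssl.match_hostname and not code from any commenter. It works on the dict shape that SSLSocket.getpeercert() returns ('DNS' and 'IP Address' tuples under 'subjectAltName'); the sample certificates are constructed, not real. Two design choices are assumptions of this example rather than stdlib behaviour: there is no commonName fallback at all, and a wildcard is honoured only as the entire left-most label.

```python
"""Identity matching against a certificate in getpeercert() dict form.

Added example (not CPython's ssl.match_hostname). Assumptions: no
commonName fallback, and '*' is accepted only as a whole left-most label.
"""
import ipaddress


class CertificateError(ValueError):
    """The certificate does not cover the requested identity."""


def _dnsname_match(dn, hostname):
    """Compare a dNSName SAN entry with a DNS hostname, case-insensitively.

    A wildcard is allowed only as the whole left-most label and needs at
    least two fixed labels after it, so '*.com' never matches anything.
    It also never spans a dot: '*.example.com' does not match
    'a.b.example.com'.
    """
    dn_labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if "" in dn_labels or len(dn_labels) != len(host_labels):
        return False
    if dn_labels[0] == "*":
        return len(dn_labels) >= 3 and dn_labels[1:] == host_labels[1:]
    if "*" in dn:
        return False  # partial wildcards such as 'f*o.example.com' are rejected
    return dn_labels == host_labels


def _ipaddress_match(entry, host_ip):
    """Compare an 'IP Address' SAN entry with a parsed address, as binary.

    Parsing both sides means '::1' and '0:0:0:0:0:0:0:1' compare equal,
    which a plain string comparison would get wrong.
    """
    try:
        return ipaddress.ip_address(entry.strip()) == host_ip
    except ValueError:
        return False  # malformed entry in the certificate: never matches


def match_hostname(cert, hostname):
    """Raise CertificateError unless hostname matches cert.

    If hostname is an IP literal it is checked only against 'IP Address'
    entries; otherwise only against 'DNS' entries. An IP string that was
    put into a dNSName entry therefore does not match an IP connection.
    """
    if not cert:
        raise ValueError("empty or no certificate")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None  # not an IP literal: treat as a DNS name

    seen = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and host_ip is None and _dnsname_match(value, hostname):
            return
        if kind == "IP Address" and host_ip is not None and _ipaddress_match(value, host_ip):
            return
        if kind in ("DNS", "IP Address"):
            seen.append(value)
    if seen:
        raise CertificateError(
            "hostname %r doesn't match either of %s"
            % (hostname, ", ".join(map(repr, seen))))
    # No usable SAN entries: deliberately no fallback to commonName.
    raise CertificateError("no appropriate subjectAltName fields were found")


def matches(cert, hostname):
    """Boolean wrapper around match_hostname for quick checks."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


# Constructed sample certificates (not real certificates), in the shape
# that SSLSocket.getpeercert() returns.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "42.42.42.42"),
        ("IP Address", "0:0:0:0:0:0:0:1"),
    ),
}
# The mistake discussed in the thread: an IP string stored as a dNSName.
CERT_IP_IN_DNSNAME = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("DNS", "127.0.0.1"),),
}
# Only a commonName, no SAN at all.
CERT_CN_ONLY = {"subject": ((("commonName", "42.42.42.42"),),)}

if __name__ == "__main__":
    for cert, host in [
        (CERT_WITH_IP_SAN, "42.42.42.42"),
        (CERT_WITH_IP_SAN, "::1"),
        (CERT_WITH_IP_SAN, "www.example.com"),
        (CERT_WITH_IP_SAN, "a.b.example.com"),
        (CERT_IP_IN_DNSNAME, "127.0.0.1"),
        (CERT_CN_ONLY, "42.42.42.42"),
    ]:
        print("%-16s %s" % (host, "match" if matches(cert, host) else "no match"))
```

The CERT_IP_IN_DNSNAME case reproduces the confusing message quoted earlier in the thread, "hostname '127.0.0.1' doesn't match '127.0.0.1'": the strings are identical, but the entry is a dNSName and the connection is to an IP literal, so under the RFC rules they are different kinds of identifier and the check correctly fails. In current Python 3 the same separation is done by OpenSSL: passing an IP literal as server_hostname makes the ssl module hand it to OpenSSL's IP verification parameter rather than the hostname one, and the literal is not sent as SNI.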